UK corporate governance reform is delayed again - what does this mean for Heads of Internal Audit?

As long ago as May 2022, the UK Government published its proposals for corporate governance reform in Restoring Trust in Audit and Corporate Governance. This document proposed significant changes to UK corporate governance and reporting, notably in respect of the following areas:
  • Strengthened regulation through the establishment of the Audit, Reporting and Governance Authority (“ARGA”)
  • Resilience statement requirements
  • Capital maintenance and dividend disclosures
  • Audit and Assurance Policy (“AAP”)
  • Material fraud statement requirements
  • Risk management and internal controls declaration.

The position on each of these areas as at December 2023 is set out below:

Primary legislation is required to establish ARGA. This was not included in the King’s Speech on 7 November and will not therefore form part of the Government’s programme for the current parliamentary session.

Secondary legislation is required to implement the amendments to the Companies Act 2006 necessary to enact the requirements for a resilience statement, capital maintenance and dividend disclosures, the Audit and Assurance Policy and material fraud statement. This legislation was drafted as “The Companies (Strategic Report and Directors’ Report) (Amendment) Regulations 2023” and would apply only to Public Interest Entities (“PIEs”), defined as large companies with more than 750 employees and £750m turnover. This draft secondary legislation was withdrawn on 16 October and will not form part of the Government’s programme for the current parliamentary session.

The statutory basis for the proposed changes has therefore at least been deferred until the next parliament. However, some important elements do not require legislation and were to be addressed through amendments to the UK Corporate Governance Code (“the Code”) to be implemented by the Financial Reporting Council (“FRC”). These amendments are currently under consultation with the revised Code to be published in early 2024.

Resilience statement

The proposed Code revisions include reference to the Resilience Statement and require all companies reporting under the Code (not just PIEs) to disclose a statement as to how the Board has assessed the future prospects of the company. This addresses the UK Government proposals for large companies to improve the information disclosed to stakeholders about the future prospects of the business, including the principal risks to the business in the short and medium term, together with their likelihood, impact and the mitigating actions being taken by management to address them. Reverse stress testing performed and any long-term trends will also be required to be disclosed.

The FRC published a policy statement on 7 November 2023. The statement suggested that this requirement is now likely to be withdrawn, although this will be confirmed when the revised Code is published in early 2024.

Audit and Assurance Policy (AAP)

The proposed revisions to the Code include requirements for all companies reporting under the Code to consider producing an AAP on a “comply or explain” basis, with responsibility for developing the AAP placed with the Audit Committee. In line with the UK Government proposals, large companies were to be required to include an AAP in the Directors’ Report setting out the extent to which their annual report and other disclosures have been scrutinised by the external auditor or other assurance providers. The AAP was to be produced every three years and an implementation report should be included in the annual report every year.

The FRC policy statement suggested that the AAP requirement is now likely to be withdrawn, although this will be confirmed when the revised Code is published in early 2024.

Risk management and internal controls declaration

The proposed Code revisions look to implement the Government proposal that an explicit statement should be required from the Board about their view of the effectiveness of the internal control systems and the basis for that assessment. The Code revisions specifically require companies reporting under the Code to provide the following information in the annual report:

  • A declaration of whether the Board can reasonably conclude that the company’s risk management and internal control systems (including material operational, reporting and compliance controls) have been effective throughout the reporting period and up to the date of approval of the annual report
  • An explanation of the basis for its declaration, including how it has monitored and reviewed the effectiveness of these systems during the period and any other relevant information
  • A description of any material weaknesses or failures identified and the remedial action being taken, and over what timeframe.

In its policy statement, the FRC reiterated its intention to take forward its proposals for a risk management and internal controls declaration, although this could be subject to an extended implementation timetable. This will be confirmed when the revised Code is published in early 2024.

Material fraud statement

Finally, the secondary legislation to implement UK Government proposals for a material fraud statement in the Directors’ Report of large companies has been withdrawn. This was to include:

  • A summary of the directors’ assessment of the risk of material fraud to the company’s business operations, including how the directors have assessed the company’s susceptibility to material fraud and the types of material fraud considered
  • A description of the main measures which are in place to prevent and detect the occurrence of material fraud including any new measures which are in place or proposed to be put in place during the relevant financial year or the next financial year.

However, the Economic Crime and Corporate Transparency Act 2023 will come into force during 2024 - including a new “failure to prevent fraud” offence. All organisations over a specified threshold will be subject to this Act and need to be taking steps to ensure that they have “reasonable” procedures to prevent fraud in place.

What this means for Heads of Internal Audit

Heads of Internal Audit need to update their Boards and Audit Committees on the current status of corporate governance reform and its impact on the organisation. The withdrawal of the draft legislation by the Government and the subsequent FRC policy statement have removed many of the requirements in the short term at least. That said, the pressure for reform has not gone away and it is expected that the proposed legislation will be picked up again after the next election, whatever the outcome at the polls.

For now, the main focus is upon the risk management and internal controls declaration. The FRC remains committed to implementing its proposals. Even though the timetable for implementation is likely to be extended, the preparatory work needs to keep progressing.

Some activity can be paused. Preparation work in respect of the resilience statement and capital maintenance and dividend disclosure can justifiably be brought to a halt. However, even though the AAP requirements will probably be removed from the new Code, the underlying work to support the Audit Committee’s understanding of the assurance that it receives in respect of key risks and controls remains important and useful. This work should continue.

Finally, the requirements of the Economic Crime and Corporate Transparency Act 2023 are significant. These will need to be a key area of focus for 2024 for organisations above the specified threshold. Heads of Internal Audit need to make sure that the steps necessary to establish “reasonable” fraud prevention procedures are taken promptly when the Government publishes its guidance in this area.
