FRC’s UK Corporate Governance Code consultation - what does this mean for Heads of Internal Audit?
FRC’s UK Corporate Governance Code consultation - what does this mean for Heads of Internal Audit?
In May 2023 the Financial Reporting Council ("FRC") issued its consultation paper on reform to the UK Corporate Governance Code ("the Code"). Unlike the 2018 revisions to the Code - which were more substantial - this consultation focuses upon the reforms proposed by the UK Government, taking their cue from the proposals put forward a year ago in Restoring Trust in Audit and Corporate Governance published by the former Department for Business, Energy & Industrial Strategy (“BEIS”). The aim of the new Code is to address the policy issues asked of the FRC as a result of the BEIS proposals, whilst it remains the body responsible for setting the UK’s Corporate Governance and Stewardship Codes. Subject to the consultation response, the new Code will come into force for accounting periods beginning on 1 January 2025.
The main areas covered by the consultation are:
- Board leadership and company purpose - the overarching role of the board, covering areas such as the purpose of the company, its long-term sustainable success, generating value for shareholders and contributing to wider society
- Division of responsibilities - roles and responsibilities of executive and non-executive directors
- Composition, succession and evaluation- diversity and inclusion, reporting on succession planning
- Audit, risk and internal control - details of the proposed Audit and Assurance Policy ("AAP"), Audit Committee minimum standard for external audit, sustainability reporting, risk management and internal controls, going concern and resilience
- Remuneration - strengthening links between remuneration and company performance.
What is proposed for audit, risk and internal control?
Of most interest to Heads of Internal Audit will be the proposals on audit, risk and internal control. A key aspect of these is the proposed AAP. The BEIS proposals were that an AAP should be produced by all Public Interest Entities (UK public and private companies with more than £750m annual turnover and more than 750 employees - "PIEs") and should set out:
- Their internal auditing and assurance arrangements
- What external assurance, if any, the company proposes to seek beyond the statutory auditor’s duties
- A description of the policy in relation to the tendering of external audit services
- Whether any external assurance proposed will be ‘limited’ or ‘reasonable’ assurance. Whether any external assurance beyond the statutory audit will be carried out according to a professional standard
- How the AAP has taken account of shareholder and other stakeholder views. Whether and how the company intends to seek external assurance over any part of the Resilience Statement or over reporting of its internal controls in relation to financial reporting.
The BEIS proposals were that the AAP should be produced every three years and an implementation report should be included in the annual report every year. The draft secondary legislation prepared by the UK Government confirms its intention to make this a legal requirement for all PIEs.
The FRC consultation on the revisions to the Code go beyond this - placing the responsibility for developing the AAP upon the Audit Committee and broadening the scope of this requirement to include all companies required to report against the Code (not just PIEs as proposed by BEIS) on a comply or explain basis. If the AAP requirements prove to be well received by investors, it is likely that this good governance practice will become an expectation of investors and lenders to other listed or large entities.
The growing emphasis on Environmental, Social and Governance ("ESG") factors in corporate reporting, has also led the FRC to propose that the remit of Audit Committees should be extended to include this area - specifically narrative reporting including sustainability reporting. The work undertaken by the Audit Committee to oversee this and any assurance of ESG metrics/sustainability reporting should be disclosed.
The area most discussed in the internal audit community relates to the BEIS proposals for strengthening internal controls within the UK’s largest companies. Many aspects of these proposals require legislation and will not therefore come into force until the new regulatory body to replace the FRC - the Audit, Reporting and Governance Authority ("ARGA") is established. This is currently expected by April 2024. However, the FRC’s proposed revisions to the Code contain several key changes recommended by BEIS.
The proposed revisions to the Code emphasise the Board's responsibilities in respect of internal controls throughout the reporting period. These have changed from being to "establish procedures to manage risk, oversee the internal control framework" to "establish and maintain an effective risk management and internal control framework."
The specified role of the Audit Committee now includes the development, implementation and maintenance of the AAP and its responsibilities for reviewing internal financial control systems have been broadened to now include reviewing all the company’s risk management and internal control systems.
Heads of Internal Audit will be disappointed that there is still no obligation in the revised Code for even the largest companies to have an internal audit - enabling Audit Committees to retain the option to meet their responsibilities for reviewing internal control systems through other sources of assurance. Audit Committee responsibilities remain as before - monitoring and reviewing the effectiveness of the company’s internal audit function, or where there is not one, providing an explanation for its absence, how internal assurance is achieved, how this effects the work of external audit and considering annually whether there is a need for an internal audit function and making a recommendation to the Board.
Nevertheless, a key change to Board reporting is proposed by the FRC. Specifically, the Board will be required to provide in the annual report:
- A declaration of whether the Board can reasonably conclude that the company’s risk management and internal control systems have been effective throughout the reporting period and up to the date of the annual report
- An explanation of the basis for its declaration, including how it has monitored and reviewed the effectiveness of these systems
- A description of any material weaknesses or failures identified and the remedial action being taken, and over what timeframe.
In order to be able to make such a declaration, additional rigour will be required to the Board’s review of internal control systems - especially since the Board is required to conclude whether they have been effective throughout the whole reporting period. If a company has an internal audit function, its work may need to be realigned to ensure that it clearly supports the Board’s declaration. If the Audit Committee and the Board are relying on other sources of assurance, these will in all likelihood require review to ensure that the declaration and the decision not to establish an internal audit function remains credible.
What this means for Heads of Internal Audit
The revisions to the Code are important and Heads of Internal Audit should be briefing their Board Audit Committees on the consultation process and the various areas covered. They may also be asked to be involved in supporting the development of the processes and controls to underpin the company’s response to the requirements for an AAP, diversity and inclusion and ESG assurance.
Whilst many aspects of the UK Government’s proposed reforms of corporate governance will not come into force until ARGA is established, the FRC’s revised Code sets out a readiness timeline for strengthening the internal control framework for all large companies by 1 January 2025. In BDO’s experience, the typical timeline for a significant controls transformation is at least 18 months so those companies need to start work on this now, if they haven’t already begun.
Where Heads of Internal Audit are involved with or have oversight of the readiness preparations, they need to look at the plans again to make sure that they are sufficiently resourced and supported by the company to meet the timetable, noting that the expected scope now goes beyond financial controls and covers controls over wider reporting areas such as ESG.
The FRC has committed to publish further guidance on the implementation of the new Code requirements and the UK Government will no doubt set out its remaining intentions in respect of corporate governance reform through the planned legislation to establish ARGA. Heads of Internal Audit will need review this carefully when it is published and support Audit Committees to adjust the assurance they receive accordingly.
References
- Financial Reporting Council - UK Corporate Governance Code Consultation - May 2023
- UK Government - Restoring Trust in Audit and Corporate Governance - UK Government response - May 2022
- UK Government - BEIS consultation - Restoring Trust in Audit and Corporate Governance - March 2021
- Financial Reporting Council - UK Corporate Governance Code 2018
- Independent review of the Financial Reporting Council - “The Kingman Review” - December 2018
- Report of the independent review into the quality and effectiveness of audit- Brydon review December 2019
- ICAEW- FRC launches consultation on Corporate Governance Code revisions - May 2023