Internal controls requirements of the UK Corporate Governance Code

19 April 2024

On 22 January 2024, the Financial Reporting Council (FRC) published the Corporate Governance Code 2024 (the code) to ‘enhance transparency and accountability of UK plc and help support the growth and competitiveness of the UK and its attractiveness as a place to invest’. 

The FRC has kept changes to the code to the minimum necessary, prioritising changes concerning internal controls (Provision 29 of the code). Other minor changes to the code were aimed at better streamlining expectations or clarifying language.

But what does this all mean for premium-listed organisations from an internal controls perspective, where internal controls include financial, reporting, operational and compliance controls?

What key changes does the Corporate Governance Code 2024 bring?

The code states that the board should provide in the annual report:

  • a description of how the board has monitored and reviewed the effectiveness of the internal controls framework;
  • a declaration of effectiveness of the material controls as at the balance sheet date; and
  • a description of any material controls that have not operated effectively as of the balance sheet date, the action taken, or proposed, to improve them, and any action taken to address previously reported issues.

The key change to the code from 2018 is the explicit declaration requirement. Previously, boards were only required to monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report.

The FRC explained that if the 2018 requirements were already being met, the effort needed to meet the provision should not be too great.

Our viewpoint:

Based on our interactions with organisations, many believe the effort is going to be significant. The main reason is that declaring effectiveness is significantly different from confirming that the board has monitored and reviewed effectiveness.

Organisations have varied in their reporting, with some stating they have reviewed the effectiveness of their risk management and internal control systems and others stating their systems are effective. We believe that many organisations have not, however, been covering all their material controls (including financial, operational, reporting and compliance). Through internal audit and other assurance means, it is likely that organisations have been monitoring and reviewing some of their material controls, but this coverage may have been incomplete.

Organisations, therefore, will be required to identify all their material controls and ensure all of these are assessed at least annually in meeting the provisions required under the code.

What is the scope of internal controls stated by the Corporate Governance Code?

The code has been updated to explicitly include ‘reporting’ in addition to financial, operational and compliance controls as examples of material controls coverage.

The FRC explained that the scope has not changed from the 2018 code and that these were just examples of areas where material controls may exist. 

Our viewpoint:

It appears organisations have been interpreting the 2018 code differently and now feel the scope has been expanded. It may be that the FRC identified the interpretation gap during their consultation and hence decided to explicitly state that ‘reporting’ controls are now required to be assessed under the new code.

There are already some areas of ‘reporting’ where some organisations have started to consider their material controls, such as to meet the standards relating to sustainability and client-related disclosures. Nonetheless, it is clear now that material controls in relation to what is being reported to stakeholders must be included in the board’s assessment and declaration.

What does the Corporate Governance Code mean by material controls?

The code states that it is for the board to determine what should comprise its material controls.

The FRC explained it is not able to determine what is material for each company, as it will differ from organisation to organisation, and that the board is best placed to make this judgement. It also stated that the FRC’s role is not to be prescriptive, as the code is principles-based.

The FRC guidance states that material controls could include those related to addressing:

  • risks that could threaten the company’s business model, future performance, solvency or liquidity and reputation (ie principal risks);
  • external reporting that is price sensitive or that could lead investors to make investment decisions, whether in the company or otherwise;
  • fraud, including override of controls; and
  • information and technology risks including cybersecurity, data protection and new technologies (eg artificial intelligence).

Our viewpoint:

The FRC has made it clear that more prescriptive guidance will not be forthcoming. Although most companies disclose their principal risks and mitigating controls, often including cyber risk, organisations must assess more clearly which material controls are in place, and which should be in place, to mitigate these risks, link those controls to the risks, and evaluate their effectiveness.

Are the Corporate Governance Code requirements the same as US SOX?

At first glance, the declaration requirement could be seen as being similar to Section 404a of the US SOX requirements.

The FRC explained that the code’s internal controls requirements are different from US SOX requirements for the following reasons:

  • US SOX focuses on internal controls over financial reporting, whereas the code also covers operational, reporting and compliance controls;
  • US SOX is more prescriptive. The expectation is that the volume of controls that are deemed to be material by the board should be much less than the volume of key controls identified for a typical US SOX environment; and
  • there is no requirement for attestation by the external auditors about management’s conclusion of the operating effectiveness of internal controls.

Our viewpoint:

The FRC is not seeking to establish a SOX-type regime, nor to seek attestation of the material controls by external auditors. The key here is to determine all material controls, not necessarily all key controls. Furthermore, US SOX is focused on internal control over financial reporting, whereas the requirements of the code are wider ranging and do not require attestation.

The board’s conclusion that its internal controls are operating effectively will be for the board to assess, and should not necessarily contradict, for instance, whether the external auditors take a controls-based approach to the audit, as the focus is on material controls rather than an extensive set of key controls. The external auditors are, however, likely to consider the consistency of the board’s view of the material controls and their effectiveness against their own understanding of the organisation.

What is the reporting date for the internal controls declaration requirements of the Corporate Governance Code?

The FRC confirmed that the reporting date is ‘at the balance sheet’ date.

Our viewpoint:

This reporting date seems to have caused some confusion. What the FRC means by this is that management is required to report on any deficiencies in material controls that have not been remediated at the balance sheet date. This means that management does not need to report on a deficiency where they have developed a remediation plan; have been able to re-assess the operating effectiveness; and concluded that the control is operating effectively. This will only work where regular assessment is carried out and there is sufficient time for deficiencies to be shown to be remediated within the organisation’s financial year.

When is the compliance deadline?

Provision 29 relating to internal controls will apply for financial years beginning on or after 1 January 2026, with the FRC explaining the need to give organisations time to put the internal controls framework in place.

Our viewpoint:

The longer deadline seems pragmatic. The FRC has likely recognised that:

  • some organisations have been waiting for the government’s legislation for corporate governance reforms to be put in place (which has now been withdrawn) before acting. These organisations will require the most time for implementation and should immediately start their journey; and

  • some organisations have been focusing on implementing an internal controls over financial reporting framework, but not necessarily a framework that covers operational, reporting and compliance controls. These organisations will be required to expand their scope.

What should be the approach to meet the internal controls requirements of the Corporate Governance Code?

The code is principles-based, meaning organisations will be required to determine their material controls framework themselves.

Our viewpoint:

Organisations have different viewpoints on where they should start. The following may be a suitable approach:

1. Undertake a scoping exercise to determine the material risks and objectives to the organisation:

  • financial controls – organisations could undertake a financial statement risk assessment to determine the material financial statement line items from a quantitative and qualitative perspective;
  • reporting controls – although the Audit and Assurance Policy requirement has been dropped, organisations could review their report and assess how important each area of information is to the users of the report. This will help to determine the material reporting areas;
  • operational controls – organisations could maintain a strategic and operational risk register and assess which are the material risks to their organisation considering the FRC guidance questions; and
  • compliance controls – organisations could assess their regulatory and legal requirements to determine their material compliance requirements.

2. Identify the material controls that mitigate the risk or address the objective

Where there is not a suitable control in place, management will be required to produce a remediation plan to put in place the material control.

3. Define and implement an assurance strategy

Ensure that each material control can be evaluated for operating effectiveness at least annually. This can include changes to the scope and activities of internal audit, and greater visibility of the outcomes of second-line or other external assurance activities.

4. Repeat these steps each year

Ensure that the material controls remain current and complete.

How we can help

We are helping various organisations set up internal controls frameworks and can help you on your journey to meet the requirements of the new code.

For more information, please contact Shingo Soga.

Shingo Soga
Partner, Controls Assurance