12 June 2024
On 22 January 2024, the Financial Reporting Council (FRC) published the Corporate Governance Code 2024 (the Code) to 'enhance transparency and accountability of UK plc and help support the growth and competitiveness of the UK and its attractiveness as a place to invest.'
The FRC has made minimal changes to the Code, prioritising changes concerning internal controls (Provision 29 of the Code). Other minor changes to the Code were aimed at better streamlining expectations or clarifying language.
But what does this mean for premium-listed organisations and those voluntarily applying the Code, particularly from the perspective of internal controls requirements? These internal controls include financial, reporting, operational and compliance controls.
Internal controls specialist, Shingo Soga, and private healthcare specialist, Samuel Abbas, explore the impacts on the healthcare industry.
What key change does the Corporate Governance Code 2024 introduce?
The Code states that the board should provide the following in the annual report:
- a description of how the board has monitored and reviewed the effectiveness of the internal controls framework;
- a declaration of the effectiveness of the material controls as at the balance sheet date; and
- a description of any material controls that have not operated effectively as at the balance sheet date, the action taken or proposed to improve them, and any action taken to address previously reported issues.
The key change from the 2018 Code is the explicit declaration requirement. Previously, boards were only required to monitor the company’s risk management and internal control systems, carry out an annual review of their effectiveness and report on that review in the annual report.
Based on our interactions with organisations, many believe the effort required is going to be significant. This is primarily because declaring effectiveness is significantly different from confirming the board has monitored and reviewed effectiveness.
What is meant by 'material controls'?
The Code states that the board is responsible for determining what should comprise its material controls. The FRC has clarified that it is not able to determine what is material for each company, as this will vary from one organisation to another, and that the board is best placed to make this judgement. It also stated that the FRC’s role is not to be prescriptive as the Code is principles-based.
The FRC guidance states that material controls could include those related to addressing:
- risks that could threaten the company’s business model, future performance, solvency or liquidity, and reputation (ie principal risks);
- external reporting that is price sensitive or that could lead investors to make investment decisions, whether in the company or otherwise;
- fraud, including override of controls; and
- information and technology risks, including cybersecurity, data protection and emerging technologies (eg artificial intelligence).
We believe that the FRC has made it clear that more prescriptive guidance will not be forthcoming. Although most companies disclose their principal risks and mitigating controls, often including cyber risk, organisations must make a clearer assessment of, and link between, the material controls in place and those needed to mitigate these risks, and evaluate their effectiveness. With this in mind, providers should be thinking more broadly about their material controls in relation to areas such as recruitment and workforce planning, sustainability reporting, payment and insurance data and regulatory compliance.
When is the compliance deadline?
Provision 29, which pertains to internal controls, will apply to financial years beginning on or after 1 January 2026. The FRC has explained that organisations need time to establish the internal controls framework.
Key recommendations
The Code is principles-based, meaning organisations will be required to determine their material controls framework themselves. Organisations could have different viewpoints on where they should start, but the following may be a suitable approach:
- conduct a scoping exercise to determine the material risks and objectives for the organisation;
- identify the material controls that mitigate the risk or address the objective;
- define and implement an assurance strategy; and
- repeat these steps annually to ensure that the material controls remain up to date and complete.
How we can help
Organisations have just under two years to put an internal controls framework in place that covers their material controls. These organisations will need to carry out a risk and objectives assessment to identify the material controls. The assessment needs to include financial, operational, reporting and compliance areas, and should be reviewed and signed off by the board.
We are helping various organisations set up internal controls frameworks and can help you on your journey to meet the requirements of the new Code.