Tools for the job: what next for UK audit and corporate governance reform?
Last month, the Financial Reporting Council (FRC) announced changes to the UK Corporate Governance Code which reflect an increased focus on internal controls and boards’ ability to make a comprehensive declaration of their effectiveness. These changes highlight the importance of controls over all material risks, and compliance will rely on the boards’ ability to see into every layer of their organisations.
The latest changes are promising. The introduction of the internal controls declaration should lead to stronger risk management and internal audit practices, and means that boards will have greater visibility across all aspects of their organisation’s governance, risk and compliance (GRC) operations.
What has changed?
The addition of Provision 29 indicates an increased focus on maintaining robust controls. Boards must now include a declaration in their annual reports and accounts (ARA) regarding the effectiveness of all material controls, including financial, operational, reporting and compliance controls. This declaration encompasses three key elements:
Monitoring and review: boards are required to describe how they have monitored and assessed the effectiveness of their control framework.
Declaration of effectiveness: boards must make a declaration of the effectiveness of the company’s material controls as of the balance sheet date.
Addressing areas of inefficacy: boards must include a description of any material controls that have not operated effectively, coupled with the actions taken, or proposed, to improve them, and any measures taken to address previously reported issues.
Essentially, boards are now responsible for providing a comprehensive declaration on control effectiveness, at least annually. They must be able to monitor and report on external controls over all material risks, beyond traditional financial reporting controls.
To achieve this, they require full visibility across all aspects of the organisation’s governance, risk and compliance (GRC) operations to ensure that potential risks are identified, assessed and mitigated effectively. This is a huge opportunity for internal auditors to step forward, since much of what the board needs to know is already part of their remit.
Enhance internal controls
Organisations and boards should proactively prepare for this heightened focus on internal controls. They should focus on the pillars of assessment, improving processes and implementing technology to provide the board with the visibility, information and tools they need to ensure compliance.
Internal audit can help boards to understand the state of the existing controls and conduct a thorough assessment to identify gaps or weaknesses. An objective evaluation will help boards to understand where they need to improve to meet new requirements. They can also help to set up a process of continuous monitoring to ensure the ongoing effectiveness of controls and promptly identify deficiencies.
Some internal audit teams may need to enhance their reporting processes, as directors will need accurate and timely information on the effectiveness of the controls in place. Internal audit has the overview that can help boards to understand where information is held. They can also advise on implementing a rigorous and repeatable process, which collates and contextualises information from across the organisation.
It is critical for businesses to get this step right, and it may be necessary to invest in technology to centralise, streamline and automate GRC processes on a purpose-built platform. This can empower the board to ask insightful questions proactively and make more informed decisions about risk management, compliance monitoring and reporting.
Watch for further reforms
Although the much-anticipated audit reforms are currently not in the political pipeline, the problems they set out to address should still be priorities for responsible businesses. Building trust in UK businesses is an important pillar of success and benefits all stakeholders in the UK economy. Organisations that act now will realise the benefits sooner, gain an edge on the competition and build trust with shareholders and stakeholders.
For example, the proposed reforms included a mandatory resilience statement to outline the steps companies are taking to improve resilience over the short, medium and long term. Organisations should start establishing their priorities for resilience now, and put a framework in place to capture, collect and contextualise data from across the organisation to inform their resilience strategy. Whether or not a resilience statement is mandated, business leaders who communicate their organisation’s resilience against known vulnerabilities will increase stakeholder confidence.
We cannot predict the future, but it is clear that businesses which implement these changes will see benefits now. Increased trust, greater clarity and the mitigation of future risk are just some of the advantages. Regardless of whether, or when, further legislation appears, this should be motivation enough for any business to invest in the right processes and technology to remain one step ahead. Internal audit can both promote awareness of the need for these changes and help boards to act to realise them.
Keith Fenner is Senior Vice-President and General Manager EMEA at Diligent.
This article was published in March 2024.