The Financial Reporting Council (FRC) has published an update to the UK Corporate Governance Code (the Code), focused primarily on internal controls with additional guidance to support companies applying principles of the Code. Emma Young explains what these changes mean and what you should do next.
Internal controls reporting update
In the nearly three years since the government issued the much-anticipated consultation, “Restoring trust in audit and corporate governance”, there have been multiple consultations, drafted and withdrawn statutory instruments, and extensive debate among market players on various proposals.
While the fate of other 2021 proposals driven by the Brydon and Kingman reports remains uncertain, the government has now clearly communicated its intention to pursue options to streamline and simplify existing corporate reporting.
The latest update is a result of the FRC consulting on changes to the Code, being tasked by the government to progress proposals relating to risk and internal control reporting. With targeted guidance issued by the FRC, boards and stakeholders must now digest and discuss.
Key 2024 changes to the Code
The Code is a principles-based regime that companies apply on a ‘comply or explain’ basis, providing flexibility and proportionality for companies to adapt based on their circumstances. The 2024 Code update maintains and re-enforces this approach to Corporate Governance in the UK.
The FRC introduced changes, primarily focused on internal controls, with several minor amendments to clarify existing points in the Code and two new provisions. Transparency is a key driver for these changes to enhance accountability and investor confidence.
Notable changes include the addition of Provision 29, outlining the board’s role in monitoring and reviewing a company’s risk management and internal control framework. The board is now required to make a declaration of the effectiveness of material controls on the balance sheet in the annual report. The FRC see this as an extension of the existing requirements, so it should not be seen as a major departure from what was required before.
-
The board should conduct a review of the effectiveness of the risk management and internal control framework at least once a year, with a description of how this was done in the annual report.
-
Monitoring, review and disclosure should cover all material controls, including financial, operational, reporting and compliance controls.
-
The board should make a declaration of the effectiveness of material controls at the balance sheet date.
-
Any material controls which have not operated effectively at the balance sheet date should be outlined, with actions taken or proposed to improve them reported. In future periods, any action taken to address previously reported issues should also be included.
-
The new Provision will be effective for premium listed companies (whether incorporated in the UK or elsewhere) for periods starting on or after 1 January 2026.
What does this mean for you?
The FRC has made clear the pivotal role of the board in defining material controls and determining what assurance they want on control effectiveness. Using the more expansive 2024 published guidance, you will need to decide how the board will make these decisions.
Another point to address is the role of third-line internal audit functions for your business. It could be to support definitions of materiality, or you could leave executive management to develop their own view and provide an independent assurance lens.
The average size of annual reports has increased by nearly 40% over the last five years, so it remains to be seen how this Code change and scaling back of other corporate governance proposals impacts this. The FRC specifically flag that companies should avoid boilerplate reporting and provide meaningful insight for investors. The board should start to consider how they can balance a focus on quality rather than quantity, with the ask to enhance transparency while also building investor confidence.
A new Principle (Principle C) in the 2024 Code update talks about how governance reporting should be focused on outcomes and report meaningfully on how the Principles have been applied. Our latest Corporate Governance Review 2023 flagged that only 50% of FTSE 350 company annual reports provide insight into their internal control process reviews. While this number has improved from 44% in 2021, this raises questions about the board’s activities in this area, suggesting there is going to be more work needed across the FTSE 350.
While annual reports increasingly talk about assurance, and companies are claiming data is assured, they are not yet sufficiently transparent about definition and context. The board must prioritise this to meet the latest requirements of the update.
For regulated industries such as financial services, the Prudential Regulatory Authority (PRA) issued a Supervisory Statement in 2016 – SS 5/16, “Corporate Governance: Board responsibilities”, in which it stated that the PRA would also expect to see evidence that the board and its relevant sub-committees exercise effective oversight of risk management and controls, supported with meaningful and well-targeted management information used to inform board discussions.
These expectations should already exist as a result of the Senior Management Certification Regime for Financial Services firms. The provision serves as a helpful reminder to those such as the Chief Financial Officer, Chief Risk Officer, Chief Operating Officer, Compliance Officer and Money Laundering Officer, who hold Prescribed Responsibilities, to review their arrangements so that they are comfortable in demonstrating their accountability and can provide evidence to support the board’s declaration on the effectiveness of financial, operational, reporting and compliance controls.
What you need to do next
In our experience, most companies have been taking value-adding, no-regret steps to mature their approach to internal controls and assurance and reporting on these frameworks ahead of the Code update. The timeline for board declarations is now clear, so what do you need to think about now?
-
Consider if you are comfortable and confident that your internal control framework is robust, value-adding and effectively monitored. Our controls advisory teams can help you understand what this means for you and how to navigate the changes.
-
If you haven’t already, prioritise defining the non-financial material controls that you will be reporting, such as operational, compliance, or reporting controls. Revisit your principal risks and consider any sector-specific risks.
-
Consider the new guidance where the FRC shares material control examples for the board to consider. This includes controls over external reporting that lead investors to make decisions, fraud and management override, cyber, data protection and new technologies. Expand what you include in your reporting if necessary.
-
Have an assurance strategy for your material risk and internal control frameworks in place, and consider how you can leverage data, dashboards and automation to drive sustainability.
-
Consider how your annual report benchmarks against your peers. Either as a diagnostic or an assurance exercise; gain a detailed insight into your reported governance practises aligned to the five areas of the Code, with a tailored comparative view as to where your governance practices stand against competitors.
This update is a key step to concluding the risk management and internal control reporting enhancements that have been proposed and discussed over recent years. What remains to be seen is how boards start to address this, apply the Code and leverage the guidance, and what the role of internal audit should be.
