With the recent Financial Reporting Council's (FRC) update to the UK Corporate Governance Code (the Code) and Provision 29 requiring the board to provide a declaration on the operation of material controls in the annual report from 2026, it is crucial to think about technology.
The Code has a broad definition of potential material controls, including financial, operational, compliance and reporting. FRC guidance, however, suggests risks that could be covered include principal risks, external reporting that leads investors to make decisions, and information technology risks such as cyber security, data protection, and implementation of new technologies.
Preparing technology for Code compliance
Thinking about technology controls now will make efficient compliance much easier to implement.
Technology components (applications, systems, and infrastructure) and data provide material inputs to, process, or report financial transactions. This means they are a core component of a financial control framework. Controls covering these components and data sources are often referred to as ITGCs (IT General Controls) or ITACs (IT Application Controls).
The scope of the Code is wider, however, than just ITGCs and ITACs. Many organisations may also face specific technology related risks, such as cyber security, or the use of artificial intelligence (AI), which need to be reflected in their material control environment and declaration.
In addition to technology components under the direct control of an organisation, any cloud and third-party applications or End User Computing (EUC) solutions may also need to be considered. These controls can be difficult to manage, particularly where this will require changes in organisational behaviour or contract negotiation with providers. The increased use of cloud solutions means the controls will often extend beyond the boundary of the organisation itself. This is where having a clear framework for managing your third parties is key.
There are four key steps for implementing controls to address material technology controls in line with the Code's requirements.
1 Define what should be in-scope
Firstly, there is a need to determine which technology components, data, and risks should be in scope. To achieve this, finance, business, and technology functions may need to work together to develop a clear end-to-end understanding. This would involve identifying:
- material financial processes, technology solutions (such as servers, interfaces, and networks), and systems (including off-the-shelf, in-house developed, cloud/third-party hosted, and EUC applications and databases) involved in creating, updating, storing, processing, and reporting financial data
- material reporting, compliance and operational processes and the technology solutions and systems that enable and underpin these
- any other material technology risks that may impact the business, and therefore the material controls for these will also form part of the declaration.
2 Define the desired technology control set
With reference to the defined scope, determine the controls that should be in place to address the identified technology risks.
Put simply, ITGCs and ITACs usually cover areas such as user access and segregating of duties, how changes are made to systems, the use of backups, monitoring of interfaces, and data integrity checks. As noted above, however, the Code is broader than just ITGCs and ITACs, therefore material controls may need to include elements such as penetration testing, assurance over cloud vendors and other third parties, and the testing and monitoring of artificial intelligence models.
3 Understand existing controls
Once all in-scope components, data, and technology risks have been identified and technology control requirements defined, a review of the existing technology controls framework should be performed to establish what is already in place and to what extent this can be leveraged.
Where gaps are identified, there is a need to:
- review technical documentation and interview stakeholders to understand which of the required controls, if any, are in place, and whether they are appropriately designed
- define which are the ‘material’ controls
- perform an initial assessment to determine how consistently and formally controls are operated and how readily available evidence is
- understand the extent to which any existing assurance over material controls can be leveraged.
4 Remediate control gaps
Remediation plans should be put into place to address any material technology control gaps identified and the controls re-tested to validate they have been actioned appropriately. Compensating controls should also be considered at this stage, particularly where the technology controls gaps may have a pervasive impact on the wider control environment.
The key challenges
The main challenge is often the identification of all the technology risks, components and data that should be in-scope and implementing controls for these material controls where there are significant gaps.
Many organisations will be reliant upon a wide range of different technologies and applications, including non-connected, ageing legacy software or hardware; EUC solutions (often referred to as ‘shadow IT’); cloud and third-party hosted systems; and bespoke internally developed applications.
It is often not possible, or cost effective, to retrospectively build robust controls into these systems. Careful consideration should be given to the impact of this, and how assurance can be obtained over the financial data these systems process, store or report, or the operational processes they underpin and enable.
Some of the specific challenges of building an efficient technology controls framework should be noted.
Technology projects and control workstream
Ensure that the implications of any technology projects/programmes or changes to solutions, systems, and data are considered before they are performed. It is common for businesses not to consider technology control requirements upfront when updating or replacing financial systems, thus introducing weakness or gaps into what was previously a strong environment.
Formalising documentation and engagement
Formally document controls and formalise the engagement between technology and the business, particularly where this has been informal in the past.
Keeping stakeholders bought into the implementation projects
Ensure technology teams are bought into the need for the Code requirements and the process to strengthen controls. A stronger control environment can often be seen to slow technology administrators down or introduce extra to daily tasks. If technology teams are not bought into changes being made, there is a high likelihood they will intentionally or unintentionally subvert the new controls.
Maintaining evidence of control activity
Maintaining evidence of the operation of material technology controls, particularly automated controls, can be a complex task. While most systems allow to log activity this can be cumbersome to configure, require significant storage capacity, and can be difficult to interpret if not set up correctly, especially if the evidence requirements are not understood.
Minimising the use of ‘workarounds’
It is not uncommon for organisations to adopt manual workarounds, such as using a spreadsheet to perform certain tasks in order to compensate for the lack of functionality in a system. Use of such workarounds can be complex to control and evidence of your operation at a point in time can be difficult to maintain. Where a workaround is unavoidable the specific process should be identified, brought into scope, and controlled to the same level as any other system.
Driving efficiency in technology controls
In our experience, there are three main opportunities to drive efficiency in a technology controls framework.
1 Rationalise the control set
As part of the exercise to review the control environment, consider determining whether any of the controls can be rationalised. Longwinded and repetitive lists of controls can be difficult to manage and prone to error. More mature organisations often seek to introduce a consolidated control set over time to make managing it more efficient.
2 Automate, automate, automate
Wherever possible, implement automated controls. If correctly implemented and maintained, automated controls are less prone to error than manual. The first year investment might be significant, but the return in subsequent years generates significant payback. We have seen clients realise efficiencies of 30-40% in year two onwards.
3 Integrate into major projects/programmes
Integrate controls workstreams into all major technology projects or programmes that are seeking to update or replace one of your systems. This helps ensure that control requirements are considered throughout the programme from the start. This applies to both technology controls and controls over financial reporting.
