Internal Controls: UK Corporate Governance Code 2024

After a comprehensive consultation, the Financial Reporting Council (FRC) have recently published the revised UK Corporate Governance Code 2024.

Following the withdrawal of the statutory instrument on financial reporting enacting the government’s proposals, various proposed changes in the consultation document were dropped. A new streamlined version of the code was announced, keeping in line with the FRC’s 7 November 2023 policy statement.

The updated code focuses on a limited number of changes and continues to uphold the FRC’s flexibility of “comply” or “explain” reporting.

The key change to the revised UK Corporate Governance Code 2024

The most significant change comes under what is now known as provision 29 of section 4 – audit, risk and internal control. The revised provision lists the internal control matters that the board should provide for their annual report, reiterating the board’s responsibility to establish and now maintain the effectiveness of internal controls as at balance sheet date. Earlier draft language on continuous monitoring of effectiveness is no longer present. The specific requirement for a review of the effectiveness of material controls is at the balance sheet date.

Other notable changes

  • New principle encouraging governance reporting to focus on the board’s decision-making and their outcome in the context of the company’s strategy and outcomes.
  • New provision regarding directors’ remuneration which should now include malus and clawback.
  • Updates to provisions 25 and 26 to reflect the Audit Committees and the External Audit: Minimum Standard.
  • Reiterating the effectiveness of embedding the desired culture and broadening diversity and inclusion characteristics.

A summary of the key changes to the code, as published by the FRC can be found here.

Comply or explain

Applicability

Effective date 

Removed provision

The flexibility of the code encourages Boards to use judgment about how its principles and provisions apply, with the “explain” component still a legitimate option to make decisions in light of their own circumstances and, appropriate to their own business.

The code applies to companies with a premium listing on the LSE. While not mandatory, all companies may benefit from applying the principles of the code e.g., large private companies are required to disclose governance framework under the Wates Principle.

The code takes effect in January 2025 (Provision 29 related to Internal Controls in January 2026). Therefore, Boards need to start conversations to ensure their strategy aligns with the code and lays out the roadmap to implement its provisions.

While the requirements are for a resilience statement, and audit and assurance policy, we encourage Boards to embed these statements in building a more efficient control framework.

Provision 29 explained

The revised provision 29 addresses specific internal control matters that the board should provide in their annual report.

A description of how the board has monitored and reviewed the effectiveness of the framework

For boards to have confidence that risks are being managed, a process to monitor the effectiveness of the internal control framework should be established. The board should define the monitoring requirements, the scope, and the reporting frequency. An effective monitoring process includes both ongoing monitoring and an annual periodic review.

It is important to note, that it is the board's responsibility to define controls that are material to their organisation. Further, material controls are not limited to financial controls but extend to operational, compliance and reporting controls.

A declaration of the effectiveness of material controls as at the balance sheet date

The aggregation of the monitoring and review activities should allow the board to conclude on the effectiveness of its internal control framework. The statement should include a conclusion of the assessment of the design and implementation of internal controls and the identification of the risks that are principal to the company.

A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues

The results of the internal control monitoring should be evaluated to determine whether control failures are material to the achievement of strategic objectives. Material control weaknesses should be disclosed, along with the actions taken to address them.

Boardroom conversations for key changes to the code

Boards will now need to consider various points. They will need to assess whether they have the means and ability to obtain a level of assurance which, will enable them to provide a declaration of the effectiveness of internal controls.

Are you focused on the right risks?

A pragmatic and dynamic approach to risk management allows the Board to stay informed, on existing and emerging threats as they evolve. Non-financial risks as well as financial need consideration, as well as fraud risk.

What will the declaration look like in the annual report?

To enable a clear, concise, and truthful declaration, boards should engage with stakeholders to assess and align expectations. This allows them to define the risk appetite and materiality early on, which will help drive the whole internal controls implementation journey.

Are you comfortable with the level of assurance provided by the lines of defence?

Even with an existing three lines of defence strategy, boards should examine the role of each line to clearly map where assurance over principal risks exists. Clear assurance mapping allows boards to discover blind spots, and identify potential “over assurance”, where resources can be better used. 

Are you comfortable with the level of maturity of your “reporting” controls?

The inclusion of the word “reporting” in Provision 29 means the focus goes beyond financials and numbers. Boards should have a clear and defined understanding of other reporting responsibilities that consider non-financial regulations, standards, and reporting commitments (e.g. ESG).

How does the organisation’s definition of material controls link back to key business and strategic risks?

Controls mitigate risks, but controls for the sake of having controls can be a dangerous rabbit hole. A clear link between principal risk and controls should exist to allow boards to focus on things that truly matter. This is a good time for boards to optimise and rationalise their control frameworks, to strike the balance between material controls and business value.

Is the organisation’s technology optimised to assist you?

With the evolution and advancement of technology, it is important for boards to assess whether tools and technologies can be used to improve the way they receive and view information and to enable continuous control monitoring.

Do you have the right tools to implement a control monitoring mechanism and will it help to prevent and detect misstatements?

Implementing and maintaining an effective controls framework takes resources and expertise. Boards should consider whether the right mix of knowledge and expertise is available internally, or whether a strategic external partner could help support existing resources. While the provision for ongoing monitoring was dropped from the code, boards should consider whether a year-round monitoring framework allows for a more pragmatic and effective means to assess the effectiveness of internal controls.

The way forward – a practical implementation journey

Initiate 

Assess

Design

Test

Report

  • Engage with stakeholders to understand expectations and align implementation strategy.
  • Establish a Steering Committee to lead the implementation initiative.
  • Assess whether external support may be required.
  • Revisit risk management framework for a more proactive and agile risk identification.
  • Conduct risk prioritisation exercise to establish the principal risks.
  • Do an inventory and align other non-financial reporting requirements.
  • Preliminary scoping of processes/systems aligned to risk.
  • Review existing documentation and align risks with controls to define material risks.
  • Conduct a design assessment of material controls.
  • Address control design gaps.
  • Establish a testing methodology and perform a test of the operating effectiveness of material controls.
  • Implement actions to remediate control failures.
  • Assess testing results to determine whether control failures, individually and in aggregate, constitute a material weakness.
  • Based on the controls evaluation and results assessment, issue a clear and concise declaration in the annual report.

Get in touch

To discuss how you might be able to implement the new UK Code of Corporate Governance 2024 get in touch with one of the team.

Contact us today