In light of feedback to its recent consultation Restoring Trust in Audit and Corporate Governance, the Department for Business, Energy and Industrial Strategy is set to require businesses of a certain size to formally publish an Audit and Assurance Policy (AAP).

Forthcoming legislation is expected to classify companies with more than 750 staff, and an annual turnover of more than £750m, as Public Interest Entities (PIEs) – and require them to issue an AAP every three years. Those companies will also need to publish annual implementation reports on how their assurance procedures work in practice. What sort of watershed does that shift represent for relevant businesses?

“Companies must already consider and make extensive disclosures about their risks,” says Carolyn Clarke, CEO of risk and assurance specialists Brave Consultancy. “However, the AAP presents an opportunity to bring together, in a single place, a much more complete picture of where all the necessary assurance comes from – plus its underlying nature and the degree to which directors rely upon it.”

In that sense, she says, the AAP is a useful mechanism for providing a company’s external stakeholders with a window into how its directors and board are thinking about their risks – including the sorts of disclosures they’re making around them, and the relevant assurance they are seeking.

Tone at the top

With the legislation pending, best-practice AAP formulation is still a relatively nascent field. But the government’s consultation – and its subsequent response – have formed the basis of several pieces of guidance. Last year, ICAEW’s Audit and Assurance Faculty published its groundbreaking paper Developing a Meaningful Audit and Assurance Policy – an updated version of which is set to be published shortly. In that report, we examined the challenges that companies may have to overcome when creating an AAP, and made nine recommendations to help a policy meet its full potential.

So, what should relevant businesses do to ensure that their AAP gets off on the right footing?

Jayne Kerr, PwC Director, Audit Public Policy, has been keeping close watch on this emerging terrain. She says: “Before you start formulating the policy, you must have in place a mindset that the AAP is more than a compliance exercise. It is, in fact, a really important way for directors to take a step back and re-engage with their shareholders – and to take a fresh look at the type of financial and non-financial information they’re issuing, how they reach a comfort level with it, and how internal and external stakeholders can rely upon it.”

She notes: “That comes down to tone-at-the-top governance. In practical terms, the AAP will be largely owned by the audit committee. So, they, with the board’s backing, will have to convey to every department that this is an important and valuable task, through which the business will be able to more fully understand itself.”

As the AAP is so new, Kerr points out, the audit committee will very likely have to divert resources from other parts of the business in order to fulfil it – which will have particularly significant impacts for the smaller PIEs that are just over the government’s thresholds. So, it will be even more important that it is viewed as more than just a compliance exercise.

Mapping the way

According to Clarke, the most important step in the drafting stage will be to develop an ‘assurance map,’ setting out the organisation’s risk universe, and also encompassing any financial and non-financial disclosures the business is required to make.

That map, she notes, must then be assessed through the internal lens of the company’s three-line assurance model. “First line,” she explains, “is management oversight: executive supervision of the company’s daily activities. The board will rely a great deal on looking into the eyes of senior managers and asking how they feel about day-to-day risks. Second line includes compliance functions, such as health and safety, that managers have put in place to monitor specific types of risks. And the third line is an independent appraisal – usually performed through internal audit – of the design and operational effectiveness of controls around the company’s risk appetite.”

Large listed companies, Clarke points out, are already required to describe their risk universes in annual reports and accounts. The nature of the relevant risks may be internal, strategic, macroeconomic or environmental. “Some companies may focus on risks they want to minimise,” Clarke says, “such as health and safety incidents. Other types of risks can stem from organisational improvement – for example, the implementation of new IT systems, and especially wider change programmes, can present significant risks.”

In the AAP era, however, the presentation of those risks should be shaped around a narrative that can deliver learnings.

Ensuring quality

Kerr agrees that the assurance map is fundamental to AAP formulation. In her assessment, finding the right starting point for the map so that the AAP will contain the most instructive details is critical.

“In the AAP,” Kerr says, “you as a director must explain how you’ve ensured the quality of the information you report to your shareholders, beyond the financial statements – including, for example, the front half of your annual report and, potentially, regulatory returns and analyst reports. That’s a vast amount of information.”

So, under the new regime, directors will have to decide upon a way to narrow down that volume of information so that the AAP will include only that which is most key to end users. “There’s no official guidance on that yet,” Kerr says. “But in our recent paper, Restoring Trust Through an Audit and Assurance Policy, we suggest that principal risks would be a sensible place to start, and potentially also environmental, social and governance information and metrics, as that’s such a key area now. Plus, for some companies, KPIs that underpin executive remuneration will be a focus.”

The point, Kerr notes, “is to prevent the AAP from turning into a dry inventory that merely lists out reams of information. If it becomes a checklist, then it becomes just a compliance exercise – and that instantly defeats the purpose.”

Kerr notes: “When you carry out your mapping, being able to ‘grade’ the different levels of assurance you receive, both internally and externally, will also be really important. Once you’ve determined what all of those levels, or avenues, of assurance are, you can look at each one separately and ask: ‘How confident am I in what this is telling me?’ Being able to have a rational way of explaining the different levels of comfort you have with each assurance source, and being able to somehow value that, are absolutely central to this process.” 

Further reading

The July 2022 Position Paper from the Financial Reporting Council states that the forthcoming Audit, Reporting and Governance Authority will be responsible for developing AAP implementation guidance. Read the full Position Paper here.

Read the ICAEW’s current guidance on the AAP, to be updated shortly, here.