
Corporate Governance Developments for Internal Auditors


Published: 08 Apr 2024

After what seems like a very extended waiting period we finally have the revised UK Corporate Governance Code (the Code) and associated Guidance.

ICAEW recently held a conference for members of the Corporate Governance faculty with an introduction by the FRC’s new Chief Executive Officer, Richard Moriarty. There were several important messages for internal auditors as summarised below. While the Code is only mandatory for premium listed companies it sets the direction for corporate governance expectations for all companies. This means it is important guidance for all internal auditors.

It shouldn’t be entirely new news

Richard Moriarty could not have been clearer. The Code has always required directors to take responsibility for the system of risk management and internal control. An assessment has always been required with a confirmation in the annual report and accounts. The evidence is that this exercise has to date been somewhat superficial. And that now needs to change. Directors are expected to step up. The board must own the exercise of maintaining and assessing controls that mitigate material risks.

Comply or explain… or comply and explain

The Guidance to the new Code emphasises the expectation that companies will finally seize the opportunity to comply or explain. The FRC previously issued guidance on what this means. It wants to see meaningful explanations of the outcomes of companies’ corporate governance practices. It wants companies to feel they can explain where they conclude it is not appropriate to comply with certain requirements in full. Explanations must then enable a stakeholder to understand the discussions that the board has had in reaching this conclusion.
There is some recognition of the challenges this creates in engaging with investors. The FRC recognises some investors apply a mechanistic approach, evaluating corporate governance without adequate understanding of the comply or explain approach. There will be a further revision to the Stewardship Code shortly to reinforce expectations.
In many respects the Code moves us toward an environment that goes beyond comply or explain to comply and explain. UK corporate governance has always been based on principles rather than rules. This evolution of the Code is no different. In this context it is essential to explain the decisions taken to comply so that an increasing range of stakeholders can understand the consequences and impacts.

No further definition of materiality

Many respondents to the government’s consultation were concerned about the lack of explicit guidance around the meaning of materiality. The FRC believes it has incorporated this within the Guidance and does not intend to be more explicit. It is clear that the board must evaluate what is most important to the company, through the eyes of investors, but also a wider stakeholder group as outlined in s172 of the Companies Act.

Companies vary widely in the nature of the business they carry out, as well as in factors such as their regulatory obligations, stakeholder expectations and the impact they can have on the environment and society. Directors are best placed to determine which risks can have the most material consequences and to establish the control frameworks required to manage those risks to a level within the company's risk appetite. This is not something that the FRC can, or should, mandate.

It will be important for companies to explain how they have arrived at the decisions they make in respect of materiality. In doing so they will need to balance competing tensions, such as the more quantifiable nature of financial risks alongside the requirement to do no harm to individuals, be they employees or customers.

Reporting brings ESG into scope

Much of the current discussion is about the difference between these requirements and the US Sarbanes-Oxley obligations. The Code extends the definition of controls to include financial, operational, compliance and reporting risks (compared to financial reporting risks only under Sox). The inclusion of reporting risks brings into scope aspects of the business that are commonly understood to be part of ESG (Environment, Society & Governance) reporting. The original proposals for the Code reform included greater direct emphasis on ESG. This has not found its way through to the final draft. But in focussing on reporting risks and associated controls, ESG has found its way onto the agenda.
It’s worth mentioning other key differences to the Sox requirements. Unlike Sox, there are no specific rules around how the company should go about testing, retesting and then obtaining assurance over the material controls. This is another factor that boards are expected to debate and make the critical decisions on.

Over 30 mentions of internal audit

The Code is clear that directors should establish and assess the quality of monitoring and assurance activities and functions within the company. They should rely where appropriate on the Three Lines as defined by the Institute of Internal Auditors. Directors must obtain assurance that controls are designed and operating effectively. Within the Code Guidance internal audit is referenced more than 30 times, a tenfold increase from the previous version.

Richard Moriarty believes directors should seek to avoid a costly exercise involving armies of external consultants on a sustained basis to achieve compliance. Instead, they should acknowledge that there will be work in the coming years to implement and embed the intended improvements, but beyond this a focus on the effectiveness of internal audit, assurance and monitoring is crucial. In doing so there is likely to be a need for an assurance mapping exercise, even if the requirement for an Audit & Assurance Policy has not been taken forward at present.

Investors may require external audit or assurance over a limited number of specific data points or disclosures, similar to the current statutory audit process.

Transparency is the ultimate goal, accountability the golden thread

There will be many decisions for boards to take. Companies should not underestimate the level of work and focus required. Ultimately the FRC anticipates that this will result in better understanding. To achieve this, transparency in the annual report is critical. Companies are expected to discuss how they have implemented and maintained appropriate controls over their material risks.
While the requirement is for an annual assessment at the balance sheet date, with disclosure of any material weaknesses, it is unlikely directors will be forgiven for control breakdowns occurring throughout the year, particularly where the control framework has failed to prevent or detect them.

These requirements clearly raise the bar. Directors will be expected to lean into their accountabilities. There is a need for action.
