Strengthening risk management and internal controls

UK Corporate Governance Code reform


Following its consultation on 'Restoring trust in audit and corporate governance', the Government announced in its Response Statement that it intended to ask the FRC to consult on strengthening the internal controls provisions in the UK Corporate Governance Code (the Code), so as to provide for an explicit statement from the board of its view on the effectiveness of the internal controls systems and the basis for that assessment. In some quarters this was termed 'UK SOX'.

The FRC has now issued an updated Corporate Governance Code which predominantly focuses on strengthening organisations’ risk management and internal controls. In our 'Restoring Trust' guide, we explore in detail the practical steps organisations can take to comply. These are also summarised below, along with our view on the benefits of strengthening risk management and controls, and a number of frequently asked questions about the Code updates.

The benefits of stronger internal controls

Strengthening risk management and internal controls has significant benefits for organisations, helping them to combat fraud and enhance the quality of corporate reporting and governance. Beyond compliance, it creates a risk- and controls-focused culture with broader insight and operational benefits that improves your investors’ confidence, supports better decision-making and protects shareholder value.

The importance of strong internal controls, particularly over financial reporting, was highlighted by Sir Donald Brydon and Sir John Kingman in their government-commissioned reviews, and many companies have already begun major controls transformation programmes in anticipation of the changes implemented in the new Code.

Based on our own experience of successful control transformation programmes, and on publicly available evidence of the improvements experienced in the US after the introduction of Sarbanes-Oxley (SOX) in the early 2000s, we believe that strengthening internal controls has significant benefits for organisations:

The process of strengthening internal controls helps you to better understand your reporting risks, to put in place appropriate controls to mitigate these risks and address internal control deficiencies in a more timely fashion. This in turn has a positive impact on the quality and reliability of the information you produce, increasing the confidence of shareholders, investors and other stakeholders in your reporting.

A robust internal control framework with clearly assigned and embedded ownership within the front line of the business reinforces high quality standards through better governance and accountability.

One of the most tangible benefits is in helping organisations to prevent and detect material fraud. While we can’t attribute this only to the implementation of an enhanced control framework, we believe it plays a key role by providing the awareness of where an organisation's key fraud risks are and whether mitigating controls are in place to address those risks.

Having right-sized controls for your current structure and future plans can help you build greater resilience, gain broader insight and have more confidence in the decisions you make. Processes and controls are simplified, standardised and digitised and duplicate and redundant controls are identified and removed, while ongoing monitoring of the operation of controls leads to continuous real-time improvement.

Technology advances, together with a risk-based, top-down approach and a focus on entity level controls, help drive a proportionate and cost-effective response to a strengthened internal control regime. And by using automation and advanced analytics, you will benefit from having more real-time management information and insight.

A controls-focused culture, led from the top, promotes behaviours and activities across your organisation and plays an important role in safeguarding your business and shareholder value. Employees who understand their responsibilities and are accountable will be able to design and operate effective controls and identify deficiencies early. This leads to improvements in the behaviours and attitudes specifically related to risk and controls. It also promotes a controls mindset over increasingly important disclosures outside of financial information, such as ESG and climate change, helping organisations to build or rebuild trust.

Why you need to act now to strengthen your risk management and internal controls

The Government’s proposed reforms to audit and corporate governance include measures that emphasise the need for and importance of better internal controls. These include:

An annual controls declaration required - boards will be required to make an annual declaration in the annual report on the effectiveness of all material controls as at the balance sheet date.

A wide-ranging scope covering all material controls - the declaration will cover all material controls, including (i) financial, (ii) operational, (iii) compliance controls and (iv) non-financial reporting controls.

The basis of declaration to be disclosed - it will include a description of how the board has monitored and reviewed the effectiveness of its risk management and internal control framework.

A need to consider “material” control deficiencies - it will also include a description of any material controls that have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

Whilst the effective date of the revised Code is financial years beginning on or after 1 January 2025, additional implementation time has been allowed for the provisions relating to the declaration on material controls, which will be applicable for financial years beginning on or after 1 January 2026. Until these effective dates, companies should follow the existing 2018 Code.

The FRC has also issued guidance to support the changes to the Code, in particular around internal controls.

How you can strengthen your risk management and internal controls framework

More than ever, the updated Code is bringing risk management and internal controls closer together, and the changes to the Code represent an opportunity for you to rethink how you approach risk, control and assurance. Whether your organisation needs to comply with the Code or not, there are a number of elements that underpin an effective risk management and internal controls framework. At PwC, we think about this through the lens of ‘Enterprise Control.’ What we mean by this is an optimised, right-sized control environment that is focused on key risks and strategic objectives beyond a narrow view of internal control over financial reporting.

Enterprise Control provides panoramic insight, underpinned by trusted data sources and enabled by technology. It allows you to balance the need for transformation and creating new opportunities for growth with building resilience and creating trust and confidence among stakeholders, investors and customers.

A successful control implementation programme requires significant effort, resource and planning from a broad range of stakeholders across an organisation. Understanding what the change means for your business and taking a pragmatic approach will enable you to enhance and optimise your control environment. In our experience there are a number of critical success factors.

Start early

Understand your areas of strength and where you have gaps. Be aware of common pitfalls and set out the improvement that is needed by establishing a roadmap to enhance internal controls. Acting early will let you identify weaknesses early, and allow you time to resolve them.

Appropriately-resourced programme

Establish an appropriately resourced programme to enhance control design, perform operational testing and modify the framework as the business changes.

Focus on optimising controls

Build a right-sized internal control framework that is aligned to your governance model and tailored to business operations for an efficient and cost-effective controls testing programme.

Making use of technology and automation

Establish an integrated internal control framework that drives efficiency, improves quality and provides real-time reporting and insight for management oversight.

Embed controls culture

Enhancing your control environment is not just about processes and controls. From Board level to control owners, you need to create the right culture, encourage the right behaviours and embed change.

What steps could Boards take in their approach to overseeing, monitoring and reviewing the effectiveness of their risk management and internal controls framework?

There are a number of steps that Boards could take in their approach to overseeing, monitoring and reviewing their risk management and internal control framework and to provide a robust foundation for the annual declaration around risk management and internal controls effectiveness required by the revised Code.

The board is ultimately responsible for establishing and maintaining an effective system of risk management and internal control, and for monitoring the system and reviewing its effectiveness (via the audit committee or similar body). To enable this, organisations need to articulate a clear strategy to drive their risk, controls and assurance processes; ensure they have appropriate coordination, commissioning and oversight arrangements in place, ideally defined in a ‘Four Lines of Defence’ model; and assign accountability for implementing their framework effectively.

A comprehensive risk management programme ensures that the framework is risk-led and focused on material areas, and is therefore proportionate.

The focus of the Code’s annual declaration is on material controls. It is logical that these would be the controls that address material risks, so first identifying those material risks as part of a risk management programme is essential. This involves performing a robust risk assessment to identify the areas of reporting that are most at risk of being wrong and that would have the most material impact on the business if they were wrong, along with identifying material compliance and operational risks to the business.

At a practical level, companies will be familiar with financial reporting materiality through the audit process, and all companies with a mature risk management programme will have a process to assess, determine and disclose their principal risks: in effect, they are therefore already assessing material compliance and operational risks. Increasingly, companies are now also responding to new legislation in areas such as sustainability reporting which involves, among other things, a requirement to conduct materiality assessments over non-financial information.

Each material financial, reporting, operational or compliance risk could have a potentially large number of controls to mitigate that risk. To ensure a strong yet proportionate assessment process, businesses should identify the controls they consider most effective in addressing those risks; in other words, their ‘material’ controls.

The FRC has indicated that boards should use their judgement to define what a material control is. In brief, therefore, organisations will need to consider which control, or controls, they consider the most effective at reducing the level of residual risk associated with any material risk to a tolerable level. This control, or controls, would therefore be considered ‘material.’

Material controls, once identified, should be clearly documented and reviewed to ensure they are designed to a sufficient level of detail, and that they mitigate the relevant risk effectively. In order to determine this, management should consider elements such as the objective of the control; the level of precision it will be performed to; whether an appropriate team member performs the control and how frequently the control operates; whether the control relies on a system-driven element; and whether sufficient evidence is being retained to support ongoing monitoring and assurance.

In assessing and documenting their controls, organisations should not only focus on process controls, but also entity level controls and IT controls around systems and reports that support material processes or controls. In doing so they can develop a holistic picture of the risk and controls framework in place across their business, and the level of coverage it provides.

Boards should consider the level and mix of process and assurance, internal or external, which they consider sufficient (for those that follow the Code, to support their annual declaration). They will need to consider how much they are comfortable relying on self-certification of controls design and operation, how much they want independent testing and assurance (internal or external), and what the nature, extent and quality of that assurance is.

As well as determining their own desire for assurance, organisations should consider whether there are areas of reporting or operational or compliance risk which they will be required or could be expected to have assurance over by third parties, such as shareholders, regulators or other stakeholders. Where this is the case, these requirements should be factored into assurance planning.

At a practical level, organisations should ensure that the results of monitoring, review and other assurance activities across the four lines of defence are reported in an integrated way to provide a ‘big picture’ view of whether material risks are being managed effectively, and to identify any material weaknesses to be reported.

For those that follow the Code, the basis for the Board’s annual declaration should draw on this, setting out how they have monitored and reviewed their systems over the reporting period, and how the board can be content that their conclusion regarding the effectiveness of the systems is appropriate.

Dual-listed entities - what you need to know

The FRC is clear that the updated Code requirements are not the same as those under US SOx and that it is not expecting organisations to take the same approach - much more is left to the Board’s judgement and the Code is on a comply or explain basis rather than a legal requirement. That said, if your business is dual-listed and you are already complying with a regime such as US SOx, for example, you are starting from a position of strength in that you will have already defined your material (key) internal controls over financial reporting (ICFR) and have governance, oversight and assurance arrangements in place which can be leveraged. For most companies, we do not expect that compliance with the Code would require any additional work to be performed over ICFR.

However, as the Code is broader than US SOx in that the declaration covers all material controls rather than just ICFR, you will need to consider non-financial reporting, operational and compliance controls along with the overarching risk management processes underpinning your framework. In doing so, US SOx filers could consider which elements of their approach to ICFR could be leveraged more widely to this broader set of controls, but without replicating the full SOx approach.

Find out what the changes to the UK Corporate Governance Code mean for your organisation and how we can help you strengthen your risk management and internal controls regime.

PwC Webinar

Revised UK Corporate Governance Code

Following the publication of the updated Code by the FRC, we hosted a webinar for over 1000 attendees in which we outline the impact of the changes to the Code on businesses and explore the practical steps that they can take to comply.


Contact us

Richard Bailes

Workiva Alliance Leader, PwC United Kingdom

Tel: +44 (0)7715 034917

Lisa Bark

Partner - Business Risks and Controls - FS, PwC United Kingdom

Katie Griffin

Director, Governance, Risk and Compliance, PwC United Kingdom

Tel: +44 (0)7841 567879

Simon Perry

Risk Head of Markets and Services, PwC United Kingdom

Tel: +44 (0)7740 024957