UK Corporate Governance Code 2024

Approach to assurance

• Is it necessary to seek external assurance over the board’s declaration of effectiveness of material controls?
• How can a second line of defence support the objectives of the Code?
• How can Internal Audit support the board’s monitoring and review process? Would you expect Internal Audit to perform independent testing of internal controls?
• Do I only need to consider assurance over processes/controls that can affect the financial statements?
• Is the Audit and Assurance Policy still going to be a requirement?

Is it necessary to seek external assurance over the board’s declaration of effectiveness of material controls?

The Code does not mandate external assurance. However, the FRC’s Guidance does say that 'The board, in conjunction with other committees and management, will decide whether any form of external assurance is necessary. The type of assurance and nature is also a decision for the board, and they may wish to discuss this with their investors.'

On this latter point, it is most likely, for many companies, that management will be responsible for the day to day monitoring and review processes over material aspects of risk management and internal control, and will periodically report on this to the board. However, the board remains ultimately responsible for making the declaration, and will need to consider how comfortable it is relying on delegation and self certification of controls design and operation to management. To help bridge this potential gap, an assurance mapping process, similar to that proposed under the draft legislation for the Audit and Assurance Policy, would be helpful. Under this process, the board would map the material risks and controls to the lines of defence and determine if they thought more 'assurance', internal or external, was needed. As part of this process, the board might choose to obtain some degree of external assurance. Refer to our Restoring Trust guide under the Audit and Assurance Policy for more details on assurance mapping.

How can a second line of defence support the objectives of the Code?

As part of its monitoring and review process, the board should consider the level and mix of process and assurance, both internal or external, which it considers necessary to support the declaration. The role and structure adopted by the second line of defence will be influenced by practical factors such as the extent of business operations requiring coverage, and whether there is already a mature and effective second line function in place.

First line of defence risk and control activities, whilst providing a broad ‘baseline’, are a relatively weak form of assurance unless they are validated and complemented by assurance from other lines. Most large businesses will have an internal audit function, and may also commission additional external assurance. However, the extent of assurance provided by each line will depend on how comfortable the board is relying on self certification of controls design and operation and how much it wants independent testing and assurance (internal or external).

Our view, therefore, is that it is likely that most organisations will incorporate elements of assurance provision from a number of lines of defence. Our Restoring Trust guide provides an example approach to assurance.

How can Internal Audit support the board’s monitoring and review process? Would you expect Internal Audit to perform independent testing of internal controls?

In the guidance, the FRC states that 'Senior management and the board may desire objective assurance and advice on risk and internal control. An adequately resourced Internal Audit function (or its equivalent..) may provide such assurance'. As described further below, in our view, Internal Audit could be a key part of the assurance the board obtains in support of its monitoring and review process. This would most likely include some degree of independent testing by Internal Audit, ideally using a targeted, risk-based approach and could include some degree of cycle-testing.

Do I only need to consider assurance over processes/controls that can affect the financial statements?

The declaration covers all material controls, including financial, operational, reporting and compliance controls, so is not just limited to controls and processes that could impact the financial statements. Therefore, the board’s consideration of the assurance it needs should take into account all of these areas and not just the risks and controls relating to the financial statements.

Is the Audit and Assurance Policy still going to be a requirement?

The Government’s draft Secondary Legislation that required new disclosures (Audit and Assurance Policy (AAP), Resilience Statement, Material Fraud Statement and distributable reserves disclosures) for companies of a certain size (i.e. with 750 employees and £750m annual turnover threshold) was withdrawn in October 2023. The rationale cited by the Government was that it wants to re-look at all aspects of non-financial reporting as part of its ongoing review in this area before issuing any new requirements.

However, each of these reforms have been many years in the making and given a tremendous amount of thought by the Government, FRC, professional institutes and firms. In our experience, many boards appreciate the value that the new disclosures such as the Audit and Assurance Policy would have brought and are considering what elements of these proposals can be taken forward, in its own time and flexed to their own facts and circumstances. In fact, some are moving at pace with 'assurance mapping' processes.

If companies have decided to develop an AAP or have a similar, informal assurance mapping process, the risk assessment for the purposes of assessing the effectiveness of risk management and internal control could be done in conjunction with scoping for the assurance mapping process. An AAP will include what is the most important reported information to the business, so could be a good starting point for determining what financial and non-financial reported information should be in scope. It would also, for most, if not all companies, include the reported principal risks, resilience information and information on fraud risks, so would also help frame the scoping of operational and compliance risks and controls.

Enforcement and accountability

• Will the Code be enforced by the FRC?

Will the Code be enforced by the FRC?

The FRC does not currently have powers to enforce the Code. As noted in its 'Corporate Governance and Stewardship Mythbuster', published in February 2023, when asked whether the Code gives the FRC powers to enforce against directors, the response was 'No, it does not. The Code is a flexible part of a framework that allows companies to develop high quality governance practices for their own particular circumstances which shareholders should understand, engage with and approve. We do monitor reporting against the Code by selecting a random sample of 100 FTSE 350 and Small Cap companies to assess the quality of reporting, which informs our Review of Corporate Governance Reporting each year.'

If the primary legislation that has been expected for some time from the Government is eventually introduced and enacted and the FRC is replaced by the Audit, Reporting and Governance Authority (ARGA), ARGA may have powers to hold directors to account, but we expect this would still be limited in relation to the Code if it retains the comply or explain mechanism.

However, in our view, the additional attention that has been paid to risk management and internal control as part of the multiple reviews and consultations over recent years (e.g. the Brydon Review, Kingman Review and BEIS consultation), has brought it into the spotlight. As a result, it is likely there will be increased external scrutiny going forward over a company’s process and reporting in this area from a broad range of stakeholders.