Getting The Most From The 2024 UK Corporate Governance Reforms
AUTHOR: KNUT HAUGLAND
SENIOR ASSOCIATE CONSULTANT
Knut is a Senior Finance professional with 22+ years of global experience. He specialises in Finance Transformation and Internal Audit, with particular expertise in Risk & Financial Controls, Process Design & Deployment, and Shared-Services Optimisation.
Reform of Audit, Internal Controls and Governance
Following a limited consultation, the Financial Reporting Council updated the 2018 UK Corporate Governance Code in January 2024. The updates aim to balance enhanced transparency against minimising burdens on businesses. The revised code is designed to foster the UK’s growth and competitiveness while maintaining its allure as an investment destination.
The 2024 Code will apply to financial years beginning on or after 1 January 2025, except for provision 29, which will apply to financial years beginning on or after 1 January 2026. The 2018 code’s provision 29 will apply to financial years beginning on or after 1 January 2025.
The Code applies to companies with a premium listing on the London Stock Exchange, regardless of where they are incorporated. This means that all such companies will need to adhere to the new requirements and adjust their governance and control systems as necessary.
The 2024 Code is separated into five sections:
- Board Leadership and Company Purpose;
- Division of Responsibilities;
- Composition, Succession and Evaluation;
- Audit, Risk and Internal Control; and
- Remuneration.
Key Changes in the 2024 Code
The first and most significant revision in the 2024 Code revolves around Provision 29, which deals with internal controls. Companies are now required to provide additional disclosures related to internal controls in their annual reports and accounts. Boards must declare the effectiveness of these internal controls, focusing on managing risks and building resilience over short, medium, and long terms. This is a crucial update that all CFOs need to be aware of.
Boards will have to actively monitor the company’s risk management and internal control systems. This includes conducting an annual review of their effectiveness and reporting on that review in the annual report. The board’s responsibilities extend to all controls, including financial, operational, and compliance, ensuring that the company’s control systems are robust and effective.
The monitoring and review should cover all material controls, including financial, operational and compliance controls. Although the references to ESG were removed in the final version of the code, given the need for material EU subsidiaries to comply with the CSRD and the increasing reputational pressure, we recommend that any “non-mandatory” ESG content in the annual report also be subject to effective controls—especially for IFRS reporters meeting the S1 and S2 disclosure requirements!
There is also some streamlining of the Audit Committee Responsibilities, referencing the “Minimum Standard: Audit Committees and the External Audit.”
The 2024 Code’s emphasis on governance reporting, particularly on Board decisions and their outcomes within the context of a company’s strategy and objectives, is a significant shift. This focus on transparency and accountability now necessitates clear explanations for any departures from the 2024 Code. Additionally, reporting on corporate culture now extends to its integration within the organisation.
Thirdly, the Code underlines the pivotal role of diversity and inclusion in corporate governance, acknowledging the unique perspectives and contributions that a diverse board can bring.
Lastly, the code strengthens malus (reducing bonuses) and clawback (reclaiming bonuses) arrangements, ensuring alignment with performance and accountability.
Audit, Risk & Internal Control
This blog focuses on Section 4: Audit, Risk and Internal Control.
The momentum for a UK version of the Sarbanes-Oxley (SOx) legislation had been building pace, with 79% of CFOs surveyed by the Centre for Audit Quality indicating that SOx had improved the quality of the information in their financial statements.
On the other hand, you may have read or heard many stories of companies feeling like SOx compliance is a beast and adds little value. At Loughridge Transformations, we believe this improvement is a benefit of more robust control effectiveness – something UK CFOs should welcome.
Looking Back at SOx Compliance and Control Effectiveness
The team at Loughridge Transformations has many years of experience working with SOx compliance. While at a top-five FTSE company, they worked with the SOx methodology, design, deployment and audit from its inception in 2004, and they have been working with clients requiring SOx compliance ever since. Some readers may remember that the approach in the early days often felt like “quantity over quality”. The result was hundreds, if not thousands, of non-standardised SOx controls and many unhappy SOx control operators. However, in hindsight, organisations likely chose that approach because the alternative of regulatory non-compliance was unacceptable.
The Next Phase of Compliance
However, for those companies that invested the time and effort, the next phase of the compliance journey was to take a step back and re-think their approach. The list of control effectiveness improvement opportunities was inevitably long. It included, for example, standardisation, classification of key- and non-key controls, and more precise wording of control descriptions.
Ultimately, those companies successfully achieved process and control integration. They reduced the absolute number of SOx controls (not too many or too few) and, most importantly, delivered global standardisation. These efforts led, in turn, to improved adoption from control operators and a much lower percentage of control failures. Consequently, the level and quality of assurance significantly increased.
The Future?
However, some companies still have not yet undertaken the streamlining and rationalising of their SOx control framework. As a result, they “suffer” year after year with an unnecessarily burdensome control framework.
Of course, executing financial controls will typically be labour-intensive. The controls require gathering evidence of execution, secure filing, positive control confirmation, testing of controls, and management reporting.
On the other hand, many organisations are still working with audits based on substantive testing. They have not yet moved towards the controls-based approach that SOx requires and that will be an excellent foundation for meeting the FRC’s 2024 Code. If organisations work with substantive testing, they can expect physical inspections, examination of records and checking of calculations rather than a focus on the design and operating effectiveness of the controls themselves.
So, How Does Successful Control Design and Deployment Look?
Successful design and implementation depend on analysing where the organisation needs SOx controls and reviewing the associated risks. As a result, a good starting point is materiality. After all, a control framework gives assurance of “materially correct” financial statements. Therefore, the more material the numbers flowing through an account, set of accounts, or process, the greater the likelihood you will need to assure material correctness.
A Straightforward Example:
For example, say your organisation has a thousand Balance Sheet accounts reconciled monthly, quarterly or annually. Usually, the values in the organisation’s Balance Sheet accounts are substantial. Therefore, you would want a robust SOx control to assure accuracy and completeness.
The critical question is, “Should all one thousand accounts be in scope for a SOx control?” If you want to answer yes, you may set yourself up for a burdensome and labour-intensive monthly or quarterly exercise. The result could be that “quick and dirty” reconciliations are performed to complete them before external financial reporting. Measured against the spirit of SOx and any other control framework, the value-add of such an exercise is much lower, and it will not provide the intended and required assurance.
We strongly recommend considering our example and looking into the process and actual risk. Materiality forms an essential component of the assurance of Financial Controls. It is no less the case for SOx compliance. That means that you should review the thousand Balance Sheet accounts. Select the top five to ten per cent of the most material for review and reconcile following a SOx-compliant procedure. It is not uncommon to find that the top five to ten per cent account for eighty per cent or more of the total value of the thousand accounts.
In other words, you can design a control-effective process where the most material accounts are selected. Those executing the reconciliations will have much more time to properly scrutinise these accounts and take corrective action before the external financial reporting. So, what happens to the rest of the Balance Sheet accounts? They should also be subject to proper reconciliation and scrutiny, but this can be a broader process step, not a formal SOx control.
Another Practical Example of Streamlining?
In our consultants’ corporate experience and with clients, we often see examples of manual reconciliations, perhaps between accounts or sub-ledgers. Team members frequently overlook that the system, or a simple add-on or re-configuration, can automatically perform the reconciliation. Where that option exists, only a system-enabled (SOx) control that describes the automatic reconciliation is required. That control would typically only be subject to control testing every second year.
The Benefits of Standardisation
Global standardisation is another opportunity for companies following the updated FRC Code. If there are operations in multiple regions worldwide, it can be hugely beneficial to standardise and automate the (SOx) controls where possible. The same mitigating control can apply if the same risk exists in several locations. It saves time in the design, training and eventual testing. Those savings translate into a significant positive impact on the bottom line.
Recent Control Effectiveness Experiences
All companies in scope for the FRC 2024 Code will likely already have a control framework in some shape or form. For example, at Loughridge Transformations, we recently worked with a client where we reviewed the control framework. We will use one real-life example to illustrate how you can enhance existing AS-IS controls. The result is more robust and ultimately compliant with regulation.
The Existing Description
Our client’s AS-IS Key Control on the monthly review and approval of the “Board Pack” was written down in the organisation’s Financial Manual. It read, more or less, as follows:
- Month-End closed to ensure adequate time for review
- Finance performs Board report analysis
- Results reviewed by the CFO before being presented in the Board Pack.
For this process, no associated risks were detailed in the Finance Manual.
This is not uncommon, but what is described here is a process. It is not a control that gives any form of assurance to the management. To be clear, nothing is inaccurate in the client’s AS-IS process description. However, it is inadequate in terms of control effectiveness.
Enhancing the Control Description
A standalone control description is more meaningful when enhanced to include the following:
- Who?
- What?
- Why?
- Where?
- When? and
- How?
Including these in the description facilitates proper testing of the control effectiveness. A Control Operating Procedure will usually accompany a control description. Nevertheless, it would be best to aim for a crisp and clear control description that allows the reader to understand the critical points of the control and perform a test for effectiveness.
Our Proposal
Based on a couple of video meetings with our client to discuss the end-to-end process, our proposal for a TO-BE control description was as follows:
- Risk – every control should have an associated risk – otherwise, there is nothing to mitigate.
  - “Reported Management Information is not complete/accurate and/or inadequate corporate performance management – both resulting in the inability of management to make sound business decisions.”
- Control Objective – every control should also have a control objective.
  - “To ensure that Management Information is complete and accurate and compiled in a fit for purpose format/layout allowing management to analyse the presented data and make sound business decisions.”
- Control Description – based on the above risk and objective.
  - “To ensure that the monthly Board Report information is complete/accurate and analysed, including commentaries, the Senior Finance Manager runs BS & P&L reports (insert exact report names) from ERP in preparation for the Board Pack. They perform 1st-level analysis with commentaries, including variances, fluctuations against budget, cash flow, and other highlights. At least four workdays before the Board Report meeting, the Board Pack is sent to the CFO for final review. The CFO reviews the pack with commentaries and their own analytical review, highlights any queries or review points, and, where applicable, sends them back to the Senior Finance Manager for clarification/investigation before the Board Report meeting.
  - The CFO presents the Board Pack to the Board at their meeting. The results are discussed and challenged by the Board. Minutes and actions from the meeting are captured and, where applicable, cascaded to the Senior Finance Manager for follow-up.
  - The Senior Finance Manager files the minutes/actions from the Board meeting and the Board pack and ERP reports on SharePoint site XYZ as evidence.”
You will now see that this control description identifies the Control Owner and Operator. In addition, the description states the control frequency, and you can determine the control characteristic and its type. The description also includes evidence that makes the eventual testing much more efficient and manageable. It covers all elements required for assurance of effectiveness to the management.
Control Effectiveness Enhances Governance
Our key message is that it is crucial to educate your C-suite and board as we move towards the 2024 Code updates taking effect for 2025 data. Equally important will be to ensure that senior and middle management has a good understanding of the requirements. Their support early on will enable your success. It results in the new internal controls reporting requirements not being seen as simply a checkbox for the organisation but instead strengthening its governance. At the same time, the Board will have the needed assurance on the new requirements, so they can also sleep well at night!
Need More Support on Control Effectiveness?
If you need support to enhance your control effectiveness, we are here to help. Whether you need guidance to get started or a comprehensive solution to process your findings and implement improvements, we can provide the support you need. Our services include fit-for-purpose design, testing, and implementation of controls. So, if you need assistance, don’t hesitate to get in touch. We’re here to ensure your success and the effectiveness of your controls.