The UK government has set out to overhaul audit and corporate governance to help restore trust in big businesses. With this, there will be increased accountability for firms and more effective corporate reporting. The final response was significantly watered down from the original proposal. However, many expect this to be reviewed and built upon over time.

Following the 2021/22 consultation and subsequent response which addresses how major companies are audited, there are three key outcomes expected to help strengthen audit and corporate reporting:

  1. The Public Interest Entity (PIE) definition has been expanded to include large companies with 750 employees or more, and turnover of £750m or more. As a result, approximately 600 additional companies will become PIEs.
  2. Internal Controls: Boards of premium listed companies will be required to make an explicit statement about their effectiveness. This will be enforced via expansion of the UK Corporate Governance Code, and it will be required that companies consider seeking external assurance over their assessment. This is expected to be rolled out by year end 2024.
  3. Annual Assurance Policy (AAP): published every three years, this will require companies to set out their approach to assurance over internal controls reporting and explain processes in place for internal audit findings and reporting.

Despite a diluted ‘UK SOx’ approach, firms need to review their internal controls processes

Whether you will be directly impacted as a result of the recent consultation or not, refining your internal controls is both a necessary and valuable activity to support transformation. Robust internal controls are critical to enhancing businesses' resilience, reducing the risk of corporate failure, and cementing the trust which investors and the wider public place in corporate reporting.

Irrespective of regulatory requirements, companies will still need to review existing processes and frameworks to make sure they are effectively operating and monitoring their controls.

We recommend a risk-based framework

We have worked with many organisations across the industry already to enhance their internal controls. Using our risk-based approach, we focus in on the areas of greatest risk, rather than starting from scratch, as this is the quickest and most effective path for firms to enhance their internal controls framework.

Here are three steps to consider at the start of reviewing these processes and frameworks:

1. Clarify your objectives and desired outcomes

It is critical to set off with a clear understanding of why and what you want to achieve. This will drive the level of detail and focus required to concentrate your efforts, and to measure the effectiveness of the programme of activities. An increasing number of our clients are already looking to simplify their risk and controls frameworks.

To facilitate this, it will be necessary to gather relevant information to help you set and achieve your objectives. These include:

  • Assessing the current landscape – Use available data and records, such as process maps and risk and control documentation, to identify key risks and evaluate the current critical controls landscape. Determine whether there are existing systems used for documenting risks and controls, and whether these are adequate.
  • Getting the structure right
    • What are the taxonomies and hierarchies that will be referenced, for example, team names, products, system names, business areas?
    • What is the overarching structure of the processes that gives the work context?
    • What are the control attributes that need to be captured?
    • Are we referencing any IT frameworks like COBIT (Control Objectives for Information and Related Technologies) and ITIL (Information Technology Infrastructure Library)?

2. Agree the governance

Deciding who will own the controls framework and how it will be managed is something that should be agreed in advance to get the best outcomes. Ideally this governance should approve the basic parameters of the framework and its objectives prior to starting work. For example:

  • Who owns the processes and controls?
  • How will they be signed off and maintained?
  • Links to SMCR (the Senior Managers and Certification Regime) where relevant

3. Identify and develop a pilot

Define a pilot and take a process-led approach to capture the required control detail. This should use walkthroughs or process mapping to identify and capture all of the real-world control points in action.

To ensure the effectiveness of your pilot, your strategy should include the following:

  • Back test for completeness
    • It is key to test for completeness against reliable sources; these could be incident logs, system logs, existing registers, procedure documents, and org charts.
  • Identify control gaps and remediate
    • Where there are risks without adequate controls, these points should be identified and a decision made on remediation.
  • Maintain and assess
    • Controls need to be maintained through a process of periodic revalidation.
    • There should also be regular assessment and testing of performance.

With lessons learnt from running the pilot, you can create and roll out a tailored approach to all areas and processes in scope. For most firms, it’s not just about being compliant – it’s about future proofing and staying ahead in order to protect your business and mitigate risks as the scope of the rules expands in the future.

We’re already helping clients with their internal controls to deliver sustainable change. But don’t just take our word for it – we worked with one major insurer to help with their internal controls ambition, as well as with a mining company to help them deliver enhanced risk management processes.

If you'd like to know more about operational controls excellence, please contact us.
