UK Corporate Governance Code

The UK Corporate Governance Code (CGC) is published by the Financial Reporting Council (FRC) and sets out standards of good practice for listed companies on board composition and development, remuneration, shareholder relations, accountability and audit. On 24 May 2023, the FRC launched a public consultation on the proposed revisions to the code, following the UK government's response to the white paper “Restoring Trust in Audit and Corporate Governance.”

The consultation document has five sections:

  1. Board leadership and company purpose
  2. Division of responsibilities
  3. Composition, succession, and evaluation
  4. Audit, risk and internal control
  5. Remuneration

Link to the consultation document: https://www.frc.org.uk/consultation-list/2023/corporate-governance-code-consultation

Who does the UK CGC apply to and when does it come into effect?

The UK CGC applies to all companies with a premium listing on the London Stock Exchange, irrespective of the place of incorporation. The reporting requirements relate to the annual accounting policy and resilience statement of companies which have 750 or more employees and a turnover of £750 million or more, referred to as Public Interest Entities.

The revised code will apply to financial year ends commencing on or after 1 January 2025.

Which of the proposed changes to the UK CGC will impact an IT internal audit (IA) function?

The public consultation on the proposed revisions to the code focuses largely on internal controls, assurance and resilience. Some of the key revisions that will impact IT IA functions are highlighted below:

• Audit and Assurance Policy (AAP) – Organisations will be required to develop the AAP on a triennial basis. This will be combined with an annual implementation report included in the annual reports and accounts, and will detail how the organisation will assure the accuracy of information in and beyond financial statements. This will incorporate details of any external assurance sought, including relevant standards, the internal auditing and assurance process, and the policy of tendering services from the external auditor.

• Internal control framework – The board will be responsible for maintaining an effective risk management and internal control framework, and for reviewing and reporting on the effectiveness of operation of material internal controls, including operational, reporting and compliance controls. The board will be required to make a declaration on whether it can reasonably conclude that risk management and internal control systems have been effective throughout the accounting period and up to the date of the annual report, and to provide a description of any material weaknesses or failures identified, the remedial actions being taken and the expected time frame.

• Resilience statement – Organisations are required to establish an approach to managing risk and developing resilience and issue an annual resilience statement to set out how the directors have assessed the company’s prospects and addressed challenges to the business model over the short, medium, and long term.

What are the key considerations for an IT IA function?

The FRC plans to issue updated guidance on risk management, internal controls and related financial and business reporting later this year. This will include guidance on the role of the IA function as an independent source of assurance within the company. To address this guidance, IT IA functions should consider the following:

• Has your organisation developed a common understanding of key financial and non-financial risks (including IT risks), and the key processes in place to identify and mitigate these risks?

• How mature is your organisation’s IT process, risk and control framework? Is it rolled out across the whole enterprise, including coverage of IT assets related to “operational, compliance and reporting” activities?

• Does your audit methodology require you to periodically assess the effectiveness of IT controls throughout your accounting period, or is it more aligned to ‘point-in-time’ assessments?

• Does your audit plan include an assessment of your organisation’s IT risk management framework?

• Does your organisation have an existing resilience function and, if so, how is this function integrated with the broader enterprise risk management and reporting processes? Does your audit plan consider an assessment of the effectiveness of this function?

In summary, IT IA functions will be required to play a key role in enabling organisations to meet the proposed requirements of the updated UK CGC. The proposed changes to the code, and the further guidance expected to be released by the FRC this year, will emphasise the role of IT IA functions in providing assurance over the completeness and accuracy of financial and non-financial reporting. As such, it is important that IT IA functions work proactively with the board, audit committee and risk functions to consider the impact of UK corporate governance reform and help to shape the response of their organisation.

Disclaimer: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.

It’s been a pleasure to share these blogs alongside you Michael; we’ll miss you in retirement but look forward to the baton passing to Dupinder Kaur Aujla to continue these blogs with me.
