Gearing Up for the New UK Corporate Governance Code: Connecting Internal Controls Across the Business

The UK Corporate Governance Code (Code) is changing, and organisations should be getting ready with proactive support from their risk and assurance professionals. Most of the updates to the Code released are required starting January 2025 (Provision 29 comes into force 12 months later). 

This timing coincides nicely with the introduction of the Institute of Internal Auditors’ Global Internal Audit Standards, creating plenty of opportunity for review, reflection, and improvement. Internal audit functions are busy performing gap analyses and updating their charters, manuals, templates, and training materials in readiness. One of the strongest themes in the Global Internal Audit Standards is the increased emphasis on interaction among boards (aka audit committees), senior management, and the Chief Audit Executive, especially regarding the “essential conditions.” This dovetails well with the bigger role boards are expected to play under the Code in monitoring and reporting on the adequacy and effectiveness of risk management and internal control. 

In this article, we’ll highlight key elements of changes to the Code that all organisations should be aware of and offer some insights for leveling up your control environment. For a deeper dive into how internal audit and internal controls professionals expect the reforms to impact their organisations, download AuditBoard’s report, UK Corporate Governance: Turning Compliance Into a Strategic Advantage.

Headline Changes to the UK Corporate Governance Code 

Of particular interest to internal auditors looking to support their companies in conforming to the Code are three principles contained in Section Four of the Code:

• Principle 1 strengthens the provisions for the independence of both internal and external auditing and the objectivity of auditors.
• Principle 2 calls for a “balanced and understandable” assessment of risk and internal control.
• Principle 3 establishes the requirement for an effective risk management and internal control framework.

These increase the board’s role to include not just establishing, but also maintaining the effectiveness of the risk and control framework, requiring continuous monitoring with an annual assessment and a jargon-free report intelligible to all stakeholders. “Framework” refers to the structures, processes, objectives, and standards adopted and adapted by the organisation to implement risk management and internal control, which may be drawn from COSO or ISO, for example, or devised internally.

To assist them, boards need appropriate information at and between meetings through attestations and assurance from internal and external sources, including internal audit’s annual assurance opinion. These inputs will support a yearly assessment reflective of the organisation’s willingness to accept risk (risk appetite), its risk culture, its risk management processes, and its ability to identify and respond to control deficiencies.

Furthermore, the annual assessment must cover and include a declaration on the effectiveness of “all material controls, including financial, operational, reporting, and compliance controls.”

As Ann notes, no definition is given of “material controls,” but these things are very familiar to internal auditors, and Ann suggests linking the concept to the relative materiality of risks thus forming the basis of a useful discussion with the board. Deciding what is material is a judgment based on qualitative and quantitative factors unique to every organisation, its priorities, circumstances, and risk appetite. The Code is not able to provide a definitive list and leaves it to organisations to determine. This is no small task. The set of controls designed to treat material risks might run to 200 or more, and therefore criteria to help prioritise these are needed. This can be the approach used for developing an internal audit plan, and therefore leveraging the development process and the assurance provided can support Principle 29 of the Code significantly. 

It is important to recognise that the process sitting to support Principle 29 needs to be documented, and the report written in plain English. Any material controls that have not operated effectively must be noted.

Overcoming Obstacles to Strengthening Your Internal Control Environment 

What difficulties are organisations likely to encounter in honing the strength of their risk and control framework? Based on extensive interactions between AuditBoard and its customers over 10 years, Tom has identified some common pain points, including:

• Creating an organisation-wide risk register and controls library.
• Establishing risk and control ownership.
• Providing leadership with sufficient line of sight into risk management and internal control.
• Gaining real-time insights into control effectiveness.

Addressing these common challenges is key to strengthening the control environment. Tom has some IDEAS (Inform, Delegate, Eliminate, Automate, Share) on how to do this:

Inform

In an advisory capacity, internal auditors have plenty of scope to raise awareness and provide training programmes for risk and control owners aimed at reducing the occurrence of failures through greater anticipation and enabling quicker and better responses when controls do fail. Auditors have a great deal of expertise in evaluating controls and can share these approaches and tools with those at the frontline.

Delegate

Internal auditors may help with the development and initial implementation of controls, but it is important that there is an exit strategy to hand these over. “Continuous auditing” is really a misnomer for what should be management’s job. Auditors can help transition the tools for monitoring and testing to the appropriate control owner. Peers can test for each other. This is more effective when there is adequate documentation, and some organisations have a GRC coordinator to ensure coherence across the many controls being implemented. However, internal auditing needs to be focused on delivering relevant, timely, and valuable assurance and advice.

Eliminate

There is a tendency to add and improve controls, which results in being somewhat over-controlled. Part of our efforts need to be expended toward reducing and eliminating unnecessary controls. Risks change and controls need to reflect that. This includes enabling control owners to self-identify and correct control deficiencies, thus increasing the level of confidence and reducing the need for additional assurance.

Automate

Wherever possible, automation is a no-brainer. There are many tools available. Technology is a great multiplier. Not only does it improve control, but it also strengthens the ability of auditing to provide higher levels of assurance. It also improves the relationship between the control and the control owner

Share

There is a great chance for internal auditors to be ambassadors of successful control, to share best practices, and be advocates for real ownership at the coalface.

Gearing Up for the UK Corporate Governance Code

We hope these insights help you and your organisation prepare for connecting risks and controls across your business to drive compliance with the UK’s Corporate Governance Code Reform. Download AuditBoard’s report, UK Corporate Governance: Turning Compliance Into a Strategic Advantage to learn how other organisations are approaching changes to the Code and what actions you can take to prepare.