Battle lines drawn on internal controls as FRC closes consultation on new Corporate Governance Code

October 5, 2023

According to the Chartered IIA, internal audit should be placed at the forefront of a new Code

Putting internal audit front and centre of a revamped Corporate Governance Code is a smart step, according to Gavin Hayes, head of policy and public affairs at the Chartered Institute of Internal Auditors (Chartered IIA)

Hayes’ comments shortly followed the closure of a consultation on a revised Code on 13th September. The consultation asked for responses to proposals including a framework for “effective controls to provide a stronger basis for reporting on and evidencing their effectiveness”.

The Chartered IIA’s consultation response argues that increased focus on strengthening internal controls is timely, describing it “as a critical element” of effective corporate governance.

“We are pleased to see the spotlight on internal control, assurance and resilience and these issues finally getting the attention they deserve.”

Hayes reinforces this, saying the Chartered IIA is onboard with the thrust of the proposals, but does have one key concern.

There is a need for the code to make it explicit and “crystal clear”, not just implicit, that internal audit is crucially important, he says

“It should be clear that the audit committee maintains an internal audit function against internationally-recognised standards.”

The Chartered IIA, Hayes says, has looked at other G20 countries and found that more than half stated in its codes that an audit committee should hold the internal audit function.

Debate over corporate governance and compliance
Similarly, The Institute of Chartered Accountants in England and Wales (ICAEW) warned in a recent statement that the UK’s reputation as “an example of global best practice” is at risk, arguing that the proposed code does not meet “major aspects of the new G20/OECD Principles for Corporate Governance”.

It also warns “that many of the proposed changes to the Code could be onerous to implement, requiring substantial additional work”, and that there is a “missed opportunity” surrounding sustainability and ethical compliance requirements for companies.

But this issue of compliance in the area of internal controls is a battleground where some of the accountancy sector’s major players disagree.

The Institute of Chartered Accountants of Scotland (ICAS) says one of the most pressing items in the in-tray is the question of whether the proposed internal controls are too broad in scope.

“It should only be internal controls over financial reporting,” James Barbour, director of policy leadership at ICAS, told Accountancy Age.

Otherwise, the new code, with its “significant changes” could be “too onerous” and “quite an ask” for companies to meet, he says, echoing the comments made by ICAEW.

He argues that the controls being put forward by FRC put at risk the UK’s environment as “an inviting place to invest”.

“We would also like clarification on how the UK would avoid the detail, complexity and onerous burdens which are causing concern,” ICAS says in its consultation response.

Scope and implementability
ICAS believes annual reports may be become unwieldy and difficult to read if the requirements on internal reporting become too wide-ranging.

Barbour stresses the importance of the guidance that will accompany the final code, saying this will help many companies where there is a lot of work to achieve compliance.

With about 12 months to ensure compliance with the code, assuming a publication date early next year and a 1st January 2025 implementation date, there will be little time to develop new controls and processes, he says.

ICAS’ response also expresses the need for company directors to show ethical leadership., arguing that a code of conduct for directors should be introduced.

This code of conduct needs to be publicly available to ensure transparency, Barbour says, and as a signal that the UK sees this as a priority.

One major accountancy firm, which hasn’t made its response public, told Accountancy Age that the code is “too fuzzy”, and not specific enough on which regulatory framework to use.

For example, one option is the United States’ Sarbanes Oxley (SOX) model with the ‘COSO’ framework, which is well-known, and is recognised for its stringent requirements backed by legal requirements.

Without clear information about the model FRC wants UK companies to use, some smaller ones may just do the minimum they believe is needed to comply, the firm says.

There are also questions about who is going to police the new code, AA was told, with no timetable yet for the successor to FRC, the Audit, Reporting and Governance Authority (ARGA), being introduced.

[Accountancy Age]