Updated to reflect the FRC announcement on 7 November 2023
Corporate reform proposals developed by the government in the wake of the Brydon, Kingman, and CMA independent reviews and high-profile corporate failures, such as Carillion, have required multiple parties to implement. The proposals cover different aspects of risk management, such as how it impacts decision-making and resilience (resilience statement), how management can ensure it's based on reliable and complete information (internal controls and fraud); and what assurance is available to have trust in the reporting (audit and assurance policy).
Some of them were intended to be implemented by legislation, others such as the internal control requirements (UK SOX) would need further consultation by the Financial Reporting Council (FRC) and will be applied through the UK Corporate Governance Code (the Code).
In a move that has surprised many, on 16 October 2023 the government announced it has withdrawn the legislation after companies and industry bodies again raised concerns about onerous reporting requirements.
On 7 November 2023 the FRC responded with a statement indicating what next steps they will take and made it clear that they had listened to the wider debate on business reporting requirements in finalising their risk and internal control revisions to the Code.
The government has now said that they'll pursue options to streamline and simplify existing corporate reporting.
While there was no direct impact on the FRC’s proposed changes to the Code (as an independent regulator), the FRC's latest statement sets out that they will now take forward only a handful of the original 18 proposed changes. For now, they will only focus on internal control updates to the Code. They make it clear that this has been done in response to the feedback from their own consultation during the summer, wider discussions on burdensome reporting, and competitiveness of the UK. More time will now be given for implementation, and more thinking will be done to ensure the UK approach is more targeted and less intrusive than the US SOX approach. There will be a few other changes made to streamline the requirements in the Code, where the published updates are promised to be out in January 2024.
The government has indicated they still plan to debate primary legislation proposals, including setting up the FRC's replacement, the 'Audit, Reporting, and Governance Authority' (ARGA), when parliamentary time allows, and that they remain committed to streamlining corporate reporting requirements. It's not clear what this means or when proposals would apply.
The government’s planned Economic Crime and Corporate Transparency Bill, including the new failure to prevent fraud offences, is still expected in 2024.
If you've already started working on projects to get ready for the proposed changes you may be wondering what you should be doing.
For now, the most pragmatic response for companies to take is to focus on ‘no regret’ activities until the FRC publishes the final changes to the Code. The two key areas we're seeing organisations continue to prioritise relate to internal controls and fraud risk frameworks.
| Proposals | What has changed | Next steps |
|---|---|---|
|
Resilience statement Combines and enhances existing going concern and viability disclosures. Must include at least one reverse stress test and outline material uncertainties.
|
New requirement removed Existing going concern and viability statements will remain. |
Halt work on resilience statements |
|
Internal controls Provision of a stronger basis for reporting on and evidencing the effectiveness of internal controls around year-end reporting. |
No impact from the withdrawal This is a requirement in the FRC's planned changes to the revised Code now expected in January 2024. Remains to be seen if and how the scope of this internal control initiative extends from financial to operational and compliance controls as the FRC had originally suggested and what the implementation timeline will be. |
Continue with ‘no regret’ activities Companies should focus on significant financial reporting risk areas and ensure there are robust business and technology control frameworks in place. The UK already has various well-established requirements relating to the internal control environment (for listed and large private businesses under the Companies Act and Wates Principles, and those that voluntarily align to the Code). However, in our experience, the nature and extent of these frameworks vary widely. Are you comfortable and confident that your financial control framework is robust, value-adding, and monitored?
|
|
Fraud risk management The onus on directors to identify, prevent and report on steps taken to mitigate/manage fraud risks. Building on the package proposed by Brydon. |
New requirement removed New failure to prevent fraud offence is still planned for |
Continue with ‘no regret’ activities The new Economic Crime and Corporate Transparency Bill is expected in the new year. Companies need to make sure they have reasonable procedures in place and have established an effective fraud risk management framework. How mature and embedded is your fraud risk framework and what assurance do you have that it operates effectively?
|
|
Audit and assurance policy (AAP) |
New requirement removed for listed and non listed businesses
|
Halt work The benefits of developing an integrated assurance map remain so consider continuing this activity where not yet completed. |
|
Capital dividend disclosures Introducing disclosures on distributable reserves and a narrative explanation of the board's long-term approach.
|
New requirement removed |
Halt work on new disclosures |
* Subject to change when the FRC publishes its own proposals
| Instrument | Government activity | FRC activity | ||
| Primary legislation | Secondary legislation |
Revisions to the Code
|
Revisions to ethical standards | |
| Actions |
Includes setting up ARGA, expanding PIE definition, increasing director accountability and audit market competition measures. |
Includes AAP, resilience statement, fraud reporting, and reporting on distributable reserves. |
Changes to board and audit committee responsibilities, includes and/or incorporates internal controls, AAP and resilience statement. |
Updates include the new PIE definition. |
| Status |
Delayed Legislation is likely to be delayed until post general election in 2024/25.
|
Withdrawn The government is "still committed" to streamlining reporting requirements.
|
Progressing The impact of the government withdrawing legislation is not clear. The earliest effective date is 1 January 2025.
|
Consultation Consultation closes this month with planned implementation in 2024.
|
For the latest updates on responding to the ICFR requirements access our
Controls Advisory Hub →
For more insight and guidance get in touch with Eddie Best, Emma Young and
Paul Young.
