The Government has withdrawn the proposed secondary corporate governance reform legislation it outlined in July. Emma Young explains the potential impact of this change and how you can move your internal control and fraud projects forward.

January 2024 update - the FRC have now published a revised Corporate Governance Code with new Internal Control reporting requirements. For the latest see FRC Code update improves internal controls reporting

Updated to reflect the FRC announcement on 7 November 2023

Corporate reform proposals developed by the government in the wake of the Brydon, Kingman, and CMA independent reviews and high-profile corporate failures, such as Carillion, have required multiple parties to implement. The proposals cover different aspects of risk management, such as how it impacts decision-making and resilience (resilience statement), how management can ensure it's based on reliable and complete information (internal controls and fraud); and what assurance is available to have trust in the reporting (audit and assurance policy).

Some of them were intended to be implemented by legislation, others such as the internal control requirements (UK SOX) would need further consultation by the Financial Reporting Council (FRC) and will be applied through the UK Corporate Governance Code (the Code).

In a move that has surprised many, on 16 October 2023 the government announced it has withdrawn the legislation after companies and industry bodies again raised concerns about onerous reporting requirements.

On 7 November 2023 the FRC responded with a statement indicating what next steps they will take and made it clear that they had listened to the wider debate on business reporting requirements in finalising their risk and internal control revisions to the Code.

What are the changes to the current corporate governance plans?

The government has now said that they'll pursue options to streamline and simplify existing corporate reporting.

While there was no direct impact on the FRC’s proposed changes to the Code (as an independent regulator), the FRC's latest statement sets out that they will now take forward only a handful of the original 18 proposed changes. For now, they will only focus on internal control updates to the Code. They make it clear that this has been done in response to the feedback from their own consultation during the summer, wider discussions on burdensome reporting, and competitiveness of the UK.  More time will now be given for implementation, and more thinking will be done to ensure the UK approach is more targeted and less intrusive than the US SOX approach. There will be a few other changes made to streamline the requirements in the Code, where the published updates are promised to be out in January 2024.

The government has indicated they still plan to debate primary legislation proposals, including setting up the FRC's replacement, the 'Audit, Reporting, and Governance Authority' (ARGA), when parliamentary time allows, and that they remain committed to streamlining corporate reporting requirements. It's not clear what this means or when proposals would apply.

The government’s planned Economic  Crime and Corporate Transparency Bill, including the new failure to prevent fraud offences, is still expected in 2024.

If you've already started working on projects to get ready for the proposed changes you may be wondering what you should be doing.

To be the first to hear about our new 2023 Corporate Governance Review, sign up here

A guide for what the announcement means for you

For now, the most pragmatic response for companies to take is to focus on ‘no regret’ activities until the FRC publishes the final changes to the Code. The two key areas we're seeing organisations continue to prioritise relate to internal controls and fraud risk frameworks.

Proposals What has changed Next steps

Resilience statement

Combines and enhances existing going concern and viability disclosures.

Must include at least one reverse stress test and outline material uncertainties.


New requirement removed

Existing going concern and viability statements will remain.

Halt work on resilience statements

Internal controls

Provision of a stronger basis for reporting on and evidencing the effectiveness of internal controls around year-end reporting.

No impact from the withdrawal

This is a requirement in the FRC's planned changes to the revised Code now expected in January 2024.

Remains to be seen if and how the scope of this internal control initiative extends from financial to operational and compliance controls as the FRC had originally suggested and what the implementation timeline will be.

Continue with ‘no regret’ activities

Companies should focus on significant financial reporting risk areas and ensure there are robust business and technology control frameworks in place.

The UK already has various well-established requirements relating to the internal control environment (for listed and large private businesses under the Companies Act and Wates Principles, and those that voluntarily align to the Code). However, in our experience, the nature and extent of these frameworks vary widely.

Are you comfortable and confident that your financial control framework is robust, value-adding, and monitored?


Fraud risk management

The onus on directors to identify, prevent and report on steps taken to mitigate/manage fraud risks. Building on the package proposed by Brydon.

New requirement removed

New failure to prevent fraud offence is still planned for
large companies in 2024

Continue with ‘no regret’ activities

The new Economic Crime and Corporate Transparency Bill is expected in the new year. Companies need to make sure they have reasonable procedures in place and have established an effective fraud risk management framework.

How mature and embedded is your fraud risk framework and what assurance do you have that it operates effectively?


Audit and assurance policy (AAP)

Outline the approach to assurance over reported information.

New requirement removed for listed and non listed businesses



Halt work

The benefits of developing an integrated assurance map remain so consider continuing this activity where not yet completed.

Capital dividend disclosures 

Introducing disclosures on distributable reserves and a narrative explanation of the board's long-term approach.


New requirement removed

Halt work on new disclosures

* Subject to change when the FRC publishes its own proposals


Instrument  Government activity  FRC activity 
Primary legislation  Secondary legislation 

Revisions to the Code


Revisions to ethical standards 

Includes setting up ARGA, expanding PIE definition, increasing director accountability and audit market competition measures.

Includes AAP, resilience statement, fraud reporting, and reporting on distributable reserves.

Changes to board and audit committee responsibilities, includes and/or incorporates internal controls, AAP and resilience statement.

Updates include the new PIE definition.



Legislation is likely to be delayed until post general election in 2024/25.



The government is "still committed" to streamlining reporting requirements.



The impact of the government withdrawing legislation is not clear. The earliest effective date is 1 January 2025. 



Consultation closes this month with planned implementation in 2024.



For the latest updates on responding to the ICFR requirements access our 
Controls Advisory Hub

Learn more about how our Controls advisory services can help you
Uncover what you need to know about UK ICFR/SOX compliance.
Learn more about how our Controls advisory services can help you
Visit our Controls advisory page

For more insight and guidance get in touch with Eddie BestEmma Young and 
Paul Young.

Heads of internal audit: technical updates and guidance to support your role

Get the latest insights, events and guidance, straight to your inbox.