What’s next for internal controls in the UK?
The UK SOX debate has shone a light on the extensive current requirements of the UK Corporate Governance Code and the need for a recognised framework and ongoing evidence for stakeholders, management teams and Boards to know internal controls are operating effectively.
Effective internal controls are good business practice and protect stakeholder value. Clear and balanced reporting on controls provides markets and stakeholders, including customers, suppliers, employees and pensioners, with confidence in a good company, honestly run. Audit committees should be examining whether they are making statements based on trust, or on an agreed programme of work to gather and test evidence that controls are working effectively.
In November 2021, the FRC clarified their expectation that Boards complying with the Code should confirm the results of their annual review of the effectiveness of internal controls. Previously, the requirement had been widely understood to relate to disclosure of the process undertaken.
The Code requirement includes operational and compliance controls as well as financial controls. Whilst the benchmark for financial controls is the most mature, expectations in other areas such as Economic, Social and Governance (ESG) reporting are developing rapidly, and companies should plan to extend their control frameworks beyond financial controls.
A framework for internal control ensures that risk assessment and controls are kept up to date and embedded in the organisation. Elements of a control framework typically include organisation-wide policies, structure and ‘tone at the top’, risk assessment, business and IT controls, monitoring and reporting. We developed our four-step framework to help Boards demonstrate compliance with the UK Code. Documentation is essential to communicating a complete understanding of a process and enables accountability. However, documentation of control operation should be proportionate to risk and complexity. Wherever possible, controls should be automated and evidenced via system configuration. Most organisations already have some controls and, with visibility through documentation, effort can be focussed on areas of greatest risk as the organisation changes.
Internal controls enable transparency, accountability, operational efficiencies, and a positive culture of ‘right first time’. They also help to prevent and detect fraud, and a well understood and documented process is a solid base for transformation.
When companies first IPO in the US and report and/or are audited on internal controls under US SOX, our analysis shows the most common areas of material weaknesses include:
For more mature US listed companies, material weaknesses are more unusual and typically relate to:
One of the key lessons is to be laser focussed on risk in the identification and design of controls. The top-down view is critical to keeping controls in proportion and adapting to change, in addition to establishing clear accountability for controls. For more, see our blog: gx-why-did-sox-stand-out.pdf (deloitte.com)
There is no one-size-fits-all approach that UK companies should adopt. UK companies seeking to comply with the Code should start with their financial and fraud risk assessment now and determine their plan to establish a documented and evidenced internal control framework.
Step 1 – initial assessments and entity level controls
Step 2 – confirmation of in scope systems and identification of material controls
Step 3 – establish robust monitoring and review processes
Step 4 – establish clear reporting protocols and accountability for action
Please contact one of the team for more information.
Neal is a Partner focussed on technology risk and control. As well as helping clients to manage their technology risks, he also helps his clients to implement technology enablement in their control environment to transform the way technology is used to operate, assure and monitor their controls. He works with UK and US listed businesses across the Corporates sectors. Neal has worked with clients, including a significant number going through finance system transformations, to identify simplification and automation opportunities to help drive efficiencies and increase their level of confidence in their control environment.
Dan is a Partner in our Controls Advisory practice in London. Dan has significant experience in delivering finance transformation, focusing on developing and enhancing internal control environments. He has worked with clients to facilitate their risk identification processes, helped them implement control frameworks and supported them to streamline and standardise their financial processes. Dan uses his experience and expertise in finance optimisation and controls to advise clients across a variety of sectors.
Sonya is a controls specialist, Audit partner and the leader of our Accounting Operations team. Accounting Operations is a team of audit trained accountants who support our non-audit clients in modernising their finance functions, embedding controls and being ready for audit. She works with UK and US, private and listed companies. Her project experience includes US and UK IPOs, SOX and JSOX implementations, controls and finance transformation and close optimisation.