Posted: 11 May 2022

What’s next for internal controls in the UK?

The UK SOX debate has shone a light on the extensive current requirements of the UK Corporate Governance Code and the need for a recognised framework and ongoing evidence for stakeholders, management teams and Boards to know internal controls are operating effectively.

Effective internal controls are good business practice and protect stakeholder value. Clear and balanced reporting on controls provides markets and stakeholders, including customers, suppliers, employees and pensioners, with confidence in a good company, honestly run. Audit committees should be examining whether they are making statements based on trust, or on an agreed programme of work to gather and test evidence that controls are working effectively.

Current requirements of the UK Code of Corporate Governance

In November 2021, the FRC clarified their expectation that Boards complying with the Code should confirm the results of their annual review of the effectiveness of internal controls. Previously, the requirement had been widely understood to relate to disclosure of the process undertaken.

The Code requirement includes operational and compliance controls as well as financial controls. Whilst the benchmark for financial controls is the most mature, expectations in other areas such as Environmental, Social and Governance (ESG) reporting are developing rapidly, and companies should plan to extend their control frameworks beyond financial controls.

The need for a recognised framework and ongoing evidence

A framework for internal control ensures that risk assessment and controls are kept up to date and embedded in the organisation. Elements of a control framework typically include organisation-wide policies, structure and ‘tone at the top’, risk assessment, business and IT controls, monitoring and reporting. We developed our four-step framework to help Boards demonstrate compliance with the UK Code. Documentation is essential to communicating a complete understanding of a process and enables accountability. However, documentation of control operation should be proportionate to risk and complexity. Wherever possible, controls should be automated and evidenced via system configuration. Most organisations already have some controls and, with visibility through documentation, effort can be focussed on areas of greatest risk as the organisation changes.

Effective internal controls are good for business

Internal controls enable transparency, accountability, operational efficiencies, and a positive culture of ‘right first time’. They also help to prevent and detect fraud, and a well understood and documented process is a solid base for transformation.

Where do controls typically fail?  

When companies first IPO in the US and report and/or are audited on internal controls under US SOX, our analysis shows the most common areas of material weaknesses include:

  • Accounting-related issues, including lack of documentation, policies and/or procedures, and inadequate numbers, competency or training of accounting personnel
  • Material and/or numerous auditor year-end adjustments
  • Segregation of duties and design of controls
  • Information technology, software, security, and access issues
  • Untimely or inadequate balance sheet account reconciliations
  • Manual journal entry control issues

For more mature US listed companies, material weaknesses are more unusual and typically relate to:

  • Management accounting judgements (e.g., impairment, liabilities & provisions and/or taxes)
  • Areas impacted by significant changes (e.g., debt, equity, reorganisations, M&A, regulator expectations and/or change of auditor)

One of the key lessons is to be laser focussed on risk in the identification and design of controls. The top-down view is critical to keeping controls in proportion and adapting to change, in addition to establishing clear accountability for controls. For more, see our blog: gx-why-did-sox-stand-out.pdf

Moving forwards

There is no one-size-fits-all approach that UK companies should adopt. UK companies seeking to comply with the Code should start with their financial and fraud risk assessment now and determine their plan to establish a documented and evidenced internal control framework.

Deloitte four step framework for assessing the effectiveness of internal controls over financial reporting

Step 1 – initial assessments and entity level controls

  • Start with a detailed understanding of the business model
  • Undertake a financial risk assessment and fraud risk assessment
  • Establish clear and robust entity level controls to ensure the right “tone from the top”
  • Define a hierarchy of delegated authorities from the board

Step 2 – confirmation of in scope systems and identification of material controls

  • Obtain clarity over in scope systems and related general IT controls
  • Generate robust process documentation for material business cycles, with clear process owners
  • Identify the material controls

Step 3 – establish robust monitoring and review processes

  • Define and evidence a robust process for on-going monitoring of the design and operating effectiveness of material controls
  • Define and evidence a robust process for a year-end assessment of the design and operating effectiveness of material controls

Step 4 – establish clear reporting protocols and accountability for action

  • Define a significant control failure or weakness that would require detailed consideration and disclosure of remediating actions
  • Define reporting processes including remedial action tracking

Please contact one of the team for more information.

Key Contacts

Neal Aggarwal

Neal is a Partner focussed on technology risk and control. As well as helping clients to manage their technology risks, he also helps his clients to implement technology enablement in their control environment to transform the way technology is used to operate, assure and monitor their controls. He works with UK and US listed businesses across the Corporates sectors. Neal has worked with clients, including a significant number going through finance system transformations, to identify simplification and automation opportunities to help drive efficiencies and increase their level of confidence in their control environment.

Dan Cane

Partner, Risk Advisory

Dan is a Partner in our Controls Advisory practice in London. Dan has significant experience in delivering finance transformation, focusing on developing and enhancing internal control environments. He has worked with clients to facilitate their risk identification processes, helped them implement control frameworks and supported them to streamline and standardise their financial processes. Dan uses his experience and expertise in finance optimisation and controls to advise clients across a variety of sectors.

Sonya Butters

Partner, Accounting Operations Assurance Leader

Sonya is a controls specialist, Audit partner and the leader of our Accounting Operations team. Accounting Operations is a team of audit trained accountants who support our non-audit clients in modernising their finance functions, embedding controls and being ready for audit. She works with UK and US, private and listed companies. Her project experience includes US and UK IPOs, SOX and JSOX implementations, controls and finance transformation and close optimisation.