The UK Corporate Governance Code (Code) is undergoing significant changes, with most updates taking effect in January 2025 (Provision 29 follows 12 months later). This shift aligns with the introduction of the Institute of Internal Auditors’ Global Internal Audit Standards, presenting organisations with an opportunity to enhance their risk management and internal control frameworks.
Internal audit functions are actively conducting gap analyses and updating key materials to prepare for these changes. A major focus of the new Global Internal Audit Standards is fostering stronger collaboration between boards, senior management, and Chief Audit Executives, particularly concerning the “essential conditions.” This aligns with the Code’s expectation for boards to play a larger role in monitoring and reporting on risk management and internal control effectiveness.
Key Changes to the UK Corporate Governance Code
The updated Code emphasises three critical principles in Section Four:
- Principle 1: Strengthens the independence and objectivity of internal and external audits.
- Principle 2: Calls for a “balanced and understandable” assessment of risk and internal control.
- Principle 3: Requires an effective risk management and internal control framework.
Boards must not only establish but also maintain effective risk and control frameworks, ensuring continuous monitoring, annual assessments, and clear, jargon-free reporting. Organisations can draw on established frameworks like COSO or ISO or develop internal models.
Supporting Boards with Assurance and Information
Boards need comprehensive information through attestations and assurance from internal and external sources, including internal audit’s annual assurance opinion. This supports assessments of risk appetite, risk culture, management processes, and control effectiveness. The annual assessment must cover all material controls, including financial, operational, reporting, and compliance controls.
Deciding what constitutes “material controls” involves qualitative and quantitative judgments unique to each organisation. Internal auditors can facilitate this by prioritising controls based on material risks, leveraging internal audit planning processes to support compliance with Provision 29.
Overcoming Challenges in Strengthening Internal Controls
Organisations face several challenges in enhancing their risk and control frameworks:
- Developing an organisation-wide risk register and controls library.
- Establishing clear risk and control ownership.
- Providing leadership with real-time insights into risk management.
- Ensuring timely identification and response to control deficiencies.
Strategies for Success: IDEAS Framework
Inform: Internal auditors can provide training and raise awareness among risk and control owners, enhancing anticipation and response to control failures.
Delegate: Auditors should help implement controls initially but ensure an exit strategy for management to take over, focusing on delivering timely and valuable assurance.
Eliminate: Reduce unnecessary controls by adapting to changing risks and encouraging control owners to self-identify and correct deficiencies.
Automate: Leverage technology to enhance control effectiveness, improve audit assurance, and strengthen relationships with control owners.
Share: Internal auditors can share best practices, advocate for effective control ownership, and act as ambassadors for successful control implementation.
Preparing for the UK Corporate Governance Code Reforms
Organisations should proactively connect risks and controls across their operations to ensure compliance with the updated UK Corporate Governance Code. By addressing key challenges and adopting strategic approaches, businesses can strengthen their internal control environments and enhance governance practices.