News round-up: January 2024 A&R magazine Jan Feb 24

Consultation seeks members’ views on revisions to the Chartered IIA’s Internal Audit Codes of Practice

The Chartered IIA is reviewing and updating its two codes of practice: The Financial Services Code of Practice and The Code of Practice for Private and Third Sectors. These provide an industry benchmark for best practice internal audit in these sectors, as well as a gauge by which stakeholders (including regulators and audit committees) can assess the role, function and effectiveness of internal audit functions.

The aim of the review is to reflect evolving practice, including the new Global Internal Audit Standards and developments in the UK Corporate Governance Code, and to correct any unintended consequences that may have arisen in the application of the codes. Members will also be consulted on whether the two codes should be combined.

The review will be overseen by an Internal Audit Codes of Practice Independent Review Committee, chaired by Sally Clark, Audit Committee Chair at Citibank.

Members are invited to respond to an eight-week consultation on the codes, which will begin in February. Responses to the consultation will be used alongside analyses of external quality assessment reviews, evidence from stakeholders, including the regulators, and discussions at roundtable events with chief audit executives, audit committee chairs and other stakeholders.

The revised codes will be published by June.


FRC proposals increase external audit duties over financial compliance

The Financial Reporting Council (FRC), the UK’s corporate governance regulator, has proposed changes that would extend external auditors’ obligations to detect and report non-compliance when reviewing company financial statements.

The proposals are similar to those put forward by the US accounting watchdog, the Public Company Accounting Oversight Board (PCAOB), in June 2023. The changes would require external auditors to obtain reasonable assurance that financial reports are free from material mis-statements, and to report breaches of laws or regulations that come to their attention “even where law, regulation, or relevant ethical requirements do not require it”.

The FRC’s consultation will close this month. If adopted, the changes will come into force for audits of financial statements for periods beginning on or after 15 December this year.


Companies House gains powers to combat money laundering

As part of the UK’s plan to tackle money laundering, the Economic Crime and Corporate Transparency Act (ECCTA) has given Companies House, the registrar of corporate information, a new objective of checking and improving the transparency and accuracy of the information that companies provide for its registers. In addition, Companies House can now share its data with other regulators.

The legislation, which came into force in October, also makes it an offence to provide a false statement to the register. The UK government says the new powers are the most important changes to the agency in its 180-year history.

Further provisions in the Act include the creation of a criminal offence of failing to prevent fraud, which makes organisations liable if they benefit from a fraud committed by employees. The National Crime Agency (NCA) gains new powers to force businesses to hand over information that it suspects relates to money laundering or terrorist financing, while the NCA and law enforcement agencies have greater authority to seize, freeze and recover crypto assets.

Regulators intensify focus on cyber security and data protection

Banks and other financial institutions should prepare for increased regulatory scrutiny, while companies in every sector should expect more questions about how they oversee cyber security and data protection, according to a report on regulatory challenges by professional services firm KPMG.

It predicts that in the next six months financial services regulators will focus more intensely on firms’ risk management and controls, data quality and processes, and management/board accountability. Specifically, KPMG expects regulators to scrutinise financial risks and broad risk-management practices, including leverage ratios, liquidity risk and maturity, and operational risks.


Companies advised to disclose sanctions breaches

Since February 2022, 127 UK companies have voluntarily disclosed breaching the sanctions imposed on Russia for invading Ukraine, according to international law firm Pinsent Masons.

One reason for non-compliance is that Russia was more closely integrated into the global economy than other countries subject to sanctions regimes, such as Iran, Syria and North Korea. Another is that it can be hard to identify the true beneficial owners of sanctioned companies.

There are 1,637 individuals and 239 companies on the UK’s sanctions list for Russia, the law firm said. It advised companies that identify breaches to consider disclosing these to the Office of Financial Sanctions Implementation (OFSI) or to HMRC if they wish to be treated leniently.

If a breach is identified, the authorities may take no action, or they may issue a warning letter or a civil penalty, or start a criminal prosecution. These actions can be taken against bodies and individuals and can lead to prison sentences. The highest financial penalty issued to date was a £20.5m fine imposed on Standard Chartered Bank in 2020.


ICO updates guidance on employee monitoring

The Information Commissioner’s Office (ICO) has updated its guidance on employee monitoring to reflect new types of work, working from home, and the use of more sophisticated monitoring technologies. The UK data regulator said workers’ expectations of privacy are significantly higher at home or outside the workplace, and this should be reflected in any data protection impact assessment.

Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. The ICO warned that employers who use automated decision-making for monitoring must inform workers of this.

Organisations must give workers “meaningful information about the logic involved, as well as the significance and the envisaged consequences” of the processing. This information must also be included if employees submit Subject Access Requests.

The ICO’s research found that 70% of people would find it intrusive to be monitored by an employer in any way. Monitoring personal devices was considered the most intrusive practice (83%), followed by recording audio and video (78%) and taking screenshots or webcam footage (77%). Monitoring timekeeping and access was considered the least intrusive practice.


Global payments system cyber attack could cost trillions

A major cyber attack on a financial services payments system could lead to global losses of US$3.5trn – much of this not covered by insurance, according to Lloyd’s of London. According to a systemic risk scenario developed by Lloyd’s and the Cambridge Centre for Risk Studies, the US would suffer losses of US$1.1trn over a five-year period after this kind of attack, while China would lose US$470bn and Japan US$200bn.

Cyber insurance is becoming more common, but many companies see it as expensive and are sceptical that it would provide adequate cover.

Message overload increases cyber security risk

More than half of employees admit they ignore cyber security alerts because of “information overload”. In a survey by cyber security firm CybSafe, 47% of respondents said they believed an influx of messages on laptops, tablets, PCs and smartphones reduced their ability to identify threats such as suspicious emails.

In addition, 36% of respondents said they have “cut corners” on cyber security practices, while 7% said they often skip steps such as using safe networks or setting strong passwords to save time.


Compliance and tech top agenda for risk managers

Tech innovation and compliance requirements are two of the main concerns for risk functions, according to research by KPMG and Forbes Insight. Chief risk officers (CROs) said de-risking, growth and strategy, regulatory compliance, effectiveness and efficiency, and costs are all high on their agenda as organisations strive to grow in difficult economic circumstances.

CROs also said the risk function is expanding beyond traditional risk management into the area of threat management, while resources are being cut. Compliance and regulation were the most significant risk management issues they expected to face in the next two to five years. However, 80% of CROs said they were confident about their organisation’s ability to deal with cyber security threats and data breaches, while 70% felt well prepared to tackle disruptions from new technologies, such as generative artificial intelligence (AI).


Finance slower to adopt AI than other functions

Most finance departments have yet to adopt AI, despite optimistic leadership views of the technology, according to a survey by consultancy Gartner.

The survey revealed that 61% of respondent finance functions either have no plans for AI implementation or are still in the initial planning phase.

Gartner’s research also shows that finance is currently well behind most other business functions when it comes to investments in AI by the organisation: just 1% of finance functions have adopted or intend to invest in the technology.

The lag is blamed on other priorities, lack of technical capabilities, low-quality data, and insufficient use cases.


This article was published in January 2024.