News round-up March 2024 Mar Apr 24

Chartered IIA welcomes revised Corporate Governance Code

The Financial Reporting Council (FRC) has published its long-awaited revised Corporate Governance Code and supporting guidance. The Chartered IIA has welcomed the increased focus on audit, risk, internal controls and the need for robust risk management. This is particularly evident in the guidance to the revised code, which includes 40 explicit references to the internal audit function.

Revisions to the code include making boards responsible for maintaining and reviewing the effectiveness of risk management and the internal control framework. It says that boards should describe in the annual report how they monitor and review the framework’s effectiveness and declare the effectiveness of material controls, including financial, operational, reporting and compliance controls.

Furthermore, boards should describe any material controls which have not operated effectively and disclose the actions they took (or propose to take) to improve them, as well as providing details of actions taken to address previously reported issues.

“It is likely that internal audit functions will be called on to provide additional assurance to the board on whether controls are operating effectively, which is good for the profession,” said Gavin Hayes, Head of Policy and Public Affairs at the Chartered IIA. “However, it is disappointing that the FRC did not strengthen provisions requiring all public limited companies to have an internal audit function. This would have supported the provisions relating to assurance over controls and means that the UK is out of sync with the G20/OECD Principles of Corporate Governance and most of our international peers. This is a missed opportunity.”

However, he added that the FRC had previously said that there would be minimal changes to the code itself. The accompanying guidance compensates to some extent by not only mentioning the role of internal audit repeatedly and highlighting the function’s role in providing assurance over the internal control framework, but also referencing the Chartered IIA’s Codes of Practice and The Global Internal Audit Standards.

The Chartered IIA contributed directly to the revision of the guidance and worked closely with the FRC as part of its Stakeholder Insights Group. Whereas previous guidance to the Code was published in separate documents, the new guidance is consolidated into one. This makes it easier to access, but also raises the profile of internal audit, which is now referenced throughout the guidance, rather than in just one part.

“The other important issue for Chartered IIA members is that the guidance strengthens the provisions around board responsibility for monitoring, evaluating and embedding corporate culture,” Hayes added. “This creates an important role for internal audit, which will be needed to assess existing culture and can also support the board by providing an objective view of the desired culture and ways to embed this.”

The Chartered IIA remains disappointed that the government has not yet revisited its decision to withdraw the statutory instrument and secondary legislation to amend the Companies Act 2006 that would have required larger companies to publish an audit and assurance policy and resilience statement. A further announcement is expected on this.

The anticipated Audit Reform Bill was also dropped from the last King’s Speech. This would have focused mainly on external audit, but the Chartered IIA supported the creation of a new regulatory body (the ARGA) and the intention of holding company directors to account for audit and governance failings.

The Chartered IIA will continue to campaign for further changes. “We met with Kevin Hollinrake MP, Parliamentary Under Secretary of State at the Department for Business and Trade, to discuss our concerns about the withdrawal of the secondary legislation and the pace of audit reform,” Hayes said. “We also requested that a commitment to audit and governance reform should appear in the Conservative Party Manifesto. The Labour Party has already gone on the record saying that they commit to audit reform if they are elected.”

New resources to help CAEs conform to the Global Internal Audit Standards

IIA Global’s new Global Internal Audit Standards will become mandatory in January 2025, so CAEs and their teams are advised to start assessing their impact and putting in any necessary changes now. IIA Global and the Chartered IIA will be supporting members and offering advice and guidance to help them do this.

The Global Standards are billed as an evolution, rather than a revolution. They build on the existing ones to clarify what good internal audit looks like in a rapidly changing world and enhance consistency worldwide. They will support chief audit executives (CAEs) by providing explicit guidance on the position of internal audit within organisations and the resources it needs to perform at the required level. They will also enable the IIA, centrally and nationally, to build the reputation of the profession and increase understanding of its value.

IIA Global has published a printable PDF version of the Global Standards alongside a condensed version of the mandatory elements. There is also a free on-demand webinar enabling attendees to hear directly from International Internal Audit Standards Board (IIASB) representatives about the structure and content of the final Standards as well as the rationale supporting decisions.

The Chartered IIA is currently revising its Internal Audit Code of Practice for the private and third sectors and Internal Audit Financial Services Code of Practice to bring these up to date and align them with the Global Standards. Most significantly, it plans to combine these into a single code. A consultation on the revised codes will launch on 11 March.

A longer article explaining the changes to the IPPF can be found in Audit & Risk January-February 2024.

CAEs urged to respond to consultation on Cyber Governance Code of Practice

A UK government consultation on a proposed code intended to inform boards about their duties and responsibilities to safeguard organisations from cyber attacks is currently inviting comments and views. The Department for Science, Innovation and Technology (DSIT) has published its proposals with the aim of ensuring that directors and governance functions understand cyber security risks and good cyber governance practice as well as they do financial risks.

As organisations become ever more dependent on technology, the risks they face are evolving rapidly. Government figures show 32% of businesses suffered a cyber breach or attack in the past year (69% of large businesses).

However, the code’s authors warn that cyber risks are often managed largely at a technical level in the IT department, partly because they are perceived as IT issues and partly because many senior managers believe they lack the knowledge to address them at a strategic level. A Code of Practice would formalise the government’s expectations of directors for governing cyber risk so it can be treated the same way as other material or principal business risks.

The Chartered IIA has welcomed the Cyber Governance Code as an important and timely development. “We are particularly pleased to see the focus in the draft code on the importance of independent assurance. Internal audit is obviously one assurance provider that could and should be leveraged by the board to provide comfort that the organisation’s cyber resilience strategy and the associated cyber controls are effective at preventing cyber attacks,” said Gavin Hayes, Head of Policy and Public Affairs at the Chartered IIA.

“Our own Risk in Focus research has found cyber security risk to be the number one risk facing organisations for seven years in a row and it is also the risk area that internal audit spends the most time and effort auditing. We will therefore be responding to the consultation and making the case for strong, competent, and appropriately resourced internal audit functions to support robust cyber governance, risk management and internal controls.”

Practical advice on how to deal with cyber risks is available in the NCSC’s Cyber Security Toolkit for Boards. The new code sets out five overarching principles, each with a series of actions that dovetail with the practical measures outlined in the toolkit.

“This new Cyber Governance Code of Practice will help to ensure cyber resilience is put at the top of the agenda for organisations and I’d encourage all directors, non-executive directors and senior leaders to share their views,” said Lindy Cameron, CEO of the NCSC.

The consultation will remain open until 19 March.

FCA proposes lighter listing rules

The UK’s financial services regulator has released proposals to simplify the UK’s listing regime to make it more accessible, effective and competitive. The changes would make it easier for companies to list by adopting a single listing category instead of the current “premium” and “standard” designations, as well as streamlining eligibility requirements.

The Financial Conduct Authority (FCA) also wants to move to a “disclosure-based” system, which it hopes will “put sufficient information in the hands of investors, so they can influence company behaviour and decide how they want to invest”.

The change would scrap the current system of mandatory votes for shareholders for certain “significant transactions” such as related-party transactions. This would bring the UK into line with the US, where major tech companies such as Meta and Alphabet use dual-class structures so the founders retain voting control without holding a majority of shares.

This could have consequences for corporate governance. The FCA admits “the proposals could entail an increased possibility of failures”, although it said it hopes “the changes set out would better reflect the risk appetite the economy needs to achieve growth”.

The London Stock Exchange has lost listings to US and European exchanges since Brexit. If the proposals are adopted, the FCA expects the new listing regime would go live in the second half of this year.

EU approves AML watchdog

The European Union (EU) has agreed to establish a central body to clamp down on money laundering and attempts to circumvent sanctions. The new institution, known as the Anti-Money Laundering Authority (AMLA), will also crack down on terrorist financing. It will be a hub working in coordination with national authorities.

The agency will have supervisory powers and will be able to impose financial penalties in serious cases or after repeated breaches. It will oversee the 40 riskiest financial entities and companies that allow people to trade and store crypto-assets.

The European Commission, the EU’s executive arm, first proposed the idea for a standalone agency in 2021 after a series of money-laundering scandals involving European banks.

AI creating new risks of crime in financial services sector

Artificial intelligence (AI) is a key emerging fraud risk, according to financial crime tech firm ComplyAdvantage’s latest report into fraud, money laundering and financial crime.

In The State of Financial Crime 2024 report, two-thirds of financial industry respondents said the use of AI by fraudsters and other criminals poses a growing cyber security threat. Risks include deepfakes, sophisticated cyber hacks and the use of generative AI to create malware.

Financial institutions are increasing their defences against these threats – 86% of respondents said their company is investing in new technologies.

ICO consults on Gen AI

The Information Commissioner’s Office (ICO) is examining how data protection law should apply to the development and use of generative AI. In particular, it is considering when it is lawful to train generative AI models on personal data scraped from the web.

The ICO has advised AI developers that to avoid breaching the UK General Data Protection Regulation (GDPR) they should run three core tests: a “purpose test” to check the AI model’s specific purpose and use; a “necessity test” to decide whether the data processing is essential to achieve the aims of the technology; and a “balancing test” to see whether it is worth incurring the high risks associated with some aspects of data processing.

Disinformation tops global risks

Misinformation and disinformation are the biggest short-term risks facing the world, while extreme weather and critical change to Earth systems are the greatest long-term concern, according to the World Economic Forum’s (WEF’s) Global Risks Report 2024.

Researchers found that AI-driven misinformation and disinformation, coupled with a long-term cost-of-living crisis and societal polarisation, present huge global risks, especially given the effect this could have on forthcoming elections in the US, UK and other key economies.

In the WEF’s survey, two-thirds of respondents were worried about extreme weather events in 2024. However, the report highlighted a widening gap between governments, the public and the private sector about the urgency of these risks. Private sector respondents believed that most environmental risks will materialise over a longer period than those representing civil society or government.

The report, produced in partnership with Zurich Insurance Group and Marsh, draws on the views of over 1,400 global risk experts, policymakers and industry leaders surveyed in September 2023.

Climate litigation is a trillion-dollar risk for big polluters

Polluting companies, especially in industries such as oil and gas, could be liable for trillions of dollars in damages from climate lawsuits, according to researchers at Oxford University’s Sustainable Law Programme. The researchers suggested ways that investors and regulators could improve how they assess climate-related legal risks. These include: analysing the impact of climate lawsuits on share price; quantifying how climate change influences an extreme-weather event; and calculating the damage each tonne of carbon emissions does to lives and livelihoods.

Chartered IIA urges Ofwat to make internal audit mandatory

The Chartered IIA has written an open letter urging the water regulator Ofwat to make it compulsory for water companies to have internal audit functions. This would mirror the requirements imposed by the financial regulators on financial services companies to have internal audit functions, as well as those that apply across the public sector.

The letter highlights concerns about the financial health and governance of water suppliers. Companies currently operating without internal audit capability include Portsmouth Water, South East Water, and Sutton and East Surrey Water – all three of which feature on Ofwat’s financial health watch list, with two in the worst “action required” category. Furthermore, South East Water is also being investigated over its water supply resilience. Collectively, these three companies serve 3.7 million customers across the South East of England.

The lack of an internal audit function “represents a significant weakness in their audit and corporate governance framework, which we believe should be addressed by Ofwat,” writes Anne Kiem, CEO of the Chartered IIA.

“We want to see an efficient, sustainable, and secure water sector in the UK, where critical national infrastructure, consumers, businesses, and suppliers are safeguarded by reducing risks. Thus, we are keen to work with Ofwat in enhancing the audit and governance framework within the water sector.”

Obituary: David Phyall, President of the IIA UK & Ireland 1990-91

David Phyall, who died in January, continued to support the IIA UK & Ireland after his period as President, becoming District Director from 1993-99. He was Head of Audit at Cornwall Council for many years and then Head of Internal Audit for Cornwall NHS Trusts from 2005-07. He was a trustee of the Jubilee Sailing Trust from 1994-2012 and, after taking early retirement, he advised the Brandon Trust, was Chairman of the Group Audit, Risk and Assurance Committee at Ocean Housing Group and Chair of SHINE50+ Core Volunteer Group (which supports people with Spina Bifida). From March 2022, he was a trustee of Merlin, Cornwall’s Neuro Therapy Centre.