News round-up May 2024 A&R magazine May Jun 24

Have your say on the revised Internal Audit Code of Practice

The consultation on revisions to the Chartered IIA’s internal audit codes of practice closes on 8 May and members are strongly urged to make their views known.

The plans include creating a single Internal Audit Code of Practice covering the financial services, private and third sectors (amalgamating and updating the current two codes). The new code is intended to build on the success of the existing codes and has been updated to align with the new Global Internal Audit Standards and the revised UK Corporate Governance Code, both of which come into effect on 1 January 2025, as well as to reflect evolving industry practices.

The institute plans to publish the new code by September 2024. Under its provisions, all internal audit functions will be expected to include capital and liquidity risks and the risks arising from poor customer treatment in their priorities, and internal audit’s remit will be expanded to assess organisational culture, not just risk and control culture. Additional priority areas for internal audit include: environmental sustainability, climate change risks and social issues; and technology and data risks, along with financial crime, economic crime and fraud.

Internal audit will also be expected to support any board disclosure on the company’s risk management and internal control framework. This aligns with new requirements for an Internal Controls Declaration in the revised UK Corporate Governance Code.

While the new combined Code of Practice will preserve the more stringent regulatory requirements that apply in internal audit in the financial services sector, the aim is to raise the bar across the whole profession and put financial services and non-financial services internal audit functions on a more equal footing.

The revisions are being led by an independent committee of senior audit industry leaders with the involvement of key regulators. The committee is chaired by Sally Clark, Audit Committee Chair of Citigroup Global Markets Ltd.

“The combined Internal Audit Code of Practice aims to stretch and strengthen internal audit functions to aid efforts to improve corporate governance. Whether it’s supporting greater financial resilience, assessing corporate culture, or keeping companies honest on their ESG commitments, the internal audit profession needs to be bold and courageous to remain relevant and deliver value,” Clark said. “Through this code, we want to empower internal audit to have a key voice and opinion as it helps to protect the assets, reputation and sustainability of our organisations.”

Anne Kiem, Chief Executive of the Chartered IIA, added that there have been too many examples of the impact of insufficient attention to audit and corporate governance. “It is crystal clear that strengthening audit and assurance is now vital,” she said. “Our new code addresses this by advocating for robust, competent and appropriately resourced internal audit functions.’

She said the code would be a practical guide to help internal audit raise the bar and enable organisations to make the best use of their internal audit function. “We need a dynamic and forward-looking internal audit profession that supports boards in navigating an increasingly complex and multifaceted risk landscape,” she explained.

Directors of large firms escape penalties for corporate crime

Britain’s company bosses are unlikely to face fines, prison sentences or any other sanction if the companies they run are involved in economic or corporate crime, according to research by Spotlight on Corruption.

The campaign group’s report, Power Without Responsibility, found the UK’s main investigatory and enforcement agencies responsible for prosecuting serious economic and financial crime rarely take action against senior executives in large firms.

For example, just 6% of the investigations carried out under the Financial Conduct Authority’s (FCA’s) Senior Managers Regime – set up after the 2008 financial crisis to make executives in the financial services industry more directly accountable – have resulted in any enforcement action. 

Elsewhere, the group found that the Competition and Markets Authority (CMA) had been unable hold a single executive accountable despite successfully prosecuting 11 companies for breaching competition rules, while the Serious Fraud Office (SFO), the UK’s main corporate crime agency, has achieved just two convictions in 20 corporate enforcement actions.

However, directors of smaller companies, where management’s line of responsibility is often clearer, are far more likely to be prosecuted successfully, and their firms face proportionately larger fines. This is because prosecutors regard them as “low-hanging fruit”, the report claims.

ICO issues guidance on fining processes and calculations

New guidance from the UK’s data regulator, the Information Commissioner’s Office (ICO) provides companies with insights into why it decides to issue penalties and how it calculates fines. The updated data protection fining guidance is intended to provide companies with greater clarity about how and why the regulator would issue a fine for a breach of the UK General Data Protection Regulation (UK GDPR) or Data Protection Act 2018.

It provides more detail on the factors that could influence whether the regulator would require companies to take corrective actions or whether they would face penalties, whether they could face more than one case based on the same or “linked” conduct, and details of its five-step approach to calculating fines. It also explains on what grounds it might reduce fines, for example for “financial hardship”.

It says that fine amounts will be calculated by assessing the seriousness of the infringement, how it accounts for turnover (especially where the organisation is part of a group of companies), how it assesses the base point of any fine to be levied, taking into account aggravating or mitigating factors, and how it assesses whether the fine would be “effective, proportionate and dissuasive”.

SFO considers paying whistleblowers

The new head of the Serious Fraud Office (SFO) has said he favours paying whistleblowers in exchange for information. In his first speech as SFO director, Nick Ephgrave said financially incentivising whistleblowers had “many benefits”, adding that the UK has “fantastic legislation” which allows the SFO and other agencies to encourage assisting offenders to help progress large investigations more quickly.

The problem, he said, was that the UK was “reluctant culturally” to use the tools at its disposal.

Shortly after he delivered his speech, it was reported that the new joint executive directors of enforcement and market oversight of the Financial Conduct Authority (FCA) are reviewing the regulator’s approach to whistleblowers and would consider incentivisation (which it previously dismissed). They said they would be meeting the SFO to discuss the issue.

Executives fear litigation from ESG risks

Nearly two-thirds of senior leaders in large UK businesses are concerned that their environmental, social and governance (ESG) targets put them at risk of litigation, while nearly three-quarters admit they have felt pressure to set ESG targets without being confident they could reach them, according to research by global risk management and insurance broker Gallagher.

Just over half of the respondents to the study believed legal action over missed ESG targets is far more likely now than it was ten years ago. When ranking their concerns for their businesses should they miss their ESG targets, a quarter
said investor withdrawal, one in five said litigation, and one in seven said shareholder activism.

Risk management tops priorities for ethics programmes

Risk mitigation and risk analysis were the main areas prioritised in ethics and compliance programmes over the past year, according to the latest edition of compliance specialist LRN’s Ethics & Compliance (E&C) Program Effectiveness Report.

Over the same period, the focus of such programmes has shifted significantly away from traditional areas such as bribery and corruption to complex government regulations, information security (including artificial intelligence) and data protection.

Just over half of organisations with high-performing E&C programmes have disciplined or terminated the contract of a senior executive for unethical behaviour in the past year. Organisations globally are also increasingly using compensation clawbacks to penalise misconduct – three-quarters of organisations with high-impact programmes said they had clawback policies.

Employers told to make provisions to help employees going through menopause

Menopause symptoms can be considered a disability and employers could be sued if they do not make “reasonable adjustments”, according to the Equality and Human Rights Commission (EHRC).

The UK’s human rights watchdog has issued guidance to clarify employers’ legal obligations to workers going through the menopause. It said managers should offer provisions such as rest areas or flexible hours, and that relaxing strict uniform policies to allow women to wear cooler clothes could also help.

Failing to make “reasonable adjustments” amounts to disability discrimination under the Equality Act 2010 if the symptoms have a “long-term and substantial impact” on a woman’s ability to carry out their usual day-to-day activities, the EHRC said.

FCA plans to accelerate enforcement cases

The Financial Conduct Authority (FCA) has said it will carry out enforcement cases more quickly to deter wrongdoing. The financial regulator will focus on a streamlined portfolio of cases aligned to its strategic priorities to focus on where it can deliver the greatest impact. It will also close cases more quickly where no outcome is achievable.

As part of its new approach, the FCA has opened a consultation on its plans to become more transparent when starting an enforcement investigation. It will now publish updates on investigations as appropriate and be more open about cases that are closed with no enforcement outcome.

This is a radical change from the current process in which investigations are announced only in very limited circumstances.

Climate transition impact reporting still lacking

Large polluters are failing to account for climate change impact and adaptation, according to a report by financial think tank Carbon Tracker. It found that, despite pressure from regulators and stakeholders to disclose information about the financial impact of climate change and climate change adaptation, only 40% of the most polluting firms provide this in their financial statements and accounts.

The report compared the financial statements and related audit reports of 140 companies responsible for the world’s highest emissions for fiscal year 2022.

This article was published in May 2024.