
Heads of Internal Audit Virtual Forum

14 June 2023

Please note:

  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised


Chair opening comments | Anne Kiem, Chief Executive, Chartered IIA UK and Ireland (Chair)

Our speaker today is Sarah Rapson, Deputy Chief Executive, Financial Reporting Council.

Sarah provides an overview of the plans and proposals to update the UK Corporate Governance Code, following the public consultation that was launched on Wednesday 24 May. While the UK Corporate Governance Code is specifically intended for publicly listed firms, it is also used more broadly as a benchmark of good corporate governance across a range of sectors.

The proposals include some quite significant changes to the principles and provisions in the Code on Audit, Risk and Internal Control. This includes plans for a declaration by the Board that the company’s risk management and internal control systems have been effective. Significantly the internal controls declaration will go beyond just the financial controls and encompass within its scope non-financial areas of the business. There are also proposals to strengthen company directors’ responsibilities regarding environmental, social and governance reporting. The plans for the updated Code also reflect new reporting requirements due to become law, including the requirement for public interest entities to publish an Audit and Assurance Policy and a Resilience Statement. These changes are likely to have impacts for the internal audit functions of organisations that comply with the Code, particularly in terms of directors requiring greater independent assurance.

Broadly speaking the Chartered Institute of Internal Auditors welcomes the strengthening of the Code in relation to internal control effectiveness and ESG reporting requirements. However, we would like to see the Code go further in relation to the requirement for publicly listed firms to have an internal audit function. At present, the Code remains implicit not explicit that firms should have an internal audit function. We believe this is an area of the Code that would benefit from greater clarity so that it is clearer that firms should have internal audit. Furthermore, strengthening the provisions on the requirement for publicly listed firms to have internal audit would go hand in hand with strengthening the provisions on internal control effectiveness, along with the legislation for public interest entities to have an Audit and Assurance Policy.

The Chartered Institute of Internal Auditors will respond to the public consultation on behalf of our members and are keen to consult with and listen to the views of our members to help shape our response.

Key Takeaways

Click here for details of the consultation on the UK Corporate Governance Code.

Ongoing initiatives

  1. Transition to ARGA is awaiting the Government’s legislative agenda. The King’s Speech will inform this, although it is likely to be a tight agenda to enable completion ahead of an election during 2024.
  2. New minimum standards for audit committees and external audit published May 2023.
  3. Call for evidence on non-financial reporting (Dept for Business and Trade) – seeking views on the non-financial reporting requirements UK companies need to comply with to produce their annual report, and whether company size thresholds remain appropriate. Consultation closes 16th August 2023. Note, this also includes questions about onshoring the ISSB sustainability standards.
  4. Statutory instruments pending approval - annual resilience statement, annual fraud statement, tri-annual audit and assurance policy and a statement regarding distributable profit – these are all inextricably linked to corporate governance.
  5. The FRC would like to see global standards developed and adopted for ESG (like IFRS) – however, indications are that the US will adopt a different approach to the EU although all based on TCFD. The FRC will be chairing a new technical advisory committee to review the ISSB standards and propose next steps.

UK Corporate Governance Code

  • The Code was last published in 2018; since then there has been the Kingman Review and a need for governance reform. This review is important to maintain market confidence.
  • The FRC proposes to continue with the flexible and proportionate approach of ‘comply or explain’.
  • Consultation closes 13 September 2023.
  • The FRC recognise there is work to do before publication – this is an open-minded consultation – the FRC welcomes the views of the internal audit profession as there is a need for good assurance.
  • Key points to note:
    • System of internal controls and risk management – this is definitely not UK SOX or SOX-lite – the Code is considered by Government to be a more flexible and proportionate vehicle than primary legislation.
    • Changes to malus and clawback will also be included in the Code rather than in primary legislation.
    • Audit committee responsibility for the ‘E’ and ‘S’ of ESG – links to the new minimum standards.
    • Increased expectations of boards on issues such as diversity and inclusion, and overboarding.
    • If an organisation opts to explain rather than comply the explanation must stand up to scrutiny. Where proportionate this is an acceptable approach which the new Code will reinforce.
    • Outcome focused descriptions rather than process – more interesting and decision-useful for stakeholders.
  • Internal audit
    • No plans to change comply or explain for an internal audit function.
    • Monitoring confirms majority of companies have an internal audit function.
    • Proposed changes to internal control framework assurance strengthen the position of internal audit, with reference to the use of internal auditors expected to be included.
    • Open to feedback on the role of internal audit in section four.

Chair closing comments

Thank you, Sarah, for taking the time to share your thoughts and intentions, answering questions and listening to comments. You can count on our assistance as a profession.

Our next meeting on 12th July will focus on the artificial intelligence evolution. We look forward to seeing some of the new faces who joined us today.

Dates for your diary 

  • 3-4 October | Internal Audit Annual Conference – London/virtual | register here

Chat comments including Q&A


Question | There are not many readily available examples of ‘explain’ – could the FRC provide guidance on what good looks like in practice?

Answer | We can consider how we might be able to share examples publicly - during the covid pandemic for instance we saw good examples of explaining matters related to the Code.

Question | There is concern over the definition of operational control as it stands due to potential conflict with HSE requirements for example.

Answer | Thank you, that’s useful feedback that the definition may be too broad.

Question | How successful might a convergence of international standards be regarding sustainability reporting?

Answer | The SEC have set a path which means it is unlikely to be a single global standard. Unfortunately, it is likely to be burdensome for international companies.

Question | You said very few organisations don’t have an internal audit function. Do you have evidence that those who collapsed or had major issues due to mismanagement had internal audit functions? 

Answer | It is not a list we have readily available. A good indicator is the narrative reported within the annual report for companies of interest.

Question | Paragraph 68 onwards in the consultation refers to revising guidance on internal control and risk management – can you shed more light on this?  

Answer | Anticipating significant feedback from the consultation regarding section 4. We will digest and go through our internal governance which will take time. We will then progress onto the individual guidance documents. Likely to start engaging on the detail towards the end of the year at which point we will reach out to key stakeholders.

Question | Might the quality of assurance mapping be a topic for future guidance? 

Answer | Please include suggestions in the consultation feedback.

Question | What would you like to see from the profession to support the consultation or indeed the Code? 

Answer | We welcome your comments, particularly on section 4, there is a lot on assurance and it would be useful to know which points to focus on. 

Question | Paragraph 30 – what is the difference between material weakness and a failure? 

Answer | Thank you, we have heard this response, you are not alone. The FRC has a project ongoing regarding materiality – essentially it is for the board to decide what is material – perhaps it might be helpful to use the word material twice, i.e. material weakness and material failure.

Question | It’s a well written document but it is going to be important to remain focused on the overarching objectives of the revisions – to date there has been ‘noise’ which positions internal control at the expense of a more rounded perspective on risk management that considers risk tolerance not just risk mitigation. 

Answer | Thank you, useful reflections. The Code is not intended to be interpreted like US SOX - proportionality is important. 

Question | Reading the summary at the back is useful – what is your advice on how best to prepare for the changes? 

Answer | Keep an eye out for the timelines of the statutory instruments. At the moment a useful step would be to make the linkages between the different elements to get a sense of the whole picture to share the impact for the organisation. Some of the changes are proposals so still shimmering rather than solid so be mindful if planning ahead. 

Question | It will be challenging to land – I’m a little wary of the volume of what needs to be landed with the board – it’s not a quick discussion.

Answer | There will be a long lead time. Important to do it well. It will start with large organisations. Need to be mindful that we can never stop all corporate failures, our aim is to stop those that could have been prevented through the application of good corporate governance. 

Comment | Interestingly this is what the new 2023 Swiss Corporate Governance Code says about internal audit (which was published earlier this year):

The board of directors should set up an internal audit and, in doing so, be guided by recognised professional standards.

The internal audit should make an autonomous and independent assessment of the effectiveness of the controls set up by the board of directors and the executive board and of the internal control system.

The internal audit should be in direct communication with the executive board and the board of directors. It makes reports to the executive board and the board of directors or the audit committee.

Internal audit should have unrestricted access to all areas and information of the company. Internal audit and the external auditor should coordinate with each other in an appropriate manner.