
Position Paper: UK Corporate Governance Code 2024 - what does it mean for internal audit?

February 2024 

Chartered IIA’s position and overview of UK Corporate Governance Code 2024


On Monday 22 January, the Financial Reporting Council (FRC) published the revised UK Corporate Governance Code 2024. This followed an extensive public consultation, to which the Chartered IIA responded. The changes made to the Code remain limited and targeted; most relate to the principles and provisions on audit, risk and internal control, so there are likely to be impacts for internal audit.

The revised Code comes into effect for financial years starting on or after the 1st of January 2025 (apart from the Internal Controls’ Declaration which is effective from the 1st of January 2026). The Code applies to all publicly listed companies on the main London Stock Exchange, which must comply with the Code as part of the listing requirements on a “comply or explain” basis. However, many other types of organisations choose to follow the Code, as it is regarded as a benchmark of good corporate governance.

The update to the UK Corporate Governance Code is, broadly speaking, a positive development for the internal audit profession, with a much stronger focus on the need for companies to have a robust internal control and risk management framework. This includes the requirement for an Internal Controls’ Declaration by the board that the material controls have operated effectively – with financial, operational, reporting and compliance controls all in scope. This in turn is likely to result in boards requiring greater independent assurance to support that declaration, including from their internal audit functions. Internal audit should be proactive and engage boards and audit committees on these new requirements as soon as possible.

The Code itself remains implicit rather than explicit on the need for publicly listed companies to have an internal audit function, with the wording on this remaining the same as before. However, we are pleased to see that the supporting Code Guidance, published on Monday 29 January, gives much greater recognition to the vital role of internal audit in supporting good corporate governance – including referencing “internal audit” over forty times (significantly more than before). In the section on audit, risk and internal control, the guidance includes a set of clear recommendations on the internal audit process that, for the first time, references the Chartered IIA’s Internal Audit Code of Practice and the Global Internal Audit Standards.

The guidance also includes further recommendations on maintaining and reporting on the effectiveness of the risk management and internal control framework, including the new Internal Controls’ Declaration. This covers where the board should obtain assurance on the effectiveness of the framework, including, where appropriate, from internal audit.


Five key takeaways in the Code for internal audit

  1. Comply or explain

    The UK Corporate Governance Code 2024 is applied on a “comply or explain” basis and remains principles-based. The FRC wishes to encourage companies to use the flexibility of the comply or explain regime and to avoid a box-ticking approach. However, new Principle C makes clear that where the board reports on departures from the Code’s provisions, a clear explanation should be provided.

  2. Monitor, assess and embed the corporate culture

    The 2018 version of the Code strengthened the provisions on the board’s responsibility for setting, monitoring, and assessing the corporate culture. The revised 2024 version of the Code goes further; it makes clear that the board is also responsible for embedding the desired corporate culture. As per our report Cultivating a healthy culture, internal audit functions have a key role to play in supporting the board to monitor, assess and embed the corporate culture. This can include conducting independent assurance and assessments to monitor the corporate culture, including assessing whether it has been sufficiently embedded across the organisation. Internal audit’s work in this area can go beyond looking at the risk and control culture and encompass the broader organisational culture.

    The supporting Code guidance makes clear that boards should draw on existing internal capabilities and information to shape their assessment and monitoring efforts, making clear that internal audit has a role to play here, along with other functions like HR, risk management and compliance.

  3. Establishing and maintaining the effectiveness of the risk management and internal control framework

    The new Principle O of the Code makes clear that the board is not only responsible for establishing but also maintaining the effectiveness of the risk management and internal control framework. Internal audit functions have a key role to play in supporting the board on this by providing independent and objective assurance and assessments on the effectiveness of the risk management and internal control framework, including the new Internal Controls’ Declaration (see below).

  4. Monitoring the effectiveness of the risk management and internal control framework and reporting on it in the board’s Internal Controls’ Declaration

    The revised Code also introduces a new provision which not only makes clear that the board should monitor the company’s risk management and internal control framework, as well as carry out an annual review of its effectiveness, but also requires a new declaration that the material controls have operated effectively. The declaration includes within its scope the material financial, operational, reporting and compliance controls. Where any material controls have not operated effectively a description is required of what corrective action has been taken. Internal audit functions can play a key role in supporting these new requirements by providing the board with independent and objective assurance that the material controls have operated effectively.

    The supporting guidance makes clear that the board should consider the level of assurance it is getting on the risk management and internal control framework, and whether this is enough for the board to satisfy itself that the framework is operating effectively. It references internal audit as one independent assurance provider that could be engaged to provide a better level of assurance. The guidance also makes clear that there is no requirement or expectation for companies to obtain external assurance over the effectiveness of the risk management and internal control framework, which in turn makes clear that external assurance may not be required where a company has an effective, appropriately resourced internal audit function.

  5. Provisions on internal audit

    The provisions in the Code that relate to internal audit are unchanged. The Code continues to make clear that the audit committee is responsible for monitoring and reviewing internal audit’s effectiveness. Where there is no internal audit function, the audit committee must instead review annually the need for one and make a recommendation to the board. Where there is no internal audit function, there is also a requirement to explain its absence in the annual report and accounts and to set out how internal assurance is otherwise achieved.

    The Chartered IIA had advocated that the FRC should make a small change to the existing wording of the Code to make clear that, where internal audit is present, the annual report and accounts should include a summary of the main activities of the internal audit function. Even though it is not a Code requirement, we would encourage Chief Audit Executives/Heads of Internal Audit to engage audit committee chairs to ensure a summary is included in the audit disclosure of the annual report and accounts, on the basis that it is considered good practice to do so and helps to raise the profile of the work of internal audit amongst stakeholders.

    The supporting Code guidance goes on to make clear that, given their size and complexity, FTSE 350 companies should consider establishing an internal audit function if they do not have one already. Where there is no internal audit function, the guidance makes clear that this should be reviewed by the audit committee regularly.

    Where there is an internal audit function, the guidance makes clear that the audit committee should review and approve its mandate, approve the audit plan, and approve the internal audit charter. It makes clear that the internal audit plan should be risk-based, that internal audit should play a role in assessing the effectiveness of first- and second-line functions, that its scope should be unrestricted, and that its work should follow international standards. The guidance goes on to make clear that the audit committee is responsible for the hiring and firing of the Chief Audit Executive/Head of Internal Audit, and references a primary reporting line to the audit committee chair and a secondary reporting line to the chief executive. The guidance also references the Chartered IIA requirement for internal audit functions to have an External Quality Assessment at least once every five years. This mirrors many of the key requirements in the Chartered IIA’s Internal Audit Code of Practice and the Global Internal Audit Standards.

What should internal audit be doing?

  1. Internal audit should consider how it could support the board/audit committee in meeting the enhanced Code requirements on monitoring, assessing and embedding the corporate culture. Internal audit has a role to play in helping companies meet these requirements by independently assessing, assuring and auditing the corporate culture.
  2. If they have not done so already, internal audit functions should be meeting and holding discussions with the audit committee on what additional independent assurance may be required to satisfy the board on the effectiveness of the risk management and internal control framework. Internal audit is already doing great work in this space that can support these requirements.
  3. Internal audit should also be engaging the audit committee on what additional independent assurance may be required to support the board’s Internal Controls’ Declaration, to provide the board with sufficient comfort that the material controls have operated effectively.
  4. If internal audit requires extra resources to support the additional requirements in the Code, particularly around assuring the internal control and risk management framework and additional assurance to support the Internal Controls’ Declaration, then internal audit should seek the support of the audit committee chair in securing these resources.
  5. While it may not be a Code requirement, we would encourage internal audit functions to work with their audit committee chair to ensure that the audit disclosure in the annual report and accounts includes a summary of the main activities of the internal audit function, as this will help to raise the profile of the profession.