Strengthening risk management and internal controls has significant benefits for organisations, helping them to combat fraud and enhance the quality of corporate reporting and governance. Beyond compliance, it creates a risk- and controls-focused culture with broader insight and operational benefits that improves investor confidence, supports better decision-making and protects shareholder value.
The importance of strong internal controls, particularly over financial reporting, was highlighted by Sir Donald Brydon and Sir John Kingman in their government-commissioned reviews, and many companies have already begun major controls transformation programmes in anticipation of the changes implemented in the new Code.
Based on our own experience of successful control transformation programmes, and on publicly available evidence of the improvements experienced in the US after the introduction of Sarbanes-Oxley (SOX) in the early 2000s, we believe that strengthening internal controls has significant benefits for organisations:
A controls-focused culture, led from the top, promotes the right behaviours and activities across your organisation and plays an important role in safeguarding your business and shareholder value. Employees who understand their responsibilities and are accountable for them will be able to design and operate effective controls and identify deficiencies early. This leads to improvements in behaviours and attitudes specifically related to risk and controls. It also promotes a controls mindset over increasingly important disclosures outside financial information, such as ESG and climate change, helping organisations to build or rebuild trust.
More than ever, the updated Code is bringing risk management and internal controls closer together, and the changes to the Code represent an opportunity for you to rethink how you approach risk, control and assurance. Whether or not your organisation needs to comply with the Code, there are a number of elements that underpin an effective risk management and internal controls framework. At PwC, we think about this through the lens of ‘Enterprise Control’: an optimised, right-sized control environment that is focused on key risks and strategic objectives, beyond a narrow view of internal control over financial reporting.
Enterprise Control provides panoramic insight, underpinned by trusted data sources and enabled by technology. It allows you to balance the need for transformation and creating new opportunities for growth with building resilience and creating trust and confidence among stakeholders, investors and customers.
A successful control implementation programme requires significant effort, resource and planning from a broad range of stakeholders across an organisation. Understanding what the change means for your business and taking a pragmatic approach will enable you to enhance and optimise your control environment. In our experience there are a number of critical success factors.
There are a number of steps that Boards could take in their approach to overseeing, monitoring and reviewing their risk management and internal control framework and to provide a robust foundation for the annual declaration around risk management and internal controls effectiveness required by the revised Code.
The FRC is clear that the updated Code requirements are not the same as those under US SOX and that it is not expecting organisations to take the same approach: much more is left to the Board’s judgement, and the Code operates on a ‘comply or explain’ basis rather than as a legal requirement. That said, if your business is dual-listed and you are already complying with a regime such as US SOX, you are starting from a position of strength: you will already have defined your material (key) internal controls over financial reporting (ICFR) and will have governance, oversight and assurance arrangements in place that can be leveraged. For most such companies, we do not expect that compliance with the Code would require any additional work to be performed over ICFR.
However, because the Code is broader than US SOX in that the declaration covers all material controls rather than just ICFR, you will need to consider non-financial reporting, operational and compliance controls, along with the overarching risk management processes underpinning your framework. In doing so, US SOX filers could consider which elements of their approach to ICFR could be applied more widely to this broader set of controls, without replicating the full SOX approach.
Following the publication of the updated Code by the FRC, we hosted a webinar for over 1,000 attendees in which we outlined the impact of the changes to the Code on businesses and explored the practical steps that they can take to comply.