The benefits of stronger internal controls
Strengthening risk management and internal controls has significant benefits for organisations, helping them to combat fraud and enhance the quality of corporate reporting and governance. Beyond compliance it creates a risk and controls-focused culture with broader insight and operational benefits that improves your investors’ confidence, supports better decision-making and protects shareholder value.
The importance of strong internal controls, particularly over financial reporting, was highlighted by Sir Donald Brydon and Sir John Kingman in their government-commissioned reviews and many companies have already begun major controls transformation programmes in anticipation of the changes implemented in the new Code.
Based on our own experience of successful control transformation programmes and also publicly available evidence of improvements experienced in the US after the introduction of Sarbanes Oxley (SOX) in the early 2000s, we believe that the strengthening of internal controls, has significant benefits for organisations:
A controls-focused culture led from the top, promotes behaviours and activities across your organisation, playing an important role in safeguarding your business and shareholder value. Employees who understand their responsibilities and are accountable will be able to design and operate effective controls and identify deficiencies early. This leads to improvements in the behaviours and attitudes specifically related to risk and controls. It also promotes a controls mindset over increasingly important disclosures outside of financial information, such as ESG and climate change, helping organisations to build or rebuild trust.
Why you need to act now to strengthen your risk management and internal controls
The Government’s proposed reforms to audit and corporate governance include measures that emphasise the need for and importance of better internal controls. These include:
An annual controls declaration required - boards will be required to make an annual declaration in the annual report on the effectiveness of all material controls as at the balance sheet date.
A wide-ranging scope covering all material controls - the declaration will cover all material controls, including (i) financial, (ii) operational, (iii) compliance controls and (iv) non-financial reporting controls.
The basis of declaration to be disclosed - it will include a description of how the board has monitored and reviewed the effectiveness of its risk management and internal control framework.
A need to consider “material” control deficiencies - it will also include a description of any material controls that have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.
Whilst the effective date of the revised Code is financial years beginning on or after 1 January, 2025, additional implementation time has been allowed for the provisions relating to the declaration on material controls, which will be applicable for financial years beginning on or after 1 January 2026. Until these effective dates, companies should follow the existing 2018 Code.
The FRC has also issued guidance to support the changes to the Code, in particular around internal controls.
How you can strengthen your risk management and internal controls framework
More than ever, the updated Code is bringing risk management and internal controls closer together, and the changes to the Code represent an opportunity for you to rethink how you approach risk, control and assurance. Whether your organisation needs to comply with the Code or not, there are a number of elements that underpin an effective risk management and internal controls framework. At PwC, we think about this through the lens of ‘Enterprise Control.’ What we mean by this is an optimised, right-sized control environment that is focused on key risks and strategic objectives beyond a narrow view of internal control over financial reporting.
Enterprise Control provides panoramic insight, underpinned by trusted data sources and enabled by technology. It allows you to balance the need for transformation and creating new opportunities for growth with building resilience and creating trust and confidence among stakeholders, investors and customers.
A successful control implementation programme requires significant effort, resource and planning from a broad range of stakeholders across an organisation. Understanding what the change means for your business and taking a pragmatic approach will enable you to enhance and optimise your control environment. In our experience there are a number of critical success factors.
Start early
Understand your areas of strength and where you have gaps. Be aware of common pitfalls and set out the improvement that is needed by establishing a roadmap to enhance internal controls. Acting early will let you identify weaknesses early, and allow you time to resolve them.
Appropriately-resourced programme
Establishing an appropriately-resourced programme to enhance the design, perform operational testing and modify for business changes.
Focus on optimising controls
Build a right-sized internal control framework that is aligned to your governance model and tailored to business operations for an efficient and cost-effective controls testing programme.
Making use of technology and automation
Establish an integrated internal control framework that drives efficiency, improves quality and provides real-time reporting and insight for management oversight.
Embed controls culture
Enhancing your control environment is not just about processes and controls. From Board level to control owners, you need to create the right culture, encourage the right behaviours and embed change.
What steps could Boards take in their approach to overseeing, monitoring and reviewing the effectiveness of their risk management and internal controls framework?
There are a number of steps that Boards could take in their approach to overseeing, monitoring and reviewing their risk management and internal control framework and to provide a robust foundation for the annual declaration around risk management and internal controls effectiveness required by the revised Code.
Dual-listed entities - what you need to know
The FRC is clear that the updated Code requirements are not the same as those under US SOx and that it is not expecting organisations to take the same approach - much more is left to the Board’s judgement and the Code is on a comply or explain basis rather than a legal requirement. That said, if your business is dual-listed and you are already complying with a regime such as US SOx, for example, you are starting from a position of strength in that you will have already defined your material (key) internal controls over financial reporting (ICFR) and have governance, oversight and assurance arrangements in place which can be leveraged. For most companies, we do not expect that compliance with the Code would require any additional work to be performed over ICFR.
However, as the Code is broader than US SOx in that the declaration covers all material controls rather than just ICFR, you will need to consider non-financial reporting, operational and compliance controls along with the overarching risk management processes underpinning your framework. In doing so, US SOx filers could consider which elements of their approach to ICFR could be leveraged more widely to this broader set of controls, but without replicating the full SOx approach.
Find out what the changes to the UK Corporate Governance Code mean for your organisation and how we can help you strengthen your risk management and internal controls regime.
PwC Webinar
Revised UK Corporate Governance Code
Following the publication of the updated Code by the FRC, we hosted a webinar for over 1000 attendees in which we outline the impact of the changes to the Code on businesses and explore the practical steps that they can take to comply.
28:40
Revised UK Corporate Governance Code
Follow us
Contact us
