UK Corporate Governance Code 2024

This is a list of frequently asked questions (FAQs) that are intended to help companies navigate the FRC’s revised UK Corporate Governance Code 2024, and related guidance. The FAQs are intended to provide some initial practical support to organisations, but are not exhaustive so should be read in conjunction with the FRC’s Corporate Governance Code and guidance and our Restoring Trust in Risk Management and Internal Control guide, which we refer to throughout the FAQs.

Timing and application of the revised Code

Who does the revised Code apply to and what is the most significant change?

The Listing Rules require all premium listed entities to report against the UK Corporate Governance Code (the Code).

Large private companies might also be impacted, but only to a limited extent. This is because, under The Companies (Miscellaneous Reporting) Regulations 2018, private companies that meet certain thresholds are required to disclose their corporate governance arrangements in their directors’ report and on their website, including information on whether they follow a formal governance code. Many follow the Wates Principles to meet this requirement, but some might choose to follow the revised Code. In doing so, however, they would have more flexibility in which aspects of the Code they follow than those who are required to follow the Code.

Other industries, for example public sector organisations, are often subject to specific governance or licensing arrangements, and some of these are based on the Code. Such organisations should therefore check for any updates to their specific governance arrangements to reflect the revised Code.

The most significant change to the Code is that boards will have to make a specific declaration in the annual report that all material controls are operating effectively at the balance sheet date; they must also describe how they have monitored and reviewed the organisation’s risk management and internal control framework, and describe any material controls that are not operating effectively at the balance sheet date.

When will the revised Code become effective?

All of the changes to the Code are effective for financial periods beginning on or after 1 January 2025, with the exception of Provision 29, which covers the new directors’ declaration over risk management and internal control described above. That is effective for financial periods beginning on or after 1 January 2026.

It is important to remember that the existing Code provisions will continue to be in place in the meantime.

What are the other changes to the Code?

The changes to section 4 'Audit, Risk and Internal Control' are the most significant and the subject of these FAQs. There are limited changes to the other sections, which are summarised by the FRC in this Key Changes document.

Material controls

What are material controls?

In the guidance, the FRC states that material controls could include, but are not limited to, controls over risks that could threaten the organisation’s business model, solvency, liquidity etc; controls over reporting that could be price sensitive; fraud controls; or certain IT controls. In our view, put simply, a material control is a control that, individually or in aggregate, addresses a material risk. We have provided our view on how organisations can determine what is a material control here.

How do I determine what my organisation’s material controls are?

There has been lots of debate around the different categories of control (financial, operational, reporting and compliance), when in fact, the Code wants the focus to be on 'all material controls'. Arguably, these are just examples of the types of categories those controls could fall into.

Firstly, businesses should think about what their material risks are and identify the controls that would address these risks. Those controls will then, most likely, fall into the categories described in the Code, whether they are formally labelled in that way or not.

We recognise that risks can be complex and highly aggregated, so some drilling down will be needed, for example using the organisation’s risk register, but principal risks, such as those in the annual report, are a good place to start. Using the organisation’s current taxonomy or risk categorisation could also be a good way to start drilling down. For more details, see our guidance on how organisations can determine what is a material control here.

What reporting could fall within the scope of material 'reporting' controls?

The Code does not specifically refer to what elements of an organisation’s reporting would be included in the declaration, nor does it explicitly limit it to the reporting in the annual report or half-year reporting. We interpret this as meaning the material 'reporting' controls would be those over any material reporting that the organisation issues publicly. It is likely that this would largely be what is in the annual or half-year reports, but could also be other material public reporting. This was confirmed during a webinar held by the FRC after the guidance was issued, but with a re-emphasis on it being limited to 'material reporting'.

Would you expect controls over environmental, social and governance (ESG) reporting to be material?

This will depend on individual companies’ facts and circumstances, and on what management and the board consider the risk to be that this reporting could be incorrect. That said, ESG is a growing area of focus for investors and other stakeholders, so given its increasing profile but often relatively immature control framework, in particular relating to sustainability, we would expect controls over this reporting to be considered material for many companies.

Control failures

Do all material control deficiencies need to be disclosed or is there some form of severity grading system (like US SOx – control deficiency, significant deficiency, material weakness)?

The revised Code and the guidance say that 'material controls that have not operated effectively at the balance sheet date' should be disclosed as part of the new declaration, along with plans for remediation. This goes a step further than the existing guidance: 'Guidance on risk management, internal control and related financial and business reporting', which recommends that, 'the board should explain what actions have been or are being taken to remedy any significant failings or weaknesses' in the annual report, but doesn’t explicitly require them to describe what has failed.

In this context, neither the updated Code nor the accompanying guidance uses the terminology 'significant deficiencies' or 'material weaknesses', and neither suggests any sort of severity grading. It is possible that this is a deliberate attempt not to use SOx-type language, as the FRC has been clear that this is not a version of SOx.

That said, the guidance recommends that the board should have regard to significant failings or weaknesses that have been reported during the year, whether they could have a material impact on the organisation’s financial performance or condition, whether necessary actions have been taken, and any areas for improvement identified. In doing this, the principles of significant deficiencies and material weaknesses in US SOx might be a useful reference point.

If a control failure has been remediated by the balance sheet date, does it need to be disclosed?

Where a control failure has been remediated, the board might still decide to disclose it if they believe it was sufficiently significant for readers to know about. This would also illustrate the effective working of their monitoring, review and remediation process.

Are control failures considered material on an individual basis or in aggregate?

It is likely that there could be situations where a number of controls don’t individually address a material risk fully, but do so in aggregate. In this situation, it will be down to the board’s judgement whether a failure in only one of these controls should be disclosed as a failure of a material control. In our view, more transparent disclosure is better and describing the thought process the board has gone through to determine what are the material controls and how it has assessed whether any individual failures could have a material effect would be helpful to the reader.

Approach to assurance

Is it necessary to seek external assurance over the board’s declaration of effectiveness of material controls?

The Code does not mandate external assurance. However, the FRC’s Guidance does say that 'The board, in conjunction with other committees and management, will decide whether any form of external assurance is necessary. The type of assurance and nature is also a decision for the board, and they may wish to discuss this with their investors.'

On this latter point, it is most likely, for many companies, that management will be responsible for the day-to-day monitoring and review processes over material aspects of risk management and internal control, and will periodically report on this to the board. However, the board remains ultimately responsible for making the declaration, and will need to consider how comfortable it is relying on delegation and self-certification of controls design and operation to management. To help bridge this potential gap, an assurance mapping process, similar to that proposed under the draft legislation for the Audit and Assurance Policy, would be helpful. Under this process, the board would map the material risks and controls to the lines of defence and determine whether it thought more 'assurance', internal or external, was needed. As part of this process, the board might choose to obtain some degree of external assurance. Refer to our Restoring Trust guide under the Audit and Assurance Policy for more details on assurance mapping.

How can a second line of defence support the objectives of the Code?

As part of its monitoring and review process, the board should consider the level and mix of process and assurance, both internal and external, which it considers necessary to support the declaration. The role and structure adopted by the second line of defence will be influenced by practical factors such as the extent of business operations requiring coverage, and whether there is already a mature and effective second line function in place.

First line of defence risk and control activities, whilst providing a broad ‘baseline’, are a relatively weak form of assurance unless they are validated and complemented by assurance from other lines. Most large businesses will have an internal audit function, and may also commission additional external assurance. However, the extent of assurance provided by each line will depend on how comfortable the board is relying on self-certification of controls design and operation and how much it wants independent testing and assurance (internal or external).

Our view, therefore, is that it is likely that most organisations will incorporate elements of assurance provision from a number of lines of defence. Our Restoring Trust guide provides an example approach to assurance.

How can Internal Audit support the board’s monitoring and review process? Would you expect Internal Audit to perform independent testing of internal controls?

In the guidance, the FRC states that 'Senior management and the board may desire objective assurance and advice on risk and internal control. An adequately resourced Internal Audit function (or its equivalent…) may provide such assurance'. As described further below, in our view Internal Audit could be a key part of the assurance the board obtains in support of its monitoring and review process. This would most likely include some degree of independent testing by Internal Audit, ideally using a targeted, risk-based approach, and could include some degree of cycle testing.

Do I only need to consider assurance over processes/controls that can affect the financial statements?

The declaration covers all material controls, including financial, operational, reporting and compliance controls, so is not just limited to controls and processes that could impact the financial statements. Therefore, the board’s consideration of the assurance it needs should take into account all of these areas and not just the risks and controls relating to the financial statements.

Is the Audit and Assurance Policy still going to be a requirement?

The Government’s draft Secondary Legislation that required new disclosures (Audit and Assurance Policy (AAP), Resilience Statement, Material Fraud Statement and distributable reserves disclosures) for companies of a certain size (i.e. with 750 employees and £750m annual turnover threshold) was withdrawn in October 2023. The rationale cited by the Government was that it wants to re-look at all aspects of non-financial reporting as part of its ongoing review in this area before issuing any new requirements.

However, each of these reforms has been many years in the making and has been given a tremendous amount of thought by the Government, FRC, professional institutes and firms. In our experience, many boards appreciate the value that new disclosures such as the Audit and Assurance Policy would have brought and are considering which elements of these proposals can be taken forward, in their own time and flexed to their own facts and circumstances. In fact, some are moving at pace with 'assurance mapping' processes.

If companies have decided to develop an AAP or have a similar, informal assurance mapping process, the risk assessment for the purposes of assessing the effectiveness of risk management and internal control could be done in conjunction with scoping for the assurance mapping process. An AAP will set out what the most important reported information to the business is, so could be a good starting point for determining what financial and non-financial reported information should be in scope. It would also, for most if not all companies, include the reported principal risks, resilience information and information on fraud risks, so would also help frame the scoping of operational and compliance risks and controls.

Scope and content of the declaration

How much detail should be in the description of the monitoring and review process that is included in the declaration?

Knowing up front what will be in the disclosures will help with a number of the key decisions that will be needed as part of the monitoring and review process. The FRC’s guidance states that the description 'may include the type of information the board has received and reviewed, the units and individuals it has consulted with, any internal or external assurance received, and if relevant, the name of the recognised framework, standard or guideline the board has used to review the effectiveness'. We would also suggest including a description of how scoping was undertaken and the factors that played into decisions over materiality. We believe that a logical, thoughtful approach that is disclosed in a transparent and detailed way will not only be informative, but stand up to challenge.

What does it mean in the declaration that material controls are 'operating effectively at the balance sheet date'?

The FRC guidance states that 'The board should provide a summary of how it has monitored and reviewed the effectiveness of the framework during the reporting period'. Therefore, we don’t think the expectation is that all evidence is gathered at the balance sheet date. In our view, robust monitoring and review processes should be conducted at logical milestones throughout the reporting period and kept current up to the balance sheet date, so that there is early warning of controls that are failing and can be remediated in time. For controls that operate on, for example, a weekly, monthly or quarterly basis, it would be sensible to get more than one example that they are operating effectively throughout the period and up to the balance sheet date.

Although we stress that this is not US SOx, we can learn a lot from the basics of SOx, which has always followed a point-in-time assessment. With this in mind, companies could consider an interim testing phase with a follow-up and year-end update that validates that any remediations have been dealt with.

Enforcement and accountability

Will the Code be enforced by the FRC?

The FRC does not currently have powers to enforce the Code. As noted in its 'Corporate Governance and Stewardship Mythbuster', published in February 2023, when asked whether the Code gives the FRC powers to enforce against directors, the response was 'No, it does not. The Code is a flexible part of a framework that allows companies to develop high quality governance practices for their own particular circumstances which shareholders should understand, engage with and approve. We do monitor reporting against the Code by selecting a random sample of 100 FTSE 350 and Small Cap companies to assess the quality of reporting, which informs our Review of Corporate Governance Reporting each year.'

If the primary legislation that has been expected for some time from the Government is eventually introduced and enacted and the FRC is replaced by the Audit, Reporting and Governance Authority (ARGA), ARGA may have powers to hold directors to account, but we expect this would still be limited in relation to the Code if it retains the comply or explain mechanism.

However, in our view, the additional attention that has been paid to risk management and internal control as part of the multiple reviews and consultations over recent years (e.g. the Brydon Review, Kingman Review and BEIS consultation), has brought it into the spotlight. As a result, it is likely there will be increased external scrutiny going forward over a company’s process and reporting in this area from a broad range of stakeholders.

Ownership of the process

Which function/role should be planning and leading the approach to monitoring and reviewing risk management and internal control?

The board is ultimately responsible for establishing and maintaining an effective risk management and internal control framework, monitoring the systems and reviewing their effectiveness (often via the audit committee), and reporting on the effectiveness in the annual report. However, we expect that management and others in the organisation (not just in the finance function) will have responsibility for day-to-day monitoring and review. Internal audit, and possibly also external audit or other advisors, will all have a role to play. With this in mind, it will be key to consider the following.

  • Duties and day-to-day responsibilities of management for the operation of the risk management and internal control framework, including any self-assessments.
  • Any reviews or compliance testing carried out by individuals other than the control operators.
  • The role of internal audit and its reporting to the board and management on the design and effectiveness of risk management and internal control.
  • The role of the external audit or other external advisors or providers of independent assurance.

These are effectively the ‘lines of defence’ that ensure risk management and internal control are working effectively. Allied to this, a clearly defined vision and strategy for risk, control and assurance defined by the board and management and aligned to the business’s objectives will help ensure the activities of each line of defence are coordinated and focused on a common set of goals. This will enable effective prioritisation of resources and effort when making capital allocation decisions and project scoping.

Contact us

Jayne Kerr

Director, UK Public Policy, PwC United Kingdom

Tel: +44 (0)7740 241129

Richard Bailes

Partner - Governance, Risk and Compliance, PwC United Kingdom

Tel: +44 (0)7715 034917

Lisa Bark

Partner - Business Risks and Controls - FS, PwC United Kingdom