Directors’ accountability for internal controls – planning for the new requirements

24 May 2021

Reforms to the UK corporate governance environment are coming, with important impacts on directors’ accountability for internal controls.

The March 2021 consultation paper issued by the Department for Business, Energy and Industrial Strategy (BEIS) on ‘Restoring trust in audit and corporate governance’ will affect the UK’s major companies in many ways. As well as including more companies in the definition of Public Interest Entity (PIE) – including large private companies and others that may be in the public interest – there will be new requirements relating to internal controls for corporate reporting, audit committee and assurance requirements.

One particular proposed reform would increase the accountability of directors for internal controls over financial reporting and other non-financial information, including ESG, Supplier Payment Policy and Practices, Performance Indicators linked to remuneration and anti-fraud arrangements. The BEIS consultation paper outlines proposals for implementing a UK Sarbanes-Oxley style regime, including stronger disclosure and potential attestation requirements, albeit with great flexibility and proportionality.

The Government is considering a number of options in relation to internal controls, but has stated a preference for reforms such as a Directors’ Responsibility Statement. This would require directors to acknowledge their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. Directors could also be required to carry out an annual review of the effectiveness of internal controls over financial reporting, explain the outcome of the review, and make a statement as to whether they consider the system to have operated effectively. Other requirements on directors are likely to include disclosure of the benchmark system used to make the assessment, any deficiencies in the control system and associated remedial actions.

The timetable for introducing the Government’s final reforms is yet to be confirmed. Our best estimate is that premium-listed companies may need to comply from 2023/24, with other public interest entities, including large private businesses, following thereafter. However, based on our experience helping businesses respond to other international SOx regimes, successful programmes can take between 18 and 36 months to implement and embed. Given this lead time, early planning is encouraged so that businesses can more effectively manage the implementation of new arrangements or the transition of what is already in place. First, however, businesses need to determine whether they fall within the scope of the new PIE definitions and start to understand the intentions and expectations of the Directors and Audit Committee with regard to the benchmarking system and the need for external assurance.

Once expectations of the key stakeholders are clear, ownership and project management should be established so that a project plan and budget can be developed covering the following fundamental stages:

  • Assessment – current state of internal controls and assurance
  • Design – Process documentation and development of risk and control matrices
  • Implement – Implement the controls and carry out a walkthrough to prove the concept
  • Embed – Complete operational effectiveness testing regime and remediation actions
  • Improve – Enhancement of the controls and testing regime, move to automate more.

As management teams work through these stages, they should also consider other critical success factors including:

  • developing and maintaining effective governance arrangements
  • assessing the current and desired organisational culture relating to risk and control
  • utilising a digital governance, risk and control (GRC) tool to help create a unified but flexible approach to managing risk and controls in decentralised businesses.

For further information on the proposed corporate governance reforms, the impact on directors’ accountability for internal controls and practical advice on the steps management teams can take to prepare, please download our publication below.