Among the corporate governance reforms the government unexpectedly dropped last year, the Audit and Assurance Policy (AAP) was the one that had been most welcomed by audit committee chairs when first announced. “Of all the reforms the government put forward, this was one that audit committee chairs I speak to were really supportive of and thought was a good idea,” says Tracy Gordon, Director, UK Centre for Corporate Governance, Deloitte.
Until October last year, UK plc was readying itself to formally publish a statement on an AAP every three years. The AAP was intended to be a useful mechanism for providing a company’s external stakeholders with detailed information on how its management was thinking about risks, including disclosures and the relevant assurance they were seeking. Then the government ditched the proposals, a result of “significant thought by a broad range of stakeholders”.
The AAP was meant to be more than just a compliance exercise. It was intended to be a crucial way for directors to step back and re-engage with their shareholders by taking a fresh look at the type of financial and non-financial information they were issuing, and how they reached a comfort level with it.
Given the broad acceptance of the AAP, experts say it is likely that many boards will continue to produce one even if they don’t publish it. Anecdotal evidence suggests the AAP is providing an important lens and assurance over the effective operation of controls, development of data and reporting.
“Many of the audit committee chairs will seek to continue with something. I think they’re using AAPs as a kind of board management tool in the background because it provides really useful information. The AAP has made boards and audit committees realise that perhaps they don’t have good visibility and a clear understanding of what we call the second line of defence assurance activities,” Gordon says. However, she adds that without legislation it’s doubtful that “we’ll actually see many or any of them published in the way that was initially envisioned”.
PwC also agrees that “there is significant value in adopting many of the elements” that underpinned the proposed disclosures as part of companies’ current reporting framework.
Jayne Kerr, a Director in UK Public Policy at PwC, says the AAP, in particular the assurance mapping element, would be a useful exercise for boards, allowing them to take a step back and consider their approach to internal and external assurance.
Indeed, Kerr says that with annual reports seemingly getting larger and larger by the year, and users’ knowledge that the financials in the back end of the annual report are audited, it makes sense for boards to better understand what assurance they have over the non-financial data in the front end of the annual report – and from whom. “I’m speaking to lots of boards who, despite the AAP not being a requirement, are doing an assurance mapping exercise as part of their governance procedures,” Kerr says.
But she adds that it’s unlikely we’ll see “a big swathe of voluntary public reporting in this area”.
Experts say the new internal controls declaration, that UK plc will have to complete under the refreshed Corporate Governance Code, will likely trigger boards to want to understand very clearly where assurance is coming from in relation to the effectiveness of all material controls. So assurance mapping across risk management and internal control functions or activities will help management fulfil the new internal controls declaration.
Nigel Sleigh-Johnson, Director, Audit and Corporate Reporting, ICAEW, says: “ICAEW was closely involved in the development of the thinking that led to the proposed AAP requirements, and continues to advocate voluntary use of the AAP.”
Advisers are standing firmly in the camp that the AAP is a benefit, not a hindrance, to boards, and it’s likely the UK could end up with an AAP in all but name. 3i was among several of the UK’s leading public companies to include an AAP in their 2023 accounts.
3i first incorporated the Audit and Assurance Policy in its 2021 annual report in response to the Brydon review. But given that the revised UK Corporate Governance Code 2024 no longer requires an AAP, the company doesn’t plan to publish one in its next accounts. COO Jasi Halai, who was previously responsible for its finance function, says: “On that basis we intend to remove the Audit and Assurance Policy from the 2024 ARA, but retain it as a standalone document for internal purposes. We may then refer to certain components of the Policy within the Audit Committee and Compliance report where deemed useful.”
If 3i is an example of what’s to come in December 2023 and in 2024 accounts, it’s likely investors and key stakeholders can expect to see greater detail about companies’ risks, including their disclosures and the relevant assurance. “What we could end up with is a form of AAP but focusing more on assurance over the effectiveness of the risk management and internal control framework to support the new material controls declaration,” Gordon says.
The principles behind the AAP are discussed in ICAEW’s Audit and Assurance Faculty’s report, Developing a Meaningful Audit and Assurance Policy.
The new boardroom agenda
Articles, videos and podcasts exploring the crucial role board members play in ensuring their organisation’s long-term sustainability amid complex risks.