Attesting time for financial services

Author: ICAEW Insights

Published: 28 Jun 2024

The new Corporate Governance Code attestation requirement on banks and insurers shines a spotlight on their internal controls. ICAEW’s Financial Services Faculty explains some of the practical implications

An annual declaration by boards about the effectiveness of internal controls is one of the major changes being introduced in the revised UK Corporate Governance Code announced by the Financial Reporting Council in 2024. 

The Code will come into effect for financial years beginning on or after 1 January 2025, although the requirements for a review of internal controls in the annual report – Provision 29 of the Code – will not come into effect until 2026.

Corporate Governance Code 2024 – Provision 29.

The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The board should provide in the annual report:

  • A description of how the board has monitored and reviewed the effectiveness of the framework.
  • A declaration of effectiveness of the material controls as at the balance sheet date.
  • A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them, and any action taken to address previously reported issues.

Some have compared the increased focus on the internal control environment to features of the Sarbanes-Oxley Act 2002 (SOX) in the US. However, Provision 29 departs from the scope and requirements of SOX in two fundamental ways. First, it does not mandate independent assurance over the effectiveness of internal controls and the attestation made by the board. Second, the scope of the attestation is broader than SOX, as it is not confined to the controls and procedures for financial reporting.

The attestation instead requires boards to determine the effectiveness of material controls within the risk management and control framework, and how deficiencies in the control environment could impact upon the interests of the company, shareholders and other stakeholders.

For banks and insurers, a potentially broad church of stakeholders, including the PRA and FCA, means that material controls could extend beyond financial reporting to include considerations such as reputational damage, regulatory compliance, and the overall sustainability and resilience of the business model.

Supporting guidance provides a steer on potential key areas where boards may need to expand their monitoring and assessment of material controls.

Banks and insurers: principal risks

Principal risks are those that have the potential to threaten the business model or future performance of the business. Where the viability of the business model hinges on the management of key risks around solvency and access to liquidity, boards may need to expand their view of the control environment to those functions that govern regulatory reporting and prudential risk management.

For banks, this may include the credit risk of their lending activities, including underwriting and loan origination, arrears monitoring and forbearance, and the models that govern how credit risk is measured and quantified for financial reporting purposes and regulatory capital.

Insurers, who also face credit risk relating to their investment activities, will need to consider similar controls, as well as the actuarial and pricing models that inform their insurance underwriting activities.

Market and pricing risks and asset impairments will need to be taken into account by both banks and insurers. Meanwhile, the broad and complex nature of regulation means there is a broader bucket of risk relating to regulatory compliance.

External reporting

The Code directs boards to consider external reporting that might impact upon investment decisions, whether in the company or otherwise. External financial reporting is the obvious starting point here; however, boards may also want to consider a broader set of external publications.

Sustainability reporting could also have a disproportionate impact on investors’ perceptions of the firm. As such, this will be an important area to consider in respect of the wider control environment. 

Banks are also required under the Capital Requirements Directive V (CRD V) to disclose their Pillar 3 report to the market. This sets out essential information about banks’ risk management practices, capital adequacy and other relevant information about key risks.

At present, there is no mandatory requirement for Pillar 3 to be subject to third-party assurance. However, boards may need to consider how it is captured for materiality purposes. Certain insurers are already subject to mandatory assurance over regulatory reporting, and boards will need to consider whether the scope and nature of such assurance provide appropriate evidence.

Fraud

The Code requires boards to consider controls material to protect against fraud and the risk of controls being overridden. For banks dealing with a dispersed set of customers and high transaction volumes relating to payments and underwriting, the prospect of potential fraud is significant.

Technology risks

Widespread use of technology adds another layer of complexity to the governance landscape. Effective controls in areas such as model risk management, operational resilience and business continuity are paramount to mitigate cybersecurity risks and ensure the uninterrupted functioning of critical systems and infrastructure.

The Code also expands the potential scope here to include both internal and external risks stemming from artificial intelligence (AI). For example, the declaration might need to consider the ethical and regulatory implications of AI-driven pricing decisions and the extent to which they are transparent, explainable and might involve bias.

An important question is how organisations should manage instances where material controls are not found to be effective, or where the control environment has not yet reached a state of maturity, for example in emerging areas of external reporting such as sustainability disclosures.

The Code requires a description of those controls that were not effective as at the balance sheet date and details of the remedial steps being taken to ensure efficacy.

This is an extremely sensitive area for banks in particular; external stakeholders may take the view that certain deficiencies pose a threat to going concern. Given the enhanced risk of deposit flight and risks to viability, boards will need to ensure steps are taken to retain stakeholder confidence.

Interestingly, the Code is silent on the reporting and disclosure requirements of material controls that were deficient during a part of the year but were remedied prior to reporting date. Boards will need to consider in which circumstances disclosure might be appropriate. 

More information

A longer version of this article was published by the ICAEW Financial Services Faculty.
