An annual declaration by boards about the effectiveness of internal controls is one of the major changes being introduced in the revised UK Corporate Governance Code announced by the Financial Reporting Council in 2024. 

The Code will come into effect for financial years beginning on or after 1 January 2025, although the requirements for a review of internal controls in the annual report – Provision 29 of the Code – will not come into effect until 2026.

Some have compared the increased focus on the internal control environment to features of the Sarbanes-Oxley Act 2002 (SOX) in the US. However, Provision 29 departs from the scope and requirements of SOX in two fundamental ways. First, it does not mandate independent assurance over the effectiveness of internal controls and the attestation made by the board. Second, the scope of the attestation is broader than SOX, as it is not confined to the controls and procedures for financial reporting.

The attestation instead requires boards to determine the effectiveness of material controls within the risk management and control framework, and how deficiencies in the control environment could impact upon the interests of the company, shareholders and other stakeholders.

For banks and insurers, with a potentially broad church of stakeholders including the PRA and FCA means that material controls could extend beyond financial reporting to include considerations such as reputational damage, regulatory compliance, and the overall sustainability and resilience of the business model.

Supporting guidance provides a steer on potential key areas where boards may need to expand their monitoring and assessment of material controls.

Banks and insurers: principle risks

Principle risks are those that have the potential to threaten the business model or future performance of the business. Where the viability of the business model hinges on management of key risks around solvency and access to liquidity, this may result in boards expanding their view of the control environment to those functions that govern regulatory reporting and prudential risk management.

For banks, this may include the credit risk of their lending activities, including underwriting and loan origination, arrears monitoring and forbearance and models that govern how credit risk is measured and quantified for financial reporting purposes and regulatory capital.

Insurers who also face credit risk relating to their investment activities will need to consider similar controls as well as the actuarial and pricing models that inform their insurance underwriting activities.

Market and pricing risks and asset impairments will need to be taken into account by both banks and insurers. Meanwhile, the broad and complex nature of regulation means there is a broader bucket of risk relating to regulatory compliance.

External reporting

The Code directs boards to consider external reporting that might impact upon investment decisions, whether in the company or otherwise. External financial reporting is the obvious starting point here, however boards may also want to consider a broader set of external publications.

Sustainability reporting could also have a disproportionate impact on investors’ perceptions of the firm. As such, this will be an important area to consider in respect of the wider control environment. 

Banks are also required under the Capital Requirements Directive V (CRD V) to disclose to market their Pillar 3 – this sets out essential information about banks’ risk management practices, capital adequacy and other relevant information about key risks.

At present, there is no mandatory requirement for Pillar 3 to be subject to third party assurance. However, boards may need to consider how it is captured for materiality purposes. Certain insurers are already subject to mandatory assurance over regulatory reporting and boards will need to consider whether the scope and nature of such assurance provide appropriate evidence.

Fraud

The Code requires boards to consider controls material to protect against fraud and the risk of controls being overridden. For banks dealing with a dispersed set of customers and high transaction volumes relating to payments and underwriting, the prospect of potential fraud is significant.

Technology risks

Widespread use of technology adds another layer of complexity to the governance landscape. Effective controls in areas, such as model risk management, operational resilience and business continuity are paramount to mitigate cybersecurity risks and ensure the uninterrupted functioning of critical systems and infrastructure.

The Code also expands the potential scope here to include both internal and external risks stemming from artificial intelligence (AI). For example, the declaration might need to consider the ethical and regulatory implications of AI-driven pricing decisions and the extent to which they are transparent, explainable and might involve bias.

An important question is how should organisations manage instances where material controls are not found to be effective or where the control environment has not yet reached a state of maturity, for example emerging areas of external reporting such as sustainability disclosures.

The Code requires a description of those controls that were not effective as at the balance sheet date and details of the remedial steps being taken to ensure efficacy.

This is an extremely sensitive area for banks in particular; external stakeholders may take the view that certain deficiencies pose a threat to going concern. Given the enhanced risk of deposit flight and risks to viability, boards will need to ensure steps are taken to retain stakeholder confidence.

Interestingly, the Code is silent on the reporting and disclosure requirements of material controls that were deficient during a part of the year but were remedied prior to reporting date. Boards will need to consider in which circumstances disclosure might be appropriate.