1. Seize the moment
We urge companies to seize the moment to create a Policy that builds on existing activities, rather than waiting for this to become mandatory. We emphasise the ongoing need for discussion that results in a consistent and inclusive language to articulate and describe audit and assurance. Improved definition will support the great value that this Policy has the potential to provide, improving internal decision making while providing insight to external users.
2. Deliver integrated and enhanced information
We encourage viewing the Policy as a mechanism to deliver, through effective signposting across all disclosures, integrated and enhanced information on the system of risk management and internal control and the audit and assurance obtained over risks, disclosed financial and non-financial information and regulatory requirements.
3. Encourage a broad range of companies and other organisations
We encourage companies and organisations of any size to consider producing an Audit and Assurance Policy, recognising the potential value for all users, and providing clarity for regulators.
4. Audit committees should own the Policy
We encourage audit committees to own the Policy on behalf of the board, focusing on realising the full range of opportunities through clear, concise and comparable information; ensuring appropriate audit and assurance coverage of those matters of greatest concern to users; providing education to all parties; holding providers to the highest standards; and telling a story that drives value and builds trust.
5. Deliver clarity and transparency, avoiding boilerplate descriptions
We believe the Policy must deliver clarity and transparency, avoiding boilerplate descriptions, and evolve over time as improvements are embedded. Companies may initially need to prioritise aligning their understanding internally to learn, identify practical improvements, build capability, and evaluate gaps in their underlying audit and assurance provision.
6. Create a cohesive and complete narrative covering all sources of audit and assurance
We encourage a cohesive and complete narrative covering all sources of audit and assurance to indicate where and how directors obtain their comfort. Technology and data-driven techniques should be considered as a fully integrated element of the solution, delivering improved insight across all risks. Culture and behaviours should also be addressed.
7. Update the Policy regularly, with proactive shareholder engagement
We recommend that the Policy is updated regularly, with proactive engagement of shareholders. Ideally, the need to consider shareholder views will promote proactive dialogue between shareholders and directors.
8. Focus on underpinning principles, creating flexibility through a proportionate and pragmatic response
We support guidance and regulation with a focus on underpinning principles, creating flexibility through a proportionate and pragmatic approach, alongside a limited number of minimum mandatory elements for comparability. This will allow the approach taken by organisations to evolve, recognising that many will not have all of the information needed on first implementation, and allowing for transparency in discussing how they are progressing.
9. Aim for tailored, engaging and interactive reporting
We encourage tailored, engaging and interactive reporting that reflects the nature, scale and complexity of the company, with succinct, summarised and integrated reports located in the Annual Report. The Policy should explain the core principles in sufficient detail to enable users to evaluate the content and to engage in a meaningful discussion.