Attesting time for financial services

Published: 01 Jul 2024

ICAEW’s Financial Services Faculty highlights the potential implications of the new Corporate Governance Code attestation requirement on banks and insurers.

An annual declaration by boards about the effectiveness of internal controls is one of the major changes being introduced in the revised UK Corporate Governance Code announced by the Financial Reporting Council in 2024.

Although the Code will come into effect for financial years beginning on or after 1 January 2025, the requirement for a review of internal controls in the annual report (Provision 29 of the Code) will not come into effect until 2026.

Corporate Governance Code 2024 excerpt

Provision 29. The board should monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls. The board should provide in the annual report:

  • a description of how the board has monitored and reviewed the effectiveness of the framework;
  • a declaration of effectiveness of the material controls as at the balance sheet date; and
  • a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

Some have compared the increased focus the attestation brings to the internal control environment to features of the Sarbanes-Oxley Act 2002 (SOX) in the US. However, although both focus on internal controls, Provision 29 departs from the scope and requirements of SOX in two fundamental ways.

Firstly, the Code does not mandate independent assurance over the effectiveness of internal controls or over the attestation made by the board, although boards can only form a view on effectiveness based on work carried out and evidence obtained, which may include external assurance. Secondly, the scope of the attestation is broader than SOX, as it is not confined to the controls and procedures for financial reporting.

The attestation set out in the Code instead requires boards to determine the effectiveness of material controls within the risk management and control framework. In order to identify which controls are deemed ‘material’, boards will need to assess how deficiencies in the control environment could impact upon the interests of the company, shareholders and other stakeholders.

Those stakeholders are not limited in the Code to shareholders. For banks and insurers, which operate in a heavily regulated sector and play an important role within the economy, this is potentially a broad church of stakeholders, including the PRA and FCA. As a consequence, material controls could extend beyond financial reporting and encompass a broader set of considerations, including reputational damage, regulatory compliance, and the overall sustainability and resilience of the business model.

Supporting guidance to the Code provides a further steer on potential key areas of the business where boards may need to expand their monitoring and assessment of material controls.

Banks and insurers: principal risks

Principal risks are those that have the potential to threaten the business model or future performance of the business. For banks and insurers, where management of key risks around solvency and access to liquidity is paramount to the viability of the business model, this may result in boards expanding their view of the control environment to those functions that govern regulatory reporting and prudential risk management.

For banks, this may include the control environment that governs the credit risk of their lending activities. Its scope could include underwriting and loan origination, arrears monitoring and forbearance, and the models that govern how credit risk is measured and quantified for financial reporting purposes and regulatory capital.

Insurers, which also face credit risk relating to their investment activities, will need to consider similar controls. Market and pricing risks and asset impairments will need to be taken into account by both banks and insurers.

Insurers will also need to consider the actuarial and pricing models that inform their insurance underwriting activities, including the models that measure insurance contract liabilities and reserving for both financial reporting and regulatory reporting purposes.

Banks and insurers operate in a heavily regulated sector and consequently must manage conduct risks appropriately. Historically, the financial penalties incurred for breaching regulatory requirements have been significant, so it will be important for boards to consider conduct risks in their declarations.

The broad and complex nature of regulation, which also differs according to the jurisdictions in which banks and insurers operate, means there is also a broader category of risk relating to regulatory compliance.

External reporting

The Code directs boards to consider external reporting that might impact upon investment decisions, whether in the company or otherwise. External financial reporting stands out as the obvious starting point here; however, for banks and insurers, boards may also want to consider a broader set of external publications.

Sustainability reporting, including disclosures that set out firms’ net zero transition plans, other ESG commitments and climate-related risks and opportunities, could have a disproportionate impact on investors’ perceptions of the firm. In particular, reputations can be tarnished by accusations of greenwashing where a firm’s reporting and disclosure on climate-related matters is inaccurate or misleading. As such, this will be an important area to consider in respect of the wider control environment. Depending on the business model, this could also be considered a principal risk to the firm.

Banks, in particular, are also required under the Capital Requirements Directive V (CRD V) to publish their Pillar 3 disclosures to the market. These set out essential information about banks’ risk management practices, capital adequacy and other relevant information about key risks. At present, there is no mandatory requirement for Pillar 3 disclosures to be subject to third-party assurance, but given the importance of the information they contain about risk, boards may need to consider how they are captured for materiality purposes. Certain insurers are already subject to mandatory assurance over regulatory reporting, and boards will need to consider whether the scope and nature of such assurance provide appropriate evidence.

Fraud

The Code requires boards to consider controls material to protecting against fraud and the risk of controls being overridden. For banks that are dealing with a dispersed set of customers, some of whom will seek to undertake criminal activity, and with high transaction volumes relating to payments and underwriting, the prospect of potential fraud is significant. Boards must consider not only the controls that relate to potential fraud perpetrated by customers and counterparties but also, importantly, those relating to fraud perpetrated from within the firm.

Technology risks

Widespread use of technology within banks and insurers adds another layer of complexity to the governance landscape. While digitalisation offers unprecedented opportunities, it also exposes banks and insurers to potential cybersecurity threats, data breaches and operational vulnerabilities. Effective controls in areas such as model risk management, operational resilience and business continuity are paramount to mitigate these risks and ensure the uninterrupted functioning of critical systems and infrastructure.

The Code also expands the potential scope here to include risks stemming from Artificial Intelligence (AI). This could encompass the use of AI by external actors to compromise or breach a bank’s or insurer’s systems. But the Code’s scope could also be extended to the risks relating to a bank’s or insurer’s own use of AI, whether within front- or back-office functions. For example, the declaration might need to consider the ethical and regulatory implications of AI-driven pricing decisions and the extent to which they are transparent, explainable and free from bias.

An important question is how banks and insurers should manage instances where material controls are not found to be effective or where the control environment has not yet reached a state of maturity. These could include emerging areas of external reporting such as sustainability disclosures, or areas that have historically not been required to have the same levels of assurance as a financial statements audit.

The Code requires a description of those controls that were not effective as at the balance sheet date and details of the remedial steps being taken to ensure they operate effectively going forward. This is potentially an extremely sensitive area for banks in particular; depending on the deficiencies highlighted, external stakeholders may take the view that they pose a threat to going concern. Where trust in banks is compromised there is a heightened risk of deposit flight and risks to viability. Boards will therefore need to be mindful of the nature of the disclosures made and ensure steps are taken to retain stakeholder confidence in the business model.

Interestingly, the Code is silent on the reporting and disclosure requirements for material controls that were deficient during part of the year but were remedied prior to the reporting date. Boards will need to consider in which circumstances disclosure might be appropriate.

Banks and insurers already have comprehensive approaches to ensuring the effectiveness of their control environment and, depending on the jurisdiction they operate in and the extent of their external reporting, will already be seeking both internal and external assurance on areas of internal control. For example, those that are SEC registered and subject to SOX will already have some form of assurance over internal controls as they relate to financial reporting. Similarly, some firms already seek assurance on regulatory and sustainability reporting. The challenge for boards will be to determine the areas where they may need further evidence as to the effectiveness of the control environment, whether because an area is not presently subject to testing, or because the scope of the assurance currently provided is in some way deficient.
