
The UK Corporate Governance Code: What’s changing and who’s impacted?

Regulatory Reporting
AUTHOR:
Charles Calovich
GRC Industry Principal
Published: 6 June 2023
Last Updated: 17 August 2023

The long-held promise of a SOX-like regime in the UK is finally taking shape. On 24 May 2023, the Financial Reporting Council (FRC) issued a consultation on implementing proposed changes to the UK Corporate Governance Code (the Code). Comments on the questions set out in the consultation document are requested by 13 September 2023.  

This is the latest step in a protracted process that began in 2018 with the Kingman review, followed by the 2019 Brydon report, 2021 whitepaper and consultation from the Department for Business, Energy & Industrial Strategy (BEIS), and last year’s “Restoring Trust in Audit and Corporate Governance” positioning paper published by the FRC.

But this isn’t just another milestone—it’s a clear sign that the end is in sight. Included in the consultation is the FRC’s stated intention to apply the Code, “to accounting years commencing on or after 1 January 2025 to allow sufficient time for implementation.” The waiting game is almost over. 

 

The drive behind the changes to the Code is clear: bring new rigour to auditing, encourage shareholder investment, mitigate risk of corporate failure and drive growth across the UK. 

Ultimately, it’s also designed to simplify assurance over reporting processes. This is reflected in the decision to make changes to the existing Code in lieu of introducing additional legislation. That the Code is “clear and concise” is spotlighted as a strength in the consultation document—one that they have “sought to maintain.” This will undoubtedly be welcomed by audit leaders across the UK. 

 

The Code is already mandatory for premium listed companies within the UK and is widely used voluntarily by other listed companies and large private companies. Included within the consultation document are proposals to extend some of the scope to all companies with more than 750 employees, or with £750m+ annual turnover. This extension will happen if and when legislation that reforms the definition of ‘Public Interest Entity’ within the UK beyond just listed and financial services organisations is finalised.

 

 

One of the most significant proposed updates to the Code is the need for the board to make a clear “declaration of whether the board can reasonably conclude that the company’s risk management and internal control systems have been effective throughout the reporting period and up to the date of the annual report.” This declaration, likely to be incorporated within the annual report, provides:

  • A summary of the company’s strategic approach to managing risk, and building or maintaining resilience, including with regard to relevant internal governance processes 
  • Identification of the company’s principal risks, and how these are being managed (including likelihood, impact and mitigating action in place)
  • A summary of why the directors believe the company remains a going concern
  • An assessment of the company’s prospects over the medium term (with this period to be defined and explained by the directors), including with regard to its stated principal risks
  • A reverse stress test (identifying a combination of circumstances in which the company’s business plan would become unviable and setting out any mitigating action put in place as a result of the test)

(Source: UK Corporate Governance Code consultation document, p.64) 

Currently, directors only need to state whether or not controls have been effective. If the proposed changes are enacted, the declaration would need to cover internal controls over both financial and non-financial reporting, compliance and operations; operating effectiveness throughout the reporting period; an explanation of the basis of the board’s assessment; and a description of any material weaknesses, failures and associated remediation efforts.

Communicating materiality, or “material controls,” would be the main focus of the declaration. Exactly what this means is expected to be set out in further guidance from the FRC, alongside more information about the Code’s structures, actions and responsibilities. But for organisations looking to get ahead of the Code’s expected application on 1 January 2025, a prudent first step would be to shore up materiality assessment practices.

Organisations could also be required to produce a Resilience Statement that attests to the short- and long-term viability of the business. If included in the final changes to the Code, it will subsume the existing Going Concern and Viability statements. Company directors will have to report on matters that they believe to be material and explain how they have arrived at this judgement.

 

 

The proposed Audit and Assurance Policy (AAP) is unchanged from last year’s “Restoring trust in audit and corporate governance” paper. The AAP will cover: 

  • Internal auditing and assurance arrangements. 
  • What external assurance, if any, the company proposes to seek beyond the statutory auditor’s duties.
  • A description of the policy in relation to the tendering of external audit services. 
  • Whether any external assurance proposed will be ‘limited’ or ‘reasonable’ assurance. 
  • Whether any external assurance beyond the statutory audit will be carried out according to a professional standard. 
  • How the AAP has taken account of shareholder and other stakeholder views. 
  • Whether and how the company intends to seek external assurance over any part of the Resilience Statement or over reporting of its internal controls in relation to financial reporting.

(Source: UK Corporate Governance Code consultation document, p.14)

However, in an effort to keep the Code as streamlined as possible, the FRC has acknowledged that the introduction of the AAP and Resilience Statement could lead to some duplication of, and confusion with, the audit committee’s existing responsibilities within the Code. To make things as simple as possible, they are therefore proposing to incorporate both the AAP and Resilience Statement into the Code on a comply or explain basis.

Also proposed to be introduced on a comply or explain basis is the new minimum standard for audit committees. In addition to providing greater clarity for affected organisations, it also extends the remit of the minimum standard, AAP and Resilience Statement beyond the FTSE 350 to include all premium listed organisations. 

At the opening of the document, the FRC explains that they’re also aiming to “improve the functioning of comply or explain” by introducing a new Principle in section 1 of the Code that sets out an expectation for organisations to “focus on activities and outcomes to demonstrate the impact of governance practices.” The FRC also speaks out in favour of the comply or explain approach, sharing that more companies are using the flexibility on offer and “[choosing] bespoke governance arrangements most suitable to their circumstances in both the short and long-term.”

 

There are additional proposed amendments to the Code. These include: 

  • Amendments to bring more focus to board responsibilities for environmental and social concerns. 
  • A recognition that increasing demands on directors’ time and capacity will need to be properly managed.
  • An amendment focused on diversity and inclusion, encouraging organisations to consider diversity beyond gender and ethnicity by giving equal weight to all protected and non-protected characteristics. 
  • Plans to create closer ties with overall corporate performance, including environmental, social and governance (ESG) objectives. 
  • The need to provide more information about malus and clawbacks. 
  • An intention to reduce the tendency to boilerplate information within reports and, consequently, improve the quality of reporting.  

Most significant here is the continued reaffirmation of the importance of ESG within the consultation document. This, alongside the expected need to incorporate the Resilience Statement within annual reporting practices, is another sign that the lines of delineation between sustainability and finance are blurring, with more effective controls, audit, and assurance over both becoming an incontrovertible need.

 

The proposed changes shouldn’t be a major shock to anyone who’s been keeping track of what was once referred to as UK SOX, or a SOX-like (or even SOX-lite) regime in the UK. The roadblocks to compliance remain the same: a lack of ability to link control frameworks to financial reporting, scattered control data, manual attestation control processes, and manual control testing. 

The amount of work, and time, that’s required for companies in scope to prepare for compliance depends on the maturity of the risk and controls program. Information about understanding your program maturity and guidance about how to make meaningful, iterative improvements can be found in this guide.  

In addition to taking time to improve materiality practices within your organisation, another critical first step will be to accelerate the development of unified, integrated reporting practices. It’s only by firming connections between risk, finance and sustainability teams and processes that audit professionals will be able to gain the oversight they need to respond to these new requirements with confidence.  

About the Author
Charles Calovich

GRC Industry Principal

Charles Calovich, Industry Principal at Workiva, is a governance, risk, and compliance (GRC) expert serving the EMEA region. With a deep understanding of technology and over 11 years of experience, he brings a unique combination of industry knowledge and a refreshing approach, fostering growth and localization in EMEA. With his passion for GRC transformation and commitment to establishing best practices, Charles is dedicated to enhancing assurance functions and helping GRC professionals thrive.

One of Charles’ recent accomplishments was his pivotal role as a member of the Review Advisory Group for the TELOS Feasibility Study Report, 'Digitization of Sustainability Information: A Study to Assess the Feasibility and Value of a Registry for Digital Taxonomies.' Throughout his involvement in this study, he demonstrated his expertise in how to leverage technology for sustainability information management and develop valuable digital taxonomies. 

Moreover, Charles actively engages with the Institute of Internal Auditors (IIA) where he recently served as a panelist at the global conference, providing practical guidance on navigating the challenges presented by the Corporate Sustainability Reporting Directive (CSRD). Additionally, Charles has partnered with esteemed organizations like ECIIA, FERMA, and ecoDa as a moderator for several ESG and assurance webinars.
