10 July 2023
Financial Reporting Council
8th Floor
125 London Wall
London
EC2Y 5AS
By email: codereview@frc.org.uk
Financial Reporting Council
8th Floor
125 London Wall
London
EC2Y 5AS
By email: codereview@frc.org.uk
Response to the Corporate Governance Code Consultation
Dear Sirs,
We welcome the opportunity to provide comments on specific areas of the UK Corporate Governance Code.
Lynceus Management Consulting is a small advisory firm working internationally with professional accounting organizations, learning providers and public sector bodies to develop the finance profession, build-capacity and strengthen corporate governance systems of organizations.
The UK Corporate Governance Code is both a reference for our own internal corporate governance processes and a pillar in our capacity-building and advisory work. Being a part-British-owned business and working with UK stakeholders, we take an active interest in the developments of the regulatory framework in the UK and feel that we are able to contribute to FRC’s drive to improve of the Code.
Our responses relate to the specific questions raised with regards to Section 4 – Audit, risk and internal control of the Consultation Document and are set out in Appendix 1.
Should you have any queries with respect to the matters outlined in our responses, please to do hesitate to contact us at the contact details below.
Yours sincerely,
Olga Akimova, FCCA, CIA, ISO31000
Member of ACCA Global Forum for Risk, Governance and Performance
Managing Partner
Lynceus Management Consulting
We welcome the opportunity to provide comments on specific areas of the UK Corporate Governance Code.
Lynceus Management Consulting is a small advisory firm working internationally with professional accounting organizations, learning providers and public sector bodies to develop the finance profession, build-capacity and strengthen corporate governance systems of organizations.
The UK Corporate Governance Code is both a reference for our own internal corporate governance processes and a pillar in our capacity-building and advisory work. Being a part-British-owned business and working with UK stakeholders, we take an active interest in the developments of the regulatory framework in the UK and feel that we are able to contribute to FRC’s drive to improve of the Code.
Our responses relate to the specific questions raised with regards to Section 4 – Audit, risk and internal control of the Consultation Document and are set out in Appendix 1.
Should you have any queries with respect to the matters outlined in our responses, please to do hesitate to contact us at the contact details below.
Yours sincerely,
Olga Akimova, FCCA, CIA, ISO31000
Member of ACCA Global Forum for Risk, Governance and Performance
Managing Partner
Lynceus Management Consulting
Appendix 1: Consultation Document, Section 4 – Audit, risk and internal control
Q10: Do you agree that all Code companies should prepare an Audit and Assurance Policy, on a 'comply or explain' basis?
Yes. Although the AAP is primarily aimed at PIE, nevertheless it is good practice for other companies implementing the UK Corporate Governance code to prepare an AAP as this would promote transparency with regards to external assurance provider engagement and allow to incorporate a sustainability perspective into the corporate governance through multi-stakeholder considerations which should be applicable to non-PIE entities as well in the light of the current global challenges.
Q11: Do you agree that amending Provisions 25 and 26 and referring Code companies to the Minimum Standard for Audit Committees is an effective way of removing duplication?
No. As the Code Provisions contain holistic and wholesome guidelines on the roles and responsibilities of the Audit Committees, removing some aspects of the Provision and referring companies to the Standard would fragment the guidelines and lead to inefficiencies by making companies refer to a number of documents relating to a single topic. The aspects in questions are not of such significant volume as to lead to significant inefficiency from duplication or extend the Code to an unreasonable length.
Q10: Do you agree that all Code companies should prepare an Audit and Assurance Policy, on a 'comply or explain' basis?
Yes. Although the AAP is primarily aimed at PIE, nevertheless it is good practice for other companies implementing the UK Corporate Governance code to prepare an AAP as this would promote transparency with regards to external assurance provider engagement and allow to incorporate a sustainability perspective into the corporate governance through multi-stakeholder considerations which should be applicable to non-PIE entities as well in the light of the current global challenges.
Q11: Do you agree that amending Provisions 25 and 26 and referring Code companies to the Minimum Standard for Audit Committees is an effective way of removing duplication?
No. As the Code Provisions contain holistic and wholesome guidelines on the roles and responsibilities of the Audit Committees, removing some aspects of the Provision and referring companies to the Standard would fragment the guidelines and lead to inefficiencies by making companies refer to a number of documents relating to a single topic. The aspects in questions are not of such significant volume as to lead to significant inefficiency from duplication or extend the Code to an unreasonable length.
Q12: Do you agree that the remit of audit committees should be expanded to include narrative reporting, including sustainability reporting, and where appropriate ESG metrics, where such matters are not reserved for the board?
Yes. It is suggested that the provisions 26 and 27 should expand on the responsibilities of the audit committees with regards to sustainability matters, and include responsibilities relating to the operationalization of oversight of external sustainability reporting through determination and/or consultation on application of reporting frameworks and guidelines, reporting timeframes, roles and responsibilities, means of reporting ESG information, scope of external assurance over sustainability information and selection of external assurance provider for sustainability disclosures.
Q13: Do you agree that the proposed amendments to the Code strike the right balance in terms of strengthening risk management and internal controls systems in a proportionate way?
Yes. It is important to ensure that management takes responsibility for the oversight, assessment of effectiveness of risk management (RM) and internal control (IC) systems and reporting annually on such. With the speed of changing internal and external environments, the risk and control frameworks of companies should be robust, dynamic and responsive. Management should demonstrate this through explicit statement and reporting to provide confidence to stakeholders that company objectives and business activities established to achieve them are ton a strong foundation of risk management and internal controls systems including their responsiveness to sustainability challenges faced by the companies.
As these foundations should be a status quo in PIE and other companies, explicit declaration by management of their effectiveness is a very organic development in the requirements of the Code.
Yes. It is suggested that the provisions 26 and 27 should expand on the responsibilities of the audit committees with regards to sustainability matters, and include responsibilities relating to the operationalization of oversight of external sustainability reporting through determination and/or consultation on application of reporting frameworks and guidelines, reporting timeframes, roles and responsibilities, means of reporting ESG information, scope of external assurance over sustainability information and selection of external assurance provider for sustainability disclosures.
Q13: Do you agree that the proposed amendments to the Code strike the right balance in terms of strengthening risk management and internal controls systems in a proportionate way?
Yes. It is important to ensure that management takes responsibility for the oversight, assessment of effectiveness of risk management (RM) and internal control (IC) systems and reporting annually on such. With the speed of changing internal and external environments, the risk and control frameworks of companies should be robust, dynamic and responsive. Management should demonstrate this through explicit statement and reporting to provide confidence to stakeholders that company objectives and business activities established to achieve them are ton a strong foundation of risk management and internal controls systems including their responsiveness to sustainability challenges faced by the companies.
As these foundations should be a status quo in PIE and other companies, explicit declaration by management of their effectiveness is a very organic development in the requirements of the Code.
Q14: Should the board's declaration be based on continuous monitoring throughout the reporting period up to the date of the annual report, or should it be based on the date of the balance sheet?
Due to the nature of the RM and IC processes and their inherent characteristics such as responsiveness and adaptability to changes in the internal and external environment, continuous improvement, feedback loops and the pace of changes in reporting, operating and compliance environments, the declaration by management should relate to the effective functioning of the RM and IC systems throughout the reporting period.
This approach will also be responsive to the common approach and best practices of internal audit and external audit assessment of effectiveness of internal controls aimed at identifying systemic deficiencies in internal controls which inherently means reviewing operation over the reporting period rather than at a point in time. Hence declaration should be aligned to such practices.
Q15: Where controls are referenced in the Code, should 'financial' be changed to 'reporting' to capture controls on narrative as well as financial reporting, or should reporting be limited to controls over financial reporting?
Yes. The term ‘financial’ alone refers only to controls over the preparation of the financial statements and financial information subject to audit. Whilst ‘reporting’ allows to include internal controls over sustainability reporting as well.
It is not sufficient for the companies to provide financial information only. As the Code takes a multi-stakeholder view of company reporting and corporate governance practices, sustainability information which is largely still not (and may not be in the future to a certain extent) translated into financial indicators must receive greater attention in annual reporting. Specifically, the reliability of sustainability information is dependent on robust risk assessment and internal controls (especially over source data) and hence allowing for non-financial controls in the Code would adhere to good practices and forward looking approach to Code update process.
Due to the nature of the RM and IC processes and their inherent characteristics such as responsiveness and adaptability to changes in the internal and external environment, continuous improvement, feedback loops and the pace of changes in reporting, operating and compliance environments, the declaration by management should relate to the effective functioning of the RM and IC systems throughout the reporting period.
This approach will also be responsive to the common approach and best practices of internal audit and external audit assessment of effectiveness of internal controls aimed at identifying systemic deficiencies in internal controls which inherently means reviewing operation over the reporting period rather than at a point in time. Hence declaration should be aligned to such practices.
Q15: Where controls are referenced in the Code, should 'financial' be changed to 'reporting' to capture controls on narrative as well as financial reporting, or should reporting be limited to controls over financial reporting?
Yes. The term ‘financial’ alone refers only to controls over the preparation of the financial statements and financial information subject to audit. Whilst ‘reporting’ allows to include internal controls over sustainability reporting as well.
It is not sufficient for the companies to provide financial information only. As the Code takes a multi-stakeholder view of company reporting and corporate governance practices, sustainability information which is largely still not (and may not be in the future to a certain extent) translated into financial indicators must receive greater attention in annual reporting. Specifically, the reliability of sustainability information is dependent on robust risk assessment and internal controls (especially over source data) and hence allowing for non-financial controls in the Code would adhere to good practices and forward looking approach to Code update process.
Q16: To what extent should the guidance set out examples of methodologies or frameworks for the review of the effectiveness of risk management and internal controls systems?
The guidance should provide companies with non-prescriptive guidance on assessing RM and IC systems with great emphasis on:
Q17: Do you have any proposals regarding the definitional issues, e.g. what constitutes an effective risk management and internal controls system or a material weakness?
It is suggested that the definition of a Material weakness be amended as follows:
A fault, deficiency or failure, or a number of such, in the design or operation of the risk management and internal control framework, such that there is a reasonable possibility that the company’s ability to identify, assess, respond to or monitor risks to its strategic, operational, reporting and compliance objectives in a timely manner is adversely affected
The guidance should provide companies with non-prescriptive guidance on assessing RM and IC systems with great emphasis on:
- roles and responsibilities of the board (and relevant committees), management, internal audit, process owners etc.;
- the importance of continuous monitoring of the systems and adaptation to the changing environments through risk assessment, control review in the light of key trends and significant operational events, regulation;
- importance of competence of those involved in the review from financial, business, compliance and sustainability perspective, continuous development of skills and cross-training between different teams within the company on order to provide for a holistic view for the assessment of the RM and IC systems.
Q17: Do you have any proposals regarding the definitional issues, e.g. what constitutes an effective risk management and internal controls system or a material weakness?
It is suggested that the definition of a Material weakness be amended as follows:
A fault, deficiency or failure, or a number of such, in the design or operation of the risk management and internal control framework, such that there is a reasonable possibility that the company’s ability to identify, assess, respond to or monitor risks to its strategic, operational, reporting and compliance objectives in a timely manner is adversely affected
Q18: Are there any other areas in relation to risk management and internal controls which you would like to see covered in guidance?
Basis for declaration.
Basis for declaration.
- It is suggested that within the scope of this aspect of reporting management discloses the approach to determining materiality, especially in the context of assessing internal controls over sustainability reporting;
- It may also be reasonable to include a narrative on the changing risk landscape and how this has impacted the maintenance of the effectiveness of the RM system (e.g. high-level approach to risk identification, assessment and internal reporting to ensure that the dynamic environment is factored into the RM system and as an indication that it is a continuous process).
- It is suggested that emphasis is placed on risk assessment and related controls over reliability of data and information used in reporting, both generated internally and collected from third parties, which is most relevant for sustainability reporting due to numerous data sources, limited IT solutions for non-financial data and need to collect information from third parties (e.g. Scope 3 emissions, sustainable supply-chain etc);
- It is suggested that emphasis on building competence and cross-functional knowledge sharing should be made as an integral element of an effective RM and IC system and a primary principle of good governance applicable to the Board, committee members, RM, IC and IA teams. Also it could be advised that companies may need to look for skills outside those typically represented in such teams including sustainability experts and non-finance/non-accounting experts depending on the industry in order to effectively assess effectiveness of ESG and operational controls.
Capabilities
Expertise
Contacts
- Lynceus Management Consulting Est., Brighter Vision Business Centre, F02-089, Al Khabeesi, Dubai, UAE
- lmc@lynceusconsulting.com
© 2024 Lynceus Management Consulting. All Rights Reserved.
