The Audit & Assurance Policy

Original recommendation

The Brydon Review recommended that the audit committee publish a three-year rolling Audit and Assurance Policy which would be put to an annual advisory vote by shareholders for approval at the Annual General Meeting. (Source: Brydon 10.0.3)


The Government agrees (Section 3.2) with the Brydon Review recommendation and proposes to introduce a statutory requirement on public interest entities to publish an annual Audit and Assurance Policy that describes the company’s approach to seeking assurance of its reported information over the next three years. In the case of quoted public listed entities, the Policy would be subject to an advisory shareholder vote at the time of its publication. The Government is minded that the Policy would be required initially of premium listed companies, and extend to other public interest entities two years later.

The Government invites views on whether the Policy should include the following at a minimum:

  • An explanation of what independent assurance, if any, the company intends to obtain in the next three years in relation to the annual report and other company disclosures beyond required by statutory audit. The Government proposes that this should include an explanation of what independent assurance, if any, the company plans to obtain in relation to:
    • the company’s Resilience Statement in whole or part, and other disclosures related to risk; and
    • the effectiveness of the company’s internal controls framework.
  • A description of the company’s internal auditing and assurance processes. This might include how management conclusions and judgements in the annual report and accounts can be challenged and verified internally, and whether, and if so how, the company is proposing to strengthen its internal audit and assurance capabilities over the next three years.
  • A description of what policies the company may have in relation to the tendering of external audit services (for example, whether the company is prepared to allow the external company auditor to provide permitted non-audit services).
  • An explanation of whether, and if so how, shareholder and employee views have been taken into account in the formulation of the Audit and Assurance Policy.

Government response

The Government confirms that the Audit and Assurance Policy (AAP) will apply to companies which are Public Interest Entities with 750 employees or more and an annual turnover of at least £750m.

Period covered by the AAP

The intention is that the AAP should be published every three years, to give companies sufficient time to review their existing assurance arrangements and gather shareholder and other views before bringing forward a new AAP. This triennial publication will, however, be complemented by an annual implementation report, in which the directors (typically through the audit committee) provide a summary update of how the assurance activity outlined in the AAP is working in practice.

Advisory shareholder vote will not be required

The Government is not proceeding with the proposal that the AAP should be subject to an advisory shareholder vote. However, in the absence of a vote, the Government will make it mandatory that companies state within the AAP how they have taken account of shareholder views in its development. Employee views will also be required to be taken into account.

Mandatory minimum content

The AAP will be required to set out whether, and if so how, a company intends to seek independent (external) assurance over any part of the Resilience Statement or over reporting on its internal control framework. It will also the require companies to describe their internal auditing and assurance process and their policy in relation to the tendering of external audit services.

Understanding the nature of assurance

In order to facilitate a clear understanding of how any independent (external) assurance commissioned by a company beyond the statutory audit meets commonly recognised assurance standards or models, the AAP will be required to state whether any independent assurance proposed within it will be ‘limited’ or ‘reasonable’ assurance, as defined in the FRC’s Glossary of Terms, or whether an alternative form of engagement or review, as agreed between the company and the external provider, will be undertaken. The AAP will also be required to state whether any independent assurance beyond the statutory audit will be carried out according to a recognised professional standard, such as the International Standard on Assurance Engagements (ISAE) (UK) 3000 (covering assurance other than audits of historical financial information).

Audit committee reporting

The Government confirms that, for PIEs that are required to produce an audit committee report, the triennial AAP and the annual implementation report on the AAP should be published within the same section of the annual report as the audit committee report.

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.