Guidance on internal control and risk management

For companies applying the UK Corporate Governance Code, the current guidance in respect of internal control and risk management is the Financial Reporting Council (FRC)'s publication Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. The Guidance was issued in September 2014 ("the 2014 Guidance") and is applicable to companies applying the 2018 Code.

The 2014 Guidance serves as a reference for boards, prompting them to consider how they effectively manage risk within their business and ensure sound monitoring of internal controls, while also highlighting related reporting responsibilities in respect of these areas, such as principal risk disclosures, internal control statements and the longer term viability statement.

For companies complying with US requirements to report on internal controls over financial reporting, the Guidance is a suitable framework as noted by the US Securities and Exchange Commission (SEC).

In January 2024, the FRC issued an updated Code which will apply to accounting periods commencing on or after 1 January 2025 with the exception of Provision 29 – a new declaration on the effectiveness of the risk management and internal control framework – which will apply to accounting periods commencing on or after 1 January 2026.  In addition to the updated Code, the FRC has issued guidance to support companies in the application of the 2024 Code.  The FRC stresses that the guidance should not be viewed as part of the 2024 Code and should not be seen as a requirement of the FRC. It is aimed at contributing helpful context to a board’s consideration of how they might go about complying with the 2024 Code.  This guidance also incorporates previously published FRC guidance, namely the Guidance on Board Effectiveness, Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and Guidance on Audit Committees. 

Statement on internal controls - companies applying the 2018 Code

All companies following the 2018 Code need to explain whether they comply with Provision 29 which requires companies to include an explanation regarding how boards have reviewed the effectiveness of their risk management and internal control systems, covering financial, operational and compliance controls. The FRC expects this explanation to include sufficient detail regarding the review itself and that it should confirm the results of the review. In line with the 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, the board should describe in the annual report what actions have been or are being taken to remedy any significant failings or weaknesses.

2014 Code update

During May 2022, the UK Government indicated that directors should be more open and accountable for operating an effective internal control system, not only for financial reporting but also for wider operational and compliance risks. It therefore invited the regulator (the Financial Reporting Council (FRC)) to strengthen the 2018 Code for premium listed companies to provide for an explicit directors’ statement about the effectiveness of the company’s internal controls and the basis for that assessment, and to work with companies, investors and auditors to develop appropriate guidance. Following a consultation on changes to the 2018 Code in May 2023, the FRC issued an updated Code in January 2024 ("the 2024 Code").

In the 2024 Code, there has been a change to Code Principle O: “The board should establish a framework of prudent and effective controls, which enable risk to be assessed and managed” is replaced by “The board should establish and maintain an effective risk management and internal control framework”.

This amended Principle is reinforced by an extension of the existing Code provision (Provision 29) in relation to the board’s responsibility to monitor the company’s risk management and internal control framework and, at least annually, carry out a review of its effectiveness. Building on this review and monitoring activity, it is proposed that the board provides the following disclosure in the annual report:

  • a description of how the board has monitored and reviewed the effectiveness of the framework;
  • a declaration of effectiveness of the material controls as at the balance sheet date; and
  • a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

The new declaration is expected to cover, in line with the board’s review and monitoring responsibilities, “material controls” noting that this has been changed from “financial, operational and compliance” in the 2018 Code to “financial, operational, reporting and compliance” in the 2024 Code.

This extension to Provision 29 will be effective from 1 January 2026, while the rest of the Code becomes effective from 1 January 2025. This is to allow sufficient time for implementation of the new declaration.

Until the 2024 Code comes into effect, the 2018 Code applies and continues to be supported by: The Guidance on Board Effectiveness; The Guidance on Audit Committees; and The Guidance on Risk Management, Internal Controls and Related Financial Business Reporting.
