Guidance on internal control and risk management

For companies applying the UK Corporate Governance Code, the current guidance in respect of internal control and risk management is the Financial Reporting Council (FRC)'s publication Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. The latest Guidance was issued in September 2014 ("The September 2014 Guidance"). This document serves as a reference for boards, prompting them to consider how they effectively manage risk within their business and ensure sound monitoring of internal controls, while also highlighting related reporting responsibilities in respect of these areas, such as principal risk disclosures, internal control statements and the longer term viability statement. This has been echoed by the changes in the 2018 UK Corporate Governance Code ("The 2018 Code"), which calls for boards to carry out a robust assessment of the company’s emerging risks as well as principal risks.

For companies complying with US requirements to report on internal controls over financial reporting, the Guidance is a suitable framework as noted by the US Securities and Exchange Commission (SEC).

Statement on internal controls

During May 2022, the UK Government indicated that directors should be more open and accountable for operating an effective internal control system, not only for financial reporting but also for wider operational and compliance risks. It therefore invited the regulator (the Financial Reporting Council (FRC)) to strengthen the 2018 Code for premium listed companies to provide for an explicit directors’ statement about the effectiveness of the company’s internal controls and the basis for that assessment, and to work with companies, investors and auditors to develop appropriate guidance.  Following a consultation on changes to the 2018 Code in May 2023, the FRC issued an updated Code in January 2024 to make these changes ("the 2024 Code").  The 2024 Code, which will require a declaration by the board on the effectiveness of the risk management and internal control framework, will apply to accounting periods commencing on or after 1 January 2025 except for Provision 29 – the declaration on the effectiveness of the risk management and internal control framework – which will apply for accounting periods commencing on or after 1 January 2026 to allow sufficient time for implementation.

The FRC has published new guidance in support of the 2024 Code. The FRC stresses that the guidance should not be viewed as part of the Code and should not be seen as a requirement of the FRC. It is aimed at contributing helpful context to a board’s consideration of how they might go about complying with the 2024 Code. Until the 2024 Code comes into effect, the 2018 Code applies and continues to be supported by: The Guidance on Board Effectiveness; The Guidance on Audit Committees; and The Guidance on Risk Management, Internal Controls and Related Financial Business Reporting.

Before the application of the 2024 Code and the new guidance as noted above, all companies following the 2018 Code need to explain whether they comply with Provision 29, which requires companies to include an explanation regarding how boards have reviewed the effectiveness of their risk management and internal control systems, covering financial, operational and compliance controls. The FRC expects this explanation to include sufficient detail regarding the review itself and that it should confirm the results of the review. In line with the 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, the board should describe in the annual report what actions have been or are being taken to remedy any significant failings or weaknesses.
