Likely internal control effectiveness requirements for UK listed Irish companies

What does the consultation recommend in regards to internal controls?

The consultation provides a range of options for what the regime will look like. The UK Government’s preferred option is that directors make an explicit statement about the effectiveness of internal controls over financial reporting, set out the benchmark system used to make that assessment and how assurance over the statement is to be provided. It is likely that the new Audit and Assurance Policy (AAP) will be the method by which the level of required assurance over internal controls over financial reporting is determined. Any decisions about whether the directors’ attestation should be subject to external audit would be explained in the company’s AAP, although external audit of the statement would likely not be mandated.

What does this mean for Irish domiciled companies with a UK Listing?

The consultation does not specifically refer to Foreign Private Issuers (FPIs), e.g. Irish Companies with a UK Listing. We expect this to be clarified following the consultation period however we do not believe that there will be any special considerations provided to FPIs. As a result it is likely that Irish domiciled Premium Listed companies will need to comply fully with any regulation and/or legislation. 

When is this likely to become a requirement?

The implementation date for changes will depend upon whether legislative change is needed, or if change can be made through regulation. Based on the time to legislate, December 2023 is likely to be the earliest date of attestation. 

Given that an internal controls implementation programme can take 18-24 months for a mature filer, starting early is critical. We also recommend a dry run year, in the year preceding the first year of adoption to ensure the framework is fully embedded and any material control weaknesses are addressed.

How is this different to what existing requirements are?

While listed companies have long been required to maintain effective systems of internal controls by the UK Corporate Governance Code 2018, this proposal will require them to annually evaluate their financial internal controls and to disclose the results of that assessment. This includes whether there were any material weaknesses in controls that may not prevent or detect a material misstatement in the financial statements.

Further to this, the newly created regulator (ARGA) will likely have powers to investigate the accuracy and completeness of the directors’ internal control disclosures and take action. This could be the recommendation of an external audit of the internal controls or the issuing of sanctions against directors. 

This new regime represents a significant step change in the diligence and attention that will need to be given to the company’s internal control framework. 

What does ‘good’ look like in terms of internal controls

Understanding what this change means for your business and taking a pragmatic approach will enable you to enhance and optimise your control environment.

This means:

• An embedded controls culture and engagement from everyone from Board level to control owners.

• Clear understanding of your internal control strengths, areas for improvements and common pitfalls, i.e. taking learnings from US SOX such as reliability of key reports and spreadsheets and well designed  management review controls.

• An appropriately resourced controls programme that includes clear guidance, training, ongoing monitoring and controls redesign for business and IT changes.

• Having an efficient and effective controls testing programme supported by automation and insight reporting, to increase the quality of the control environment.

• Development of a technology enabled integrated internal control framework with real-time monitoring by management.

Critical success factors in ensuring effective internal controls over financial reporting

Tone from the Top

Leadership from CEO and CFO to clearly articulate the importance and purpose of good internal control. 

Culture and Engagement

Buy-in from all levels of staff to a controls focused culture is key to ensuring a well functioning system of internal control. 

Accountability 

Ensuring accountability for controls design and operation up and down through the organisation, at all levels. 

Evidence Mind-Set

The operation of controls must be evidenced clearly to demonstrate effectiveness. This represents a shift from a ‘tell-me’ to a ‘show-me’ mindset.  

Business Change Management

Ensuring key risks remain mitigated against effectively by controls as the organisation goes through business as usual change.

Sound scoping

Understanding those material risks to financial reporting, business processes and IT systems is critical to ensure effort is directed towards the right areas.

Understanding Third Parties

The extent of reliance on third parties and service organisations is critical in understanding risks in the organisation’s control environment and ensuring these risks are appropriately mitigated.

Standardisation

Having a clearly defined and streamlined approach to identifying, documenting and evidencing key financial controls will help to minimise cost and effort incurred during the design and implementation phase of the programme.

The key actions to take now

Businesses should consider what actions to take now to assess how they respond, and use this time to develop and perform ‘no regrets’ activities to drive improvements to their internal controls over financial reporting, which could be regarded as good practice in any event. Acting now will result in early identification of any control weaknesses, allowing time to remediate. By embracing this change, organisations can transform a poorly structured control environment – or a strict, rigid financial control framework – into a flexible and agile platform that is fit for the future.

There are some ‘no regrets’ activities you should start now to drive improvements to your business in any event, alongside preparing for the likely requirement to issue an annual internal controls effectiveness statement.

1. Get a clear understanding of the design and effectiveness of your control environment over financial reporting. Ask yourself: 

• How well do you understand the material risks in your financial reporting processes? Remember that controls over financial reporting do not just reside with your finance function and can bring in many areas of your business including IT, HR and operations. 

• How much do you rely on third parties to get the financial numbers complete and accurate? Could there be a material risk with them?

• How comfortable are you that your key IT systems, relating to financial reporting, are well controlled to support your financial numbers?

• How do you know you are operating the right controls at the right level, at the right time to get coverage over your identified risks?

2. Consider what mechanisms you have in place to ensure controls over financial reporting are operating effectively.  Is your controls testing programme sufficiently robust to ensure annual testing can be completed to a high standard?

3. Use the time now to increase the use of technology to develop real-time and/or automated controls and monitoring by management to increase the quality of the control environment and reduce staff workload.

We are here to help you

As the consultation process unfolds, we know that the best course of action is to commence some ‘no regrets activities’ as early as possible.  This will allow you to assess your internal control environment and build a robust, flexible and automated control environment that is an asset to your business. We have an experienced team ready to guide and support you on this journey. Contact us today.