Proposed changes to the way companies manage internal controls will be a “major step change” for non-financial companies, as they adapt to government measures aimed at tackling financial risk.
The warning came during an event organised to explore the government’s reform plans, convened by Diligent and Board Agenda before an audience of finance and controls experts at The Ivy in London.
The changes come as part of a response to the collapse of construction giant Carillion in 2018. The government’s proposals are to include specific measures in the UK’s corporate governance code asking company directors to make disclosures on their internal controls and provide assurance that the controls are “appropriate”.
Speaking as a member of the panel, Carolyn Clarke, an audit committee chair and chief executive of Brave Consultancy, said: “It will be a big step change for the public interest entities that are now being captured by elements of this package.”
There were warnings, too, for companies that might think they can argue that they are not captured by the new provisions.
Doris Honold, chair of the risk committee at Credit Suisse, said: “If in doubt, you’re in.” She added: “I just don’t see any upside in arguing a borderline case, especially when investors ask, ‘Are you complying with the new regime?’”
She stressed the importance of internal controls, and in particular the new requirements, in any exchange with investors. “There’s so many external stakeholders who will be interested,” said Honold. “And it’s a reasonable question: ‘Why can we trust your accounts?’ Well, because we know our controls are working.”
When the government first discussed transforming the internal controls regime, there was hope that it would opt for US-style rules—known as Sarbox or SOX, following the 2002 Sarbanes-Oxley Act. These would legislate for directors to sign off on an internal controls statement that would be subject to mandatory external audit.
Internal or external assurance?
However, as things stand, the government’s direction of travel is that, instead, new clauses will be added to the corporate governance code on a “comply or explain” basis, with boards able to choose the form of assurance they commission: internal or external.
The UK’s governance watchdog, the Financial Reporting Council, is consulting on the form of new measures and is expected to report some time next year.
However, the panellists did not believe that the “comply or explain” nature of the new regime would mean that companies would avoid external assurance.
Nehal Jilka, a partner and internal controls expert at business advisory firm KPMG, said: “Some organisations, based on what their boards believe, will seek external assurance.”
Jilka said there were different reasons for this: some see controls as part of their financial statement, so will seek audits for both; others simply want the assurance.
Carolyn Clarke stressed that investors might lever pressure for external assurance, too. “You may well find an engaged investor who is fulfilling their responsibilities under the Stewardship Code will intervene and start to say, ‘We want to see more independent assurance around some of what you’re saying.’”
Preparing for the new internal controls regime may take a significant amount of work. Although some of that will be technical, or even resource-driven, some, according to Clarke, will need to focus on organisational culture and “enabling an organisation to feel confident about doing the right thing”.
Clarke conceded that this might be easy when dealing with issues such as climate change or other ESG factors, but these factors were also present in internal controls and how they safeguard finances; after all, pension funds also invest in companies.
“When financial controls break down, pensioners suffer, not just investors but real people who have perhaps worked for an organisation for a very long time.
“So having good controls protects not just the organisation but all stakeholders we’re concerned about.”
Nehal Jilka agreed culture was “integral” to a strengthened internal controls regime. But he warned that “finance generally gets it. The issue is outside of finance.”
“Do people outside finance understand the importance of the value of controls and why you need to go above and beyond compliance?”
He also stressed preparation: mapping existing controls; scoping the work that would be needed for compliance; and documenting necessary key controls.
Comply and obtain…
Jilka stressed that reforming and installing internal controls was not just a “compliance” exercise.
“If there’s no value in the controls, there’s no point in doing the control,” he said. “There is a lot of value in looking at these material processes and actually getting more insight that then informs management decisions.”
Clarke warned that organisations may have to consider whether they have the “skills and capabilities” to go through the reform process. Many companies, especially the largest, she said, had already recruited experts to lead finance departments through change.
“It may not be the right thing to have somebody permanently in those kinds of roles, depending on your size and scale, but think about where this capability is going to come from. If you get ahead of the curve…you can access people who may not be available in six or 12 months.”
The full details of the internal controls regime remain to be clarified. But the broad sweep of new rules has been set. An early start will stand finance departments and companies in good stead.