Just one in 10 companies inspected by regulators could be described as providing “good” disclosures on their internal controls and risk management systems.
Regulators have warned companies they will have to make improvements to their reporting ahead of a change in the UK Corporate Governance Code, which asks boards to make a “declaration” on the effectiveness of their controls.
The warning comes from the Financial Reporting Council (FRC) in its annual review of reporting against the governance code. Regulators looked at the internal controls and risk management disclosures of 130 companies for this year’s review.
Of the sample, 25 companies provided no report at all or left it unclear whether any review of internal controls had been carried out. Of 59 that reported in “some detail”, only 13 were described as “good reporting”.
Mark Babington, executive director of regulatory standards at the FRC, says there are “positive signs in outcome-focused reporting” on risk disclosures.
“However, the review identifies clear areas for improvement, particularly in internal controls reporting and the quality of explanations when companies depart from the code,” he adds.
The report will trigger unease in some quarters. It comes at the end of a period in which increased internal controls disclosure was viewed as part of the response to a whole series of scandals, including the collapse of department store chain BHS in 2016 and construction company Carillion in 2018.
After a revision of the UK’s governance code earlier this year, requirements for internal controls were reformed.
Under the code’s Provision 29, from 2026, boards will need to publish a report or a declaration on the effectiveness of their internal controls along with a statement of how they might have failed and the work done to fix them.
Campaigners had called for the report to be mandated in law, but the previous Tory government decided to include it in the governance code to be applied under the “comply or explain” principle.
It will be no surprise in some quarters that the FRC report appears to indicate that some companies struggle with internal controls. Carolyn Clarke, co-founder of the Brave Within risk and governance consultancy, says that while new code requirements are looming, the Economic Crime and Corporate Transparency Act will also place renewed importance on internal controls.
Clarke worries that many companies come to controls as an “afterthought”.
“Sometimes that is only at the point of attempting to put together appropriate disclosures,” she says. “It becomes a box-ticking exercise, seeking to identify as many activities as possible that could be framed as controls. This results in multiple attempts to control certain risks, while at the same time other risks are not addressed, leaving management blind-sided.”
The FRC also revealed some major companies do not have an internal audit function. Gavin Hayes, head of policy and public affairs at the Chartered Institute of Internal Auditors, says an internal audit function is “essential” and it was “concerning that there are major companies that still lack an internal audit function”.
He added that an internal audit department “supports” the requirement for an internal controls declaration.
The FRC has recently made significant efforts to stress the “comply or explain” nature of the UK code. Its report says the quality of explanations for stepping away from provisions in the code “could be improved”, although fewer companies chose to “depart” from the code.
There were also concerns from the FRC over reporting on shareholder engagement at a time when it is reviewing the stewardship code for investors.
“Like previous years, we found little improvement in the quality of reporting on shareholder engagement,” the report states. “Most companies offered few details on the engagement, feedback received from shareholders or examples of outcomes.”