Comply or Explain: Expectations for an internal audit function

For over two decades the UK Corporate Governance Code (‘the Code’) has set the expectations and provided guidelines for corporate governance for UK listed companies. The Financial Conduct Authority (FCA) listing rules require companies to state clearly in their annual reports how the Principles of the Code have been applied. The listing rules allow companies to explain any apparent deviations from the Principles in their annual reports so that interested parties can evaluate how the Principles have been applied. This ‘comply or explain’ basis allows companies flexibility in organising and administering their governance frameworks, ostensibly making them more fit for purpose by aligning them with their organisation’s particular circumstances.


However, the Financial Reporting Council’s February 2021 report, Improving the Quality of ‘Comply or Explain’ Reporting, found that too many companies in its sample of 100 preferred ‘tick-box’ compliance over high-quality reporting of good governance practice. The report found that companies reported non-compliance with regard to the guidance for the functioning of the Audit Committee, and either provided no explanation or provided an explanation that was not sufficiently transparent.

According to Provision C.3.6 of the Code, where there is no internal audit function, the Audit Committee is charged with recommending to the Board that an internal audit function be put in place, or with sufficiently explaining in the annual report why an internal audit function is absent. This is a clear requirement of the listing rules, and for financial sector firms internal audit is compulsory. Further, Provision C.3.2 states the responsibility of the Audit Committee to review and monitor the effectiveness of the internal audit function.

There are thousands of listed companies and companies of all sizes in the financial sector. Whether a firm is a subsidiary of a foreign parent or just a smaller listed or financial sector firm with a limited number of employees, it is imperative to have a fully independent internal audit, not just to comply with the letter of the Code, but because good governance requires it. The particular circumstances of some subsidiaries and smaller companies may preclude an in-house, independent internal audit function. In such cases an internal audit function may most effectively be provided by an outsource or co-source provider. Using an outsource or co-source solution allows for a fully independent, agile application of the required expertise in the most cost-effective manner.

Whether you are a listed company or a small/start-up financial sector firm, if you are unclear on whether you comply or can transparently explain the status of your internal audit function, then you would benefit from seeking the advice of a specialist internal audit firm.

[1] Improving the Quality of ‘Comply or Explain’ Reporting: https://www.frc.org.uk/getattachment/6a4c93cf-cf93-4b33-89e9-4c42ae36b594/Improving-the-Quality-of-Comply-or-Explain-Reporting.pdf (frc.org.uk)

[1] https://www.frc.org.uk/getattachment/ca7e94c4-b9a9-49e2-a824-ad76a322873c/UK-Corporate-Governance-Code-April-2016.pdf