I recently hosted a roundtable event focused on the UK Corporate Governance Code and the changes announced by the FRC earlier in the year. Attended by a range of business leaders from large organisations spanning the Financial Services, Pharmaceutical, Chemical and Sustainable Technologies, and Facilities Management sectors, we used the roundtable as an opportunity to dissect and discuss the code’s ‘Audit, Risk, and Internal Controls’ section and build a supportive community of likeminded peers.
As the leader of Turnkey’s Integrated Risk Management (IRM) practice, one of my primary objectives is to support our customers with risk management and internal controls, helping them generate value and deliver high levels of performance in pursuit of their business objectives. These are key pillars of good corporate governance. They are also topics that many of our customers have been seeking further knowledge on, which is why I was really looking forward to the roundtable.
The big change at the centre of our discussions was Provision 29’s requirement for boards to monitor, review, and make a declaration on the effectiveness of all material controls. This requirement not only includes financial controls, but also operational, reporting, and compliance controls that are deemed to be “material”. Boards will need to comply with this measure – or ‘explain’ otherwise – from January 2026, and the declaration will need to be included within their Annual Reports to provide more detailed information and conclusions. Our customers were eager to know how other organisations interpret these changes and what they’re doing, or planning to do, to address them. In this blog, we’ll bring you into the roundtable conversation and share some of the key questions and challenges discussed.
What are material controls?
The FRC has stated that the definition of a ‘material control’ is up to each board to determine, as they’ll be different for every company based on its size, strategy, operations, and complexity. The Code has never been seen as a rulebook by the FRC. Rather, it sets out good practice, which is made up of flexible requirements. Where a company has explained non-compliance with a Provision, investors should determine whether this explanation is satisfactory and demonstrates how departures from the Code benefit the company and help to align with objectives. Where explanations are weak, investors should engage with companies and hold directors to account to improve governance practices and reporting.
The guidance on material controls is another example of the Code not being overly prescriptive as it provides flexibility to boards in how they approach these requirements. Whilst this flexibility allows organisations to have ‘targeted and proportionate’ practices, it also leaves a degree of ambiguity over their own interpretation and approach.
Insights from the roundtable: Material controls
Material controls was an area of concern for the roundtable attendees and thus featured heavily in our initial discussions. That’s because understanding what is or isn't material is important to determining the scope of controls that need monitoring, reviewing, and including in the annual declaration. While most attendees were comfortable with this concept for Finance controls, knowing how to apply materiality for non-financial controls felt more challenging.
There was a consensus that strategic/principal risks should be used as a guide to determine which related non-financial controls are material and should therefore be in scope. However, there was also recognition that there could be various ways to do this and that performing this risk-to-control mapping at a suitable level of detail is complex.
One participant explained that it took them two years to perform a full mapping of risks to controls to prioritise controls assurance activities, and, despite their effort, every control is still in scope and hasn’t been reviewed for materiality. Due to constant changes in the business, they expressed that the task is never-ending. Furthermore, they lacked clarity on where to get effective inputs from across the business to determine actual materiality.
Other participants questioned whether they had already done enough by categorising and clearly defining ‘key controls’, which are used as a guide for prioritisation. They wondered if they now need to add another level above ‘key’ for ‘material’ controls? Ultimately, this is something Internal Controls and Enterprise Risk teams should discuss and agree on.
What level of controls monitoring will be sufficient?
Provision 29 of the Code requires the board to monitor the company’s risk management and internal controls framework and review its effectiveness annually. An effective risk management and internal controls framework will include monitoring and review components. As such, the information collected internally can be used for reporting and making any declaration. Individual boards should decide whether external assurance is required over controls and to what degree.
Insights from the roundtable: Controls monitoring
Most of the roundtable attendees perform some level of controls monitoring already, particularly those that also must comply with the U.S. Sarbanes–Oxley Act (SOX). The rest perform a mixture of self-assessments and independent testing programmes, supported by the 2nd and 3rd lines of defence. These tests have helped highlight many inaccuracies in how controls are documented compared to how they work (initial walkthroughs are essential to understand the control design prior to sample testing). This is proving to be a big undertaking for many organisations in terms of writing test scripts, executing tests, and refining controls documentation.
Many attendees also emphasised that defining key/non-key controls is essential to prioritise monitoring activities for the most significant controls. They also found issues with control evidence not being formally retained/available to present, so they would fail the control as a result.
Furthermore, several organisations raised the issue of capacity, with these initiatives always competing with other priorities. These constraints are not only experienced within the 2nd line, but also with Control Owners across the 1st line who aren’t able to fully engage in related activities. Although there is support and understanding of the need, there is still a perception of risk and controls being a necessary evil rather than providing value and contributing to the achievement of the company’s business objectives.
Is automation the answer?
The attendees widely regarded increasing levels of automation across both controls performance and controls monitoring as a longer-term objective to help achieve efficiency gains and provide continuous assurance. However, most currently have low levels of automation, apart from those needing to comply with prescriptive regulations such as SOX. The latter group of organisations are leveraging various GRC and RPA technologies to increase automation within the control environment, and finding, after the initial implementation effort, that doing so has helped reduce some capacity-related issues.
For example, one organisation found that deploying a series of “bots” to test controls helped achieve significant efficiencies. The External Auditor also agreed to leverage the bots’ testing instead of performing their own (having understood how they operated, and that there was sufficient control over the bots themselves), thereby reducing External Audit scope.
Turnkey acknowledged the importance of automation in helping organisations increase their level of internal controls maturity. We have seen that, when applied strategically using a structured approach, automation enables organisations to gain greater assurance, reduce their associated effort required, and make the most of their investment.
In summary
Overall, no one felt comfortable that they would currently be able to satisfy Provision 29’s requirements, particularly for non-financial controls, apart from those already operating under SOX regulations. Even these attendees recognised that there’s always room for improvement, particularly regarding ease and level of reporting over internal controls. However, many hoped that current initiatives would get them there by the January 2026 target.
To satisfy the requirements, organisations must address the common challenge of capacity. It’s crucial to consider and plan for utilising technology to increase levels of automation, as well as leveraging external support for expertise, guidance, and dedicated resources. This includes whether they require external assurance over their controls as part of reporting for the annual declaration and, if so, to what level.
One thing’s for sure, despite the group reflecting on positive progress, it was widely recognised that there is still much to do.
If you'd like to join our ongoing conversation about navigating the UK Corporate Governance Code, please contact me, Marc Jackson, at marc.jackson@turnkeyconsulting.com.
