Proposals to enhance UK corporate reporting and internal controls for listed and other companies
On 19 July 2023, the UK government laid draft corporate reporting regulations before Parliament. If approved, the regulations will amend Part 15 of the Companies Act 2006 to introduce new corporate reporting obligations on certain large UK incorporated companies, forming part of the broader framework of corporate governance reforms outlined by the government.
On 19 July 2023, the Department for Business & Trade (DBT) laid the Draft Companies (Strategic Report and Directors’ Report) (Amendment) Regulations 2023 (Regulations) before Parliament. The Regulations were accompanied by guidance published by the DBT (Guidance) to help companies and other interested stakeholders understand the new corporate reporting requirements contained in the Regulations. If approved, the Regulations will amend Part 15 of the Companies Act 2006 (Companies Act) to introduce new corporate reporting obligations on certain large UK incorporated companies, as proposed by the government in ‘Restoring Trust in Audit and Corporate Governance’, published in May 2022.
The Regulations form part of a broader framework of corporate governance reforms outlined by the government. In addition to the statutory reforms introduced by these Regulations, the government is working with the Financial Reporting Council (FRC) to deliver part of the proposed reforms through amendments to the UK Corporate Governance Code (Code). The FRC launched a public consultation on its proposed revisions to the Code on 24 May 2023 (asking for responses by 13 September 2023), as summarised in our client update.
This client update provides an overview of the draft Regulations and Guidance and highlights other relevant areas of the anticipated reforms, which companies should be aware of.
In-scope companies under the Regulations
The Regulations, if approved, will apply to all UK companies (being companies incorporated under the Companies Act) with a high level of employees (750 employees or more) and a high level of turnover (an annual turnover of at least £750 million).
Summary of the new corporate reporting obligations
If approved by Parliament in their current draft form, the Regulations will create the following new corporate reporting requirements for in-scope companies:
Resilience statement
In-scope companies will be required to include an annual resilience statement in their strategic report, summarising the company’s strategic approach to managing risk and building or maintaining business resilience over the short, medium and long term. In particular, the Guidance highlights that in-scope companies will need to:
- provide a summary of the company’s strategic approach to managing risk and building or maintaining business resilience, including how risk and resilience are considered within the company’s business planning and investment cycle;
- describe the principal risks that the board considers could be a threat to the company’s operational or financial resilience over the short to medium term, including explaining how such risks are being managed;
- provide a summary of why the board has decided to adopt the going concern basis of accounting (confirming that the company will be able to meet its liabilities as they fall due over an assessment period of 12 months or more), including any significant judgments or mitigating action taken to reach the conclusion;
- provide the board’s assessment of the company’s prospects over the medium term (with this period to be defined and explained by the company), including consideration of the likelihood that the company will be able to continue in operation and meet its liabilities as they fall due over that period;
- report on an annual reverse stress test, which identifies a combination of adverse circumstances that could cause the company’s business plan to become unviable, and identifies any mitigating action put in place in light of the exercise; and
- provide a summary of long term trends or factors which could threaten the company’s business model or operations, and any plans the board may have in place, or be considering, in response.
However, companies will not be required to disclose information about impending developments, matters in the course of negotiation or matters relating to the elements of the stress test, to the extent the disclosure would (in the opinion of the board) be seriously prejudicial to the interests of the company.
While the Companies Act currently requires companies to provide a description of the principal risks and uncertainties facing the company, the new resilience statement is intended to provide further detail, including around the likelihood and potential impact, time period, mitigating actions and a company’s underpinning governance processes for risk management and developing business resilience. The Regulations and Guidance make clear that in-scope companies will not need to report separately on their principal risks and uncertainties if they report on their principal risks in line with the requirements of the resilience statement.
Interaction with the Code
The FRC, in its proposed revisions to the Code, has indicated that where a company following the Code has published a resilience statement, it will be regarded as having complied with the provisions in the updated Code relating to the ‘viability statement’ (i.e., the statement on future prospects) and going concern. For Code companies that will not be subject to the resilience statement, the FRC expects boards to report in a similar and proportionate way to the statutory requirement or set out the basis for the assessment in the annual report (see new Provision 32 of the proposed revised Code).
In addition to the statutory resilience statement, for companies that are subject to the Code, their boards will be required to comply (or explain non-compliance) with new Provision 30 of the revised Code (if adopted in its current proposed form), with respect to the monitoring of, and reporting on, their risk management and internal control systems. Provision 30 encourages boards to monitor their companies’ management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report (covering all material controls including operational, reporting and compliance controls – not just those relating to financial reporting). Within Provision 30, the Code requires boards to include in their annual reports: (i) a declaration of whether the board can reasonably conclude that the company’s risk management and internal control systems have been effective throughout the reporting period and up to the date of the annual report; (ii) an explanation of the basis for the declaration, including how the board has monitored and reviewed the effectiveness of these systems; and (iii) a description of any material weaknesses or failures identified and the remedial action being taken, including over what time frame.
Audit and assurance policy statement
In-scope companies will be required to publish in the directors’ report a triennial audit and assurance policy (AAP) statement, which will need to include:
- a description of the company’s operation and governance of internal auditing and assurance;
- an explanation of the company’s plans for obtaining internal assurance over the annual accounts and reports, which the company will be required to produce during the next three years, together with any voluntary disclosures supplied with the annual accounts and reports; and
- a description of what external assurance (if any) the company intends to seek in the next three years in relation to the annual accounts and reports of the company (beyond the annual statutory audit).
In addition to the triennial AAP statement, in-scope companies will also be required to publish an annual update statement, explaining: (i) how the AAP has been implemented and whether (and if so how) it has been amended; (ii) the extent to which the company has sought external assurance; and (iii) whether any reports resulting from such external assurance may be accessed (and how).
While the statutory audit provides assurance that the financial information in the company’s annual accounts presents a true and fair view of the company’s financial position, this new AAP statement requirement is designed to ensure reliability of non-financial information within the annual accounts and reports of a company, including around strategy, governance, risk management and sustainability and climate change, which are topics of increasing interest to investors and wider stakeholders.
Interaction with the Code
In the proposed revisions to the Code (see new Provision 26 of the proposed revised Code), the FRC has suggested extending the responsibility for developing, implementing and maintaining the AAP to the audit committee. The proposed revisions to the Code would also have the effect of requiring all Code companies to prepare an AAP statement, on a ‘comply or explain’ basis, going over and above the requirements of the Regulations, which only require in-scope companies to prepare such a statement.
In addition, new Provision 26 of the proposed revised Code confirms that the FRC expects audit committees to follow the Audit Committees and the External Audit: Minimum Standard (Standard) issued by the FRC in May 2023. The Standard sets forth the expectations and responsibilities of audit committees for the appointment and oversight of auditors, with the aim of supporting the delivery of high-quality audits and reinforcing public trust in the financial reporting processes. The Standard is applicable to audit committees of companies with a premium listing on the London Stock Exchange, and which are included within the FTSE 350 index. Assuming that primary legislation is passed to bring the Audit, Reporting and Governance Authority into being, the Standard would (subject to appropriate powers being provided in legislation), become mandatory.
Material fraud statement
In-scope companies will be required to publish in the directors’ report an annual material fraud statement, which will need to include: (i) a summary of the board’s assessment of the risk of material fraud to the company’s business operations, including how the board has assessed the company’s susceptibility to material fraud and the types of material fraud considered; and (ii) a description of the main measures in place to prevent and detect the occurrence of material fraud.
The Regulations provide that ‘fraud’ means behaviour falling within sections 2 to 4 of the Fraud Act 2006 (i.e., fraud by false representation, fraud by failing to disclose information and fraud by abuse of position) and that fraud will be ‘material’ when its nature or magnitude could reasonably be expected to influence the decisions which a reasonable shareholder would take in connection with their shareholding in the company. The definition covers both fraud perpetrated by the company on external parties and fraud where the company is the victim of the fraud.
Failure to prevent fraud offence
The government is also in the process of creating a new offence for ‘failure to prevent fraud’, to hold organisations to account if they profit from fraud committed by their employees, agents or subsidiary undertakings (associates). The expectation is that this new offence will prevent organisations from turning a blind eye to fraud by its associates and will encourage the implementation or enhancement of prevention procedures to detect and prevent fraud. Organisations will have a defence to this new offence if they can demonstrate that they have reasonable procedures in place to prevent fraud (or they can demonstrate that it is reasonable for them to not have any prevention procedures in place due to the specific circumstances of the organisation).
The offence will apply to all large companies, limited liability partnerships and partnerships, including those incorporated or formed (as applicable) outside of the UK. If an associate commits fraud under UK law (or targets UK victims), their employer could be prosecuted even if the organisation (and the employee or agent) are based overseas. The government confirmed that this new offence will not introduce individual liability for failure to prevent fraud (but individuals within companies can already be prosecuted for committing, encouraging or assisting fraud). The precise timing of when this offence will come into force remains to be confirmed, but the government noted that the offence will become effective once the Economic Crime and Corporate Transparency Bill is approved in Parliament and guidance on reasonable fraud prevention procedures is issued.
Distributable profits figure and distribution policy statement
Distributable profits figure
In-scope companies will be required to include their distributable profits (or at least a minimum figure for such profits if the calculation of the total distributable profits would involve unreasonable expense or delay) as a note to their accounts. As a result, the distributable profits figure will be subject to statutory audit.
Distributable profits are a company’s accumulated realised profits minus its accumulated realised losses. UK companies are subject to strict statutory requirements with respect to distributions. For example, the Companies Act prescribes that dividends and other distributions of a company may only be made from profits available for distribution. In addition to having sufficient distributable profits, public companies, in order to make a distribution, must also satisfy the requirements of the net asset restriction test (and the Regulations will require public companies to disclose the impact of the test on their profits available for distribution). As the Guidance highlights, UK companies have not previously been required to disclose their distributable profits. This new reporting requirement is designed to ensure that investors have the relevant information for making their own assessments, including, for example, around the headroom of proposed distributions and the company’s actual profits available for distribution.
Distribution policy statement
Under the Regulations, in-scope companies will also be required to include in their directors’ report an annual distribution policy statement, explaining:
- the board’s approach to capital allocation including decisions on investment, capital expenditure, research and development, distributions, purchase of own shares, and any other matters which the directors consider to be relevant;
- the board’s policy towards the amount and timing of distributions to shareholders and purchase of own shares during the short and medium term (as defined in the company’s resilience statement);
- the considerations and factors which the board considers to be material to their policy governing distributions and purchase of own shares;
- key risks and constraints (including legal constraints) which the board considers to be relevant to implementing and sustaining the policy on distributions and purchase of own shares; and
- how the board has implemented the distribution and share purchase policy and how, in making decisions about paying dividends or recommending the payment of a future dividend, it has considered and taken into account the level of distributable profits disclosed in the notes to the accounts.
The Guidance notes that the distribution policy statement is intended to give investors and other users of the annual report and accounts an understanding of the company’s overall approach to dividends, buy-backs and other uses of surplus capital, as well as ensuring that the distributable profits figure, disclosed in the notes to the company’s accounts, is set in a wider narrative context.
Treatment of groups
The Regulations make specific provisions with respect to reporting by groups. In the context of UK groups (headed by a UK parent), the Regulations provide for reporting on a consolidated basis with respect to the companies in the consolidation. The Guidance clarifies that, provided certain conditions are met, where a group, headed by a UK parent, meets or exceeds the relevant threshold (750 or more employees and annual turnover of £750 million or more, in aggregate for the group), the UK parent company will be able to report under the Regulations on behalf of the group, and no UK subsidiary within the group will be required to report individually under the Regulations (regardless of the size of the subsidiary). With respect to reporting on distributable profits in a UK group context, the Guidance notes that only the UK parent will be required to disclose its distributable profits and will not be required to disclose the distributable profits of other companies within the group (either individually or in aggregate). In contrast, the distribution policy statement will need to provide information about the distribution policy of the UK group as a whole.
With respect to a UK group which satisfies the relevant thresholds, but does not have a UK parent that publishes consolidated accounts or group strategic and directors’ reports (e.g., because the group relies on consolidated accounts of an overseas parent), each UK company within the group that satisfies the thresholds will be required to report individually under the Regulations.
Timing and next steps
The Regulations, if approved by Parliament, are expected to come into effect in two stages:
- 1 January 2025: The Regulations will apply to in-scope companies with equity share capital admitted to trading on a UK regulated market (i.e., public companies traded on the Main Market of the London Stock Exchange), in respect of financial years which begin on or after 1 January 2025.
- 1 January 2026: The Regulations will apply in respect of all other in-scope companies (such as large private companies, non-traded public companies and companies traded on AIM), in respect of financial years which begin on or after 1 January 2026.
The FRC plans to consult separately on detailed non-statutory guidance to assist companies in complying with the new reporting requirements. It is expected that the FRC will publish its draft guidance for consultation by early 2024, with the publication of the final guidance expected later in 2024, ahead of the Regulations coming into effect.