Developments in regulation
In the coming year we can expect to see three initiatives in the UK that have the potential to change the reporting landscape. In short, we can expect progress to be made on the UK’s equivalent for CSRD; Companies House are expected to provide details of a switch to mandatory digital reporting for all companies; and the FRC will set out aspects of their vision for the future for digital corporate reporting in the UK, perhaps including whether they will chart a course for mandatory audit of compliance with the digital rules. What will happen and will these initiatives prove to be quiet or noisy? Time will tell.
But there’s one regulatory change that has already arrived and it’s turning out to be a relatively stealthy one. Provision 29 of the FRC’s UK Corporate Governance Code published in 2024? Ring a bell? Maybe, maybe not.
Provision 29 in focus
Provision 29 is going to apply for the 2026 annual reports of listed companies and any other organisation choosing to apply the Code. The Directors will be expected to make an explicit declaration relating to the effectiveness of their risk management and internal control framework. Risks and controls related to compliance with reporting regulation falls within the scope.
In one sense, this isn’t so new. The preceding version of the Corporate Governance Code invites listed companies to carry out an assessment of risks, monitor the risk management and internal control systems and carry out a review of effectiveness, setting out information about the review in the annual report. It’s very rare that a listed company signals that their approach is ineffective. The Listing rules require any non-compliance with the Code to be reported upon and, in connection with controls, that is also rare. So it's reasonable to imagine that, by implication, the Directors must already be covering off much or all of the requirements, right? If all Provision 29 requires is an explicit declaration of something that is implicit now, then surely there’s no real change. Strictly, that logic is difficult to refute and indeed some companies currently choose to voluntarily declare their internal controls to be effective.
And yet… there’s something about the prospect of a new explicit declaration that focusses attention. Regulators know this and, in all likelihood, it’s a part of why they are implementing the change. Annual approaches to reviewing and testing controls can grow stale. A fresh look at the approach from time to time is sensible and indeed Provision 29 is prompting this to happen at some listed companies.
A fresh look at ESEF compliance and controls
There’s one topic that seems a clear candidate to feature in a refreshment of approaches to internal control: the FCA’s Digital Reporting Regulation. Formally, it’s referred to as Disclosure Guidance and Transparency Rules 4.1.15R-4.1.18R, which frankly, is a mouthful. Colloquially it’s referred to as “ESEF”, shorthand for the EU’s European Single Electronic Format requirements from which the rules stem or “UKSEF” to indicate how this has become part of UK regulation post-Brexit.
Arriving at the tail end of the COVID pandemic, ESEF rules have been in place for three years. Since its arrival, UK regulators have emphasised how they expect Directors to take ESEF compliance as seriously as they take other aspects of the annual report.
In its early phase, much of the focus was on ensuring listed companies knew about the regulation, produced the relevant data and that the digital files would pass through the FCA’s digital gateway. A supportive approach helped those involved to navigate the digital reporting “On Ramp”. But that phase seems over and the message from the FCA last summer was clear: they have noticed a low compliance rate and there are problems with both the digital format and correctly tagging the financial statements in line with the rules. It’s doubtful they would be saying this if they didn’t consider at least some of the problems to be material.
So ESEF/UKSEF seems a strong candidate to look at when refreshing approaches to Risk Management and Internal Control in readiness for Provision 29. If that sounds daunting, it need not be. Applying robust control to digital reporting doesn’t mean becoming a data scientist, it means knowing enough to ask the right questions and sense check the answers, conducting the right level of review, engaging with specialists appropriately, setting a tone from the top that shows digital reporting is given an appropriate level of focus.
Whilst there’s jargon to be navigated, that’s also true of accounting, actuarial and environmental aspects of an annual report. Fortunately the underlying principles involved in digital reporting are relatively straightforward.
The team at Friend Studio can help with this and would be delighted to speak with Internal Control teams, Financial Controllers and Audit Committee members looking for ideas and perspective about how to weave ESEF into their Provision 29 preparations.