What are companies doing to develop an Audit and Assurance Policy?

Oct 16, 2023

As a result of upcoming changes to the UK Corporate Governance Code, companies will soon be required to include a statement in their annual report that describes how the organisation is taking action to seek assurance, both internally and externally, about the information they provide to shareholders: the Audit & Assurance Policy (AAP).


This blog was published before the UK government's announcement on 16 October 2023 regarding the withdrawal of its draft new reporting regulations following a consultation period. The ideas and approaches shared within this blog are based on insights practising CROs and risk leaders shared with each other prior to that date.

The government's announcement, which you can read in full here, states: "Draft regulations published in July would have added certain additional corporate and company reporting requirements to large UK listed and private companies, including an annual resilience statement, distributable profits figure, material fraud statement and triennial audit and assurance policy statement...the Business Secretary has now decided to withdraw these regulations, and will be setting out options to reform the wider framework shortly to reduce the burden of red tape on businesses."

Having spoken with our members impacted by the code - largely FTSE-listed businesses - it seems most are waiting for further guidance from the FRC before pursuing any of the proposed (and now withdrawn) requirements. The main exception to this concerns the proposed requirement around an internal controls statement - a declaration around the effectiveness of a company's internal controls over a 12-month reporting period and basis for this assessment. Most organisations we spoke to are continuing their work around this statement.

Throughout corporate governance code member meetings across the network, CROs have often spoken about "no-regret" moves they are implementing to enhance risk management and elevate the function across their business, regardless of whether the proposed changes become requirements. You can read about these approaches of your peers in this and other related blogs. 

We will keep you updated on further developments in due course.


A number of Risk Leadership Network members affected by the code reform wanted to benchmark their progress with the AAP development against their peers.

To assist with these members' priorities, we produced a pulsecheck, surveying 14 CROs and heads of risk at other FTSE and PIE companies in the UK. Here are some of the highlights from the report:

1. Most organisations are undertaking initial planning and consultation activities

What stage is your organisation at in the development of an AAP

Most companies are currently in a phase of planning and consultation activities, whilst they wait for regulation to be confirmed.

Of the companies we surveyed, six (42%) listed assurance mapping as one of their key priorities. This ranges from assurance mapping of specific risks - such as ESG-related risks - to second-line (or enterprise level) assurance of principal risks.


2. Head of internal audit takes charge

Nine of the 14 companies we surveyed say the key stakeholder leading the development of the AAP is the head of internal audit:

Who is driving development

3. All organisations are engaging with internal stakeholders

Despite being at different stages of development with their AAP, the risk teams at all 14 organisations we surveyed have engaged with internal stakeholders. All companies in the pulsecheck had engaged with the audit and risk committee (ARC), and the vast majority with the chief financial officer (CFO).

Internal stakeholders

Of the 14 organisations, eight (57%) have taken the step thus far to engage with external stakeholders; all eight have engaged with external auditors specifically, while a quarter of these companies have also communicated with the regulator about the new AAP.

4. The biggest challenge is content

The main challenge within the business, as companies prepare for, or actively start to develop, an AAP, is determining what content (and level of detail) to include.

  • All but one company in our pulsecheck (93%) are planning to include an explanation on non-financial controls in their AAP.
  • The most common non-financial controls that organisations will include are ESG-related, with 11 of these 13 organisations (85%) planning to feature these.

Preparing for the AAP - pulsecheck Report


In response to the priorities of a number of FTSE-listed Risk Leadership Network member organisations, we recently conducted a pulsecheck with 14 organisations to determine what phase these companies have reached in developing the Audit and Assurance Policy (AAP). Fill in this form to request to see the full report via a short presentation.

How will Risk Leadership Network continue to support members with the AAP?

We recently held a virtual meeting for members looking to optimise and benchmark their AAP approaches, format and content. In those discussions, many risk leaders shared that they are focusing on assurance mapping to their principal risks and reviewing their controls framework as part of those preparations.

Working with their dedicated Network Manager in our team, each of our members will be supported through each step of their AAP preparations based on the specific challenges they face along the way. For example, some members might request to collaborate with other risk leaders to:

  • Validate their assurance mapping - through 1-to-1 deep dive discussions, risk leaders will be able to compare their approaches to assurance mapping with CROs at other relevant organisations who are of a similar or higher maturity.
  • Benefit from lessons learned when reviewing their controls framework - members may request their Network Manager to facilitate collaborative meetings with peers, where a member can validate their thinking, get feedback from peers, and avoid mistakes by hearing the lessons learned by others.
  • Understand what other organisations are prioritising - when the FRC releases updated guidelines, members want to reconvene to share responses to the update and collectively brainstorm next steps.

To request to collaborate with risk leaders on upcoming developments of the Corporate Governance Code reform or to benchmark your approach to the AAP with your peers, please fill in this form.
