Watch out, there’s a train coming! It might not be as big as it might have been, but it is a train, nevertheless.
The train in question is the set of 2024 updates to the UK Governance Code, commonly called UK SOX, some of which companies simply cannot afford to ignore. Last published in 2018, the UK Governance Code sets out to make companies accountable to their shareholders and wider stakeholders. The updated Code means listed companies will now be required by the FCA (Financial Conduct Authority) Listing Rules to make a ‘Comply or Explain’ statement when filing their annual reports.
The 2024 UK Corporate Governance Code has a few key differences from the last major revision, the 2018 version, most of which come into play for accounting periods starting 1st of January 2025. The exception is ‘Provision 29’, which relates to risk management and internal control frameworks. The Code acknowledges that companies will have to put these measures in place and therefore ‘Provision 29’ will only apply from 1st of January 2026. In effect, UK listed companies (or a foreign company listed in the UK) will have just 2025 to make sure they get the right governance in place in order to comply with the rules.
![](https://www.caosys.com/wp-content/uploads/2024/12/The-Train-Apples2-1024x576.jpg)
There are some key changes to the Code between 2018 and 2024.
The reasons for the changes stem from a consultation published in May 2023 on “Restoring Trust in Audit and Corporate Governance”, which highlighted areas of the 2018 Code that could be strengthened, specifically relating to the responsibility directors have for internal control, risk, audit and corporate reporting.
From a CAOSYS point of view, the key part of the 2024 Code is Section 4 – Audit, Risk and Internal Control, where there are some very important changes to the 2018 version. Firstly, ‘Principle O’ has been amended so that the Board is now required to establish and maintain an effective risk management and internal control framework. The other key change of interest relates to ‘Provision 29’. Heavily amended, this provision relates to the monitoring and effectiveness review of the company’s risk management and internal controls. This review should cover financial, operational AND compliance controls.
As such, a company Board will now be required to provide, in their annual report, such information as how they monitored and reviewed the effectiveness of the framework mentioned above along with a declaration of the effectiveness of the material controls. If any of these have not operated as intended, then the Board must describe the action taken, or proposed, to improve them along with any action relating to previously reported issues.
A key note of interest is that Section 5 – Remuneration includes an addition to ‘Provision 37’ that states director contracts must now have malus (a financial penalty incurred by a trader, investor, or banker when an investment or deal results in a loss) and clawback provisions, thereby making directors personally responsible for any losses incurred through any breach of the Code.
![](https://www.caosys.com/wp-content/uploads/2024/12/The-Train-Report-1024x576.jpg)
Mandatory requirements for annual reporting with an onus on director responsibility.
In conjunction with the revised 2024 UK Governance Code, the FRC (Financial Reporting Council) has produced some guidance relating to the changes. Part of this guidance covers Section 4 and makes recommendations relating to internal/external auditors, good practice risk management and suggests how a Board can determine material controls. It goes further in suggesting how a company can gain assurance via audit that any framework is working effectively. Finally, it looks at how a company then makes its declaration in its annual report.
In summary, the revised 2024 Code requires a company Board to declare that it has conducted the required monitoring and review exercise, along with its conclusions. This requirement reinforces the direct responsibility of directors for their company’s risk management and internal control framework, with a focus on ensuring that the framework remains effective.
What this all means for those companies covered by the Code and using Oracle E-Business Suite or Oracle Cloud Applications (Oracle ERP Cloud, Oracle Fusion applications) is that 2025 is a key year to make sure that an effective risk management and internal control framework is in place, ready for reporting to start in 2026. That framework can cover a multitude of areas within a company, but from an applications perspective it has never been more important to make sure you have effective Access Control and Access Review in place. The management of Segregation of Duties, Sensitive Access and levels of responsibility is also key to making sure risk is monitored effectively. And of course, consistent, automated auditing and reporting is essential; doing this all manually would be time and cost prohibitive, even for a small company.
If you are a listed company or one that adheres to the Code, then the 2024 updates to the Code are coming your way. Now is the perfect time to get the tracks laid so this particular train has a smooth, uninterrupted journey.
We are one of the leading players in the compliance and auditing market for Oracle E-Business Suite and Oracle ERP Cloud. If you require any help in making sure you are fit and ready for 2026, then please contact me at [email protected] or visit us online at www.caosys.com for more information.