Companies House filing breach and what it teaches about governance and controls

When a public register has a security scare or an online filing disruption, it grabs attention for two reasons. First, it highlights how fragile trust can be when systems fail. Second, it shows how quickly a control weakness becomes a reporting issue.

For SBR ACCA, this is useful. It gives you a real-world-style backdrop for questions about governance, internal controls, risk disclosures, and professional marks. You do not need to know every detail of a headline to score well. You need to show that you understand what good controls look like, how a board should respond, and how reporting should stay fair, clear, and not misleading.

This post breaks the topic down in plain English and shows you how to write it in an exam. If you want more support on exam craft and how to structure answers under pressure, start with a calm base at ACCA SBR tutor.

Why a filing breach is an SBR topic

SBR is not a cyber security paper. But governance and reporting are inseparable. If a company’s systems are weak, the quality of its reporting becomes harder to trust. If controls fail in one area, users start to question other areas too.

A Companies House issue is a perfect trigger for an SBR-style scenario because it touches:

  • governance and oversight 
  • data integrity and record keeping 
  • risk management and controls 
  • transparency and public trust 
  • disclosure discipline and ethics 

Examiners love scenarios like this because they let you earn professional marks without heavy calculations. Candidates who write clearly and practically often do very well on these sections.

What the headline really tells you

Forget the specific tech details. In exam terms, a filing breach or disruption usually tells you one of these things happened:

  • access controls were weak 
  • data handling and security were weak 
  • change management failed during a system update 
  • monitoring and incident response were not strong enough 
  • people and processes did not match the risk level 

You can write strong points without naming the exact mechanism. The exam tests judgement, not your knowledge of server logs.

The governance angle that wins marks

The exam will often position this as an audit committee or board issue. Your answer should show what good governance looks like in practice.

A strong governance response includes:

Clear ownership
Someone senior must own the risk. Not “IT”. Not “the team”. A named function with board visibility.

Board oversight
The board should set risk appetite, approve key policies, and get regular reporting on incidents and control testing.

Audit committee challenge
The audit committee should ask whether controls are designed and operating effectively, and what evidence supports that view.

Independent assurance
Where risk is high, the board should seek independent testing or assurance over controls, not rely on internal comfort statements.

You do not need long paragraphs. Two or three tight points with clear recommendations are enough.

Controls that matter most in filing and identity systems

If the scenario hints at a system that stores personal data, accepts filings, or verifies identity, these are the controls that usually matter. Use them as a mental checklist. Then pick only the ones that fit the facts.

Access control and authentication

  • Who can access the system 
  • What level of access they have 
  • How permissions are granted and removed 
  • Whether access is reviewed regularly 

In an SBR answer, you can say the company should use least privilege access and regular reviews, especially for admin roles.

Segregation of duties

A common control failure is when one person can do everything. In filing systems, you want separation between:

  • creating or changing data 
  • approving changes 
  • deploying updates 
  • monitoring logs 

You do not need to be technical. You just need to show the principle.

Change management

System updates are a frequent trigger for incidents. Good change control includes:

  • testing in a safe environment 
  • approval gates 
  • rollback plans 
  • post-deployment monitoring 
  • clear documentation 

In exam language, you can say the company should treat system changes as high risk events and apply strict approval and testing.

Audit trails and logging

If something goes wrong, you need evidence. Audit trails support accountability and investigation. You can say:

  • maintain logs of key actions 
  • protect logs from tampering 
  • review logs for unusual activity 

That is enough. Keep it practical.

Incident response

A strong company does not pretend incidents never happen. It prepares for them.

Your answer can include:

  • how the company detects issues 
  • how quickly it escalates 
  • who communicates with stakeholders 
  • how it fixes the root cause 
  • how it prevents repeat events 

These points work well for professional marks because they show real-world thinking.

How this links to financial reporting

This is where many candidates miss easy marks. They talk about controls but never connect them back to reporting.

A filing or data incident can impact financial statements and disclosures in several ways.

Provisions and contingent liabilities

There may be costs to investigate, notify, support affected parties, or strengthen security. There may also be claims. You should not assume the company must book a provision. You should state the conditions in plain terms.

  • If a present obligation exists and an outflow is probable and can be estimated, a provision may be required. 
  • If the outcome is possible but uncertain, a contingent liability disclosure may be needed. 

This keeps your answer balanced and professional.

Exceptional costs and presentation

Companies sometimes want to label incident costs as exceptional to protect operating profit narratives. Your response should stay calm:

  • If costs are material, they should be clearly presented and explained. 
  • Presentation should not be used to hide poor control outcomes. 

Do not overdo it. One short paragraph is enough.

Going concern and liquidity

Most incidents do not threaten going concern. But if the scenario hints at severe disruption, loss of access to key systems, or large potential claims, you can say management should consider:

  • cash flow impact 
  • availability of financing 
  • covenant headroom 
  • ability to operate normally 

Be careful with language. Do not exaggerate. State that the assessment depends on scale and duration.

Subsequent events

If the incident occurs after the reporting date but before the financial statements are authorised, you may need to consider whether it provides evidence of conditions that existed at the reporting date. Often it will be a non-adjusting event that still requires disclosure if material.

Again, keep it simple. Show you understand the idea.

Narrative reporting and risk disclosures

This is the easiest link. Users want to know:

  • what happened 
  • what the company did 
  • what the impact is 
  • what the company is changing 

The key exam phrase is fair, clear, and not misleading. If a company downplays an incident in the narrative while costs appear in the accounts, that inconsistency is a red flag.

How to write this in an exam answer

Use a structure that keeps you focused. Here is a reliable approach.

Step 1: Name the issue

Example: “The incident suggests weaknesses in the company’s control environment around data, access, and change management.”

Step 2: Explain why it matters

Example: “This increases operational risk and can undermine confidence in reporting if the same culture affects other controls.”

Step 3: Recommend practical actions

Example: “Strengthen access control, formalise change management, commission independent testing, and improve incident response.”

Step 4: Connect to reporting

Example: “Assess whether costs and potential claims require a provision or disclosure and ensure narrative reporting is consistent with the accounts.”

Step 5: Conclude like an adviser

Example: “The board should treat this as a governance issue, not a technical inconvenience, and demonstrate clear oversight and transparent reporting.”

That is enough. Short. Applied. Professional.

A mini scenario and a high scoring outline

Scenario: A company relies on an online platform to file key statutory information and store sensitive director and shareholder data. A system issue leads to temporary suspension of filing and concerns about data exposure. The board is worried about reputational damage. The finance director wants to keep the annual report brief.

High scoring outline:

  • State the governance issue and the likely control weaknesses at a high level. 
  • Recommend immediate actions such as incident review, containment, and communication plans. 
  • Recommend medium-term actions like independent assurance, access control review, and change control strengthening.
  • Link to reporting: assess costs, potential claims, subsequent events disclosure, and risk disclosures.
  • Conclude: transparent reporting and board oversight reduce long-term damage more than minimising the incident.

Notice what is missing. There is no drama. No speculation. Just practical judgement.

The one checklist you can reuse

Use this list as a quick audit-committee-style checklist in any governance or controls question.

  • Who owns the risk, and how does the board oversee it?
  • What controls failed, and what evidence supports that conclusion?
  • What immediate containment and investigation steps are needed?
  • What control improvements will prevent repeat incidents?
  • What disclosures are required in the financial statements and narrative reports?
  • How will the company communicate in a fair, clear, and not misleading way?

If you cover those six points, you will usually earn strong professional marks.

Common mistakes that cost marks

Being vague

Saying “improve security” is weak. Say what to improve. Access control. Change management. Independent testing. Incident response.

Writing like a journalist

In SBR, you do not need to describe the news story. You need to advise the board. Stick to governance and reporting.

Ignoring the accounts

Control issues often have financial consequences. Always include one paragraph on provisions or disclosures, even if your conclusion is that amounts are uncertain.

No conclusion

Always end with a clear recommendation and a board-level next step.

How to practise this topic quickly

Pick any past SBR requirement that asks about governance, ethics, or risk disclosure. Add one line to the scenario:

“There has been a recent disruption and concern about data exposure in a key filing system.”

Then write two short paragraphs:

  • Paragraph 1: governance and controls
  • Paragraph 2: reporting implications and disclosure

Rewrite the weaker paragraph into 8 to 10 lines with a clear conclusion.

Do this twice and you will find these answers become easy marks.

Where support can help

Governance answers improve fast with good feedback. If you want structured practice with marking and mock deadlines, the ACCA SBR course route can keep you consistent. The key is not the course name. The key is repeated timed writing and targeted rewrites based on feedback.

Final calm takeaway

A filing breach or system disruption is not only an IT problem. It is a governance problem and a reporting problem. In SBR, you score well when you:

  • identify control themes in plain English 
  • recommend practical safeguards 
  • connect the story to financial statement disclosures 
  • write with clarity and conclude like a board adviser 

Do that, and these current-issues-style questions become an opportunity rather than a threat.
