What UK SOX Will Mean for UK Businesses and GRC Professionals
2016 saw the insolvency of British Home Stores. Carillion suffered the same fate in 2018. In 2019, the Financial Reporting Council (FRC) warned the UK’s eight largest audit firms to act swiftly to improve audit quality; by 2020, it found that one third of all audits failed to meet its quality standards. In addition, a lack of competition in the statutory audit field has become a growing concern in the UK.
To address issues like these, the Government requested three reviews: the Independent Review of the FRC, the Competition and Markets Authority’s Statutory Audit Services Market Study, and the Independent Review of the Quality and Effectiveness of Audit prepared by Sir Donald Brydon. These reviews found that auditors and directors need to be held more accountable, particularly for providing useful information in reports, and that the audit delivery process needs greater quality, competition, and resilience. The Department for Business, Energy & Industrial Strategy (BEIS) put it this way in its “Restoring Trust in Audit and Corporate Governance” policy paper: “reform is needed to drive a new auditor mindset and to strengthen the resilience and integrity of the audit market.” New measures will impact directors, auditors, shareholders, and audit firms. Coming reforms will focus on all listed entities in the UK, where effective audit and corporate reporting matter the most.
Time for Opinions — Time to Get Ready
The FRC, itself subject to reform as it transitions to ARGA, the Audit, Reporting and Governance Authority, with greatly extended powers, is already considering provisions that don’t require legislation. For those that do require legislation, BEIS is holding a review period prior to presenting measures to Parliament; interested parties can comment online. The consultation period began in March and will end on 8 July 2021. Some measures may apply to premium listed companies first, and to public interest entities later.
Governance, risk, and compliance (GRC) professionals, directors, and auditors don’t have to wait for the final regulations to arrive – they can make progress now based on the general philosophy that the Government has outlined:
- Measures that don’t directly impact businesses (such as establishing a new regulator) might go into effect earlier.
- Transition periods are likely for the measures with the greatest impact.
- Measures with broader impacts on businesses may start later, become effective in phases, or feature transition periods. Phasing-in would likely apply to the proposed extension of the “Public Interest Entities” definition and to the introduction of a stronger internal controls regime.
While more regulation will result in additional work and complexity, SOX (Sarbanes-Oxley) has produced stronger controls overall in the United States, increasing standardised processes and reducing human error. By facilitating earlier detection of noncompliance, SOX has helped reduce financial restatements in the US by 90% since it was enacted in 2002. Applying similar controls in the UK will result in higher-quality reporting and greater trust in businesses here.
If the scale and complexity of UK SOX matches the magnitude of US SOX, however, costs will be high. For example, the compliance cost of US SOX Section 404 alone – which requires a business to attest to the effectiveness of the processes that affect the accuracy of its annual financial performance reporting – “is estimated to be between £10-20 million and consume approximately 20 FTE-years of internal time” for a major business in the first year alone.
Setting up a SOX Programme
No matter what timing is imposed, no matter what scale reforms take, it isn’t too soon to start the journey to SOX compliance. GRC professionals can work with business leaders to set up programmes for designing, implementing, and monitoring internal controls:
- Establish ownership and buy-in from the very top of the organisation, educating your senior leadership and Board as you go along.
- Learn from the US experience what an effective SOX programme looks like for your organisation and sector, and identify the gap you need to bridge given the level of risk maturity in the business.
- Leverage existing frameworks and risk and control libraries, such as those provided by COSO, to facilitate the programme.
- Anticipate requirements to report on internal controls over financial reporting (ICFR), and to institute internal auditing processes and integrated internal audits.
- Establish steering committees – one for the business, one for IT – to provide oversight, inform leaders, and educate the organisation.
- Map out financial reporting processes, systems, and data. Understand and document the origins of all financial reporting data. It may take significant time to integrate data from sales, manufacturing, accounting, and other systems into a single source of truth for financial reporting.
- Identify process and control owners; set up teams to oversee controls and reporting.
- Analyse risks and devise controls to address them in financial reporting systems. Conduct assessments of control effectiveness – and document these assessments. Test controls at least twice to ensure adequate opportunity to assess effectiveness and make adjustments.
- Educate business teams affected by new regulations about their new responsibilities – including process and control owners, senior executives, and the board.
Leaders who undertake SOX programmes now will progress in maturity, and eventually develop repeatable compliance processes that can be measured and automated.
How Camms Can Help
Ultimately, board members, including NEDs (non-executive directors), are accountable for SOX compliance and must attest to the financial integrity of the business. Their leadership is essential, but the lifeblood of effective SOX programmes is data. Systems can help leaders prepare for SOX by supporting data integration and consolidation, automating controls, and reducing compliance costs. Camms has solutions to cover governance, risk, compliance, audit, and even strategic performance – as modular, configurable products that can be purchased individually or packaged as a complete integrated business platform.