For years now, the UK’s Financial Reporting Council (FRC) has been working on a UK equivalent of the US Sarbanes-Oxley Act (SOX). SOX requires top officials to attest that a company’s internal controls are robust enough to ensure that financial statements are reliable. Over the same period, calls for audit reform in the UK have continued to mount.
The recommendations for reforming audit and government regulation published by Sir John Kingman in 2018 featured a UK version of SOX as a key initiative. And the Brydon Report—an independent review funded by the Institute of Chartered Accountants in England and Wales that was published in 2019—went further, recommending that the purpose of audit be clearly defined in law and regulation “to help establish and maintain deserved confidence in a company, in its directors and in the information for which they have responsibility to report, including the financial statements.”
While these reports provide plenty of recommendations, we’re still waiting on the FRC to offer more detailed guidance on exactly what SOX compliance will look like for the UK.
Who will be affected?
Even without specific requirements from the FRC, we can look to the US SOX as a benchmark to predict much of what will be required as part of UK SOX compliance.
SOX, which is a law that’s intended to protect investors from corporate fraud, lays out strict requirements for enhanced financial disclosure, internal control assessment, corporate governance, and auditor independence. Any organization trading on the Financial Times Stock Exchange will be required to be SOX-compliant. But those aren’t the only organizations that should be initiating SOX programs.
It’s a good time for UK organizations to start considering or initiating a SOX program if they:
- Are planning to go public in the near future
- Have been advised to improve controls by internal stakeholders or external auditors
- Are in the process of designing new controls to remediate deficiencies
- Want a repeatable, sustainable process for continuous control monitoring
- Have complex businesses with many systems, and are looking to increase automation and drive costs down
Since the introduction of SOX in 2002, the US has seen clear improvements in the quality of financial reporting. But, as this Harvard Business Review article discusses, SOX has also brought some unexpected benefits, including strengthening the overall control environment, improving documentation, increasing audit committee involvement, standardizing processes, and reducing complexity and human error. So, any move to implement a similar system of rigorous controls over financial reporting in the UK could only help to improve reporting quality and strengthen trust.
Why start now?
Even without FRC guidance, now is the ideal time to begin building your internal controls framework so you don’t get caught off guard. Internal controls programs can take years to fully implement, so putting formal practices into place now will help ensure you have the allocated resources and budget for a feasible long-term strategy.
This budget and resourcing are important, because section 404 of SOX (or SOX 404) lays out strict requirements for public companies to provide annual reporting on the operational effectiveness of their internal controls over financial reporting (ICFR), and to build in internal auditing processes and integrated internal audits.
Achieving this cadence of annual reporting can be an arduous and expensive process—the first year of SOX compliance for a major business in the UK is estimated to cost between £10 and £20 million and require a full year’s worth of labor from 20 full-time employees. This is why it’s important to address the basic foundations of SOX now.
The basic foundations of a SOX program
As with the General Data Protection Regulation (GDPR) or other compliance regulations, the foundations of a SOX program are fairly straightforward, although they are tailored to SOX’s specific requirements.
- Set up two SOX steering committees
Two SOX committees—one for business processes and one for IT—can provide technical oversight, get executive buy-in, and educate the rest of the organization. And they can develop protocols and coordinate frequent testing in the first year, with at least two rounds of testing, giving management time to assess the program and make corrections.
- Educate your team, division by division
Connect and collaborate with all of the business teams that will be impacted by the SOX initiative (including the C-suite). Explain what UK SOX is, review their respective roles in the process and how it will impact them, provide example documentation, and review their responsibilities and benchmarks for success.
- Build out the process
Establish a detailed plan. Beginning with a risk assessment, map out all of the processes and systems involved. Next, do a complete walkthrough of the processes to validate control existence and design. For each stage of the process, define who your process and control owners are, and make sure they know what is required of them.
As you begin to build your program, you’ll likely go through a multi-stage maturity model, where you’ll eventually move from manual processes to automation to help you gauge control effectiveness.
Understanding the positives and negatives
SOX compliance can be an arduous process to set up, but it can have numerous benefits for your business. It’s important to discuss both the positive and negative impacts of the new initiative.
Some of the positive impacts of SOX:
- Strict controls defined and in place to guide day-to-day operations
- Automation of tasks to decrease time spent on manual activities
- A refocusing of teams on high-risk, high-impact areas
- Consistent and accurate financial statements
- Clear documentation for auditors, with minimal preparation time
- The ability to continually assess the state of financial operations
- A near real-time view into financial and operational health
- A more comprehensive understanding of business risks and controls
Some of the negative impacts of SOX:
- Increased need for technology and human resources to support the program
- Some tasks will involve more steps, taking longer to complete
- More documentation will be required for your team members
What we can learn from existing SOX programs
As companies in Japan and the US have already been engaged in SOX programs for years, there are many lessons we can take away from their successes and failures in establishing their programs.
Best practices include:
- Start early—manage time and resources accordingly to make the process as seamless as possible
- Don’t underestimate what’s involved—SOX compliance is often a multi-year and multi-million dollar (or pound) effort
- Get buy-in from the top—involve the C-suite and key business process owners to help shape and share key messaging
- Don’t reinvent the wheel—use pre-existing content and solutions in comprehensive SOX compliance software to pre-populate and automate much of the program
All of these tips and best practices will be even easier to implement if you’ve got best-in-class technology—a GRC tool with pre-built content so you can set up and launch your SOX program quickly. The right technology can manage and map your internal controls, automate processes and workflows, and serve up insights on storyboards to monitor and track SOX compliance progress.
UK SOX will be a heavy regulatory burden to deal with—but by mapping out a plan and process and choosing the right tools to support your initiative, your company can hit the ground running.
Making SOX Compliance Easier for Everyone
You’ll discover how technology can make significant improvements in your SOX compliance processes and help you:
- Increase collaboration among the Three Lines of Defense
- Leverage data and analytics to achieve greater insights into relationships between risks
- Automate processes and reduce the time and resources involved in control testing
Get started on the path to improved SOX compliance today.