Will the UK Corporate Governance Code be Pulling its SOX up?

The UK is considering steps to implement regulations similar to the Sarbanes-Oxley Act (SOX) in the US. SOX is a US law that mandates practices in financial record-keeping and reporting, along with the regular assessment of internal controls by management.

On 18 March 2021, the UK Department for Business, Energy and Industrial Strategy (BEIS) issued a white paper titled, “Restoring trust in audit and corporate governance,” presenting audit reforms to the UK Corporate Governance Code for listed companies.  These reforms will force UK listed companies to adopt a more rigorous internal framework and internal controls to ensure the company’s financial statements are reliable. The proposals respond to recommendations made by three independent reviews commissioned by the government in 2018¹. The recent consultation period ended on 8 July 2021. The exact timeline for the implementation of a UK SOX regime remains unclear.

The whitepaper outlines three options for assertions about the effectiveness of internal controls:

1. An explicit directors’ statement about the effectiveness of the internal control and risk management systems
2. A requirement for auditors to report more about their views on the effectiveness of the systems
3. A requirement for auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems

The following key proposals in the white paper will help guide in-scope firms and other stakeholders on potential areas of focus to prepare for a UK SOX regime:

• A new regulator — The proposals include a “remodeling the regulator” approach to establish the Financial Reporting Council’s successor body, the Audit, Reporting and Governance Authority (ARGA). ARGA will have greater authority to review audit firms’ work and issue disciplinary action when needed.
• Accountability for Directors — The white paper proposes that corporate directors should take responsibility for internal controls over financial reporting, dividend and capital maintenance decisions, and company resilience planning. This responsibility will likely include an attestation in the quarterly and annual reporting regarding the operational effectiveness of the internal control environment.
• Increased audit competition — The consultation includes a proposal that would require a meaningful portion of the audit of Financial Times Stock Exchange 350 companies to be performed by non-Big Four firms, initially through a “managed shared audit regime.”
• Shareholder engagement — The paper includes proposals to increase shareholder interactions related to the audit process, including a proposal for publication of an audit and assurance policy, setting out the audit approach, on which there would be an advisory shareholder vote. Another interesting recommendation from the BEIS is to provide shareholders a formal opportunity to comment on the company’s audit plan and the areas of emphasis to be considered.
• Creation of a new corporate auditing profession — The white paper contains a proposal for a new type of auditor, one who operates independently of the professional accountancy bodies with a reach across all forms of corporate reporting, not just the financial statements.
• Public Interest Entities — The proposals are expected to extend the definition of “public interest entities,” imposing extra governance requirements on more companies.

What Does this Mean for your Internal Control Environment?

In assessing readiness to implement the proposals from the white paper and potential business implications, in-scope firms should consider the following key areas of focus:

• Internal Controls — Assess the effectiveness, efficiency, and coverage of your internal control environment (including a review of technology controls underlying the systems that process and report financial data).
• Monitoring — Determine the optimum assurance mechanisms for testing and evidencing the design and operating effectiveness of internal controls. In this regard, consider the role of your Internal Audit function and how effective and empowered it is at challenging control gaps and financial reporting.
• Culture — Ensure a clear link exists between your strategy, your enterprise risk management program, and the tone of the corporate culture you establish, and that it influences day-to-day decision-making and accountability at the right levels. This includes educating the C-suite and board on key internal control issues.
• Data — Determine what information is reported by the company and what controls exist to develop that information. Risk and control data is crucial to enable clear insights into any control weaknesses. This data therefore needs to be stored and managed in a way that is transparent and accessible.
• Supply Chain — Evaluate your audit tender procedures, governance, and documentation to ensure that non-Big Four firms are given a fair chance.

Where to from here?

The reforms should achieve the delicate balance of appropriate accountability and responsibilities of directors, auditors, and regulators to restore trust in the system, whilst avoiding a regime that adds more rigor, but little value. A UK SOX regime can become a catalyst to mature your existing risk and compliance culture, ultimately working in tandem to create and protect value in your organisation.

Clearly defining your goals, aligning them to your purpose and strategy, and tracking progress over time, is essential for sustainable value creation. Guidehouse can help you to assess and improve your internal control environment, evaluate the effectiveness of your risk controls, benchmark governance practices, and educate leadership on new developments and requirements as they emerge.