By Caitlin McGurn, Leo van der Westhuijzen
The UK is considering steps to implement regulations similar to the Sarbanes-Oxley Act (SOX) in the US. SOX is a US law that mandates practices in financial record-keeping and reporting, along with the regular assessment of internal controls by management.
On 18 March 2021, the UK Department for Business, Energy and Industrial Strategy (BEIS) issued a white paper titled “Restoring trust in audit and corporate governance,” presenting audit reforms to the UK Corporate Governance Code for listed companies. These reforms will force UK listed companies to adopt a more rigorous internal framework and internal controls to ensure the company’s financial statements are reliable. The proposals respond to recommendations made by three independent reviews commissioned by the government in 2018. The recent consultation period ended on 8 July 2021. The exact timeline for the implementation of a UK SOX regime remains unclear.
The white paper outlines three options for assertions about the effectiveness of internal controls:
The following key proposals in the white paper will help guide in-scope firms and other stakeholders on potential areas of focus to prepare for a UK SOX regime:
In assessing readiness to implement the proposals from the white paper and potential business implications, in-scope firms should consider the following key areas of focus:
Assess the effectiveness, efficiency, and coverage of your internal control environment (including a review of technology controls underlying the systems that process and report financial data).
Determine the optimum assurance mechanisms for testing and evidencing the design and operating effectiveness of internal controls. In this regard, consider the role of your Internal Audit function and how effective and empowered it is at challenging control gaps and financial reporting.
Ensure a clear link exists between your strategy, your enterprise risk management program, and the tone of the corporate culture you establish, and that it influences day-to-day decision-making and accountability at the right levels. This includes educating the C-suite and board on key internal control issues.
Determine what information is reported by the company and what controls exist to develop that information. Risk and control data is crucial to enable clear insights into any control weaknesses. This data therefore needs to be stored and managed in a way that is transparent and accessible.
Evaluate your audit tender procedures, governance, and documentation to ensure that non-Big Four firms are given a fair chance.
The reforms should achieve the delicate balance of appropriate accountability and responsibilities of directors, auditors, and regulators to restore trust in the system, whilst avoiding a regime that adds more rigor, but little value. A UK SOX regime can become a catalyst to mature your existing risk and compliance culture, ultimately working in tandem to create and protect value in your organisation.
Clearly defining your goals, aligning them to your purpose and strategy, and tracking progress over time, is essential for sustainable value creation. Guidehouse can help you to assess and improve your internal control environment, evaluate the effectiveness of your risk controls, benchmark governance practices, and educate leadership on new developments and requirements as they emerge.