Introduction
Organizations operating in the UK are currently governed by various regulations, including the Companies Act 2006, the Corporate Governance Code, and others. However, the recent surge in the number of scandals -- BHS, Carillion, and Patisserie Valerie to name a few -- has highlighted the ineffectiveness of the current regime, substandard audit practices, the lax attitude of organizations to ensure compliance, and lack of accountability.
Realizing the apparent and dire need to reform corporate governance and audit rules, the government started working on the UK equivalent of the US Sarbanes-Oxley Act (SOX) -- a federal law to protect investors by improving the accuracy and reliability of corporate disclosures. In March 2021, the Department for Business, Energy & Industrial Strategy (BEIS) published a consultation paper titled “Restoring trust in audit and corporate governance”, essentially setting out proposals to drive much-needed reforms.
As it remains uncertain at the moment exactly when the reforms will come into force, organizations may be inclined to wait for clarity on the regulatory requirements before they start the compliance process. This approach, however, is not advisable, as the entire process could take months on end and involve extensive effort and investment, running into millions of pounds.
Starting early will give organizations the advantage of having the time to iron out any deficiencies and ensure a seamless and structured process. It would also help accelerate the process to ensure compliance once the regulation gets implemented.
That said, organizations could find it extremely overwhelming to undertake this initiative. How to start? What areas to focus on? What strategy to follow? How much time and effort will this entail? This eBook aims to provide a practical guide to organizations as they embark on the journey to prepare for UK SOX.
The Scope of UK SOX
The proposals in the BEIS’ consultation paper are based on the recommendations made by three independent reviews commissioned by the government in 2018 – Sir John Kingman’s independent review of the Financial Reporting Council, the Competition and Market Authority’s statutory audit market study, and Sir Donald Brydon’s independent review of the quality and effectiveness of audit.
Both Sir Donald Brydon and Sir John Kingman underscored the need for organizations to improve the effectiveness of internal controls over financial reporting.
Before getting to how organizations can go about ensuring compliance, it is important to understand which organizations will fall under the purview of the UK SOX.
Getting Started
According to the BEIS consultation paper, there is a growing call to introduce “stronger regulation, possibly adopting elements of the regime that applies in the US under the Sarbanes-Oxley Act 2002 (SOX).”
“The key SOX provisions are requirements for the management of public companies to assess and report annually on the effectiveness of their company’s internal control structure and procedures for financial reporting. The company’s auditor is then required to attest to and report on this assessment. SOX also places responsibility for a company’s financial statements and internal controls clearly with the CEO and the CFO. These officers must certify (inter alia) for each annual and quarterly report that they have reviewed the report, acknowledge their responsibility for establishing and maintaining internal controls and that they have evaluated the effectiveness of the internal controls within 90 days prior to each [of] the report.”
These requirements, however, entail significantly higher internal and external costs for companies, at least initially, the paper said, adding that the government would explore options and bring forward a detailed consultation in due course.
The reform options have been classified into three non-mutually exclusive categories:
Based on these reform options, the US SOX, and the Corporate Governance Code provisions, the internal audit teams can start assessing the overall organizational compliance posture and take necessary steps.
Initial Assessments and Documentation
As a first step on the compliance journey, organizations need to take stock of their current state of risk management processes and internal control systems over financial reporting. IA teams need to assess whether the organization has prudent and effective controls in place which enable efficient risk identification and management, whether the board has effective oversight over risk management and internal control systems, and whether there is an established cadence for annual review. At the same time, they also need to ascertain if there are procedures in place that can provide evidence regarding the effectiveness of controls to mitigate the risks and the review of the risk management process and internal controls by the board.
In this context, here are some key questions that the IA teams need to find answers to:
- Is there a company-wide internal control framework in place and is it a part of the working culture?
- What are the current support systems in place to ensure accuracy in the annual review?
- What are the gaps, if any, in the current processes – possibly related to treasury, tax, or any consolidation activities related to non-payroll and contractual services?
- What are the IT controls in place for crucial financial systems?
- Is there adequate risk visibility and where should efforts around possible risks be prioritized?
- Are there enough skills and resources to implement the new requirements or is there a need to hire experts?
A Clear and Comprehensive Compliance Program
After having identified the current compliance posture, boards and audit-related committees need to put together a comprehensive compliance program to ensure the process is quality-driven and cost-effective. The plan will detail how the organization plans to adopt UK SOX, how it plans to ensure continuous monitoring of controls, what will be the process for year-end assessment, controls testing plans and procedures, whether it plans to implement a compliance software solution, measures for addressing the identified gaps, project timelines and critical milestones, action tracking, and more.
It is important to note here that the entire process of narrowing down the scope and design, implementing the program, and training the relevant teams can take up to a year. Embedding the controls in the organization and ensuring their seamless functioning can take another year. Organizations seeking to be compliant with the UK SOX, therefore, need to ensure that they have at least a year for implementing a dry run to spot errors and fix them.
Management Buy-In
Once the plan has been drafted, it is important to set the tone from the top for its effective implementation. Support from the top management and leadership, along with embedding the compliance measures as part of employees’ job descriptions, will help make compliance an integral part of the organizational culture. This will also ensure that an effective controls framework is in place and that employees are trained and held accountable in the operation of controls, and more.
With its audit and SOX compliance data scattered across systems, the organization was finding it difficult to track key risks and issues. The implementation of MetricStream Internal Audit Management and SOX Compliance products helped the company streamline and automate assurance workflows, improving risk responsiveness. MetricStream offers the company a unified view of internal audit and SOX compliance across the enterprise. The platform maps risks to compliance requirements, internal controls, control tests, assessments, processes, and other data elements in a single framework. This gives users a holistic and contextual view of risk.
How MetricStream Can Help
In its endeavor to facilitate governance, risk, and compliance (GRC) automation across industries and build upon its expertise on US SOX, MetricStream is ready to support organizations in their journey to ensure compliance with UK SOX.
The MetricStream UK SOX Compliance solution supports the process of setting up a SOX framework, planning and scheduling risk assessments, and performing control tests and assessments. It helps automate internal controls management with reduced time and costs. It also helps in managing evidence collection and other documentation, remediating issues, and performing certifications and sign-offs. Complex organizational hierarchies can be mapped in an organized manner with clearly defined lines of responsibility and accountability.
With this solution, organizations can: