What is the context around the proposed “UK SOX” legislation?
If you missed our live panel discussion on UK SOX, here is what our experts had to say:
Corporate governance isn’t new. There has been a code of conduct in place in the UK since the early 1990s, with “comply or explain” enforcement applied by the stock exchange. However, recent failures such as Carillion, Thomas Cook and BHS, questions over the impartiality of audit, and the short-termism of executive pay and incentives have brought the topic of governance firmly back into the spotlight.
In March 2021 the Department for Business, Energy and Industrial Strategy issued a white paper proposing a significant and wide-ranging consultation on a major overhaul of corporate governance and the audit sector in the UK. The paper, “Restoring trust in audit and corporate governance”, sets out over 100 recommendations and looks to:
- Strengthen regulatory enforcement
- Drive increased accountability for directors, CEOs, CFOs and the Board
- Implement a framework of consequences for breaches by executives
The scope of organisations impacted is defined as “Public Interest Entities” (PIEs), which in very simple terms means any FTSE 350 organisation must comply. The legislation is still being drafted, but it is expected to pass with a compliance deadline of Dec 2023 for significant organisations and a further 2 years for smaller businesses to adopt and comply.
This is often referred to as SOX23, reflecting the UK adopting an approach similar to the early-2000s Sarbanes-Oxley changes in the USA.
Why is this different, and what is likely to be the outcome of non-compliance?
Firstly, it all depends on who you are as a legal entity. The white paper expanded the definition of a PIE to listed companies plus the largest private companies, and focuses on regulatory measures regarding audit, corporate reporting and corporate governance for PIEs.
The U.K Government is proposing a new regulator called the Audit, Reporting and Governance Authority (“ARGA”) to replace the FRC.
ARGA is to be funded by a statutory levy on market participants and receives strategic direction from the Government but is accountable to Parliament.
Secondly, regulatory powers:
Proposed role, function and powers of the regulator
At this stage, the intention is to strengthen the powers of ARGA via new legislation; for example, it is to have the power to:
- Impose sanctions and take enforcement action
- Require PIEs to provide explanations regarding their reporting or audit compliance
- Publish its Audit Inspection Reports on individual PIE audits, without the consent of the audit firm or the PIE
- Require an expert “skilled person” to review a PIE’s corporate reporting or audit and, where concerns are identified, the right to publish summary findings if in the public interest
In relation to corporate reporting review work:
- Direct changes to company reports and accounts, no longer needing a court order
- Publish summary findings and, if necessary, full correspondence following a corporate reporting review, increasing transparency
- Extend the review process to the whole of the annual report and accounts, allowing ARGA to review novel areas, e.g. corporate governance statements, directors’ remuneration and audit committee reports, and the CEO’s and Chairman’s reports.
ARGA will be empowered and extensively armed “to protect and promote the interests of investors, other users of corporate reporting and the wider public interest.” The message from the white paper is clear: greater trust, accountability and transparency when it comes to audit, corporate reporting and corporate governance from PIEs. With a proactive regulator exercising such powers, there will be little or no room to hide in the case of non-compliance, including failure to put effective, appropriate internal controls, systems and risk management in place in time.
Is December 2023 a fixed date?
The white paper indicates a 2-stage approach:
High-value, significant PIEs, basically large businesses, need to comply by Dec 2023. Where the PIE definition has been expanded, the newly captured companies are expected to have an additional 2 years to comply. These dates are all conditional on final legislation.
Is there anything companies can be doing now to get ahead of the curve?
This is not a case of sit and wait. Start planning now and prepare; create a road map, because 2 years isn't a long time at all. A typical financial controls framework implementation can take 18-24 months to identify the scope (in terms of applications) and then implement controls, and then another year to embed those controls effectively. Companies need to start thinking about UK SOX preparation as soon as possible (assuming attestations begin from 2023-24).
It typically takes a year to identify your scope, design and implement controls and upskill your teams. It can then take a further year to embed controls across the organisation, validate that these controls are designed and operating effectively, and remediate any issues. In the case of a UK SOX mandate coming into effect, we recommend that the year preceding the first year of attestation is used as a “dry run”.
Can lessons be learnt from the US SOX experience to help businesses adapt to these changes, and are they relevant?
If we go back to the early days of SOX, when top executives were asked about internal controls the general response would have been “what is an internal control?” The President of Enron’s line was that he could not be expected to know the state of their internal controls.
The white paper says that directors, primarily the CEO and CFO but with collective board support, must provide a written attestation on the effectiveness of the controls that underpin the financial reports. This attestation must reference a benchmark system to demonstrate the effectiveness of the controls and the assurance behind the statement.
This was a key requirement driven by SOX in the US. We all remember the evolution of SOX and the huge time and investment incurred as businesses grappled with creating a compliance and governance framework.
A key aspect occurred right at the start of the SOX rollout. Internal auditors were heavily involved, as the knowledge base of internal controls and risk management sits with that profession. However, their involvement blurred the line between management and auditors. Process owners were appointed as the ‘Czar’ of each process and a SOX Program Office was established, so that internal auditors could remain independent from management.
SOX also highlighted additional risks where companies outsourced operations. Controls became dependent on other companies’ (outsourced partners’) implementations, which gave rise to the SOC 1 and SOC 2 standards. Adoption of a similar standard in the UK will drive a need for controls assurance to be extended across the whole process chain.
What about the accountability of Directors?
Under the white paper, Directors in key management positions will be held to greater account following significant corporate collapses.
ARGA is to be given powers to investigate and enforce sanctions against directors, e.g. for breach of duties regarding corporate reporting and audit. This is over and above the existing powers of other enforcement agencies, e.g. the Insolvency Service’s ability to bring director disqualification proceedings.
Executive directors’ remuneration will be subject to mandatory malus (withholding of pending awards) and clawback terms, for a minimum term of 2 years post-award.
The default minimum term is triggered by serious misconduct, material misstatement of results or errors in performance calculations, and failures of internal controls and risk management.
It is proposed that these changes would be implemented by the regulator through changes to the UK Corporate Governance Code.
Under a related proposal, it is intended that ARGA also have the power to:
Impose detailed requirements and behavioural standards (e.g. honesty and integrity), or require directors to comply with existing corporate reporting and audit duties, or provide that directors will be liable to civil enforcement action for breach of such requirements.
In the panel’s experience, how can companies build the approach and what tools exist to help meet the compliance requirements and timetable?
1. Senior management buy-in and drive (FDs, CIOs, Audit Committee): a top-down approach.
2. Beef up the Finance and IT functions. Make sure you have strong controls, in particular internal controls over financial reporting.
3. Scoping correctly: super-critical, so work with internal and external controls/audit teams. Focus on critical financial applications such as ERP, financial reporting systems and billing systems. Take a top-down view of the risks of material financial misstatement in the business.
4. Investment in GRC tools. Use technology to automate controls and segregation of duties to save time and costs.
5. Follow Missouri, the “show-me state”. SOX controls need to be demonstrated to auditors, so the focus should be on building an evidence-based controls framework. Focus on evidence.
What about US SOX?
The US SOX approach had 5 phases:
Phase 1 – Procedures Manuals
The way that internal auditors normally look for internal controls is by reviewing a flow chart or other representation of a process and highlighting the control activities. This caused an explosion in the creation of procedures manuals, so that people could actually say how a process was performed. Content management software became very popular.
Phase 2 – Focus on Key Controls
Now that there was a sea of control activities, it was pretty expensive to sign off all of your controls, so the focus shifted to key controls, and most especially the close process. Software founded on workflow management became very popular.
Phase 3 – Focus on IT General Controls
There seemed to be a realisation that automated processes were easier to control, and that setting up those controls correctly would be a valuable exercise. Software that managed configuration settings became popular.
Phase 4 – Focus on Access Controls
There was a movement to clean up inappropriate access controls that had accumulated in enterprise systems. Segregation of Duties software became very popular.
Phase 5 – Focus on Anomalies
The traditional operational and financial audit had taken a back seat through most of this journey, but there was a re-emergence of transaction monitoring capability at the end of the first wave. Analytic software became popular.
It’s important to not view this as a negative bureaucratic exercise.
Change will be required and companies need to start planning now to ensure compliance. The change should be seen as positive. The adoption of a robust, benchmarked framework to assess controls relating to financial reporting should be viewed as adoption of good practice which adds strength and robustness to the reporting and company overall.
If there is any lesson that hindsight has given us, it is that there was a great temptation to just get busy rather than think. The wording in section 404 of the Act was very explicitly “internal controls over financial reporting”. Think long and hard about where the risks of financial misstatement are before you get busy, and choose techniques that address those risks.
Where are you today?
- Review and assess the relevance and robustness of any existing controls
What do you need to address? Identify key risk and control needs:
- The complexity of the integrations that produce financial reports, and develop controls to show the completeness and accuracy of integrations critical to financial reporting
- The effectiveness of current controls on access management and segregation of duties across all systems
- The robustness and measurement of the joiners, movers and leavers process
- Identifying and evidencing key financial reporting controls, and the accessibility of reporting to evidence completeness, accuracy and reconciliation
- Third-party partners who hold or control data outside of your organisation
Invest in resources
- Training and development
- Engage with partners to assess and build a roadmap and the capabilities to meet the change
- Identify appropriate technology to deliver an effective and efficient controls framework
This isn’t optional. As the new legislative and regulatory landscape settles to define the enhanced obligations and duties on PIEs, plus the role, function and extent of ARGA’s powers, the business case will become almost self-defining and driven by necessity. PIEs will have no choice but to assess and employ additional internal controls, systems and risk management to deliver the checks and balances required to attain, adhere to and continuously comply with the new high-water mark being set for 2023 onwards. The consequences of ARGA’s intervention, and the effects of its sanctions on the business and/or its directors, as well as on its reputation and on public confidence, are clearly not a palatable or wise route to follow.
How can SafePaaS help?
Organisations can take advantage of our Segregation of Duties Insight™ assessment for Oracle ERP* environments. We will run 50 segregation of duties controls to identify the effectiveness of your current controls, leveraging the SafePaaS Enterprise Risk Management platform to provide a deep, personalised analysis of the gaps that may exist around IT controls in key financial systems. We will then provide a SOX expert with deep SafePaaS knowledge to deliver the findings and make recommendations on remediation, as well as on how to minimise risk in the future.
*Oracle E-Business Suite, Oracle ERP Cloud, PeopleSoft, JD Edwards, NetSuite. If you run other ERP systems, please contact us for a more detailed discussion.