The UK’s Financial Reporting Council (FRC) has been working on an equivalent of the U.S. Sarbanes-Oxley Act (or SOX) for several years. A consultation with UK companies, audit firms and other stakeholders was launched by the government in March 2021, and closed in early July. What are the regulations going to look like, and who will be affected? When are regulations likely to be introduced and is there anything companies can do now in preparation?
What is SOX and why was it introduced?
In the early 2000s, a number of factors combined to create an environment ripe for corporate scandals in the United States, namely conflicts of interest, inadequate overseeing of accounts, a lack of independent auditors, and weak corporate governance policies/procedures. The highest-profile and best-known of these scandals was at Enron. In response to this corporate climate, auditing and financial regulations were established for companies listed on the U.S. Stock Market, set out in the Sarbanes-Oxley Act of 2002. SOX, as it is also known, set out minimum requirements for publicly-traded companies for greater transparency and accountability in financial reporting.
For many people working for a US-listed company at the time, the arrival of SOX felt quite sudden. Teams found themselves behind the curve, scrambling to put the necessary controls in place. It was very reactive; organisations needed to have started the journey much earlier than they did.
Why is UK SOX needed?
The UK has had its own share of accounting and audit-related issues, with recent financial scandals at Patisserie Valerie and BHS deemed to be “indicative of a wider crisis of trust in the audit industry” (The Future of Audit, by the House of Commons Business, Energy and Industrial Strategy Committee). Recent independent reviews (the Brydon Report and Sir John Kingman’s 2018 FRC review) have recommended reforming audit and governance regulation. Legislation is expected to be finalised in late 2022 but, as with other recent regulations, it is unlikely to come into force for a year or two after that. That is good news because, based on U.S. experience, it is going to take a couple of years for companies to prepare.
Will it really happen?
Here's a short story. Winterhawk and SAP ran a GDPR-focussed event in October 2016 in London; it was the first of its kind in the UK at the time. A captive audience of leaders from various UK companies attended to hear lawyers and leading experts speak about GDPR, what it would mean, and the changes that would be required. Feedback at the end of the day was that the content was interesting, but attendees were sceptical that it would have much impact on their businesses, let alone be rolled out. Fast forward to May 2018: GDPR was introduced and people raced to understand and comply with the regulations. It's now commonplace to read about large fines being handed out across Europe. Proactive companies are already thinking about UK SOX; FTSE-listed clients are telling us that they’re concerned and asking what they should do in preparation.
So what can you do right now?
Now is the time to start planning. A compliance project could take years depending on the size of the organisation and the number of stakeholders involved. It can take time to get it right, to reach the stage where significant deficiencies aren’t being reported. We suggest you start by considering the following questions:
- Do we have an effective programme of risk & controls?
- Do we have clearly defined risks properly aligned with the business?
- What about Key Risk Indicators (KRIs)?
- Are the right people in place with ownership of controls and processes?
- Can we automate and/or innovate to leverage our existing technology?
Past Learnings
When reviewing the ‘404 General Computer Control’ requirements some twenty years ago, it became clear that SOX compliance was going to be a significant undertaking for organisations and would be a multi-year effort. Finding future-state control owners was the first major challenge, and was rarely something people wanted to sign up for; it added work to their often already busy schedules. To gain buy-in as the programme evolved, it was important to find ways to streamline, optimise and automate controls, reducing the burden on control owners, not just from a SOX perspective but also by saving them and their teams time in their day-to-day roles.
In 2002, when U.S. SOX was introduced, GRC solutions were still in their infancy and compliance projects were very much a manual effort, but the ways we managed U.S. SOX are still relevant here. Today we have solutions such as SAP Risk Management and SAP Process Control which will be of significant benefit to companies in the UK who are starting their UK SOX journey.
UK companies that are listed on the stock market (or planning to be listed in the future) are likely to be in scope for UK SOX; it will become part and parcel of their internal and external audits on an annual basis. For organisations running SAP, where the existing ERP system already looks after the financials, it makes absolute sense to have GRC solutions embedded to help with the journey towards UK SOX compliance (not to mention looking after your data and helping to prevent fraud, cyber-attacks and so on).
Bottom line: it’s never too early to start thinking about upcoming regulations and preparing for them.