
SOX compliance UK: embedding robust internal controls

Before you report on the effectiveness of your internal control framework under UK SOX, you need assurance that the framework is both well designed and operating effectively. We explain how you can obtain that assurance.

Most companies will have a control framework, finance manual or delegation of authority matrix that sets expectations around controls. To comply with UK SOX these will need to be rolled out effectively and embedded in the business. You can optimise the effectiveness of your regime by establishing a culture of control.

You also need assurance that your regime does actually comply with UK SOX requirements.

What are your assurance options?

You can achieve assurance either by some form of self-assessment or by an independent review.

Independent review

There are several options for delivering an independent review, all with pros and cons. These are primarily:

  • Group finance or central controls function
  • Peer review
  • Internal audit (in-house or with co-source support)

Typically, an internal audit means delivering an audit programme that sample-tests control operation, often combined with walkthroughs of end-to-end processes to understand them and assess control design. It brings an external perspective, with the ability to share experience and benchmark. It is independent, but it comes at a cost, so historically businesses have chosen to rely on some form of self-assessment instead.

Control self-assessment (CSA)

A CSA can take various forms:

  • Complete defined audit programme including sample testing
  • Self-certify compliance with each control without sample testing
  • Periodic certification by FC/FD/MD

It's important to remember that a key risk of self-assessment is false assurance.

Boards and management would take comfort from clear returns across all locations. But should they really be placing such reliance on what is effectively a self-certification? Would local management feel obliged to self-report non-compliance in their own team, or would they present a more favourable position to Group? And do local management understand controls and their objectives well enough to know if controls are not effective locally? What evidence do management retain to demonstrate controls are being performed?

To compensate for this, returns can be challenged, or periodically reviewed and validated. Good practice is for group finance or regional/divisional FDs to review a sample of returns and request the documentation that supports reported compliance, so that what local management reported is validated.

On balance most organisations rely on a form of CSA, so it is important to think about how you can build an effective regime.

What does the CSA really tell management?

To answer this question you need to think about how much reliance you can place on the information, whether the assurance goes far enough and whether the outputs can be trusted.

There is a natural tendency for positivity bias from any ‘self-assessment’. It is human nature to want to report a rosier picture than perhaps is the case. Your organisation may also have a culture of ‘not reporting bad news’ that results in returns being better than is actually the case.

Organisations completing the returns may have every intention of improving any areas where the control environment is not quite as good as is being reported. Or they may delegate completion of the CSA to more junior personnel and so not have the full picture of the control environment themselves.

You also need to consider what evidence is retained to demonstrate control performance. In our experience, most organisations have some form of minimum control framework already. Where UK SOX-style internal control reporting regimes will require a step change is in the quality of the supporting documents retained to evidence that controls are being performed.

How to address these risks?

In our experience, there are a few key ways you can address risks of relying on a CSA:

Sponsorship

Sponsorship from the C-suite (usually the CEO or CFO) sets the right tone from the top and helps drive a culture of responsibility and accountability.

Communication and guidance

Communication of the purpose, value and benefits of CSA activity is key to achieve appropriate buy-in to the process. You will need a proper roll out, training and regular reinforcement. This will take time and resources, so you need to ensure there is enough focus and effort applied from the start.

Responsibility and accountability

Clarify the expectations placed on the management accountable for owning and completing the CSA return: the required levels of integrity, honesty and accuracy of the statements made in the questionnaire. We normally see, for example, that the local FD has to sign off a return completed by their team, stating that they have reviewed the assessment and agree with the reported results.

Evidence

Consider what evidence management needs to retain to demonstrate that controls are operating effectively, and what they need to submit to support their CSA response. How will this be collated and stored? Will there be a shared folder, a SharePoint site or similar? Will management need to provide evidence with their CSA, or only retain it for independent validation by a group control function after submission?

Culture

Your culture must support open and transparent CSA returns, with support and, where needed, additional resources for business units that have reported weaknesses requiring remediation. The key message should be that your aim is to improve controls, and that you therefore expect to see exceptions, as long as there are plans to remediate them. What is not acceptable is failing to report exceptions that are then flagged later, or failing to implement agreed actions on time. You can consider setting an amnesty period at the start to encourage honesty and avoid defensiveness.

Key control focus

Clarify the control framework and linked audit programme/self-assessment and guidance from the start. Focus your efforts on key controls to avoid it becoming a large tick-box compliance exercise. Keep the assessment scoring simple, with a free-text box to provide explanations.

Monitoring

Implement a robust process to monitor completion of agreed actions against due dates. Consider adding a general free text question asking for an update on any control changes or other information deemed useful; often, this is a good way to flush out challenges and issues that were not reflected in other CSA responses.

Validation and verification

Independent verification by the second and third lines of defence is a key requirement, both to validate CSA responses on a sample basis and to provide assurance over the integrity of the returns submitted. Without effective validation activity the process may fail to deliver an accurate picture of the control environment across the business.

Use of data and tools

Data analytics and data visualisation techniques can be used to great effect to simplify results interpretation and reporting, and help drive the efficiency and effectiveness of the CSA process.

How does a CSA fit into your other assurance activity?

A well-designed CSA process can be implemented and completed effectively ‘remotely’ and provides broad coverage of the business from an assurance perspective.

However, CSAs do not negate the need for further assurance and the more traditional internal audit activity.

CSAs can be highly complementary and insightful as a tool to gauge the effectiveness of control environments and compliance with internal minimum controls. They also help to emphasise local management’s responsibility for deploying the control framework effectively. Given the minimal cost and few drawbacks, it is hard to argue that a CSA is not a worthwhile process to augment other internal audit activity.

In the first year or so of CSA activity, a business must have realistic expectations of results and compliance levels. There is a strong chance that management will get the process wrong, or that results will not be entirely as expected because of user error or differing interpretations. However, with re-education and reinforcement of the activity and what is expected, the quality of results should improve over time. This will provide a wealth of information and data from which to build actions, benchmarks and a stronger control framework in the longer term.

Preparing for UK SOX compliance

If you want to know more about how to get ready for UK SOX and establish a robust internal control reporting regime then contact