Most reviews agree that UK SOX is on its way, although it's been delayed even further by recent events. We look at what businesses should be doing now to prepare for the promised regime.
The Brydon report gave consideration to introducing a lighter UK version ("UK SOX") of the internal control reporting regime imposed on US listed companies by the Sarbanes–Oxley Act of 2002, an idea already raised by the Kingman review. The Department for Business, Energy and Industrial Strategy (BEIS) is currently developing proposals based on these recommendations.
In January we looked at the impact of the Brydon review on internal audit teams, and expectations were that this year would bring greater clarity on whether a UK SOX would be introduced.
Much has happened since then, with audit reform and the government’s response to the Brydon recommendations falling down the list of priorities. However, I believe that BEIS is still committed to developing proposals, and I'm hopeful of further communications in the near future.
Businesses have been focused on managing their new risk profile during the COVID-19 situation, and the initial focus on the Brydon review and UK SOX that we saw prior to the lockdown in March has naturally fallen away.
We have seen renewed interest in this area over the last few weeks as companies start to look ahead to year-end and the reporting season.
What is likely to change?
The UK already has many requirements relating to internal control assessments. In particular:
The UK Corporate Governance Code
This requires that boards perform an annual review of the effectiveness of risk management and internal control systems and report on that in their Annual Report.
Wates Corporate Governance Principles
There are similar requirements for large private companies in the Wates Principles, which require the establishment of an internal control framework including a monitoring and review process.
In our experience, the nature and extent of procedures performed to support this annual review vary widely and rarely include much detailed testing of operating effectiveness as would be expected in a UK SOX-type regime.
Our latest Corporate governance review noted that there remained little discussion of how companies had reviewed the effectiveness of their internal controls, with 66% of the FTSE 350 only providing the most basic of disclosures in this area.
We expect that the requirements relating to how businesses perform their annual effectiveness reviews will become more prescriptive.
Key changes with UK SOX
The key changes that we expect to see clarified in the new guidance relate to:
whether a separate Internal Controls Statement will be mandated, with formal attestation by the CEO and CFO to the board
the breadth of scope and whether broader entity-level controls that don’t directly relate to financial statements should be included within the remit of this assessment
principles around the nature and extent of procedures required to support the assessment
the assessment of control exceptions identified, including their evaluation and the requirement to disclose
whether there will be a requirement for external auditors to review and report on management’s assessment
The challenge will be to ensure that any new regulations introduced are sufficiently robust to mandate a meaningful assessment, while retaining enough flexibility for each company to develop an approach that best fits its unique business model and organisational structure.
What should internal audit be doing to support?
While there is unlikely to be any regulatory change this financial year, we have noted that boards and audit committees are looking to the business to provide them with additional information around the annual internal control effectiveness review, in anticipation of future change.
Experience in the US shows that the vast majority of internal audit teams are involved in the SOX process, and we believe it's right they should be supporting the business with this.
Internal audit needs to maintain its independence, but there are areas where leading functions can start the dialogue with the business to improve focus and rigour even before requirements are announced.
In particular, internal audit should help the business answer the following key questions to inform its future approach:
Has a group-wide internal control framework been developed and embedded?
What is currently done to support the annual review of internal control effectiveness?
Are there gaps in the current process? For example:
group processes such as treasury, tax or consolidation
activities performed by outsourced service providers or other third parties, such as payroll
IT controls around key financial systems
Which key risk areas should effort be prioritised on?
By doing this, internal audit can use its risk and control skill set and its knowledge of the business to define a sound framework for assessing the current state and to suggest focused areas for improvement.
The opportunities for UK SOX
Internal audit has the opportunity to add value by ensuring the approach is pragmatic, aligning compliance needs with the culture and ways of working of the business, so that controls are embedded as part of good business management rather than bolted on as a compliance exercise.
To find out more about how you can get ahead of the curve in understanding the implications and opportunities of UK SOX for your business, contact Eddie Best or Martin Gardner.