FCA confirms targeted support framework under PS25/22
The FCA has taken another step forward by confirming the introduction of a targeted support framework and publishing the near final rules in PS25/22.
BEIS have since released their new consultation. This article provides useful context, but read "UK SOX is coming: how can you get ahead of the curve?" for the most up-to-date information.
The Brydon report gave consideration to introducing a lighter, UK version of the internal control reporting regime imposed on US listed companies by the Sarbanes–Oxley Act of 2002 (UK SOX), which had already been raised by the Kingman review. The Department for Business, Energy and Industrial Strategy (BEIS) are currently developing proposals based on these recommendations.
In January we looked at the impact of the Brydon review on internal audit teams, and expectations were that this year would bring greater clarity on whether a UK SOX would be introduced.
Much has happened since then, with audit reform and the government’s response to the Brydon recommendations falling down the list of priorities. However, I believe that BEIS are still committed to developing proposals, and I'm hopeful of further communications in the near future.
Businesses have been focused on managing their new risk profile during the COVID-19 situation, and the initial focus on the Brydon review and UK SOX that we saw prior to the lockdown in March has naturally fallen away.
We have seen renewed interest in this area over the last few weeks as companies start to look ahead to year-end and the reporting season.
The UK already has many requirements relating to internal control assessments. In particular:
This requires that boards perform an annual review of the effectiveness of risk management and internal control systems and report on that in their Annual Report.
There are similar requirements for large private companies in the Wates Principles, which require the establishment of an internal control framework including a monitoring and review process.
In our experience, the nature and extent of procedures performed to support this annual review vary widely and rarely include much detailed testing of operating effectiveness as would be expected in a UK SOX-type regime.
Our latest Corporate governance review noted that there remained little discussion of how companies had reviewed the effectiveness of their internal controls, with 66% of the FTSE 350 only providing the most basic of disclosures in this area.
We expect that the requirements relating to how businesses perform their annual effectiveness reviews will become more prescriptive.
The key changes that we expect to see clarified in the new guidance relate to:
We have noted an increased focus on internal control since the Brydon recommendations were published late last year, which can only be seen as positive.
The challenge will be to ensure that any new regulations introduced are sufficiently robust to mandate a meaningful assessment, while retaining enough flexibility for each company to develop an approach that best fits their unique business model and organizational structure.
While there is unlikely to be any regulatory change this financial year, we have noted that boards and audit committees are looking to the business to provide them with additional information around their annual internal control effectiveness review, in anticipation of future change.
Experience in the US shows that the vast majority of internal audit teams are involved in the SOX process, and we believe it's right they should be supporting the business with this.
Internal audit needs to maintain its independence, but there are areas where leading functions can start the dialogue with the business to improve focus and rigour even before requirements are announced.
In particular, internal audit should help the business answer the following key questions to inform future approach:
By doing this, internal audit can use their risk and control skill set and their knowledge of the business to define a sound framework to assess the current state and suggest focused areas for improvement.
Internal audit has the opportunity to add value by ensuring this is pragmatic, aligning compliance needs with the culture and ways of working of the business, to ensure approaches add value and are embedded as part of good business management.
To find out more about how you can get ahead of the curve in understanding the implications and opportunities of UK SOX for your business, contact Eddie Best or Martin Gardner.