The promise of a SOX-like regime in the UK has been floating around for a while.
While the details may not yet be fully concrete, and we’re not completely certain about when it will come into force, we have a pretty good idea about the general shape of a UK SOX mandate, which is good news for everyone who’s going to be impacted by it. With enough of an idea about what the Department for Business, Energy & Industrial Strategy (BEIS) is likely to enforce, we’re all in a good position to get UK SOX ready.
A potted history of UK SOX
How can we be so confident about what BEIS is going to do? For starters, we’ve read the reviews that form the backbone of the mandate. There was the 2018 Kingman review, which offered guidance about external audits and internal controls, and the 2019 Brydon report, which outlined the overarching need for audit to be transformed into a service that meets the expectations of UK stakeholders, increases accountability for directors and introduces new rigour and suspicion to the qualities of auditing.
Then there was the BEIS whitepaper itself. It laid out which firms would be impacted (primarily the UK’s largest companies), indicated that directors would need to conduct an annual review of their internal control effectiveness and new disclosures, and that external audits will be allowed if it’s determined that extra assurance would be proportionate.
Finally, we know that an Auditing, Reporting & Governance Authority (ARGA) is going to be established to replace the existing Financial Reporting Council (FRC) and that this new organisation will be sharing “best practices” for businesses to follow. We don’t know the letter of these best practices…but we can take a stab at their spirit.
Seven actions you can take now to prepare for UK SOX
So, how to prepare? The answer lies in a mixture of operational, organisational and technological transformation. Here are seven things that you can do today:
1. Establish strong leadership
With the business, its investors and regulators demanding and depending on compliance, decisive action is needed. This needs to come from someone in the C-suite, particularly when UK SOX directly impacts directors and those sitting on the board.
But decisions shouldn’t be made in closed rooms. The best leaders take time to understand the challenges that employees on the ground are going to face. They understand the limitations of silos. They understand the overall objective of establishing a new process, but they also know what it means to individual personas.
2. Build effective lines of communication between teams
Lack of communication is the biggest pitfall when formalising any process. If people don’t believe in the leading strategy, or if they aren’t moving toward the same goal or perspective, issues can arise. While this can be partially mediated with strong leadership, effective communication strategies need to be embedded into the core and satellite teams working on delivering the process.
If everything - direction, strategy, timelines - is strictly disseminated from the top and there’s limited cross-pollination between teams during the process of collating the annual review of internal control effectiveness and disclosures, then new risk will be introduced.
3. Make time to fail
One of the biggest pitfalls encountered by organisations in the US as they began their SOX journey was not ring-fencing enough time to identify gaps and deficiencies in their existing control environment. If you build time for this into process development, you will not only help to prevent issues later in the process, but you will also catch mistakes before regulators do, avoiding a costly compliance exercise.
4. Ask the right questions when building your SOX tech stack
Making the best decisions about which technology will support your internal reform of audit, controls and governance first relies on knowing which questions to ask. So, when thinking about how to build your controls ecosystem, it’s a good idea to start with questions such as:
- Are we getting the insight and value we need from this technology, as and when we need them, to identify key risk indicators in real time?
- How can it be used to enhance and monitor controls?
- How can we automate repetitive tasks that often take lots of time and can be a key point of failure?
5. Don’t let regulators define your technology needs
Any investments that you make should be driven by your business’ integrated assurance and reporting needs. While you will, of course, need to ensure that you’re able to match up to regulatory expectations, these expectations shouldn’t be seen as an end goal. Go further. Look at your entire end-to-end process and consider your ecosystem as a whole—what can you do to ensure connectivity, control, full data traceability and true process integration to a degree that surpasses regulatory directives?
6. Centralise controls
Create a single source of truth by integrating controls within the same central platform. Everyone involved needs to be confident that they’re looking at the same data and that the data is linked and consistent. This will ease the audit process and enable discussions to focus on analysis instead of managing inherent risk.
7. Create a connected environment
The technology that you use should be able to create data lineage across both structured and unstructured data to all underlying processes, risks, controls and issues. It should also allow you to track and map Annual Report line items and disclosures to the assurance environment. Combined, this will allow you to create a connected environment where risk assessments and monitoring directly feed into your control records, your conclusions around control effectiveness, and the issues tied to audit planning and scoping. Further, it will give you transparency over your overall assurance in real time.
Start preparations today
This really should be number eight on the list above, but it’s important enough to stand on its own. Yes, the mandate has been pushed back. But there are no real signs that it’s going to be nullified anytime soon. You still have time to get everything in order so that you can establish industry-leading UK SOX practices.
The findings of the reviews, and the recommendations of the BEIS whitepaper, should well herald a new era for UK-based organisations. And the additional rigour that they’ll bring to audits can only be a good thing. So why wait for UK SOX, or whatever it ends up being called, to come into force?
For more information about UK SOX, and advice about how to prepare, read this e-book.
Tim Le Mare, Regional Sales Director, Integrated Risk for Workiva