6 quick need-to-knows about the upcoming UK SOX

09 June 2021


The introduction of a UK SOX-style regime is one proposal amongst many put forward in the recent white paper from the Department for Business, Energy and Industrial Strategy (BEIS) on restoring trust in audit and corporate governance.

Initially recommended within the Kingman and Brydon reviews to strengthen the UK’s internal controls framework, the regime is expected to be a lighter touch than the US Sarbanes-Oxley Act (SOX), which became law in 2002.

So, what do we know about this specific proposal so far, and how might it impact businesses and internal auditors?

 

  1. Sarbanes-Oxley UK is not yet a certainty

Following the publication of the BEIS white paper, a consultation period commenced whereby the public has been invited to have their say on the proposals by the 8th of July 2021.

Whilst we will not know for sure whether SOX is coming to the UK until the consultation has closed and the government has reported back, the paper has suggested the following options to address this key area of audit reform:

  • Option A: Requires an explicit director’s statement about the effectiveness of the internal control and risk management systems
  • Option B: Requires auditors to report more about their views on the effectiveness of companies’ internal control systems
  • Option C: Requires auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems

 

 

  2. The government’s preferred choice is Option A

Designed to ‘sharpen directors’ accountability’, new reporting and attestation requirements on internal controls are a core element of the UK SOX proposal.

In line with this, the tentative preference is for directors to acknowledge their responsibility for establishing and maintaining an adequate internal control structure for financial reporting through an official statement.

This option would also require directors to carry out an annual review of internal control effectiveness, explain the outcomes of this assessment and disclose any benchmark system used, as well as deficiencies that may have been identified.

 

  3. An Audit and Assurance Policy could play a critical role

It is probable that an Audit and Assurance Policy (AAP) will be the chosen method for determining the level of required assurance regarding internal controls over financial reporting. This is yet another proposal laid out by BEIS following the Brydon review, which stated: ‘I recommend that directors report to shareholders on their company’s payment policies and performance and that this be subject to some level of audit, as described in the company’s AAP.’

Decisions about whether the directors’ attestation should be subject to external audit would be highlighted in the policy, though it is likely that external audit of the statement described in Option A of the BEIS white paper would not be mandated.

 

  4. It would initially apply only to the UK’s biggest companies

If the regime comes into force, it is likely to apply only to premium listed companies at first, which will largely already be compliant with the key obligations. It would then be extended to public interest entities (PIEs) after two years.

This is still a widely debated piece of the puzzle; however, the BEIS consultation recognises the economic importance of privately-owned companies and recommends that they also meet the same high standards of reporting as listed companies.

 

  5. The final mandate (and resulting implementation) could be years in the making

Whilst the government white paper doesn’t hold any guarantees as to what will be included in the final bill, it is undoubtedly a step in the right direction for UK audit reform.

Based on the time it takes for new legislation to be drafted and approved in the UK, we may not see the UK SOX proposal come to fruition until near the end of 2023. The implementation dates for certain changes will also depend on whether legislative action is required, or if change can be enforced through regulation.

Businesses can expect it to take between 18 and 24 months as a minimum to develop a robust internal control framework once the bill has passed, depending on what they already have in place. Since this could pose a significant burden for some organisations, one option being discussed is a phased approach to implementing the regime, based on company size.

 

  6. The prevailing advice for businesses is to act now

With a greater spotlight on internal controls since the positive reception of the Kingman and Brydon recommendations, it is evidently not too early to be thinking about how this could impact your business.

Now is the time to consider where there may be room for improvement to internal controls over financial reporting, which will be good practice regardless of the outcome of the consultation.

Taking the initiative sooner rather than later will allow time to remedy any weaknesses in your control framework. It will also make it far easier to adapt to the changes ahead as you transform the control environment into one that is flexible and agile enough to meet the future demands of the regulators.

 

With the public consultation still ongoing, key decisions on the viability and scope of a UK SOX regime have yet to be made, though now is the ideal opportunity to have your say. You can also learn more about this proposal and the other recommendations for audit and corporate governance reform in Deloitte’s helpful summary of the BEIS white paper.

 

 

Written by

Alexandria Claypole

As Content Marketing Executive at Ideagen, Alex delivers insightful and actionable content to help organisations worldwide better understand the intricacies of the auditing, risk and compliance world. With strong roots in the technology sector, Alex is committed to advocating software solutions that support businesses in both achieving and exceeding their objectives.