SOX in UK is coming: Are you ready?
The UK government recently advised large corporations and their auditors that the UK's standards of business conduct and transparency are increasing significantly.
UK SOX is here. As a company, you may have already done everything you can to ensure compliance, you may be in the middle of it, or you may still be considering it. Regardless of what stage your organization is at, it is important to understand the legislation and its requirements and how to make sure you are on the right side of it.
The UK Financial Reporting Council (FRC) has been working on a UK equivalent of the US Sarbanes-Oxley Act (SOX) for years. SOX requires executives to certify that a company's internal controls are strong enough to make certain that financial statements are consistent. At the same time, calls for audit reform in the UK have increased.
A white paper titled “Restoring Trust in Audit and Corporate Governance” has been released by the Department of Business, Energy, and Industrial Strategy (BEIS) to publicize the intent of the regulation and solicit comments from stakeholders.
The four major themes in the BEIS report, together with peer advice for our UK partners, are as follows:
Expanding Directors' Accountability:
In principle, the current UK requirements are already in line with the Sarbanes-Oxley regime in the US: the Companies Act requires the keeping of adequate accounting records, and the UK Corporate Governance Code declares: "The Board of Directors must monitor the company's risk management and internal controls and conduct an effectiveness appraisal at least once a year and report on this in the annual report."
The CEO and CFO certify to the Board of Directors annually the effectiveness of the company's internal controls for financial reporting.
In addition, companies must disclose if a serious error has occurred in their internal controls. A disclosed error would result in the CEO / CFO certification being reviewed for the next three reporting years.
The Role of Internal Audit:
With the outlook for UK SOX becoming more certain, it is important that internal audit is proactive and prepared.
Internal auditors consider the following four-step process to be a useful framework for performing a gap analysis. These steps are implicit in current UK corporate governance requirements, although few apply them in practice, and are likely to form the basis of a new regulatory framework related to internal controls over financial reporting (ICFR).
1. Primary evaluations and entity-level controls:
Begin with a comprehensive understanding of the business model.
Conduct a financial risk assessment and a fraud risk assessment.
Establish clear and robust controls at the company level to ensure the "right tone from the top".
Outline a hierarchy of delegated authorization.
2. Approval of in-scope systems and recognition of material controls:
Obtain clarity on in-scope systems and the associated general IT controls.
Classify critical third-party / external vendors for in-scope processes.
Create robust process documentation for key business cycles with clear process owners.
Distinguish the material controls.
3. Determine robust monitoring and assessment processes:
Define and demonstrate a robust process for continuously monitoring the design and operational effectiveness of material controls.
Identify and validate a robust process for a year-end evaluation of the design and operational effectiveness of material controls.
4. Determine clear reporting protocols and accountability for action:
Characterize a significant control error or vulnerability that would require detailed review and disclosure of corrective actions.
Describe reporting processes, including tracking corrective actions.
Audit Firms with Improved Competition:
The auditing market is being restructured in order to separate the auditing and advisory branches of the "Big Four" auditing firms. In addition, non-Big Four firms are required to conduct a significant portion of the audits for the UK's largest companies, and market share will be limited if competition does not improve.
Modernizing the Auditing System
There must be better transparency of corporate finances, with tighter reporting for large unlisted companies and audits extended beyond the annual financial statements to review the company's overall performance.
A new regulatory agency, named the Audit, Reporting and Governance Authority (ARGA), will oversee audit practices and will have legal powers to scrutinize misconduct and implement reporting requirements. ARGA is funded through a mandatory industry levy.
The time for transformation is now
In preparation for the possible UK SOX implementation, many corporations consider themselves reasonably ready, but a significant upgrade is required to be fully compliant.
As any regulated organization will know, SOX compliance represents a major shift in the business approach to internal controls over financial reporting, with a much greater effort needed to demonstrate that reasonable assurance of their suitability and operational efficiency is being achieved.
While the timeframe for implementing equivalent regulation in the UK market is still uncertain, the impact will be permanent. It is vital that organizations are willing to consider their controls now, so that they are not compromised in the future and required to close gaps with improvised solutions, to the detriment of the entire control environment.
The time to act is now.