
UK SOX is coming: how can you get ahead of the curve?

In their 2018 and 2019 reviews, Kingman and Brydon both called for the introduction of a UK version of the US Sarbanes-Oxley (SOX) internal control reporting regime. We explain what you need to know to stay ahead of the curve.

January 2024 update - the FRC have now published a revised Corporate Governance Code with new Internal Control reporting requirements. For the latest see FRC Code update improves internal controls reporting.

UK SOX is a key element of wider audit sector reforms proposed in the much anticipated Department for Business, Energy and Strategy (BEIS) consultation: "Restoring trust in audit and corporate governance", launched on 18 March. The 230-page consultation paper contains a large number of recommendations, including introducing rules similar to the US SOX regulations. There will be an extended 16-week window for responses.

The white paper clearly states that new reporting and attestation requirements on internal controls are one of the areas designed to “sharpen directors’ accountability”. In line with this, the consultation is seeking views on three options:

1. Option A is the tentative preference of the consultation paper. This requires an explicit directors’ statement about the effectiveness of the internal control and risk management systems.

2. Option B will require auditors to report more about their views on the effectiveness of companies’ internal control systems.

3. Option C is the closest to US SOX and will require auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems.

In October, we wrote about what you should do to prepare for UK SOX. In this series of articles, we will explore the different elements of it. The first step is understanding the corporate governance internal control landscape. 

Before we look at the future of corporate governance, it's helpful to think about where we are at the moment.

Arguably, all organisations should have an adequate and proportionate framework of internal controls already. The UK does currently have various requirements relating to the internal control environment. However, in our experience, the nature and extent of procedures that support these vary widely.

The consultation paper clearly states this premise as well: regulatory and other requirements on internal control arrangements are clearly established, but there is a case for strengthening the internal control framework and clarifying expectations on director, board and external audit responsibility.

But first, what is the current corporate governance internal control landscape?

The internal control landscape: what does it look like now?

This is the current basis of internal control requirements in the UK:

UK Listing Authority statements

These require directors of a listed company to establish and maintain ongoing internal control frameworks to provide a reasonable basis to make proper judgements on the financial position and prospects of the business.

The UK Corporate Governance Code

This requires that boards perform an annual review of the effectiveness of risk management and internal control systems and document that in their annual report.

Wates Corporate Governance Principles

There are similar requirements for large private companies in the Wates Principles, which require the establishment of an internal control framework, including a monitoring and review process.

Companies Act

This includes requirements to keep adequate accounting records.

Our latest corporate governance review research found that there remained little discussion of how companies had reviewed the effectiveness of their internal controls, with 66% of the FTSE 350 only providing the most basic of disclosures in this area.

Domestic sector regulators

Regulatory bodies for material market sectors, such as the Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA) for the financial services market, detail clearly, within their sourcebooks and handbooks, their expectations around the maintenance of a robust internal control environment.

The direction of travel

The consultation recommends that a CEO/CFO internal control attestation should be introduced. This should be benchmarked against a control framework, such as the Committee of Sponsoring Organisations (COSO), which is used by the majority of US companies. The consultation also mentions the draft principles being developed by the Audit Committee Chairs Independent Forum (ACCIF) in response to the Brydon recommendations.

The ACCIF Board working group is proposing that Listing Rule 8.4.2(4) is utilised as a lever for UK SOX, as it focuses importance on transparency. This rule requires directors of a company that seeks premium listing on the London Stock Exchange main market to establish procedures that provide a “reasonable basis to make proper judgements on the financial position and prospects of the business”. Their proposal is to limit the attestation to the financial position only.

The key underlying principles on which ACCIF have sought to base their recommendations are:

  • Leveraging what already exists in the UK and is familiar
  • Whether it can be applied proportionately
  • Whether it is achievable to implement and can be embedded
  • Avoiding duplication, so where an organisation already falls under another framework, such as US SOX or J-SOX, there shouldn’t be any further requirements

Both Brydon and Kingman have indicated that they are broadly supportive of the ACCIF proposals:

“I think the paper has caught the spirit of my recommendations very successfully and also acknowledges effectively the need for proportionality. Using 8.4.2 is a sensible way forward.”

Sir Donald Brydon

As you would expect, it is in the detail of the implementation where feedback from across the business and investor community diverges. It is these areas that are explored in the BEIS’ consultation paper and will ultimately be clarified in the new guidance on UK SOX.

There are, however, some key questions still to be answered, assuming there is a clear case for enhancing existing requirements:

Key questions

Who should proposals apply to?

Should it be just premium listed companies who already fall under Listing Rule 8.4.2 (and arguably should already be compliant with the key requirements), or include all quoted companies, or the FTSE 350, or all public interest entities? This point is widely debated given the anticipated burden of implementing UK SOX (albeit the UK version is expected to be lighter touch than its US counterpart). The BEIS consultation, recognising the economic importance of privately-owned companies, proposes they should meet the equivalent high standards of reporting as listed companies.

Timing and implementation?

It takes time to develop a robust internal control framework, testing and reporting regime. Depending on what already exists, this could be a significant burden for some organisations. Would a 12-month timeline (the maximum time to comply under US SOX) be workable? One option being discussed by commentators is a phased approach to implementation based on size.

It is worth noting that after the consultation period, it will take time for legislation to be drafted and approved in the UK.

In the US it also took time for the Public Company Accounting Oversight Board (PCAOB) to issue more specific guidance on what is expected. We would expect this to be the same in the UK, but with the learnings from US SOX, organisations can take pragmatic steps to get ready now.

Scope and degree of assurance

The level of assurance required by the board to support their internal control attestation is a key question, and it will be interesting to see how prescriptive the legislation and associated guidance will be.

What will be considered a ‘sufficient’ level of documentation to evidence control design and operation? This is one area where the requirements of US SOX have evolved and become more prescriptive, and the level of effort to comply has increased. What should an organisation be required to disclose on identified control exceptions?

There is also a question about whether broader entity-level controls that don’t directly relate to the financial statements will be included within the remit of this assessment.

Accountability

ACCIF suggests that the decision on further assurance for the internal control framework and self-assessment should be made by the audit committee, but this still leaves some questions unanswered. Without this independent assurance will the required step change in internal controls be achieved? What additional support might you look for from internal audit in this space and how do you make sure this does not compromise their independence?

A key question in the consultation is the extent to which external auditors are expected to review and report on management’s assessment. This would be in addition to further work already envisaged under other audit sector reforms in the consultation, and the associated upward pressure on audit fees.

Next steps for UK SOX

We have seen an increased focus on internal controls since the positive reception of the Brydon recommendations, which can only be a good thing for corporate governance as a whole. The challenge is ensuring that new regulations are both robust and flexible. The consultation paper is your chance to have your say.

The key thing is that UK SOX is on its way and it is never too early to start thinking about what this means for you.

To find out more about how you can get ahead of the curve in understanding the implications and opportunities of UK SOX for your business, get in touch with our experts.
