Sarbanes-Oxley is coming to the UK. Are you ready?

Preparing for a new era in financial compliance

In March 2021, the UK’s Department for Business, Energy and Strategy (BEIS) launched their much anticipated consultation: “Restoring trust in audit and corporate governance.” This consultation followed three significant reports into the operation of the UK’s financial services industry: the Sir John Kingman’s review, the Sir Donald Brydon review, and the CMA’s statutory audit market study. 

In short, the consultation seeks to introduce strengthened internal controls regime, similar to the Sarbanes-Oxley rules in the US which require directors to attest to the effectiveness of internal controls over financial reporting.

What is Sarbanes-Oxley?

Sarbanes-Oxley, also known as SOX, is a major piece of financial legislation which was passed in 2002 in the United States. This was in response to a number of financial scandals in the early 2000s involving publicly traded companies including Enron, Tyco and WorldCom. These high-profile frauds shook investor confidence and led to demands for an overhaul of decades-old regulatory standards. 

SOX created strict rules for accountants, auditors and corporate officers and imposed much more stringent recording keeping standards. Criminal penalties for violating securities law were also implemented. While the Act is aimed at public companies, elements also apply to private companies and nonprofits. 

Some key features of SOX include Section 302 on “Corporate Responsibility for Financial Reports.” This established that CEOs and CFOs must review all financial reports and that the reports are “fairly presented” and don’t contain misrepresentations.

Section 404 deals with “Management Assessment of Internal Controls” and requires companies to publish details about their internal accounting controls and their procedures for financial reporting as part of their annual financial reports. This requires corporate executives to personally certify the accuracy of their company’s financial statements and makes them individually liable if the SEC finds violations.

There are also whistleblower protections, mandated disclosure in periodic reports of transactions that could impact financial status, prohibition of personal loans from a corporation to an executive, criminal sanctions for evidence tampering and new auditing practices.

What is the current internal controls framework in the UK?

UK Listing Authority statements: Requires directors of listed companies to establish and maintain ongoing internal control frameworks in order to make proper judgements on the financial position and prospects of the business.

The UK Corporate Governance Code: Requires boards perform an annual review of the effectiveness of risk management and internal control systems, and also document those reviews in their annual report.

Wates Corporate Governance Principles: The Wates Principles requires internal control frameworks be established, including a monitoring and review process.

Companies Act: This includes the main requirements to keep adequate accounting records. 

Domestic sector regulators: There are various regulatory bodies for market sectors, such as the Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA) for the financial services market. They publish their own expectations around internal controls.

How does the UK want to introduce Sarbanes-Oxley?

The government’s consultation set out three main options to address audit reform:

  • Option A: Requires an explicit director’s statement about the effectiveness of the internal control and risk management systems
  • Option B: Requires auditors to report more about their views on the effectiveness of companies’ internal control systems
  • Option C: Requires auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems

The government indicated that their preferred choice is Option A. This would likely mean the Audit and Assurance Policy (AAP) will be the preferred method for determining the level of required assurance over internal controls of financial reporting. Any decisions about whether the directors’ attestation should be subject to external audit would be explained in the company’s AAP, although external audit of the statement would likely not be mandated.

Despite US SOX having criminal penalties for non-compliance, the UK has not suggested directors will go to prison if they fall short. But the UK is not starting from zero. As outlined above, there is a well developed internal controls framework with penalties included. The ICAEW have expressed reservations about introducing a UK SOX if criminal penalties are not on the table. 

Although the US regime seems to have proved effective. There has been a markedly lower level of major corporate failures since SOX was introduced. BEIS noted that some stakeholders believe Sarbanes-Oxley has led to better financing reporting and stronger reassurance for investors. 

Another key element is improving competition in the audit sector by opening up the industry to businesses beyond the Big Four audit firms. The Financial Reporting Council (FRC) aims to publish a new framework focusing on the role of auditors and what they need to do. Rationalising the factors that make up a good audit, risk assessment, oversight, and professional scepticism. 

How to set up a SOX compliance programme

Like with any new compliance programme, such as GDPR, it can take some time to understand the requirements. But setting up internal controls and processes early, ideally before mandated by regulation, can make the transition process easier. 

Step 1: Set up two SOX committees

It can be useful to have one committee for business processes, and another for IT, which can provide technical oversight and educate the rest of the organisation. 

Step 2: Systematically educate the business

Tailored training for different teams on what SOX is, how it will impact them and their work and reviewing responsibilities under SOX.

Step 3: Establish a detailed plan

Begin with a risk assessment and map out the processes and systems involved. Understand what needs to happen at each stage of the process, understand who the process and control owners are and ensure they know what is required of them.

Preparing for change and taking a pragmatic approach will help with the inevitable transition. It is clear some version of SOX is coming to the UK, and it is helpful to begin preparations now. Good practice includes:

  • An embedded controls culture with engagement from Board level to control owners.
  • Mapping out areas of strength, weakness and need for improvement.
  • Having an efficient and effective controls testing programme supported by automation and insight reporting.
  • A training programme to systematically educate the business,
  • A technological internal control framework with real-time monitoring by management.

VinciWorks can help with reporting and training using our financial services course suite and highly customisable Omnitrack reporting tool. Contact us via the form below for more information and how VinciWorks can help.