Preparing for a new era in financial compliance with Sarbanes-Oxley (SOX)

In March 2021, the UK’s Department for Business, Energy and Strategy (BEIS) launched their much anticipated consultation: “Restoring trust in audit and corporate governance.” This consultation followed three significant reports into the operation of the UK’s financial services industry: the Sir John Kingman’s review, the Sir Donald Brydon review, and the CMA’s statutory audit market study. 

In short, the consultation seeks to introduce a strengthened internal controls regime, similar to the Sarbanes-Oxley rules in the US which require directors to attest to the effectiveness of internal controls over financial reporting.

What is Sarbanes-Oxley (SOX) Compliance?

Sarbanes-Oxley, also known as SOX, is a major piece of financial legislation which was passed in 2002 in the United States. This was in response to a number of financial scandals in the early 2000s involving publicly traded companies including Enron, Tyco and WorldCom. These high-profile frauds shook investor confidence and led to demands for an overhaul of decades-old regulatory standards. 

SOX created strict rules for accountants, auditors and corporate officers and imposed much more stringent recording keeping standards. Criminal penalties for violating securities law were also implemented. While the Act is aimed at public companies, elements also apply to private companies and nonprofits. 

Key Features of SOX

Section 302

Some key features of SOX include Section 302 on “Corporate Responsibility for Financial Reports.” This established that CEOs and CFOs must review all financial reports and that the reports are “fairly presented” and don’t contain misrepresentations.

Section 404

Section 404 deals with “Management Assessment of Internal Controls” and requires companies to publish details about their internal accounting controls and their procedures for financial reporting as part of their annual financial reports. This requires corporate executives to personally certify the accuracy of their company’s financial statements and makes them individually liable if the SEC finds violations.

There are also whistleblower protections, mandated disclosure in periodic reports of transactions that could impact financial status, prohibition of personal loans from a corporation to an executive, criminal sanctions for evidence tampering and new auditing practices.

Sarbanes Oxley Act Compliance Requirements

Which companies must comply? 

Under SOX, there are both internal and external financial record keeping and reporting requirements that are meant to ensure corporate and auditing accountability, responsibility, and transparency. 

The following types of companies are required to comply with SOX:

  • US publicly traded companies that are larger than a certain size, no matter where the stocks are traded. NYSE, Nasdaq, and over the counter stocks are all subject to SOX compliance.
  • Foreign companies that have registered debt or equity with the US Security and Exchange Commission (SEC).
  • Accounting firms that audit companies that are required to comply with SOX

Which sections are relevant for compliance?

The act contains eleven titles, or sections, ranging from additional corporate board responsibilities to criminal penalties. Eight of the eleven sections are particularly relevant from a compliance perspective:. 

Section 302: Corporate Responsibility for Financial Reports

This section requires signing officers to review the reports and attest that to the best of his knowledge there are no untrue or misleading statements or omissions, and that the financial report fairly represents the financial condition of the company. The signing officers are responsible for establishing and maintaining effective internal controls, and they must disclose any fraud, controls deficiencies, or changes that took place since a report, to auditors.

Section 401: Disclosures in Periodic Reports

This section states that financial information reported to the public and any reports to the SEC cannot contain any untrue statements or omissions and that reports comply with the Generally Accepted Accounting Principles (GAAP).

Section 404: Management Assessment of Internal Controls

The rules in this section detail the main SOX compliance audit requirements. This section spells out the information that companies must include in their annual filing. That information includes a statement of responsibility on the part of the management, to establish and maintain adequate financial reporting controls. The management must state how they evaluated the effectiveness of the company’s internal controls and what their findings were, and these statements must then be attested to by an external auditor. This section does not relate to the actual accuracy of the numbers in the report, but rather to the existence and effectiveness of the internal controls themselves.

Section 409: Real Time Issuer Disclosures

This section relates to the requirement for issuers to disclose to the public information on material changes in their financial condition or operations as soon as they come up. The disclosure must be in language that is easy to understand and graph presentations when necessary. This could include information that a company might rather not publish, such as a data breach or cyber attack.

Section 802: Criminal Penalties for Altering Documents

This section details the penalties for altering documents. Offenders face up to 20 years in jail for altering, destroying, or concealing records or documents related to relevant legal investigations. An accountant or auditor who knowingly and willfully violates the requirement to maintain records could face to up to ten years in jail.

Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud

Some of the biggest financial scandals came to light as a result of the testimony of whistleblowers who were insiders in their companies. As such, this section protects whistleblowers from retaliation by the company. Under this section, someone who retaliates against a whistleblower can face criminal charges.

Section 902: Attempts & Conspiracies to Commit Fraud Offenses

This section, part of the “White Collar Crime Penalty Enhancement” title, states that any person who violates SOX will be subject to the usual penalties for fraud, whether fines or jail time.

Section 906: Corporate Responsibility for Financial Reports

This section details the penalties that executives of public companies could face if found guilty of fraud: up to $5 million and over 20 years in jail for certifying a false or misleading report.

For compliance with this section, the CEO and CFO of a company must state in writing that the periodic report containing the financial statements fully complies with the requirements of sections of 13(a) and 15(d) of the Security Exchange Act of 1934 and that the information contained in the report accurately represents the financial condition and results of operations.

Sarbanes Oxley (SOX) IT Compliance Checklist

How compliant are you with SOX? What steps does your company need to take to get there?

This checklist can help you assess where you are today and what you need to do to become fully SOX compliant.

  1. Make a plan: Do the necessary research to understand reporting deadlines. Make both short term goals for the current fiscal year as well as long term goals for the future, taking into account that processes and controls must be appropriate to the scale of the company and therefore may have to be updated as the company grows.
  2. Select a framework or frameworks to support SOX compliance: Several organisations have developed frameworks and models that companies can use to develop their internal SOX controls and compliance one. A few of those are:
  • COSO: The Committee of Sponsoring Organisations of the Treadway Commission: This Committee developed an “Internal Control-Integrated Framework” that helps companies improve their performance through improved internal controls and risk management. The Framework is a useful guide for developing effective internal controls.
  • COBIT (Control Objectives for Information and Related Technologies): The ISACA, an industry group focused on IT governance, developed COBIT as a framework for IT governance that can be used to examine and improve IT processes within a company.
  • ITGI (The Information Technology Governance Institute): This industry group has also developed a framework that can be applied to SOX compliance. ITGI uses COBIT and COSO but has a specific focus on security.
  1. Undertake a risk assessment: Conducting a risk assessment will help you understand which processes within the company are relevant to compliance and to identify possible problem areas, which should then be addressed as part of the plan that’s developed.
  2. Gauge entity level controls: 
  1. Review the regulation to understand how it affects your organisation, and where you stand in relation to the requirements.
  2. Conduct a gap analysis to identify what control or corporate reform gaps exist. Then identify and prioritise the gaps that need to be closed.
  3. Undertake gap-focused readiness assessments: document where you stand, what your key risks are, and what initiatives will be impacted.
  4. Complete an ICFR risk assessment in order to identify your risks in enough detail, resulting in a complete financial reporting risk assessment.
  5. Perform a scoping of processes and entities.
  6. Create a vision and an operational plan to reach your end goal of executing a smarter internal control framework.
  7. Implement the plan, and run the plan to assess and be able to attest to the effectiveness of the internal controls you have set up.

What are the Benefits of SOX Compliance?

Having strong internal controls can help detect fraud early. For example, one common fraud method is employees making reimbursement claims for fictitious expenses; having adequate internal controls in place would increase the likelihood of catching such activity. SOX auditors will want to see that your organisation has controls in place that would catch such activity. Auditors will also want to make sure there are systems in place for testing the adequacy of controls and for finding deficiencies. Becoming SOX compliant will ensure that any fraud is caught and stopped early and that you will pass any SOX or financial-control related inspections by auditors.

What is the current internal controls framework in the UK?

UK Listing Authority statements

Requires directors of listed companies to establish and maintain ongoing internal control frameworks in order to make proper judgements on the financial position and prospects of the business.

The UK Corporate Governance Code

Requires boards perform an annual review of the effectiveness of risk management and internal control systems, and also document those reviews in their annual report.

Wates Corporate Governance Principles

The Wates Principles requires internal control frameworks be established, including a monitoring and review process.

Companies Act

This includes the main requirements to keep adequate accounting records. 

Domestic sector regulators

There are various regulatory bodies for market sectors, such as the Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA) for the financial services market. They publish their own expectations around internal controls.

How does the UK want to introduce Sarbanes-Oxley?

The government’s consultation set out three main options to address audit reform:

  • Option A: Requires an explicit director’s statement about the effectiveness of the internal control and risk management systems
  • Option B: Requires auditors to report more about their views on the effectiveness of companies’ internal control systems
  • Option C: Requires auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems

The government indicated that their preferred choice is Option A. This would likely mean the Audit and Assurance Policy (AAP) will be the preferred method for determining the level of required assurance over internal controls of financial reporting. Any decisions about whether the directors’ attestation should be subject to external audit would be explained in the company’s AAP, although external audit of the statement would likely not be mandated.

Despite US SOX having criminal penalties for non-compliance, the UK has not suggested directors will go to prison if they fall short. But the UK is not starting from zero. As outlined above, there is a well developed internal controls framework with penalties included. The ICAEW have expressed reservations about introducing a UK SOX if criminal penalties are not on the table. 

Although the US regime seems to have proved effective. There has been a markedly lower level of major corporate failures since SOX was introduced. BEIS noted that some stakeholders believe Sarbanes-Oxley has led to better financing reporting and stronger reassurance for investors. 

Another key element is improving competition in the audit sector by opening up the industry to businesses beyond the Big Four audit firms. The Financial Reporting Council (FRC) aims to publish a new framework focusing on the role of auditors and what they need to do. Rationalising the factors that make up a good audit, risk assessment, oversight, and professional scepticism. 

How to set up a SOX compliance programme

Like with any new compliance programme, such as GDPR, it can take some time to understand the requirements. But setting up internal controls and processes early, ideally before mandated by regulation, can make the transition process easier. 

Step 1: Set up two SOX committees

It can be useful to have one committee for business processes, and another for IT, which can provide technical oversight and educate the rest of the organisation. 

Step 2: Systematically educate the business

Tailored training for different teams on what SOX is, how it will impact them and their work and reviewing responsibilities under SOX.

Step 3: Establish a detailed plan

Begin with a risk assessment and map out the processes and systems involved. Understand what needs to happen at each stage of the process, understand who the process and control owners are and ensure they know what is required of them.

Preparing for change and taking a pragmatic approach will help with the inevitable transition. It is clear some version of SOX is coming to the UK, and it is helpful to begin preparations now. Good practice includes:

  • An embedded controls culture with engagement from Board level to control owners.
  • Mapping out areas of strength, weakness and need for improvement.
  • Having an efficient and effective controls testing programme supported by automation and insight reporting.
  • A training programme to systematically educate the business,
  • A technological internal control framework with real-time monitoring by management.

VinciWorks can help with reporting and training using our financial services course suite and highly customisable Omnitrack reporting tool. Contact us via the form below for more information and how VinciWorks can help.