5 Ways to Prepare for UK SOX Today
First raised in the Kingman review in 2018 and again in the Brydon report in 2019, the potential for a UK version of Sarbanes-Oxley (SOX) legislation on internal controls has been gaining momentum over the last few years.
The SOX legislation became law in the U.S. in 2002, after several financial scandals, to better protect investors from fraudulent financial reporting. It also introduced firm rules handing executives legal responsibility for internal controls and better reporting.
While UK SOX legislation has been slowed as a result of the COVID-19 pandemic, make no mistake: it’s on its way. The exact timing when it will come into force is still unknown. However, once more clarity is provided, you can expect things to move quickly.
With this in mind, I joined forces with Michael Stallard, a Director at Deloitte leading the UK’s Corporate and Private Sector Controls Advisory team, in a recent webinar to help kick-start your preparation.
You’ll want to watch the whole webinar for all the analysis, but here are five quick highlights from our conversation.
1. Shareholder value and the health of your controls framework
In a recent article, Workiva looked at the performance of all the companies on the New York Stock Exchange (NYSE) and Nasdaq Stock Market, and then contrasted that performance against any material weaknesses, deficiencies or disclosures incurred that year.
The results were harsh. Companies that reported a material weakness in 2019 experienced:
- A 90-day average drop of 6% in stock value
- A 6-month average drop of 11% in stock value
- A 12-month average drop of 19% in stock value
What’s the takeaway? There is a clear connection between shareholder value and the health of your controls framework. Simply put, this is one of the reasons why there is a regulatory regime around the controls environment.
2. SOX program adds value
In the 2020 State of the SOX/Internal Controls Market Report, one of the key findings is that the C-suite places a high value on the SOX program because it can provide good intelligence on the health of your organisation.
What does this mean for corporate organisations in the UK? You shouldn’t see SOX as a burden. There is actually some real value-add you can get out of your controls testing regime—if you approach it the right way.
Source: 2020 State of the SOX/Internal Controls Market Report
3. How to approach UK SOX
When SOX was implemented in the U.S., there was far less technology available. Now, there is a wider array of technologies, but a lot of companies still have problems maintaining their controls environment.
Whether it’s struggling with a lack of visibility of controls performance, trying to automate things that are broken or not deploying technology to the full effect, there are a range of issues companies run into.
In the webinar, we broke down a few things you can consider to generate greater insight and to enable a more efficient controls framework. For example, don’t manage your internal controls manually, but use an audit, risk and compliance platform. It will be much easier to keep documentation up to date, and it helps drive integration across compliance frameworks.
And, when thinking about how to build your controls ecosystem, it’s a good idea to start with questions such as:
- Are we getting the insight and the value out of this as and when we need them to identify key risk indicators in real time?
- How can it be used to enhance and monitor controls?
- How can we automate repetitive tasks that often take lots of time and can be a key point of failure?
4. Start building your foundation
We don’t anticipate that all organisations will build the complete future controls ecosystem at once—but you should at least start by picking the parts that will drive the most value to your organisation, and that will make your controls environment under a UK SOX regime as lean and efficient as possible.
It’s all about selecting the right parts you want to focus on to begin with, and then building from this solid foundation.
5. Be proactive
There are many things you can do now to prepare yourself—the key is to be proactive.
Have conversations with your board, CFO or audit committee. Really understand your controls framework and how it’s operating today. Think through the issues we have seen with the U.S. SOX in terms of material weakness. And, make sure you have the right people, tools and technology ready for the challenge.
About the Author
Tim is a CMIIA and QIAL internal audit professional, with a 20-year career in internal audit and risk that includes leading a significant internal audit transformation project leading the migration of 10 separate internal audit teams to a single unified technology platform. Tim specialises in the use of tools and technology to optimise internal audit processes.