Look In: Take a Top-Down Approach to Process Improvement to Prepare for UK SOX
The consultation period for the proposals outlined by the Department for Business, Energy & Industrial Strategy (BEIS) to reform internal controls, audit and governance is now over, which means that we’re one step closer to having a UK version of US Sarbanes-Oxley (SOX) legislation. While nobody can be completely sure what’s going to be included in the final mandate, we can make educated guesses. In short, the eventual mandate should carry a likeness to its US counterpart. It may not be its twin, but it may end up being its cousin.
Knowing the general shape of the mandate gives organisations an advantage: they can prepare. And these preparations shouldn’t just involve thinking about how to enhance their technology stack to solve the specific challenges associated with the eventual legislation. They also need to include an assessment of how well the business is structured to successfully formalise and incorporate a new process as seamlessly as possible.
This ability to “look in” is a defining feature of firms that respond to and comply with new mandates—like UK SOX—with agility. They look at their leadership structure, take time to assess issues with their existing processes and establish effective channels of communication between siloed teams to ensure their success. With UK SOX on the not-too-distant horizon, now is the perfect time to perform a health check and establish what, if anything, needs to change to accommodate the new mandate.
1. Any new process needs strong leadership
Left unmanaged, change sparks chaos. What you don’t want to happen is for UK SOX compliance to be mandated and for everyone in your organisation to have different ideas about how to incorporate its requirements into your process. With the business, its investors and regulators demanding and depending on compliance, decisive action is needed. And this needs to come from someone in the C-suite, particularly when UK SOX directly impacts directors and those sitting on the board.
This isn’t to say that decisions should be made in closed rooms and relayed as gospel to those carrying out the work. The best leaders take time to understand the challenges that employees on the ground are going to face. They understand the limitations of silos. They understand the overall objective of establishing a new process, but they also know what it means to individual personas.
Every decision they make should be grounded in their overall objective while actively lessening the pain, and making life easier, for all stakeholders—from those performing oversight over internal controls over financial reporting (ICFR), to any external auditors and everyone in between.
2. Communication is king
Lack of communication is the biggest pitfall when formalising any process. If some people aren’t buying into the leading strategy, or if they aren’t moving toward the same goal or perspective, things get messy. While this can be partially mitigated with strong leadership, effective communication strategies need to be embedded into the core and satellite teams working on delivering the process.
If everything—direction, strategy, timelines—is strictly disseminated from the top and there’s limited cross-pollination between teams during the process of collating the annual review of internal control effectiveness and disclosures, then mistakes will happen. Risk will be introduced. Work will need to be redone.
Ineffective information sharing was a significant issue for small and medium-sized US companies before the introduction of SOX legislation. While it’s not always straightforward to break down silos and for disparate teams to work collaboratively, it’s easy to avoid miscommunication and reduce risk if all teams are working from one central place that offers a single source of truth for data.
3. Make time to fail
No process is perfect: this is especially true for new processes. Mistakes will happen. You just need to put yourself in the position where you’re the person finding the mistakes and not the regulator. When preparing your UK SOX compliance process, give yourself enough time to map out any potential deficiencies and gaps. Work out if there’s anything you can do to fully address them in time and, if not, establish risk mitigation strategies.
The same goes for when you perform your first, and subsequent, UK SOX reviews. Build time into the process. You’re going to need it.
4. Don't be afraid to innovate
It might be time to retire your old processes. Just because something has worked well for years doesn’t mean that it’s going to continue to serve you.
You shouldn’t use old processes without knowing why. Ahead of UK SOX coming into force, test how you’ll manage it within your current setup. It could be that everything works perfectly. In which case, great. But if it feels like you’re trying to fit a square peg through a round hole and that there are too many inefficiencies, then move on. Always think of the bigger picture.
If you’re preparing for the legislation and could see the benefit of transforming your processes, take a look at our UK SOX hub. It includes information about the proposals and insight into how Workiva’s platform will simplify complex work for your team.
About the Author
Tim is a CMIIA and QIAL internal audit professional, with a 20-year career in internal audit and risk that includes leading a significant internal audit transformation project: the migration of 10 separate internal audit teams to a single unified technology platform. Tim specialises in the use of tools and technology to optimise internal audit processes.