The Ripple Effects of a SOX-like Mandate in the UK
We are all concerned when corporate or other organisations fail, whether listed, private, charitable, public or private investor funded. While we all realise it’s impractical to prevent all failures, too many indicators are missed, or not addressed, and too many people are harmed as a result.
The recent consultation from the Department for Business, Energy & Industrial Strategy (BEIS), which formally closed to comments in July 2021, tested strategies that aimed to reduce corporate failures or the impact of them. It also has wider ambitions, hoping that other organisations will adopt its best practices and extend its reach.
BEIS, via the Financial Reporting Council (FRC), issued sizable publications, arranged numerous briefing sessions and made their CEO, Sir Jon Thompson, available to respond to Q&As from any interested body of auditors, directors or other professionals.
Sir Jon has a reputation as someone who gets on with implementing tactical change and has been doing so at the FRC while awaiting the BEIS consultation and eventual decisions and Parliamentary legal structures for the next substantial steps to follow.
While most professionals would want to see fewer failures (other than those who benefit from them perhaps), the consultation gave any interested body of auditors, directors or other professionals the opportunity to challenge whether the proposed responses would actually help. There appear to be a few who prefer no change, or certainly limited additional effort. But hopefully these few are outnumbered and isolated by those who support Sir Jon’s efforts to ‘lift all boats’.
Will UK SOX refocus director priorities?
The BEIS Consultation included strong proposals for a SOX-like regime in the UK, where specific data are collected and reported using common data models that are only now emerging for ESG needs. But, perhaps more importantly, regulators expect the director’s attestation process, where they personally sign for the reliability of the data and controls, to ensure that directors can be held accountable to ‘do the right thing’. Of course, in practice, the CFO and CEO review and sign first, with perhaps the Audit Chair and Chairman following through. A common challenge is whether directors will be more focused on completing these processes than applying the principles to achieve sound business outcomes. The Financial Conduct Authority (FCA) recognised this issue and commented on a parallel risk guidance effort:
"We welcome the Risk Coalition’s initiative to raise standards in risk oversight in UK financial services. Their approach and guidance complements the personal accountability we regard as an important regulatory objective. It is important that SMF role holders do not simply adhere to the guidance as a box-ticking exercise, but also reflect on how to ensure adequate regulatory outcomes.”
The FRC’s efforts also recognise that there are likely to be updates to The Stewardship Code, The Corporate Governance Code and its variants. These updates will ensure that other stakeholders commit to complementary efforts in their own fields of operations, whether in different roles or markets.
There is clearly a danger, which the UK has long resisted, that costs of controls and regulation could increase well beyond their usefulness. This is a situation from which it is usually impossible to reverse. The best case would be for regulation to stand still while awaiting better absorption through innovation and technology.
Why the BEIS isn’t directly mimicking US standards
While many international companies are UK based, the UK and US governance systems are compatible but different. A UK-based company and lead auditor are expected to follow UK standards (financial and ethical, for example) for international reporting, alongside local standards for local reporting, as in any geographic mix. There is a strong view that copying the US system too closely would add substantial effort and cost without equivalent benefit. A lighter and technology-supported system, underpinning the UK’s principle and outcomes-based regulation, appeals more readily to most stakeholders that have commented to the consultation. The UK has always been attractive to listed and private companies. This mandate, and other regulatory changes, intend to maintain that position even when similar changes may be adopted by others keen to move themselves ahead.
Of particular note, the Audit Committee Chairs Independent Forum (ACCIF) recommends that we step back, refocus on objectives and move towards an integral ‘Audit and Assurance Policy’. There seems to be no doubt that proportionality and focus would present challenges during implementation. Further, the capacity of the market to apply these changes promptly and widely will be tested. A phased implementation and ‘learn as we go’ approach could be more successful, if benefits are still delivered in a timely manner.
The consultation document says that confidence in company reporting has been eroded by “high-profile firm failures where weak internal controls and poor risk management have been evident”. However, in the view of many experienced Audit Chairs, very few failures have been due to internal control weaknesses or audit failure, as opposed to a non-viable business model and/or poor judgement in decision-making.
Regulators shouldn’t be defining your technology needs
High quality and reliable reporting is recognised to be critical in providing ‘Assurance’ and not just ‘Audit’. For years, investors and other stakeholders have debated why an organisation can fail within a short period after audit. In part, the BEIS consultation aims to reduce or close off that expectation gap with improved risk- and assurance-related actions that build on and complement a quality audit process.
Increasingly, and reflecting the growing interest in Environmental, Social and Governance (ESG) among report readers, companies are expected to share an integrated overview of financial and non-financial reporting. This includes details of business strategies, operating models and risk (first line), and comments on oversight and audit (second and third lines) in a manner which is consistent and reconcilable with external data.
It would prove impractical to achieve this without building a technology delivery base that addresses your business’ integrated assurance and reporting needs. Clearly, this should be driven by your objectives and commitments. It shouldn’t be motivated by the decisions of your regulators, other than to ensure their needs are ‘baked in’ to your systems and processes too.
It is essential that directors regularly and methodically assess the effectiveness of internal controls. Rather than await specific regulatory direction, we should make more deliberate steps in building the new governance, oversight and data systems required.