
The Roadblocks to Complying with UK SOX Best Practices

Published: 13 January 2022
Last Updated: 13 January 2022

In March 2021, the Department for Business, Energy & Industrial Strategy (BEIS) released proposals that intend to reform audit, internal controls and governance. The BEIS whitepaper laid out how reform would be focused on the UK’s largest companies, indicating that directors would need to conduct an annual review of their internal control effectiveness and new disclosures, and that external audits will be allowed if it’s determined that extra assurance would be proportionate.

If approved, we’re likely to end up with a series of legislated SOX-like best practices in the UK. In our e-book, “UK SOX Is Here: Who Will the Mandate Impact and How to Prepare,” we outline how UK SOX will impact all three lines. It also explains the main roadblocks that organisations face as they prepare for the mandate. These roadblocks are outlined here—for more insight, download the e-book.

Technology is the main barrier to change

Technology is a broad church. Before thinking more granularly about specific technological hurdles that many businesses will need to overcome, it’s worthwhile identifying some overarching issues.

Without the right technology, it’s difficult to accurately identify and control the points, whether process or control handoff points, between different teams in the business. It’s also difficult to collaborate when teams are siloed, when governance and change controls are opaque, and without automation that connects people, data and process.

In tackling these challenges, organisations will be looking to address four main areas of concern:

1. Being able to link control frameworks to financial reporting

Right now, these frameworks are often disconnected, use different systems, and run on spreadsheet software, making it difficult to connect data and reduce risk. With spreadsheets being passed around and without establishing a single source of truth for data, it’s almost impossible to ensure the consistency needed for full assurance. The controls and processes that sit beneath the Provisions for Loan Loss (PLL) and balance sheet are relatively weak, which leads to too much risk.

2. Scattered control data

To meet the best practices outlined in the BEIS whitepaper, organisations will need to solve how to build a stable home for their control data. This is an issue that touches finance, operational and IT teams. It’s critical to establish how to control the financial controls, IT general controls and operational controls that could end up underpinning the financial statements.

3. Manual attestation processes

Accountability is a focus that emerged from the BEIS consultation. The headline is that the first line will need to take accountability for the control framework and the testability of that control framework. That first line won’t want to rely on inefficient and risky manual attestation processes that involve reams of disconnected spreadsheets—they will be looking at how to supercharge these processes with automation as a solution.

4. Manual control testing

With companies having to do more with less, it’s easy for errors to occur. One area where this is particularly pertinent is control testing, which can, through lack of resources, be difficult to make more efficient. Companies will be looking at how they can use digital tools, automation and cloud testing to reduce inefficiencies and extend their coverage so that they’re no longer just doing sample-based testing but, instead, full population testing.

To address UK SOX, organisations will need to establish their target operating model. They will need to understand what the balance of relationships, responsibilities and accountability should be between the first, second and third lines. They will also need to know what their roles are in a new regime where they’re accountable to both internal and external stakeholders. These stakeholders will have high expectations of the companies that they invest in, lend to, contract with, work for, regulate, exist alongside or may be harmed by.

For more insight, download your copy of the e-book.

