UK SOX Compliance is Coming: What We Know from the BEIS Whitepaper
On 18 March, the Department for Business, Energy & Industrial Strategy (BEIS) released a long-anticipated whitepaper outlining proposals for its intended reform of audit, internal controls and governance. The need for reform was first raised in 2018, with momentum for a UK version of Sarbanes-Oxley (SOX) legislation gaining pace over time. Now, the door has been flung wide open to public consultation.
This is the first step in what could be a long process. This whitepaper isn’t a mandate, nor does it guarantee what will be included in the final bill. But it is a step in the right direction. In the US, 79% of CFOs surveyed by the Center for Audit Quality (CAQ) shared that SOX had improved the quality of information in their financial statements. This is a direct benefit of stronger control structures that will undoubtedly be welcomed by UK CFOs.
The whitepaper is a pretty hefty document at 232 pages. To save you some time, we’ve taken a deep dive and outlined its key takeaways below. If you want to read the full report, titled ‘Restoring Trust in Audit and Corporate Governance’, you can find it here.
1. There shouldn’t be any surprises in the BEIS proposal
If you’ve been following the evolution of the new internal control reform act, you’ll be happy to hear that there aren’t any real deviations from the findings of the independent reviews (namely the Kingman review and the Brydon report) that have already been carried out. These reviews outlined the overarching need for audit to be transformed into a service that meets the expectations of UK stakeholders, increases accountability for directors, and introduces new rigour and suspicion to the qualities of auditing. These recommendations form the backbone of the whitepaper and will likely end up shaping the final mandate.
2. The audit reform mandate will only apply to the UK’s biggest companies
The reforms are only going to be focused on the largest companies, i.e., all listed entities in the UK. While there could be a conversation about the need for audit reform at SMBs, this isn’t where the government’s focus currently lies.
3. Directors will have to conduct an annual review of internal control effectiveness and new disclosures
Under the UK Corporate Governance Code, boards and directors are responsible for monitoring the company’s risk management and internal control systems. This includes a requirement to carry out an annual review of their effectiveness alongside a report on that review. Under the new proposals, directors will have to include the following in their annual review:
- Insight into internal control effectiveness and new disclosures
- Reports of the effectiveness of the company’s internal controls over financial reporting (ICFR)
- The outcome of the annual review
- A statement of whether they consider the systems to have operated effectively
4. Directors will be guided by audit committee best practice
Following consultation, BEIS is going to work on establishing a new Auditing, Reporting & Governance Authority (ARGA) to replace the Financial Reporting Council (FRC). Once ARGA is in place, the principles and guidelines it publishes will define auditing best practice. Directors should be guided by these principles but, as with SOX 404 audits in the USA, they won’t be expected to do the actual testing and reporting themselves. Instead, they will rely on management to implement review processes that adhere closely to best practice.
5. External audits will be allowed
A business’s audit committee and shareholders could decide that the internal control effectiveness statement should be subject to external audit and assurance—but only if it’s determined that extra assurance would be proportionate. There are limited circumstances where the intervention of an external auditor will be required, such as when there has been a serious and demonstrable failure of internal controls, or where material weaknesses have persisted over several years.
This is a notable variation from SOX 404(c), which states that external auditor opinion is not required under any circumstance for companies smaller than a certain size.
However, just like SOX ‘restatements’, ARGA will have the authority to investigate the accuracy and completeness of directors’ internal control disclosures and, if necessary, order amendments or recommend an external audit of the internal controls.
6. UK SOX, or ‘SOX lite’?
There are a lot of parallels between these proposals and the established SOX act that governs US companies. The main difference is that UK firms should expect a lighter, more discretionary touch when it comes to external auditor opinion.
7. The consultation period will last 16 weeks
The consultation period began in March and will last until 8 July 2021. There will be an extensive series of engagement activities throughout this period that shouldn’t escape your notice. It’s still not clear when phased enforcement of the final mandate will come into effect.
Be prepared for upcoming audit reform
Although consultation on the reforms is only just getting started, the expectation is that a system of internal control accountability will eventually be enforced. Some trepidation about this should be expected—more regulations means more work, more process and more complexity—but by getting ahead of the game, you can save yourself a headache.
For now, your top priority should be to establish, or formalise, internal control oversight within your business. This will include:
- Documenting and identifying key financial reporting processes and systems
- Identifying the risks and controls in these processes that impact financial reporting
- Defining the system of governance and internal controls at the entity level—Tone at the Top, Code of Conduct, Trainings, Boards & Committees
- Setting up teams and resources to perform oversight over ICFR
- Documenting control assessments—including planning, testing, remediation of any control deficiencies, reporting, auditability—with details of how, when and who