A UK SOX regime - Five key considerations
December 01, 2020
Change is coming which could profoundly impact our corporate governance model. Over the next few months the Government will consider the many detailed recommendations for audit, corporate reporting and governance arising from the Kingman, Brydon and CMA reviews. To help navigate this change we’ll be publishing a series of insights discussing some of the potential reforms.
In the first of the series, Iain Robinson, a Digital Audit Partner with extensive experience in Sarbanes-Oxley (SOX) and the programmes operated by UK Foreign Private Issuers, looks at the potential for a strengthened UK internal controls regime, as recommended by the Brydon and Kingman Reviews.
I spend much of my time discussing internal controls with management and I see a marked difference between the approach of those who are subject to SOX and those who are not.
In the US, SOX has driven a much greater sense of accountability in management for ensuring the effectiveness of the company’s internal controls and, as a consequence, has strengthened them.
Other benefits have included an increase in investor confidence, more reliable and resilient financial reporting and increased oversight responsibility for the audit committee. Companies that do this well are able to leverage their work to better understand their processes, drive efficiencies and make better use of their technology investments.
We need to be clear what the objective of a strengthened UK regime is. If it is to improve financial reporting quality and mitigate large-scale financial fraud, such as Wirecard or Patisserie Valerie, then a US SOX-style regime is absolutely right. But if the aim is to reduce the risk of corporate collapse then, in my view, the requirements are probably going to have to look beyond pure financial reporting and more towards an organisation’s principal business risks.
A full US SOX regime in the UK?
My personal view is that we do need to get closer to a US-style system, perhaps with a bit more pragmatism around the depth of controls and documentation requirements. And there should be a requirement for assurance over the internal controls regime to ensure it is robust enough and does not lead to inconsistencies in approach.
If we want to look to an alternative model with less stringent requirements than the US, we can look to South Africa. Companies listed on the Johannesburg Stock Exchange will be required to comply with a CEO/CFO SOX-style controls attestation for the first time for 31st Dec 2020 year ends. Their experiences will provide an interesting reference point for us in the UK.
There are a number of big questions for how such a regime could work in the UK.
Five key questions for a UK SOX regime
- Scope - There needs to be careful consideration of the scope of any enhanced UK regime. Should it cover only internal controls over financial reporting, as it does in the US, or should it cover broader operational and non-financial controls?
- Application - To which companies should it apply? It could be limited to the very largest companies, for example the FTSE 350, or it could apply to all companies where there is a significant public interest, including large private companies.
- Standards - How deep should the framework go? And how rigorous is the documentation, testing and evidence gathering that supports the CEO/CFO attestation expected to be?
- Assurance - Should assurance over the attestation be mandated? In the US there is an auditor attestation - is that the model we’d use here in the UK?
- Framework - What framework should be used? COSO is tried and tested or there is the option to develop a new framework or adapt an existing one.
However these questions are answered, it is clear that any strengthened UK framework for internal controls over financial reporting would have an impact on companies. But we can learn lessons from the way SOX was implemented in the US.
In its proposal for how a UK regime should be developed, the ACCIF has already gone a long way towards responding to a number of the key questions. The question now is how the government will take this forward.
If a strengthened UK internal controls regime does feature in the government’s proposals for the corporate governance system, it is important that companies and their stakeholders respond and share their views.