How can I prepare for UK SOX compliance?
February 19, 2021
As a result of recent government reviews, there is significant focus on the potential development of a UK SOX-type regime. It can be difficult to know where to start with what this means for you and your business. We often hear: “We’re just waiting to see whether this becomes a requirement”, “We’re reluctant to invest into this until we are sure we need to do it”. Sound familiar? Whilst we await the guidance as to what a strengthened UK framework will constitute, there are some key factors you should consider in any event.
A typical financial controls framework implementation can take 18-24 months, and therefore we recommend mapping out the key work streams and activities that will form your controls improvement and compliance roadmap. The preparations you make now will drive valuable governance improvements as well as improved quality and efficiency, regardless of the timing and content of a UK SOX mandate.
We recommend starting with these priority areas:
- Clear vision
Compliance programmes with a clear vision typically focus on sustaining a quality-driven, cost-effective programme that can manage change over time. Defining purpose and objectives is important for your target operating model, the outputs and benefits you want to achieve, and how you will measure success.
- Integrated structure
We have found that organisations with a formalised structure for managing controls and a focus on aligning stakeholders are better equipped to succeed. Defined roles and responsibilities across the teams operating and managing the control environment, strong stakeholder management and a clear communication plan will better equip you to align the business and respond to change.
- Flexible talent model
Considering whether your teams have the requisite resources and capabilities to execute the programme from the outset may prevent issues later. Do the teams have knowledge of risks and controls or do you need to consider providing training, further recruitment, or outside specialist expertise?
- Risk Focus
The starting point for a right-sized scope and approach to your programme should be a top-down view of the risks of material financial misstatement across your business. Mapping your material financial statement line items (FSLIs) to end-to-end business processes will provide clarity on which processes and controls are key.
- Innovative Technology
Early investment in technology to monitor your controls environment and / or to manage your controls testing and attestation cycle should pay back early, enabling a more efficient and transparent process overall, ultimately lowering your total cost of compliance.
Having considered the above, a plan of activities can be designed to support your development of an enhanced internal financial controls framework.
Key lessons from previous SOX implementations:
Although the ultimate intricacies of a UK SOX mandate remain unknown, past US SOX implementations provide some lessons to consider:
- It typically takes a year to identify your scope, design and implement controls and upskill your teams. It can then take a further year to embed controls across the organisation and validate that these controls are designed and operating effectively, and to remediate any issues. In the case of a UK SOX mandate coming into effect, we recommend that the year preceding the first year of attestation is used as a ‘’dry run’’.
- A culture of compliance, led from the top, is key to an effective controls framework. Employees who understand their responsibilities and accountability will be able to operate effective controls and identify deficiencies early. Improve engagement by embedding these responsibilities in employees’ roles and objectives.
- A focus on financial controls often overshadows how dependent a business is on underlying IT controls and outsourced services. Identifying key IT controls, and controls managed by third parties, is fundamental to the success of an effective internal financial controls framework. You can’t outsource accountability for this, so it is important to have oversight of the effectiveness of these controls.
So what next? An easy next step is to assess the current state of your internal financial controls framework. This will help you understand your controls maturity and create a prioritised set of actions so you are ready whatever the forthcoming legislation says. My team and I are on hand to share our insights into the ‘’no regrets’’ steps you could be taking now to better prepare your organisation in the increasing likelihood that a UK SOX-type regime becomes a requirement. So do get in touch if you would like to discuss this further.