Getting ready for UK SOX?
In March of 2021, the UK’s Department for Business, Energy and Industrial Strategy (BEIS) released a white paper outlining a proposal for their intended reform of audit, internal controls and governance.
The department’s proposal is viewed by many as the UK version of the Sarbanes-Oxley Act (SOX), US legislation passed by Congress in 2002 mandating strict reforms to existing securities regulations and tough penalties for non-compliant firms, including fines and bans. The US SOX Act will likely become the benchmark for UK compliance and audit requirements in the next few years. The white paper published by BEIS earlier in 2021 clearly indicated that the UK’s standards for business conduct and transparency would rise significantly, bringing the UK requirements in line with those of the SOX Act.
What is the SOX Act?
The Sarbanes-Oxley (SOX) Act of 2002 was created in response to highly publicised corporate financial scandals, notably the Enron Corporation Scandal. Once thought to be one of the most financially sound companies within the United States, the energy company filed for bankruptcy in 2001.
In the wake of the oil and gas industry deregulation, Enron executives embezzled corporate funds, illegally manipulated the energy market, and presented shareholders with inflated earnings reports.
To combat corporate fraud, US Senator Paul Sarbanes and US Representative Michael Oxley drafted the legislation known as the SOX Act. The Act details strict requirements for enhanced financial disclosures, corporate governance, and internal control assessments. All publicly traded companies in the US, as well as international companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC) and the accounting firms that provide services to them, must follow its guidelines to maintain compliance, typically by creating an internal controls framework that will increase the accuracy of their reporting and the integrity of their data.
In addition, due to what was widely considered to be collusion between Enron and the public accounting firm Arthur Andersen & Co, SOX changed the way corporate boards interact with financial auditors. Since the Act was passed, companies must provide a year-end report on the internal controls in place as well as the effectiveness of those internal controls. The Public Accounting Oversight Board has also emphasised SOX compliance by focusing on internal control over financial reporting (ICFR).
The SOX Act places the responsibility for maintaining the accuracy of reporting, as well as the comprehensive documentation and the submission of all financial reports and the internal control structure to the SEC, firmly in the hands of senior personnel. Section 302 mandates that senior corporate officers personally certify (in writing) that the company’s financial statements “comply with SEC disclosure requirements” and fairly present “all material aspects of the operations and financial condition” of the issuer. Officers who willfully sign off inaccurate financial statements are subject to criminal penalties, including prison terms.
While the SOX Act has not been without criticism, many firms have highlighted its benefits, including increased investor confidence and a decreasing severity of financial restatements.
Why Is There a Need For It Now?
There have been a number of high-profile corporate failures in the UK in recent years, including major contractors, retailers and chain restaurants, as a result of mismanagement at a senior level that was either undetected or unchallenged by their auditors.
As per the foreword in the BEIS white paper by Rt. Hon. Kwasi Kwarteng, Secretary of State for BEIS, these failures erode trust and investor confidence in UK public limited companies and result in widespread job losses, negatively impacting the communities these companies operate in.
Kwarteng highlighted that the BEIS wants to avoid the fall-out that inevitably results from these corporate failures and ensure that UK investors receive “high-quality, focused and reliable information on UK companies” in order to encourage their continued financial backing.
The white paper served as a consultation document. It sought feedback from interested parties, including business leaders, investors, regulated firms, and companies, about the proposals’ scale, scope, and detail, by the end of July 2021.
The white paper proposes significant changes, including a call for new “reporting and attestation requirements covering internal controls, dividend and capital maintenance decisions, and resilience planning for senior management.”
Similar to the US SOX Act, the proposal will hold senior management in the UK responsible for ensuring that they are presenting an accurate and fully representative report of the business to auditors and shareholders. Company directors who fail to uphold this duty may face significant fines and other penalties. The audit sector may be impacted by the introduction of a new regulator with a public interest focus and greater powers for “effective investigation and civil enforcement powers to hold to account directors of large businesses which are of public importance for breaches of their duties in relation to corporate reporting and audit.” This regulator will be known as the Audit, Reporting and Governance Authority (ARGA), which will have greater powers and reach over all forms of corporate reporting, not just the financial statements. In turn, auditors will be responsible for reviewing and challenging the financial results presented to them with far greater scrutiny.
What Is The Impact and Risk For Companies/Individuals?
While no compliance date has been set, it’s clear that “UK SOX” is imminent, and the scale and scope of companies affected are significant, going beyond the FTSE 350 businesses to affect more than 2,000 public interest entities.
Companies that may be impacted should take advantage of this interim period to prepare for its arrival. Establishing the mature controls required across finance, operations, and IT departments will take time, as will the validation and monitoring processes needed to maintain them, but the consequences of noncompliance may be dire.
In the USA, formal penalties for noncompliance with SOX include fines, removal from listings on public exchanges, and even the invalidation of directors’ and officers’ liability insurance policies. CEOs and CFOs found to have willfully and knowingly submitted an incorrect certification to a compliance audit can face up to 20 years in jail and fines of up to $5 million.
While many if not most organisations are well placed to handle additional requirements surrounding the attestation of results and internal controls through their use of applications like SAP, Oracle and corporate IT systems, there are weak spots, especially in the form of End-User Computing (EUC) applications and other end-user-created and -controlled files.
Organisations must develop a clearly articulated, transparent controls environment over EUCs that both manages the risks and demonstrates to stakeholders that the controls are reliable and can be evidenced. Once in place, it will be important to continue monitoring each file as part of its ongoing lifecycle.
SOX-compliant controls over spreadsheets and EUCs are likely to result in organisations:
- Defining the control process over files with sufficient detail for users to follow and auditors to understand;
- Defining input and process controls;
- Maintaining a record of changes to the logic of a spreadsheet or model;
- Keeping a detailed review of the formula logic.
What Can Companies Do Now To Start Addressing The Issues?
If your company is preparing for the potential UK SOX, it’s vital but challenging to start mapping the risks and controls over the EUC applications at an organisational level in order to stand up against the scrutiny of a formal review.
Many companies’ internal control environments are managed in an informal, ad-hoc and manual manner. Facing the pressure of SOX-like regulations, companies may introduce even more manual controls or delegate responsibility downwards in the organisation, which can slow down business operations and introduce errors to the process.
Others take a point-in-time approach to controls testing and assessment, which provides only limited transparency into the manner in which controls are operating and makes it even more difficult to ensure that underlying risks are being identified and adequately mitigated across the entire financial year. This lack of visibility makes it more difficult to ensure that investments in control measures are targeted at the right areas.
To achieve the required levels of transparency and compliance across the spreadsheet and EUC inventory, organisations should move away from reactive, manual, point-in-time control processes for EUCs, to an automated, proactive and streamlined technology-driven control environment. This will save time and reduce the risk of human error, enabling the organisation to better adapt to new regulatory requirements in the future. Furthermore, organisations that have real-time reporting and oversight into their inventory and processes will be better prepared to evidence what they have to all stakeholders, including regulators.
Companies should be able to demonstrate:
- A complete and up-to-date inventory of files relevant to financial processes
- Clearly recorded ownership for each EUC
- EUCs are operating the way they were intended and designed to work
- EUCs meet the standards for completeness, accuracy and appropriateness
- Where EUC outputs are used to support key decisions, how the outputs are controlled and verified
- Sustainable, long-term ways to manage EUC risks as part of ongoing compliance requirements
Start EUC Discovery For Free
Enterprises looking to start their spreadsheet discovery and assessment initiative can get started with their preparation for free with Workscope Lite.