Ready for UK SOX? Start Now!
What do we know after a year of the UK SOX consultation? Who’s captured? We examine the expanding definition of PIEs.
Our last blog about UK’s version of the Sarbanes-Oxley Act (SOX) highlighted the key takeaways from the Department of Business, Energy & Industrial Strategy’s (BEIS) 2021 consultation on reforming the UK’s audit and corporate reporting function. Although some aspects are yet to be fully finalized, measures are set to dramatically increase the reporting requirements of public interest entity (PIE) directors.
In this piece, we take a closer look at the types of firms that are most likely to be impacted by UK SOX and explore how directors can best prepare.
Public Interest Entities (PIEs)
The UK’s BEIS consultation highlighted supervisors’ desire to deepen the reporting and attestation requirements for PIE directors, proposing also to extend the responsibilities of all appointed directors, rather than just those who hold professional accountancy qualifications. In conjunction with widening individual requirements, the BEIS proposal includes a change in the definition of public interest entities (PIEs) to include a wider range of firms.
The current definition of PIEs was conceived in 2008 and reformed in 2014 under the EU framework for statutory audit. It includes:
- Entities whose transferable securities are admitted to trading on a UK regulated market
- Credit institutions (informally, banks)
- Insurance undertakings
While this definition covers predominantly publicly listed organizations, respondents to the BEIS consultation were supportive of extending it to other entities, particularly large private corporations and companies quoted on the Alternative Investment Market (AIM). The AIM is a sub-market of the London Stock Exchange (LSE) designed to help smaller companies access capital from the public market. It allows these companies to raise capital by listing on a public exchange with much greater regulatory flexibility than the main LSE market.
Expanding the definition
Organizations that affect public confidence and perceptions of corporate Britain are not only those that are publicly traded. The collapses of Patisserie Valerie and BHS are pertinent examples of how corporate mismanagement can harm the wider population, with the two cases resulting in 900 and 11,000 job losses respectively. These high-profile private failures demonstrate that more can be done to protect the UK public and investors.
BEIS subsequently proposed two alternative assessment methodologies to broaden the scope of PIEs, aiming to provide confidence across a wider range of British businesses:
- Option 1 would include firms with over 2,000 employees or a turnover exceeding £200 million and a balance sheet over £2 billion (an additional 1,960 entities)
- Option 2 would serve as a narrower test, extending the definition of PIEs to cover large companies with over 500 employees and £500 million in turnover (an additional 1,000 or so entities)
While it remains to be seen which definition is adopted, all organizations added would fall within the scope of the Audit, Reporting and Governance Authority (ARGA) and be subject to most of the measures outlined in the BEIS proposal.
How can firms prepare?
There is no better time than the present.
Common estimates suggest late 2024 as the earliest deadline for UK SOX requirements to come into full effect, while other experts argue it could take up to five years. Unlike the U.S. approach to internal controls, which mandates that a third-party auditor attest to the robustness of those controls, UK SOX would require a director’s statement addressing the effectiveness of the firm’s internal control framework.
An internal control transformation program is a significant undertaking and the BEIS proposals place immense pressure on directors to get it right. The U.S. experience of implementing SOX internal controls shows such a transformation to be a marathon, not a sprint. So while the end of 2024 may seem some distance away, we recommend firms begin preparation as soon as possible.
Where to begin?
If your organization is currently listed or plans to be so, or if it meets the criteria of the proposed UK PIE definition, then it is important to review your current internal controls and business continuity plans with a critical eye. Are you prepared for the potential requirements of the upcoming UK Corporate Reform? Have you implemented a system of internal controls? If so, does it mitigate key business, technology, compliance and financial reporting risks?
It’s vital that directors measure the health of existing internal controls and assess as-is processes against best practices. Although UK SOX does not directly map to its U.S. equivalent, established U.S. control frameworks can offer useful guidance for self-assessment.
With the likes of PwC recommending a dry-run year before legislative reform is fully complete, it is vital that directors begin to implement effective internal control processes as soon as possible. Even 20 years after its implementation in the U.S., SOX requirements remain a challenge for many, with 26 to 42 percent of U.S.-based NYSE and NASDAQ traditional IPOs disclosing a material weakness in internal control over financial reporting over the past four years.
Work smarter, not harder
British directors can learn a great deal about adapting to SOX by observing its implementation in both the U.S. and Japan, where similar regulations went into effect in 2002 and 2008 respectively. At the time, the regulatory technology landscape was far less mature, and organizations threw people at the problem and would often over-comply by implementing as many controls as possible in the hope that they’d be effective.
Today, firms focus on 31 key controls; immediately after SOX, public firms in the U.S. were testing as many as 200. While doing too much can be better than too little when it comes to compliance, such a comprehensive approach generated a huge financial burden for participating firms, forcing a number of foreign companies to delist from the NYSE in an effort to escape the obligations.
British firms should explore ways in which they can leverage technology to streamline the internal controls process to preserve resources. Modern internal controls software such as that provided by SAI360 can reduce the burden of regulatory audits and drive confidence in internal control programs by automating manual controls led by an all-important risk-based approach. Configurable workflows and role-based dashboards provide the oversight required to demonstrate compliance, and robust audit trails allow directors to evidence the effectiveness of their internal controls.
UK SOX is coming, and it’s never too early to evaluate what this might mean for you and your organization. If you are at risk of being captured within the new PIE definition, then the first step is to obtain a thorough understanding of the novel requirements of the BEIS proposal and assess the effectiveness of your internal financial control framework to prioritize subsequent remediation.
SOX compliance software can remove the burden of regulatory oversight by automating the heavy lifting, removing human error, demonstrating compliance and ultimately saving both time and money. History shows us that manual SOX compliance is a burden on both the organization and the people within it. Technology can provide the confidence that managers need in the midst of regulatory change.
The internal control framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its SOX compliance transition framework in 2013 to help organizations improve performance and governance through effective internal control, enterprise risk management and fraud deterrence. Among other things, the framework sets out key principles for establishing a robust internal control framework:
- Control environment – Directors must be able to demonstrate commitment to integrity and ethical values, exercise oversight responsibility, establish structure and authority, and enforce organization-wide accountability.
- Risk assessment – Specify risk appetite with regards to credit, interest rate, operational, compliance, strategic and reputational risks.
- Control activities – Develop control activities commensurate with risk appetite, covering both business processes and IT infrastructure.
- Information and communication – Use relevant information to effectively communicate with internal and external stakeholders. This will become particularly relevant for UK directors as they provide evidence-based attestations to the effectiveness of their internal controls.
- Ongoing monitoring – Conduct ongoing and/or separate evaluations, and evaluate and communicate deficiencies.