Controls and the move to the UK Sarbanes-Oxley Act (SOX)

This may seem like a dull and perhaps confusing term, but controls and UK SOX are actually very interesting and important. Controls are what allow businesses to operate in the UK, and they underpin published financial results, giving investors and stakeholders confidence in the continuity of operations. Controls are inherent in successful companies and provide the foundation to:

  • Make strong investment decisions 
  • Ensure accuracy in information provided
  • Establish confidence internally and externally in reported financial results  
  • Monitor and mitigate risk 
  • Guarantee system security – enable the relevant individuals to access the right data and understand segregation-of-duties risks
  • Ensure robustness and resilience of data moving between systems 

Ultimately, the controls ensure that the right information is available at the right time to the right people, who use it with confidence to report and make decisions. 

Sarbanes-Oxley (SOX) is a US law intended to protect investors from corporate fraud. It lays out strict requirements for enhanced financial disclosure, internal control assessment, corporate governance, and auditor independence. In light of recent corporate failures, the UK government are looking to deploy a similar law for UK-registered companies. Recently, the appetite to drive a new SOX-style control framework has been questioned, and it is currently unclear whether the government will pursue the proposals in the white paper into full legislation. However, some things are known, and it is safe to assume that a change will be required. This blog provides further guidance based on the current position agreed by the government.

So, why is this relevant now? 

The landscape is changing, and the UK government is progressing a white paper through parliament that will have lasting and far-reaching implications for most UK operating companies.  

The government white paper ‘Restoring trust in corporate governance and audit’ has set out a clear intention to step away from the current code of conduct, established in the 1990s by the Cadbury Committee, to a US-style Sarbanes-Oxley framework.

The name says it all – they do not believe the current framework is fit for purpose and they think that the audit companies are too close to their clients to provide objective challenge. This blog provides detail and advice on the key corporate governance changes. 

The scope of companies impacted is broad 

The government note in the white paper that they intend this to be applied to all companies which they consider to be Public Interest Entities (PIEs). In simple terms:

  • If a company is listed on the UK exchanges, it fits the definition
  • If a company is deemed a medium or large private company, it fits the definition

Do not assume that the rules don’t apply based on size or market capitalisation; they do. The rules will be enforced by a new regulator, the Audit, Reporting and Governance Authority (ARGA), which is being set up to replace the Financial Reporting Council (FRC).

The timeframe is aggressive 

Starting in late 2023, companies under the first wave (except FTSE 100 companies) will need to comply with the new controls. Any companies captured in the wider scope (e.g., any listed companies) will be expected to comply by 2025. Companies must adhere to the new controls in the given timescales. This will be non-negotiable. 

Repercussions for non-compliance will be significant

This will be enforced by the new regulator, ARGA, and backed by parliament. Enforcement measures can include sanctions, publication of reports without the consent of the auditors or the company involved, and direct changes to reports and accounts following a reporting review, without the need for a court order. The new ARGA authority will come into force, and no one should assume the existing governance framework will be maintained. Change will happen, and the open question now is how far it will go.

Directors and senior executives will be held accountable for the controls 

They must provide written statements on the robustness of the controls, backed by evidence that supports the statement.

Failure in controls could result in action against the directors for recovery of remuneration as part of the sanctions referred to above.

The scope of controls will need to be constantly evaluated  

It is critical that you understand the changes, as failure to adhere to them will create substantial issues for reported numbers, market confidence in the business and the ability to attract investment. The drive should be to prepare for the change and plan ahead. At the end of the day, good governance, deployed controls relevant to the risks, and transparency in reporting should be fundamental principles for businesses, and can only serve to enhance reputation and market perception.

The question for businesses is why, regardless of government direction, wouldn’t you want to do this? Controls must be evaluated regularly and benchmarked to show alignment to best practice. We recommend: 

  • If you don’t have a controls function, set one up
  • If you don’t have a risk register, set one up

Learn more about the UK SOX here. 

Searchlight Team