While Parliament reviews proposals and debates the details ahead of a final release, UK-specific financial reporting reforms are on the horizon for publicly traded companies. The UK government is following the path set by other countries like the US, Canada, and Japan with its own reforms to financial reporting requirements and audit firms for many of the same reasons. In this article, we will provide a status update on UK SOX, answer many of your common questions, and discuss how technology enables companies to manage their financial reporting controls.
ICFR Implementation in the UK
Many public companies in the UK (particularly those premium listed) are now making initial efforts in anticipation of the impending reforms to ICFR. These new requirements will include an array of reforms to the governance structure in public companies, including strengthening the roles and responsibilities of audit committees, subjecting them to regular scrutiny, instituting a requirement for an audit and assurance policy, and creating a mandate for CEOs and CFOs in public companies to accept personal responsibility for the internal controls over financial reporting.
Top Questions About UK SOX Reforms
Many senior leaders in UK companies have a similar set of questions. The most prevalent concerns revolve around the ill-defined timing for the required attestation date and the cost associated with increased efforts around documentation and testing. For many companies, particularly high growth, early stage organisations, the lack of any existing controls framework in place poses additional concerns — especially for new control and process owners who have never dealt with such responsibilities. Whilst we await more definitive guidance, we can answer many of the questions based on past experience with financial reporting reforms in other countries.
When will the proposed UK internal control reforms take effect?
The initial publication from the Department for Business, Energy and Strategy (BEIS) consultation titled “Restoring trust in audit and corporate governance” was re-released in March 2021, with the timeline set for compliance in late 2023, and a broader rollout for 2025. The BEIS has not released any definitive guidance yet, but lawmakers are debating the extent of the regulation from a cost/benefit perspective. Given the length of time needed for legislation, the current consensus among industry leaders is an expectation of a go-live requirement date in late 2024. In preparation, companies will need to make a significant investment in the control environment and resources needed. Considering that it can take over two years to implement a new internal controls program, many forward thinking companies have already created new roles for dedicated ICFR leaders.
What are the key areas for UK SOX?
A UK SOX implementation is likely to follow these three high level requirements:
- Company directors are required to review the effectiveness of their company’s internal controls.
- The audit report must describe the internal control work already completed by the auditors, and then state how that work has influenced the audit. This differs somewhat from the US SOX requirement.
- Auditors are required to provide a formal opinion on the director’s annual attestation about the effectiveness of the company’s internal controls.
Who is impacted by the UK SOX rollout?
Those impacted first will be premium listed companies (equity issuers in the FTSE 100, FTSE 250, and the FTSE small cap). After two years, the scope of UK SOX is predicted to include significant public interest entities (PIEs) whose transferable securities are admitted to trading on the UK regulated market.
Will a specific control framework like COSO be required for UK SOX?
As controls are developed and documented, companies will need to decide which framework will be applied. If the UK keeps in line with the US, COSO and COBIT are the most likely choices, but certainly, other frameworks will be considered. We will need to evaluate the framework promised by the FRC once it is published. When making these changes to the control environment, the investment will include process and control documentation and a decision on who will own and maintain the various artifacts that result from the implementation of UK SOX.
What might a typical SOX implementation process include for UK public companies?
UK companies have the fortunate advantage of being able to reference historical ICFR mandates in countries like the US, Canada, and Japan to use as a guide when planning their implementation. Generally speaking, a SOX implementation roadmap takes 18 to 36 months to complete. The activities involved include:
- Identification of material balance sheet accounts.
- Mapping material accounts to underlying processes.
- Identifying key controls and secondary controls for those processes.
- Documenting the processes and controls with walkthrough narratives, flowcharts, and risk/control matrices (RCMs).
- Identifying applications and IT general controls (ITGCs) that support the processes and controls.
- Capturing a risk assessment of the SOX environment.
- Developing an Audit and Assurance Policy (AAP) to define the level of required assurance covering internal controls over financial reporting.
- Training for control owners, reviewers, and auditors that includes discussion about the cultural mindset across the organisation.
- Implementing SOX management technology to facilitate the testing, review, and issue remediation requirements.
- Providing reporting to senior management.
Outside of these internal processes, UK companies will also need to work closely with their external auditors. External auditors will perform their own testing that usually requires support and documentation from the internal teams.
Lean on Technology to Remove ICFR Complexities
Implementing technology has been a key differentiator for companies that have already implemented SOX-like regulations. Most complexities in a SOX program are eliminated when we use a cloud-based SOX management system to facilitate the organisation and updating of documentation, provide real-time visibility into testing progress, streamline evidence gathering, track issues that require remediation, and generate reporting for stakeholders.
Now is the best time to consider your technology options while we are in the early stages of the UK requirements for financial reporting controls. By designing the program with technology enablers in mind, you can build your compliance program to take advantage of technology and start off strong when the requirements are in full effect.
Aaron Wright is a Director of Product Solutions, UK&I at AuditBoard. Before joining AuditBoard, Aaron was an Internal IT Audit Advisor at Cardinal Health, where he managed a risk-based audit plan and led internal audit projects focused on infrastructure, cybersecurity, and applications. Connect with Aaron on LinkedIn.
Leann Lindner, CPA, CISA, is a Senior Manager of Implementation at AuditBoard. Leann started her career in audit at PwC and expanded her experience to include the management and implementation of financial systems at a renewable energy company. Connect with Leann on LinkedIn.