Before we start celebrating what some have seen as softer-than-expected plans for audit reform, we need to be clear about what’s really coming and start preparing now.
My 20+ years in audit and risk are bookended by US corporate reform at the start of the century and similar UK measures pending more than two decades later. The need for change is painfully clear, so what’s taken so long?
Much like the scandals of WorldCom, Tyco International, and Enron that precipitated action across the pond, we’ve had to learn our own hard lessons through the failures of Carillion, BHS, and Thomas Cook. Investors, customers, and politicians have wrung their hands and asked, where were the auditors? But will reforms go far enough? Many have voiced surprise not to see a form of UK SOX in government proposals.
In order to understand this better, it’s helpful to look at how we got here and what SOX has meant for US companies. We know quite a lot about government proposals and what to expect, but not so much about timelines. The best approach is to anticipate and prepare, and I have some concrete recommendations we can implement immediately.
The Road to Audit Reform: A Timeline
The 2002 Sarbanes-Oxley Act (SOX) had a major impact on companies traded on US markets by requiring senior managers to attest to the accuracy of financial information and the effectiveness of controls or else face harsh penalties. Crucially, SOX increased accountability for company directors and established the Public Company Accounting Oversight Board (PCAOB) as regulator and enforcer.
Fast forward 20 years and the UK is still lacking a PCAOB or SOX equivalent. Perhaps we’ve felt insulated from the systemic weaknesses that floored Enron, but recent home-grown collapses have thrown the spotlight on deficiencies in corporate reporting, governance, and audit, prompting a series of reviews and government consultation via its whitepaper, Restoring Trust in Audit and Governance. The much-anticipated response was released in May this year and a draft bill is expected soon. The timeline outlines progress made and upcoming steps in the anticipated roll-out, to take place over the next six years.
Restoring Trust: What to Expect
The government plans significant change to the UK Corporate Governance Code with more reporting on internal control and antifraud effectiveness, a new statutory resilience statement, and an expansion of what constitutes a public interest entity (PIE) to be bound by these requirements. Companies will need to disclose their audit and assurance policy. There will be greater restrictions on the distribution of dividends to ensure solvency and transparency on corporate ownership and control. The reforms go beyond the purely financial to embrace ESG controls and reporting too.
Of critical importance is that the FRC will transition to a new regulatory body: the Audit, Reporting and Governance Authority (ARGA) will have greater powers for inspections and penalties. ARGA will ensure stronger accountability of directors and oversight of auditors with an easing of the dominance of the Big 4.
Reactions and Impact: “Soft SOX” Actually Looks a Lot Like “Hard SOX”
These proposals have been generally welcomed, although they are long overdue and come with a slow roll-out (no clear timeline has been given). Many expected an explicit SOX-like regime of reporting and inspection, which there is not — or at least there is no “hard SOX.” What we get instead is “soft SOX,” a principles-based approach to disclosure that includes a resilience statement and focuses more on substance than form, consistent with the underlying “comply or explain” ethos behind the UK Corporate Governance Code. Broadly the reforms hit the mark, in particular regarding proportionality in terms of the size of companies impacted and the balance of the cost of compliance against its benefits — an issue faced by companies complying with Sarbanes-Oxley in the US.
But I believe it would be a mistake to regard “soft SOX” as being equivalent to no SOX. Companies will still be required to make those important disclosures on controls and provide evidence of their effectiveness; auditors will still be auditing but even more closely; and ARGA will be checking on the auditors. In reality it sounds like SOX in all but name and stricter rules may yet follow.
What Should Companies Be Doing Now to Prepare for UK Audit Reform?
There are at least three things companies can do while they wait for legislation, likely at the start of 2023.
- Review risk management systems and current disclosures, especially those relating to fraud, internal controls, and ESG.
- Review internal controls over financial reporting and the underpinning accounting assumptions.
- Conduct an independent review of audit committee effectiveness, including an examination of the reports it receives, especially from risk management and internal audit.
To support these preparatory efforts, enabling technology for an integrated risk management approach to UK Corporate Governance is critical: it helps organizations ensure and demonstrate operational efficiency and gives them and their auditors a single source of truth. A modern connected risk platform is ideally suited to this, bringing risk management, internal controls, internal audit, and IT compliance together in a unified data core with workflow and access for multiple stakeholders, including auditors.
Time for UK Organisations to Pull Their SOX Up
While there are opportunities missed, such as the need for simplification, these reforms are a major step in the right direction. We are on a journey and things will continue to evolve to embrace more aspects of internal control, including cybersecurity, ESG, and fraud, particularly when inspections start to take place. Companies are well advised to begin preparing now. Don’t be fooled by the appearance of “soft SOX.” ARGA has real teeth and will drive the change we all agree is necessary.