UK SOX is here. What do you need to do about it?


The UK SOX is here. As an organization, you may already have done all you need to ensure compliance, you may be in the midst of it, or you may still be contemplating it. Whichever stage your organization is at, it is important to understand the legislation, why it is necessary, and how you can ensure you are on the right side of it.

What You Should Know About SOX

To understand the UK SOX, you must know more about its origin. The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley or SOX, is a United States federal law that introduced new, and in some cases more elaborate, requirements that public company boards, their management, and their accounting firms must adhere to. Some parts of the Act also apply to private companies, such as the provisions on deliberate destruction of evidence to obstruct an investigation. The Act, with its extensive 11 sections, came into force on the back of several corporate and auditing scandals that rocked the business world. Under it, the board of directors of any public corporation is held more accountable and is liable to criminal penalties, and the company is subject to regulations created by the Securities and Exchange Commission to ensure compliance. These top officials must also attest that their organization’s internal controls are strong enough to support genuine and reliable financial statements.

For many years now, the Financial Reporting Council (FRC) has been working on similar legislation for implementation in the UK. This came at a time when there were loud calls for audit reform in the country. The UK SOX was first mentioned by Sir John Kingman in 2018 as a suggested initiative in his recommendations for audit and regulation reform. Sir Donald Brydon’s recommendations include having the CEO and CRO provide the board of directors with a yearly attestation on the effectiveness of the company’s internal financial reporting controls.

Since SOX was introduced in the United States, the quality of corporate financial reporting has improved tremendously. There have also been some interesting, unexpected benefits. Key among these are a stronger control environment, better documentation, hands-on participation by the audit committee, more standardized processes, and a reduction in human error. Introducing the UK SOX will help bring similar benefits to the country’s booming corporate world.

What UK SOX Means for UK Companies

To understand this, let’s start with which companies will come under the purview of UK SOX. This legislation primarily aims to protect investors and insulate them from corporate fraud. The requirements laid down are strict and ensure better financial disclosure, stronger assessment of internal controls, sound corporate governance, and complete auditor independence. UK SOX requires that any organization trading on the Financial Times Stock Exchange (FTSE) be SOX-compliant. Besides such organizations, if your company matches any of the following descriptions, it is time to initiate a SOX program:

  • You are planning to go public.
  • You have been asked by internal stakeholders or by your external auditors to focus on improving controls.
  • You have uncovered deficiencies in your systems and are in the process of creating new controls to fix them.
  • You want to create a sustainable, long-term control monitoring system that can be applied continuously.
  • You are looking to explore automation to drive down the costs of handling a complex business system.

Once you understand how your company is positioned with respect to UK SOX, here is a look at the kinds of changes you can anticipate when becoming compliant with the regulation. Several existing internal control measures will change. For example:

Annual Effectiveness Reviews Will Become More Prescriptive: Currently, reporting on the effectiveness of risk management and related internal control systems is governed by the UK Corporate Governance Code for public companies and the Wates Corporate Governance Principles for large private ones. Both require that committees and boards conduct an annual review of how effective their controls are and include this in their annual reports. The Wates Principles make it compulsory to establish a monitoring and review process alongside an internal controls set-up. There is no uniformity in the kind and extent of the procedures that support annual reviews, and operating effectiveness is very rarely documented. The UK SOX will necessitate a change in this.

Internal Audit Committees Will Look to Businesses for Enhanced Support: Boards and audit committees will need a great deal of information to ensure that their yearly internal control effectiveness review is documented and substantiated. Internal audit teams will be deeply involved in the implementation of, and compliance with, UK SOX. They will, however, have to maintain their independence while doing so. You will find that they increasingly initiate conversations around how the business can improve its controls. These are some of the key questions you can expect:

  • Is there a company-wide internal control framework in place and is it a part of the working culture?
  • What are the current support systems in place to ensure accuracy in the annual review?
  • What are the gaps, if any, in the current processes – possibly related to treasury, tax, or any consolidation activities related to non-payroll and contractual services?
  • What are the IT controls in place for crucial financial systems?
  • Where should efforts around possible risks be prioritized?

Such internal audits apply risk and control skills to help a business build a definitive framework for assessing current status and possible areas of improvement. Other changes you can anticipate include:

  • Creating a separate Internal Controls Statement that will need to be formally attested by both the CEO and CFO.
  • The inclusion of broader entity-level controls that may not so far have been included in the scope of the assessment.
  • An assessment of control exceptions, with external auditors additionally requiring an evaluation of them.

For a better understanding of what to expect, it helps to look at the lessons learned from the US SOX implementation. Here are some to consider.

A Dry Run Time of One Year: It can take up to a year to narrow down the scope and design, implement the program, and train all your teams. Embedding these controls in your organization and ensuring they function seamlessly can take another year. If you want to be compliant with the UK SOX, ensure you have at least a year to carry out a dry run, spot errors, and fix them.

Lead from the Top: For compliance to become part of the working culture of your organization, it is essential that management leads from the top down. This will ensure that you have an effective controls framework in place. Every employee should be trained in, and held accountable for, the operation of controls to make them effective. Such training will also help spot defects that can be rectified. Engagement with compliance is best implemented as part of your employees’ job descriptions.

IT Remains an Integral Part of the Framework: In the bid to ensure compliance with financial controls, it is easy to forget how dependent you are on IT controls and a range of outsourced services. Work to identify the central IT controls, and those managed by third-party service providers, that are critical to a smoothly functioning financial control system. Your organization must establish accountability for these.

Best Practices to Consider:

  • Starting early gives you the time to iron out any deficiencies and ensure your process is seamless.
  • Do not underestimate how much effort and investment is going to be needed to comply with UK SOX. It is a multi-year, multi-million-pound effort.
  • Work on getting the C-suite and key business partners involved in spreading the word and implementing processes to get their teams on board.
  • Work with what you have and build upon it. Using your existing content and compliance solutions to develop, upgrade, automate, and re-populate the program is a sound way to work.

Program Structure to Get UK SOX Compliant

Now that you understand what UK SOX means for your company, here is a look at the basic foundations that make up a SOX program and what you will need to do:

You Need Not One, But Two Steering Committees: You will need to establish two SOX committees – one for business processes and the other for IT. Together, these two committees can provide technical supervisory insight, work on executive buy-in, and ensure the rest of the company is on board too. The steering committees will create protocols and ensure frequent testing in year one, including two rounds of testing, time for management assessment of the program, and room for corrections.

Educate the Team, Division-Wise: You must connect with and educate all the business teams that make up your organization, and in particular those on which UK SOX will have a direct impact. This includes C-suite executives. Help them understand its relevance, the parts they play in the process, and the impact on their department. Provide them with sample documentation, an explanation of their responsibilities, and guidance on how to set benchmarks for successful implementation.

Flesh out the Process: Work on a detailed plan. No element is too small. Start with a risk assessment and list every process and system associated with it. Go through every process put down on paper to ensure that it still does what it is supposed to do; this will validate its continued use. At every stage, clearly define the process and who holds responsibility for a particular control. Ensure that they know it and are clear on what is expected of them.

In the process of building your own SOX program, you will pass through multiple stages of maturity. It will finally culminate in a move from manual to automated processes for ascertaining control effectiveness. Implementing any financial controls framework takes at least 18-24 months. Identifying key workstreams and the associated activities is the path to improving controls and getting ahead on the compliance track. All the preparation you do in advance will deliver crucial governance improvements and efficiency, irrespective of the UK SOX mandate.

Here are some key workstreams you can concentrate on:

A Clear Vision for Your Compliance Program: The idea behind any good compliance program is that it should be quality-driven and cost-effective. Having a clear vision of what it should entail is key. It should have a clear purpose and vision, on which an operating model is built, and the benefits that accrue from it are what deliver the success you are aiming at. This is what your UK SOX compliance model will need.

A Formal Structure: Companies with a formal structure in place, qualified and aware stakeholders, well-defined roles and responsibilities across all teams, and strong management taking overall ownership will find it far easier to become compliant and grow.

Putting Together Trained Resources: Companies need to assess their human resources and understand who fits into the roles a compliance model requires. In some cases, existing staff may not be sufficiently trained, and training will need to happen. In other cases, you may need to recruit new people or bring in specialized expertise when required. Understanding where you lack resources is essential.

Top-down View of Risk Factors: To arrive at a starting point for your compliance program, you need a top-down view of all the possible risks at multiple stages. These could lie in your financial statement line items (FSLIs) or in one of your end-to-end business processes. This comprehensive view will give you the clarity needed on every process and related control.

Investment in Technology: Early in the game, you will need to invest in the right technology to help monitor all controls and related environments. This will also help in the testing of controls, which in the long term can assure you of transparent processes and bring down the cost of compliance.

The UK SOX may seem like a massive undertaking, which in many ways it is. But its positive impact bears repeating:

  • Everyday operations will be guided by a strong set of well-defined controls.
  • Manual tasks can be automated, reducing the time spent on an activity.
  • Teams can be directed to focus on the high-risk aspects of the business.
  • Financial statements will consistently have high levels of accuracy.
  • Audit documentation can be made available in minimal time.
  • Financial operations and their smooth flow can be assessed at any moment.
  • A close-to-real-time understanding of a company’s financial health and operational effectiveness.

There are some negatives, such as an increased need for technology and people, which could lead to a rise in costs. Some tasks will take longer to complete in order to meet all compliance requirements. Additional paperwork is now going to be part of the process. However, the benefits your company stands to gain outweigh these drawbacks.



Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.