UK SOX Update 2022 | Your UK SOX Questions Answered
The plan for introducing SOX-style corporate governance regulations in the U.K. continues to take shape.
In March 2022, the Department of Business, Energy & Industrial Strategy (BEIS) released its 232-word white paper titled ‘Restoring Trust in Audit and Corporate Governance.’
Although it’s still unclear exactly when SOX could take effect in the U.K., it seems inevitable audit reform is on the way for publicly listed companies.
Now is the perfect time for accounting teams to understand what U.K. SOX is and how it can affect their work. (We don’t think it’ll make accounting work more exciting, but you never know. There’s always hope.)
We’ll provide answers to the most common U.K. SOX questions.
What Is SOX?
SOX, short for the Sarbanes-Oxley Act, is a financial reporting requirement. The United States initially enacted SOX in 2002 in response to financial scandals and high-profile frauds of the early 2000s. Japan and Canada have similar pieces of legislation.
The idea behind SOX legislation is to create financial reporting standards for publicly listed companies. Ideally, these standards prevent corporations from producing fraudulent financial statements. The legislation also deals with auditors’ independence for those companies and the standardisation of financial disclosures.
The U.K. SOX legislation will closely resemble the U.S. SOX by focusing on financial reporting. Members of management of public companies will need to implement risk assessments of financial controls to ensure proper financial reporting operations.
U.K. SOX likely will not require an external auditor attestation regarding the internal controls for the company, which differs from U.S. SOX rules.
Key Compliance Areas of UK SOX
The specifics of U.K. SOX aren’t mandated yet, but based on the BEIS white paper we can make an educated guess about which compliance areas will be part of the rules. We assume the most critical compliance areas will be similar to those in U.S. SOX.
- Enhanced financial disclosure: The rules should require public companies to file regular reports with the Financial Conduct Authority (FCA). Under U.K. SOX, the CFO and CEO of the publicly listed company will need to certify the accuracy of the financial reporting to shareholders and the board of directors.
- Internal control assessment: Each financial report will need to include explanations for the company’s internal control structure. Management then will assess the control effectiveness, and if any areas of deficiency are found, it should spell out ways for improvement.
- Real-time disclosures: Should the company experience any changes to its financial operations, it must make public disclosure as quickly as possible. These disclosures protect shareholders and the public by giving them up-to-date information.
- Penalties: Should any company official purposefully conceal or falsify information in the report to deceive the public, shareholders, or the FCA, it could be an imprisonable offence. Financial penalties are possible too.
Which Companies Will UK SOX Apply To?
If and when U.K. SOX becomes a reality, it likely will only initially apply to the largest U.K. companies on the London Stock Exchange. Many of these companies already follow similar regulations, so it may not cause significant changes for the accountants at these companies.
Public interest entities (PIEs) likely will become subject to the U.K. SOX compliance regulations within a couple of years of the official enactment.
Whether private companies will need to follow U.K. SOX rules is still up in the air. The recommendation may be that private companies should follow the regulations, but the law might not force them to do so.
When Will UK SOX Reporting Be Required?
Because debates over the final rules included in U.K. SOX remain ongoing, it is unclear exactly when companies may have to begin following the rules.
Some industry experts believe the final version of the U.K. SOX legislation will arrive late in 2022. If so, compliance for corporate reporting under U.K. SOX would probably begin in late 2024. After all, with U.S. SOX, companies received a two-year grace period after the rules were enacted before they needed to comply with them.
A grace period is essential to allow businesses to have time to develop the internal control framework for risk management and comply with the rules. Nothing in the rules prohibits a company from setting up the basic framework for following the rules before the official enactment.
How Can Technology Help With UK SOX Compliance?
Companies can extensively rely on technology when building an internal control framework for U.K. SOX compliance. Investing in technology early in the setup process can save time and money over the long run. Technology will help monitor and manage the control environment, adding transparency to the process.
Start by understanding the company’s applications that manage its financial processes. If your company uses third-party apps to manage financial controls, you should consider whether you need to bring these processes in-house to gain complete control over them.
Some of the ways technology can help include:
- Tracking the internal controls that you establish
- Ensuring that each team member completes the assigned role related to financial reporting
- Creating an audit trail that shows all activities each person on the team completed
- Automating some of the most tedious tasks involved with financial reporting, such as reconciling bank accounts and clearing accounts (and if you take offence at calling these tasks boring, we understand. That’s why automation is your friend.)
- Eliminating errors in data entry or in creating formulas
Ultimately, any technology you choose to deploy for accounting and financial reporting needs to be able to stand up to an internal control test under U.K. SOX. Most of the time, this shouldn’t be a problem. However, you should always have U.K. SOX compliance requirements in mind when considering adopting new technology.
Should Internal Audit Teams Take Steps Related to UK SOX Now?
For internal audit teams, starting some of these processes now can be helpful when the rules go into effect down the road.
- Create documentation that shows the most important financial reporting processes
- Identify any material accounts, along with the controls and processes in place for them
- Examine these processes for any risks inherent in them
- Identify any applications and IT controls that support the processes
- Develop an Audit and Assurance Policy (AAP) that examines internal controls
- Perform training for members of the organisation who will have involvement in U.K. SOX, including auditors
- Determine whether to add technology to help with testing and review of financial processes
Once the final rules become known, some of the steps taken now will need tweaking. However, you will have much of the groundwork finished, saving time and headaches later.