As it remains uncertain exactly when the reforms will come into force, organizations may be inclined to wait for clarity on the regulatory requirements before starting the compliance process. This approach, however, is not advisable, as the entire process could take many months and involve extensive effort and investment, running into millions of pounds.
Starting early will give organizations the advantage of having the time to iron out any deficiencies and ensure a seamless and structured process. It would also help accelerate the process to ensure compliance once the regulation gets implemented.
That said, organizations could find this initiative overwhelming: how to start? What areas to focus on? What strategy to follow? How much time and effort will it entail? This eBook aims to provide a practical guide for organizations as they embark on the journey to prepare for UK SOX.
The proposals in the BEIS’ consultation paper are based on the recommendations made by three independent reviews commissioned by the government in 2018: Sir John Kingman’s independent review of the Financial Reporting Council, the Competition and Markets Authority’s statutory audit market study, and Sir Donald Brydon’s independent review of the quality and effectiveness of audit.
Both Sir Donald Brydon and Sir John Kingman underscored the need for organizations to improve the effectiveness of internal controls over financial reporting.
Before getting to how organizations can go about ensuring compliance, it is important to understand which organizations will fall under the purview of the UK SOX.
According to the BEIS consultation paper, there is a growing call to introduce “stronger regulation, possibly adopting elements of the regime that applies in the US under the Sarbanes-Oxley Act 2002 (SOX).”
“The key SOX provisions are requirements for the management of public companies to assess and report annually on the effectiveness of their company’s internal control structure and procedures for financial reporting. The company’s auditor is then required to attest to and report on this assessment. SOX also places responsibility for a company’s financial statements and internal controls clearly with the CEO and the CFO. These officers must certify (inter alia) for each annual and quarterly report that they have reviewed the report, acknowledge their responsibility for establishing and maintaining internal controls and that they have evaluated the effectiveness of the internal controls within 90 days prior to each report.”
These requirements, however, entail significantly higher internal and external costs for companies, at least initially, the paper said, adding that the government would explore options and bring forward a detailed consultation in due course.
The reform options have been classified into three non-mutually exclusive categories:
Based on these reform options, the US SOX, and the Corporate Governance Code provisions, the internal audit teams can start assessing the overall organizational compliance posture and take necessary steps.
As a first step on the compliance journey, organizations need to take stock of the current state of their risk management processes and internal control systems over financial reporting. IA teams need to assess whether the organization has prudent and effective controls in place that enable efficient risk identification and management, whether the board has effective oversight of risk management and internal control systems, and whether there is an established cadence for annual review. At the same time, they also need to ascertain whether there are procedures in place that can provide evidence of the effectiveness of controls in mitigating risks, and of the board’s review of the risk management process and internal controls.
In this context, here are some key questions that the IA teams need to find answers to:
After identifying the current compliance posture, boards and audit-related committees need to put together a comprehensive compliance program to ensure the process is quality-driven and cost-effective. The plan will detail how the organization intends to adopt UK SOX, how it will ensure continuous monitoring of controls, the process for year-end assessment, controls testing plans and procedures, whether it plans to implement a compliance software solution, measures for addressing the identified gaps, project timelines and critical milestones, action tracking, and more.
It is important to note here that the entire process of narrowing down the scope and design, implementing the program, and training the relevant teams can take up to a year. Embedding the controls in the organization and ensuring their seamless functioning can take another year. Organizations seeking to be compliant with the UK SOX, therefore, need to ensure that they have at least a year for implementing a dry run to spot errors and fix them.
Once the plan has been drafted, it is important to set the tone from the top for its effective implementation. Support from top management and leadership, along with embedding the compliance measures in employees’ job descriptions, will help make compliance an integral part of the organizational culture. This will also ensure that an effective controls framework is in place and that employees are trained in, and held accountable for, the operation of controls.
With its audit and SOX compliance data scattered across systems, the organization was finding it difficult to track key risks and issues. The implementation of MetricStream Internal Audit Management and SOX Compliance products helped the company streamline and automate assurance workflows, improving risk responsiveness. MetricStream offers the company a unified view of internal audit and SOX compliance across the enterprise. The platform maps risks to compliance requirements, internal controls, control tests, assessments, processes, and other data elements in a single framework. This gives users a holistic and contextual view of risk.
Building on its work to facilitate governance, risk and compliance (GRC) automation across industries and on its expertise in US SOX, MetricStream is ready to support organizations in their journey to ensure compliance with UK SOX.
The MetricStream UK SOX Compliance solution supports the process of setting up a SOX framework, planning and scheduling risk assessments, and performing control tests and assessments. It helps automate internal controls management, reducing time and costs. It also helps in managing evidence collection and other documentation, remediating issues, and performing certifications and sign-offs. Complex organizational hierarchies can be mapped in an organized manner with clearly defined lines of responsibility and accountability.
With this solution, organizations can: