Guest Blog - Omar Ahmed on the arrival of UK SOX
Published: 25th March 2021
Thank you to Omar Ahmed, who we recently placed at SIG Plc as Group Head of Internal Controls, for providing a discussion and advice about UK SOX. This article follows our very own Karen Whiteman’s recent article on the subject of UK SOX and its implications for businesses.
UK SOX has arrived: What do we do now?
So after years in the making, the much anticipated Government white paper on UK SOX has finally landed and it is safe to say it landed with quite a bang and subsequent gasps for air as well (certainly within the risk, controls and audit fraternity anyway). The magnitude of the changes cannot and must not be underestimated - this is likely to be the biggest corporate governance change in the UK for at least a couple of decades, if not a generation.
The title of the paper itself was an interesting one - “Restoring trust in audit and corporate governance”. It directly speaks of the objective of the proposed legislation and is an objective that is almost unanimously agreed upon by stakeholders. The method of how that objective is achieved however is why the paper took so long and why there will still be much debate on the exact workings of the legislation.
First, a brief history of how we have arrived at where we are now
Over the past few years, the UK has seen some major corporate and accounting scandals which have left employees, investors and the public asking questions on the accountability of company directors, external auditors and the regulators. BHS, Carillion, Thomas Cook and Patisserie Valerie have all disappeared for one reason or another, whilst other companies have managed to survive accounting misdemeanors albeit with their reputations and share prices badly affected. The Government, perhaps under intense public feeling at the time and seeing thousands lose jobs overnight, commissioned a series of reviews on the role that was played by regulators and auditors in these collapses.
The Kingman Review and the Brydon Review straddled the CMA study – all of which proposed sweeping changes to be made to the regulator; the audit market; the audit profession; and to corporate governance and accountability. All three reviews mentioned US SOX to varying degrees. The now famous/infamous US Sarbanes-Oxley (SOX) Act is a piece of US legislation that came into effect in 2002 after the spectacular accounting wrongdoings of Enron (and their auditors Arthur Anderson), WorldCom and indeed other companies which ultimately brought an end to all involved. The US legislation was brought in and created the PCAOB (regulator), and personal accountability for the CEO and CFO and enhanced internal controls assessments and attestations for both management and auditors. US SOX is already actually in the UK but only for those UK companies who are also listed in the US.
With those UK collapses, subsequent fallout and the reviews and an “oven-ready” solution from the US - UK SOX was always going to be part of the proposal announced recently by the Government. For those who have read the paper, it will be interesting to see where we do finally end up with a few options provided, but as a minimum it will include CEO/CFO or Board attestations on the internal controls framework with either stakeholder-led assurance or compulsory annual assurance from external auditors. As mentioned, the changes proposed are very significant and I would encourage all to read up on them.
With the implementation of these changes expected to gather speed, the big question that all Boards need to be asking themselves is: “What do we do now?”
The key word in that question is “now”. Meaningful steps have to be taken now for companies to be in a steady state for when the requirements will eventually need to be applied, even if as the paper states “some of the proposals on new corporate reporting would apply to premium listed companies initially, and then after two years to all Public Interest Entities”. This is not something that can be implemented overnight and I would suggest the programme from initiation to workable state would take 18 months as an absolute minimum.
So then, here are just some of the big-ticket items to keep in mind on starting off on this journey. This is by no means an exhaustive list (and certainly not a Top 10 listing despite there being 10 points) and each company will have its own unique problems to solve. This is only scratching the surface and the details behind these points are huge and difficult – that’s the way it is unfortunately.
- Tone at the top is of paramount importance. Like all major change programmes, it needs to start from the very top of the organization. The topic should gain traction with the Board in a more positive way that the paper has landed but still all Directors (financial and non-financial) need to understand the importance of the legislation and how this will impact them personally, as a collective, and the business as a whole.
- This is not a finance activity only (indeed the paper asks for responses as to whether it should be limited to internal controls over financial reporting or be expanded to cover non-financial frameworks as well). It involves so many more teams across a business from the very start of a transaction to the very end of recording it in the financial statements. Communicate with your business regularly about the changes that are coming and progress of the implementation programme – indeed you might need to communicate with almost everyone in the business to some extent.
- This will cost money and use resource. No getting around it. This needs to be budgeted and expect things to go awry as this will not be easy and something will crawl out of the woodwork to drop a bombshell or two (which is the whole point of the legislation – to make companies delve into their closets and see if there are any monsters).
- Hire the best people to drive this from within. There needs to be a team (not internal audit) that drives the programme and who are seen as the experts and supports within the business. The implementation of UK legislation will (whether through design or otherwise) start to mirror the ground realities seen in US SOX. Individuals in the UK who have recent US SOX experience know the inner workings of what a SOX cycle should entail and how to get this done – this will be like gold dust over the next few years as the legislation is brought in and the practicalities start to be embedded. Try to get these people now!!!
- Do not see this as a standalone exercise. Now is the time to truly integrate assurance across the organization and take the opportunity to redefine “what good looks like” - such as re-defining the 3 Lines model; empower staff to have their risk radar switched on at all times; create a culture of responsibility and accountability within the organization; re-train staff in the use of new skills and tools such as data analytics. The opportunities are there, we just need to find them.
- Just as a company selects an external auditor, I would suggest serious consideration to appointing a Controls Partner/Advisor to be able to operate at Board and Management level particularly for those difficult conversations around year end. There are some brilliantly skilled and knowledgeable people out there and having that expertise from day 1 to help steer and guide will be invaluable.
- The theory and methodology is unbelievably important and needs to be clear, accurate and complete – it defines who is doing what; when they are doing it; how they are doing it; why bother doing it at all?; and who needs to know about it. The paper also talked about Boards picking a framework to use for internal controls – I would recommend you pick COSO as your framework. It is easy to understand, most commonly used and how auditors report deficiencies currently.
- I.T., I.T., I.T. The importance of IT and data cannot be understated. More than a fair share of all material weaknesses in the US are in relation to IT deficiencies and this ratio has increased in recent years given greater emphasis is placed on it. It makes sense given the financials rely on the quality of data and systems that underpin them and as we move to an ever greater technology-driven world, the challenges for a controls framework will only increase. On the flip side – the opportunities to automate processes; continuous controls monitoring; use of robots and A.I. also increase which should lead to real step change in a more robust control environment and ultimately reducing cost. Make sure I.T. are fully engaged in the programme and are fully resourced to be able to handle the increased workload.
- MS Excel or specialized controls software? Depends on the size of the organization - is the obvious answer. I would suggest there has to be a pretty good reason not to select a controls software. Software undoubtedly helps and there are some brilliant tools out there that can truly bring this alive as well as integrating risk and assurance across the company – a tool that is used by the controls, internal audit, IT and risk teams should be the one to go for if possible. Choose one with a brilliant user interface, able to handle a full SOX cycle, which produces insightful reports with a few clicks. This programme is as much about hearts and minds and a cumbersome “ugly” tool will not help in winning people over at all.
- It is important to remember the end game - there will be long term benefits. A company knowing its processes, risks and controls in detail is better equipped to handle the stresses and strains of major incidents (either self-inflicted or acts of God). Research shows that companies who report a material weakness in their control environment suffer with a subsequent share price drop. This drop is perhaps a direct result of the material weakness or a symptom of deeper underlying issues within the company coming to fruition. If done correctly, and the business do not see it as a tick-box activity, this can add to (or at least maintain) shareholder value.
It is an exciting time in the industry with some long overdue changes now likely to be implemented. The time is now to be proactive rather than firefighting further down the road when it will be too late.