UK SOX (Sarbanes-Oxley) is coming to town

Finance leaders, are you prepared for the new regulations coming to the United Kingdom and do you have the right risk management in place?
According to a recent poll I carried out on LinkedIn (which was not a representative sample), I found that, in general, finance folk are not ready: there is talk, but that’s it.
In this article I examine the what and why of UK SOX.
What is UK SOX Compliance?
UK SOX is the unofficial name given to new UK corporate governance reforms, motivated by the US 2002 Sarbanes-Oxley Act. The exact details have not yet been finalised, but the new rules are expected to closely follow US SOX, which aims to protect shareholders from fraudulent financial reporting by corporations, e.g., the Enron scandal.
A brief history: just over two decades ago, in 2001, it was discovered that Enron’s financial position rested on institutionalised, wilful corporate fraud and corruption, where systematic plans were put into place to drive the share price up, coupled with creatively planned, serious accounting fraud. The scandal brought into question the accounting practices and activities of many corporations in the United States, which was a factor in the enactment of the 2002 Sarbanes–Oxley Act.
Similarly, the UK SOX version is meant to increase regulatory oversight. While the Financial Reporting Council (FRC) was historically in charge of regulating corporate reporting and auditing in the UK, a new authority, called the Audit, Reporting and Governance Authority (ARGA), is replacing the FRC and leading this reform with stricter enforcement powers. To cite some examples within the UK, and the motivation for UK SOX: 9,000 redundancies, 555 retail stores closed and 1,286 companies and government entities owed money following the collapse of Thomas Cook; 11,000 jobs put at risk by the collapse of BHS; 7,000 suppliers and contractors impacted by the collapse of Carillion.
Who will be impacted?
The new regulations are not limited to companies listed on the London Stock Exchange (FTSE/ AIM). UK SOX will target UK public interest entities (PIEs), both individual entities and the group position, that have more than 750 employees and over £750 million in annual turnover, i.e., the “> 750 and > 750” rule. By group position I am referring to UK consolidated group companies worldwide where the sum total of any subsidiary companies’ employees and turnover meets the PIE definition. Note that this does not change any other requirements under the UK Companies Act or audit thresholds, as this reform is intended to widen the definition of public interest entities.
When is the Go-live date for UK SOX?
UK SOX legislation is still being finalised. However, 1 January 2025 is the estimated date on which UK SOX will come into full effect; this estimate includes the time to finalise and implement the legislation and a grace period. Companies must be compliant and report by the end of their first financial year after the start of this legislation. Unlike with US SOX, there will not be an in-year buffer to prepare before disclosing effectiveness as of year-end.
How long to implement UK SOX?
The issue now is that companies do not have much time: in fact, just under 15 months until January 2025. Put into context, for PIE companies with a year-end in March, June, September or December, simply add 3, 6, 9 or 12 months respectively to the roughly 15 months left to get the implementation countdown in months.
As a rule-of-thumb guide, without prejudice, at least 12 to 24 months’ worth of actual UK SOX work is required end to end to implement properly, depending on company size, complexity, subsidiaries, the current state of ERP systems and functional processes, a review of current internal controls, and listed/ non-listed status, all before the first financial reporting date after the enactment date. Then again, it could be more or less; how long is a piece of string?
UK SOX will impinge on finance, procurement and IT: why?
The goals of UK SOX are to provide more controls around external audits, increase transparency for shareholders, ensure accurate reporting, identify risks sooner and prevent fraud. Meeting SOX compliance establishes trust, builds investor confidence and encourages investors to invest in the company. The reform requires that these support functions/ departments have adequate controls over, and visibility into, corporate purchasing practices, which are frequently overlooked. It will heavily involve IT teams, which must put new internal controls in place, manage integration and deliver the technological implementations that help achieve compliance. While the changes required may sound vast, they should not be put off or overlooked: compliance is mandatory, and failure to follow it properly can lead to large penalties and sanctions.
What will UK SOX cover?

There are 5 key areas, which I have tried to illustrate in a pictogram. Internal controls, fraud and dividends are intertwined as the core; resilience is required to assess and test the core. Finally, assurance is about the what, how and when: a wrapper covering, but not limited to, judgement and estimates, significant IFRS policies, ESG/ TCFD/ ISSB reporting (back end and front end), technical justifications, and policies and procedures, to be able to provide the external auditor comfort on internal controls over financial reporting (ICFR) and related matters.
1) Internal controls ¹: Basically, new internal control requirements will be driven through changes to the Corporate Code. While a consultation was carried out in September 2023 and responses are awaited, the message is clear. Businesses that meet the definition of a PIE will need to address their control environment, and those currently complying with US SOX requirements will also need to expand their controls to other areas in scope, yet to be defined;
2) Fraud ¹: PIEs will need to prepare a directors’ fraud statement setting out the actions they have taken to prevent and detect fraud, which will form part of the audited information. The expectation is that it will need to provide clear information on the governance environment, how fraud risk is assessed and what the company does to detect and mitigate fraud. Refer to my article published in The Treasurer, August 2017, ‘Cyber Fraud: Prevention and Detection in Corporates’, https://www.treasurers.org/node/337510
3) Dividends ¹: This will require disclosure and confirmation of the legality of dividends from distributable reserves, on which directors will need to make a statement. This is a complicated area for various reasons, and guidance is required on determining realised profits;
4) Resilience ¹: A resilience statement will be required involving short- and medium-term planning, as well as reverse stress testing and reporting on resilience. This could impact areas such as strategy, ESG, technology and cybercrime, third parties, managed service centres, finance, IT, and legal/ compliance;
5) Assurance ¹: Companies will need to explain their approach to assurance, including, but not limited to, whether shareholder and employee views/ concerns have been considered. This includes, very importantly, how companies will seek to gain independent external assurance over their reporting on internal controls, fraud, dividends and resilience statements, which, coincidentally, will be subject to external audit and review by the statutory auditor!
Companies will also need to disclose whether they are prepared to engage non-audit services from their statutory auditors for independent external assurance (the bad news is that it is a conflict of interest; the good news is that it is not open to a shareholder vote). Alternatively, companies feeling benevolent could engage another audit firm, which may result in shareholders pelting eggs at the AGM, or even demanding resignations, for obvious reasons.
Still, every cloud has a silver lining: a better, cost-effective approach would be to engage a firm ² that has a strong track record in current technical IFRS and ISSB (ESG) standards; extensive systems and processes know-how for internal control continuous improvement (PMO/ lean agile); FTSE reporting and controls experience (where it is the most demanding); has worked with audit partners and audit committees; and has the credibility to plan and deliver. That will result in an integrated assurance approach, improved application of IFRS and ISSB standards and enhanced internal controls.
Dee Singh Kothari is a senior partner in Kothari Partners
¹ Contact Kothari Partners for a free confidential discussion on how we can help. We have already provided an AIM/ listed FTSE client of ours with a UK SOX roadmap for implementation/ go-live, reverse resilience stress testing methodology, how to embed internal controls over financial reporting (ICFR), independent external assurance testing work (rather than internal self-assessment as a trusted Partner), fraud mitigation internal controls, dividend/ distributable reserves planning and avoiding potential impairments post dividend payments.
Ideas and/ or methodologies expressed in this article are solely the author’s. Neither the author nor Kothari Partners accepts any liability for the incorrect application of these ideas, whether used by companies, employees or other individuals.
² At Kothari Partners, we have worked with various UK and overseas listed and VC/ PE-backed clients across 21 industries to consider how their business and finance services can bring them both cost reductions and performance improvement.
Our approach is to help our clients understand their current situation, identify the value and decide on the scope, vision and set of strategies for what they could achieve for their business. We help plan their implementation, support them and deliver the solution/ change needed, so it is properly and permanently embedded in their organisation. We aim to help past and future clients by delivering high-quality work to their organisation, generating real efficiencies and freeing up time to support better business decisions.
For a confidential discussion please feel free to contact us via our corporate website: https://www.KothariPartners.com