UK SOX Compliance: Key Challenges

‘UK SOX’ refers to the United Kingdom’s version of the US’ Sarbanes-Oxley Act (SOX),  which was introduced in 2002 in order to implement new auditing and financial regulations for public companies. 

What is UK SOX?

Following a series of high profile financial scandals, such as the Enron bankruptcy in 2001, the original SOX act dramatically reformed the US audit process, imposing new responsibilities on auditors and corporate executives, and new internal controls for accounting teams. The UK equivalent of the Sarbanes-Oxley Act will have the same broad effect as its counterpart, serving as a new corporate governance regime with tighter controls on financial reporting, and more transparency and accountability for executives. 

Like its US counterpart, the new UK regime was motivated by a series of accounting scandals, including the collapses of construction company Carillion in 2018, and bakery company Patisserie Valerie in 2019. Nationwide supermarket chain Tesco also encountered serious financial difficulties in 2014, after accounting errors led to a shortfall of over £250 million. UK regulators have been taking accounting malfeasance seriously: between 2021 and 2022, the UK’s Financial Reporting Council (FRC) issued a record number of accounting fines, amounting to around £46.5 million - triple the amount imposed in the previous year. 

In order to minimise friction with incoming regulations, UK accounting teams should understand how the new regime will affect their companies, and what its key compliance challenges are likely to be. 

The Importance of UK SOX Compliance for Organisations

We previously explored the possible features of UK SOX by comparing it to the impact of its US counterpart. However, the UK government has since released guidance on the new corporate governance regime, announcing a range of regulatory details that will impact the UK business landscape, including:

• The creation of the Audit, Reporting and Governance Authority (ARGA) as a regulator for the new regime. ARGA will replace the FRC. 
• A review of reporting obligations on large and small businesses - with larger businesses falling under the scope of new regulations. 
• A relaxation of the reporting burden on smaller businesses and smaller public interest entities.  
• New transparency requirements for large businesses, including a requirement to appoint challenger firms to conduct audits. 
• Stricter penalties for executives who violate their audit responsibilities. 

The UK government has stated that UK SOX will address the “dominance of ‘Big Four’ audit firms” while ARGA will serve to “reduce the risk of sudden big company collapses, safeguard jobs, and reinforce the UK’s reputation as a world leading destination for investment”. 

Impacted Businesses

Considering the recently-released guidance, it is clear that UK SOX will predominantly impact larger businesses. The UK government has stated that “no extra regulations will be added to smaller businesses” and that “the focus of the reforms is on the largest companies because so many jobs, suppliers and pensions depend on them”. Accordingly, the audit requirements of the new regime will apply to companies:

• That employ over 750 people, and-
• That generate over £750 million in annual turnover (even if they are not listed companies on the stock exchange)

Public interest entities (PIE) will also likely fall under the scope of the SOX regulations when it comes into effect. 

Micro-entities: As part of the new corporate governance regime, the UK government has committed to updating the definition of ‘micro-enterprises’, which is currently based on wording in an old EU directive. Under the new rules, many smaller businesses will be freed from onerous auditing regulations meant for larger enterprise organisations. 

Preparing for UK SOX

There is no formal UK SOX timeline for implementation, and no finalised list of regulatory changes, however, the government has set out its proposals for the new regime in its whitepaper: ‘Restoring trust in audit and corporate governance’. Given its alignment with the US SOX Act, it is likely that the UK regime will feature many of the same requirements and follow a similar timeline once legislation is passed - with full implementation possible in late 2024. 

It’s worth remembering that UK SOX will not be a direct mapping of regulations contained in the US SOX Act, which was introduced as a response to incidents of reckless corporate malfeasance. However, given the probability of the new regime coming into effect in 2024, UK companies should scrutinise the regulatory horizon on an ongoing basis, and prepare accounting teams to adjust to the new climate. 

WIth that in mind, and in the absence of  solid regulatory detail, it’s important that companies think about specific compliance pain points that might apply to their organisation during their UK SOX implementation process. 

Key UK SOX Compliance Challenges

Executive responsibilities

The incoming UK regulations will have significant consequences for company executives. Under the new regime, executives will have to confirm their organisation’s compliance with, and abide by, the country’s corporate governance code (which will be overseen by ARGA), and make disclosures and assurances about their internal fraud detection capabilities. Specific compliance requirements for executives will likely include:

• A director’s statement on the effectiveness of internal audit controls
• A director’s statement on the effectiveness of internal fraud controls
• A director’s report on steps taken to avoid and detect fraud
• The development of a company Audit and Assurance Policy (AAP) that demonstrates the quality of information reported to shareholders, including a description of internal auditing procedures

The UK SOX regime will differ practically from the US SOX in the sense that it will not introduce mandatory reporting requirements which compel company directors to personally vouch for the effectiveness of their internal audit controls - at the risk of criminal penalties in the event of violations. With that said, failure to comply with the new rules will trigger financial penalties and sanctions which could seriously impact business operations and inflict reputational damage. 

Audits, disclosures, and reporting 

The way that companies approach and prepare for audits will change under UK SOX. As stated, under the incoming reforms, obligated companies will have to conduct at least a portion of their audits with a firm outside one of the ‘Big Four’ - that is, PwC, Deloitte, EY, and KPMG. 

The introduction of the AAP will increase financial transparency and disclosure requirements. This means that companies will have to offer a greater depth of explanation, and evidence of their internal financial controls, in order to deliver consistent, accurate financial statements, and clearer documentation for external auditors. Companies will also have to continually assess the effectiveness of their financial operations in order to be able to deliver updated reports in a timely manner. 

The level of transparency and detail required by UK SOX means that companies must be proactive in approaching their internal and external audits. In order to prepare for UK SOX it’s worth considering the following steps:

• Identify material risks and weaknesses in internal audit procedures and financial operations.
• Conduct a review of software applications and IT tools that support those procedures.
• Implement a training program for company employees who will have UK SOX responsibilities, including the accountancy team and internal auditors.
• Consider updating accountancy software to better align with UK SOX compliance requirements. 

Similarly, companies should ensure they are aware of the best accounting technology solutions to handle their new record-keeping and reporting obligations. Beyond the speed and accuracy benefits of automation, technology tools offer firms the flexibility to adjust to an unfamiliar financial landscape, in which new regulations may add unexpected pressures. 

Effecting Cultural Change

Perhaps the most significant challenge of UK SOX implementation is the need to effect company-wide cultural change, in which financial controls become a compliance priority at every level of seniority. This means introducing a focus on financial controls as early as the recruitment process, and offering periodic training and resources to employees to ensure everyone understands the latest requirements of the regime. 

Cultural change should reach as far as the C-suite, with executives, including the CFO, necessarily becoming more involved in the reporting and disclosure process. Changes to internal controls should be backed by clear communication and authoritative leadership with senior figures demonstrating their buy-in to the new regime as a way to reinforce the necessary operational transformations. 

Best Practices to Implement a Successful UK SOX Compliance Program

If your company hasn’t already done so, now is the time to begin developing and implementing your UK SOX compliance program. To ensure the most effective implementation, consider the following best practice tips:

• Conduct a review of your risk exposure and then design new risk management processes and controls to address regulatory gaps and improve process efficiency. 
• Identify opportunities to leverage technology and automate reporting processes across your company’s accounting framework.
• Develop a training program to acclimate employees to the UK SOX regime, and ensure management personnel understand their responsibilities.
• Develop an Audit and Assurance Policy (AAP) to examine the effectiveness of internal UK SOX controls. 

Perhaps the most important aspect of your UK SOX compliance solution will be the software solutions that your company integrates to help it meet its new obligations. Software represents the best way to add flexibility and efficiency to your accounting processes, tailor your solution to your unique business needs, and adapt to inevitable administrative friction as the new regime is introduced.