What you can do now to help with a possible UK SOX requirement
Throughout 2018 and 2019, a number of reviews were held regarding the quality and effectiveness of audit. These reviews; Sir John Kingman’s Independent Review of the Financial Reporting Council (FRC), the Competition and Market Authority (CMA)’s Statutory Audit Market Study and Sir Donald Brydon’s Independent Review of the Quality and Effectiveness of Audit, each produced a number of recommendations aimed at improving the audit profession. You can read more about each of the reviews here.
Despite the current control landscape, such as the UK Corporate Governance Code and the Companies Act (amongst others), it was deemed that more was required, with two of the inquires recommending a UK version of the Sarbanes-Oxley (SOX) Act internal control reporting regime be implemented.
With consultation for the reports and proposed recommendations currently open (you can read more here about how to provide your feedback), it is not possible to know what exactly the final requirements will be, or even if a UK SOX will be required. Regardless, there are still many things which businesses can start to do now to not only ensure good internal controls, but also set some basic foundations which can be easily built upon, should a UK SOX be required in the future.
But firstly, why is it important to start preparing for a possible UK SOX now? When US SOX was first introduced, it caught many businesses off guard. The amount of work required within such a short timeframe added incredible pressure to many teams within the business, with many businesses also engaging external contractors. As a result, businesses struggled to continue business as usual (BAU) activities whilst implementing SOX, not only impacting current controls and processes, but also increasing costs for the business as more reliance was placed on consultants to help with the SOX implementation. By preparing now, not only are you possibly going to ease the burden if UK SOX is required, but you are also educating the business on what good controls and processes look like.
Here is where you can start.
Best practice says our processes should be documented and aligned to any overarching policy document. Don't have your processes currently documented? Well now is the time to start documenting. Encouraging key business areas such as Finance, HR and IT to document their current business processes is a great starting point. This will help with future SOX activity, but also help ensure good processes are currently in place and avoid any business continuity issues.
We have this handy template which can assist in documenting your processes and templates, which you can access here.
Alternatively, there is a variant to this template which is available in our Key Controls document mentioned further below.
When documenting processes, it may be beneficial to include a process map, as this allows the team to easily visual the process, but also highlight where risks and controls exist. You can view our Process Flow document here.
Work smarter; not harder!
With many people still working remotely, now is the perfect time to take advantage of some technology which we use everyday. Whether using WebEx, Teams or Zoom, you can now call yourself, record the call, then you can demonstrate what you are doing and narrate this at the same time. This is another great way and innovative way of documenting your process.
If your organisation does not already have a controls program, you may want to consider a very basic starting point. We have developed a list of generic Entity Level, HR, and Finance Key Controls. These controls can be easily adapted to suit your organisation, but help ensure that each process has appropriate checks and balances in place.
Whilst these controls are very basic, they are a great starting point for organisations which either do not have a formal controls program, or team members are not used to having controls regularly monitored. This process / activity should be used as an opportunity to educate the business, raise awareness of the importance of controls and good processes, and show the progress the business has made in improving their controls and processes.
Whilst nobody can promise what will eventuate from the three reviews, it is likely businesses will need to implement some formal controls and compliance program.
My Audit Spot is working hard in the background to build a toolkit which can help businesses implement a UK SOX program without the need to spend big money on consultants. Our 'Off the Shelf' toolkit will offer a base package for many businesses which can be easily expanded upon and adapted to suit the specific needs of the organisation. This toolkit will not be realised until we have a clear idea of what the specific requirements will be, however to keep up to date and be the first to know when our toolkit becomes available, please subscribe to our mailing list.
We will also regularly provide tips and updates to help businesses prepare for a possible UK SOX requirement.
We want to reiterate, that the reviews and recommendations are currently going through consultation and as such, there is no final decision on the requirements as at the time of writing this post, however the items discussed in the post are considered better practice and should be in existence in any organisation already.