UK SOX Is On The Way: Is Your Business Ready?

In 2002, the US Congress passed the Sarbanes-Oxley Act, now often simply referred to as SOX, or Sarbox. Named after the two congressmen who drafted it, Paul Sarbanes and Michael Oxley, the act is intended to protect investors from potential fraudulent accounting activities perpetrated by corporations; its passage was hastened by major accounting scandals in the early 2000s involving Tyco, Enron, and WorldCom. The legislation has several benefits: not only does it protect the public from erroneous or fraudulent practices, it also increases transparency in financial reporting and helps protect companies from data theft or cyber-attack by encompassing many of the same measures as other data security initiatives.

The UK took note. In 2019, during a review of the UK audit industry, Sir Donald Brydon stressed the necessity of similar changes this side of the Atlantic. Citing the need for major listed companies to provide statements on their internal controls over financial reporting, Brydon suggested a UK version of SOX, and in March 2021, the Department for Business, Energy and Industrial Strategy (BEIS) responded to interest in the measure with a new white paper, in which the Secretary of State for BEIS confirmed his determination to “reinforce the UK’s position in the wake of large corporate failures that have led to job losses and uncertainty among small businesses and local communities.”

What your business needs to know about UK SOX

At the moment, it is somewhat uncertain whether UK SOX will require legislative or simply regulatory changes; the FRC will offer more guidance in due course. If changes are to be made to UK law, it is widely expected these will come into full effect by December 2023, at the very earliest. However, as we have seen previously with GDPR measures, companies with large and complex operations normally take significant time to adapt to such initiatives. After navigating the changes to the workplace landscape brought about by Covid-19 and its aftermath, it is only natural that CFOs are reluctant to think about SOX and control improvements at the moment. However, here at GRG Executive Search, we strongly believe that the time to act is now in order to avoid further issues down the line. Naturally, smoothly executing an internal controls framework in the absence of specific guidelines is challenging to say the least, which is why achieving a successful outcome will require the efforts of the best talent. At the same time, the market for people with the required skillsets is about to get extremely tight, which will result in a large number of companies competing for a limited pool of qualified professionals.

What Skillsets Will UK SOX Require?

Although complex internal controls can take years to fully implement, it’s important to put formal practices in place ahead of time to ensure you have the budget and resources for a practical long-term strategy. In fact, Section 404 of SOX requires public companies to provide annual reporting on the effectiveness of internal controls over financial reporting, as well as to build in internal auditing processes. It’s estimated that the cost of the first year of SOX compliance for a major business within the UK would be between £10 and £20 million, providing even greater impetus to begin laying the foundations. Companies will need experienced, qualified professionals within their finance departments, as well as those with compliance, audit, and accounting experience in large listed organisations. Additionally, it will be of paramount importance to onboard those with an already stellar track record of defining and implementing robust governance and controls, as well as candidates with the necessary experience in supporting large and complex business operations. Companies may well also choose to hire an experienced consultant to oversee the process, to ensure it runs as smoothly as possible.

Looking ahead: Laying the foundations of UK SOX

We’ve discussed some of the reasons it will almost certainly pay off to begin looking at smart and efficient ways of complying with possible new internal controls legislation ahead of time. Which begs the question: how can your business get started? There are some basic steps you should take first.

1. Set up two committees

One for IT, and one for business processes. They can provide technical oversight, help educate the rest of the organisation, and get executive buy-in. What’s more, they can develop protocols as well as organise frequent testing, giving the rest of the team a chance to assess the effectiveness of the programme and make corrections where necessary.

2. Be proactive

Have conversations with your CFO, board, or audit committee, and walk through how your controls framework is operating today. Perhaps most importantly of all, ensure you have the right tools, technology, and people to prepare you for the challenge ahead.

3. Establish your foundation

Collaborate with all the divisions within your business that will be affected by the new initiatives. Give detailed explanations of what is involved, review each of their roles within the process, and give example documentation where necessary. Select the parts of your organisation that will be most impacted first, and begin building out from there.

4. Start documenting your processes

If you aren’t doing this already, then now’s a great time to start. Begin by encouraging key areas of your business such as HR, IT, and Finance to document their current business processes. Not only will this help with any future SOX activity, it will also have the added benefit of prompting you to take stock of your current ways of working and helping you avoid business continuity issues. And remember, work smarter, not harder: now’s the ideal time to take advantage of some of the technology we use every day for remote working. This is a great and innovative way to document some of your processes.

Public consultation on the measures closed on 8th July 2021, and although the government is considering the options, it’s still not possible to know exactly what the final requirements will be, or even if a UK SOX will be implemented. Regardless, it’s highly likely businesses will need to implement some formal controls and compliance programmes, which is why it makes good sense to be as prepared as possible. The initiatives may be a heavy (and somewhat intimidating) burden to deal with, but by planning out your processes and getting the right people on board now, your business will be in the position to hit the ground running.

If you would like to discuss how we can help source the right talent for your business, or for more information about the market, please get in touch for a confidential discussion.
