
On the 18th March, the Government’s Department for Business, Energy and Industrial Strategy (BEIS) published its proposals for restoring trust in the UK’s audit and corporate governance regime. This consultation comes at an important time, as the UK seeks to attract foreign investment and to maintain its status as a leading place to do business. To discuss what this means for UK businesses, host Emily Khan is joined by two specialists, Jonathan Lucas-Lucas and Semsi Sonmez, who are closely tracking what’s been happening and working with clients to help prepare their response.
Emily Khan:
Hi everyone and welcome to this episode of our Business in Focus Podcast. I am Emily Khan, a director at PwC, and I am your host for this episode. One of the many things delayed by COVID-19 has been the announcement of the next steps following the review by Sir Donald Brydon in 2019. Whilst many of us may have been looking forward to receiving our COVID vaccine or returning to the office in the Spring, the accountants among us have been awaiting clarity on whether or not the recommendation to implement a form of UK SOX, shorthand for the Sarbanes-Oxley Act currently in place in the US, will be taken forward. Finally, last week, on the 18th of March, the Government's Department for Business, Energy and Industrial Strategy published its proposals for restoring trust in the UK’s audit and corporate governance regime. Here at PwC, we welcome this consultation as a crucial step in maintaining trust and confidence in the UK’s reporting and regulatory frameworks. It comes at an important time as the UK seeks to attract foreign investment, and to maintain its status as a leading place to do business. I am delighted to be joined in our virtual studio today by two specialists, who are closely tracking what's been happening and working with clients to help prepare their response: Jonathan Lucas-Lucas and Semsi Sonmez. We are still, for now, all working from home. Welcome both of you, and I'd like to start by asking you where you are in the country today, and how you are doing? Jonathan, I'll come to you first.
Jonathan Lucas-Lucas:
Thanks Emily. Hello everybody, as Emily mentioned I am Jonathan Lucas-Lucas, a partner in our governance, risk and controls team within our PwC risk practice. I am leading on PwC’s UK SOX implementation support for our clients. I am currently located deep in the Surrey countryside, a far cry from the hub of corporate regulation. Pleased to say it's a really sunny day here, and spring appears to have finally sprung.
Emily:
Great, and Semsi, how about you, welcome.
Semsi Sonmez:
Hi, Emily, thank you so much for having me here. I am Semsi, as you said, I am a digital audit director and I specialise in running global SOX audits. I have also helped many organisations implement their US SOX programs. I am currently at home in Greenwich in London, and the sun is shining outside. I actually had my COVID vaccination yesterday, so I'm really excited at the moment.
Emily:
Brilliant, well thank you both for joining me today. I am looking forward to getting into this conversation. I have to start with a confession: with the government's proposals published last week, 200 pages, I think, or thereabouts, I haven't read them all. It feels like we've been waiting for such a long time for them now. I am sure, Jonathan, that you have already, so perhaps you could bring us up to speed on what the headlines are in the proposals to get us going.
Jonathan:
Brilliant, yes thanks Emily. No, you're right, it was a 232-page document, and a lot of time was spent digesting that material over the weekend. We won't have time to go through the whole content, you'll be pleased to hear, but I will draw upon some of the key highlights for you now. Just worth reiterating, this is a consultation document, and these changes haven't yet been mandated. The document itself is open to comment from anyone for 16 weeks from the 18th of March. So, look, some of the key highlights. First of all, there is discussion in there around strengthening the role and responsibilities of audit committees, and subjecting them to more regular scrutiny and potential inspection and observation of their activities. Secondly, there is this discussion around the requirement for an audit and assurance policy. That's going to set out what assurance is being commissioned, or not, over the whole annual report and other corporate information. It also talks about the requirement for a managed shared audit regime for FTSE 350 companies that have a big four firm as their lead auditor. There is also discussion around the requirement for operational separation of the largest audit firms. Further, there is also discussion around a new, separate corporate audit profession to be established, effectively separate from the accounting profession, something that's really new that was discussed in the document. Now, most critically for this discussion, all directors of public interest entities are to be held accountable for their reporting responsibilities and will be subject to increased regulatory scrutiny and enforcement powers. It goes on to further clarify that a new regime for internal controls over financial reporting, which is now widely badged as UK SOX, could be coming in the future.
Emily:
Gosh, that's quite a lot in there, then, quite a list of changes and proposals. I can imagine you've been inundated with questions about those; was it 236 pages and all those changes?
Jonathan:
Yeah 232, that's absolutely right. The key question that I'm still getting asked, that I've been asked actually from the first paper, was simply, ‘will I be in scope?’ The initial expectation last year was that a potential UK SOX mandate would impact companies in the FTSE 350. However, the latest consultation papers have gone further than that, and it's actually saying that the new regime would initially apply to premium listed companies, and then would be extended to all PIEs after two years, so considerably broader than the FTSE 350.
Emily:
Okay, and tell me a little bit more; you used a couple of acronyms there, premium listed and PIEs. Give us a moment on those definitions.
Jonathan:
Yeah, this is another point of clarification. Premium listed companies are equity issuers in the FTSE 100, FTSE 250, and the FTSE small cap, and they have to meet much stricter standards than other equity issuers. Interestingly, PIEs have been described as entities whose transferable securities are admitted to trading on a UK regulated market. They also cover credit institutions, aka banks, but also insurance undertakings. However, the key thing actually coming out of this consultation is that this PIE definition should be extended to include more organisations; that's going to mean a lot more companies can potentially fall into scope.
Emily:
Okay, so if they are in scope, tell us a little bit more about what that is actually going to mean for directors in those organisations in terms of the requirements the proposals contain.
Jonathan:
Yeah, so in terms of the actual requirements, BEIS have explored a few different options in this paper for a new internal controls regime, with varying degrees of auditor involvement. What I'll do is, I'll just pick out their preferred option here, and that's that the directors would need to make an explicit statement about the effectiveness of their internal controls over financial reporting, and as part of this statement, they would need to explain the following. Firstly, how they carried out their assessment; secondly, details of the outcome, including details of any deficiencies identified; thirdly, the benchmark system used to make that assessment; and fourthly, how they actually assured themselves it's appropriate to make that statement. Just to go on from that, it's worth saying also, any decisions about whether the directors’ attestation should be subject to external audit would need to be explained in the company's audit and assurance policy, although external audit of this statement itself would not be mandated.
Emily:
Okay, Semsi, perhaps we can bring you in here, because you work in the context of external audit. What are you hearing from companies at the moment, and their concerns and challenges, or points of interest, in these proposals?
Semsi:
Yeah, Emily, companies are still digesting what the recommendations in the BEIS consultation will mean for them, but there is an overall agreement that a UK SOX-like regime will be on the cards. Reading through the BEIS consultation, there are three key areas to consider for organisations in light of UK SOX implementation. The first one, that Jonathan covered, is around the company directors’ requirement to carry out a review of the effectiveness of their company's internal controls. The second one relates to the audit report, which needs to describe the work the auditors are already required to do to understand the company's internal control systems, and we do that, and I do that currently, to the extent needed to perform the audit, and then to state how that work has influenced the audit, but without a formal audit opinion on the internal controls' effectiveness being required, which is a little bit different from how the US SOX equivalent works. The third point relates to the auditor being required to provide a formal opinion on the directors’ annual attestation about the effectiveness of the company's internal controls, potentially limited to key controls over financial reporting, or even a subset of that, but those are the things that need to be clarified as the consultation goes.
Jonathan:
Yeah, thanks Semsi. It's worth adding, this proposal, if implemented, clearly could be a major change for impacted companies. Our experience in the US is that the workload for directors and management teams in implementing the SOX rules is really significant, but it's not all doom and gloom; the regime also drove substantial improvement in the quality of financial reporting and control.
Emily:
Which is clearly the aim of these proposals here in the UK as well. That’s a really helpful setting of the context of who is in scope and what the change could look like if these consultations go through. I am interested in the considerations you're hearing from the organisations that you're working with; how are they approaching that set of changes now?
Semsi:
Yeah, Emily, I've had several conversations with the organisations I work with from an external audit perspective, and companies have a lot of questions, but also considerations, and a couple of them are around the scope. Careful consideration of what the scope of any enhanced UK regime actually means for them: is it going to go beyond the internal controls over financial reporting, is it going to cover broader operational and non-financial controls? Then application: Jonathan talked about ‘am I in scope, will I be in scope, which specific entities will be in scope if I am in scope?’ All of those considerations, our organisations are getting ready to have an assessment around. Then the other one is around standards. In the US SOX-like regime, there are standards and audit frameworks around COSO that have been applied. It's thinking about that framework: is it actually COSO that is going to be applied, or is there a new framework that is going to be applied? Then looking at that assurance model, and we touched on that really slightly, but what does that assurance model look like for that attestation? It's not necessarily mandated in the consultation, and therefore, what is that model going to look like for the UK; are organisations wanting those external attestations, as there will be a requirement for the directors to actually attest to their own internal controls? I guess there are also some concerns, Emily, when I talk to them. Some of those concerns that immediately spring to mind with those organisations, especially coming out of the economic instability from COVID, are the investment and resources needed to implement it, and the timing of implementation. These types of implementation can take two to three years.
Also, what cultural transformation will be required, and the capabilities: technology capabilities as well as internal SOX, internal controls and risk capabilities, and how they can actually be ahead of that game. But yeah, those are the things that I am hearing at the moment.
Emily:
Right, okay, and it sounds like there are a lot of questions still in there, and actually, a broad scope of change to be looking at, as you said, as we are emerging from this period of disruption that affected all businesses. Jonathan, maybe give us a flavour of your views on what businesses could be doing to address those challenges, and maybe how this could be a driver of benefits as they transform their compliance function as we emerge from COVID?
Jonathan:
Yeah sure, thanks Emily. The key thing for me is to start early. It's really important companies don't underestimate how long it will take to implement this framework. SOX implementations that we've worked with in the past can take anything from 18 months up to 3 years, and sometimes even more than that, to get to a suitable point for attestation. Leave yourself enough time to perform things like testing dry runs of your control operations, without an immediately looming attestation deadline right ahead of you. That makes an implementation program much more likely to succeed, not to mention a whole lot less stressful. The other thing to pick up is around timetabling: set out a clear roadmap, you can do that from now, there's no reason to wait. Set out a clear roadmap of what the next few years look like, so that when that mandatory implementation comes in, you know exactly what's ahead of you, rather than simply speculating. I'd also say really take a risk-focused approach; that's really important. All companies have different risks with varying levels of complexity, but it's so important to ensure that all key risks are identified and remaining risks are identified and prioritised, to ensure that management's time and focus can be spent on mitigating controls in exactly the right areas. Getting this investment of time upfront, focusing on the right risks, will save a lot of time down the track. The other thing is around technology and, to be fair, Semsi, you are probably best placed to pick this one up. What are your thoughts on technology?
Semsi:
Yeah, Jonathan, thank you. Technology, from what I see currently with organisations, is really used to eliminate that manual effort, but also to increase the robustness of control environments. When considering technology in the upcoming UK SOX regime, organisations should really consider, first of all, how do I get technology embedded from the start to manage the program, including a repository of processes, controls, the attestation that needs to be done, and actually automating as much as possible of that. But then, second, there is also the use of technology to automate controls. We are seeing in the US SOX landscape very much a change, where manual controls are being replaced by RPA technology or AI technology, and actually thinking that through at the outset of designing your controls, and making sure those are embedded, will be quite a key success factor. At the moment, what I am also seeing is that some organisations are starting to revisit their current technology solutions and assessing whether they are actually getting the investment, or the value out of the investment, that they have, because I've come across quite a lot of organisations that have got risk and governance solutions already implemented, but are not necessarily using them to the benefit of the organisation. Organisations should assess the use of that current technology and ensure the readiness of those solutions, and SOX will be a massive catalyst to do this, and to secure those resources, those investments, that they need to do so. This will allow, from my perspective, organisations to initiate that broader transformational change that is welcomed by all of the organisations.
Emily:
I was just going to say there's quite a list there of things to think about. What would your advice be to leaders who are just starting to get their heads around the scope of that change and the roadmap ahead?
Jonathan:
Yeah, that's a really good point. The technology is really important, but the cultural mindset that organisations need to get into is equally important, if not more so. Don't underestimate the mindset shift that's required; it's really important to assign roles and responsibilities to the right people up front, and make sure you are upskilling your teams across your organisation, not just focused in finance, but consider roles outside in operations and commercial teams as well, because those are the people that will be least familiar with these implementations and regulations. We often find finance teams grasp the requirements quickly, but it's those beyond there where the struggles lie.
Semsi:
Jonathan, if I can add to it, I've seen a lot of organisations where SOX is seen as an add-on and an afterthought, and therefore an activity that is done at the end of the day. This drives costs, but it also doesn't drive that cultural mindset change that you talked about, that is really required to obtain the benefits: the benefits of transparency of financial reporting. In my view, and based on my experience, best-in-class SOX programs have clear responsibilities, defined control owners who understand the associated risk, and controls that are performed as part of their daily activities. They don't see it anymore as, ‘oh, I have to do this for SOX compliance,’ but they do it because they know that this will mitigate the risk of error, and organisations have used SOX to their advantage, and I've seen great benefits, and it has been classified as a no-regrets investment that they have made.
Emily:
I really like the reference there to no regrets, and it really chimes with the findings of our CEO survey this year. I am sure you've both seen some of those findings, but they very much highlighted that even coming out of this time of economic uncertainty, UK business leaders are investing in areas where they can see that there will be a catalyst for positive change, and as you said, a no-regret decision. I am conscious that time is ticking by here, so maybe I could ask each of you for your top no-regrets activity that businesses could start now, to move towards those best practice approaches to the compliance you've just been talking about. Jonathan, maybe can I come to you first?
Jonathan:
Sure, again it's a question I get often: where do I start, what should I be doing now? Companies are reluctant to invest too much into this, because they are still waiting for the final implementation, but I would urge companies to perform a maturity assessment over their internal controls environment. You know, that's never going to hurt; doing that, understanding where you sit, where the pain points are, areas that need more focus, irrespective of UK SOX implementation, that's something that is really valuable, and something we'd be able to help with as required.
Emily:
How about you, Semsi?
Semsi:
Yeah Emily, I could probably talk for hours on SOX, so I'll keep it short. For me, in addition to what Jonathan said, the biggest other no-regrets investment is for organisations to also look at the broader organisational changes that will be required to allow the directors’ attestation: what do they need to put in place at the different entity levels, at the different process levels, for the directors to attest that they have got an effective internal control framework? While the BEIS consultation is progressing, I would recommend that organisations take this as an opportunity to look at those gaps and to look at those organisational changes.
Emily:
Okay, that sounds like a really clear call to action from both of you: know what you're up against and get clear on what you're working with. That's going to draw us to a close of this episode of Business in Focus. Thank you both, Jonathan and Semsi, it's been a fascinating discussion; we've just about scratched the surface there. Thank you to everyone for listening.
As Jonathan and Semsi mentioned, there is real benefit in acting quickly to get your internal controls over financial reporting in order, because it very much looks like change is coming. To find out more about how we can support you with any aspect of UK SOX or compliance transformation, do visit the governance, risk and compliance section of our PwC website.
Finally, don't forget to subscribe to keep up to date with future episodes. Thanks everyone, stay safe.