Watch the recording: A UK Sarbanes-Oxley regime?

Transcript

Andy Kemp: Today I’m here with Iain Robinson, a partner in Digital Audit who specialises in SOX and Internal Controls. Iain and I are discussing the rather hot topic of strengthening the framework for internal controls in the UK.

Developing a UK version of the US Sarbanes-Oxley, or “SOx” regime was recommended by both Sir John Kingman in his review of the FRC and Sir Donald Brydon, in his review of the quality and effectiveness of audit, with Sir Donald concluding that the CEO and CFO should make an attestation to the Board on the effectiveness of internal controls.

There are a number of questions around how this could work in the UK and the extent to which it should be applied.

Iain, what are the key questions you think need to be answered as a UK framework is developed?

Iain Robinson: I’d say there are 5 key questions Andy.

Firstly I think there needs to be careful consideration of the scope of any enhanced UK regime. Should it cover only internal controls over financial reporting, as it does in the US, or should it cover broader operational and non-financial controls.

Secondly, to which companies should it apply. Should it be limited to the very largest companies, for example the FTSE 350, or all companies where there is a significant public interest, including large private companies?

Thirdly, how deep should the framework go and how rigorous is the documentation, testing and evidence gathering that supports the CEO/CFO attestation expected to be? Is it to an audit standard?

The natural fourth question then is - should assurance over the attestation be mandated? Again like the US should there be an auditor attestation?

Finally, what framework should be used? Should it be COSO as a tried and tested framework; should a new framework be developed; or an existing framework be adapted?

Andy Kemp: Sounds like there are a lot of big questions to consider. What impact do you think a strengthened UK ICFR framework could have on companies?

Iain Robinson: Let's start by looking at what happened with SOx in the US as that gives a really useful indication of what the impact could be in the UK.

The introduction of SOx in the US made an important difference to auditing and reporting.

It drove a much greater sense of accountability in management for ensuring the effectiveness of the company’s internal controls and, as a consequence, has strengthened them.

If I think about the time I spend discussing internal controls with management and those charged with governance at organisations subject to SOX today v those that are not - it’s night and day different.

This in turn improved the quality of both financial reporting and the audit.

Then we’ve seen other benefits such as:

• lower risk of corporate failure
  
• increased investor confidence
  
• increased reliability and resilience of financial reporting
  
• increased oversight responsibility for the audit committee

So the benefits are clear. But SOx did come at a considerable cost for companies both in terms of implementation and ongoing running costs.

Andy Kemp: Would you expect similar benefits and costs in the UK?

Iain Robinson: It depends on the scope and application of the framework.

I think the benefits would be similar, but in order for any UK ICFR regime to be rigorous and implemented consistently, it is inevitable that there will be cost and resource demands and therefore the transition timetable is going to be really important.

But we can learn lessons from the way SOx was implemented in the US to try and minimise this and I do believe companies that do it well will be able to leverage the work to better understand their processes, drive efficiencies and leverage technology much better.

Andy Kemp: Based on your experience, would you recommend a full US SOx regime in the UK, or something less prescriptive?

Iain Robinson: My personal view is that it should be closer to the US style regime, perhaps with a bit more pragmatism around the depth of controls and documentation requirements and I do think there should be a requirement for assurance over it. Otherwise I am worried it will not be robust enough and will lead to inconsistencies in approach.

I think an interesting reference point will be the experience of companies listed on the Johannesburg Stock Exchange as they are required to comply for the first time with a requirement for a CEO/CFO SOX style controls attestation for 31 Dec 2020 year ends.

Finally we need to remind ourselves about what we are trying to achieve. If it’s to mitigate large scale financial fraud (ala Wirecard, Patisserie Valerie) and improve financial reporting quality then a US style regime is absolutely right, however if its to prevent corporate collapse then the requirements are probably going to have to look beyond pure financial reporting and more towards an organisation’s principle business risks.

Andy Kemp: Well, if a strengthened UK internal controls regime does feature in the government’s proposals around audit reform, I’d certainly encourage companies to respond and share their views. As always, we are also here to help you navigate change so if you would like to discuss this further with us, please contact me or your usual PwC contact.