Thinking outside the SOX: What do acquired UK companies need to know?

Business acquisitions and compliance are part of everyday life for many companies. But what does it mean for UK businesses when they are acquired by a US-listed company and come up against Sarbanes-Oxley (SOX) compliance?

In PwC’s SOX Centre of Excellence, we work with UK companies acquired by US-listed groups and often get asked about the what, the when and the how of implementing a SOX programme locally. My initial comment is don’t worry, you’re not the first company in this situation and there are best practices and common pitfalls.

But let me answer some common questions here.

When do you need to be SOX compliant?

Let’s assume a UK private business was acquired in August 2019 by a US-listed group with a December year-end. The SEC issued guidance, that people like me call the “SEC FAQ 3 exemption”, which states a group can exclude an acquired business of its SOX programme as of 31 December 2019 (annual report in the year of acquisition) but it will have to be in scope for 31 December 2020 SOX certification (first annual report in the year following the acquisition). This is a decision that group management has to take and I suggest UK management confirm the adopted approach with the group as soon as possible post acquisition.

Do you need to be fully SOX compliant?

It depends on materiality: if the acquired company is material to the group, then I expect most, if not all, business processes will be included in the SOX programme. This is not something UK management can assess. It is a group decision and my advice would be that UK management contact the group SOX leader early on to understand the expectations.

What does it mean for financial reporting?

Now you are part of a US-listed group, you will likely prepare and report your reporting package under a group accounting manual. My advice is to start performing an assessment of the differences between the old and new reporting framework as soon as possible. The devil is in the detail and I advise you not to underestimate the time it takes to perform this assessment.

What are the factors that lead to success?

Without a doubt, companies that successfully implement a SOX programme from scratch master the three following elements:

Don’t wait to get started

The longer you wait, the more challenging it is likely to be. I suggest you start early by performing a gap assessment to identify any critical SOX gaps so both UK and group management are aware of the potential challenges regarding capabilities and capacities.

Involve your auditors early

Auditors may want to take reliance on controls as part of their audit. You will need to work with them to harmonise your expectations and agendas

Own your programme

A successful SOX programme implementation has the right structure in place to govern the process. It does not have to be a large governance group but all key stakeholders have to be involved. You will also need to identify business process owners and control operators to empower them and train them on what SOX is about.

What is the most common mistake I encounter?

By far the most common mistake is underestimating the time it takes to adopt a SOX programme. Implementing new controls and new processes is “easy”; changing behaviours and empowering your people will take a lot more time. I usually say it takes three years to fully benefit from implementing SOX.

It would be a lie if I were to say that the first year of SOX implementation is going to be straightforward. SOX is a journey and these are recipes to help make the process a success. Hopefully this information is useful.