It is almost 20 years since the Sarbanes-Oxley Act (SOX) was passed in the US. Following a slew of corporate scandals – with Enron and WorldCom arguably the most high-profile – its purpose is to protect all stakeholders from the effects of publicly traded (US) companies failing as a result of financial mis-reporting, whether intentional or not. At the time, SOX was not introduced in the UK, although through the need for compliance by any US-listed foreign private issuers, its reach spread out to some UK companies. But that all looks set to change.
Regulation to restore trust in corporate governance
In March this year, the UK Government’s Department for Business, Energy & Industrial Strategy (BEIS) published a white paper on restoring trust in audit and corporate governance. Driven by the financial scandals and auditing failures taking place in recent years (such as over-stated profits of £326 million at Tesco and a £40 million accounting fraud and ultimate demise of café chain Patisserie Valerie), the message that events of this nature cannot continue to be allowed to happen is very clear: a new and targeted regulation – that will place significant scrutiny on financial reporting controls – is inevitable.
What is uncertain, however, is the form this will take. The current consultation period, in which the industry provides the BEIS with feedback on its white paper proposals, ended on 8 July 2021, and from here the exact legislation will be worked on, with its formal introduction expected to be around 2023.
Despite the current lack of clarity, there is much that UK-listed companies should be doing now to smooth the process and ensure full compliance when the legislation is implemented. What does seem highly likely, based on SOX experience in the US, is that company executives and directors will be held personally accountable for the effectiveness of internal controls over financial reporting, an edict that drives home how critical it is that the related business processes are transparent, effective and widely understood.
Ensuring compliance therefore centres on enabling a strong internal controls environment; this requires moving away from the informal, ad hoc and heavily manual way that controls are currently managed in the absence of a SOX-like regulation. Organisations need to instil a culture that recognises the importance of this objective, by making risk and controls a board-level agenda item, and establishing that the supporting enterprise technology is robust enough for the task.
Laying the groundwork for strong internal controls
Going about a controls transformation programme is a significant undertaking that calls for strategic planning across the organisation, with people, data and technology being the foundations of the process.
Organisational culture can make or break organisational change. Employees from top to bottom within the enterprise need to understand fully why internal controls are important, how their individual roles play a part in maintaining compliance and why these activities need to be an integral part of business life.
Risk and control data is crucial to enable clear insights into any control weaknesses, in order that they can be rectified ahead of the introduction of the new regulation. This data therefore needs to be stored and managed in a way that is transparent and accessible; a siloed set-up can hinder the identification and remediation of potentially significant risks, for example.
Technology-driven internal controls offer tangible benefits; real-time reporting can improve their visibility, while automated controls reduce the amount of manual effort required to be compliant. Within that it’s important to know which automated controls are already available within existing enterprise technology, and ensure that all those that are relevant are ‘switched on’.
Putting these measures in place now establishes an internal controls mindset well in advance of it becoming a compulsory requirement for organisations. As the regulatory requirements become clearer, enterprises can focus on interpreting what the legislation means for their specific control environment, as well as determine the minimum requirements they need to meet, which is important in order to direct and prioritise initial activities and investments.
The voice of US experience
UK enterprises can also learn from almost two decades of SOX in the US, where the first-of-a-kind regulation was introduced into a landscape in which supporting technology was far less sophisticated.
Initially the trend was to go into overdrive, with organisations throwing as many controls into the mix as possible in the hope that enough of them would be effective; the preference was (understandably) to do too much rather than not enough. The result was a lot of unnecessary cost, and over-zealous activity was, in the main, dialled down after a couple of years.
As for the repercussions of non-compliance, the threatened jail term is unlikely to be imposed. But companies that fail SOX audits can suffer share price dips (cue unhappy investors), while the career paths of those at the helm and responsible for the failure are potentially limited.
Take the long view and prepare early
Getting SOX compliant is a lot of work. But investing time, budget and resource in the early days will smooth the path to compliance in the long term. Early preparation will also do away with the temptation to ‘over-control’ (which can impact business operations while adding nothing to the compliance equation). There is no need for hundreds of internal controls; it’s more important to implement the right, risk-based, ones.
Unlike the early days of SOX in the US, technology now has the capability to play a big part in compliance; it can transform sluggish manual controls into lean, muscular automated ones led by an all-important risk-based approach. In short, be informed, be strategic, embrace technology – and start early.