UK SOx: Internal Controls FAQs

The Government’s proposed corporate governance reforms, including stringent new internal controls requirements, will raise the bar for UK businesses.

With the final details not yet known – even if the overall direction of travel is clear – the proposals raise many questions that business leaders need clarity over. This was evident from the Corporate Governance Reform webinar we held on 26 March, when participants put forward a wide-ranging series of questions.

What do the internal controls requirements mean in terms of individual director responsibility? What are the likely timescales, and what actions should businesses be taking now? What does the experience of companies complying with US SOx teach us? And many more.

To help clients get to grips with what lies ahead, we’ve collated the range of questions we received together with our responses. The most commonly asked questions are below. To access the full Q&A, simply download the PDF attached at the bottom of the page.

Richard J Andrews

Head of Environmental, Social and Governance (ESG)

The White Paper does not include any timeframes for when future requirements would enter info force. From our US experience, companies typically have two full reporting years before they are required to be SOx compliant. So, if UK legislation is finalised in 2022, it would not be unreasonable to assume a 2024 year-end start for premium listed entities. The Government's preferred option is for the new requirements to apply to UK PIEs two years later.

Q2. Does the White Paper specify what controls will be covered by the directors' attestation, for example only internal controls over financial reporting?

The White Paper consults on three options for the areas covered by the Directors' Attestation:

1. All aspects of the company’s internal control and risk management procedures; or
2. Limited to the internal control structure and procedures for financial reporting (similar to US SOx); or
3. Limited to a subset of the internal control structure and procedures for financial reporting, focusing the auditors’ work only on priority areas of particular interest to investors. (similar to a SOC1).

The Government's preferred approach is option 2.

The White Paper explicitly links the attestation Directors will need to make to the enhanced oversight regime over Directors by ARGA. It focuses on whether the attestation is misleading and flows through to potential civil penalties (e.g. clawback / malus provisions) and the ability for the regulator to pursue an investigation and enforcement measures.

Q4. Will we need to implement a controls framework over ESG, fraud, payment practices and other disclosures, and how can we do this in the absence of a defined standard?

There are a number of disclosures in the Annual Report and Accounts which go beyond areas covered by the statutory audit, including those over sustainability and corporate governance. The White Paper introduces the requirement for a publicly available Audit and Assurance Policy which will set out how the directors get comfort over all disclosures in their AR&A, above and beyond the statutory audit, and where this assurance will come from over a three year period. This policy will also need to describe tendering arrangements for external audit and the role and scope of the internal audit function.

Q5. What action would you recommend we take now, ahead of the legislation being enacted, and how can we avoid potential costly re-work once the specific requirements are known?

The White Paper sets out the governments preferred option which really feels like a "minimum" position that companies will need to achieve. The challenges really come around the scope of controls and the framework your use. Our view is that it would be sensible to assume that:

1. Management will need to given some form of annual statement externally about the strength of internal controls over financial reporting
2. While there may or may not be be a requirement for auditor review and / or opinion in relation to that statement you would be wise to work on the basis that your controls and documentation to support those controls should be of an 'auditable standard'
3. Whilst you may be able to select the framework you use, given that COSO 13 is widely recognised as being a strong benchmark and there is lots of support material already in place, this is likely to be the default option for many
4. If you're not already US SOx compliant there will likely be some work that you need to do to support making an external statement
5. Even if you are US SOx compliant, your larger non-listed entities that may currently be scoped out (perhaps due to materiality) could well come into scope under any new PIE defintion

There are a number of “no regrets” actions we believe you can take now:

• These changes will require a cultural shift, and tone from the top, clear roles and responsibilities, scorecards, accountabilities, and training will be key Where to start: Educate your Board on what this will mean for them - this will likely be well understand by the CFO and perhaps others but the impact of these proposed changes extend well beyond finance.
• Be very clear as to the benefits you expect to drive. Our experience from other countries including the US is that those who see this as an opportunity to transform (and not simply as a compliance exercise) are the most successful. Where to start: set out a clear benefits case and use this to help your organisation to understand 'why' they need to change and not simply 'what' they need to change.
• Take a look at any ongoing transformation programmes that you have runnning now. Are you addressing internal controls requirements already? If not, you should be as retro-fitting these later will cost you up to three times more Where to start: Review your ongoing programmes. Do you have an internal controls workstream? Have you got internal controls SMEs embedded in the team? Review the approach and resourcing to ensure you address internal controls now.
• Get your risks right, Where to start: Agree your principal risks in line with your future strategy and business model, starting with the key risks with a financial statement impact. If you don’t know where your principal risks are you will end up with the wrong control environment.
• Invest in the 1st Line of Defence, Where to start: Establish your control owners and process owners now. These are people who understand the end to end finance processes, risks, associated controls and the supporting technology and tools. They need to operate a “show me don’t tell me” mindset to start embedding good governance over your controls early on. Culture and good governance together are what will stop controls from failing.
• Define your key risk indicators, Where to start: Can you confidently list your top 10 financial & IT controls? Do you know which processes present the highest risk; and therefore, need the most attention? Define your key risk indicators upfront with a balance between lagging and forward-looking indicators. This will help prioritise your efforts so that you are focussed on what matters the most.
• Standardise & Automate, Where to start: There are easy wins to standardise processes, controls and leverage technology to drive resilience and efficiency. You can drive down the cost of controls if you really maximise the power of your systems. Our KPMG Powered solution defines leading practice for you and is a great starting point!

Attracting niche talent during transition

We supported a global Life Sciences organisation in completing a bolt-on acquisition of a target business that was dedicated to developing gene therapies for neurological genetic diseases. Acquiring talent was a strategic focus and critical to the ongoing production of the therapies, which required niche and specialised skills. It was vital this wasn’t impacted by the integration. Following the transaction, the acquired company-maintained control over all recruitment activities. That meant it could continue to attract talent and compete onboarding quickly, during a period of transition, without having to align to new, global processes. This allowed the integration to deliver on deal value and mitigated the impact on innovation, product development and production.