Recent corporate scandals, including BHS, Carillion, and Patisserie Valerie, resulted in 14,900 job losses. In response, the UK government introduced a corporate governance reform similar to the US Sarbanes-Oxley Act (SOX) of 2002.
It aims to establish better internal controls in big companies and reduce corporate failures. The reform received mixed feedback and left many questions open. So this time, we will explain the crucial changes coming from the new UK compliance regulations and how to respond to them correctly.
What is SOX compliance in the UK?
UK SOX is the colloquial name for the UK auditing overhaul introduced in March 2021 by the former Department of Business, Energy & Industrial Strategy (BEIS). BEIS published a 200-page UK SOX white paper with proposals to reform corporate governance.
Businesses called this reform “UK SOX” because it resembles the US Sarbanes-Oxley Act of 2002, which enforced stricter internal control practices in the corporate sector.
The UK’s new audit control system will apply similar approaches to improve accountability and risk management in the business sector.
SOX compliance: UK equivalent regulations explained
The UK government’s draft Audit Reform Bill aims to create the Audit, Reporting and Governance Authority (ARGA) to replace the Financial Reporting Council (FRC).
ARGA will become the leading audit authority supervising compliance with the reform. It is also expected to challenge the dominance of Deloitte, KPMG, PwC, and Ernst & Young, which provide auditing and accounting services to 97% of FTSE 350 companies.
Following the business feedback on the government’s 2021 white paper, BEIS published regulatory updates to its proposals in June 2022. BEIS reworked some rules, so we summarised the main changes and requirements below.
PIE definition
The reform modified the definition of public interest entities (PIE), introducing a new threshold of £750 million annual turnover and 750+ global employees. Entities other than companies can also qualify as PIEs if they fall under this definition.
ARGA’s responsibilities
The reform gives ARGA the power to do the following:
- Monitor and regulate how the C-suite, board directors, and managers of existing and new PIEs fulfil their duties on SOX reporting.
- Review corporate governance reporting documents, including the annual report and accounts (ARA), director remuneration reports, chairperson’s statements, and board minutes.
- Investigate and sanction directors if they breach their audit and corporate reporting duties. It will be able to disqualify directors for 15 years.
- Change ARAs without the court’s permission and publish its findings. Companies will be able to dispute ARGA’s decisions.
Check the legal requirements for board minutes to prepare for ARGA’s corporate reporting reviews.
Material fraud statement
PIE directors will report the steps to detect and prevent material fraud. Meanwhile, external auditors will report on the efficiency of PIEs’ fraud detection activities. They will ensure these activities are relevant, accurate, and effective. Audit firms will also report on their steps to detect fraud.
Resilience statement
Companies will be required to make annual resilience statements (RS) within their strategic reports of ARA. These RS must contain the following:
- Short- and medium-term material challenges threatening business resilience, as assessed by the directors both before and after risk mitigation actions. Companies should explain the materiality of these challenges.
- Reverse stress testing outcomes. Companies must perform at least one reverse stress test to identify the circumstances leading to the potential business failure.
Disclosure of distributable reserves
Companies will state the total amount of distributable reserves (dividends) in their annual financial reports and include dividend distribution policies in their RS. Where exact sums cannot be calculated, businesses will specify “not less than” amounts of dividends. Here are a few more details on this reform:
- Parent companies will calculate dividends for themselves and their subsidiaries.
- Directors will explicitly confirm the legality of proposed and paid dividends and explain their approaches to shareholder rewards.
Audit and Assurance Policy (AAP)
The new UK audit requirement introduced a mandatory Audit and Assurance Policy (AAP):
- Companies will publish AAPs every three years and make policy implementation progress reports annually.
- AAP will indicate the type of independent assurance (limited or reasonable).
- AAP will not introduce new assurance activities.
- AAP approval will not be subject to shareholder votes. However, companies will explain their choices and how they consider shareholder views on audit and assurance.
New audit committee standards
The audit reform aims to extend ARGA’s oversight of audit committees (AC) within corporate boards. The authority will do the following:
- Set appointment and auditor oversight standards for ACs, including mandatory shareholder engagement in audit planning.
- Ensure standards align with UK regulations, including the UK Corporate Governance Code (formerly the UK Combined Code).
- Monitor AC compliance with these standards through public information and on-demand reports.
- Conduct “operational separations” of large firms.
Internal controls statement
The UK SOX rules will require board directors to provide explicit statements on the effectiveness of the company’s internal controls.
Additionally, ARGA will control how directors evaluate internal controls over financial reporting. It will set benchmarks and procedures for the internal control assessment and define circumstances when an external audit is required.
Which businesses does the UK SOX affect?
The proposed reforms will apply to public interest entities (PIEs). Due to the government’s new PIE classification, over 600 new companies will fall under the scope of proposed reforms, including but not limited to the following:
- Publicly traded companies
- Private and public companies with £750 million annual turnover and 750 employees
- FTSE 350 companies
- Banking firms and alternative investment market (AIM) companies listed on the London Stock Exchange
- Private businesses preparing for IPO
- Companies planning to improve their internal controls frameworks
However, the reforms will not target all PIEs. For instance, smaller public limited companies (PLCs) or premium-listed foreign companies will not need to provide new risk resilience statements.
This creates confusion, and some businesses seek advisory services to clarify whether they meet the new reform requirements.
Which SOX compliance requirements should directors fulfil?
We summarised the crucial requirements for senior management under the “SOX Act for the UK”:
- Material fraud statement. Directors report their actions to detect material fraud and apply preventive measures.
- Explicit internal controls statement. Directors report on the evaluation methods and internal control effectiveness.
- Disclosure of distributable reserves. Companies state and explain the total amount of dividends paid to shareholders.
- Resilience statement. Directors outline and explain short, mid, and long-term principal risks and mitigation actions.
- Audit and Assurance Policy (AAP). Directors publish AAPs every three years and report on AAP implementation progress annually.
The value of the UK SOX compliance regulations to the board and C-suite
The UK’s version of SOX tightens existing legislation and may cost each company $3.5 million in annual auditing fees. However, the UK SOX framework may be beneficial to the board and C-suite in the long run due to the following:
- More insightful financial reporting. SOX reporting standards provide better insights into financial statements, financial operations, business risks, and opportunities. Directors and C-suite will address key risks in a timely fashion and more efficiently due to enhanced financial disclosure.
- More structured management information. Enhanced audit controls will drive organisations to use more digital tools to analyse data promptly and efficiently.
- More confident decision-making. Improved internal controls, resilience reporting, and AAPs provide detailed governance data and contribute to better decisions.
What potential benefits does UK SOX compliance bring to UK companies?
We can estimate the potential impact of SOX regulation on corporate performance based on the American experience. One study from Drexel University evaluated the impact of the SOX Act on corporate performance in the 1991-2006 period based on 89,000 firm observations.
This study found that US companies increased the quality of internal controls by 90% and improved the overall control environment. They also improved several financial metrics, illustrated in the graph below.
How long does UK SOX compliance take?
The UK government hasn’t outlined the effective date for its new audit legislation. So UK companies may form their assumptions and set deadlines based on business experience in the US.
KPMG expects the legislation to take effect within two years after the reform is finalised. Ernst & Young names two to three years as a reasonable deadline.
Here is the current UK SOX compliance timeline.
Milestone | Date
Original reform proposals white paper | 18 March 2021
BEIS’s response to its reform proposals | 1 June 2022
ARGA creation | Postponed to 2024
Audit reform finalisation | Supposedly 2024
Deadline for UK companies | Two reporting years after the reform finalisation
How to prepare for UK SOX compliance?
As for when to start preparing for the UK SOX legislation, many companies began building effective controls in 2022, after the government’s response to its proposals.
Based on our experience, the sooner you start, the better outcomes will be for your organisation. You can take several steps to prepare for SOX standards.
UK SOX application steps | Compliance recommendations
Understand the requirements | 📎 Study the BEIS response to its audit reform proposals. 📎 Hire a consulting service to clarify the requirements for your business.
Assess the current state of your company | 📎 Identify the compliance gaps based on BEIS’s requirements and map SOX controls examples matching your business needs. 📎 Identify inefficiencies in your internal controls and financial reporting systems. 📎 Develop a SOX control readiness plan.
Build internal controls culture around accountability | 📎 Show personal accountability for SOX compliance. 📎 Communicate the reform benefits regularly. 📎 Set clear compliance objectives and manageable deadlines.
Optimise communications | 📎 Build effective lines of communication between the board, C-suite, internal audit teams, management teams, and regular employees. 📎 Centralise internal controls in one connected ecosystem so that everyone receives synchronised data.
Improve the internal control framework | 📎 Define control owners for each stage of your compliance plan. 📎 Fulfil your compliance goals step by step. 📎 Automate internal controls. 📎 Incorporate new compliance standards into the company’s internal control structure. 📎 Conduct regular SOX testing.
Harness the power of technology
According to PwC, automation can eliminate over 45% of manual processes and save over $2 trillion in workforce costs. Therefore, UK companies should seek more automation solutions to improve financial controls and reduce UK SOX compliance costs.
However, based on our experience, they should also digitise their boards to align governance workflows with automated reporting systems. For this, corporate boards can use board management software.
A board portal is a digital workspace designed to simplify many business processes for board directors, from reports to board meetings. Here is how a board portal will help your organisation meet SOX compliance standards:
- Assess compliance gaps. Use centralised document storage to collect and review reports on UK SOX compliance gaps.
- Optimise communications. Plan board meetings using digital calendars and create digital agendas with built-in meeting minutes. Track attendees, vote on critical decisions, and share board materials.
- Support your accountability culture. Assign tasks to board members and executive directors. Monitor board engagement using auto-generated drill-down activity reports.
- Meet SOC 2 compliance. Mitigate digital security risks and meet SOX IT compliance standards with enhanced data encryption, role-based access, and information rights management tools.
Key takeaways
- The UK audit reform resembles the US SOX compliance requirements regarding financial reporting.
- The UK government will create the Audit, Reporting and Governance Authority (ARGA) to supervise compliance with the reform.
- Corporate directors will prepare new compliance documentation, reporting on dividends, business risks, auditing policies, internal controls efficiency, and fraud prevention.
- The potential benefits of UK SOX standards include better firm performance and smoother board governance.
- UK companies should take compliance steps as soon as possible and harness the power of automation tools.
- Board management software can significantly simplify the transition to new UK audit legislation.
Board-room.org recommends iDeals Board as a reliable and affordable solution for the UK SOX compliance journey. Our analysis of this product showed that it offers top-notch security and centralises board communications, from document sharing and meetings to voting, board minutes, and post-meeting routines.
FAQ
Does Sarbanes-Oxley apply to UK companies?
✅ The Sarbanes-Oxley Act doesn’t apply to UK companies. However, the new UK audit legislation regime is similar to SOX. As a result, businesses named it the “UK SOX” reform.
When will the new UK SOX requirements come into force?
✅ New UK SOX regulations will come into force two years after getting finalised.
What should directors do to comply with UK SOX?
Board directors and C-suite directors have to take the following steps to comply with the UK SOX:
- Report on the steps to detect and prevent material fraud in the fraud statement.
- Report on the effectiveness of internal controls in the internal controls statement.
- Report on the business resilience challenges and mitigation actions and conduct reverse stress tests in the resilience statement.
- Publish an Audit and Assurance Policy (AAP) every three years and report on its progress annually.
What are the consequences of UK SOX non-compliance?
Directors may face monetary penalties for non-compliance with the UK SOX. But they won’t attest to internal controls personally or face jail sentences.