
For many years now, the UK audit industry and the Financial Reporting Council (FRC) have been looking to design a UK version of the US Sarbanes-Oxley Act (SOX), a piece of US governance legislation first brought into law in 2002. In March 2021, the Department for Business & Industrial Strategy (BEIS) published a whitepaper setting out its proposals for a UK equivalent of the US SOX legislation. Designed to restore confidence in the auditing of listed companies and to protect investors from fraud, UK SOX, once brought into law, would require UK listed companies to adopt a more rigorous internal control framework in which directors attest that internal controls are robust and effective, so that the company’s financial statements can be relied upon. Many assume that achieving SOX compliance will be a herculean task: a complex and costly endeavor that puts an untenable strain on already stretched resources. However, Yang Zheng, Senior Director of Customer Success, says the good news is that, through proactive planning and clever implementation of the right technologies, businesses won’t just be able to minimize the impact of UK SOX; they will actually be able to benefit from it. Rather than allowing UK SOX to become additional reactive, administrative overhead, a business that implements a successful SOX strategy can redesign its risk and compliance culture to proactively manage its entire GRC landscape.

What is the timeframe for UK SOX? 

Though the government has outlined its intentions to bolster Britain’s compliance landscape, the exact timeline for the implementation of UK SOX remains unclear. The lack of certainty is understandably unnerving, but we can look to our US counterparts for guidance on what the roadmap to UK SOX might look like. 

Drawing on experience from the US, we can see that companies had two full years of reporting to prepare for SOX compliance. Given that we don’t expect legislation to be finalized until some point in 2022, the earliest that listed companies will need to be SOX compliant is 2024. If you are a listed company in the UK, then you need to proactively prepare your UK SOX strategy from the first half of 2022, allowing adequate time to lay the foundations for operationalizing UK SOX and to implement technologies that will help you achieve a future-proofed risk and compliance solution.

What does this mean for your business?

Whether it’s the evolving nature of business or the leveraging of new technologies, the compliance landscape is constantly shifting. There are more challenges today in the security and compliance world than ever before, so it’s easy to see why so many view UK SOX as an additional headache.

But the implementation of UK SOX is not without its benefits. Not only would the legislation provide us with a more detailed and controlled compliance environment, it would also improve documentation, increase audit committee involvement, standardize processes and reduce complexity. 

However, those benefits will only be achieved by taking a proactive approach to risk and compliance and using the run-up to legislation to understand how different regulatory needs can be simplified, together with the amount of testing and evidence collection that will be required.

Technology can also help. Implementing the right system, or stack of systems, can greatly reduce the strain by automating tasks and providing ongoing monitoring across an entire organization. This will, in turn, save you time and money, allowing you to reallocate your resources to achieve other business benefits. 

Taking a proactive approach 

If we consider the US case, the companies that have thrived since the introduction of SOX were those that have understood the bigger picture. These companies haven’t just focused on providing the auditor with the information they need, but on wider objectives from across the compliance landscape. This broader approach means that SOX can become a catalyst to mature your existing risk and compliance culture, or develop new ways of working that maximize your return on investment.

Proactivity is key. Though your organization may be years away from having to tackle SOX, by acting now you can lay the foundations of frameworks that will enhance your entire compliance infrastructure. This means that instead of operating reactively to address any issues that SOX may create, you are proactively monitoring your business, identifying any areas in which you may fall short and taking action before you even begin your end-of-year reporting. 

Choosing the right tool for the job 

Today, most listed companies utilize large technology stacks in order to monitor different areas of risk and compliance. But to fully operationalize your approach to UK SOX you need to expand these frameworks and look beyond what the auditors might look for, instead considering localized risk factors from across your entire operation. 

There are a number of modern GRC tools on the market that can help. Platforms such as SureCloud are specifically designed to help you change the way risk and compliance management is delivered within your organization. Covering strategic planning and process automation, they are designed to seamlessly integrate with your existing systems and level up your compliance culture.

The current best-in-class GRC tools do this through a process of continuous control monitoring. This means that they are constantly evaluating all aspects of your business and feeding them back into one central point of evaluation – a single source of truth that gives you a line of sight on compliance across your entire operation. 

Because everything is centrally managed you can adapt your current processes to any changes in the legislative landscape. That means that understanding how your organization will be impacted by UK SOX can be rolled in with your existing compliance activities, greatly reducing both time and expense. 

Continuous monitoring also means that you can react to issues in real-time. By taking steps to implement these processes now, your company will understand how the current risks within the business map onto UK SOX, enabling you to proactively remediate problems before they become a compliance issue. 

SOX isn’t a burden, it’s an opportunity 

The uncertainty around UK SOX and its impact on the risk and compliance community is understandable. While we won’t have concrete information on specific rules and regulations until any legislation comes into effect, businesses can work proactively using existing frameworks and evidence from the US to prepare for the future. By implementing new technologies and laying the foundations of your processes now, you can get a better picture of what your roadmap to compliance looks like. It’s an investment that will not only harmonize your compliance strategy, but save you valuable time and resources when the standards are eventually finalized. 

For more information, check out our recent webinar here to find out how your organization can operationalize UK SOX.
