UK SOX: How to Get Ready for The New Legislation
By Yang Zheng at SureCloud
Published on 23rd Jan 2023
In continuation of our piece on UK SOX: Everything Your Organization Needs to Know About Compliance Management, this blog delves deeper into the Sarbanes-Oxley Act (SOX).
SOX is a cornerstone of US governance, introduced to safeguard investors by enhancing transparency in financial reporting for public companies. Enacted in 2002, it has been markedly successful. In fact, the Center for Audit Quality has reported that 74% of US investors express confidence in US capital markets. However, a SOX compliance change management plan is needed to stay on the right side of the promising new UK legislation.
In my last blog on the topic, UK SOX: Everything Your Organization Needs to Know About Compliance, I looked at the expectations surrounding the equivalent UK legislation, colloquially named ‘UK SOX’, which is supposedly due to arrive later this year. There is no firm date for it, but as we get closer to the final version, it’s an excellent time to dive deeper into the benefits of implementing SOX and provide some preparatory steps and key recommendations to help your organization get ready.
Benefits of a successful UK SOX adoption
The number of regulations a company is governed by can be overwhelming, especially if it operates across numerous countries and industries, and adding another piece of legislation to the mix can be stressful. This is especially true when reports suggest that the average cost to maintain compliance can total up to an estimated $10,000 per employee.
While UK SOX promotes transparency so that investors can invest more confidently, there are also wider business benefits if implemented successfully and used as an opportunity to refresh your entire compliance infrastructure.
The top three benefits are:
Reduced complexity – Take stock of what SOX needs and what you already have, and evaluate how you can reduce the number of different control frameworks. If you take these extra steps, the business will ultimately be left with a more concise set of policies that will satisfy its broader compliance landscape and free up resources by reducing duplicate controls.
Standardized documentation – UK SOX will add further accountability to your key players. They will be required to sign that they are happy with the processes and results the company publishes. It will subsequently become more important to have standardized documentation accessible to everyone. After successful implementation, the business can replicate it across the entire compliance infrastructure. This will remediate a key pressure point for many companies that struggle to provide visibility to stakeholders, facilitating much more productive conversations among the board.
Improved efficiency – Compliance is often a shared burden across multiple different departments in a company. But, as SOX doesn’t permit businesses to carry over deficiencies to the next financial year, these teams have no choice but to communicate earlier. Corrective actions will need to be implemented sooner than in your traditional auditing cycle in order to be compliant. This will improve efficiency, reduce unnecessary duplication of tasks and give a stronger view of your compliance landscape.
How to operationalize UK SOX
Thankfully, the UK can see how US businesses have already implemented this legislation and which tactics have worked best. To operationalize SOX, companies should be looking to implement the following into a SOX compliance change management plan:
Educate your C-suite and board – As mentioned previously, one of the benefits of introducing SOX is better communication and visibility among your C-suite and board. Therefore, one of the first steps a company should take when looking to operationalize SOX is to explain the governance, how it will impact the business, and what your priorities are as a result.
Establish a UK SOX steering committee – If compliance is conducted in silos, as is common, aspects can be missed, and conflict can arise over how things work: for example, how the company manages testing, control changes and documentation. This transition will be much smoother if a steering committee is elected. It can comprise representatives from all parts of the business, or just senior stakeholders and selected department representatives. With a steering committee in place, the committee can agree upon a vision and then prepare a roadmap that benefits the entire company.
Embed a risk and control culture – If you want UK SOX to transform or improve the way risk and compliance management is handled, then you need to start by understanding the associated risks and then defining the controls that address them. This is achievable by giving your team the right combination of equipment, support and data so that they can attest to how these controls operate on a day-to-day basis.
Your risk and compliance frameworks may still be applicable under SOX
In many instances, companies already use risk and compliance frameworks that will still be applicable under UK SOX. Businesses don’t need to create different activities and tasks if they meet the requirements. If there is overlap, it’s an opportunity to reduce repetitive processes. Companies need to start assessing their current actions and evaluate how the compliance management workload will shift.
Start planning for UK SOX compliance now
The most important takeaway from this discussion is that it’s not too early to start planning for the move. While we don’t have any exact dates on when UK SOX will arrive, we do know that it’s coming soon and that it will be mandated. Businesses should take advantage of this time to prepare.
Ask yourself questions such as:
Have I got the teams in place to deal with this style of control testing?
Do I have the skillsets and tools to review operations thoroughly?
Do I have a joined-up process of risk and control taxonomy?
If not, then you need to look at how you can start putting these strategies in place, whether by utilizing a GRC tool or building a manual strategy that has the capacity to manage the robust, consistent and repeatable nature of UK SOX.
How can SureCloud help?
SureCloud offers a combination of compliance software and services to guide you through your SOX compliance change management activities. GRC is what we do, which means our expertise will keep you on the right side of regulation and uncover opportunities to improve your risk and compliance posture.
To learn more about UK SOX, and get insights from our team on compliance-driven best practice, catch this episode from our Capability-Centric GRC & Cybersecurity Podcast.