UK SOX (Sarbanes Oxley) impact on business

UK SOX (Sarbanes Oxley) impact on business

 

Regularity compliance has always been a major priority for running a business in the UK. Making executives at top listed companies personally accountable for the accuracy of financial statements would drive better company behaviour and ensure effective prevention against fraudulent activities.

In 2018, the UK government-commissioned review stated that there was a discussion taking place regarding the introduction of a Sarbanes-Oxley style regime in the UK.

In the last few years, there has been a debate about UK Sarbanes Oxley (SOX) potentially becoming the new reality. In the Brydon report, Sir John Kingman recommended that in order to strengthen the UK audit framework, the UK should also have their own SOX Act.

Since the introduction of the Sarbanes–Oxley Act of 2002, a number of global organisations have strengthened their internal IT and Business controls and ensured that they detect and remediate any risks of material mis-statement to their financial statements.

SOX requires top officials to attest that the internal controls of their company are robust enough to ensure all financial statement are reliable and accurate. These assertions would be verified by an external auditor.

Regardless of legislation, it is highly recommended that Businesses across the UK consider implementing SOX type frameworks. It will help them reap the benefits of better risk and control management, process improvements and significant savings that SOX reviews can identify. In many cases ZR Consultants have identified savings that significantly exceed the cost of implementing SOX, these have included revenue leakages, inaccuracies in complex models etc.

 

Legislative Implications

Sarbanes-Oxley provides assurance over financial statements by reviewing all the processes ensuring there are no material misstatements in the financial records of an organisation. Such a framework would mark a significant toughening up of the governance rules by making top executives personally liable for breaches.

Compliance with section 404 of the Sarbanes-Oxley Act 2002 implies that businesses now have to document and attest to their operational effectiveness. This includes reviewing all processes that have a material impact on their financial statements.

The UK has increasingly strengthened its governance to tighten the reporting requirements under the Companies Act 2006. The European Union has also introduced a system that aims to increase the level of confidence and transparency in corporate governance. This results in enhanced investors’ protection for employees, and the public against corporate theft, fraud, mismanagement, and cheating.

 

Business Impact

Implementation of such a regime would raise the standards of corporate governance, financial management, financial accounting, risk management and accountability within the organisations.

They will also be answerable to the auditors, and to make sure that everything goes smoothly, ZR consultants will ensure that the process is as efficient as possible. We focus on addressing the numerous cultural challenges that organisations face in terms of auditing. Here is what you need to get ready:

  • SOX requires a considerable investment of time and robust planning with clearly articulated milestones to achieve any success. So, the earlier you start, the more issues you will be able to address during testing.
  • Secondly, you need to make sure that staff involved in SOX have clearly defined roles. For instance, assigning the roles of process owners, control owners, and control operators.
  • Third, you need to have a clear structure that outlines how you will be monitoring progress. It is recommended you set up a governance forum where risks and issues can be escalated under the attendance of key decision-makers.

 

Why ZR Consultants?

At ZR Consultants, we take pride in delivering only high-quality outputs to organisations within their budget and deadlines. We ensure your expectations are managed effectively, and your business has a strong relationship with both internal and external stakeholders.

For 15 years, ZR Consultants have been delivering SOX, and our performance has always been appraised and relied upon by the Big 4. Accredited with PRINCE2 and ACCA/ICAEW qualification, every member of our team has IT and Business SOX experience.

Our consultants are available to help you regarding any queries you might have and address the challenges you face.

We are equipped with the latest technology and offer you support safely, effectively, and remotely.

Call us on 0208 054 5033 or visit us at www.zrconsultants.co.uk . For a one to one with our CEO please contact Zeshan Raja on 07968 443 471, or email zeshan.raja@zrconsultants.co.uk.

 

 

Top 10 Pitfalls to Avoid When Implementing Sarbanes Oxley (SOX)

Top 10 Pitfalls to Avoid When Implementing Sarbanes Oxley (SOX)

At ZR Consultants we have been responsible for implementing SOX programmes for a number of international blue-chip clients at competitive prices. With widespread discussions around the topic of UK SOX potentially becoming a reality, as well as the number of US acquisitions in the UK increasing, we thought it would be worthwhile sharing the lessons we have learnt over nearly two decades of delivering SOX programmes:

Do Not Leave it Too Late

SOX is a time-sensitive deliverable and which requires various activities to be carried out at specific times during the financial year. This includes scoping, design effectiveness review and testing, operational effectiveness and more importantly remediation of any issues identified during testing. Having a robust plan with clear milestones in place is critical to the success of any SOX programme. When US SOX first came out a number of clients left it too late and were suddenly faced with significant deficiencies at year-end.

Do Not Underestimate the Impact on Your Business

The impact on your staff can be significant; suddenly they will find themselves having to work in new ways and ensure evidence is adequately retained when operating their controls. They will also need to be able to answer numerous questions from auditors. At ZR Consultants we work closely with the business in its entirety to ensure this transitional period is as painless as possible. We have delivered numerous initiatives to address the cultural challenges that SOX presents.

Remediate Any Issues as Quickly as Possible

You have until the end of your financial year to remediate any issues identified. However, this does not mean that you ought to leave matters to the last month of the year, as any remediation must be allowed time to mature and then be re-tested. You also need to ensure that you have enough samples to evidence that the control, once fixed, is now operating effectively. For example, if you have a December 2020 year-end and a monthly control fails, then the latest it can be remediated by is October as it will need to have operated at least two times (November and December samples) before it can be tested to prove it is now working.

Clearly Define Roles and Responsibilities

The roles of all your staff involved in SOX will change dynamically. As a result, it is crucial that roles must be clearly defined. Our SOX Experts generally assign the roles of process owners, control owners and control operators. We also provide training and issue regular communications to remind colleagues what each role entails. Finally, we issue regular communications prior to the commencement of each major cycle of SOX, explaining exact requirements, milestones and deadlines.

Identify an Independent Programme Sponsor

It is important that the programme sponsor holds an adequately senior position in the organisation (e.g. CEO, CRO etc.) and is independent of operating the processes being tested. A common concern we have come across is that most organisations believe SOX should be owned by the finance team. Historically, however, we have frequently found that the majority of issues identified generally are owned by the finance functions, leading to a potential conflict of interest. This manifests particularly in awkward conversations when informing the Head of Finance (who is also your project sponsor) that the controls in his or her area are failing.

Define Your Materiality

This is crucial in order to identify the processes and businesses that need to be in scope for SOX. It is critical that this is agreed with your external auditors from the start. Also clearly define (preferably in a fully documented SOX methodology) how you plan to rate any issues you identify. For example, an issue identifying an error of £2,000 is not going to have a significant impact on your financial statements and therefore will not warrant the same level of escalation and priority. At ZR Consultants we generally put these in buckets of low, medium and high, as well as creating an additional bucket for process improvements. Each bucket defines the levels of governance, priority and scrutiny required.

Ensure Robust Action Plans

When issues are identified, ensure you enforce the need for robust action plans that are regularly tracked and reported on. The number of times we have been presented “woolly” plans is unbelievable and it is our job to ensure we push back on them immediately. Plans should clearly state WHAT we plan to do, WHEN we plan to do it by, and WHO will be responsible for what. Plans must also be challenged to ensure that they are in fact completely fixing the issue identified.

Implement a Governance Structure

It is important that you implement a clear structure which delineates how you plan to monitor progress. We also recommend setting up a forum attended by empowered decision makers, where issues and risks can be escalated. Our SOX experts have consistently chaired various Steercos and ensured packs are targeted and to the point. This enables stakeholders to rapidly see where we are in relation to our milestones and identify where the programme needs their support.

Avoid an Excessive Number of Key SOX Controls

Another common mistake we have seen is that businesses are led to believe that every control they can identify needs to be a SOX control. SOX is all about preventing a “material misstatement to the financial statements.” Therefore, it is essential to identify the right SOX controls that are able to detect and prevent such a material mis-statement. We have previously taken over large-scale SOX projects where we have reduced the number of SOX controls from over 600 to 400 and in one case from over 300 controls to 60 controls. Such reductions have been implemented with the agreement and approval of external auditors and senior management. From our experience the cost per SOX control can be anything from £1,500 to £5,000+.

Let Your Internal Audit (IA) Department do the Job They Were Brought in to do

Another common theme we have encountered is where businesses decide to use their internal audit departments to deliver SOX. Whilst there are a number of synergies between SOX and IA, there are an equal number of differences. SOX is inherently about material misstatement and therefore the approach and requisite processes can differ vastly from the traditional audit approaches of IA departments. SOX also involves project managing, IT testing and remediation. As such, it can become highly challenging and technical, thereby requiring support from a solid SOX partner. Additionally, if IA team is focussing on SOX (which is very demanding) there will be an inefficient trade-off against internal audit hours.

The above is by no means is an exhaustive list. We have successfully helped many organisations overcome many challenges over the years, including IPE’s (information produced by entities), ITAC’s (IT application controls), ITGC’s (IT general computer controls), scoping in the right IT systems, management reviews and SOD (segregation of duties) and many many more.

If you have any further questions or simply wish to chat with us about your needs, then please feel welcome to contact us.

No alt text provided for this imageContact our Director, Zeshan Raja, directly on:

UK Mobile: 07968 443 471

Email: zeshan.raja@zrconsultants.co.uk