Restoring Trust in Audit and Corporate Governance asks whether there is a case for strengthening the internal control framework for the UK and considers the Sarbanes-Oxley provisions. But what could that look like in the UK and what can we learn from the US experience?

The US Sarbanes-Oxley (SOX) Act established, amongst other things, the Public Company Accounting Oversight Board (PCAOB). This is the board that regulates the audits of companies with securities listed in the US. ICAEW has its own PCAOB Panel. Justin Shakespeare is its current Chair and Kevin Moore is the former Chair. They both have extensive experience of SOX implementation in the US, the UK and elsewhere in the world. 

“The challenge for developing something along the lines of SOX in the UK includes understanding the key objective of rolling out a common control framework,” says Shakespeare, Partner in KPMG’s US Accounting and Reporting Group, ICAEW member and US CPA. “With that in mind, what framework should be selected in the UK, how should that be implemented, and what are the costs of doing that? This control framework is what is ultimately going to be compared with SOX in the US.”

Section 404 of the Sarbanes-Oxley Act relates to the ‘Management Assessment of Internal Controls’. It is highly complex and generally requires all annual financial reports to include an ‘ICoFR (Internal Controls over Financial Reporting) Report’ for management to sign off and all annual financial reports for companies with a market capitalisation of £75m or above to include external auditor attestation. The framework to which Shakespeare alludes is the COSO framework, adopted by default by US corporates for meeting SOX requirements.

“There are several challenges in rolling out the framework,” says Shakespeare. “But equally, that doesn't necessarily mean that everything that's been rolled out in the US is perfect.” He points out, however, that should the UK go down the SOX route and require a framework to support a SOX-like regime, it will have the benefit of almost 20 years’ experience of SOX and COSO in operation in the US to draw on.

Public trust is vital

Moore concurs. He is also an ICAEW member, a US CPA, and a member of both ICAS and the South African Institute of Chartered Accountants. He was formerly the Head of KPMG UK’s US Accounting and Reporting Group. He says that it is vital that the public has trust in any chosen framework.

By way of background, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was set up in the US by five private sector organisations to establish an internal control model as a point of reference against which companies can compare their internal controls. COSO is based around five components and seventeen principles, all of which have to be present and functioning for internal controls to be effective. 

“The only common comprehensive framework that exists on a global basis is the COSO framework,” Moore says. “However, despite it being the default framework in the US, the COSO framework is not mandated by SOX. Companies have to state in their reports which framework they are using.”

Therein lies the rub: any common framework adopted under a potential UK SOX-like or SOX-light regime should require enough depth and detail to inspire confidence that a public company has the right controls in place, says Moore. If there were to be a UK version of SOX, the choice of the common framework against which it operates would therefore be critical.

Shakespeare points out that there could be a cost and consistency issue if a UK version of SOX works to a framework other than COSO. If global businesses end up complying with two or more frameworks, that could add a huge burden to companies’ reporting obligations, and there could also be a comparability problem. “Consistency is a big deal, particularly if external auditors are attesting on it. Having a commonly understood standard is very important,” says Shakespeare.

Will a lightweight framework achieve trust and transparency?

Moore returns to the thorny issues of what is to be achieved by any potential introduction of a version of SOX to the UK. “My interpretation is that we're trying to achieve a greater level of trust in how businesses are run and the transparency and accuracy of how they report,” says Moore. Will a lightweight framework achieve this trust and transparency? And will any reporting on internal controls resulting from the use of such a lightweight framework create an expectation gap with stakeholders?

“It would not be unreasonable for the expectation to be that a common control framework is going to have a material impact on corporate failures, be it companies running out of cash, fraud, or restatements,” says Shakespeare. “However, any control framework, like any security system, is only good to a point.” 

The COSO framework is much more comprehensive than the prevailing debate suggests is required – COSO is about rolling out a comprehensive suite of controls across every process that’s material in business. The UK proposals, like the SOX requirements in the US, will only relate to ICoFR. Also, it is very important to understand that any framework introduced would not be a sticking plaster for corporate failure.

Change ‘doesn’t happen overnight’

Moore points out that younger companies, such as those established in the last 20 years, both US and non-US, with securities listed in the US, have grown up in the SOX environment and have established control frameworks as part of their corporate DNA. The challenges for long-established companies, which have had to adapt to the SOX environment, have been much greater. “But whatever the background, there’s a huge role for corporate culture to play here,” says Moore. 

“A shift to a new way of doing things doesn’t happen overnight. There’s a huge education process. Even though SOX 404 has been in operation for nearly 20 years, it's only in the last five years or so that you have seen people in positions of power and responsibility that have grown up within a SOX controls and reporting environment,” says Moore. “Before that, people were having to relate back to what they were doing before. It's like learning a new language: if you're taught that language from day one, you can think in that new language without going back to the old language and translating across.”

Shakespeare adds: “The benefits of a control environment are absolutely worth having. Operationally, companies are undertaking most elements of a control framework anyway or else the company would not operate effectively. However, a key difference is the documentation of those controls and the depth of detail that has to be documented.” He reminds us that a control framework means controls over everything: in an ICoFR context that includes tax, non-recurring transactions, business combinations and impairments. Currently, for many areas of the corporate control environment, that can often be too high level.

Moore concludes that if the UK is to implement a version of SOX, for it to be meaningful and stand up to scrutiny, it has to be somewhat granular, albeit that it can still be principles-based. Importantly, any such regime has to be supported, in many cases, by changes in corporate culture. 

Views expressed in this article by interviewees are personal and do not represent those of any other person or organisation.

Further resources

• ICAEW Sarbanes-Oxley library resources 
• Is the UK ready for Sarbanes-Oxley?