Weak internal controls and poor risk management are clear contributors to company failure and the erosion of trust. Whether importing elements of the US Sarbanes-Oxley (SOX) regime is the right direction for the UK to take is part of the discussion we at ICAEW would like to have with you as we build our response to the BEIS White Paper ‘Restoring trust in audit and corporate governance’.
The US SOX law was enacted in 2002 in the wake of the collapse of Enron. Under it, enhanced reporting obligations were placed on public company boards, management and public accounting firms. Importantly, US law includes criminal penalties for certain types of misconduct.
The FRC Review has recommended the UK Government should consider how the UK’s established internal controls framework could be strengthened, including “learning lessons from SOX”. The essence of SOX is put nicely in the White Paper:
- “2.1.4 The key SOX provisions are requirements for the management of public companies to assess and report annually on the effectiveness of their company’s internal control structure and procedures for financial reporting. The company’s auditor is then required to attest to and report on this assessment. SOX also places responsibility for a company’s financial statements and internal controls clearly with the CEO and the CFO. These officers must certify (inter alia) for each annual and quarterly report that they have reviewed the report, acknowledge their responsibility for establishing and maintaining internal controls and that they have evaluated the effectiveness of the internal controls within 90 days prior to each report.”
Let’s not forget the UK already has in place various requirements of companies in relation to internal controls, including those under company law, Listing Rules, UK Corporate Governance Code provisions and auditors’ responsibilities. It is a backdrop worth keeping in mind as conversations about importing a version of SOX unfurl.
Katharine Bagshaw, Manager, Auditing Standards at ICAEW’s Audit and Assurance Faculty, asks whether the UK should adopt SOX-inspired rules in the same form as the US original. Specifically, is it necessary for UK-listed and other public interest entity (PIE) companies (which would form part of any new regime) to report against a “COSO” framework (a voluntary framework, developed in the US, against which internal control effectiveness can be assessed) as most US companies do? The five components of the framework might or might not travel well from one jurisdiction to another – that is yet to be seen. What’s more, the classification of PIE companies is also under review in this very White Paper, thereby prompting further questions about who will need to do this and whether the framework is appropriate for all of those in scope.
“There are lots of different views on whether the UK should adopt SOX,” says Bagshaw. “Some say we should adopt the US way of working fully while others say it simply won’t work. Some fear that SOX is just not very exportable, especially if a central tenet of SOX – criminal penalties – is not on the table. How would that work?”
At the same time, others point to the low level of major corporate failures in the US since SOX was introduced as evidence of the regime’s effectiveness in focusing minds on strong controls. BEIS says some stakeholders believe that has led to “better financial reporting, fewer significant accounting restatements and stronger reassurances for investors”. With consultation ongoing, key decisions about the shape of this central element of the corporate governance regime have yet to be made.
We would like to hear from you about ways in which internal controls can be strengthened, about your reaction to the potential for the introduction of elements of SOX in the UK, and whether you are concerned about scope-creep if that were to happen.
You can contact us by emailing: TDAF@icaew.com