UK SOX – when’s it coming and what should you be doing to prepare?

Date posted
23 June 2022
Reading time
5 mins

In a previous article about the changing landscape of audit, we outlined the impact of the Brydon (2019) and Kingman (2018) reports which would likely pave the way for the introduction of a Sarbanes-Oxley (SOX) style regime across the UK. SOX is a US federal law introduced in 2002 to strengthen internal controls and financial reporting.

The UK government’s response to the reports was to publish a corporate governance whitepaper Restoring trust in Audit & Corporate Governance, with the pre-legislative consultation period ending in July 2021.

In this article, Qadir Quayum, Kainos Audit Principal based in the UK, looks at the next steps and at what “UK SOX” might mean for organisations when it comes to managing compliance and risk.

At the time of writing, there has been no set date as to when the proposed reforms will be put in place, nor detail on what form they will take. However, consensus appears to be emerging across the audit profession that primary legislation will emerge by the end of 2022.

A key development was the release of plans by the Financial Reporting Council (FRC) to create a new regulatory body, ARGA (Audit, Governance and Reporting Authority), to be operational by April 2023.

This was a key Kingman report recommendation, namely to establish ‘a new audit regulatory body with enhanced powers’. It is therefore reasonable to assume that ARGA will take the lead on driving standards and requirements for internal control.


Implication of UK SOX

With the emergence of the new regulatory body scheduled for Spring 2023, the scene has been subtly set for the implementation of an enhanced controls regime which would seem to impact financial years ending December 2023 and beyond.

In practice, and based on lessons from US SOX timelines, it's likely you could expect the grace and implementation period to end in December 2024.

The scope of the regulation appears to focus on FTSE 350 and small cap listed companies, with PIEs (Public Interest Entities) drawn into scope during subsequent years. Key tenets of the proposed regulation require the following:

  • Identification of key risks over financial reporting faced by the business, and implementation of sufficient mitigating internal controls over risks of material misstatement.
  • Company director assessment and attestation of the effectiveness of their internal controls.
  • Formal opinion on the director’s annual attestation by the external auditor.

Impact of UK SOX on Workday

With Workday at the centre of your organisation, establishing foundational IT general controls, including appropriate Segregation of Duties (SoD), access rights and change control, is a critical consideration for UK SOX readiness.

Workday stores critical business data relating to employees, customers, suppliers and financials, and as a result Workday is likely to be subject to the new ARGA internal control requirements.

Key areas of IT risk that you should start thinking about in the context of the new 'Internal Control over Financial Reporting (ICFR)' requirements include:

  • Security & Privileged Access – Failure to restrict access to Workday may result in unauthorised transactions leading to error, unintended consequences or financial loss. Business transactions and downstream internal controls depend on appropriate access rights. Ensure you have the right level of visibility of key security groups, the capabilities granted to each security group, and security group membership.
  • Configuration Control – Failure to secure Workday configuration may compromise the integrity of transactional processing and the accuracy of reporting. In an ICFR environment, ineffective configuration control may impair your ability to rely on automated and system-dependent controls in Workday. Robust configuration controls and production migration practices are important. If you rely on implementers to make production changes manually, be aware that time-intensive monitoring of implementer activity is likely to be required.
  • Segregation of Duties – Fraud prevention is an important aspect of internal control over financial reporting. In Workday, SoD considerations must draw on a combination of multiple business processes, business process definition configurations, and tasks. Understanding exactly what these are, and which combinations represent material risks, is fundamental to an effective SoD analysis supporting your system of internal control.
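The SoD point above is that a conflict can arise from a combination of security groups even when no single group is conflicting on its own. The following is an added example, not code from the article or from Kainos; the security group names, tasks, memberships and conflict rules are all constructed for illustration, and a real analysis would draw them from your own tenant's security configuration and risk assessment.

```python
"""Segregation of Duties check over constructed Workday-style security data (added example)."""
from itertools import combinations

# Constructed: the tasks each security group is allowed to perform.
GROUP_TASKS = {
    "Supplier Admin":  {"Create Supplier", "Edit Supplier Bank Details"},
    "AP Specialist":   {"Create Supplier Invoice"},
    "AP Manager":      {"Approve Supplier Invoice", "Settle Payment"},
    "Payroll Partner": {"Edit Employee Bank Details", "Run Payroll"},
    "Security Admin":  {"Assign Security Group", "Edit Business Process"},
}

# Constructed: user -> security group memberships (what a membership extract would show).
USER_GROUPS = {
    "alice": {"Supplier Admin", "AP Manager"},
    "bob":   {"AP Specialist"},
    "carol": {"AP Specialist", "AP Manager"},
    "dave":  {"Security Admin"},
}

# Constructed SoD ruleset: task pairs no single person should hold, with the fraud risk each represents.
SOD_RULES = [
    ({"Create Supplier", "Approve Supplier Invoice"}, "fictitious supplier payment"),
    ({"Create Supplier Invoice", "Approve Supplier Invoice"}, "self-approved invoice"),
    ({"Edit Employee Bank Details", "Run Payroll"}, "payroll diversion"),
]


def effective_tasks(user, user_groups=USER_GROUPS, group_tasks=GROUP_TASKS):
    """Union of every task granted through every group the user belongs to."""
    return set().union(*(group_tasks.get(g, set()) for g in user_groups.get(user, set())))


def sod_conflicts(user, user_groups=USER_GROUPS, group_tasks=GROUP_TASKS, rules=SOD_RULES):
    """(risk, contributing groups) for each rule the user's combined access violates."""
    tasks = effective_tasks(user, user_groups, group_tasks)
    findings = []
    for pair, risk in rules:
        if pair <= tasks:  # user holds both sides of the conflicting pair
            via = sorted(g for g in user_groups[user] if group_tasks[g] & pair)
            findings.append((risk, via))
    return findings


def toxic_combinations(group_tasks=GROUP_TASKS, rules=SOD_RULES):
    """Minimal group sets that violate a rule: single groups that do so alone, plus
    pairs of groups that only conflict in combination (the case auditors most often miss)."""
    found = []
    for pair, risk in rules:
        singles = [g for g in sorted(group_tasks) if pair <= group_tasks[g]]
        found += [((g,), risk) for g in singles]
        for g1, g2 in combinations(sorted(group_tasks), 2):
            if g1 not in singles and g2 not in singles and pair <= group_tasks[g1] | group_tasks[g2]:
                found.append(((g1, g2), risk))
    return found
```

Running `toxic_combinations()` against the constructed data shows that "AP Manager" plus "Supplier Admin" is a conflict only in combination, while "Payroll Partner" conflicts by itself and would need its design revisited rather than its membership.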

Are you SOX ready?

Using the US experience of SOX as a barometer, it is evident that companies that were well prepared in the IT sphere benefitted from reduced compliance costs and operational efficiency. This will likely be the case with UK SOX too.

As a quick guide, consider incorporating the following into your pre UK-SOX Workday readiness initiative:

Governance - Define policies over Workday IT governance processes and controls practices. Focus areas should be in Account Governance, Privileged Access, Segregation of Duties, and Configuration Control. These should be both current and periodically reviewed for accuracy and completeness.

Risk Assessment & Scoping - Perform a technical Workday risk assessment in order to limit the scope of IT controls to the risks that really matter for in-scope business cycles and organisations. Focus areas are likely to be:

  • Configurations across in-scope functional areas
  • Privileged access relating to tasks, fields and business processes
  • Segregation of Duties for in-scope business cycles. Focus on risks related to material fraud risk and/or control override.

Control Documentation - Document your IT processes and controls in a risk/control matrix. Consider supplementing these with flow charts and process narratives to make them more digestible.

Optimisation - Blend both preventive and detective controls as maximising reliance on automated controls will streamline compliance efforts. In short - higher audit confidence at reduced cost.

Readiness Check - Perform a controls health check across production configurations in advance of UK SOX compliance to identify potential remediation requirements early.

Staffing - Evaluate current organisation structure to ensure adequate staffing for governance activities with sufficient Workday expertise on hand to support control design.

Evidence - Testing evidence must be appropriate in relation to the control and retained for inspection. Focus on what constitutes evidence of timely review and documentation, including level of precision required to demonstrate adequate control design and operation.


While it may be some time before UK SOX is implemented, as noted above, primary legislation is likely to be only a few months away.

SOX in the US caused quite a furore 20 years ago because of the time, effort and resources needed to comply, so organisations in the UK need to plan ahead.

Of course, regulatory technology is helping, not only by improving the way organisations manage compliance but also by providing peace of mind over Workday foundational controls ahead of the advent of UK SOX.

Isn't it time you started reviewing your governance and risk infrastructure?


Contact us to learn more about Kainos’ Workday automation solution, Smart Audit, or request a demo from our Workday experts.