With this uncertainty we understand many CFOs don’t want to think about UK SOx and controls improvements just yet, but we think the time to act is now, for five reasons:
1) You should have good controls now – Many of the tenets of US SOx internal controls regime (‘COSO 13’) should already be in place – we have often heard that when a company lists on the U.S. Securities and Exchange Commission that its Board are surprised to learn controls aren’t being executed to the right standards already. The UK Corporate Governance Code requires the Board form a view on Internal Controls based on reporting from management and the Senior Manager’s regime in financial services requires an accountability framework. While the level of documentation and reporting may differ the building blocks should be there to build a COSO 13 model which would give extra assurance to stakeholders.
2) It takes time to get it right – First time US SOx 404 reporting entities grapple with issues such as fragmented IT architecture, lack of automated controls, the need to develop second line and testing capabilities and, crucially, cultural change.
We have seen companies take up to four years of investment to get to a position where there are no material weaknesses or significant deficiencies reported. First time adopters of a COSO style framework must take steps to address the basic foundations. For example we have worked with large companies to design, test and embed an automated control environment for SOx and have found this typically takes 12-36 months.
While the specific rules and regulations are not yet known we have existing frameworks outlining what good looks like. Starting to baseline processes so you know what your journey to compliance looks like is a beneficial resource and time investment so that you are ready to go when the standards are finalised.
3) You’ll reap the benefits sooner – The US saw restatements and reissuances of financial statements peak after SOx was introduced but as time has moved on, 79% of CFOs surveyed (Source: CAQ Pulse Poll: CFO Perspectives on the Sarbanes-Oxley Act (May 2017)) said they felt SOx had improved the quality of the information in the financial statements. Some of those benefits were: clearer financial reporting, an early warning for fraud, early sight of issues across the business and better controls allowing management a better grip of the business.
4) Get synergies with transformation – More and more companies are re-designing their finance and IT environments with a view to digitising processes and controls, accelerated by COVID-19. This presents an opportunity to build in the basis of a SOx compliant control framework upfront – something we have been able to do already with several large UK companies, across a variety of sectors, which has helped them avoid a costly re-design later.
The same is true of process redesign for new accounting standards or guidance, a good example being the change from LIBOR to alternative rates in contracts – now is the time to think about building the right controls.
Including controls workstreams in current transformation programmes makes good business sense to invest in top quality controls from the outset.
5) Know your business better – Companies who implement US SOx well start by understanding the risks in their business and scope and size their SOx controls appropriately. This gives CFOs a line of sight into all aspects of finance and enables problems to be remediated before they become big issues.
For more details on how we can transform your controls, click here.