“SOx is a beast”, a client recently told us, and they’re not wrong.

We’ve seen first-hand how many organisations are still struggling to get US SOx right many years after it should have become second nature. The Government’s White Paper, “Restoring trust in audit and corporate governance”, is suggesting that this doesn’t have to be the case in the UK. Hindsight allows us to learn from the US SOx success stories and avoid the mistakes made by those that created a cumbersome and expensive compliance burden with no added value. 

Today we have unprecedented change in the regulatory landscape, personal liability for directors in cases of non-compliance, and increasing market expectations around the value of good internal control. Corporate governance reform, including internal control reporting requirements proposed on 18 March 2021 for the UK, has to be a boardroom-level priority which makes having answers to the questions we’re hearing every day – ‘where do we start?’ and ‘how do we maximise benefits?’ – all the more critical.

We have the White Paper, we now know what’s required… so, how do you get started?

This is the biggest reform of UK corporate governance that has happened in most (possibly any) of our lifetimes. It is important that the Board and the Executive Team understand what White Paper suggestions for a ‘UK SOx’ style approach to internal controls reporting, and the broader corporate governance reforms, mean both for them personally and for their organisation. 

Does everyone understand that this goes beyond the core finance team and their processes?  And that the CEO and CFO will undoubtedly be looking to all of their wider Board members for assurance and support in implementing and complying with these new rules?

The new requirements will have a direct impact on governance arrangements for Public Interest Entities.  The burden of compliance will not be limited to just the CEO and CFO. Getting the right senior understanding and support early on will ensure that you are set up for success and that the new internal controls reporting requirements (be they determined by Legislation or amends to the UK Corporate Governance Code) are not seen as simply a check-box, finance compliance exercise.

We recommend that a board meeting is called as soon as possible with a view to educating the leadership as to what the proposals for enhanced internal controls and risk management reporting means for them.

The steering committee must be empowered to take timely decisions, responsible for agreeing how to address the proposed requirements in detail, and accountable for defining the implementation strategy and the related investment requirements as well as developing the wider business benefits case.

And, don’t forget communication. This group should plan clear and regular communication across the wider organisation to ensure internal controls and risk management is front of mind for everyone who is involved or impacted. 

We recommend that you set up a steering committee now and include (as a minimum) the CFO, CIO, CISO, CRO, COO, and Head of Internal Audit; all will have a part in delivering this change. Given the proposed reporting expectations extending to the CEO as well as the CFO, then you may decide for them to be involved too.

Be very clear what you want to achieve through your internal controls reporting programme – what are the benefits for the wider business? Remember, this shouldn’t just be about compliance. Share this vision widely and come back to it regularly in your communications. That way everyone understands the end game and why this is important.

Our experience suggests that a ‘UK SOx’ like implementation programme could take between 12 - 24 months.  Your roadmap should cover how you address all aspects of governance, controls, cultural change and education that you need to address to deliver your new internal control framework. One of the biggest challenges is going to be how to resource your programme of work. Skills will be in short supply so you should get started on this now.

Given the length of the journey we recommend that you approach this in the same way you would any transformation programme.  Strong programme and change management and clearly defined milestones and checkpoints will not only ensure you can be ready well before the legislation comes into effect, but also enable you and the wider team to have confidence in (and hopefully celebrate!) progress along the way.

This shouldn’t simply be a compliance exercise. We know that our US clients who have been most successful in their SOx programmes took a more holistic view and focussed the added value that this exercise can bring – broader transformation, clearer accountabilities, simpler more standardised ways of working, improved process (and control) ownership and understanding – the benefits are many-fold.

The Government’s preferred option to internal controls reporting starts with directors being required to acknowledge their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. As part of your investment case consider whether you need to select a trusted partner to support your internal resources in executing the planning, design and implementation of your controls framework and the annual review of the effectiveness of the company’s internal controls thereafter.

Working in partnership to get your controls rationalised and embedded across your key processes can help to accelerate your programme but it also means you will need to think about how you will transition to your longer term, sustainable model with controls owned and operated by your own team.  

Your investment case needs to reflect what’s required to transition to business as usual and not only implementation. 

You’ve got your vision, you’ve got your roadmap, you have a programme team to manage and monitor progress, your business case has been approved and you have resources … what now?

Clearly you need to start designing your controls framework but new requirements drive new ways of working.

Some of your teams will need to be set up differently to accommodate the new requirements that enhanced reporting will bring, including rethinking how the traditional 3 lines of defence interact with each other.

Roles and responsibilities will change, processes and controls will change. 

One of your earliest steps should be to define your target operating model (considering all six of the key design layers). Investing time in doing this first means that you will start with clarity about how and where your key controls should be operating across into your organisation limiting the risk of unnecessary work or indeed the need for re-work at a later date.

KPMG’s Powered solutions support our clients in accelerating this thinking.

We know that the journey to implementing the Government’s proposals today may seem daunting. We believe that by taking the approach above and ensuring C-suite and Board support from the start, you will set yourself up for success.

We are here to help. To learn more about how KPMG can help with your controls transformation, click here.