Two weeks on from the release of the government white paper ‘Restoring trust in audit and corporate governance’ and internal controls over financial reporting (UK SOx) is, perhaps unsurprisingly, at the top of the corporate agenda.
The proposed reforms are wide ranging and, while significant questions remain around exact timing and scope, what is clear is that Directors will have increased personal accountability and will need to provide greater visibility to external stakeholders on why and how they are comfortable with the information disclosed on the performance of their business.
At this early stage, and as a number of my clients mobilise impact assessments with a view to standing up programmes in the second half of 2021, I think it is critical for senior management to define the principles (and associated metrics) against which a successful implementation of UK SOx will be measured.
What we have learned from the implementation of other SOx regimes around the world is that, without a clear definition of achievable business outcomes, not only do implementation and BAU run costs increase, but the opportunity to transform business and risk management is missed.
Defining success for UK SOx implementation
Success will undoubtedly be split into those primary outcomes which must be achieved on Day 1 and a range of longer-term outcomes which, while harder to measure, are equally important. UK SOx implementation is not a one-off exercise; whatever is implemented will live on in business as usual – it must be sustainable, cost efficient and value adding.
Primary outcomes:
- No significant issues or material weaknesses in the control environment to report in the first external opinion - securing confidence from the market at the outset.
- Increased accuracy, reliability and confidence in the information being generated and presented to shareholders - resulting in increased levels of external investment.
- Increased reliance on the control environment by the external auditor – moving towards control based external audits.
Longer term outcomes:
- A sustainable control framework founded on risk assessment and driving the fixing of issues at source - guaranteeing time and effort is spent on material risks and strategically resolving issues.
- A greater emphasis on preventative controls - reducing the need for manual, time consuming and expensive detective controls.
- A clearly defined and embedded set of control standards which enable programmes and projects to deliver on-going change in a compliant manner – reducing costly remediation and delivering first time compliance.
- An automated control environment that quickly identifies issues through continuous control monitoring - reducing the cost of control and freeing up time to focus on value adding activity.
- Clear alignment of roles and responsibilities across the three lines of defence - integrating risk, controls and assurance management to drive better business decisions.
- An integrated ecosystem of tools and systems encompassing regulations, risks, controls, processes and account balances - delivering end-to-end traceability and a cost effective ‘test once, use multiple’ approach.
- Enhanced processes and controls with embedded ownership - enabling the right corporate governance culture which fosters and celebrates success but is not afraid to raise concerns and escalate issues.
And that last point is key.
Make no mistake, success will require a cultural shift, and that is difficult. But going into this with a transformation mindset that is supported by senior leadership, focused on benefits and not simply about ticking the compliance box, will allow you to explain to the wider organisation why they need to change and greatly improve your chances of success.
How can we help?
We provide end-to-end support, from design and implementation all the way through to the ongoing management of your financial controls framework.
- Measure the health of your existing controls. We draw on our vast experience of implementing US SOx to identify the effectiveness of your current controls and the extent of the work required to comply. We will perform a gap analysis assessing as-is controls against COSO 13 principles, providing a diagnostic and maturity report which will give you clarity on your journey to achieve a sustainable and embedded control environment for your UK internal controls.
- Run a vision workshop. Through a series of interactive workshops, we will support your executive and management teams in setting a clear path to a compliant controls framework covering governance, controls and culture. We will look at how existing and future technology can best aid your journey.
- Implementation (accelerated by Powered Enterprise). We leverage the latest target operating model, underpinned by functional process designs, technology and people roles, to implement a full suite of effective controls with a high degree of automation. This will be complemented by a newly constructed attestation model.
- Manage and embed change. Governance and culture are vitally important for efficient controls. We help you to engage your people and embed effective corporate governance within the fabric of your organisation.