In 2002, the USA implemented the Sarbanes-Oxley Act (SOX). It caused quite a stir at the time due to the time and effort required to make changes to comply with it. Some felt that it was too onerous. Others felt it was an overreaction to some large corporate failures.
Let’s take Enron as an example. It inflated its figures, embezzled funds and manipulated the energy markets. This resulted in the senior executives being convicted. Its auditor also fell under scrutiny with Arthur Andersen being convicted of obstruction of justice for shredding documents related to its audit of Enron. Arthur Andersen’s conviction was overturned in 2005, but the reputational damage was done. Formerly a global firm employing 85,000 staff, it's now run from Chicago with 200 staff.
At the time the UK had already made improvements following various reviews. It felt that its audit standards were appropriately robust. However, recently the UK has seen its share of scandals:
BHS audited by PwC
Carillion audited by KPMG
Patisserie Valerie audited by Grant Thornton
More recently, August 2021 saw the FRC take action against Ernst & Young and its Audit Engagement Partner, Mark Harvey, regarding its audit of Stagecoach. In this case, the auditors failed to:
obtain sufficiently appropriate audit evidence
adequately evaluate expert evidence
demonstrate sufficient professional scepticism and challenge management, and
prepare proper audit documentation
It should be no surprise to learn that the UK is getting ready for its own version of SOX.
Earlier this year, the Department of Business, Energy & Industrial Strategy (BEIS) issued its consultation paper: Restoring trust in audit and corporate governance. The overall goal is to reduce malpractice that would harm investors and the public. The proposals require firms to:
provide accurate financial statements and
have internal controls in place to protect financial information.
The proposals set out strict requirements for:
enhanced financial disclosure
internal control assessment
corporate governance and
In setting out its proposals, the BEIS aims to take a holistic approach to “drive meaningful and lasting change”. To this end, the proposals impact directors, auditors, shareholders as well as the audit regulator. Only the largest companies will need to comply, i.e. those listed on the FTSE.
The current UK Corporate Governance Code holds boards and directors responsible for monitoring risk and internal controls. Under the new proposals, directors will need to
Details of the effectiveness of their internal controls
Report upon the effectiveness of the company internal controls over financial reporting (ICFR)
Findings of the review
Attest that they consider the systems are operating effectively
Additional proposals include replacing the Financial Reporting Council (FRC) with a new Auditing, Reporting & Governance Authority (ARGA) to provide guidelines on audit best practices. ARGA will have authority to investigate the accuracy and completeness of directors’ disclosures.
The consultation period closed in July 2021, and changes to legislation are required before any reforms are confirmed. Bearing this in mind, we're probably looking at 18-24 months before requirements are implemented.
Whilst we await confirmation of the framework, listed companies should be reviewing their governance infrastructure. Firms should aim to improve their systems and controls and ensure processes are documented.
Escalation processes and change management are equally important, including the review and oversight of business risks. Early assessment of improvements will help firms to meet the agreed requirements on time.
How Ruleguard can help you:
Ruleguard is an end-to-end platform that enables firms to log and manage regulatory risks. Ruleguard has been designed to help firms demonstrate and evidence compliance by using its comprehensive rules-mapping, risk and control tools, automated reporting features and powerful dashboards.
Get in touch with the Ruleguard team to learn more on: 020 3965 2166 or firstname.lastname@example.org
Head of Client Regulation | Ruleguard