City of London - UK Compliance with SOX GRC

UK SOX: Government Gets Tough on British Corporate Governance

The UK Government recently served notice on large businesses, and their auditors, that the standards of business conduct and transparency in the UK are set to rise significantly.

The Department of Business, Energy and Industrial Strategy (BEIS) published a white paper, “Restoring trust in audit and corporate governance”, proposing changes to the accountability of the Boards of large UK companies, and of their auditors, that will likely bring UK corporate reporting standards into line with the US Sarbanes-Oxley (SOX) requirements.

These planned changes are a response to recent corporate failures, including the major contractor Carillion, the large retailer BHS, and the café chain Patisserie Valerie. While each faced unique circumstances, one theme was common to all of them: mismanagement at a senior level that was not picked up or challenged sufficiently by their auditors.

The UK Government’s concern is that the situation erodes trust and confidence in “UK PLC”, impacting investment and overall economic performance. These corporate failures involved large job losses and had a significant impact on local communities.


Potential changes in UK SOX compliance expectations?

The white paper is a consultation document, seeking feedback from business leaders and other interested parties about the scale, scope, and detail of the proposals. Nevertheless, the potential changes it hints at are significant.

Amongst the likely changes are proposals for new “reporting and attestation requirements covering internal controls, dividend and capital maintenance decisions, and resilience planning for senior management.” These will force senior management to ensure they are reporting an accurate and fully representative picture of the business to their auditors and shareholders.

Other proposals may provide the new audit regulator with “effective investigation and civil enforcement powers to hold to account directors of large businesses which are of public importance for breaches of their duties in relation to corporate reporting and audit.” For the first time, company directors may face significant fines and other penalties if they breach the rules.

The UK audit sector is in for major change too. A new regulator, the Audit, Reporting and Governance Authority (ARGA), blessed with powers greater than its predecessor’s, will oversee “a common purpose and principles – including a clear public interest focus – and with a reach across all forms of corporate reporting, not just the financial statements.” This will give auditors the responsibility of scrutinizing and challenging, in greater depth, the financial results presented to them. There are also plans to open the UK audit market to more participants, to reduce the dominance of the “Big Four.”

Other impacts?

The scale and scope of the organizations that might be affected are significantly larger than had been anticipated, going beyond the FTSE 350 businesses and affecting some 2,000 Public Interest Entities (PIEs). These are organizations that, whether publicly or privately owned, or in the public sector, are economically significant and, should they experience management or audit issues, would impact the UK economy.

While no compliance date has been fixed, many companies potentially affected are wasting little time in reviewing their systems and processes, to see where there are gaps that may need to be addressed. Many are working with Mitratech to address these gaps.

Based on these discussions, we’ve observed that most organizations are already well-placed to handle issues around the transparency and attestation of results, through their extensive investment in applications like SAP, Oracle, and other corporate IT systems.

Where are they challenged? Where they use uncontrolled spreadsheets, whether as part of final-mile reporting or in core business processes, where their flexibility is prized.

The compliance hazards involved in EUCs (End User Computing assets such as spreadsheets)

The absence of any controls in spreadsheets will cut across the spirit and detail of the new regulations that will emerge from the white paper. Where management or audit issues develop, spreadsheets will be an early suspect.

Businesses are going to be forced to move spreadsheets onto corporate applications or ensure that adequate controls are in place if critical spreadsheets cannot be retired. The regulations will demand that people can quickly identify what changes have been made to key spreadsheets, by whom, on whose authority, and when.

To remain compliant, businesses need to acquire a range of capabilities that allow them to find, assess and control their most important spreadsheets. The solution they employ must be able to identify which spreadsheets can be migrated to corporate applications, and must provide corporate standards of control to those that cannot.

The solution they choose should provide the foundation for complying with the likely requirements, helping to mitigate the risks of uncontrolled spreadsheets embedded in core business processes.
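To make the control described above concrete, here is an added example of the audit trail a spreadsheet register must be able to produce: what changed, by whom, on whose authority, and when. It is illustrative code written for this page, not Mitratech or ClusterSeven code, and it makes simplifying assumptions: spreadsheet contents are stand-in byte strings rather than real workbook files, the "last saved by" identity is assumed to come from file-share metadata, and change approvals are assumed to be looked up by a constructed ticket reference such as `CHG-0042`.

```python
"""Hash-based change register for business-critical spreadsheets (added example).

Constructed illustration of the control the text calls for: an inventory of key
spreadsheets with an owner and an approved baseline, reconciled against the
current file set to produce an audit trail answering "what changed, by whom,
on whose authority, and when". File contents are constructed byte strings.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RegisterEntry:
    """One inventoried spreadsheet: location, business owner, approved content hash."""
    path: str
    owner: str
    sha256: str
    approved_by: str  # person who signed off the currently approved version


@dataclass
class AuditEvent:
    """One line of the change audit trail."""
    when: str                   # ISO-8601 timestamp supplied by the caller
    path: str
    finding: str                # approved-change | unapproved-change | missing | unregistered
    actor: Optional[str]        # who last saved the file (assumed from file-share metadata)
    approval_ref: Optional[str]  # change ticket authorising the edit, if any
    old_sha256: Optional[str]
    new_sha256: Optional[str]


def sha256_hex(data: bytes) -> str:
    """Content fingerprint used to detect any edit to a spreadsheet."""
    return hashlib.sha256(data).hexdigest()


def build_register(files: Dict[str, bytes],
                   ownership: Dict[str, Dict[str, str]]) -> Dict[str, RegisterEntry]:
    """Baseline every registered spreadsheet: hash it and record owner and approver."""
    register: Dict[str, RegisterEntry] = {}
    for path, meta in ownership.items():
        if path not in files:
            raise FileNotFoundError(f"registered spreadsheet not found: {path}")
        register[path] = RegisterEntry(path, meta["owner"], sha256_hex(files[path]),
                                       meta["approved_by"])
    return register


def reconcile(register: Dict[str, RegisterEntry], files: Dict[str, bytes],
              last_saved_by: Dict[str, str], approvals: Dict[str, Dict[str, str]],
              when: str) -> List[AuditEvent]:
    """Compare the current file set with the register; one audit event per discrepancy.

    approvals maps path -> {"ref": ticket id, "approved_by": name} for authorised changes.
    An approved change rolls the register forward so it becomes the new baseline;
    an unapproved change leaves the baseline untouched and is flagged for follow-up.
    """
    events: List[AuditEvent] = []
    for path, entry in register.items():
        if path not in files:
            events.append(AuditEvent(when, path, "missing", None, None, entry.sha256, None))
            continue
        new_hash = sha256_hex(files[path])
        if new_hash == entry.sha256:
            continue  # unchanged since the approved baseline
        approval = approvals.get(path)
        finding = "approved-change" if approval else "unapproved-change"
        events.append(AuditEvent(when, path, finding, last_saved_by.get(path),
                                 approval["ref"] if approval else None, entry.sha256, new_hash))
        if approval:
            entry.sha256 = new_hash
            entry.approved_by = approval["approved_by"]
    # Spreadsheets present on the share but never inventoried: shadow-IT candidates
    for path in sorted(files):
        if path not in register:
            events.append(AuditEvent(when, path, "unregistered", last_saved_by.get(path),
                                     None, None, sha256_hex(files[path])))
    return events


def run_demo() -> List[AuditEvent]:
    """Constructed scenario: one approved edit, one unapproved edit, one lost file, one stray file."""
    baseline_files = {
        "finance/group_consolidation.xlsx": b"consol v1",
        "finance/dividend_cover.xlsx": b"dividend v1",
        "treasury/cash_forecast.xlsx": b"cash v1",
    }
    ownership = {
        "finance/group_consolidation.xlsx": {"owner": "group.fc", "approved_by": "cfo"},
        "finance/dividend_cover.xlsx": {"owner": "fin.reporting", "approved_by": "cfo"},
        "treasury/cash_forecast.xlsx": {"owner": "treasury.lead", "approved_by": "treasurer"},
    }
    register = build_register(baseline_files, ownership)
    current_files = {
        "finance/group_consolidation.xlsx": b"consol v2",       # edited, with a ticket
        "finance/dividend_cover.xlsx": b"dividend v1 tweak",    # edited, no ticket
        "ops/site_bonus_calc.xlsx": b"bonus",                   # never registered
    }                                                           # cash_forecast has vanished
    last_saved_by = {
        "finance/group_consolidation.xlsx": "a.analyst",
        "finance/dividend_cover.xlsx": "b.analyst",
        "ops/site_bonus_calc.xlsx": "c.manager",
    }
    approvals = {"finance/group_consolidation.xlsx": {"ref": "CHG-0042", "approved_by": "cfo"}}
    return reconcile(register, current_files, last_saved_by, approvals, "2021-04-01T09:00:00Z")


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The two findings an auditor would chase first are `unapproved-change` (a key spreadsheet edited without authority) and `unregistered` (a spreadsheet in a business process that nobody has inventoried); `missing` matters for resilience planning, since a lost final-mile workbook can stall reporting.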

Manage your Shadow IT spreadsheets

With ClusterSeven, take control of the End User Computing assets hidden across your enterprise that can create hidden risk.