UK SOX is coming. However, many organizations are feeling worried about exhausting all existing compliance resources, incurring high costs, or the amount of testing and data management required to ensure UK SOX compliance. If you’re reading this and nodding your head, don’t worry. The good news is that through proactive planning and clever implementation of the right technologies, you won’t just be able to minimize the impact of UK SOX but benefit from it too.
As a brief introduction to this legislation, in March 2021 the Department for Business & Industrial Strategy (BEIS) published a whitepaper setting out its proposals for a UK version of Sarbanes-Oxley (SOX), a piece of US governance first brought into law in 2002. Designed to restore confidence in the auditing of listed companies and protect investors from fraud, when it’s brought into law, UK SOX would force UK listed companies to adopt a more rigorous internal framework that requires directors to attest the internal controls are robust and effective to ensure the company’s financial statements are reliable.
Though the government has outlined its intentions to bolster Britain’s compliance landscape, the exact timeline for the implementation of UK SOX remains unclear. The lack of certainty is understandably unnerving, but we can look to our US counterparts for guidance on what the roadmap to UK SOX might look like.
Drawing on experience from the US, we can see that companies had two full years of reporting to prepare for SOX compliance. Given that we don’t expect legislation to be finalized until some point in 2022, the earliest listed companies will need to be SOX compliant is 2024. If you are a listed company in the UK, then you need to proactively start preparing your UK SOX strategy in 2022, thus allowing adequate time to lay the foundations for operationalizing UK SOX and implementing technologies that will help you to achieve a future-proofed risk and compliance solution.
Whether it’s the evolving nature of business or the leveraging of new technologies, the compliance landscape is constantly shifting. There are more challenges today in the security and compliance world than ever before, so it’s easy to see why so many view UK SOX as an additional headache.
But the implementation of UK SOX is not without its benefits. Not only would the legislation provide us with a more detailed and controlled compliance environment, it would also improve documentation, increase audit committee involvement, standardize processes and reduce complexity.
Those benefits will only be achieved, however, by taking a proactive approach to risk and compliance, using the run-up to legislation to understand how we can simplify different regulatory needs alongside the amount of testing and evidence collection that will be needed.
Technology can also help. Implementing the right system, or stack of systems, can greatly reduce the strain by automating tasks and providing ongoing monitoring across an entire organization. This will in turn save you time and money, allowing you to reallocate your resources to achieve other business benefits.
If we consider the US case, the companies that have thrived since the introduction of SOX were those that have understood the bigger picture. These companies haven’t just focused on providing the auditor with the information they need, but on wider objectives from across the compliance landscape. This broader approach means that SOX can become a catalyst to mature your existing risk and compliance culture, or to develop new ways of working that maximize your return on investment.
Proactivity is key. Though your organization may be years away from having to tackle SOX, by acting now you can lay the foundations of frameworks that will enhance your entire risk and compliance infrastructure. This means that instead of operating reactively to address any issues that SOX may create, you are proactively monitoring your business, identifying any areas in which you may fall short and taking action before you even begin your end-of-year reporting.
Today, most listed companies utilize large technology stacks in order to monitor different areas of risk and compliance. But to fully operationalize your approach to UK SOX you need to expand these frameworks and look beyond what the auditors might look for and instead consider localized risk factors from across your entire operation.
There are a number of modern GRC tools on the market that can help and change the way risk management is delivered within your organization. Covering strategic planning and process automation, they are designed to seamlessly integrate with your existing systems and level up your compliance culture. Through a process of continuous control monitoring, you can constantly evaluate all aspects of your business with the insights feeding back into one central point of evaluation – a single source of truth that gives you a line of sight on compliance across your entire operation.
Because everything is centrally managed you can adapt your current processes to any changes in the legislative landscape. This means that understanding how your organization will be impacted by UK SOX can be rolled in with your existing compliance activities, greatly reducing both time and expense.
Continuous monitoring also means that you can react to issues in real-time. By taking steps to implement these processes now, your company will understand how the current risks within the business map to UK SOX, enabling you to proactively remediate problems before they become a compliance issue.
The uncertainty around UK SOX and its impact on the risk and compliance community is understandable. While we won’t have concrete information on specific rules and regulations until any legislation comes into effect, businesses can work proactively using existing frameworks and evidence from the US to prepare for the future. By implementing new technologies and laying the foundations of your processes now, you can get a better picture of what your roadmap to compliance looks like. It’s an investment that will not only harmonize your compliance strategy but save you valuable time and resources when the standards are eventually finalized.