
UK SOX-Lite – Your Questions Answered

UK SOX is the unofficial name given to new corporate governance reforms coming into place soon. The long-awaited overhaul is designed to help prevent scandals such as those that beset Carillion and BHS. However, after a push-back from UK boardrooms, the current plans are a more watered-down version of what had been proposed: in fact, more of a UK SOX “Lite.”

Back in May 2023, the UK Financial Reporting Council (FRC) started its public consultation on amendments to the UK Corporate Governance Code — which is due to close at the end of this month. And earlier in the year, the FRC published the final version of its guidance on audit committees’ roles in external audits, which established a “minimum standard” of responsibility.

The plans are designed to reinforce and increase board accountability over internal controls. Unlike the mandatory nature of US SOX, which has been in place for around two decades, the proposed UK SOX-Lite regime is a rather messier combination of statutory provisions, regulatory rules, standards, guidance and a voluntary compliance and disclosure regime. But the drive behind the measure is the same: an attempt to restore confidence in financial reporting, audit and fraud prevention. The UK approach tries to address this while avoiding time-consuming red tape and allowing London to remain an attractive listing venue for business.

What is the Corporate Offence of Failure To Prevent Fraud?

Currently, Parliament is considering the Economic Crime and Corporate Transparency Bill, which would introduce the offence of failure to prevent fraud. The new offence would make an organisation criminally liable if it failed to prevent fraud, even if it was unaware of the fraud being perpetrated.

Following a debate of the House of Lords amendment to the bill in the House of Commons at the beginning of September, an exemption for SMEs has been agreed, and the extension of the proposed offence of failure to prevent money laundering has been removed. The Bill is currently in its final stages and expected to receive Royal Assent by the end of this year.

However, there will be permissible defences. The law will not apply if an organisation can prove that it had put all reasonable procedures in place to prevent the fraud at the time it happened, or if that expectation was not in itself reasonable in the first place.

But before the offence becomes law, UK and UK-based organisations should look at their current processes and fraud prevention technology to ensure that they do not fall foul of the new legislation.

Audit Committees and the External Audit: Minimum Standard

As mentioned, in May this year the FRC published its Audit Committees and the External Audit: Minimum Standard, which applies to the audit committees of FTSE 350 companies. At the moment, compliance is voluntary, but once legislation is passed to establish the Audit, Reporting and Governance Authority (which is replacing the FRC), it’s expected to become mandatory. With an eye towards recent audit failures, one of the objectives of the Standard is to ensure that the audit process has been independent and objective.

PIE Reporting Regulations

The UK government is also consulting on new regulations to impose additional reporting obligations on “public interest entities” (PIEs). The definition of a PIE is expected to include companies (both listed and unlisted) and LLPs with 750 employees or more and an annual turnover of at least £750 million. The regulation would require PIEs to prepare:

  • An annual resilience statement to address areas that might impact the company’s financial resilience
  • A triennial publication to report the audit and assurance policy
  • An annual statement to report steps taken by directors to prevent and detect material fraud

On top of that, the FRC advises all companies reporting under the UK Corporate Governance Code to consider producing such an audit and assurance policy on a “comply-or-explain” basis.

What are the Revisions to the UK Corporate Governance Code?

The FRC is currently consulting on revisions to the Code and, as part of the proposed UK SOX-Lite changes, would ask the board of each company subject to the measures:

  • To declare whether the board can reasonably say that the company’s risk management and internal controls have been robust throughout the reporting period.
  • To explain the basis for the board’s declaration and include details of the systems and reporting capabilities.
  • To declare any breakdown or breach of controls during the reporting period and the subsequent actions taken.

The proposed UK SOX-Lite would require the directors’ declaration to cover all internal controls (operational, reporting and compliance), not just those relating to financial reporting.

Diversity and Inclusion

The FRC also proposes introducing measures relating to diversity and inclusion in the composition of boards. Under the measures, companies would give details of how they are building diversity into their succession and include this in their annual reports.

ESG and Sustainability

The role of the audit committee would also be expanded to cover sustainability issues, to confirm that all necessary steps have been taken so that organisations have acted responsibly and adhered to their ESG commitments across their supply chain and with internal and external stakeholders, in a traceable and visible way.

So What’s the End Result?

Regulators hope that the new tightened legislation, with its focus on risk management and internal controls, will direct board-level attention to preventative measures and encourage strengthened processes and up-to-date technology where appropriate. On top of that, adherence to the new measures should help give investors and the wider supply chain confidence in the resilience of UK-based organisations. It is hoped that many organisations may decide to make all changes mandatory for their own purposes (even if not required to) to create a kind of Gold Standard. However, with the leeway given after the push-back from the original plans, and the somewhat flexible approach of the new measures, only time will tell whether the planned changes go far enough to deliver the behavioural changes needed.
