The UK SOX debate: What are other organisations doing to prepare for proposed UK controls regulation? | Deloitte UK has been saved
As the consultation for the BEIS White Paper unfolded, we gathered the sentiment of organisations toward the proposed UK controls regulation, nicknamed UK SOX, via a series of LinkedIn polls. Regardless of the outcome, it is time for businesses to reflect on the readiness of their organisations. Whilst this isn’t a large-scale survey with formal analysis, this blog post looks at the findings from our poll questions and highlights a number of key themes that businesses may wish to consider1.
When we started our LinkedIn poll series in April 2021, we opened by asking our respondents about their biggest concern in complying with a UK internal controls regulation (see figure 1). It was almost an even response rate for all four options:
Technology keeps you up at night
However, ‘technology, data, & information’ was the leading concern reported with 29% of the vote. Further to this, 33% responded in June that they need to enhance their current digital control framework (see figure 6).
Interestingly, this is consistent with the top lesson learnt over the past 19 years from US SOX; 33% responded in May that the lesson learnt by their organisation from US SOX, which will impact their approach to controls the most, is the need to focus on digital controls over information and data weaknesses early (see figure 5).
Businesses are aware of the critical role technology and digital controls play in an effective control environment and their increasing role in financial processes. While it can be complex and take time to get right, there is a real opportunity to use technology as an enabler when enhancing control environments. In our last blog post, “What role will technology play in a proposed enhanced UK controls regime?” we touched upon six initial questions that technology leaders can ask now to be prepared.
Organisations do not think they are ready
Our second poll in April asked how ready organisations were to comply with the demands of a UK controls regulation (see figure 2). Most businesses saw their organisations as ‘not ready at all’ [32%] or ‘not yet ready’ [27%] for an enhanced controls focus under the UK code (described as UK SOX). This is an understandable sentiment given the implementation of a UK controls regime is likely to lead to additional and, as yet, unknown requirements of organisations and Directors around addressing the effectiveness of internal controls, and how their assessment was undertaken.
How can you get ready and when should you?
Most businesses are seeing their first steps to move toward readiness for regulation as being either the performance of a risk assessment [27%] or gap analysis [45%], per our poll in April (see figure 3). However, a third of organisations were ‘still waiting for further guidance’ before taking action to address control requirements (see figure 3). An interesting correlation is that 59% of organisations know they are not ready for a UK controls regulation (see figure 2).
Our May poll asked “what lessons has your organisation learnt from US SOX which will impact your UK SOX approach?”, and listed, information & data weaknesses [33%]; clear roles and responsibilities [29%]; over-scoping [24%]; and lack of purpose in performance [14%] (see figure 5). Our poll question highlighted lessons around a proportionate response that is embedded in culture and acknowledges the critical role digital controls play in underpinning effective controls and enabling efficiency. However, perhaps we missed the most important lesson from the US SOX roll out of almost two decades ago: done well, strong controls are a business asset, but it takes time and there’s no time like the present.
Whilst the timelines for complying with the future enhanced regulation are currently uncertain, the requirements under current Code are increasingly in the spotlight. The experience of the US SOX implementation tells us that deploying a control environment that is efficient, effective, technology driven, and value adding takes around 18-24 months. Looking back, most US companies wished they had the opportunity to do it properly before going live and would have started earlier. Deploying a strong controls environment is at the heart of good governance.
Preparing for what comes next
As you set out to address the needs of your organisation, learning from experience will be vital to avoiding the pitfalls. Look out for our continued series on questions you can ask now to get ready; how to embed this process in existing transformation programmes; industries in the spotlight; and timely thought pieces to shed light on what organisations are and should be doing.
To discover our insights from many years’ experience implementing, enhancing and streamlining controls, please visit our dedicated UK SOX, Digital Risk and Future of Controls web hubs. If you would like to have a discussion, get in touch with either of our authors.
Lauren is a partner in our Risk Advisory practice, focusing on risk assurance and mitigation related to internal controls over financial reporting from both a business and technology perspective. She started her career with Deloitte US in the early stages of US SOX compliance, progressing her career through the period of SOX rationalisation and into the risk driven governance world we operate in today. She has extensive experience leading IT audits at global, technologically complex clients as well as advising clients on large scale remediation efforts and SOX transformation programmes, across a variety of industries and technology platforms. She is a recognised PCAOB specialist with extensive experience overseeing some of our most complex global SOX IT audits within the US, UK, and Luxembourg.
Andrew is a UK Associate Director in our UK Risk Advisory practice, a Chartered Accounting, with over 16 years' experience. Andrew works with some of our largest global and international clients to delivering Future of Controls, ICFR and SOX projects.