Posted: 28 Jul 2021

A new UK controls regime: What role will technology play?

Questions you can ask on UK SOX (Sarbanes-Oxley).

As many organisations start to consider how they enhance their control environment in preparation for complying with a proposed UK controls regulation (sometimes referred to as "UK SOX", after the US Sarbanes-Oxley Act), following the Department for Business, Energy & Industrial Strategy (BEIS) White Paper published in March 2021, it is vital that technology and digital controls play a key role. This applies not just to the systems, tools, infrastructure and service providers that support your financial processes, but also to the opportunity for technology to become a greater enabler for your control environment.

From this perspective we explore six initial questions that technology leaders can ask now, to prepare for what may come later.

What is our relationship between business and technology functions?

One of the most commonly identified pitfalls, and a root cause of control deficiencies, is a lack of understanding, accountability and integration between business and technology functions, which leads to failures in digital controls.

Action: Foster an environment of integration where quality and control effectiveness are owned by all, not by a select few in the finance function. Also consider creating a governance structure that clearly defines shared accountability between business and technology functions for the effectiveness of all controls, especially those which represent a point of integration and reliance between the two areas.

How do we – or could we – use technology to enhance our control environment?

Technology and digital controls continue to form an increasingly significant part of internal controls, from ERP systems to automation and robotics. We therefore expect technology to form a significant part of how companies respond to the proposed regulation. So, is there an opportunity for you to use technology as an enabler to improve and digitise your risk and control environment?

Action: Formally explore options to use technology enablers in your plan for technology and general UK SOX readiness.

How do I define a proportionate and right-fit scope?

Understanding your financial processes is key to correctly identifying the systems and technology that support complete and accurate financial reporting, and which may therefore be in scope for compliance with the proposed regulation. All too often, relevant technology is overlooked during the scoping process, which can mean that issues with the reliability of financial information, or with the controls that help to ensure that reliability, go unnoticed. Furthermore, where external auditors determine that systems and technology are relevant and find deficiencies, this can lead to delay and further cost as the controls are remediated. It could even lead to a conclusion that internal control over financial reporting (ICFR) is not effective, and therefore to an adverse ICFR audit opinion being issued.

The root cause of this is often a lack of integration between business and technology (see the previous question).

Action: Work with finance to document your understanding of financial processes and the systems and technology elements that support them. Start at the initiation of data and follow it through to financial reporting, identifying all systems, technology, digital capabilities and tools that appear in the process, so that they can be considered for scoping.

What do I really need to control?

A comprehensive risk assessment will lead to a more complete risk and control register, which is central to the effectiveness of your chosen framework in meeting current or future requirements to attest to the operating effectiveness of internal controls. A comprehensive risk assessment also helps address two of the more common challenges we see:

  • A lack of understanding of risk, leading to misaligned scope and to relevant but unknown deficiencies that are identified too late
  • Over-scoping controls and/or assigning elevated risk categories, which may create unnecessary work that drains time and resources without creating value

Action: Perform a comprehensive risk assessment by understanding: (i) how technology and digital controls support your business model(s); (ii) how significant their role is; and (iii) the principal technology and digital risks in relation to financial reporting or other in-scope areas.

Do we have the right IT controls?

There are many factors that influence the scale of effort required to implement and comply with a new control regulation, including your current technology estate, the maturity of your risk and control framework, the effectiveness of your control environment, the budget available to transform, and more. If you do not currently operate IT controls, or if you do but your auditor does not rely on them, you may require more effort to achieve readiness than an organisation with a relatively mature and effective control environment. In addition to considering the maturity of your control environment, don't miss the chance to consider whether there is an opportunity to streamline your IT control environment and to address other risks (cyber, resilience, change) as part of your journey to readiness. This drives value by creating a sustainable, value-adding environment that also addresses your compliance needs.

Action: Perform a current-state assessment of your IT control environment against your desired future state and identify a roadmap to technology and digital readiness. Consider the following:

  • Will this consist of improvements to existing systems, or a technology overhaul and transformation?
  • Is complying with a UK controls regulation part of your technology vision?
  • Do you have enough skilled resources in your team to implement the new requirements and deploy your plan?
  • Are you aligned with business functions to drive efficiency and integration?

How do I know if controls are working?

Following the BEIS White Paper, the assurance requirement under a new regulation is still unknown. But whether an audit or another form of assurance is required, management will still need to be able to support their statement that their controls are effective.

If you speak to technology and business functions at US registrants, they will likely describe the challenges of the early SOX implementations, when everyone did too much, and the ongoing challenge of documentation and of satisfying a controls-based external audit in terms of time, resource and level of detail. If controls are implemented purely to satisfy a compliance requirement, the business is missing an opportunity to take control and safeguard value for its own purposes.

Many UK businesses might say "we're doing a lot of this already, we just don't document it". However, at some point UK businesses will likely need to demonstrate the effectiveness of their controls to the regulator, their auditor or another assurance provider, and that will require some level of documentation. Arguably, good documentation is how a robust thought process is developed and captured. Provided UK businesses are very tight on their risk assessment, efficient in their selection of relevant controls, and use technology wisely in their approach to documentation, the incremental workload should be achievable. The key lesson from the early US implementations was that doing too much is not the same as good control. You can save money and time on an ongoing basis by putting good thought in up front.

Creating an effective, value-adding method of assurance that delivers on the purpose of protecting the public interest is going to be a critical success factor for the UK.

Action: Engage with finance on this topic. Understand what successful framework implementation and assurance need to look like to add value to your business and to protect the public interest. You should also ensure that technology (not just general IT controls, but also the digital landscape, programme implementation, cyber security, etc.) has been included and aligned in your audit and assurance policy.

Whilst the timelines for complying with the future legislation are currently unknown, the experience of the US SOX implementation tells us that deploying a control environment that is efficient, effective, technology-driven and value-adding takes time. Many organisations find that when they start this process, they uncover challenges that take time to resolve. Looking back, most wish they had had the opportunity to do it properly before going live, so the lesson learned is to start now and leverage technology as much as possible.

Although some of these conversations and actions may seem daunting, once underway they will provide a strong basis for developing an effective, technology-enabled controls environment.

If you’d like to explore this further, get in touch with one of our team. You can also find other blogs and content on UK SOX on our hub, www.deloitte.co.uk/uksox.

Key contacts

Lauren LaQuaglia

Partner

Lauren is a partner in our Risk Advisory practice, focusing on risk assurance and mitigation related to internal controls over financial reporting from both a business and technology perspective. She started her career with Deloitte US in the early stages of US SOX compliance, progressing her career through the period of SOX rationalisation and into the risk driven governance world we operate in today. She has extensive experience leading IT audits at global, technologically complex clients as well as advising clients on large scale remediation efforts and SOX transformation programmes, across a variety of industries and technology platforms. She is a recognised PCAOB specialist with extensive experience overseeing some of our most complex global SOX IT audits within the US, UK, and Luxembourg.

David Flett

Director

David has been part of our Technology & Digital Risk team since 2012 and in that time has gained considerable experience in leading and delivering our largest and most complex PCAOB external audits and SOX advisory projects. He also works across a number of clients on IT internal audit, regulatory, and IT risk and controls engagements.