What role will technology play in a proposed enhanced UK controls regime? | Deloitte UK has been saved
Limited functionality available
As many organisations start to consider how they enhance their control environment in preparation for complying with a proposed UK controls regulation (sometimes referred to as “UK SOX - Sarbanes Oxley”), following the Department for Business, Energy & Industrial Strategy (BEIS) White Paper published in March 2021, it is vital that technology and digital control play a key role. Not just in terms of the systems, tools, infrastructure and service providers that support your financial processes but also the opportunity for technology to become a greater enabler for your control environment.
From this perspective we explore six initial questions that technology leaders can ask now, to prepare for what may come later.
One of the most identified pitfalls and root causes for control deficiencies is a lack of understanding, accountability, and integration between business and technology functions which leads to failure around digital controls.
Action: Foster an environment of integration where quality and control effectiveness is owned by all and not a select few in the finance function. Also, consider creating a governance structure that clearly defines shared accountability between business and technology functions for the effectiveness of all controls, especially those which represent a point of integration and reliance between the two areas.
As we know, technology and digital controls continue to form an increasingly significant part of Internal Controls, from ERP systems to automation and robotics. We therefore expect technology to form a significant part of how companies respond to the proposed regulation. So, is there an opportunity for you to use technology as an enabler to improve and digitise your risk and control environment?
Action: Formally explore options to use technology enablers in your plan for technology and general UK SOX readiness.
Understanding your financial processes is key to correctly identifying the systems and technology that support complete and accurate financial reporting and may therefore be in scope to comply with the proposed regulation. All too often, relevant technology is overlooked during the scoping process which can mean issues with the reliability of financial information, or with the controls that help to ensure reliability of financial information, go unnoticed. Furthermore, where external auditors determine systems and technology are relevant and find deficiencies, this can lead to delay and further costs as the controls are remediated. This could even potentially lead to a conclusion that internal control over financial reporting is not effective and therefore an adverse ICFR audit opinion issued.
The root cause of this is often a lack of integration between business and technology (see previous question).
Action: Work with finance to document your understanding of financial processes and the systems and technology elements that support them. Start at the initiation of data and flow through to financial reporting and identify all systems, technology, digital capabilities, and tools that appear in the process for scoping consideration.
A comprehensive risk assessment will lead to a more complete risk and control register, which is central to the effectiveness of your chosen framework in meeting current or future requirements to attest on the operating effectiveness of Internal Controls. A comprehensive risk assessment also helps address two of the more common challenges we see:
Action: Perform a comprehensive risk assessment by understanding: (i) how technology and digital controls support your business model(s); (ii) how significant its role is; and (iii) the principal technology and digital risks in relation to financial reporting or other in scope areas.
There are many factors that influence the scale of effort required to implement and comply with a new control regulation. Some of these factors include your current technology estate, maturity of your risk and control framework, effectiveness of your control environment, budget to transform, and the list goes on. If you do not currently operate IT controls, or if you do but your auditor does not rely on them, you may require an increased effort to achieve readiness versus if you have a relatively mature and effective control environment. In addition to considering the maturity of your control environment, don’t miss the chance to consider whether there is an opportunity to streamline your IT control environment and consider other risks (cyber, resilience, change) as part of your journey to readiness. This drives value by creating a sustainable, value add environment that also addresses your compliance needs.
Action: Perform a current state assessment of your IT control environment against your desired future state and identify a roadmap to technology and digital readiness. Consider some of the following:
Following the BEIS White Paper, the assurance requirement over a new regulation is still unknown, but whether an audit or other form of assurance is needed, management will still need to be able to support their statement that their controls are effective.
If you speak to technology and business functions at US registrants, they will likely speak to the challenges of the early SOX implementations when everyone did too much and to the ongoing challenge of documentation and satisfying a controls based external audit in terms of time, resource, and level of detail. If controls are implemented purely to satisfy a compliance requirement then the business is missing an opportunity to take control and safeguard value for their own purposes.
Many UK businesses might say “we’re doing a lot of this already, we just don’t document it”. However at some point, UK businesses will likely need to be able to demonstrate the effectiveness of their controls to the regulator, their auditor, or other assurance provider, and that will require some level of documentation. Arguably good documentation is how a robust thought process is developed and captured. Provided UK business are very tight on their risk assessment, and efficient in their selection of relevant controls, and use tech wisely in their approach to documentation, the incremental workload should be achievable. The key lesson from the early US implementations was that doing too much is not the same as good control. You can save money and time on an annuity basis by putting good thought in upfront.
Creating an effective, value adding method of assurance that delivers on the purpose of protecting public interest is going to be a critical success factor for the UK.
Action: Engage with finance on this topic. Understand what framework implementation success and assurance needs to look like to add value to your business and to protect the public interest. You should also ensure that technology (not just general IT Controls, think digital landscape, programme implementation, cyber security, etc.) has been included and aligned in your audit and assurance policy.
Whilst the timelines for complying with the future legislation are currently unknown, the experience of the US SOX implementation tells us that deploying a control environment that is efficient, effective, technology driven, and value adding takes time. Many organisations find that when they start this process, they uncover challenges that will take time to resolve. Looking back, most wish they had the opportunity to do it properly before going live, so the lesson learned is to start now and leverage technology as much as possible.
Although some of these conversations and actions may seem daunting, once underway they will provide a strong basis for developing an effective tech-enabled controls environment.
If you’d like to explore this further, get in touch with one of our team. You can also find other blogs and content on UK SOX on our hub, www.deloitte.co.uk/uksox.
Lauren is a partner in our Risk Advisory practice, focusing on risk assurance and mitigation related to internal controls over financial reporting from both a business and technology perspective. She started her career with Deloitte US in the early stages of US SOX compliance, progressing her career through the period of SOX rationalisation and into the risk driven governance world we operate in today. She has extensive experience leading IT audits at global, technologically complex clients as well as advising clients on large scale remediation efforts and SOX transformation programmes, across a variety of industries and technology platforms. She is a recognised PCAOB specialist with extensive experience overseeing some of our most complex global SOX IT audits within the US, UK, and Luxembourg.
David has been part of our Technology & Digital Risk team since 2012 and in that time has gained considerable experience in leading and delivering our largest and most complex PCAOB external audits and SOx advisory projects. He also works across a number of clients on IT Internal audit, regulatory and IT risk and controls engagements.