Preparing for UK SOX

Back in 2002 when the Sarbanes-Oxley (SOX) Act came into force I was working in the global corporate audit department at State Street in Boston.Although the title of the Act refers to public accounting reform, I remember having to explain to our internal clients around the world what the purpose of the legislation was, and how it affected them.  I had to explain the key elements of sections 302 and 404, which assigned senior manager accountability and called for robust testing of the framework of internal controls over financial reporting.  At State Street, and at major financial services organisations since, I had to help senior stakeholders to articulate what the SOX control framework was, and to identify specific SOX controls.  Further, I had to assess the gaps in the framework once it was documented and design internal audit testing for those controls such that external auditors could rely on internal audit work.

This was enough of a challenge for public reporting companies, but I worked in the investment management, brokerage and markets lines of business where there were further control attestation and testing requirements.  SOX proper is very rules-based and compliance focused, but brokers and asset managers had less prescriptive rules, such as FINRA 3120 and 3130 and SEC sections 38A-1 and 206(4)-7 of the Investment Advisors Act of 1940.  These require organisations to have internal control frameworks and supervisory compliance programmes that are fit for purpose, and that are tested and attested on an annual basis.  These are more aligned with the principles-basis supervisory approach found in the UK.

When identifying the control framework for SOX controls only, one starts with the lines on the financial reports that require attestation and works backwards into the financial and operational business processes that generate the values in those lines.  To test whether a framework is suitable to ensure fair customer outcomes and prevent market abuse, the approach is more nuanced.

From my reading of the BEIS consultation paper and the results of the Brydon Report I see a focus on public accounting reform coming to the UK.  Similar to the U.S. rules there are expectations of the organisation’s leadership to provide assurance over the effectiveness of the internal control framework and there are expectations that the supervisory programme will be proven fit for purpose.  In the UK though, accountable responsibility for the framework’s effectiveness will be with the Board and not senior operational leadership.  Due to their distance from daily operations they will likely require an assurance opinion from an independent party.  In the UK circumstance this is not necessarily an external auditor, as an external opinion might not be required.  This makes a common understanding of benchmarks for effectiveness more important; indeed the guidance suggests that the Treadway Commission’s COSO framework could be employed.  This makes sense.  The COSO framework was agreed upon by industry when SOX came into force and it has been revised and amended along the way to stay relevant.

I have been the one to build SOX programmes from the ground up in the past and it is not easy.  After many lessons learned here are some steps that you should be sure not to skip:

  • Gather key stakeholders – this is a big project and senior people should be present, as control owners, process owners and champions, but senior people often do not have the detailed knowledge of the controls in practice to keep the project moving forward. Be sure to get the correct mix of functional knowledge and organisational knowledge on the steering committee and working group.
  • Build context – make sure that stakeholders understand the scope and purpose of the project itself. Make sure everyone knows what success looks like and agree milestones to gauge progress.  Whenever there are cross-functional bodies with both senior and mid-level management present, mission creep and fear-based paralysis could stop your project in its tracks.
  • Map the framework – this is where the rubber meets the road. Mapping the control framework could be done using process maps or maps of systems interactions as a basis; if both are present then that could be a very good start.  Compare your map to pre-existing Risk and Control Self-Assessments (RCSAs).  There is likely to be some remedial discussion here about what a control objective is and how it differs from business objectives.
  • Eliminate controls that are not key – mapping the framework rather than just refreshing existing RCSAs can show where redundancies exist, or discussion of control objectives could identify controls that are either not controls at all or are not key controls. Focus exclusively on true controls that are key.  Parsimonious frameworks are among the most effective.
  • Refine the controls – populate new RCSAs with key controls and include as much data about the controls as you can. Identify whether controls are detective or preventive.  Identify where controls are supervisory, operational or financial.  Clearly articulate the operand of the control, not just the objective, and identify auditable evidence for each.
  • Design tests – using the control objectives, operands and auditable evidence, design tests for each control. At this point you should clarify the sampling methodology, sample size and identify sources of data to be sampled each quarter.
  • ‘Road test’ the programme – set an expectation that the first quarter’s testing (at least) will have some learning opportunities. Provide opportunities for collaborative feedback to further refine the controls or the test programme until the programme is fully embedded.
  • Report honestly – as with any project delayed dependencies or failure to deliver due to unforeseen circumstances could arise. Use conservative assumptions when revising timelines and be as clear as possible when reporting status and identifying accountability for missed targets.  Senior management and the Board can only work with the information they have and providing high quality information is part of your duty of loyalty to your company or to your client.

Naturally I want you to contact Zenith Audit UK and speak with me about your control framework and test plan; I honestly don’t think there are many others in the London market who have more direct hands-on experience.  But even if you don’t then you should speak to someone.  This is a major undertaking with a significant amount of pain involved, and getting an experienced project manager with an independent eye to help formulate and direct your organisation’s response could save frustration, time and undue exposure to regulatory scrutiny.

Author: Arthur Flynn