Audit and corporate governance reform: UK SOX and the case for strong internal controls

The Department for Business, Energy & Industrial Strategy (BEIS) published its consultation on these proposals in March 2021, setting out a broad programme of reform for auditors, companies, directors, audit committees, investors, other stakeholders and the regulator to improve corporate transparency.

The Government’s recent announcement to bring forward a Draft Audit Reform Bill indicates that it is unlikely to propose legislation for a strengthened internal controls regime over financial reporting (ICFR). It is possible this could be adopted through regulation, for example by amendment to the UK Corporate Governance Code and/or introduction of a new minimum standard for audit committees. There are a number of other measures proposed in the reforms that further emphasise the need for and the importance of strong internal controls.

Why you need to act now to strengthen your internal controls

The Government’s proposed reforms to audit and corporate governance include measures that emphasise the need for and importance of better internal controls. These include:

  • A recommendation for companies to publish an Audit and Assurance Policy that sets out the independent assurance the company intends to obtain over the annual report and other company disclosures (beyond that required by the statutory audit), subject to shareholder comment and advisory vote. Whatever the actual structure of an Audit and Assurance Policy, it should be transparent about the company’s approach to determining how it has ensured the information it reports is reliable and the extent to which it has been scrutinised (by the company auditors or someone else). The BEIS suggestion that the policy includes a description of the approach to independent assurance specifically over disclosure relating to resilience, risk and internal controls highlights the significance of these areas.
  • Proposal for directors of Public Interest Entities to disclose the steps they have taken to prevent and detect material fraud. Fraud is on the rise, with new working practices, market and supply chain disruption and global instability all increasing the motivation, rationalisation and opportunity to commit fraud. A robust fraud risk management framework is critical to a company's overall risk management structure and the success of its business.
  • A resilience statement with disclosure of specific threats to the company’s survival. This covers any digital security risks, including external cyber security threats and the risk of major data breaches arising from internal lapses, which puts increased scrutiny on the controls in place to mitigate these threats.
  • Increased accountability of directors and strengthened review enforcement regime over corporate reporting, including the directors’ disclosures around internal controls.

How you can strengthen your internal controls - what does good look like?

Beyond the proposed audit and governance reforms, this is an opportunity for organisations to rethink control more broadly - through Enterprise Control. What we mean by this is an optimised, right-sized control environment that is focused on key risks and strategic objectives beyond internal control over financial reporting.

Enterprise Control provides panoramic insight, underpinned by trusted data sources and enabled by technology. It allows organisations to balance the need for transformation and creating new opportunities for growth with building resilience and creating trust and confidence among stakeholders, investors and customers.

A successful control implementation programme requires significant effort, resource and planning from a broad range of stakeholders across an organisation. In our experience, and from learnings from US SOX and other similar regimes, there are a number of critical success factors.

Understanding what the change means for your business and taking a pragmatic approach will enable you to enhance and optimise your control environment.

This means:

  • Starting early by understanding the areas of strength, gaps, common pitfalls and improvement needed, and establishing a roadmap to enhance internal controls. Acting now will result in early identification of any control weaknesses, allowing time to remediate.
  • Establishing an appropriately resourced controls programme to enhance the design, perform operational testing and modify for business changes.
  • Focusing on optimising controls - a right-sized internal control framework that is aligned to the governance model and tailored to the business operations, for an efficient and cost-effective controls testing programme.
  • Making use of technology and automation to establish an integrated internal control framework that drives efficiency, improves quality and provides real-time reporting and insight for management oversight.
  • Embedding controls culture across the organisation from Board level to control owners to drive the right behaviours and embed change. Enhancing your control environment is not just about processes and controls. Changing behaviours and the culture is vital too.

Now is the time to step back and take a panoramic view of the whole system of governance and control to ensure that the target operating model, frameworks, processes and controls are defined, proportionate and able to stand up to much greater scrutiny.

Speak to us now to find out what these proposed reforms mean for your organisation and how we can help you strengthen your internal controls regime.

Contact us

Richard Bailes

Workiva Alliance Leader, PwC United Kingdom

Tel: +44 (0)7715 034917

Lisa Bark

Partner - Business Risks and Controls - FS, PwC United Kingdom

Katie Griffin

Director, Governance, Risk and Compliance, PwC United Kingdom

Tel: +44 (0)7841 567879

James Houston

Risk and Resilience Partner, PwC United Kingdom

Tel: +44 (0)7876 207850

Jonathan Lucas-Lucas

Partner, Risk Assurance, PwC United Kingdom

Tel: +44 (0)7803 152524

Simon Perry

Risk Head of Markets and Services, PwC United Kingdom

Tel: +44 (0)7740 024957
