Are financial firms ready for the ‘UK version’ of Sarbanes–Oxley?
This article was first published in FT Global Risk Regulator
The UK government published the outcome of the consultation on the “Restoring trust in audit and corporate governance” white paper on May 31, 2022 and though it does not go as far as the US Sarbanes–Oxley Act, it will still have a significant impact on firms. By Ridhima Bhasin, financial services expert at PA Consulting.
The response will result in significant changes in corporate reporting requirements, greater director accountability and enhanced powers for investors. Financial services firms should understand and appreciate both the letter and the spirit of the government’s response to the white paper. It is a golden opportunity for the sector to set a positive tone and lead by example.
This should start by recognising that directors’ accountability around internal controls, dividends and capital maintenance is going to increase. The UK corporate governance code will require an explicit directors’ statement about the effectiveness of the company’s internal controls and the basis for that assessment. There will also be legislation to require directors of Public Interest Entities (PIEs) to report on actions they have taken to prevent and detect fraud.
They will then need to prepare for the new statutory resilience statement and audit and assurance policy (AAP) and the requirement for companies to report on matters they consider a material challenge to resilience over the short and medium term and to perform at least one reverse stress test. The AAP will also bring additional burdens around outlining internal auditing and assurance processes and the tendering of external audit services, accompanied by a summary update of how the assurance activity outlined in the AAP is working in practice.
Firms should note the wider definition of PIEs and the new regulatory requirements that will apply. These will include disclosing distributable reserves and providing an explanation of the board’s long-term approach to the amount and timing of shareholder returns. Directors are likely to be asked to make an explicit statement confirming the legality of proposed dividends and any dividends paid in-year. In addition, there will be implications for the Audit Industry and the Financial Reporting Council (FRC) as it becomes the new regulatory body the Audit, Reporting and Governance Authority (ARGA).
The experience of previous new regulatory requirements suggests that there will be a two- to three-year implementation period during which an effective programme needs to be designed and existing controls embedded and enhanced in line with the requirements. This does not give much time to digest and implement all the changes. However, the FRC has already published a position paper and a high-level plan on how it will transition into the ARGA.
Responding to these changes is more complex because they are happening in the context of a number of high-profile failures, and the increased regulatory focus has already resulted in a record amount of financial and non-financial sanctions imposed by the FRC this year.
So how can financial services firms prepare for future legislation now?
The biggest challenge firms will face will be to align directors’ accountability for internal controls, dividends, and capital maintenance with the expectations of the investors and other stakeholders. They will need to note that this increases their accountability and will go beyond the current Senior Managers and Certification Regime requirements.
While the government works on finalising exactly how these requirements will be implemented, firms should carry out an early assessment of the current environment supported by a gap analysis. They should use this opportunity to mobilise early, understand any control weaknesses and proactively engage with their board, investors and shareholders.
This should start with the identification of the directors who will be involved in providing this assessment and developing an approach to assessing the effectiveness of the internal control framework. They should also complete a gap analysis to assess if any changes are needed in that control framework, particularly around management information monitoring and reporting. Finally, they should discuss if they will need to undertake an external assurance process to provide the public attestation on the effectiveness of the internal control environment.
It is also important to start to set up processes for the new Corporate Reporting requirements. The publication of the new resilience statement and the AAP will require significant background work to be completed to ensure the new corporate reporting requirements are accurate and fact-based.
Firms will also need to begin discussions regarding the length of the assessment period for the medium-term section of the new resilience statements and determine the material challenges to resiliency. This includes talking about the approach they will take to maintain or enhance the company’s operational and financial resilience.
To meet the requirements on the AAP, directors should evaluate how they will evidence that it is working in practice. That should include engagement with investors, the auditors and the other stakeholders.
Following the new 750:750 rule, companies should check if they will be classified as PIEs and if their PIE’s current control environment is robust enough to meet new regulatory expectations. This is a new area for the industry, and around 600 additional entities are expected to come under the scope of the classification.
Although the government has not set out the timelines for these changes, it is clear that a great deal of preparatory work will be needed to get ahead of the requirements and meet investor and board expectations. That work needs to start now.