
The grand scheme of things
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
Almost 20 years ago, the U.S. Congress passed the sweeping Sarbanes-Oxley Act (SOX) that improved how companies register with the U.S. Securities and Exchange Commission (SEC) and report their financial performances. These tougher regulations have come a long way in helping reduce financial fraud in the U.S., but interestingly, no other country has adopted similar rules. However, the tide appears to be turning, at least in the U.K.
Earlier this year, Kwasi Kwarteng, secretary of state at the U.K.’s Department of Business, Energy and Industrial Strategy, backed proposed legislation that would hold company directors to account for serious corporate failings. And like SOX, directors would have to attest to the accuracy of financial statements. He also indicated his support for laws to strengthen Britain’s corporate governance regime and reform audit regulation and competition. (See Kwasi Kwarteng gives the green light for holding directors to account, by Louisa Clarence-Smith, The Times, Jan. 30 and UK company directors face personal liability for financial statements - sources, by Huw Jones, Reuters, Feb. 5.)
Over the past few years, U.K. regulators and politicians have discussed implementing their version of SOX following widely reported accounting scandals. (See UK watchdog backs tougher Sarbanes Oxley-style rules for top companies, by Huw Jones, Reuters, March 9, 2020.)
Since 2018, U.K. experts have assembled a series of reports with recommendations on how to improve audits. These led to the creation of a new regulatory body called Audit, Reporting and Governance Authority (ARGA), among other initiatives.
The latest report came in December 2019 from Sir Donald Brydon, a U.K. businessman and former chairman of the London Stock Exchange Group. (See The quality and effectiveness of audit: independent review, Gov.UK, last updated Feb. 18, 2019.)
In addition to the many recommendations about audit and director responsibilities, the public trust and a “redefinition of audit,” Brydon’s report specifically calls for a U.K. version of SOX that requires CEO and CFO attestation:
13.1.8 – I recommend that the Government gives serious consideration to mandating a U.K. Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether they were effective, as in SOX 302(c) and (d). The board should then report to the shareholders that it has received such an attestation.
Brydon’s report also suggests audits should reflect a heightened focus on fraud, particularly if some of the recommendations set forth in Section 14 are adopted. Some of the more notable recommendations in that anti-fraud section include:
14.1.5 – that ARGA, the successor body to the U.K.’s Financial Reporting Council, make clear in ISA (U.K.) 240 that it is the obligation of an auditor to endeavor to detect material fraud in all reasonable ways.
14.2.2 – that directors should report on the actions they have taken to fulfil their obligations to prevent and detect material fraud against the background of their fraud risk assessment.
14.3.3 – that training in both forensic accounting and fraud awareness be part of the formal qualification and continuous learning process for a financial statements auditor. In developing qualifications for auditors of other areas of activity, parallel training should be established.
14.3.5 – that the auditor’s report states explicitly the work performed to conclude whether the directors’ statement regarding the actions they have taken to prevent and detect material fraud is appropriate. Furthermore, the auditors should state what steps they have taken to assess the effectiveness of the relevant controls and to detect any such fraud.
14.4.3 – that ARGA maintains an open access case study register detailing corporate frauds that have occurred in order that auditors can learn in real time from these frauds.
14.5.4 – that ARGA establish an independent Auditor Fraud Panel to which it would refer the results of any investigations into auditor failure to detect material frauds and that such a Panel should be equipped with the ability to levy sanctions on auditors as appropriate.
With the U.K. regulatory environment set to change, experts say that organizations should act sooner rather than later to adapt to the new landscape.
“Please don’t wait for the legislation to pass before you implement best practices in a corporate fraud risk management program,” says Sam Eastwood, a partner in Mayer Brown’s global litigation practice in London and a member of the firm’s white-collar defense and compliance practice. “If you do, you could indeed be too late to the game.”
Eastwood notes that for many U.K.-based organizations, there are notably few internal corporate investigations and that companies with full-time dedicated investigation personnel are relatively rare in the U.K. corporate environment. But that’s likely to change, he says.
Eastwood is an advocate for the five principles from the ACFE/COSO Fraud Risk Management Guide (FRMG) that address fraud risk management governance, fraud risk assessment, preventive and detective controls, investigations and reporting channels, and continuous monitoring activities. He also suggests companies ask these questions to assess their fraud risk management maturity:
David Cotton, chairman of Cotton & Company (a CPA firm) and one of the primary authors of the ACFE/COSO FRMG, says that the FRMG represents the future of efforts to combat major fraud in organizations of all sizes. Cotton believes that “when the U.K. and EU follow the U.S.’s lead in implementing a SOX-like program to protect shareholders and stakeholders, the FRMG will undoubtedly be adopted.
“In the U.S. non-governmental sector, the FRMG is considered ‘best practices,’ as is the COSO Internal Control Framework, where virtually all publicly traded U.S. companies have adopted both the Internal Control Framework and the FRMG,” he says. “It’s pretty clear that all organizations are recognizing that the benefits of proactive fraud risk management far outweigh the costs.”
I leave you with this rather cheeky accounting poem, said to originate from the 1930s, found in Appendix 9 of Brydon’s report. According to the report, it’s taken from a 1951 edition of The Accounting Review. The poem demonstrates how many of the same criticisms have been leveled against auditors for more than 80 years:
The Accountant's Report
We have audited the balance sheet and here is our report:
The cash is overstated, the cashier being short;
The customers' receivables are very much past due,
If there are any good ones there are very, very few;
The inventories are out of date and practically junk,
And the method of their pricing is very largely bunk;
According to our figures the enterprise is wrecked...
But subject to these comments, the balance sheet's correct.
Vincent M. Walden, CFE, CPA, is a managing director with Alvarez & Marsal’s Disputes and Investigations Practice and assists companies with their anti-fraud, investigation and compliance monitoring programs. He welcomes your feedback. Contact Walden at vwalden@alvarezandmarsal.com. Walden thanks his colleague, Daniel Barton, of the Alvarez & Marsal U.K. office, who contributed to this column. Contact Barton at dbarton@alvarezandmarsal.com.
The Sarbanes-Oxley Act of 2002 (SOX) rocked the U.S. corporate world, and set new standards for auditors, corporate management and boards of directors. SOX introduced sweeping financial controls, reporting requirements and tough penalties for those who commit financial misstatement fraud at public companies that are registered with the U.S. Securities and Exchange Commission (SEC). Under SOX, corporate officers who knowingly certify false financial statements can go to prison. (See: Sarbanes-Oxley Act Revisited, by Dick Carozza, CFE, Fraud Magazine, May/June 2007.)
Congress adopted SOX in response to the widely reported financial scandals in the early 2000s involving publicly traded companies including Enron Corporation, Tyco International and WorldCom. These high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.
(On a personal note, at the time I was a manager at Arthur Andersen LLP, Enron’s accounting firm, where I conducted electronic discovery and investigative technology support work. I witnessed the heartbreaking fall of arguably one of the most prestigious accounting firms in the world as Enron collapsed.)
As a result of SOX (See Sarbanes-Oxley Act of 2002), companies overhauled their internal controls and risk management processes, at considerable expense, to comply with the new rules, which included hotly debated sub-sections:
Section 302 mandates that senior corporate officers personally certify in writing that the company's financial statements comply with SEC disclosure requirements, and fairly present in all material aspects the operations and financial condition of the issuer. Officers who sign off on financial statements they know to be inaccurate are subject to criminal penalties, including prison terms.
Section 404 requires management and auditors to establish internal controls and reporting methods to ensure the adequacy of those controls. The 404-compliance metrics were accomplished, in large part, with the help of the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission, or COSO.
Section 802 contains the three rules that affect recordkeeping. The first rule deals with the destruction and falsification of records. The second rule strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, including electronic communications.
Many critics of SOX have complained that the cost of compliance, in particular section 404, can have a negative impact on publicly traded companies. At more than $1 million per year, the average costs of SOX compliance can be substantial. (See SOX Compliance Amid a New Business Equilibrium, Protiviti Inc., 2020.)
However, most anti-fraud professionals (myself included) would argue that SOX compliance did have a profound impact on improving fraud risk management (and related disclosures) and financial reporting, and on reducing financial statement fraud for SEC-registered companies in the U.S. Evidence shows that since the introduction of SOX, adverse auditor attestations decreased by more than 50%, from 454 in 2004 to 217 in 2018. (See SOX 404 Disclosures: A Fifteen Year Review, by Nicole Hallas, Audit Analytics, Sept. 30, 2019.)
The $1-million-plus per year annual cost for a company to sustain SOX compliance might seem high. But think about the millions, if not billions, lost in economic value if that company is accused or convicted of a large-scale financial fraud.