
16 February 2022

UK SOx: Internal Controls – What can you do to prepare?

Now is the time to start thinking about your financial controls framework to get a head start on implementing the UK Internal Controls and Governance directive


Following the UK Government’s 2021 consultation on the way major companies are audited (Restoring trust in audit & corporate governance), we know big changes are coming. As we wait for the Government’s response around the exact shape and force of the rules under a "Sarbanes-Oxley" style regime, there are a few things we do know:

  • There will be a new body replacing the FRC – the Audit, Reporting, and Governance Authority (ARGA)
  • Reforms are needed to increase directors’ responsibilities with the aim of avoiding future corporate failures, similar to Carillion, BHS and Patisserie Valerie amongst others

The Government has already shared some preferred options around the directive—and based on these, we expect that businesses will be impacted in five key ways:

  • Control deficiencies may be expected to be disclosed to shareholders
  • Timely MI will be required on key risks faced by the business and the operation of related controls
  • Accurate risk and control catalogues will need to be available to the appropriate control owners and operators
  • Directors will need to have familiarity with risk and control structures, from both a design and an operation perspective
  • Businesses will need to have effective control assessment procedures, covering IA functions and a suitable choice of frameworks

Despite what we do know, there are still many unknowns:

  • Will the existing scope, covering the firms that we expect to be impacted, be extended to include other firms?
  • To what degree will directors and companies need to disclose deficiencies in internal control systems and processes?
  • Will there be the requirement for directors to make a responsibility statement?
  • What external assurance over directors’ statements will be required?

So is it really worth doing anything before the announcement?

Yes! Whether you will be impacted or not, refining your internal controls is a valuable and necessary activity to support transformation and create clearer accountability, as well as more standardised practices across your business. Regardless of this new regulation, improving your processes ultimately leads to better business and risk management. And there are likely to be penalties where reporting doesn’t meet the requirements.

Start with assessing your internal controls framework:

  • Make sure all the material risks faced by the business are written down and logged. The key here is to spot what risks you might be missing and to be precise with the ones you do capture
  • Against each risk identified, list out any mitigating controls already in operation. A common problem here is poor quality control documentation. Do you know who performs the control, what they do to undertake this role, when these actions are carried out, how the work is evidenced, and finally, whether there are any IT systems involved? If you can’t answer these questions, then the control documentation needs improving
  • Look for additional existing technology controls which may also mitigate the risks
  • Assign owners and operators for the identified controls—they will be responsible for maintaining the control documentation and recording evidence of control operation
  • Document the gaps where controls are inadequate, undocumented, or non-operational
  • Design a control testing and assessment schedule based on the potential impact of underlying risks

Train your primary 1LoD stakeholders on the requirements and implications of reform:

  • Develop internal control knowledge within each team, to make sure they know what the key risks and controls are that they operate
  • Upskill capability in each team to enable BAU control monitoring to be performed effectively in the future

Do you want to work with a firm that puts people first and creates impact that lasts?

  • We have a different approach—a risk-based approach that allows us to maximise the impact of our work to quickly pinpoint where we can help you
  • We are not an audit firm. We set out to build the world’s most trusted consulting firm, focused on people, culture and creating long-lasting impact
    • We adopt a partnership approach and work with internal client teams to ensure we deliver sustainable change
    • We build upon existing processes and risk controls to identify key risks and evaluate the current critical controls landscape
    • We spotlight key risks and design controls that can adapt as the business grows
    • We drive cost savings and efficiencies across businesses

Would you like to work with us or find out more? Get in touch