
What is UK SOX?

The UK’s new corporate governance regime, unofficially referred to as UK SOX, is an initiative introduced by the government in response to the need for reform. The concept of UK SOX emerged in approximately 2019 after a comprehensive examination of auditing practices. Sir Donald Brydon played a pivotal role in this process by releasing a report emphasizing the need for enhanced legal definitions pertaining to auditing.

As a result, efforts to bring about reform in this domain are currently in progress, with the Financial Reporting Council (FRC) taking the initial lead in implementing necessary changes. The FRC, which is the main regulatory authority overseeing UK SOX, will be replaced by the Audit, Reporting, and Governance Authority (ARGA). This change is being implemented to establish a specialized regulatory body that can fully concentrate on enforcing transparent and truthful financial reporting practices.

The Motivation Behind the Regulation

Various regulations, such as the Companies Act 2006 and the Corporate Governance Code, currently govern organizations operating in the UK. However, recent scandals involving companies like BHS, Carillion, and Patisserie Valerie have exposed the shortcomings of the existing regime. These include inadequate audit practices, organizations’ lax approach to compliance, and a lack of accountability.

Recognizing the urgent need to address these issues and improve corporate governance and audit rules, the government embarked on developing a UK equivalent of the US Sarbanes-Oxley Act (SOX). The Sarbanes-Oxley Act is a federal law in the United States aimed at safeguarding investors by enhancing the accuracy and reliability of corporate disclosures. In March 2021, the Department for Business, Energy & Industrial Strategy (BEIS) published a consultation paper titled “Restoring Trust in Audit and Corporate Governance,” outlining proposals for essential reforms.

Who Will Be Affected by UK SOX?

The proposed reforms aim to broaden the scope of Public Interest Entities (PIEs) by including large privately owned companies and businesses listed on the Alternative Investment Market (AIM). These comprehensive reforms are designed to enhance accountability for directors, shareholders, audit firms, and the regulator.

One notable change involves the introduction of new audit requirements for large companies. Regulatory oversight will now extend to large private companies meeting specific criteria, such as having over 750 employees and generating annual turnover exceeding £750 million, even if they are not publicly listed on a stock exchange.

By meeting these criteria, these large private businesses will be categorized as public interest entities (PIEs), joining publicly traded companies such as banks, building societies, and insurance firms. Consequently, they are expected to face increased scrutiny from the newly established regulator, ARGA.

What Changes Can Businesses Expect?

The forthcoming regulation is anticipated to impose significant additional reporting obligations on directors, demanding considerable investments of time and resources to ensure UK SOX compliance. The most visible change is that companies will be required to make public disclosures through a set of new statements: a Director’s Responsibility Statement, a Statement on Fraud, a Resilience Statement, and an Audit and Assurance Policy (AAP). Producing these statements will require a substantial, sustained commitment to the new reporting standards.

UK SOX Estimated Implementation Timeline

The following dates are estimated timeframes and are still subject to change:

  • Spring 2023: The ARGA is scheduled to take control of the legal proceedings.
  • Late 2023: Finalization of the UK SOX legislation.
  • Late 2024: The UK SOX regime will be fully operational, accounting for the time taken to finalize and implement the legislation, as well as the grace period provided. Companies are obligated to ensure UK SOX compliance and submit their reports by the end of their first financial year following the commencement of this legislation.

How to Start Preparing for the New Regulatory Requirements

Assess Your Current Posture: To start off on the right foot, it is crucial to gain a comprehensive understanding of the areas of strength, existing gaps, common pitfalls, and areas for improvement. This assessment will enable the establishment of a roadmap to enhance internal controls. Taking early action will facilitate the timely identification of any control weaknesses, allowing ample time for remedial measures.

Establish a Controls Program: It is important to establish a well-resourced controls program that focuses on enhancing the design, conducting operational testing, and adapting to business changes as necessary. This program should act as a template to identify the right controls, how they should be tested, and their impact on your business once the controls are implemented.

Scaling and Optimization: Emphasize the optimization of controls, aiming for an internal control framework that is appropriately scaled to align with the governance model and tailored to the specific needs of the business operations. This approach ensures an efficient and cost-effective controls testing program.

Implement Automated and Integrated Solutions: Leverage technology and automation to establish an integrated internal control framework that promotes efficiency, improves quality, and facilitates real-time reporting and insights for effective management oversight.

Adopt a Controls-Driven Culture: Cultivate a controls culture throughout the organization, starting at board level and extending to individual control owners. This entails driving the right behaviors and fostering a culture of change. Enhancing the control environment extends beyond processes and controls alone; it also requires transforming behaviors and culture.

What Pathlock Can Do to Strengthen Controls and Audit Practices

In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. By connecting directly to your business applications, Pathlock can automatically monitor activity in these applications to surface any violations to controls and pinpoint and quantify the financial impact of any risks. Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.

Financial Impact Prioritization

Pathlock automatically prioritizes your most critical violations by quantifying access risk: each violation is tied to the real monetary amount of the out-of-policy transactions behind it.

Comprehensive Rulebook

Pathlock’s catalog of more than 500 rules provides out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.

Real-time Access Mitigation

Pathlock allows users to quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, or forcing 2FA, or it can respond intelligently on its own in real time by terminating suspicious sessions and blocking transactions.

Out-of-the-Box Integrations

Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.

Lateral SoD Correlation

All of a user’s entitlements and roles are correlated with that user’s behavior, consolidating activities across systems and surfacing cross-application SoD conflicts between financially relevant applications.
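To make the cross-application SoD idea concrete, here is an added example (written for this page, not Pathlock’s own code or rulebook) of how entitlements drawn from several applications can be collapsed into business capabilities and checked against SoD rules. The application names, entitlement identifiers, rules and sample users are all constructed assumptions; the point it demonstrates is that a conflict only exists between different capabilities, so the same capability granted in two systems is consolidated rather than flagged.

```python
"""Cross-application separation-of-duties (SoD) correlation.

Added illustration: a minimal rule engine that merges a user's entitlements
from several financially relevant applications and flags pairs of
capabilities that one person should not hold together. Application names,
entitlement identifiers, rules and the sample users are constructed for
this example; they are not Pathlock's rulebook or any vendor's real data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Map each application's native role/entitlement to a business capability.
# Constructed sample mapping; a real deployment derives this from each
# application's authorization model.
CAPABILITY_MAP: Dict[Tuple[str, str], str] = {
    ("sap", "Z_VENDOR_MAINT"): "create_vendor",
    ("sap", "Z_AP_POST"): "post_invoice",
    ("netsuite", "Vendor Payment Approver"): "approve_payment",
    ("netsuite", "AP Clerk"): "post_invoice",
    ("workday", "Payroll Admin"): "edit_payroll",
    ("workday", "Payroll Approver"): "approve_payroll",
}

# SoD rules: pairs of capabilities that conflict, with a short rationale.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create_vendor", "approve_payment", "could pay a fictitious vendor"),
    ("create_vendor", "post_invoice", "could invoice a fictitious vendor"),
    ("edit_payroll", "approve_payroll", "could self-approve payroll changes"),
]

# Constructed entitlements: user -> list of (application, entitlement).
SAMPLE_ENTITLEMENTS: Dict[str, List[Tuple[str, str]]] = {
    "alice": [("sap", "Z_VENDOR_MAINT"), ("netsuite", "Vendor Payment Approver")],
    "bob": [("sap", "Z_AP_POST"), ("netsuite", "AP Clerk")],
    "carol": [("workday", "Payroll Admin"), ("workday", "Payroll Approver")],
    "dave": [("sap", "Z_AP_POST")],
}


def capabilities_by_user(entitlements):
    """Collapse native entitlements into user -> capability -> set of apps."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for user, grants in entitlements.items():
        caps: Dict[str, Set[str]] = defaultdict(set)
        for app, ent in grants:
            cap = CAPABILITY_MAP.get((app, ent))
            if cap is None:
                continue  # unmapped entitlement: not part of any SoD rule
            caps[cap].add(app)
        result[user] = dict(caps)
    return result


def find_sod_violations(entitlements):
    """Return one record per (user, rule) conflict, noting the apps involved."""
    violations = []
    for user, caps in capabilities_by_user(entitlements).items():
        for cap_a, cap_b, why in SOD_RULES:
            if cap_a in caps and cap_b in caps:
                apps = caps[cap_a] | caps[cap_b]
                violations.append({
                    "user": user,
                    "rule": (cap_a, cap_b),
                    "applications": sorted(apps),
                    # True when the conflicting rights live in different systems,
                    # which a single-application review would never see.
                    "cross_application": len(apps) > 1,
                    "rationale": why,
                })
    return violations


if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE_ENTITLEMENTS):
        scope = "cross-app" if v["cross_application"] else "single-app"
        print(f"{v['user']}: {v['rule'][0]} + {v['rule'][1]} "
              f"[{scope}: {', '.join(v['applications'])}] - {v['rationale']}")
```

On the constructed data, alice is flagged because vendor creation in SAP combines with payment approval in NetSuite, a conflict neither application can see alone; carol is flagged within a single system; bob, who can post invoices in both SAP and NetSuite, is not flagged, since holding one capability twice is not a segregation failure.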

Continuous Control Monitoring

Pathlock identifies the most significant risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.

The Time to Prepare for UK SOX is Now

The UK SOX corporate governance initiative aims to significantly reform the UK’s audit and financial reporting landscape, with an emphasis on stringent UK SOX compliance. Businesses need to invest significant time and resources to ensure transparent and truthful financial reporting. They are encouraged to evaluate their current status, establish a controls program, optimize controls, utilize automation, and promote a control-driven culture to comply. Tools like Pathlock can strengthen audit practices and control enforcement by integrating with business applications, identifying risks, enforcing compliance, and providing real-time, intelligent responses to potential violations.

Schedule a demo with our compliance experts to understand how Pathlock can enable you to achieve compliance using fine-grained controls within your ERP applications.
