The topic of the pending UK SOx is well known to governance, risk and compliance practitioners, but do we know the extent to which it will affect organisations running SAP? In this article, we take a deeper dive into what UK SOx is, how it came about, and what impact it will have on organisations running SAP.
The regime, first proposed in the Kingman and Brydon reviews to strengthen the UK's internal control framework, is expected to be less prescriptive than the US Sarbanes-Oxley Act (SOx), which became law in 2002.
In a nutshell, SOx is legislation that requires businesses to publish accurate financial statements and to maintain internal controls that protect financial information, with the primary goal of preventing malpractice that would harm investors and the public.
If the regime is implemented, it would apply mainly to premium listed companies, but the proposals also seek to widen the definition of public interest entities (PIEs) to include large privately owned companies.
The requirements of UK SOx will apply to financial years ending in December 2023 or after.
What will the main requirements be?
- Public disclosure of a Directors' Responsibility Statement on the effectiveness of internal controls. The new regime will be enforced by a new regulator, the Audit, Reporting and Governance Authority (ARGA), which will replace the Financial Reporting Council (FRC).
- Directors will be required to review annually the effectiveness of internal controls over financial reporting and to report the results in the annual report. This review supports the Directors' Responsibility Statement.
- Directors will need to disclose an Audit and Assurance Policy (AAP), which is likely to be used to set the level of assurance required over internal controls over financial reporting.
- Under the UK Corporate Governance Code, boards and directors are responsible for overseeing the company's risk management and internal control systems. This includes an annual evaluation of their effectiveness and a report on the outcome of that review. According to the proposals, directors must include the following in their annual review:
- New disclosures and insights on the effectiveness of internal controls
- The findings of the annual review
- A statement of whether they consider the systems to have operated effectively
Directors to be guided by auditing best practices
BEIS (the Department for Business, Energy and Industrial Strategy) will, following consultation, establish the new Audit, Reporting and Governance Authority (ARGA) to replace the Financial Reporting Council (FRC). When this happens, shared principles and rules will define auditing best practice. These principles should guide directors; however, as with SOX 404 in the United States, directors will not be required to perform the testing and reporting themselves. They will instead rely on management to build review processes that closely follow best practice.
How will UK SOx impact organisations running SAP?
Controls take many forms and are used to limit exposure to risk and to misstatement of financial data. It is management's responsibility to ensure that these controls are operated and that they adequately reduce the company's exposure to fraud and misstatement.
UK SOx provides the framework within which organisations identify risks and act on them as the business and its systems change.
Internal controls include monitoring and preventive controls that help ensure the accuracy and completeness of financial data, such as:
- Continuous review of the applicability and effectiveness of controls within the SAP environment. The effectiveness of a control can change as a result of configuration or business process changes.
- Ensuring that access to systems is controlled and limited to authorised personnel only.
What are the associated costs with being SOx compliant?
Many firms are already listed in the United States and therefore already comply with US SOx. For them, SOx is so embedded in existing processes that it would be difficult to separate the two and estimate the incremental cost of UK SOx compliance, although the cost of establishing the process is unquestionably higher than the cost of sustaining it once it is up and running.
Of course, a US delisting would not eliminate all of these expenses, because many of the processes would be retained.
Steps organisations can take to prepare
Steps to prepare for the additional requirements could look something like this:
- Define a Policy and Procedures document for all processes
- Identify Risks relevant to the company
- Determine the appropriate response for the identified risks
- Develop controls that would adequately reduce the risks that were identified for mitigation
- Build and test controls
- Review and sign-off
Our advice – act now!
With a lengthy process ahead to define risks, document responses, policies and procedures, and design appropriate controls, we recommend reviewing your organisation's existing controls early to ensure they adequately reduce risk exposure.
Many companies struggle to perform certain controls effectively. Take the User Access Review process as an example. When performed manually (in a spreadsheet), it becomes a challenging activity for the business users doing the review, because the spreadsheet typically cannot answer questions such as:
- Which of the roles being reviewed are risk-bearing?
- Has the end user actually executed any of the transaction codes in the roles being reviewed?
With this limited information, business users often carry out the review merely to appease audit, and the control adds minimal value to the organisation. Implementing the right solution to give business users the information they need to make quick and informed decisions, supported by a trusted partner, can save significant time and money.
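The two questions above can be answered by joining three exports before the review goes to the business: user-to-role assignments, role-to-transaction-code mappings, and transaction usage statistics. The following is an added example written for this article, not Soterion's product code or anything shipped by SAP. The SAP table and transaction names in the comments (AGR_USERS, AGR_1251, ST03N/STAD) are named only as the likely sources of such exports; the users, roles, transaction codes and usage dates are constructed, and the list of risk-bearing transaction codes and the 90-day staleness threshold are assumptions.

```python
"""Enrich a SAP user access review with risk and usage context.

Added example (not Soterion's or SAP's code). The three inputs mimic
exports that would typically come from SAP: user-to-role assignments
(AGR_USERS), role-to-transaction-code mappings (AGR_1251 / AGR_TCODES)
and transaction usage statistics (ST03N / STAD). All data below is
constructed; the risk-bearing tcode list and the 90-day threshold are
assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample export: role -> transaction codes it grants.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_PAYMENT_RUN": {"F110", "FB60", "FK02"},  # payment run, vendor invoice, vendor change
    "Z_FI_DISPLAY": {"FB03", "FK03"},              # display-only
    "Z_HR_MASTER": {"PA30", "PA40"},               # HR master data maintenance
}

# Assumption: transaction codes the organisation treats as risk-bearing.
RISKY_TCODES: Set[str] = {"F110", "FK02", "PA30", "SU01", "PFCG"}

# Constructed sample export: user -> assigned roles.
USER_ROLES: Dict[str, Set[str]] = {
    "JSMITH": {"Z_AP_PAYMENT_RUN", "Z_FI_DISPLAY"},
    "AKHAN": {"Z_FI_DISPLAY", "Z_HR_MASTER"},
    "BLEE": {"Z_AP_PAYMENT_RUN"},
}

# Constructed usage statistics: (user, tcode, date last executed).
USAGE: List[Tuple[str, str, date]] = [
    ("JSMITH", "FB60", date(2023, 11, 2)),
    ("JSMITH", "FB03", date(2023, 11, 20)),
    ("AKHAN", "FB03", date(2023, 6, 1)),
    ("BLEE", "F110", date(2023, 11, 28)),
]

REVIEW_DATE = date(2023, 12, 1)
STALE_DAYS = 90  # assumption: no execution in 90 days counts as unused


@dataclass(frozen=True)
class ReviewRow:
    user: str
    role: str
    risk_bearing: bool                 # role grants at least one risky tcode
    risky_tcodes: FrozenSet[str]       # risky tcodes the role grants
    used_tcodes: FrozenSet[str]        # tcodes in the role the user actually executed
    used_risky_tcodes: FrozenSet[str]  # risky tcodes the user actually executed
    last_used: Optional[date]          # most recent execution of any tcode in the role
    recommendation: str                # REVOKE / REVIEW / RETAIN


def build_review(user_roles: Dict[str, Set[str]], role_tcodes: Dict[str, Set[str]],
                 risky_tcodes: Set[str], usage: List[Tuple[str, str, date]],
                 review_date: date, stale_days: int = STALE_DAYS) -> List[ReviewRow]:
    """One row per (user, role) assignment, carrying the context a reviewer needs."""
    # Latest execution per (user, tcode). Usage data does not record which role
    # authorised the call, so a used tcode counts for every role that grants it;
    # this is the conservative choice (a role is never wrongly shown as unused).
    last_exec: Dict[Tuple[str, str], date] = {}
    for user, tcode, when in usage:
        key = (user, tcode)
        if key not in last_exec or when > last_exec[key]:
            last_exec[key] = when

    rows: List[ReviewRow] = []
    for user in sorted(user_roles):
        for role in sorted(user_roles[user]):
            tcodes = role_tcodes.get(role, set())
            risky_in_role = frozenset(tcodes & risky_tcodes)
            used = frozenset(t for t in tcodes if (user, t) in last_exec)
            last_used = max((last_exec[(user, t)] for t in used), default=None)
            unused = last_used is None or (review_date - last_used).days > stale_days
            if unused:
                rec = "REVOKE"   # never or not recently used: remove, whatever the risk
            elif risky_in_role:
                rec = "REVIEW"   # in use and risk-bearing: reviewer must confirm the need
            else:
                rec = "RETAIN"   # in use and grants no risky tcodes
            rows.append(ReviewRow(user, role, bool(risky_in_role), risky_in_role,
                                  used, used & risky_in_role, last_used, rec))
    return rows


if __name__ == "__main__":
    for r in build_review(USER_ROLES, ROLE_TCODES, RISKY_TCODES, USAGE, REVIEW_DATE):
        print(f"{r.user:7} {r.role:17} risk={str(r.risk_bearing):5} last_used={r.last_used} "
              f"used={sorted(r.used_tcodes)} risky_used={sorted(r.used_risky_tcodes)} "
              f"-> {r.recommendation}")
```

Two things in the output are worth more than the REVOKE/REVIEW/RETAIN flag itself. First, a risk-bearing role that has never been executed (AKHAN's Z_HR_MASTER in the constructed data) is the cheapest risk reduction available: removing it needs no business justification. Second, a user who holds a risk-bearing role but has only executed its non-risky transactions (JSMITH holds the payment-run role but has only posted vendor invoices) is a candidate for a narrower role rather than a rubber-stamped approval. Because the usage statistics do not say which role authorised a call, a used transaction is credited to every role that grants it, so the script errs towards keeping access rather than towards a false REVOKE.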
Soterion is a leading governance, risk and compliance software provider. Our GRC solution suite assists organisations in effectively and efficiently managing their risk in SAP. Up and running in only a few days, Soterion’s software very quickly provides an overall view of the organisation’s risk and performs controls to mitigate this risk. Speak to an expert SAP Security consultant by emailing [email protected] if you’d like advice on how we can assist you in the journey to becoming UK SOx compliant.