UK SOx is on the way – Here’s What you Should Know

December 12, 2022 By Emile Steyn

The topic of the pending UK SOx is well known to governance, risk and compliance practitioners, but do we know the extent to which it will affect organisations running SAP? In this article, we take a deeper dive into what UK SOx is, how it came about, and what impact it will have on organisations running SAP.

The system, which was first suggested as part of the Kingman and Brydon investigations to enhance the UK’s internal control’s structure, is likely to be less stringent than the US Sarbanes-Oxley Act (SOx), which became law in 2002.

In a nutshell, SOx compliance is a Regulation that compels businesses to publish accurate financial statements and to have internal controls in place to protect financial information, with the primary goal of preventing malpractice that would affect investors and the public.

If the system is implemented, it would apply mainly to premium listed companies, but the proposals also seek to expand the definition of public interest entities (PIEs). This will include large privately owned companies as well.

The requirements of UK SOx will apply to financial years ending in December 2023 or after.

What will the main requirements be?

Public disclosure of a Director’s Responsibility statement on the effectiveness of controls. The new regulations will be enforced by a newly formed regulator, the Audit, Reporting and Governance Authority (ARGA) which will replace the Financial Reporting Council (FRC).
Directors will be required to conduct an annual review on the effectiveness of internal controls over financial reporting and report on the results in their annual report. This will support their Director’s Responsibility statement.
Directors will need to disclose an Audit and Assurance Policy – An Audit and Assurance Policy (AAP) will likely be used to determine the level of assurance necessary for internal controls over financial reporting.
Boards and directors are responsible for overseeing the company’s risk management and internal control systems under the UK Corporate Governance Code. This includes a need to conduct an annual evaluation of their efficacy, as well as a report on the results of that review. According to the proposed recommendations, directors must include the following in their yearly review:
- New disclosures and insights on the efficacy of internal controls
- The yearly review’s findings
- A statement stating whether they consider the systems to have operated effectively

Directors to be guided by auditing best practices

BEIS will establish a new Auditing, Reporting, and Governance Authority (ARGA) to replace the Financial Reporting Council (FRC), following consultation. When this occurs, the shared principles and rules will establish auditing best practices. These principles should guide directors; however, like with SOX 404 audits in the United States, they will not be required to perform the actual testing and reporting. They will instead rely on management to develop review systems that strictly adhere to best practices.

How will UK SOx impact organisations running SAP?

Controls can come in many different forms and are used to ensure that exposure to risk and misstatement of financial data is limited. It is the responsibility of management to ensure that these controls are performed and adequately reduce the company’s risk exposure to fraud and misstatement.

UK SOx provides the framework for organisations to act on risk activities and developments.

Internal controls can include mitigation controls that are used to ensure the accuracy and completeness of financial data such as:

Continuous review on the applicability and efficiency of controls within the SAP environment. Efficiency of controls can change because of configuration or business process changes.
Ensuring access to systems is controlled and limited to authorised personnel only.

What are the associated costs with being SOx compliant?

Many firms are already listed in the United States and so comply with the SOx framework. SOx is so ingrained in the process that it would be difficult to separate the two and estimate the associated costs of being UK SOx compliant, even if the costs of creating the process are unquestionably higher than the price of sustaining it once it is up and running.

Of course, a US delisting would not eliminate all of these expenses because many of the processes would be kept.

Steps organisations can take to prepare

Steps to prepare for the additional requirements could look something like this:

Define a Policy and Procedures document for all processes

Identify Risks relevant to the company

Determine the appropriate response for the identified risks

Develop controls that would adequately reduce the risks that were identified for mitigation

Build and test controls

Review and sign-off

Our advice – act now!

With a lengthy process to define risks, document responses, policies and procedures as well as define appropriate controls, we recommend looking at your organisation’s existing controls early to ensure they are adequate in reducing risk exposure.

Many companies struggle to perform certain controls effectively. Take the User Access Review process as an example. When performed manually (in spreadsheet), this typically becomes a challenging activity for the business users as they are presented with limited information such as:

Which roles are risk bearing roles?
Has the end-user used any of the transaction codes in the roles being reviewed?

With limited information, the business users often carry out their review merely to appease audit – and the control adds minimal value to the organisation. The implementation of the correct solutions to provide the business users with all the necessary information to make quick and informed decisions, as well as being supported by a trusted partner, could save significant time and money.

Soterion is a leading governance, risk and compliance software provider. Our GRC solution suite assists organisations in effectively and efficiently managing their risk in SAP. Up and running in only a few days, Soterion’s software very quickly provides an overall view of the organisation’s risk and performs controls to mitigate this risk. Speak to an expert SAP Security consultant by emailing [email protected] if you’d like advice on how we can assist you in the journey to becoming UK SOx compliant.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

UK SOx is on the way – Here’s What you Should Know

You may find this interesting

Type [To] Search

UK SOx is on the way – Here’s What you Should Know

You may find this interesting

Why Organisational Level Controls are Important for Effective Access Risk Management.

Mastering SAP Conference – 22 to 23 May 2024

SAP Security & GRC Podcast (E17) – Security Risks and Opportunities of S/4HANA Transformations

Type [To] Search