Position paper: Strengthened internal controls: learning lessons from Sarbanes-Oxley

August 2021

In March 2021, the Department for Business, Energy and Industrial Strategy published its long-awaited white paper entitled ‘Restoring trust in audit and corporate governance’.

The white paper contained significant proposals on audit and corporate governance reform, one of which involves allocating greater responsibility to company directors in relation to internal controls over financial reporting, similar to what is mandated by the Sarbanes-Oxley (SOX) Act in the USA. The Chartered Institute of Internal Auditors, UK and Ireland (Chartered IIA) welcomed the opportunity to contribute our views to the white paper. Our response can be read in full here.

This paper focuses on the proposed introduction of new requirements leading to a strengthened internal financial controls framework in the UK, one that shares key elements with the SOX legislation in the USA and is commonly referred to as ‘SOX-lite’.

We also look forward to the publication of the Government’s response to the white paper and will continue to inform the policymaking process and our position as these develop over time.


Chartered IIA’s position

The Chartered IIA is broadly supportive of the proposals contained within the UK Government’s white paper ‘Restoring trust in audit and corporate governance’ for a strengthened internal control framework for financial reporting.

These are the key points of our position:

  • We supported the proposals outlined by Sir Donald Brydon in his report of the Independent Review into the Quality and Effectiveness of Audit, in which he advocates strengthening the internal controls around financial reporting. In particular, we supported the measures to seek signed attestations from CEOs and CFOs.
  • We believe that within organisations, the responsibility for implementation and oversight of ‘SOX-lite’ should sit with management in the first line, and risk management in the second line, rather than internal audit in the third line. The role of the third line should only be to provide independent assurance.
  • There should be clear guidance published by the audit regulator outlining the responsibilities and implementation (and all other aspects) of ‘SOX-lite’ available for all organisations.
  • The proposals for a strengthened internal control framework related to financial reporting should over time apply to all organisations that are regarded as Public Interest Entities (PIEs).
  • We believe the internal controls related to financial reporting are a good place to start, but in time we would like to see the scope of these requirements go beyond this to other internal control areas where risks should be mitigated to the lowest acceptable level e.g. disclosures related to environmental and climate factors, KPIs used for remuneration purposes and areas such as cyber security and data protection/management. However, we believe this should be done on a phased and incremental basis.

Strengthening the role of company directors over financial reporting through signed attestations

We are particularly interested in the requirements around signed attestations from CEOs and CFOs and were pleased to see that both Sir John Kingman, in his Independent Review of the Financial Reporting Council, and Sir Donald Brydon, in his Independent Review into the Quality and Effectiveness of Audit, supported the case for a strengthened internal control framework in the UK, learning lessons from the SOX regime in the US. We are pleased that the white paper has also taken a similar view, although it has said that the internal controls statement should be signed by all company directors to reflect the collective joint and several liability of Boards.

Brydon outlined what the new requirements should be, and specifically recommended that “the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and the CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302 (c) and (d).”

Brydon further recommended that “where weaknesses (and/or failures) in controls have been reported, it should become an obligation on directors to report on what remedial action has been taken and on its effectiveness, supportive of section 404 of the SOX legislation.”

The Chartered IIA supports these recommendations, as we believe more should be expected of company directors in relation to internal controls over financial reporting. This will help raise corporate governance standards.

The Three Lines Model and distinct responsibilities

There are ongoing discussions around the responsibilities of management in the first line and risk management in the second line, and how these would align with the responsibilities of internal audit’s independent assurance in the third line, if a strengthened internal control framework for financial reporting were to be introduced. These include questions around who exactly should support directors in meeting any new requirements on internal controls over financial reporting, and the extent to which internal audit should act only to verify compliance with new measures.

To help enhance the understanding of an organisation’s governance, risk management, audit and assurance functions, we use the Three Lines Model, which the Chartered IIA endorses and promotes.

We see the role of internal audit as providing independent assurance and specialist consultation as part of its work in the third line. This means, essentially, that we see compliance as a responsibility of management. Internal audit plays a distinct role in providing independent assurance and verifying that compliance measures are in order.

Our view is that internal audit – in partnership with colleagues in risk management in the second line – would play an important role in verifying compliance with a strengthened internal control framework. Application of the system is best placed as part of the responsibility of management, consistent with other legal and regulatory requirements. This is because these requirements are operational and so should primarily sit with the first and second lines. Internal audit would then be responsible for auditing the design, effectiveness and operational efficiency of the processes put in place by the first line, and the effectiveness of the second line in providing oversight and assurance in relation to compliance with legislation.

If the responsibility for SOX compliance fell on internal audit, an unintended policy consequence could be the diversion of internal audit resources and focus away from auditing significant business-critical risks such as cyber security, climate change, HR, supply chains or corporate culture. These unintended consequences are discussed at greater length later in this paper and within our white paper response.

As a result, careful thought and consideration should be given to how ‘SOX-lite’ is introduced, and in particular, where responsibilities should lie with regard to implementation.

We believe the audit regulator should publish clear guidance on implementation of the proposals for a strengthened internal control framework related to financial reporting, including guidance on the roles, responsibilities and interaction of the first, second and third lines in relation to ‘SOX-lite’ compliance.

Scope of new requirements and Public Interest Entities

There is an ongoing debate around which companies should be defined as ‘Public Interest Entities’ (PIEs). Linked to this, there is debate around the potential scope of any ‘SOX-lite’ requirements to strengthen the internal controls related to financial reporting, notably around which organisations should be included within the scope and which should not. We believe that the proposals for a strengthened internal control framework should eventually apply to all companies deemed to be public interest entities under the proposed broader definition.

We support widening the definition of a PIE, which at present, for the most part, only includes companies that are listed on the main London Stock Exchange. This would help to ensure that more organisations and companies of public interest would be included within the scope of more stringent corporate governance regulations.

In the white paper, one of the government’s proposals is that a company be considered a PIE (and within scope) if:

(a) it has more than 2000 employees

(b) it has:

  • a turnover of more than £200 million, and
  • a balance sheet total of more than £2 billion.

We believe that expanding the definition of a PIE in this way would be proportionate, and also consistent with the definition used for the Companies Reporting Regulations of 2018 (which led to the creation of the Wates Principles for Large Private Companies).

The Government also intends that a new definition of a PIE includes companies on the exchange-regulated AIM market, with market capitalisations above €200m. This too would offer a positive and proportionate step to reasonably increase the number of companies that would potentially fall within the SOX-style framework.

Background to the Sarbanes-Oxley Act and key components

The SOX legislation on internal controls became law in the US in 2002, in the wake of the Enron and WorldCom corporate collapses, with the aim of better protecting investors from fraudulent financial reporting.

The legislation has notably made mandatory the publication of annual, public and explicit reports by CEOs and CFOs on the effectiveness of internal controls over financial reporting. What is more, the legislation requires the senior officers (CEO or CFO) who sign the company’s accounts to certify that the accounts do not contain misrepresentations or untrue statements.

More specifically, section 404 of the legislation states that “all annual financial reports must include an Internal Control Report stating that management is responsible for an ‘adequate’ internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.”

Lessons to learn from the Sarbanes-Oxley Act

The SOX Act was originally criticised, mainly because of the additional cost it imposed on companies, particularly within the earlier stages when companies first had to implement and understand the new requirements. Another concern was not with the legislation itself, but with the lack of guidance issued to companies to help them comply.

Although not without its critics, now, 19 years after its inception, the Act is widely acknowledged to have improved the reporting of control effectiveness. In 2009, the IIA Research Foundation carried out research into section 404 of the SOX legislation which suggested that “the Sarbanes-Oxley Section 404 compliance process helped most organisations and that better controls lead to more successful businesses.”

There are indeed fewer significant accounting restatements and a greater focus on clarity about the robustness of internal financial controls within an entity. Evidence from Audit Analytics shows, since the introduction of SOX, a reduction in the number of reissuance statements from accelerated filers in the US, from 460 in 2005 to just 29 in 2017.

Furthermore, in public discourse and academia, SOX is often credited with resulting in better reporting of financial controls, despite some of the criticisms levelled against it.

Implementation of ‘SOX-lite’

The responsibility for ‘SOX-lite’ should sit with management. This is because the responsibility for managing risk remains a part of first line roles and within the scope of management, as shown in the IIA’s revised Three Lines Model. We would like the audit regulator to recognise and articulate that it is management’s responsibility to ensure that the internal controls are in place to mitigate risks.

If ‘SOX-lite’ is implemented in the UK, it has been mooted by some stakeholders that it will be left up to the companies themselves to decide which teams should have responsibility for a strengthened internal control framework related to financial reporting. However, we believe this could lead to inconsistency across organisations, which would then affect any reliance placed on internal audit or indeed on organisational integrated reporting requirements.

Learning the lessons from the introduction of SOX in the USA, we instead advocate that the audit regulator should establish clear responsibilities for the implementation of, and adherence to, a strengthened internal controls framework by publishing supporting implementation guidance that includes comprehensive principles and best practice.

Second line roles provide support with managing risks. Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles. Second line roles can focus on specific objectives of risk management, such as: compliance with laws, regulations, and acceptable ethical behaviour; internal control; information and technology security; sustainability; and quality assurance. It may be that using the new Three Lines Model, responsibility for SOX may be deemed to be a specialism and therefore appropriately sits in the second line.

We have previously commented on the potential risk of unintended policy consequences that could arise if internal audit were involved in doing the “heavy-lifting” with any new measures around strengthened internal controls regarding financial reporting. Diverting internal audit resources away from auditing key business risks such as cyber security, climate change, supply chains, HR, business resilience or corporate culture could certainly reduce the effectiveness of internal audit at assessing business-critical risks. This issue was reflected in interviews with company directors who expressed concern that a compliance focus comes at the cost of appropriate risk management.

These are legitimate concerns that warn of the negative unintended consequences that would arise if internal audit functions were to devote disproportionately more time and resources to implementing new SOX-style measures rather than to risk-based auditing.

The case for ‘SOX-lite’ being applied more broadly to non-financial controls on a phased/incremental basis

In his final report, Brydon said that it might be a step too far to extend his proposed UK Internal Controls Framework to non-financial controls, as this would create a lot more work for organisations.

We recognise that a strengthened internal controls framework must in the first instance mean reinforcing financial controls. However, a good and strong control environment needs to cover the whole organisation, including financial controls but also other key controls such as cyber security, supply chains, and crisis management.

We therefore believe that the scope of ‘SOX-lite’ should, over time, go beyond financial controls, and that this should be rolled out on a phased and incremental basis. In order to make it easier for companies to implement the new regulation, we propose that they first focus on financial controls, but the audit regulator should make it clear that it expects organisations to expand compliance with the new regulation into other key control areas where risks should be mitigated to the lowest acceptable level. One such area might be the proposed external climate reporting requirements to be made mandatory in the UK by 2025. GDPR and information security controls might be other appropriate areas for consideration.

A gradual rolling-out of SOX-style requirements makes sense, as control frameworks are particularly interdependent. For example, in areas such as IT security and financial technology, there are very significant interdependencies with the financial controls. It is becoming ever harder to separate financial controls from non-financial controls.

However, the introduction of ‘SOX-lite’ beyond financial controls should be done on a phased and incremental basis, with a clearly stated implementation timeline and with its effectiveness monitored and reviewed periodically.

We recognise that this may present an increased financial burden on organisations. However, we think that this could be managed by putting in place the correct framework. If there is already a strong risk management framework with a risk committee – the members of whom are non-executive directors – perhaps created on similar lines to an audit committee (this is already in place in the financial services sector), then it should be possible to overlay SOX on the risk framework already in place and allow members of the risk team and internal audit to focus on business-critical risks and the key controls that mitigate them.

The UK Corporate Governance Code and internal controls

As well as SOX-style requirements around strengthened reporting of financial controls, we would also like to see the strengthening of the UK Corporate Governance Code as an additional (yet closely related) measure. This would also act to increase the effectiveness of governance, risk management and internal controls and help raise corporate governance standards.

Though we fully support the UK Corporate Governance Code, we would like to see it strengthened in relation to the provision and role of internal audit. Specifically, we advocate strengthening the wording around internal audit to state that companies within the scope of the UK Corporate Governance Code should have an internal audit function that operates in accordance with the recommendations of the Chartered IIA’s Internal Audit Code of Practice and the International Professional Practices Framework (IPPF).

The UK Corporate Governance Code already places many important requirements on boards to carry out a range of assessments and reviews of risks and internal control systems generally. Sections 4.25 and 4.26 make specific requirements of the audit committee in relation to internal audit. In addition, section 4.27 requires directors to state that the annual report is fair and balanced.

Strengthening the wording around internal audit would be a welcome way to align these requirements and shore up ‘SOX-lite’.

Unintended policy consequences of SOX – a summary

Whilst the Chartered IIA supports the introduction of a version of the ‘SOX-lite’ system as envisaged by Brydon and outlined in the white paper, we have suggested that, depending on how such a regime is implemented, it could lead to unintended policy consequences.

  • Tick-box culture

From discussions with stakeholders and professionals, notably in the US, it transpired that compliance may encourage a tick-box approach with regards to internal controls rather than seeking to innovate or improve practices. This is something that must be avoided.

  • Internal audit resources diverted away from key risks beyond financial controls

Internal audit functions have a broader scope in providing assurance than external audit functions. Internal audit considers risks that are both financial and operational, whereas external audit focuses solely on financial reporting. Therefore, it is important that internal audit functions’ resources are not diverted away from looking at the business’s critical risks, as this is, arguably, where they can add most value to the organisations they serve. This also informs our recommendation that compliance with ‘SOX-lite’ should sit with management and not internal audit.

  • Compliance could place an administrative and financial burden disproportionately on smaller companies

The additional cost that the SOX Act imposed on companies was one of the main criticisms of the new legislation when it came into force in the US. This is why Kingman, in his review, pointed out that if ‘SOX-lite’ were introduced it could “impose significant costs, at least initially, particularly on smaller listed companies. The US experience shows that smaller companies were affected disproportionately, and listing could become less attractive.”

However, as Kingman stated, if a SOX system were “introduced carefully and monitored to avoid these unintended consequences, it could contribute to a more robust financial reporting system.”


Appendix

The Sarbanes-Oxley Act 2002

UK Corporate Governance Code (2018)

Report of the Independent Review into the Quality and Effectiveness of Audit, Sir Donald Brydon, December 2019

Independent Review of the Financial Reporting Council, Sir John Kingman, December 2018

Chartered IIA’s response to the Independent Review into the Quality and Effectiveness of Audit: call for views, June 2019

Chartered IIA’s response to the BEIS Future of Audit Inquiry, January 2019

Chartered IIA’s Internal Audit Code of Practice, January 2020