Let's Talk About SOX
Should the Sarbanes-Oxley regime be adopted in the UK?
Interview with Tom Kloet, Board Director and chair of the audit committee at Nasdaq, by Sonia Sharma, Editor of Governance and Compliance
Sir John Kingman, in his Independent Review of the Financial Reporting Council included as one of his recommendations that the Government should “give serious consideration to the case for a strengthened framework around internal controls in the UK, learning any relevant lessons from operation of the Sarbanes-Oxley (SOX) regime in the US. The pros and cons of such a change should be analysed and consulted upon, giving special consideration to the importance of proportionality in relation to the size of company”.
This approach was supported by the Parliamentary Business, Energy and Industrial Strategy Committee in its report on The Future of Audit, which concluded that “If adapted to the UK regulatory system, a UK equivalent could make a significant contribution to improving the reliability of financial reporting”.
On 11th March, the Department for Business, Energy and Industrial Strategy published an “initial consultation” on Sir John’s recommendations which ‘welcomed’ this particular recommendation but described it as “a detailed and complicated issue”. The Government “will explore options in this area and bring forward a detailed consultation in due course”.
It seems to me that ‘detailed and complicated’ doesn’t begin to cover it. For those UK companies who have to comply with the SOX reporting regime, all who responded to a survey that we undertook in May 2019 reported that compliance is either complex or very complex, with a two to one majority in favour of the latter. In Sir John’s report, he noted that the introduction of a scheme “more closely similar to, though not the same as, the Sarbanes-Oxley regime in the US specifically relating to internal controls, and assurance by directors around internal controls” had been suggested by a number of respondents to his call for evidence, on the basis that, by placing more responsibility on CEOs and CFOs, this will improve the overall reliability of the reporting system. That begs a number of questions – the degree to which the SOX regime in the US has been successful and, even if so, whether it would work in the same way in a market that is so different in terms of law, regulation and ownership structure; whether the cost is disproportionate to the benefit; and, perhaps more fundamentally, whether there really is a problem?
We are working with Nasdaq Governance Solutions, who have considerable expertise on the implementation of SOX requirements by US companies, on a new piece of research – of which this article is the first output – to explore whether a similar solution to the Sarbanes-Oxley regime is an appropriate solution for the UK market and, if so, how can it be made to work?
As part of our research, we interviewed Tom Kloet, Board Director and Chair of the Audit Committee at Nasdaq, who was formerly the CEO of the Singapore Exchange and the first CEO and Executive Director of TMX Group Limited, the holding company of the Toronto Stock Exchange. Kloet is very used to the Sarbanes-Oxley reporting regime and believes that it has improved the overall control environment within organisations: “There are several factors that I think are important that are outcomes from Sarbanes-Oxley. First, audit committees are made up of completely independent board members, which is a strong attribute. Also, the CEO and CFO sign off on the internal control environment, which has heightened the importance of that in the C-suite. Additionally, PCAOB [the US Public Company Accounting Oversight Board] – which is the oversight regulator of the public accounting industry – was an outcome of Sarbanes-Oxley as well and that has added robustness to the industry in terms of the way that audits are subject to review by a regulator. Overall, the structure that public companies have put into place – in our case a number of sign-offs by managers over control functions – represent that they have exercised control. One of the key things the audit committee wants to hear is that the reporting regime that’s in place is operating as expected, so overall it has had material benefits”.
Sir John Kingman was “particularly struck by the extent of support for these provisions amongst senior audit committee chairs with experience of operating this regime in US-listed companies [including a] number of members of the Review’s own advisory group ...
The arrangements are seen as having led to better financial reporting, fewer significant accounting restatements and stronger reassurances for audit committee members about the robustness of internal controls. The provisions also underline clearly that the primary responsibility for internal financial controls and the accuracy of financial reporting rests with the board and management of a company”.
This is certainly a concern for a number of company secretaries to whom we have spoken. The UK regulatory model of ‘apply and explain’ for Principles and ‘comply or explain’ for Provisions is very different from the rules-based system to which US companies are subject. Some argue that the requirement to ‘apply’ Principles is a more robust approach than ‘rules’ as it requires broader application of both the letter and the spirit, not just compliance with a rule in a ‘tick box’ fashion. As two of our survey respondents commented, “I am all in favour of accountability and strengthened controls in listed companies but would prefer a broad framework approach rather than a highly prescriptive regime, like SOX” and “whilst a UK internal controls regime will undoubtedly strengthen control environments for UK corporates on a market basis, it will also lead to standardisation of controls, introduce standards that are inappropriate or inefficient for many UK businesses, and reduce scope for directors to apply their judgement to the circumstances. It is therefore less consistent with an overarching comply or explain approach to governance and compliance”.
Tom Kloet was clear that cost can be an issue. “There are aspects which have made it more expensive and can impact the decision of the company to go public or stay private”. Sir John Kingman agreed that “Introducing SOX-style provisions would clearly be a very major step. It could impose significant costs, at least initially, particularly on smaller listed companies. The US experience shows that smaller companies are affected disproportionately and listing could become less attractive”. However, “ongoing, recurring costs...are said to be lower. So too are the costs of auditing automated and centralised systems which, in itself, provides an incentive to improve controls”. Kloet agrees: “I think one would have to say that the outcome of Sarbanes-Oxley has been a better control environment. The ‘one-size-fits-all’ method is something that might need to be revisited over time, but I think the regime is widely viewed now – 17 years later – as just an element of being a public company”. Our survey respondents also had concerns about cost, as one put it: “It will be costly to implement and require additional resource. Having worked previously for a company caught by SOX requirements, it will be a shock to UK companies.
The benefit of the system is a more regimented internal controls process. However, it will not necessarily make the reporting more robust”.
There is clearly a perception of one, but we must put some context around this discussion. The background to the Kingman review was one of concern that the Financial Reporting Council was not a sufficiently robust regulator to deal with issues of perceived accounting or auditing failure and that, by extension, company reporting needs to be more effective in identifying risks of potential corporate failure. This was not a view widely shared by our survey respondents. More than three-quarters of them believed that the level of internal control is sufficient in their company and 82% believed both that their directors and senior managers already take responsibility for their company’s internal controls and that they have the necessary information to do so. More than 70% believed that the introduction of a UK internal controls regime similar to SOX would not improve their company’s internal controls mechanism.
We asked Tom Kloet, with his deep experience of the SOX regime, whether it made him feel more responsible for the effectiveness of his company’s internal controls but, like our survey respondents, this wasn’t the case: “I would have felt responsible for it to begin with. Having Sarbanes-Oxley out there does not change my view as an audit committee chairman of what my responsibilities are. We work for the shareholders and stakeholders of the company and I like to think we would undertake our responsibilities whether Sarbanes-Oxley was out there or not because it’s good corporate governance and the right thing to do. What I think it has resulted in is a more universally adopted set of processes and controls by which companies and management display their compliance with those good governance principles”.
Kloet went on to say that he believes that he has the necessary information to accept his responsibility for the effectiveness of the company’s internal controls, but that “I wouldn’t say that is solely because of Sarbanes-Oxley, but rather the corporate culture of the company of which I have the privilege of being on the board. Nasdaq is a company that prides itself on outstanding corporate governance and I think we would have had the tools anyway. But, yes, we now have the appropriate structure to adjudicate those responsibilities very well”. So there are arguments both ways. Perhaps, as one of our survey respondents suggested, the answer is that “more prescriptive guidance for Audit or Risk Committees drawing on the strengths of Sarbanes Oxley may provide more flexibility in the UK and better integrate the two models”. We will look at this issue further in a future article.