We need to talk about SOX

Wednesday 08, April 2020

The Chartered Governance Institute UK & Ireland and Nasdaq Governance Solutions arranged a roundtable to discuss the possible implications of a UK equivalent to SOX reporting for UK companies.

Back in 2002, when the Sarbanes-Oxley Act (SOX) was introduced in the United States it was widely perceived in the UK as a US over-reaction to a number of major corporate and accounting scandals, including those affecting Enron and WorldCom. Many of the relatively few UK companies to whom it applied complained of the onerous nature of the legislation, the cost of the armies of additional accountants and auditors to whom it gave employment and the over-enthusiasm of the consultancies which sprang up to review internal control processes. UK supporters of SOX spoke of the importance of senior management accountability for financial information with the penalties for fraudulent financial activity being much more severe. They argued, with some justification, that SOX compliance costs spoke more to the lack of confidence that senior management were willing to place in their existing processes by which the accuracy of corporate financial statements was assured. SOX should therefore be seen as a response to this, rather than an unnecessary compliance cost.

In the UK, the Turnbull guidance – more properly Internal Control: Guidance for Directors on the Combined Code – a report drawn up with the London Stock Exchange for listed companies in 1999, was widely felt to be sufficient. This guidance was revised in 2005 and superseded by the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting published in September 2014.

In the light of a succession of audit and accounting related issues in the UK in recent years – for example at BHS, Carillion, Patisserie Valerie and Tesco to name but four – there has been renewed pressure for the UK to explore the benefits of a strengthened internal controls framework, with both Sir John Kingman in his Independent review of the Financial Reporting Council and Sir Donald Brydon in his Independent Review into the quality and effectiveness of audit recommending that the UK government should give this “serious consideration”.

In March this year, before the Coronavirus pandemic brought all such gatherings to a sudden halt, the Chartered Governance Institute worked with Nasdaq Governance Solutions to convene a group of company secretaries to discuss, with colleagues from the Financial Reporting Council and from the Department for Business, Energy and Industrial Strategy, what the implications might be for UK companies were a UK version of SOX reporting to be introduced and to feed in company views as to the degree to which such reporting should be developed to make it more appropriate for the UK market.

Chairing the roundtable, Peter Swabey, Policy and Research Director at the Institute, began proceedings by asking attendees whether they thought that the current level of internal controls was sufficient for their company.

Are your internal controls sufficient?

Generally, the answer to that question was ‘yes’, although there is clear tension between control and entrepreneurship and nuances of view between companies in different sectors. For example, companies in the financial services sector argued that the Financial Conduct Authority’s Senior Managers and Certification Regime (SMCR) means that they are already subject to a regime that equates to SOX in all but name. Conversely, for many companies there is a significant advantage to proportionate regulation and it would not be helpful if companies were to feel that a UK listing carried with it an excessive regulatory burden. There is some evidence that this was the US experience. A study from Wharton Business School demonstrated that in the year after SOX was passed, the number of American companies deregistering from public stock exchanges nearly tripled and a study from Stanford University and Harvard Business School found that the likelihood of smaller businesses listing in the US rather than on AIM decreased, adding that “The negative effect among small firms is consistent with these marginal companies being less able to absorb the incremental costs associated with SOX compliance”.

Our roundtable participants were unsurprised. Bigger companies tend to face greater public pressure and so are likely to have tight controls in place, while smaller companies want entrepreneurship, which often entails risk-taking. Getting the balance right on controls is hard and for all companies culture is critical as it is very often the human factor – and human error – which leads to issues. Controls tend to work more effectively in areas where human intervention can be minimised. External auditors play a critical role here by creating an extra layer of external challenge.

Do your directors or senior managers take responsibility for the effectiveness of your company’s internal controls?

Of course much depends on two things – the company and the people involved. Many companies may feel that they are doing the right thing, but have not formalised their approach to reporting and testing, especially around the taking of responsibility. In some cases, even where controls are working well, there is a need for improvement in what has been described as “rogatory governance” – that is processes supported by evidence. It is all too easy for companies to rely on individuals’ good behaviour.

And that brings us to the issue of the people. In many companies, but especially in those with international interests, there will be different levels of individual readiness. It takes time to bring everyone up to the right level, and as management preparedness varies so will the level of SOX testing necessary.

A further challenge with SOX is the degree to which it can or does apply to non-financial metrics. These are increasingly important to UK companies, and yet there is relatively little about non-financial compliance which appears on a Form 20-F, whether it be compliance with operating norms or even with health and safety regulations. One of the interesting features of Sir Donald Brydon's review is the way in which it begins to talk about expanding audit to sustainability and beyond, not just financial reporting. If a UK version of SOX were to extend into these areas, that would create a much greater infrastructure for companies to set up.

Jeremy Small, Company Secretary of AXA UK, commented that “Control starts with culture. We have a set of global standards and each year all local CEOs are required to attest that their businesses comply. There is always a danger of a ‘false green’ but our approach reduces the chances and ensures a focus on what matters”.

And do they have sufficient information to do so?

In December 2017, the Chartered Governance Institute published a report on Challenges to Effective Board Reporting which identified that the company secretaries of 80% of organisations with an annual turnover of over £100 million believe that their board packs are too long.

Our roundtable participants felt this is a common problem. Many of them have done a huge amount of work on improving the information flow to the board, but there is still information overload, with a huge reliance on executives to filter appropriately. The board will, in many cases, get specialist coaching on appointment, to help drive the necessary testing. One example is regular meetings between the CFOs of major subsidiaries and the audit committee chair, at which the CFO tells the audit chair about the things which keep them awake at night.

So what are the issues with SOX compliance? Are there significant costs?

A number of the companies at our roundtable have US listings and therefore already comply with the SOX regime. For them, it was generally hard to say what the costs are. SOX is now all so much part of the process that it would be very hard to disentangle, although the costs are certainly significantly higher in establishing the process than in maintaining it once it is up and running. And of course a US delisting would not remove these costs in their entirety as many of the processes would be retained.

Is SOX of any value without external assurance? Who benefits?

The answer to this question, of course, depends on the board and the degree to which they – especially the CEO and CFO – are prepared to rely on management. Many of the costs associated with the controls that we so often refer to as SOX compliance relate to the assurance that the board requires given the potential criminal liabilities. As one company secretary commented, “If you don’t have external assurance, the board will say ‘get me some assurance from somewhere’”.

For a regulated business, assurance will be completely integrated into the process and in some cases it is probably fair to say that the NEDs are a driving force. Under SMCR, NEDs have a slightly conflicted role, part policeman and part mentor, and so they will feel just as exposed as the CEO and CFO. It could be argued that asking individual executive directors to sign off a SOX report does not sit well with the concept of a unitary board, but again financial services companies already see this developing through SMCR.

Of course, this is one of the key differences between corporate governance structures in the UK and in the US, where power rests very much with the CEO, who is often also the chair. It is therefore easy to see that they are responsible – and accountable – for what goes on in the company. SOX therefore recognises that accountability. The UK has taken some steps along that path with SMCR, but the unitary board is a key concept which will significantly affect the way in which any UK version of SOX could operate.

Proportionality is Key

The UK is not starting from zero when it comes to internal controls. The Turnbull guidance and its successors are well-established and we are starting from a much better position than the US was in 2002. If the UK is to develop its own form of SOX, it will need to be very different.

In terms of scope, one thing that companies will not want to face is two different, potentially conflicting regimes against which to report. But there are only 24 companies in the FTSE 350 which are dual-listed and most of those are in the FTSE 100. It might be the case that companies which already comply with US SOX could be treated as compliant with UK SOX. Interestingly, although SOX compliance was perceived to be expensive, all those companies represented at our roundtable which have had to comply with it were felt likely to retain it – there is clearly a perceived benefit beyond the cost of compliance.

There is a clear case for minimum standards across the board although the government should probably think in terms of the size and societal impact of the organisation rather than in what index it appears or its corporate structure. The Brydon report suggests attestation by the CEO and CFO and, if implemented through a broader ‘comply or explain’ style regime, this could allow a lighter-touch regime for smaller organisations.

Audit and Assurance Policy

Another recommendation from the Brydon review was the introduction of a published audit and assurance policy creating an opportunity for engagement with investors. Some investors would argue that there are company circumstances in which they should be able to insist on higher levels of compliance, but it must be acknowledged that investors only meet the company infrequently and are unlikely to be as well-placed as management to assess such a policy. Experience from a number of the company secretaries at our roundtable was that investors are, in most cases, far less interested in audit than in remuneration or, to a lesser extent, ESG issues. Audit is often seen as a hygiene factor until things go wrong.

All in all, this was a very interesting discussion of a topic of which we will no doubt hear more in the coming months and we are grateful to the Financial Reporting Council for hosting the roundtable.

A Sarbanes-Oxley regime in the UK may help to prevent reporting failures, but will it prevent corporate failures such as those in the UK mentioned above? If not, then is it worth the cost of implementation? For example, would a SOX-style regime of internal controls have prevented BHS or Carillion? Or were there other issues which would have led to these companies failing? It is an open question whether SOX controls will make a difference.
