The Why, When, Who, What, Where and How of the BEIS Consultation
In my career to date, following two acquisitions by SEC-regulated American companies, I put in place SOX programmes from scratch in UK subsidiaries. Recently I headed up the UK SOX function of a NASDAQ-listed insurer, which is where I came across Decision Focus and ultimately joined the team here as Governance, Risk and Compliance (GRC) Implementation Specialist.
Following the March 2021 Department for Business, Energy & Industrial Strategy (BEIS) white paper, Restoring trust in audit and corporate governance, UK legislation is still taking shape, but there is no denying that what some practitioners are calling “UK SOX” is coming fast down the track.
With our unequalled expertise in risks, controls and audit, our subject-matter experts here at Decision Focus have the domain knowledge and the award-winning platform to prepare you for the new regime, according to your specific Audit, Risk and Finance methodology.
WHY: The Case for Reform
Following the failure of Carillion, BHS and Patisserie Valerie, to name a few, the UK audit profession has been crying out for reforms to widen Directors’ responsibilities, in order to prevent future corporate collapses.
The publication of the FRC review by Sir John Kingman in 2018 and the 2019 Brydon Report on the quality and effectiveness of audit culminated in the BEIS white paper, published in March 2021.
Under the current BEIS legislative proposals, the accountability of directors would broaden to cover internal controls over financial reporting (ICFR) and other non-financial information including Environmental, Social, and Governance (ESG) and supplier payment practices.
There will be a new body replacing the Financial Reporting Council (FRC): the Audit, Reporting, and Governance Authority (ARGA), which will continue to execute audit quality reviews as the FRC does currently, but it is expected to have a broader remit, including regulation of the audit profession. In particular, ARGA may have to power to direct changes to a company’s annual accounts without a court order, and to require an expert review where it has significant concerns about a company’s reporting and auditing.
WHEN: Timeline for Implementation
Given the timeframes for new UK legislation to be drafted and approved, this law is unlikely to come to fruition until towards the end of 2023, with December 2024 likely to be the earliest date of attestation.
From my experience of implementing risk and control frameworks from the ground up on two separate occasions, it’s a well-worn path that can take at least 18-24 months to prepare the ground for; possibly longer if you want to have a dry run year to avoid a plethora of deficiencies in your first official compliance year. Therefore the time is now for both the business and your assurance functions to get off the starting line.
WHO: The Scope of the Legislation
The BEIS code will probably apply to premium listed UK companies in the first instance, then be extended to all public interest entities (PIEs) after two years. The BEIS white paper seeks to expand the definition of PIEs to large privately owned companies and AIM listed businesses.
That said, small-to-medium-sized companies may see this as a gold standard and adopt the methodology, even if at least partially, as best practice. External auditors, Boards, Audit Committees and Risk Committees that I have sat on, even in smaller organisations, have certainly kept a watchful eye on the internal control environment, with particular focus on financial controls and data quality.
Even if you are not a listed company or a PIE, you should see this as an opportunity to edge ahead of your competitors as having the most credible financials and internal control environment – assets which are oft as prized as profit in the eyes of customers and investors alike.
WHAT: The Implications for Your Organisation
Although the UK regime is expected to be lighter touch than the US SOX equivalent, it is anticipated that the Directors of in-scope organisations will have increased accountability for having in place robust controls, control self-assessments, and quarterly certifications – with testing carried out by the second and third lines of defence.
Directors will likely make an explicit statement (which may be subject to examination by the external auditor) about the effectiveness of ICFR, set out the benchmark system used to make the assessment, and detail how assurance over the statement is to be provided.
The Government intends to adopt Sir Donald Brydon’s recommendation that PIEs produce an annual Resilience Statement, which will build on existing going concern and viability statements. It is also expected that PIEs will produce an Audit and Assurance Policy (AAP), which will be the method by which the level of required assurance over ICFR is determined.
Based on the US SOX and audit implementations that we at Decision Focus have accomplished, it is envisaged that a requirement for advanced technology will be inevitable, with a particular need to streamline and workflow audit deliverables in one connected hub.
And this is where Decision Focus comes in. I have truly felt the pain of running a SOX function on innumerable disparate spreadsheets, documents and e-mails. As one of Decision Focus’ clients in a previous role, I saw the benefit of having a fully integrated assurance platform, with risks, controls, audits, findings and actions linked in one streamlined repository.
WHERE: The Assurance Functions and Beyond
A lot of companies I’ve worked for see ICFR – and control activity in general – as a second- or third-line activity falling within the remit of Risk, Compliance or Internal Audit functions. However, it goes without saying that controls must be owned by the first line business functions. Instilling this philosophy is paramount to successfully building a sturdy ICFR framework
Your organisation should seize this opportunity to perform a drains-up of your existing risks and controls across your whole business. There is no time like the present to delve in and assess the design and operating effectiveness of your controls, and to close any control gaps.
Beyond day-to-day operations, under the BEIS reforms as they currently stand, companies should prepare for significant challenge from the Board, the Audit Committee and even shareholders on the strength on internal controls, and the assurance imparted thereon. I have increasingly seen financial and other controls go under the microscope in over the 17 years I have been working in risk, audit and finance roles, and this legislation will only intensify such scrutiny in this ever-shifting landscape.
HOW: The Decision Focus Integrated Assurance Solution
Decision Focus offers a fully customisable end-to-end GRC solution that will equip you for the BEIS legislation and US SOX. Having embarked on a GRC implementation journey while working at a client of Decision Focus, I was so passionate about their integrated assurance solution that I stepped across to join the team here.
All audit planning, testing, deficiency and reporting data is captured in one repository and connected with risk and control data, to effect a speedy, cost-effective implementation on a no-code platform. Click here to arrange for a free no-commitment demo.
- Link to Audit and Assurance Policy (AAP) standards with clearly assigned responsibilities
- Prioritised controls scoping relative to risks, financial statement line items, processes and systems
- Quarterly planning and testing of financial controls with embedded sampling and risk-based methodology for all relevant roles, from tester to control owner
- Integrated progress tracking of audit evidence, controls tested, and reviews, with separate test points for IT general controls, IT dependencies and management reviews
- Deficiency reporting documenting root cause analysis, findings and remediation plans, with interactive action tracking
- Inform decision-making with intuitive dashboards and powerful reports
- Automated generation of certifications, reporting packages and Audit Committee papers