- In light of recent high-profile corporate and accounting scandals, UK regulators are proposing the introduction of a new “SOX-Lite” regime, based on the US Sarbanes-Oxley Act of 2002 (SOX), with the aim of creating greater accountability in corporate financial systems and reporting. The UK is also instituting related reforms intended to improve corporate transparency and accountability.
- Since the introduction of SOX over 20 years ago, its effectiveness has been subject to continued debate, scrutiny and reassessment, which has played a significant role in informing the proposals for a UK approach and partially explains divergences between SOX and the proposed UK SOX-Lite regime.
- The introduction of a UK SOX-Lite regime represents a material regulatory change for certain UK companies that may require significant assistance to navigate and comply with the new regime.
Nearly two decades after the enactment of SOX, which was precipitated by several high-profile corporate and accounting scandals in the US during the late 1990s and early 2000s, UK and European regulators are grappling with a string of notable accounting scandals.
As part of efforts to prevent future corporate scandals and collapses (such as the notorious collapses of Carillion and BHS) and to strengthen audit standards and internal systems and controls, the UK government began a series of consultations in March 2021. Following the completion of these consultations, in May 2023 the UK Financial Reporting Council (FRC) commenced its public consultation on significant amendments to the UK Corporate Governance Code — which consultation closes in September 2023. Also in May 2023, the FRC published the final version of its guidance on audit committees’ roles in external audits, which established a “minimum standard” of responsibility.
In this article, we examine the successes and challenges of implementing SOX Section 404 in the US, which section relates to management’s oversight of internal control over financial reporting, and consider the proposals for a similar framework in the UK. Adopting certain SOX-equivalent provisions in the UK as a tool to combat negligent and sometimes fraudulent financial reporting merits careful consideration in light of SOX’s continued evolution. Lawmakers and practitioners must also consider how the UK’s approach to adopting these new measures can serve an overarching goal to strike an appropriate balance between, on the one hand, protecting investors and on the other, revitalising the UK capital markets and ensuring London’s place as a global listing venue.
Overview of Section 404 of SOX and Implementation of Section 404 in the US
Section 404, which is one of the most litigated and controversial provisions of SOX, requires a US public company’s management to maintain and annually report on the operational effectiveness of the company’s internal control over financial reporting. Furthermore, an auditor must attest to management’s assertions on the effectiveness of such internal controls. Sections 302 and 906 of SOX complement Section 404 by requiring chief executive officers and chief financial officers of public companies to attest personally to the effectiveness of the internal controls and imputing personal liability on these officers for knowingly or wilfully misrepresenting the conditions of such controls and the company’s overall financial status (with accompanying fines of up to $5 million and/or 20 years in prison).1
Section 404 has been criticised for resulting in high expenses related to: (i) allocating significant time and human resources to establishing, implementing and monitoring internal controls; (ii) external consulting and increased technology needs; and (iii) audit fees, especially for smaller companies.2 Furthermore, initial concerns surfaced that such high compliance costs would drive smaller public companies to exit the public market or otherwise deter initial public offering (IPO) activity in the capital markets.3
At the same time, Section 404 has been generally praised for compelling the production of more insightful and accurate accounting information based on effective internal control systems, which is more useful for managerial decision-making, and helping remove from the public markets companies that had inadequate financial reporting systems.
Recent SOX Developments in the US
SOX established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of audit standards and auditors of public companies, effectively acting as a regulator of audit firms. Currently, SOX Sections 105(c)(2) and 105(d)(1)(C) prohibit public hearings of any disciplinary proceedings conducted by the PCAOB against an audit firm or issuer, unless the PCAOB finds a reason to open the proceedings and the auditor or investigated company agrees. The public does not have access to key proceeding details, such as which actions are being sanctioned, the parties that the PCAOB has charged, the issues being litigated or whether the PCAOB prevailed in its actions. Shareholders also do not know whether an issuer’s auditors are facing sanctions from the PCAOB until the end of proceedings, as disciplinary actions are closed until there is a settlement or the US Securities and Exchange Commission has rendered a decision on the PCAOB’s sanctions.4
Legislative efforts to bring more transparency to the PCAOB’s disciplinary proceedings have recently gained momentum. However, audit firms generally continue to oppose such changes, citing concerns about reputational risk during an ongoing investigation in which the outcome or charges remain pending and contested. If adopted in the US, these transparency reforms would substantially shift the enforcement scope of SOX and the PCAOB. As the UK adopts a SOX-Lite regime, lawmakers and regulators will similarly need to consider the scope and “regulatory bite” of the regime’s enforcement mechanism.
Introducing a UK ‘SOX-Lite’ Regime
After many years of consultation by the UK government and the FRC and amid recent corporate and accounting scandals in the UK, an overarching framework, or “SOX-Lite regime”, designed to reinforce and increase board accountability over internal controls is emerging. Unlike the statutory, mandatory approach featured by SOX, the proposed UK SOX-Lite regime encompasses a combination of statutory provisions, regulatory rules, standards, guidance and a voluntary compliance and disclosure regime. The UK is taking this approach in an attempt to strengthen investor confidence in financial reporting, external and internal oversight, and fraud prevention while also keeping the new rules proportionate and not overly burdensome on companies in order to help London remain an attractive listing venue.
Corporate Offence of Failure To Prevent Fraud
The UK Parliament is considering the Economic Crime and Corporate Transparency Bill, which would introduce, among other things, the strict liability offence of failure to prevent fraud. The new offence would make an in-scope organisation5 criminally liable if it failed to prevent fraud by an associate (broadly meaning an employee, contractor, agent or subsidiary) where the fraud was committed with the intention of benefitting (directly or indirectly) the organisation or those to whom it provides services. An organisation can be liable even if it was unaware of the fraud being perpetrated. The new offence can have extraterritorial effect and hold liable foreign-domiciled companies and partnerships with UK operations.
A defence is available where the organisation can prove that, at the time the fraud offence was committed, the organisation either had such prevention procedures as was reasonable in all the circumstances to expect it to have in place, or that expecting the organisation to have such prevention procedures in place was not reasonable in all the circumstances.
In-scope UK and overseas organisations with UK-based operations would need to consider carefully whether they need to establish or strengthen fraud prevention and detection procedures in order to avoid potential prosecution once this offence becomes law. The offence, as currently drafted, does not extend criminal liability to directors or officers of an in-scope organisation.
Any person implicated in the perpetration of a fraud or aiding and abetting such a fraud will continue to be subject to potential criminal prosecution under the offences in the Fraud Act 2006, whether or not the company is prosecuted for the offence of failing to prevent fraud.
PIE Reporting Regulations
The UK government is consulting on new regulations to impose additional reporting obligations on “public interest entities” (PIEs). The definition of a PIE is expected to include companies (both listed and unlisted) and limited liability partnerships with 750 employees or more and an annual turnover of at least £750 million. The regulation would require PIEs to prepare, among other things:
- an annual resilience statement to address matters that the board considers to be a material challenge to the PIE’s financial resilience over the short and medium term;
- a triennial publication to report the audit and assurance policy; and
- an annual statement to report steps taken by directors to prevent and detect material fraud.
In addition, the FRC advises all companies reporting under the UK Corporate Governance Code (the Code), whether or not they are PIEs, to consider producing such an audit and assurance policy on a comply-or-explain basis, using the reporting regulations as a guide for what to include.
- The audit and assurance policy would set out the company’s approach to assuring the quality of the information it reports to shareholders beyond that contained in the financial statements.
- The policy should also explain what independent assurance, if any, the company proposes to seek over its resilience statement (in whole or part) or over the effectiveness of its internal controls framework.
- Companies would complement the triennial publication with an annual implementation report in which the directors (typically through the audit committee) provide a summary update of how the assurance activity outlined in the policy is working in practice.6
It is unclear at this stage when these regulations will take effect or whether transitional arrangements will be designed to allow in-scope entities time to put in place the necessary systems and procedures to comply with these obligations.
Audit Committees and the External Audit: Minimum Standard
In May 2023, the FRC published Audit Committees and the External Audit: Minimum Standard (the Standard), which applies to the audit committees of FTSE 350 companies. Currently, complying with the Standard is voluntary; however, once primary legislation is passed to establish the Audit, Reporting and Governance Authority (ARGA) (replacing the FRC), we anticipate that adopting the Standard will become mandatory. Among other things, the Standard requires audit committees to review the effectiveness of the external audit process and to review and monitor the external auditor’s independence and objectivity.
Revisions to the UK Corporate Governance Code
The FRC is currently consulting on revisions to the Code.7 As part of the proposed UK SOX-Lite regime, Provision 30 of the revised Code would ask the board of each company subject to the Code:
- to declare whether the board can reasonably conclude that the company’s risk management and internal control systems have been effective throughout the reporting period and up to the date of board approval of the annual report;
- to explain the basis for the board’s declaration (including an explanation of how the board has monitored and reviewed the effectiveness of these systems and controls during the period and any other relevant information); and
- to report any material weaknesses identified in these systems and controls during the reporting period and the actions taken by the board to address such material weaknesses.
Ultimately, the board would need to be comfortable that the internal controls framework is sufficiently effective and robust to enable the board to make the annual declaration. In this respect, a key difference between SOX and the proposed UK SOX-Lite regime is that the UK framework would require the directors’ declaration to cover all internal controls (i.e., operational, reporting and compliance), not just those relating to financial reporting.
The FRC also proposes introducing new Provisions 18 and 24 of the Code, relating to diversity and inclusion in the composition of boards. These provisions would ask companies to ensure development of diverse pipelines for succession and to disclose additional information about this succession planning and the effectiveness of the companies’ overall diversity and inclusivity policies in their annual reports.
The role of the audit committee would also be expanded under Provision 26 of the Code to cover monitoring the integrity of narrative reporting, including sustainability matters (especially given the increasing desire among stakeholders for reliable and transparent sustainability reporting). The inclusion of additional ESG-focused oversight responsibilities reflects a different view among UK regulators of the role UK companies should play in ESG matters, in contrast to the divergent approaches taken to the topic in the US.
UK regulators hope that reporting on how the risk management and internal control systems have performed will reinforce directors’ accountability for these systems and strengthen directors’ focus on maintaining the systems’ effectiveness. The new reporting should also give shareholders and other stakeholders a clearer picture of a company’s ability to manage risk and of the board’s ability to address any identified weaknesses, and so contribute in the medium to longer term to enhanced investor confidence and trust in the reporting and resilience of the company.
Regarding timing, the FRC’s intention is that the revised Code will apply to accounting years commencing on or after 1 January 2025 to allow sufficient time for implementation.
Drawing on certain provisions of SOX, the UK is proposing to adopt a patchwork of measures aimed at enhancing board accountability, building trust and confidence in UK public companies, and supporting investment and stewardship decisions by shareholders and other investors in UK businesses. Companies are likely to require additional assistance and advice in navigating and complying with this complex web of statute, regulation and guidance — both in establishing the necessary systems and protocols ahead of these measures taking effect and in monitoring systems’ effectiveness going forward. Companies may even opt to follow a “gold standard” approach to compliance, making these new rules mandatory in practice even if they are only technically applicable on a comply-or-explain basis. Overall, the impact of these proposed rules on investor protection and on internal controls and systems, as well as how UK SOX-Lite fits into broader reforms to UK equity capital markets, remain to be seen.
Knowledge strategy lawyer Sharon Jenman and summer associate Natalia McLaren contributed to this article.
3 RAND Corporation, “Do Benefits of Sarbanes-Oxley Justify the Costs?” (2007); Harvard Law and Economics Discussion Paper No. 758, “SOX After Ten Years: A Multidisciplinary Review” (May 2014), pp. 19-20.
4 Thomson Reuters, “Enforcement Staff Supports Legislation To Make PCAOB Disciplinary Proceedings Public” (15 June 2022).
5 The new offence will apply to body corporates and partnerships (wherever incorporated or formed) that meet at least two of the three following conditions in the financial year that precedes the year of the fraud offence: (i) having more than £36 million turnover; (ii) having more than £18 million in aggregate assets on balance sheet; and (iii) having more than 250 employees.
7 See the UK Corporate Governance Code — Consultation document (May 2023).
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.