UK SOx 2024: Compliance & Internal Audit Controls

Written by Paul Roiter - Co-Founder and CEO | Dec 22, 2023 9:06:33 AM

“UK SOx” has been one of the 2023 buzzwords for most finance departments in the UK. But what exactly is UK SOx and, more importantly, what is needed to ensure your business is compliant by January 1st 2025?

After speaking to a broad range of our customers at our 2023 UK Customer Day, we learned that there’s still much uncertainty around the topic of UK SOx, which is understandable considering the requirements are not fully locked down yet. 

So, let's get started on the topic of UK SOx and how Xelix can help you. 

What is UK SOx? 

The United Kingdom has introduced a new corporate governance regime known as UK SOx, mirroring the US Sarbanes-Oxley (SOx) regulations.

SOx is a federal law that has been in effect in the US for more than two decades. It mandates that public companies establish internal controls for the processes and systems that impact financial reporting, with the aim of protecting market value and shareholders from fraudulent activity such as the Enron scandal in 2001.

The main objective of SOx regulations is to ensure that all financial information and reporting is accurate and reliable while fostering investor trust, especially in the wake of high-profile financial fraud cases and scandals. 

What is the difference between standard internal controls and SOx controls? 

Many people find it challenging to grasp the concept of SOx controls. This confusion primarily stems from the difficulty of distinguishing between SOx controls and standard internal controls.

Put simply, SOx compliance refers to internal controls that are specifically tied to SOx. 

But what exactly does that mean? 

The SOx legislation has a well-defined scope that includes controls aimed at ensuring all financial information is accurate, transparent and trustworthy. To determine if a control is relevant for SOx, you can consider two key questions:

  1. Does the control relate to, or input into, financial information used for financial reporting? 
  2. Does the control affect any systems or processes that feed into financial reporting analysis? 

If the answer to either of these questions is yes, a business may want to include that control in scope for SOx testing.

Who is responsible for UK SOx? 

SOx compliance is typically handled by either management, internal auditors or both, as well as by external auditors from a public accounting firm.

The objective of SOx testing is to confirm that controls are designed appropriately and are working as intended, and to determine whether there are any gaps in the internal control process that could lead to a misstatement in a company's financial statements.

What will change with UK SOx? 

One of the biggest changes will be the introduction of the Audit, Reporting and Governance Authority (ARGA), replacing the Financial Reporting Council (FRC), which will be a big shift in the corporate governance landscape. Directors will then face enhanced audit reporting obligations and will be forced to invest both time and resources to guarantee full compliance.

There will also be new requirements for public disclosures by the directors of a company, such as the Director's Responsibility statement, the Statement on Fraud, the Resilience statement and the Audit and Assurance Policy (AAP).

Which businesses are affected by UK SOx? 

Private businesses with both more than 750 employees and annual revenue in excess of £750m will face higher compliance requirements, even if they aren't listed companies.

That means that not only publicly traded businesses fall under the UK SOx legislation: larger private companies will also become public interest entities (PIEs) and will most likely face more scrutiny from the new regulator, ARGA.

“Large businesses will have to be more transparent about their profits and losses – not dishing out dividends while on the brink of collapse,” the government notes. Auditors should also know that these businesses will have to increase transparency “about what they have done to prevent fraud, which company metrics have been independently checked and about the risks their company faces”.

Is UK SOx the same as US SOx? 

US SOx applies to all publicly traded companies in the US, so all companies on the stock exchange have to be SOx compliant. Also, any foreign companies that wish to do business in the US fall under the legislation. 

The UK SOx regime is similar to the US SOx regime, but there are some significant differences and it's important to note that the two laws are not interchangeable. Both aim to enhance financial reporting, internal controls and corporate governance.

Reuters reports that the reason for that mismatch is that “UK companies pushed back against enshrining in law a version of mandatory U.S. Sarbanes-Oxley rules, which forces U.S. directors to personally attest to the adequacy of internal controls and face prison for breaches”, meaning that, under the US regime, directors are held personally accountable for any misreporting.

While UK SOx might not go as far as the corporate governance regime in the US, UK directors at FTSE-listed companies will, as part of the Corporate Governance Code, still need to confirm that their internal controls are effective, and they could face monetary penalties in some instances.

UK SOx has its own unique requirements that are tailored to the UK market. It is based on the UK Corporate Governance Code and the Financial Reporting Council's guidance. UK SOx focuses on internal control effectiveness, risk management and the roles of directors and the audit committee. While there are some similarities, it is crucial to understand the specific regulations and compliance obligations of each country's SOx framework.

UK SOx compliance plays a vital role in the finance and funding ecosystem, ensuring integrity and transparency. By implementing robust internal controls, it improves investor confidence, safeguards against fraud and promotes accurate financial reporting.

How Xelix can help prepare for UK SOx

The good news is that meeting SOx requirements doesn't have to be overly complicated.

Even if the regulations haven't been fully locked down yet, there are some practical steps your business should already be taking to make sure all internal controls are SOx compliant by 2025.

Xelix is an Accounts Payable control centre, designed to safeguard against Accounts Payable risks such as overpayment or fraudulent activity. That makes it a sophisticated layer of protection to meet UK SOx controls, enhance internal auditing and boost corporate governance.

  • Transactions module: Surfaces a wide range of risks including duplicates, overpayments, incorrect payments, fraudulent activity and more, in near real-time.
  • Statements module: Fully automates your supplier statement reconciliation process to ensure accurate ERP data, accurate vendor balances and an overall streamlined audit process.
  • Vendors module: Manages your master vendor data in one secure place. Xelix can alert you to missing data or potential threats like bank account changes, ensuring your vendor data is up to date, complete and risk-free.
  • Helpdesk module: Spots email phishing and scam attempts to safeguard your business from fraud attacks.

By tracking user activity, the whole platform leaves a full audit trail for review. If you want to see all that in action, please feel free to book a personalised demo with us.