By Neil Mathur, Director, Advisory, EY.
After a series of scandals that rocked the global financial markets, the Sarbanes-Oxley Act was signed into law in 2002. Named after co-sponsors US Senators Paul Sarbanes and Michael Oxley, it created a new accountability framework for the financial reporting of public companies, with the establishment of the Public Company Accounting Oversight Board (PCAOB), and brought an end to the self-regulation of the audit profession.
More than 15 years on, the act has proved largely successful in improving the quality of both financial reporting and audits, as well as going a long way towards restoring investor and public confidence.
So, why are we still talking about it? There are two main reasons, one regulatory and one market-related.
Firstly, a cornerstone of SOX’s continuing success is the willingness by Congress and other stakeholders to allow the regulatory framework to evolve. And as it does so, it presents new compliance challenges for organisations. Keeping up to speed with these new requirements is essential.
Secondly, as SOX applies to all US-listed companies, the renewed strength of the North American initial public offering (IPO) market is making more businesses tackle compliance for the first time. Drivers include the strength of the US economy, its buoyant stock markets, Trump’s tax reforms, which are starting to make it easier to invest in the US, and M&A activity relating to UK and European entities. At the same time, challenges relating to Brexit and the Eurozone are making those markets less desirable to tap into for capital funds. As a result, any company attracted to the US IPO market needs help getting rapidly up to speed with SOX.
Meeting today’s requirements
Taking the regulatory pressures first, external auditors are finding themselves facing a push by the PCAOB to further raise the quality of their audits. As a consequence, management need to beef up their compliance teams to achieve more control over the processes and be able to robustly challenge their auditors to make sure they themselves are meeting the tougher requirements.
There are two main areas of focus causing problems for organisations:
- Spreadsheet controls: spreadsheets play a major role in tracking and monitoring financial risk and performance. However, companies need to provide further assurance over where that data came from and how it is secured. Examples include how spreadsheet formulas are locked (or how access to them is restricted), where and how they are stored, on a shared drive for instance, and how access to that shared drive is restricted.
- Information provided by the Entity (IPE): when information and reports come out of your financial management system, can you demonstrate that they are accurate and complete? What checks do you have in place within your internal IT and business resources to ensure this happens?
The right approach for your organisation
When addressing these issues and more, the key is to tailor SOX requirements to the size, scale and nature of your organisation. The requirements of, say, a small pharma and an oil major will vary enormously.
And don’t think that SOX compliance is irrelevant unless you are listed, or about to list, in the US. The success of SOX has led many other countries to introduce SOX-like legislation. Examples include Japan, India and China, and this is bringing many more companies into the fold. For example, a UK car company with a dual listing in Japan will need to be ‘J-SOX’ compliant.
In terms of sectors, some are particularly relevant. One is Technology, Media and Telecommunications, where consolidation and digital disruption are pushing M&A activity to new levels. With the US market currently in the driving seat as acquirers of overseas companies, the need to bring an acquisition swiftly into line with SOX is clear. Another relevant sector is life sciences. For example, a small UK company may be seeking a first US listing to provide the capital it needs to bring a new drug to market. This creates an urgent need to build SOX compliance into its processes as the company goes through the IPO process.
Advances in technology, including the use of data analytics, are allowing businesses to track large volumes of information about their operations. They also, of course, make businesses vulnerable to cybercrime and in the future we believe cybersecurity and its links to financial controls may become of increasing interest to regulators.
Just as the SOX framework has evolved over the last 15 years, it will continue to do so going forward. Some of the areas in which we expect to see significant change are the use of RPA, technology in audits and corporate reporting.
Source: EY, The Sarbanes Oxley Act at 15