Getting Control Effectiveness from the New UK Corporate Governance Reforms

AUTHOR: KNUT HAUGLAND

SENIOR ASSOCIATE CONSULTANT

Knut is a Senior Finance professional with 19+ years of global experience. He specialises in Finance Transformation and Internal Audit, with particular expertise in Risk & Financial Controls, Process Design & Deploy, Shared-Service Set-Up and Migrations.

knut.haugland@loughridgetransformations.com

Reform of Audit, Internal Controls and Governance

A UK corporate governance reform, including internal control reporting requirements, is on the horizon. On 18th March 2021, the Department for Business, Energy & Industrial Strategy released a long-anticipated white paper, “Restoring Trust in Audit and Corporate Governance”, which outlined proposals for its intended reform of audit, internal controls and governance. The momentum for a UK version of the Sarbanes-Oxley (SOx) legislation has been gathering pace. However, you may have read or heard many stories of companies feeling like SOx compliance is a beast and adds little value. The truth is that 79% of CFOs surveyed by the Centre for Audit Quality indicated that SOx had improved the quality of the information in their financial statements. This improvement is a direct benefit of more robust control effectiveness, which UK CFOs should therefore welcome.

Looking Back at SOx Compliance and Control Effectiveness

The team at Loughridge Transformations has many years of experience working with SOx compliance. During their time at a top-five FTSE company, they worked with the SOx methodology, design, deployment and audit from its inception in 2004. Some readers may remember that the approach in the early days often felt like “quantity over quality”. The result was hundreds, if not thousands, of non-standardised SOx controls and many unhappy SOx control operators. However, in hindsight, organisations likely chose that approach because the alternative of regulatory non-compliance was unacceptable. 

The Next Phase of Compliance

For those companies that invested the time and effort, however, the next phase of the compliance journey was to take a step back and re-think their approach. The list of control effectiveness improvement opportunities was inevitably long. It included, for example, standardisation, classification of key and non-key controls, and improved, more sharply worded control descriptions.

Ultimately, those companies successfully achieved process and control integration. They reduced the absolute number of SOx controls (not too many or too few) and, most importantly, delivered global standardisation. These efforts led, in turn, to improved adoption from control operators and a much lower percentage of control failures. Consequently, the level and quality of assurance significantly increased.

The Future?

However, some companies have still not undertaken the streamlining and rationalising of their SOx control framework. As a result, they “suffer” year after year with an unnecessarily burdensome control framework.

It is, of course, true that exercising financial controls will typically be more labour-intensive. They require, for example, gathering evidence of execution, secure filing, positive control confirmation, testing of controls, and management reporting.  

So, How Does Successful SOx Design and Deployment Look?

Successful SOx design and deployment relies on analysing where the organisation needs SOx controls and reviewing the associated risks. As a result, a good starting point is to look at materiality. After all, a control framework gives assurance of “materially correct” financial statements. Therefore, the more material the numbers flowing through an account, or set of accounts, or process, the greater the likelihood you will need to assure material correctness.

A Straightforward Example:

For example, say your organisation has a thousand Balance Sheet accounts reconciled monthly, quarterly or annually. Usually, the values in the organisation’s Balance Sheet accounts are substantial. Therefore, you would want a robust SOx control to assure accuracy and completeness.

The critical question is, “should all one thousand accounts be in scope for a SOx control?” If you want to answer yes to that question, you may set yourself up for a burdensome and labour-intensive monthly or quarterly exercise. The result could be that “quick and dirty” reconciliations are performed to complete them before external financial reporting. Measured against the spirit of SOx and any other control framework, the value-add of such an exercise is much lower, and it will not provide the intended and required assurance.

Reconsider the Process and Risk

We strongly recommend considering our example and looking into the process and actual risk. Materiality forms an essential component of the assurance of Financial Controls. It is no less the case for SOx compliance. That means that you should review the thousand Balance Sheet accounts. Select the top five to ten per cent of the most material for review and reconcile following a SOx-compliant procedure. It is not uncommon to find that the top five to ten per cent account for eighty per cent or more of the total value of the thousand accounts.

In other words, you can design a control-effective process where the most material accounts are selected. Those executing the reconciliations will have much more time to properly scrutinise these accounts and take corrective action before the external financial reporting. So, what happens to the rest of the Balance Sheet accounts? They should also be subject to proper reconciliation and scrutiny, but this can be a broader process step, not a formal SOx control.

Another Practical Example of Streamlining?

In our consultants’ corporate experience and with clients, we often see examples of manual reconciliations, perhaps between accounts or sub-ledgers. Team members often overlook that the system, or a simple add-on or re-configuration, can automatically perform the reconciliation. Where that option exists, only a system-enabled (SOx) control that describes the automatic reconciliation is required. That control would typically only be subject to control testing every second year.

The Benefits of Standardisation

Global standardisation is another opportunity for those companies likely to be subject to UK SOx. If there are operations in multiple regions worldwide, it can be hugely beneficial to standardise the (SOx) controls. The same mitigating control can apply if there is the same risk in several locations. It saves time in the design, training and eventual testing. Those savings translate into a significant positive impact on the bottom line.

Recent Control Effectiveness Experiences

All companies in scope for UK SOx-like requirements will likely already have a control framework in some shape or form. For example, at Loughridge Transformations, we recently worked with a client where we reviewed the control framework. We will use one real-life example to illustrate how you can enhance existing AS-IS controls. The result is more robust and ultimately compliant with regulation.

The Existing Description

Our client’s AS-IS Key Control on the monthly review and approval of the “Board Pack” was written down in the organisation’s Financial Manual. It read, more or less, as follows:

  1. Month-End closed to ensure adequate time for review
  2. Finance performs Board report analysis
  3. Results reviewed by the CFO before being presented in the Board Pack.

For this process, no associated risks were detailed in the Finance Manual.

This is not uncommon, but what is described here is the process. It is not a control that gives any form of assurance to the management. To be clear – there is nothing inaccurate in the client’s AS-IS description of the process. However, it is inadequate in terms of control effectiveness.

Enhancing the Control Description

A standalone control description will be more meaningful when enhanced to include the following:

  • Who
  • What
  • Why
  • Where
  • When and
  • How

Including these in the description facilitates proper testing of the control effectiveness. A Control Operating Procedure will usually accompany a control description. Nevertheless, it would be best to aim for a crisp and clear control description that allows the reader to understand the critical points of the control and perform a test for effectiveness.

Our Proposal

Based on a couple of video meetings with our client to discuss the end-to-end process, our proposal for a TO-BE control description was as follows: 

  • Risk – every control should have an associated risk – otherwise, there is nothing to mitigate.
    • “Reported Management Information is not complete/accurate and/or inadequate corporate performance management – both resulting in the inability of management to make sound business decisions.”
  • Control Objective – every control should also have a control objective
    • “To ensure that Management Information is complete and accurate and compiled in a fit for purpose format/layout allowing management to analyse the presented data and make sound business decisions.”
  • Control Description – based on the above risk and objective
    • “To ensure that the monthly Board Report information is complete/accurate and analysed, including commentaries, the Senior Finance Manager runs BS & P&L reports (insert exact report names) from ERP in preparation for the Board Pack. They perform 1st-level analysis with commentaries, including variances, fluctuations against budget, cash flow, and other highlights. At least four workdays in advance of the Board Report meeting, the Board Pack is sent to the CFO for final review. The CFO reviews the pack with commentaries and their own analytical review, highlights any queries or review points, and, where applicable, sends them back to the Senior Finance Manager for clarification/investigation before the Board Report meeting.
    • The CFO presents the Board Pack to the Board at their meeting. The results are discussed and challenged by the Board. Minutes and actions from the meeting are captured and, where applicable, cascaded to the Senior Finance Manager for follow-up.
    • The Senior Finance Manager files the minutes/actions from the Board meeting together with the Board pack and ERP reports on SharePoint site XYZ as evidence.”

You will now see that this control description identifies the Control Owner and Operator. In addition, the description states the control frequency, and you can determine the control characteristic and its type. The description also includes evidence that makes the eventual testing much more efficient and easy. It covers all elements required for assurance of effectiveness to the management.

Control Effectiveness Enhances Governance

Our key message is that it is crucial to educate your C-suite and board as we move towards a UK-wide SOx-like governance framework. Equally important will be to ensure that senior and middle management have a good understanding of the requirements. Their support early on will enable your success. As a result, the new internal controls reporting requirements will not be seen as simply a checkbox for the organisation but will instead strengthen its governance.

Need More Support on Control Effectiveness?

If you need support, we can provide as little or as much as you need to get going or dig deeper, process your findings and implement improvements to your processes and controls – including fit-for-purpose design, testing and implementation. So don’t hesitate to get in touch by e-mail or arrange a call with us!
