On 18 March 2021, BEIS published its consultation paper on restoring trust in audit and corporate governance. The paper contains a wide range of proposals which are designed to strengthen the UK’s framework for major companies and the way in which they are audited. We are working our way through the paper and will publish a series of articles and posts on some of the key proposals. Our summary of the consultation paper is available at https://www.burges-salmon.com/news-and-insight/legal-updates/corporate/corporate-governance-and-audit-a-wide-ranging-programme-of-reforms/

Our third post looks at options put forward in the white paper for strengthening the UK’s internal controls framework. The proposals suggest that the UK may soon have its own SOX-style regime.


The obvious reference point in this context is the US Sarbanes-Oxley Act (SOX) introduced in 2002. The white paper notes that the key SOX provisions include requirements for the management of public companies to assess and report annually on the effectiveness of their company’s internal control structure and procedures for financial reporting. The company’s auditor is then required to attest to and report on this assessment. SOX places responsibility for a company’s financial statements and internal controls clearly with the CEO and the CFO.

The details of the certification requirements are set out in section 302 of SOX. In summary, the CEO and CFO must certify in each annual or quarterly report that:

  • the signing officer has reviewed the report

  • the signing officers
    • are responsible for establishing and maintaining internal controls
    • have designed such internal controls to ensure that material information relating to the issuer is made known to such officers
    • have evaluated the effectiveness of the issuer’s internal controls within 90 days prior to the report and
    • have presented in the report their conclusions about the effectiveness of their internal controls
  • the signing officers have disclosed to the issuer’s auditors and the audit committee
    • all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls and 
    • any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls

Is SOX coming to the UK?

We will know the answer to that when the consultation closes and the government reports back. However, the preferred option appears to be less onerous than the US SOX regime. For now, the consultation paper considers the following options:

  • Option A: Require an explicit directors’ statement about the effectiveness of the internal control and risk management systems

  • Option B: Require auditors to report more about their views on the effectiveness of companies’ internal control systems

  • Option C: Require auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems

What's the preferred option?

The white paper sets out the government's preferred option as follows:

  • Directors’ responsibility statement: Directors should be required to acknowledge their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting

  • Annual review of internal control effectiveness and new disclosures: Directors should be required to:
    • carry out an annual review of the effectiveness of the company’s internal controls over financial reporting
    • explain the outcome of the annual review, and make a statement as to whether they consider the systems to have operated effectively
    • disclose the benchmark system that has been used to make the assessment and
    • explain how they have assured themselves that it is appropriate to make the statement
  • If deficiencies have been identified, these should be disclosed and the directors should set out the remedial action that is being taken and over what timeframe

  • External audit and assurance: Decisions about whether the internal control effectiveness statement should be subject to external audit and assurance should usually be a matter for audit committees and shareholders

  • However, companies should be required to have their internal controls assured by an external auditor in limited circumstances (e.g. where there has been a serious and demonstrable failure of internal controls or where material control weaknesses have persisted over several years)

If introduced, the UK SOX-style regime will apply initially to premium listed companies. We anticipate that issuers will want to respond to the consultation and make their views known, especially as regards the costs of the new regime.