UK SOX: Automation & Technology Opportunities the Second Time Around

The UK’s Financial Reporting Council (FRC) has been working on an equivalent of the U.S. Sarbanes-Oxley Act (or SOX) for several years. A consultation with UK companies, audit firms and other stakeholders was launched by the government in March 2021, and closed in early July. What are the regulations going to look like, and who will be affected? When are regulations likely to be introduced and is there anything companies can do now in preparation?

What is SOX and why was it introduced?

In the early 2000s, a number of factors combined to create an environment ripe for corporate scandals in the United States, namely conflicts of interest, inadequate overseeing of accounts, a lack of independent auditors, and weak corporate governance policies/procedures. The highest-profile and best-known of these scandals was at Enron. In response to this corporate climate, auditing and financial regulations were established for companies listed on the U.S. Stock Market, set out in the Sarbanes-Oxley Act of 2002. SOX, as it is also known, set out minimum requirements for publicly-traded companies for greater transparency and accountability in financial reporting.

Winterhawk CEO Steve Hewison recalls:

“From my experience working in America at an international company in the early 2000s, the arrival of SOX felt quite sudden. We found ourselves behind the curve and scrambling to put the necessary controls in place. We needed to start much earlier than we did; it was very reactionary.”

Why is UK SOX needed?

The UK has had its own share of accounting and audit-related issues, with recent financial scandals at Patisserie Valerie and BHS deemed to be “indicative of a wider crisis of trust in the audit industry.” Recent independent reviews (the Brydon Report and Sir John Kingman’s 2018 FRC review) have recommended reforming audit and government regulations.

Legislation is expected to be finalised in late 2022, but as with other recent regulations, it is unlikely to come into force for a year or two after that. This is good news since, based on U.S. experience, it is going to take a couple of years for companies to prepare.

Will it really happen?

Winterhawk and SAP ran a GDPR-focussed event in October 2016 in London, the first of its kind in the UK at the time. A captive audience of leaders from various UK companies attended to hear lawyers and leading experts speak about GDPR, what it would mean, and the changes that would be required. Feedback at the end of the day was that the content was interesting, but attendees were sceptical that it would have much impact on their businesses, let alone be rolled out. Then in May 2018 the regulations were introduced, people raced to understand and comply with them, and we are seeing fines being handed out all over Europe.

Similarly, UK SOX is going to happen and it will take time (years) to prepare.

“Companies are already thinking about it,” says Andrew Sawyer, Winterhawk COO. “We’ve got FTSE-listed clients telling us that they’re worried about UK SOX and asking what they should do in preparation.”

What can you do right now?

Now is the time to start planning. A compliance project could take years depending on the size of the organisation and the number of stakeholders involved; it can take time to get it right, to get to the stage where significant deficiencies aren’t being reported.

We suggest you start by considering the following questions:

  • Do we have an effective programme of risk & controls?
  • Do we have clearly defined risks properly aligned with the business? What about Key Risk Indicators (KRIs)?
  • Are the right people in place with ownership of controls and processes?
  • Can we automate and/or innovate to leverage our existing technology?

Past Learnings

Steve Hewison, Winterhawk CEO: “When I was responsible for implementing SOX at Kraft Foods, some 20 years ago, we reviewed the ‘404 General Computer Control’ requirements. It became clear that it was going to be a significant undertaking for the organisation and would be a multi-year effort. Finding future state control owners was the first major challenge, and was rarely something people wanted to sign up for – it was adding work to their often already busy schedules. To gain buy-in, as the programme evolved, we were able to find ways to streamline, optimise and automate controls, reducing the burden on control owners, not just from a SOX perspective but also saving them and their teams time in the day-to-day roles.”

As an independent consulting practice, Winterhawk has deep experience in using technology to help achieve SOX compliance. In 2002, when U.S. SOX was introduced, GRC solutions were still in their infancy and compliance projects were very much a manual effort, but the ways we managed SOX (U.S.) are still relevant here. Today we have solutions such as SAP Risk Management and SAP Process Control which will be of significant benefit to companies in the UK who are starting their UK SOX journey.

All UK companies that are listed on the stock market (or planning to be listed in the future) are likely to be in scope for UK SOX; it will become part & parcel of their internal & external audits on an annual basis. For organisations running SAP, where the existing ERP system already looks after the financials, it makes absolute sense to have GRC solutions embedded to support the journey towards UK SOX compliance (not to mention looking after your data and preventing fraud, cyber-attacks, etc.).

It’s never too early to start thinking about upcoming regulations and preparing for them – get in touch to discuss ways Winterhawk can support you in preparing for UK SOX.