On March 18, 2021, the UK’s Department for Business, Energy & Industrial Strategy (BEIS) released a long-anticipated whitepaper. It outlines a proposal for its intended reform of audit, internal controls and governance. This effectively seals the introduction of a UK version of the Sarbanes-Oxley Act (SOX).
It’s simple to predict what the UK’s compliance and audit landscape could look like within the next few years. One has to look no further than the US equivalent as the benchmark. Executives, such as the CEO and CFO, will be responsible for having robust controls over the company’s financial statements. As with the US, it is expected that there will be significant penalties, fines and bans for failures.
SOX aims to protect investors from corporate fraud. To that end, it lays out strict requirements for enhanced financial disclosures, internal control assessments, corporate governance, and auditor independence.
More About SOX
SOX is originally a US regulation that came from the aftermath of financial accounting scandals in the early 2000s. Ever since it passed in 2002, publicly traded companies across all industries must follow its guidelines. In order to maintain compliance, companies typically create an internal controls framework to increase reporting accuracy and data integrity.
What are the Effects of UK SOX?
Released in 1985, Excel continues to be the tool of choice throughout the accounting and finance field. It would likely be easier to count the public companies that don’t use it than those that do. Spreadsheets are used for analyzing data, managing budgets, forecasting and modeling financial performance.
This ubiquity is recognized by regulators and auditors, and they’re scrutinizing the controls and monitoring of these user-developed applications (UDAs).
If you cannot confidently list your processes that depend on Excel and other UDAs, read on!
UDA Alphabet Soup
Compliance and audit professionals call Excel and similar applications these names:
- UDA: User Developed Application
- EUC: End User Computing application
- EUCT: End User Computing Tool
- EUA: End User Application
- EUDA: End User Developed Application
Don’t let the acronyms confuse you. They’re all interchangeable.
Other applications or programming languages in this category include Access databases (.ACCDB & .MDB), Python scripts (.PY), R scripts (.R), Matlab (.M & .MAT), and others.
First Steps to UK SOX Compliance
Executing the following steps will provide the necessary visibility and controls expected by regulators and auditors. While these steps can be implemented manually, it will quickly become apparent why this is not a good idea.
- Locate the most important spreadsheets & UDAs
- Check for changes and updates to these important UDAs
- Will these critical spreadsheets be replaced with more robust, IT-supported, applications?
Step 1: Locate the most important spreadsheets & UDAs
Step 1 is to build a list, an inventory, of your critical processes that depend on Excel and other UDAs. The inventory needs to always be accurate and up to date. Regulators will inevitably ask, “how do you know that you haven’t missed something important?” For this reason, many US organizations use Apparity’s automated tools that are designed and optimized for this purpose.
Once an inventory has been created, you will also be able to rank these UDAs in order of importance. This ensures the most critical are monitored accordingly. Again, Apparity’s award-winning solution includes this capability.
Step 2: Check for changes and updates to these important UDAs
Errors and mistakes may be unintended but that won’t cut the mustard with regulators if it results in a misstatement. You need to ensure all changes are known and reviewed. This process needs to be fast, efficient, and not frustrate your users. Apparity’s software includes full change and version management and is recognized as best in breed for user acceptance.
Step 3: Will these critical spreadsheets be replaced with more robust, IT-supported, applications?
Citibank was recently fined $400m and told to reduce its dependence on UDAs. Regulator-demanded purging of UDAs like this is expected to become the norm. However, which spreadsheets and UDAs should be retired, and in what order?
Apparity enables you to rank UDAs and shows their data connections and links. We also enable you to capture all the components in an entire process. This gives your IT team a comprehensive understanding to build viable alternatives.
Get Help with UK SOX Compliance
Many organizations freeze at the notion of trying to understand and control their UDA landscape. Apparity is familiar with concerns such as “my UDA environment is too complex.” Our tools and software are used by many of the world’s largest and most complex organizations. SOX and financial controls are usually the first place needing attention.
We would be delighted to help you navigate these new rules and requirements.