Pull your SOX up – enhanced assurance for regulatory reporting is on the way
In the early 2000s a number of major corporate and accounting scandals such as Enron and WorldCom resulted in a major shake-up of financial reporting. The accuracy of publicly reported financial information was put under increased scrutiny and the Sarbanes-Oxley Act (SOX), also known as the “Public Company Accounting Reform and Investor Protection Act”, was introduced as a result.
Sarbanes-Oxley is a US federal law and came into force in 2002. It introduced major changes to the regulation of corporate governance and financial practice for all US public company boards, management and public accounting firms. Its components range from enhanced corporate responsibility for the accuracy and completeness of financial reports, to specific criminal penalties for manipulation, destruction or alteration of financial records.
One of the key requirements is that companies must obtain an independent audit of internal control practices for reporting. Despite the high cost this brings and increasingly negative industry sentiment toward the regulation, evidence shows that it has proved beneficial. Markets have been able to use the information to assess companies more effectively, managers have improved internal processes, and internal control testing has become more cost effective over time.
Sarbanes-Oxley is viewed by many as the gold standard of financial governance laws, which has led to SOX-type regulations being enacted in a number of other countries.
At present in the UK there are no requirements for regular external assurance of banks’ financial reporting. However, there has been an indication that this may change through a paper published by the ICAEW (Institute for Chartered Accountants in England and Wales) in November 2016.
This paper responds to a request from the PRA to consider how assurance on bank capital ratios and risk-weighted assets could support confidence in these critical measures of banks’ financial strength. It proposes a framework that banks might choose to adopt in undertaking assurance which will support confidence in capital ratios, drive enhancements in data quality and highlight areas of inconsistency and variations arising as a result of bank-specific modelling and methodology differences. Standards required by Sarbanes-Oxley are provided as an example to assist in the design and implementation of this framework.
Although the paper proposes only a framework rather than mandatory rules for banks to follow, the ICAEW suggests that banks review existing internal governance and control procedures and decide on the most appropriate scope and level of work effort required to ensure they are providing reliable, timely and useful RWA and regulatory capital information. Indeed, a more consistent and comprehensive assurance process would likely be welcomed by the board who, under the Senior Managers Regime, should see this as an opportunity to better demonstrate the effective implementation of regulatory reporting standards and, more importantly, the sound running of the bank.
From the perspective of the market I can see this also being embraced. Repeatable, uniform assurance of financial reporting across the industry, coupled with more stringent capital calculation methodologies – such as those outlined by the Fundamental Review of the Trading Book (FRTB) – should provide confidence in the reported capital ratios to both regulators and shareholders alike.
Despite the perceived benefits, experience suggests that additional assurance will inevitably place pressure on the reporting timeline. A more robust internal assurance process will likely increase the role of the bank’s audit committee, a move which could add days to the reporting timeline, whilst the provision of external advice will similarly squeeze the production process for regulatory reports. Furthermore, whilst PRA Chief Executive Sam Woods may have hinted that the regulatory revolution is coming to an end, with potential additional rules expected under Basel IV, the aforementioned FRTB and MiFID II, among others, I expect that, in the short term at least, banks will have limited capacity to deal with further additional standards. For all these reasons, US SOX rules have in recent weeks come under fire from the Trump administration and supporters of deregulation as costly and overbearing, leading to speculation of further regulatory repeal.
Over time, there are certainly compelling reasons to put in place mechanisms that begin to review the degree and effectiveness of internal and external assurance across financial reporting processes, within the context of a single, robust and sustainable regulatory control framework. This holistic view should draw out efficiencies and best practice across the business, rather than within functional silos. The ICAEW’s paper was closed for feedback in February 2017, with technical guidance expected towards the end of this year. I think it would be prudent for banks to consider how this guidance could be introduced across the regulatory operating model rather than simply within regulatory reporting, appreciating the continuous advent of new regulation as well as the need to embed and improve those obligations that have long since been introduced.