SOX puts UK firms on back foot

Compliance with the US Sarbanes-Oxley law is proving costly for UK firms with US listings

UK firms are coming to terms with a newly effective section of the Sarbanes-Oxley (SOX) corporate governance rules requiring UK companies with a US stock-market listing to show internal controls.

Often cited as one of the most knotty elements of SOX, Section 404 took effect for non-US firms on 15 July and affects over 100 UK-based firms. The code mandates that firms include in financial reports records of controls deployed and their effectiveness. This would include data security measures taken, their ongoing monitoring, and a record of any breaches or attempted breaches, for example.

UK companies will together spend a total of about $350m on compliance, according to estimates by the Association of Chartered Certified Accountants. Those that are remiss face multi-million-pound fines if they cannot demonstrate compliance, as well as brand damage sustained by inevitable bad publicity.

To get around the problem, many firms are choosing to deploy best-practice templates - such as ISO17799 and NIST for security - that help enforce and accelerate compliance in processes.

“There’s no 100 percent SOX compliance,” said Brian Contos, chief security officer of security and compliance reporting firm ArcSight. “Security doesn’t equal compliance and compliance doesn’t equal security but there’s a huge amount of overlap and one of the biggest problems companies face is ‘paralysis by analysis’.”

Others said that controls on asset management are key in mitigating exposure.

Olivier Suard, marketing director at Comptel, a developer of operational support systems for telecoms carriers, said firms need inventory controls for accurate SOX compliance: “One angle of SOX is security but companies also need to be able to report on the accuracy of the filing and for telecoms companies and many others that means asset tracking is vital.”

US regulator the Securities and Exchange Commission (SEC) is showing signs of tempering the complexity of SOX compliance, which has drawn many complaints.

In an 11 July announcement, the SEC reported on feedback, noting that, “the Commission learned from participants that while Section 404 has produced benefits, its implementation has been unduly costly”.

Other rules and regulations are due to hit financial services organisations next year through the Capital Requirements Directive and Markets in Financial Instruments Directive (Mifid).

Jim Fleming of regulatory compliance consulting firm FMConsult said, “They’re proving a real bugbear and there’s going to be a lot of pain.”