FRC risk and controls reforms: Lessons from SOX

Isaac Alfon, Jenny Birdi
03/02/2026

With the introduction of the updated Financial Reporting Council (FRC) Corporate Governance Code, UK-listed companies face a significant shift in expectations around risk management and internal controls (Provision 29). The Provision came into effect for financial years starting on 1 January 2026 and requires boards to evaluate and disclose the effectiveness of the risk management and internal control framework, together with any limitations.

Two additional aspects shape the challenge and add a wider range of risks to consider:

  • Going beyond financial reporting to cover operational, reporting and compliance risks as well. In practice, this means considering conduct risk, technology, data governance, sustainability and third-party risk management.
  • Focusing on material controls, which boards need to define. 

In some ways, this mirrors the US Sarbanes–Oxley Act (SOX) of 2002, enacted in response to corporate scandals such as Enron and WorldCom. SOX and the FRC Code share the same intent, trust in financial reporting, but there are differences:

  • SOX focuses on financial reporting, while the FRC Code covers wider risks (see above).
  • The consequences of misleading statements under SOX were more severe, so the sign-off process was more ‘extensive’, but not necessarily value-adding.

As UK companies make investment decisions about FRC code implementation, the SOX implementation journey offers valuable lessons. With less than 18 months until the first declarations are due, now is the time to learn from SOX’s legacy, aiming to avoid common pitfalls and accelerate readiness.

Key lessons from SOX implementation

After 23 years of SOX compliance, US-listed companies have developed mature practices. A few key lessons are most relevant for UK organisations.

Rationalise risk management frameworks

Adopt a unified approach to risk management. A consistent framework simplifies control assessments, highlights duplication and overlap, and clarifies ownership, especially within the first line of defence.  

We often see layered requirements that have arisen from the need to respond to increased regulatory scrutiny. Each layer allows the organisation to claim compliance, but the outcome is neither effective nor efficient.

Prioritise relevant financial controls first

Start with financial controls, then expand to the non-financial areas now in scope, using a consistent approach. This phased approach allows organisations to build on proven processes before tackling broader control environments.

Apply rigour proportionately

Focus documentation and testing efforts on high-risk controls. For example, management review controls should be clearly documented, detailing the specific checks and how they are performed. Equally, we encourage clients to avoid gold plating and excessive detail in process documentation; step-by-step procedures are not always necessary. The focus should be on finding the right solution for the business.

Manage third-party oversight

Don’t rely solely on third-party reports. Establish robust relationship management practices that challenge and validate the effectiveness of outsourced controls. You are only as strong as your weakest link, so remediation of risks within the supply chain is necessary.

Understand cost dynamics

SOX compliance costs didn’t decline significantly over time. Each company’s needs are unique; there is no one-size-fits-all approach. Outsourcing and technology can help, but they are not a definitive solution.

Commit to continuous improvement

Despite years of SOX practice, control deficiencies persist, and manual spreadsheets remain common. A mindset of ongoing enhancement is essential to move beyond basic compliance.

Positive outcomes from SOX

SOX has delivered tangible benefits that UK organisations can aim to replicate.

  • Improved documentation – Enhanced clarity and completeness of control documentation, which also supports sustainability assurance.
  • Standardised processes – Streamlined operations and reduced duplication.
  • Stronger outsourcing controls – Better oversight of third-party activities, especially those affecting financials.
  • Simplified control environments – Testing requirements drove simplification of overly complex processes. For example, our insights on the challenges of effective scenario testing for operational resilience have helped clients take action that genuinely enhances resilience.
  • Reduced human error – Increased automation of manual controls.
  • Greater audit committee engagement – More rigorous oversight and challenge from board members.

Efficiency gains

SOX has also paved the way for meaningful operational efficiencies. Effective control testing and business remediation (where necessary) can enhance business efficiency. At the same time, organisations that demonstrate a strong and well-documented control environment often need fewer internal tests, or can contain the growth in testing that weak controls would otherwise require, resulting in lower audit costs over time. They can also avoid spending money on compensating controls.

In addition, SOX processes can be aligned with other regulatory or certification obligations, such as anti-money laundering or employee record-keeping requirements. This convergence helps break down silos across teams and departments, allowing organisations to streamline efforts and reduce duplication in compliance activities.

Moving forward

The journey to compliance with Provision 29 of the FRC code doesn’t have to start from scratch. By leveraging lessons from SOX, organisations can build structured, focused, and efficient implementation plans. These insights not only support compliance but also drive long-term value through improved governance, risk management, and operational resilience.

As the deadline approaches, now is the time to assess your readiness, align your frameworks, and take proactive steps. We work collaboratively, provide practical insights and understand that making sense of the FRC expectations in the context of your business is crucial to ensuring that any solutions are implemented effectively in the timescales available. If you're looking to continue this discussion, please get in touch with your usual Crowe contact.

Contact us

Isaac Alfon
Director, Consulting