If you search "SOX regulatory compliance" right now, most results describe a US federal law that most likely doesn't apply to your UK finance team. The Sarbanes-Oxley Act is American legislation. The UK planned its own equivalent, the Audit Reform and Corporate Governance Bill, but the government abandoned it in January 2026.
However, you still have internal controls obligations. The risk is preparing for the wrong framework, or missing the one that does apply.
Two live frameworks remain: Provision 29 of the 2024 UK Corporate Governance Code and the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Which one applies depends on your listing status and size. Both require evidence that controls actually work in practice, and written policies aren't enough.
This article is general guidance for UK finance teams, not legal advice. Your specific obligations depend on your listing status, size, and structure, so consult a qualified adviser before making decisions based on the frameworks covered here.
Why most SOX compliance guidance misses the UK picture
Most online SOX guidance either describes the US Sarbanes-Oxley Act or treats the scrapped UK Audit Reform Bill as still active. Neither reflects what actually applies to UK finance teams today.
Corporate failures like Carillion and BHS prompted reform reviews recommending stronger audit quality and corporate governance. A draft Audit Reform and Corporate Governance Bill appeared in the July 2024 King's Speech. It proposed a new statutory regulator called the Audit, Reporting and Governance Authority (ARGA), plus extended obligations for large private companies and personal sanctions for directors.
The government scrapped the Bill on 20 January 2026. The Department for Business and Trade said the Bill's costs conflicted with its growth agenda. Everything the Bill proposed was dropped, including ARGA, the extension of public interest entity (PIE) status to large private companies, the statutory Resilience Statement and Audit and Assurance Policy, and personal director sanctions. None of these carry a current compliance obligation.
"UK SOX" is shorthand for the obligations that survived. Which of the two frameworks applies to you depends on whether your company is listed on the UK Official List, a large organisation meeting statutory size thresholds, or both.
What actually applies to your finance team
So which framework applies to your company? Two frameworks cover UK SOX compliance: Provision 29 and ECCTA. Some companies are subject to just one; some to both.
Provision 29 of the 2024 UK Corporate Governance Code
Provision 29 is the closest thing the UK has to a SOX-style rule. It's part of the UK Corporate Governance Code and applies to companies on the UK Official List. Unlike US SOX, it isn't statute. It operates on "comply-or-explain": you either follow the Code's provisions, or explain in your annual report why you haven't.
If your company has equity shares on the UK Official List, or is a closed-ended investment fund on the same list, you're in scope for Provision 29. Your board has three reporting obligations. First, it must declare in your annual report that all material controls were operating effectively at the balance sheet date. Second, it must describe how it monitored and reviewed the internal control framework. Third, it must disclose any material controls that weren't operating effectively, along with the action taken or planned to fix them.
It takes effect for financial years beginning on or after 1 January 2026. The first declarations will appear in 2027 annual reports. If your year-end is 31 December, your controls need to be working across the full 2026 financial year. The declaration covers the whole period.
If you've been benchmarking against US SOX, the UK model differs in three important ways. Provision 29 doesn't require external auditor attestation; responsibility for assurance rests with directors, the audit committee, and shareholders. Directors face no statutory sanctions for false declarations. Enforcement sits with the Financial Reporting Council (FRC) under comply-or-explain, not the statutory penalties that back US SOX Section 404.
The UK framework is designed to be proportionate. You have flexibility in how you prove controls work. For mid-market finance teams without large compliance departments, that flexibility can feel more like ambiguity.
The Economic Crime and Corporate Transparency Act 2023
ECCTA is UK statute law, not a governance code. Its Section 199 "failure to prevent fraud" offence has been in force since 1 September 2025, and it applies to large organisations whether or not they're listed. The ECCTA guidance says you're covered if your organisation meets at least two of these thresholds: more than 250 employees, more than £36 million turnover, or more than £18 million in total assets.
Under ECCTA, your board needs to build fraud prevention into how the company is governed, and show that reasonable procedures are in place. For your finance team, that means your spend controls, approval workflows, and procurement processes are all evidence. If you've ever had to explain to the board why a rogue payment got through, you understand the exposure ECCTA is trying to close. The Act is about stopping fraud before it starts. Detection after the event won't satisfy it.
The internal controls framework your board needs
Your board needs to document and monitor an internal controls framework built around three categories: entity-level, business process, and IT general. The 2024 Code sets the expectation but doesn't give you a template, so each company designs its own.
The board has explicit responsibility for overseeing the framework, including monitoring and reviewing its effectiveness at least once a year. So where do you start when the regulator won't prescribe a model?
Entity-level controls
Entity-level controls underpin everything else. You need a board-approved code of conduct and a documented Delegation of Authority matrix that spells out who can approve what, and up to what amount. You also need a formal annual risk assessment covering financial, operational, compliance, and reporting risks. Most finance teams have some version of these already, even if it's a spreadsheet that hasn't been updated since the last audit.
Budget controls link approval authorities to cost centres. Your board then has a documented view of what's approved at each level. Under ECCTA, your whistleblowing policy also counts as one of the reasonable fraud prevention procedures the Act requires.
Business process controls
Business process controls are where your framework meets day-to-day transactions across financial close, procurement, payroll, and reporting. Start with internal controls over financial reporting (ICFR), then add operational and compliance controls in later cycles. The ICAEW argued for this sequencing in its formal consultation response. For a finance controller without a large compliance team, ICFR-first makes a real difference to workload.
Your month-end close needs preparer and reviewer sign-off on every journal. Balance sheet reconciliations need a second person's review and sign-off. Revenue recognition controls need a written policy and cut-off controls at period end. Building this documentation from scratch often takes longer than project plans anticipate, especially when your team is also running the normal month-end close.
Segregation of duties means no single person controls an entire transaction. Authorising, recording, holding custody, and reconciling should sit with different people. In mid-market teams of two to eight people, full segregation often isn't practical. When one person raises, approves, and reconciles the same transaction, compensating controls like enhanced management review and more frequent reconciliation become essential.
IT general controls
IT general controls (ITGC) cover access management and change management in your systems. Weak access controls undermine the wider framework, because if your auditors can't trace who had access to what, they'll have a hard time trusting your other controls.
ISA (UK) 315 identifies segregation of duties as a relevant control activity. Shared logins make that hard to demonstrate. If three people use the same system credentials, you can't prove who approved a specific transaction. The gap weakens both your Provision 29 declaration and your ECCTA fraud prevention evidence.
How spend management controls support your board's declaration
Spend management is one of the clearest places where internal controls affect day-to-day work. Every purchase order, expense claim, and invoice payment either strengthens your board's declaration or creates a gap in it.
Provision 29's scope goes beyond financial reporting. The ICAEW conference on internal controls described it as "broader and shallower than the US SOX regime." The scope explicitly includes spend management, expense control, and procurement compliance.
Segregation of duties in your procure-to-pay process
In procure-to-pay, segregation of duties means different people handle raising, approving, receiving, and paying for a purchase. Your procurement process is one of the first areas auditors examine. A budget holder raises the requisition, then a separate authorised signatory approves the purchase order under your Delegation of Authority matrix. Someone independent confirms goods receipt. Finance then matches the invoice and authorises payment as a separate step.
Three-way matching enforces this separation. The system compares the purchase order, goods receipt, and supplier invoice before any payment goes out. When this is automated, discrepancies get flagged for review before they reach the payment queue. Your team ends up with documented, repeatable control evidence auditors can test efficiently.
When your team is too small for full manual segregation, technology can close the gap. Role-based access controls in your software enforce the separation automatically. Spendesk is a spend management platform covering company cards, expense management, accounts payable, procurement, and budgeting; its approval workflows create timestamped, named records of every approval decision. For finance teams building Provision 29 or ECCTA evidence, that audit trail turns manual segregation into an enforceable, documented control.
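The procure-to-pay checks described above, as an added worked example that is not Spendesk's code or any part of the original article: the Delegation of Authority limits, the names and the purchase records are constructed for illustration, and the function returns the list of control exceptions an automated three-way match would flag before payment.

```python
from dataclasses import dataclass

# Constructed Delegation of Authority (DoA) matrix: approver role -> max PO value (GBP).
# Illustrative thresholds only, not a real company's matrix.
DOA_MATRIX = {"finance_manager": 10_000, "finance_director": 100_000}

@dataclass
class PurchaseOrder:
    po_id: str
    raised_by: str          # budget holder who raised the requisition
    approved_by: str        # authorised signatory under the DoA matrix
    approver_role: str
    amount: float

@dataclass
class GoodsReceipt:
    po_id: str
    received_by: str        # should be independent of raiser and approver
    quantity_matches: bool

@dataclass
class Invoice:
    po_id: str
    amount: float
    payment_authorised_by: str   # finance authorises payment as a separate step

def three_way_match(po, receipt, invoice, tolerance=0.01):
    """Return the list of control exceptions; an empty list means payment may proceed."""
    issues = []
    # Segregation of duties: raise, approve, receive and pay must be four different people.
    actors = {po.raised_by, po.approved_by, receipt.received_by, invoice.payment_authorised_by}
    if len(actors) < 4:
        issues.append("segregation_of_duties_breach")
    # The approver's DoA limit must cover the PO value (unknown role -> limit 0).
    if po.amount > DOA_MATRIX.get(po.approver_role, 0):
        issues.append("approval_exceeds_doa_limit")
    # Goods receipt must reference this PO and confirm the quantity received.
    if receipt.po_id != po.po_id or not receipt.quantity_matches:
        issues.append("goods_receipt_mismatch")
    # Invoice must reference this PO and agree with its value within tolerance.
    if invoice.po_id != po.po_id or abs(invoice.amount - po.amount) > tolerance * po.amount:
        issues.append("invoice_mismatch")
    return issues

# Constructed sample transactions: CLEAN passes; in WEAK one person raises, approves and
# authorises payment for the same PO, and the approval also exceeds their DoA limit.
CLEAN = (PurchaseOrder("PO-1001", "alice", "bob", "finance_manager", 8_000.0),
         GoodsReceipt("PO-1001", "carol", True),
         Invoice("PO-1001", 8_040.0, "dave"))
WEAK = (PurchaseOrder("PO-1002", "alice", "alice", "finance_manager", 25_000.0),
        GoodsReceipt("PO-1002", "carol", True),
        Invoice("PO-1002", 25_000.0, "alice"))
```

Each returned exception is the kind of item that should land in an exception report with the named, timestamped approval records behind it, which is the evidence an auditor tests.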
Audit trails and attestation evidence
Provision 29 requires evidence of how the board monitored and reviewed controls. Your auditors need more than an assertion that controls exist.
They're looking for preventive controls such as approval workflows, spend limits, and purchase requisition requirements that stop unauthorised transactions before they happen. Detective controls such as duplicate payment detection, anomaly alerts, and supplier statement reconciliation matter, too. So do compensating controls, including audit preparation processes, exception reporting, and management override logs.
Automated controls behave consistently: the same input produces the same output every time. ISA 330 recognises this, noting that auditors don't need to increase sample sizes for automated controls the way they do for manual ones. The reduced sampling cuts audit effort materially.
Your team should be able to produce this evidence for last quarter's transactions within 48 hours. If you can't, that's a signal your controls aren't documented well enough.
Implementation mistakes that cost time and credibility
So where do finance teams go wrong once they've mapped the framework? Four mistakes catch most teams out: over-scoping, under-scoping, bad timing, and treating compliance as finance-only. Each one costs time and credibility with the board and auditors.
The first trap is over-scoping to match US SOX. UK guidance doesn't spell out what counts as "effective," and teams that over-compensate end up with something as costly and burdensome as the early US experience. The practical starting point is ICFR, then operational and compliance controls in later cycles.
The opposite trap is scoping too narrowly to avoid work. Some companies define "material weakness" and "covered controls" so narrowly that nothing substantive changes, and the annual report tells investors nothing new. If your Provision 29 declaration tells investors nothing they couldn't already see, it may fall short of the aim.
Timing catches teams out too. If your December 2026 year-end triggers your first Provision 29 declaration, your controls need to work across the whole year. A realistic implementation takes 12 to 24 months from scoping to first declaration. Starting in Q3 2026 for a December year-end leaves almost no room to find and fix weaknesses.
Treating compliance as a finance-only project is the fourth failure. The Code's scope cuts across functions, covering financial, operational, compliance, and reporting controls. The cross-functional scope means it needs board-level sponsorship and control ownership across finance, operations, IT, and legal.
What preparing for the wrong framework actually costs
Searching for SOX compliance and finding the wrong framework wastes research time. It leads to controls programmes built for the wrong standard, budgets allocated to the wrong priorities, and boards briefed on requirements that don't apply.
If Provision 29 applies, your board needs a defensible declaration on material controls. If ECCTA applies, you need to show reasonable fraud prevention procedures. If both apply, your finance team needs documented, testable controls that work across day-to-day spend, reporting, and governance. The main risk is building for the wrong framework and finding out too late that your evidence doesn't fit what actually applies.
For mid-market teams with limited compliance headcount, you may be further from ready than you think. Investing early in documented, automated controls is both a compliance move and a practical one. It gives your board the evidence they need for the declaration, and gives your auditors less to question during testing.
See how Spendesk handles expense automation and automated audit trails for growing finance teams.
Frequently asked questions about UK SOX compliance
Does UK SOX apply to private companies?
Provision 29 doesn't apply to private companies, but ECCTA does if you meet the size thresholds. You're in scope for ECCTA if your organisation meets at least two of three criteria: more than 250 employees, more than £36 million turnover, or more than £18 million in total assets. Private companies that hit those thresholds have internal controls obligations under ECCTA even without a stock exchange listing.
Does Provision 29 apply to AIM-listed companies?
No. Provision 29 applies to commercial companies with equity shares on the UK Official List, and to closed-ended investment funds on the same list. AIM is a London Stock Exchange market, but it sits outside the Official List, so AIM-listed companies aren't directly in scope. AIM companies usually follow the QCA Corporate Governance Code instead. They may still fall within ECCTA if they meet the size thresholds.
We're dual-listed on a US exchange. Do we need to comply with both US SOX and Provision 29?
Yes, both apply. US SOX Sections 302 and 404 still apply if you're subject to US SEC registration, and Provision 29 adds a board declaration on material controls for your UK annual report. Dual-listed companies often align their UK control framework with existing US SOX infrastructure, since the US regime demands more prescriptive testing. But the governance routes still differ: the UK operates on comply-or-explain with no external auditor attestation, while US SOX 404(b) requires an auditor opinion on internal controls for most filers.
What counts as a material control under Provision 29?
The 2024 Code doesn't give a prescriptive definition of "material." It leaves your board to judge which controls are material to the company's strategy and to protecting stakeholders from financial, operational, compliance, and reporting risk. Your audit committee should document the materiality judgement each year, so the board can point to it if challenged on the declaration.
Where should a mid-market finance team start with UK SOX preparation?
Map which framework applies: Provision 29, ECCTA, or both. Build from internal controls over financial reporting (ICFR) as your foundation, then extend to operational and compliance controls in later cycles. Document your existing controls, identify gaps in segregation of duties and approval workflows, and establish a monitoring and testing schedule that your board can reference in its annual declaration.