UK version of Sarbanes-Oxley in force today

Out-Law News | 18 Apr 2005 | 1:25 pm | 1 min. read

New rules are in force today that place companies under stricter auditing controls, similar to the issues addressed by the Sarbanes-Oxley Act in the US. They aim to ensure that company directors provide auditors with correct information, and allow the government to investigate suspected breaches.

The new UK regime, set out in the Companies (Audit, Investigations and Community Enterprise) Act of 2004, has obvious knock-on effects for records management. This may require companies to adopt more stringent information security measures to ensure the accuracy and integrity of their records.Included in the sections of the Act brought into force today is a requirement that directors issue a statement in the auditor's report, confirming that they provided the auditors with all of the relevant information needed to properly prepare the report. Directors who fraudulently or negligently make this statement – or other directors who fraudulently or negligently allow the statement to go into the report – commit an offence under the Act punishable by fine or imprisonment.Another big change is a widening of powers for government to investigate company records – giving the Secretary of State, or an investigator authorised by her, the right to require the production of any records which she or the investigator specifies.As well as changes to company law reporting procedures, today's changes mean an increasing burden on companies to ensure that their information security practices are up to scratch.Companies already have a number of legal obligations to make sure that they manage and control information securely, including rules relating to the security of personal data under the Data Protection Act. These obligations include a duty to ensure that the information retains its accuracy and integrity.The provisions under the new Act augment these existing legal duties. Moreover they will require directors to create an audit trail, to prove that they have carried out due diligence on the required information. It is not enough just to put in place information security measures – directors now need to be able to demonstrate that they have done so.