Keeping up with Internal Controls

Since 2018, several Middle East regulators have introduced regulatory mandates aimed at strengthening internal control over financial reporting (ICFR) in the region. The trend looks set to continue, with further activity in the UAE suggesting a wider range of organizations soon to be required to meet ICFR requirements. 

The article “Inspiring trust through enhanced governance,” in the Middle East Point of View Spring 2021 issue, described how a number of government bodies had introduced a regulatory mandate for internal control aiming to strengthen governance structures within subject entities. It is clear that this journey continues today.

Following the Abu Dhabi Accountability Authority (ADAA), Qatar Financial Markets Authority (QFMA), and the UAE Insurance Authority (IA), the UAE Securities and Commodities Authority (SCA) issued a revised draft Governance Code for public consultation in the UAE in September 2022. Although the Code has not yet been issued in final form, the consultation indicates that the auditor’s responsibilities will be enhanced to include an opinion on the effectiveness of ICFR for all listed entities in the UAE; this will broaden the scope for ICFR compliance to a wider range of organizations across the country.  What does this mean for UAE listed companies and what steps can be taken to prepare for the new requirements?

What does the SCA release mean for companies and auditors?

As a result of the ICFR requirements as currently drafted in the Governance Code, there will be a wide range of implications for management, boards, and auditors of all listed entities in the UAE. 

Companies will be required to establish or formalize their internal controls within a specific framework, against which to judge the effectiveness of internal controls. 

As mentioned in the article “Inspiring trust through enhanced governance,” a well-established and well-recognized internal control framework is the Committee of Sponsoring Organizations (COSO) Internal Control Integrated Framework 2013 (the COSO Framework). 

Formalizing internal controls against the COSO Framework involves a series of activities to formalize scoping: development of an ICFR policy, a risk assessment, control definition, and allocation of roles and responsibilities.

To provide comfort to management, the board and the audit committee around the effectiveness of ICFR at the year end, companies need to have a monitoring process in place, aligned with the monitoring principles of the framework. 

Furthermore, the level of work performed on internal controls as part of the external audit is likely to increase significantly as testing the operating effectiveness of controls for an ICFR audit is a significant step up from the minimum control testing requirements for a financial statement audit. 

What are the benefits of ICFR?

As well as meeting regulatory requirements, developing an internal control framework brings several significant benefits to organizations as described below:   

• Effective internal controls increase the reliability of financial reporting. ICFR facilitates the availability of accurate and timely information to manage the business better and reduce the risk of errors, which can add time and effort to personnel. 
• ICFR increases a company’s credibility with internal and external stakeholders and potential investors.  
  
• Internal controls support a company to achieve their objectives of being effective and efficient. Roles and responsibilities of management and employees are defined and processes are in place, thereby providing great operating efficiency and enhanced performance. 
  
• Fraud opportunities are significantly reduced by effective internal controls; and 
  
• Data used in the organization is more reliable, facilitating better and quicker decision-making. 

Key observations from implementing ICFR

Deloitte has practical experience in supporting organizations implement and enhance internal controls, both in the Middle East and globally. Key observations from this experience include the following:

1. Timing of implementation: Starting the process early is critical. This ensures that time is available to remediate and implement controls before year end, thereby gaining the operational benefit of the controls and helping to achieve an unqualified ICFR assurance report. Gap assessments should be focused on meeting the ICFR audit requirements in the first instance, with practical and achievable recommendations.
2. Focus on the right areas: The foundation of an ICFR framework is the risk assessment. Management should aim for smart and focused risks and controls to cover the principles of the applied control framework and financial reporting risks. Knowing the level and type of documentation helps avoid audit issues and drives an efficient and effective process.
3. Auditor engagement: Up-front and continuous engagement with the audit team ensures that issues are addressed and resolved throughout the year, rather than at year end. This supports achievement of an unqualified ICFR opinion, a smooth ICFR audit process, and operational benefits from the establishment of ICFR.
4. Project approach: Having an established project approach ensures that the many pieces of the puzzle can be managed smoothly. Establishing ICFR is a complex process and an ICFR opinion is a significantly increased reporting requirement. It is critical that all aspects of the control framework are in place before the auditor begins the engagement.
5. Change management: Embedding controls and control frameworks is more than an exercise in documentation. It is critical to communicate across stakeholders and process owners at all levels of the organization through a change management program to ensure that a control implementation brings real benefits in the longer term.

Thinking of the future 

Setting the foundation for an ICFR journey is often a manual exercise initially – clearly defined and documented processes, risks, and controls are critical as a baseline. However, it is important to think about the future at the same time. This includes how organizations are responding to financial reporting risks arising from the confluence of technology revolution, a global pandemic, merger and acquisitions, and private equity funded disrupters. But it also covers how technology and data are used as a greater enabler for a company’s control environment. A robust risk and controls environment can help organizations become more agile and resilient, and support accelerated digital transformation—all of which help companies better utilize automation in operating and monitoring their financial reporting controls. However, the regulatory requirements for companies to adopt ICFR represents an opportunity to consider how controls, data, and technology can be used to help manage financial reporting risk - and at the same time - drive strategic benefit. Those organizations that see this as an opportunity, rather than a compliance exercise, stand a greater chance of driving better financial reporting, and at the same time, driving value for stakeholders. 

By Aderita von Glahn, Senior Manager, Assurance and James Smith, Partner, Assurance, Deloitte Middle East