Inspiring trust through enhanced governance

ME PoV Spring 2021 issue

The emergence of regulatory mandate for Internal Control over Financial Reporting

Business failures happen—it is an economic fact of life. But when that failure is due to poor internal controls, organizations question what, exactly, went wrong. We have witnessed recent examples of accounting incidents in the Middle East, where the simplest of internal controls were overlooked, and which could have uncovered the scale of fraud years earlier. The effectiveness of internal controls may not have saved the companies entirely, but they might have minimized the losses to shareholders and helped retain trust in their financial reporting.

Regulators in the Middle East have become more vigilant to the importance (and value) of a company’s effective internal control system. In the UAE and Qatar the regulators have embraced the fact that monitoring and reporting on Internal Controls over Financial Reporting (ICFR) directly correlates to investor and stakeholder trust in the reliability of financial and other corporate disclosures made by regulated companies.

The Abu Dhabi Accountability Authority (ADAA) Law Number 1 (2017) and the Qatar Financial Markets Authority (QFMA) Governance Code first applied to entities for the year ended 31 December 2018, and established requirements for certain entities to not only issue a Board of Directors report on the Design and Operating Effectiveness of the ICFR, but for the external auditor to also obtain assurance and issue a report on ICFR.

Following ADAA and QFMA, in 2020, the UAE’s Insurance Authority (IA) issued ICFR reporting requirements for insurance companies.

These regional developments around ICFR reporting demonstrate a shift in the regulators’ mindset towards a risk-based, internal controls-dependent approach for enforcing regulatory compliance. It is expected that other regulatory bodies may soon follow suit and that compliance with ICFR requirements will likely become essential for certain other regulated companies.

Response from management and the Board of Directors

The new ICFR regulations in the Middle East have been met, for the most part, with broad support and a focused effort to comply with the regulations.

Data from QFMA and ADAA for the first two years demonstrate a drive by most entities to engage consultants for ICFR readiness to help develop their internal control framework, risk assessment, and universe of relevant internal controls; while a minority elected to use in-house resources to complete ICFR readiness work.

QFMA and ADAA entities have widely accepted the Committee on Sponsoring Organizations framework (COSO) for internal controls. COSO was chosen based on its broad recognition and history of adoption in worldwide ICFR compliance regulations; such as in the United States and India, with many other countries including Japan, China, and South Korea having modeled requirements related to internal control using concepts from the COSO framework.


Perspectives and lessons learned

Based on a survey of Qatar and Abu Dhabi organizations, below are the top five lessons learned from the first three years of ICFR compliance.

  1. Early planning and budgeting
    Internal effort needed to complete the ICFR assessment work appropriately is significant. It is like an iceberg; what you see above the water represents only a fraction of the effort needed to get to a position where the attestation can be made with confidence. The ICFR report issued at year-end is only the final deliverable of what, in essence, is a year-long project. The process to conduct a risk assessment, revisit and test the design and operating effectiveness of all relevant controls, and allow sufficient time to remediate (and possibly retest) any control deficiencies before year-end, is rigorous and requires a dedicated ICFR compliance team who can take ownership of the program. Early planning and budgeting is a key indicator of companies who have successfully transitioned to ICFR Compliance.
  2. Liaising with the external auditor
    The risks that companies face are not just limited to financial numbers. Controls need to be vigorously applied to governance, data, security, staff conduct, culture, ethics and other aspects of organizational structure. Therefore, the scope of the work can be much wider than initially anticipated by companies. The relevancy of Information Technology (IT) to ICFR, in particular, has taken longer for entities to appreciate as it is not immediately obvious how IT systems can, and do, impact the reliability of financial statements. Ensuring the external auditor is closely involved in the ICFR scoping process leads to consensus and fewer possible points of contention in the concluding phase.
  3. Vocal messaging by the senior management and those charged with governance
    Before the regulator’s mandate for ICFR reporting, company internal control systems were less formalized, both in terms of documentation and assessment. Educating department heads on the purpose of management’s assessment process in the context of the ICFR reporting requirement is key to garner broad buy-in from management across the organization. This buy-in can be the deciding factor in where or not sufficient resources from each department are made available to identify, document, and support the control testing process throughout the year.
  4. Complexity of assessing controls across the group
    Management is required to monitor all relevant control activities including those that exist at a subsidiary level. These subsidiaries may operate in multiple geographical locations; resulting in a range of unique challenges for the parent entity. These challenges include: decentralized control environments, lack of internal control expertise by subsidiary management, non-integrated software systems, and ineffective or untimely monitoring of subsidiaries’ internal control and financial reporting.

  5. Outsourced service provider controls
    It is common business practice to outsource IT services such as security monitoring, application maintenance and disaster recovery, to third parties. When IT services are outsourced, managing IT risks related to the service(s) and ensuring relevant controls are effective is also the responsibility of the third party. Without an independent auditor report on effectiveness of 3rd party controls, Management is left with the option of independently assessing the IT risks and controls themselves – a suboptimal option both in terms of logistics and cost.

    The last two insights are challenges that can lead to road blocks in compliance. Planning early in the year with all parties involved can prevent the scramble at year-end to address component and third party controls.


The way forward

The region is going through a transformative, yet uncertain period given the geopolitical developments, the double dipping impact of oil price decrease and the economic impact of Covid-19, while embracing Industry 4.0 and a shift to automation, digitization, and sustainability. Effective implementation of internal control over financial reporting will surely help shield capital markets from the impacts of uncertainty and support investor confidence in the region to thrive.

As ICFR regulations develop further in the Middle East, it will create opportunities for regulators and organizations to incorporate effective programs by leveraging on early adopter experience.

Organizations in Qatar and Abu Dhabi, entering their fourth year of compliance, are also at a critical juncture; how their ICFR compliance programs will evolve and mature will be dependent on continued effort to drive longer term value from the investments being made in controls.


by Zaynah Vohra, Director, Audit & Assurance, Deloitte Middle East

Inspiring trust through enhanced governance
Did you find this useful?