In recent years, there are more and more governmental initiatives requiring Middle East businesses to strengthen the Internal Control environment especially around the financial reporting. The regulations in the UAE, which require implementation internal controls over the financial reporting (ICFR), include the following:
The above-mentioned governance states that the company’s management should implement the sound internal control system aimed at management of the company’s risk and verify that the company and its staff comply with those, including review of the financial information presented to the company’s management and used for drafting of its financial statements. While the company’s auditor shall express an opinion on the effectiveness of the company's internal control regulations and their conformity with the appropriate internal control framework that has been determined by the Board by issuing a separate report that includes its opinion on the effectiveness of the internal control regulations to identify their deficiencies and take the necessary action to remedy them.
The regulations issued by the UAE authorities are in line with well-established international practices, for example with the U.S. Sarbanes-Oxley Act of 2002 and requirements for the managements’ annual assessment of its system of internal control over the financial reporting required by Section 404 of the Act.
The assessment of internal controls over the financial reporting should be made using recognized framework. Mos global companies apply COSO’s internal control – Integrated framework, although some use the Control Objectives for Information and related Technology (COBIT 2019) framework as a supplement to COSO for IT controls.
Implementation of the internal controls framework is a very comprehensive and interesting project covering all levels of the company including shareholder, top management, all management levels and employees.
There are formal and practical sides of ICFR project and its consequences and each company and its shareholders decide which approach of this project is more suitable for their needs.
Formal side of the project aims at formal compliance with the legislation and successful completion of any ICFR review from governmental or any other interested parties. Often this approach does not include deep involvement and understanding of business processes and controls framework beyond material financial statements sections. The company invests only in compliance tasks.
There is another view on the ICFR implementation, let’s call it practical value-added approach. It is less cost effective and rather long-term but, from our point of view this approach, besides compliance tasks, significantly improves transparency of the business, its processes, identifies ineffective areas and approaches and finally increases shareholder value of business. Further we will discuss and focus on the second approach and the topic of this article will cover planning section of the ICFR implementation.
For our purposes we will use an example of the business, which is not advanced in this area and starts ICFR from scratch.
Step 1: Linking the financial statements to the business processes
The first step of ICFR project is to identify the reporting areas where the internal controls are to be identified or implemented and to which business processes these reporting sections relate to. Here you also can use two approaches:
Top – down approach: in accordance with this approach you should identify the priority of ICFR reporting areas based on the level of risk or significance. Initially the most significant and risky reporting areas are to be covered within the project and further – the areas with lower level of risk and materiality.
Continuous approach: In accordance with this approach the internal controls are specified, formulated and implemented for each reporting section (item by item) continuously. This approach is not very effective and may take too much time and resources. So, further we will discuss the top-down approach.
In order to identify material and risky reporting areas you can use the common technics for calculation of materiality used in the audit. The materiality level can be defined as the % of total revenue (PL) and an item of the statement of financial position (example, 0,5% of revenue and 1% of total assets). The % level is subject to the industry best practices and other criteria. In order to be consistent and use more representative financial data you can take more than one reporting period (for an example, 3 reporting periods) and apply horizontal and vertical analysis to these data. The example of horizontal and vertical analysis is given below:
Based on the materiality level you should be able to identify as a result of horizontal and vertical analysis the most material and risky reporting areas.
The next task is to identify the business processes which directly influence the reporting areas.
Example:
Cash: Treasury, cash management, bank account procedures.
Inventory: Purchases, stock-count procedures, COS (recognition process).
As a result of these procedures, you will have an analysis (let’s say in MS Excel) with most material reporting areas linked to main processes or sub-processes.
Step 2: Identification of business process design and its participants
Next step is to identify roles/employees who are involved in these business processes and who can give a brief description of the process itself, responsible for this and/or could provide some formal documents if they exist.
All companies have different level of formalization in terms of corporate and business procedures.
Companies with advanced controls have the following set of documents for each significant business process: process scheme (usually in BPMN notation), process supporting documents with the description of the process, responsible persons, document flows, internal control matrixes, which are linked to the scheme.
Companies, which only start or are in process of implementation of internal controls (and this group is significantly larger than the first one), do not have or have in part formalized controls. For example, they could have organizational chart of the entity or business with the names of department and functions, brief description of employee position (for the purposes of HR) and no formal description of process itself.
I will elaborate more on why the ICFR project is implemented more effectively and more quickly for the “advanced” Group in the next article.
Step 3: Analysis of business process and identification of risks and corresponding internal controls
For each selected business process you should perform the analysis and identify or state the situation with the risks and corresponding internal controls.
In terms of risks you should identify and answer the following questions:
In terms of controls you should identify and answer the following questions:
Usually the result of this step represent the internal controls matrix with risks identified and corresponding controls AS IS.
Step 4: Testing of internal controls identified
This step is most difficult and time and resources consuming. You should perform good quality internal controls testing and make conclusion for each significant control procedure:
We are not going to go in deep within this article how to define testing program and how the results should be documented. The important thing to mention here is that in advanced companies with the formalized incident management procedures in place, this could be very good and effective source of information in terms of effectiveness or weakness of some internal controls.
The types of conclusions (examples) on this step could look like the following:
Step 5: IC Improvement Plan
Based on the step 4 results the management performs the program/plan for the improvement of the controls environment which usually covers the following:
Briefly, this is the high-level structure of ICFR project. Further in the next articles I will go in details in each part of this ICFR project.
