The internal control review is a critical exercise for business entities, which should be conducted on annual basis in order to ensure adequacy and completeness thereof with view to maximizing effectiveness and efficiency in managing the operations and business at minimal risks associated with the business.
The internal control review is also a necessary requirement in light of the constant changes in information technology worldwide and legislations governing the environment in which the organization operates.
Furthermore, the internal control review is vitally important for the internal audit function as it enables them to verify the extent of application of internal control systems within the business entity, and the absence of application thereof, take the corrective actions and establish the measures to prevent reoccurrence of the same.
What is Internal Control?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) broadly defines “Internal Control” as:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Part of the philosophy of this definition is that internal control is not and cannot be limited to finance and accounting activities but rather encompasses the entire organization and a combination of different levels of employees, management and the board.
What are the Objectives of Internal Control?
Internal Control Objectives as per the 2013 COSO Framework:
- Operations Objectives – These pertain to effectiveness and efficiency of the entity’s operations including operational and financial performance goals, and safeguarding assets against loss.
- Reporting Objectives – These pertain to internal and external financial and non-financial reporting, and may encompass reliability, timelines, transparency, or other terms as set forth by regulators, recognized standard setters or the entity’s policies.
- Compliance Objectives – These pertain to adherence to laws and regulations to which the entity is subject.
What are the Components of Internal Control Systems?
The five components that create effective internal control are as follows:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
What are the regulatory requirements related to establishing Internal Control Systems for listed and licensed companies?
In the State of Kuwait, Law No. 7 of 2010 concerning the Establishment of Capital Markets Authority and Regulation of Securities Activity was promulgated on 21 February 2010 and its Executive Regulations were issued under Resolution No. 72 of 2015 on 9 November 2015, which address the Internal Control in Module 15 – Corporate Governance.
The Law and its Executive Regulations require the listed companies and licensed persons to comply with the internal control instructions as follows:
Corporate Governance Rule 2 – Establish Appropriate Roles and Responsibilities
|Article 3-7||Board roles and responsibilities include, but are not limited to:|
|18- Periodically ensure that the internal control systems in place in the Company and its subsidiaries are effective including:|
|Article 3-10||Below are some roles and responsibilities of the executive management to be complied with, in light of powers and authorities granted to it by the Board of Directors.|
|7- Develop internal control systems and risk management systems and ensure effectiveness and adequacy of such systems, and ensure compliance with risks appetite as approved by the Board of Directors.|
Rule 4 – Establish Appropriate Roles and Responsibilities
|Article 5-5||The Board of Directors shall form an audit committee to ensure whose primary role is to ensure soundness and integrity of financial reporting and internal control systems.|
|Existence of an audit committee is a key feature indicating the application of good corporate governance as such committee shall… In addition to ensuring sufficiency and effectiveness of the internal control systems in place in the company.|
|Article 5-7||The audit committee powers and responsibilities are set out below:|
|6- Evaluate the extent of sufficiency of internal audit systems in place, and prepare a report including the opinion and recommendations of the committee in this regard.|
What are the regulatory requirements related to the Internal Control Systems Review for listed and licensed companies?
Rule 5 – Develop Sound Systems of Risk Management and Internal Control
|Article 6-2||The sound risk management requires effective internal control systems that provide a process of control over the soundness of financial statements and efficiency of the company’s activities, and evaluate the compliance with controls.|
|Article 6-6||The Company shall verify the sufficiency of its internal control systems.|
|The company shall have internal control systems, which cover all the company’s activities. The internal control systems maintain the company’s financial soundness, data accuracy and effectiveness of its operations in various aspects; provided that the company’s organizational structure shall consider the Four Eyes Principles of the internal control process (Four Eyes Principles), which are set out below:|
|Article 6-8||The internal audit department/ office/ unit shall prepare a report including review and evaluation of the internal control systems in place in the company. Such report will include the following:|
|Article 6-9||An independent audit firm shall be engaged to evaluate and review the internal control systems and prepare a report in this regard (Internal Control Report), which shall be submitted to CMA on annual basis. Furthermore, another auditing firm shall review and evaluate the performance of internal audit department/office/ unit periodically every three years; provided that a copy of such report shall be submitted to the internal audit committee and the Board of Directors. Rule 6 – Promote Code of Professional Conduct and Ethical Standards|
Rule 6 – Promote Code of Professional Conduct and Ethical Standards
|Article 7-3||The code of conduct shall include a set of parameters and standards, which address the following as minimum:|
|Develop a mechanism that allows the company’s employees to report internally their concerns and doubts about any unsound practices or issues that raise suspicions about the financial reports, the internal control systems or any other issues. Moreover, proper arrangements should be made to allow conducting an independent and fair investigation in such issues along with ensuring confidentiality for the bona fide whistleblower to ensure protecting them against any negative reaction or damage that may be suffered by them due to such practices.Rule 10 – Promote and Enhance Performance|
Rule 10 – Promote and Enhance Performance
|Article 11-4||The company shall develop systems and mechanisms to evaluate the performance of each member of the Board of Directors and executive management periodically through developing a set of performance appraisal indicators related to the extent of achieving the company’s strategic goals, quality of risk management, and adequacy of internal control systems. In addition, the performance appraisal and measurement procedures shall be clearly and transparently written and disclosed to all employees.|
Summary of internal controls as set out in the Executive Regulations of Law No. 7 of 2010 for all listed companies and licensed persons:
Policies and procedures manual should be developed to ensure compliance with Law No. 7 of 2010 and its Executive Regulations. These policies and procedures shall particularly govern the following aspects:
- Organizational structure, which should include mandatory organizational units, committees and functions, such as Audit Committee, Risk Management Committee, Nomination and Remuneration Committee, Risk Management Department and Internal Audit Department as well as two organizational units for Compliance and Investors Relations;
- Competencies manual for the organizational structure units, which will include the implementation of the eleven corporate governance rules;
- Job structure.
- Job descriptions for all organizational structure jobs;
- Charters of the Board of Directors and its committees;
- Code of Conduct (Code of professional conduct and ethics);
It shall include a set of parameters and standards addressing the protection of whistleblowers who report illegal practices.
- Delegation of authority matrix.
- Operational policies and procedures manuals for all organizational executive units, which include the business processes and the relevant documentation;
- Supporting IT systems to carry out the activities of organizational units;
- Internal control systems and programs;
- Management system to evaluate the performance the members of the Board of Directors and executive management;
- Engage an independent audit firm to conduct evaluation and review of the internal control systems, and prepare a report in this regard (Internal Control Report).
What are the Additional Requirements of Internal Control Systems of Licensed Persons?
Furthermore, the Licensed Persons shall comply with additional internal control systems in accordance with Module Six – Internal Policies and Procedures of Licensed Persons as follows:
- Comply with the requirements of competence and integrity of licensed persons;
- Separation among activities carried on by the Licensed Person in order to ensure that information is not disclosed among such activities except for discretionary portfolio management and the incorporation and management of collective investment schemes;
- Handle customers’ complaints.
- Risk management (more detailed level than that required from listed companies);
- Implementation and management of the operations of the licensed activities, including the documentary cycle required to be followed in performing the business;
- Disaster recovery and business continuity plans; and
- Sharia control for persons licensed to operate in accordance with Islamic Sharia.
What is the organizational level responsible for establishing controls and the Internal Control Review within business entities?
The Board of Directors is responsible for ensuring the integrity of internal control systems, while the executive management is responsible for developing and implementing the internal control systems.
What is the Limit of Auditor’s Responsibility for Internal Control Review Report?
The role of the independent audit firm is to issue reasonable, but not absolute, assurance regarding internal control systems in accordance with Law No. 7 of 2010 and its Executive Regulations.
What is the Deadline of Internal Control Review Report submission to Capital Markets Authority?
Circular No. 11 of 2016 dated November 9, 2016 sets forth that listed companies and licensed persons shall submit to CMA the said report on an annual basis within maximum ninety days from the end of financial year.
What is the Added value to business entities from Internal Control Review?
- Comply with laws, regulations, resolutions and instructions issued by Capital Markets Authority;
- Identify efficiency and effectiveness of the internal control systems in place in the business entity through addition or updates to ensure sustainable updates; and
- Enhance the business entity’s performance efficiency and competitive capabilities through having the ability to face unforeseen changes in the market and define the causes of failure to implement the internal control systems.
What are the Services offered by Baker Tilly?
Internal Control Review Report
Prepare an annual report on assessment of internal control review for KSE-listed companies and companies licensed by Capital Markets Authority.
(Reference: Capital Markets Authority, Resolution No. 72 of 2015 regarding issuance of Executive Regulations of Law No. 7 of 2010 concerning the Establishment of Capital Markets Authority and Regulation of Securities Business, as amended – Rulebook XV: Corporate Governance, Chapter 6, Article 6.9)