WHY (ICFR) INTERNAL CONTROL OVER FINANCIAL REPORTING IS IMPORTANT

WHY (ICFR) INTERNAL CONTROL OVER FINANCIAL REPORTING IS IMPORTANT

Recently Credit Suisse Group, still reeling from significant losses tied to the 2021 collapses of Archegos Capital Management and Greensill Capital, disclosed in its annual report its internal control over financial reporting (ICFR) was “not effective” for the fiscal year ending December 2022.

“Management did not design and maintain an effective risk assessment process to identify and analyse the risk of material misstatements in its financial statements,” Credit Suisse said in its report.

WHAT IS INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)?

According to the Financial Accounting Standards Board (FASB) in the United States, internal control over financial reporting (ICFR) is defined as,

“A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP).”

ICFR encompasses the policies and procedures that a company puts in place to ensure that:

• Transactions are authorized and recorded properly.
• Access to assets and records is limited to authorized personnel.
• Assets are safeguarded against loss, theft, or misuse.
• Accounting records are accurate and complete.
• Financial statements are prepared in accordance with GAAP and regulatory requirements. 

BACKGROUND

The Internal Control and financial reporting disciplines have evolved significantly over past two decades due to various international business incidents including the in 2002 (Enron collapse), 2008 (global financial crisis), and 2016 (oil price slump) amongst other events. This has resulted in major regulatory reforms that aim to govern the internal control environment, especially focused towards the financial reporting.

Strong internal control over financial reporting (ICFR) has been a priority for corporate governance and regulatory compliance ever since the Sarbanes-Oxley Act first underlined the importance of ICFR nearly 20 years ago in 2002.

INTERNATIONAL REGULATORY REGIME ON ICFR

International Regulatory Regime on ICFR to achieve resilience Internal Control are often an area of focus for investors, creditors, shareholders, and Board members, among other stakeholders, when ensuring that the organization provides accurate financial reporting which shows its state of operations in today’s constantly changing business environment.

Many international and regional regulators have since implemented various laws, regulations, and guidelines in relation to ICFR, a few of which are listed below:

 (Source: PWC)

REGIONAL REGULATORY REGIME ON ICFR IN THE UAE

(Source: PWC)

INTERNAL CONTROL FRAMEWORK FOR ICFR IMPLEMENTATION

Management is responsible for maintaining a system of internal control over financial reporting (ICFR) that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with the applicable accounting principles framework.

In the UAE management of insurance companies and Abu Dhabi government owned companies and departments in the UAE are required to obtain an independent auditor’s opinion of the effectiveness of internal controls over financial reporting. In supporting its assessment, management is responsible for maintaining evidential matter, including documentation.

The regulators in UAE have not specifically mentioned any particular framework to be followed for the ICFR implementation. However, as per the leading best practices, internal control framework based on COSO is adopted by the companies to comply with the regulatory requirements in terms of Internal Controls Over Financial Reporting (ICFR). QFMA and ADAA entities have widely accepted the Committee on Sponsoring Organizations framework (COSO) for internal controls.

ICFR AND COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO)

“ICFR is one element of the broader concept of internal control.”

ICFR is one element of the broader concept of internal control. Released in 1992 and updated in 2013. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control over financial reporting (ICFR) as

“A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP).”

The COSO framework defines internal control as a process designed to provide reasonable assurance that the following objectives are achieved:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

ICFR specifically refers to the internal control processes that are designed to achieve the objective of reliable financial reporting. It includes the policies and procedures implemented by management to ensure that financial information is accurate, complete, and timely, and that financial transactions are properly recorded, classified, and summarized.

ICFR also involves the assessment of risks associated with financial reporting, the monitoring of internal control effectiveness, and the communication of control deficiencies to management and those charged with governance.

KEY COMPONENTS OF ICFR

THE COSO FRAMEWORK’S FIVE INTEGRATED COMPONENTS OF INTERNAL CONTROL

The Committee on Sponsoring Organizations (COSO) has laid out an integrated framework for robust internal controls. The COSO framework consists of five components, Internal Controls Deficiencies can be evaluated with these components.

1. Control Environment: This component sets the tone of an organization and establishes the foundation for all other components of internal control. It includes factors such as the integrity, ethical values, and competence of an organization’s personnel, as well as the management style, organizational structure, and assignment of authority and responsibility.

Some indicators of a positive control environment include.

• • Statements and actions of the board of directors and senior management that demonstrate support for effective controls,
  • Issuance and enforcement of an appropriate corporate code of conduct, and
  • Training programs that equip employees to identify and deal with ethical issues.

2. Risk Assessment: This component involves the identification, analysis, and management of risks that may prevent an organization from achieving its objectives. Risk assessment includes assessing the likelihood and potential impact of risks and determining appropriate risk responses.

3. Control Activities: Control activities—the specific actions established through policies and procedures designed to mitigate financial reporting risk—are another key component of ICFR. Examples of control activities include approvals, authorizations, verifications, reconciliations, and segregation of duties.

The following concepts are helpful to understanding control activities:

1. 1. Segregation of duties,
   2. Information technology (IT) general controls,
   3. Entity-level and process-level controls, and
   4. Preventive and detective controls.

“The design, implementation, and evaluation of controls need to be tailored to the reporting risks of the company.”

4. Information and Communication: This component involves the identification, capture, and exchange of information in a timely and accurate manner. It includes communicating internal control responsibilities and expectations to personnel, as well as providing information necessary to carry out those responsibilities.

5. Monitoring Activities: This component involves ongoing evaluations of the effectiveness of internal control over time. Monitoring activities may include regular management and supervisory activities, as well as separate evaluations by internal auditors or other independent parties. The results of monitoring activities should be communicated to management and the board of directors.

“Effective ICFR provides reasonable assurance that corporate records are not intentionally or unintentionally misstated.”

ICFR ROLES AND RESPONSIBILITIES

The roles and responsibilities related to ICFR can vary depending on the size, complexity, and nature of the organization, but here are some common ones:

• Management: The top management of the organization is responsible for designing, implementing, and maintaining effective internal controls over financial reporting. This includes identifying and assessing the risks related to financial reporting, designing, and implementing controls to mitigate those risks, and monitoring the effectiveness of those controls.

“It is important that competent, well-trained individuals are involved in the

Design and oversight of ICFR.”

• Audit Committee: The audit committee of the board of directors is responsible for overseeing the organization’s financial reporting process and ensuring that it is accurate, reliable, and in compliance with applicable laws and regulations. This includes reviewing and approving the organization’s internal control framework, monitoring the effectiveness of internal controls, and overseeing the external audit process.
• Internal Audit: The internal audit function is responsible for providing independent and objective assurance on the effectiveness of the organization’s internal controls over financial reporting. This includes assessing the design and operating effectiveness of controls, identifying control deficiencies, and making recommendations for improvement.
• External Audit: The external auditor is responsible for expressing an opinion on the accuracy and reliability of the organization’s financial statements. This includes evaluating the effectiveness of internal controls over financial reporting and testing the accuracy of financial data.
• Employees: All employees of the organization have a responsibility to comply with internal controls over financial reporting. This includes following established policies and procedures, reporting any control deficiencies or potential fraud, and ensuring the accuracy and completeness of financial data.

Overall, an effective ICFR is essential for maintaining the integrity of an organization’s financial reporting process and ensuring that stakeholders can rely on its financial statements. The roles and responsibilities outlined above are critical for achieving this goal.

INTERNAL CONTROL OVER FINANCIAL REPORTING DEFICIENCIES

• Material Weakness: A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
• Significant Deficiency: A significant deficiency is a deficiency, or a combination of deficiencies, in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
• Deficiency: A deficiency in ICFR exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

When deficiencies in the design or operation of a control are found, management needs to assess how serious the impact may be on the integrity of the company’s financial reporting processes.

More serious deficiencies are classified as either significant deficiencies or material weaknesses. The determination as to whether a deficiency in ICFR represents a material weakness depends on

1. The likelihood of a misstatement occurring as a result of the deficiency.
2. Whether the magnitude of the potential misstatement that is reasonably possible to have occurred or could occur in the future as a result of the deficiency, was or could be material to the financial statements; and
3. Whether management’s controls in the ordinary course of business would have timely prevented or detected a misstatement had it become material.

KEY TAKEAWAY

The design, implementation, and evaluation of controls need to be tailored to the reporting risks of the company. These risks may be influenced by the size of the company. Designing and maintaining effective ICFR becomes more challenging as the size of a business and the scope of its activities increase. At the same time, smaller companies may face challenges as a result of limitations in qualified resources.

Benefits of internal financial controls are beyond the compliance, IFC will facilitate in

• Regulatory Compliance
• Rationalizing the number of controls across organizations
• Standardizing policies & procedures for multi-location/multi- business companies
• Developing control conscious work culture for people
• Assurance to Top Management as well as optimizing business performance.
• Enhance Senior Management Accountability & Responsibility
• Improved stockholder confidence in company’s financial reporting progression

HOW WE CAN HELP

“Connect internal controls to strong processes.”

How Ahmad Alagbri Chartered Accountants can help Strengthen Internal Controls:

• Documentation & Revision of Controls
• Testing of Controls
• Remedial Planning & Recommendations
• Remediation of Control Weaknesses
• Implementation of Control Framework
• Best Practices
• Procedural & Regulatory Compliance

Alia Noor (FCMA, CIMA, MBA, GCC VAT Comp Dip, Oxford fintech programme, COSO Framework)

Associate Partner
Ahmad Alagbari Chartered Accountants