Navigating ICFR Implementation: A Comprehensive Strategic Overview and Initial Steps

In recent years, there have been more and more governmental initiatives requiring Middle Eastern businesses to strengthen the internal control environment, especially around financial reporting. The regulations in the UAE, which require the implementation of internal controls over financial reporting (ICFR), include the following:

The above-mentioned governance states that the company’s management should implement a sound internal control system aimed at the management of the company’s risk and verify that the company and its staff comply with those, including a review of the financial information presented to the company’s management and used for the drafting of its financial statements. The company’s auditor shall express an opinion on the effectiveness of the company's internal control regulations and their conformity with the appropriate internal control framework that has been determined by the Board by issuing a separate report that includes its opinion on the effectiveness of the internal control regulations to identify their deficiencies and take the necessary action to remedy them.

The regulations issued by the UAE authorities are in line with well-established international practices, for example with the U.S. Sarbanes-Oxley Act of 2002 and requirements for the management’s annual assessment of its system of internal control over the financial reporting required by Section 404 of the Act.

The assessment of internal controls over financial reporting should be made using a recognized framework. Most global companies apply COSO’s Internal Control – Integrated Framework, although some use the Control Objectives for Information and Related Technology (COBIT 2019) framework as a supplement to COSO for IT controls.

Implementation of the internal controls framework is a very comprehensive and interesting project covering all levels of the company including shareholders, top management, all management levels and employees.

There are formal and practical sides to the ICFR project and its consequences, and each company and its shareholders decide which approach to this project is more suitable for their needs.

The formal side of the project aims at formal compliance with the legislation and the successful completion of any ICFR review from the government or any other interested parties. Often this approach does not include deep involvement and understanding of business processes and controls framework beyond material financial statements sections. The company invests only in compliance tasks.

There is another view on the ICFR implementation; let’s call it the practical value-added approach. It is less cost-effective and rather long-term but, from our point of view, this approach, besides compliance tasks, significantly improves the transparency of the business and its processes, identifies ineffective areas and approaches, and finally increases shareholder value of the business. Further, we will discuss and focus on the second approach, and the topic of this article will cover the planning section of the ICFR implementation.

For our purposes, we will use an example of a business which is not advanced in this area and starts ICFR from scratch.


Step 1: Linking the financial statements to the business processes

The first step of the ICFR project is to identify the reporting areas where the internal controls are to be identified or implemented and to which business processes these reporting sections relate. Here you also can use two approaches:

Top-down approach: In accordance with this approach you should identify the priority of ICFR reporting areas based on the level of risk or significance. Initially, the most significant and risky reporting areas are to be covered within the project and further – the areas with lower levels of risk and materiality.

Continuous approach: In accordance with this approach the internal controls are specified, formulated and implemented for each reporting section (item by item) continuously. This approach is not very effective and may take too much time and resources. So, further, we will discuss the top-down approach.

In order to identify material and risky reporting areas you can use the common techniques for calculation of materiality used in the audit. The materiality level can be defined as the % of total revenue (PL) and an item of the statement of financial position (for example, 0.5% of revenue and 1% of total assets). The % level is subject to the industry's best practices and other criteria. In order to be consistent and use more representative financial data you can take more than one reporting period (for example, 3 reporting periods) and apply horizontal and vertical analysis to these data. An example of horizontal and vertical analysis is given below:

Based on the materiality level you should be able to identify as a result of horizontal and vertical analysis the most material and risky reporting areas.

The next task is to identify the business processes which directly influence the reporting areas.

Example:

Cash: Treasury, cash management, bank account procedures.

Inventory: Purchases, stock-count procedures, COS (recognition process).

As a result of these procedures, you will have an analysis (let’s say in MS Excel) with most material reporting areas linked to main processes or sub-processes.


Step 2: Identification of business process design and its participants

The next step is to identify roles/employees who are involved in these business processes and who can give a brief description of the process itself, are responsible for it and/or could provide some formal documents if they exist.

All companies have different levels of formalization in terms of corporate and business procedures.

Companies with advanced controls have the following set of documents for each significant business process: process scheme (usually in BPMN notation), process supporting documents with the description of the process, responsible persons, document flows, and internal control matrices, which are linked to the scheme.

Companies which have only started or are in the process of implementation of internal controls (and this group is significantly larger than the first one) do not have formalized controls or have them only in part. For example, they could have an organizational chart of the entity or business with the names of departments and functions, a brief description of employee position (for the purposes of HR) and no formal description of the process itself.

I will elaborate more on why the ICFR project is implemented more effectively and more quickly for the “advanced” Group in the next article.


Step 3: Analysis of business process and identification of risks and corresponding internal controls

For each selected business process you should perform the analysis and identify or state the situation with the risks and corresponding internal controls.

In terms of risks you should identify and answer the following questions:

  • What risks are embedded or associated with the process?
  • Type of risk depending on the type of mistake/distortion of the financial statements;
  • Level of risk (acceptable/high).

In terms of controls you should identify and answer the following questions:

  • Are there any controls in relation to the risks identified?
  • Type of control: detecting, preventative, corrective

Usually, the result of this step represents the internal controls matrix with risks identified and corresponding controls as is.


Step 4: Testing of internal controls identified

This step is the most difficult and the most time- and resource-consuming. You should perform good quality internal controls testing and make a conclusion for each significant control procedure:

  • Is the control design within the process effective?
  • Is the control enough, or should it be supported by some other control?

We are not going to go deep within this article on how to define testing programs and how the results should be documented. The important thing to mention here is that in advanced companies with formalized incident management procedures in place, this could be a very good and effective source of information in terms of the effectiveness or weakness of some internal controls.

The types of conclusions (examples) in this step could look like the following:

  • The XX number of internal controls is concluded to be ineffective.
  • The design of the controls in this business process is not effective and requires re-engineering of the process in terms of adding additional control or changing the design of the existing procedure.
  • The level of mistake/negative materialized outcome for the entity is higher than the acceptable risk level, i.e. the control is ineffective.

Step 5: IC Improvement Plan

Based on the step 4 results the management prepares the program/plan for the improvement of the control environment, which usually covers the following:

  • Business processes involved and controls/process parts to be re-engineered/improved;
  • Deadlines for this project (usually this is linked to the reporting period, i.e. next 6 or 12 months the improvement plan should be completed);
  • Responsible within the entity: usually the controls process owner + independent review of implementation (internal or external auditor).

Briefly, this is the high-level structure of the ICFR project. Further in the next articles, we will go into detail about each part of this ICFR project.

Absolutely! Enhancing internal control is a key step towards financial excellence. Your article's focus on the latest UAE regulations and international best practices is invaluable for businesses seeking to strengthen their financial reporting. Thanks for sharing this valuable insight! #FinancialExcellence #Regulations #BusinessInsights
