A system of sound internal control is established, which is effectively implemented and maintained at all levels within the company.
(d (v) clause 35 - Code of Corporate governance)
In a well-designed Internal Control system, “Control Owners” are clearly identified against each documented control. Assigning such responsibility is important for establishing accountability as well as smooth operation.
This essentially means that controls are not just in the books but are, in fact, part of the process and are continuously in operation as per the defined frequency. In order to have the comfort that Internal Controls are maintained, they need to be tested (audited) or self-assessed for their operational effectiveness on a continuous basis.
The above areas can only be catered to through the implementation of a comprehensive Internal Control framework. Banks/DFIs are required to be compliant with State Bank of Pakistan’s (SBP) detailed ICFR guidelines, and it can be said that they already have a requisite system in place. For others, based on our experience and recent interactions on the subject with the Internal Audit Heads of some top-tier listed companies, only multi-nationals which are required to be compliant with SOX 404 due to group requirements have put in place the required system.
In the listed companies, other than Banks/DFIs and multi-nationals as identified above, the extent of what they have in place is policies and procedures manuals. These policies and procedures are very relevant for creating an overall conducive internal control environment but are not a substitute for clearly identified controls against the risks. Due to the absence of such a Risk Control Matrix, the completeness and adequacy of controls cannot be ensured.
One may also argue that the manual might have certain procedures which do not mitigate any risk yet are implemented, creating only inefficiency.
First things first, in the interest of shareholders, any communication/statement made to them has to be appropriately backed up in letter and spirit by factual realities. The statement as explained above has certain requirements to be fulfilled, and directors, before signing, should ask for the basis of the underlying statement.
Secondly, as discussed above, in the case of banks/DFIs, State Bank of Pakistan has issued detailed guidelines in relation to Internal Control over Financial Reporting (ICFR). A detailed “Statement of Internal Controls” is given by the Management in relation to compliance with SBP instructions and the same is endorsed by the Directors. SBP guidelines on ICFR have been created based on Integrated Internal Control Frameworks like COSO (Committee of Sponsoring Organizations) and a few others.
It is understandable that more robust and stringent controls have to be in place in Financial Institutions, but the investment made by common shareholders in listed companies other than Banks/DFIs is equally important, and the significance of having a strong control framework in such companies cannot be discounted.
Thirdly, SOX 404 was implemented in the US after accounting scandals such as Enron. SOX 404 deals with ICFR, and the directors make the following statement in the annual financial statements, which is very similar to the one we have in our Code of Corporate Governance.
In the US, in order for the above-mentioned statement to hold true, a lot of work is done. An integrated Internal Control Framework like COSO is in place, and companies ensure that it is adopted and implemented. One needs to question the adequacy of work done in our country, in order to give a similar statement to shareholders.
Fourthly, no guidelines have been issued by the SECP in relation to ICFR. This, along with the external auditors’ comments in the review report (as mentioned below), makes matters much worse when it comes to the effectiveness of Internal Controls.
“As part of our audit of financial statements we are required to obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. We are not required to consider whether the Board of Directors’ statement on internal control covers all risks and controls or to form an opinion on the effectiveness of such internal controls, the Company’s corporate governance procedures and risks”. (Common para in auditors’ review report on Corporate Governance)
Lastly, beyond the argument of “doing the right thing” by establishing a system for making a statement on Internal Control, there are many other benefits that organizations can reap.