As a professional having spent number of years working in the domains of governance, risk management and internal control it has and will remain an ambition to let these functions realize their true potential for the organizations. For the same reason I do read with an interest the way regulators project these areas, as for many it only gets implemented by the regulatory pressure.
The 1st thing to get something implemented is to know exactly what it is and this is where I feel the scope of Internal Control in Corporate governance regulations published by Capital Market Authority of Saudi Arabia is limited.
Below is how the Internal Control system is described in the regulations
“The Board shall approve an internal control system for the Company in order to assess the policies and procedures relating to risk management, implementation of the provisions of the Company's governance rules approved by the Company and compliance with the relevant laws and regulations. Such system shall ensure compliance with clear accountability standards at all executive levels in the Company, and that Related Party transactions are implemented in accordance with the relevant provisions and controls.”
As opposed to the above this is how Internal Control is defined in COSO
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to
What we can clearly see is the one purely compliance focused with respect to compliance with rules, laws and regulations and the other placing an emphasis on the achievement of objectives. Further, I would just add that the objectives in relation to operations is about achieving the objectives in an efficient and effective manner pertaining to operational and financial performance goals. This gives us the indication of the scope of Internal Control and the value it can add to the entity.
What I have seen on many occasions is the non - linkages between the organizational objectives and the internal control activities that causes this function to be completely redundant and a cost burden
There is a whole methodology and approach as to how make Internal Control activities value adding for the entities. I hope the Saudi Arabian Joint Stock Companies in their journey of Internal Control implementation would consider the above definition of COSO that also takes care of CMA description of Internal Control System as well.