Reliable financial information that reflects an organization’s state of affairs matters to all relevant stakeholders, most notably its owners. Its importance increases ten-fold for companies listed on stock exchanges, because the owners are not at the helm of affairs and instead rely on the agents of the company, i.e. the Board of Directors. To protect investors’ interests, a regulatory regime has to be in place, which in our case is the Securities and Exchange Commission of Pakistan (SECP).
Among the many measures the SECP takes from time to time to keep the capital markets reliable, one was the introduction of the Code of Corporate Governance back in 2002, which is part of the Stock Exchange listing regulations. In the companies’ annual reports, directors give a statement of compliance, and the statutory auditors issue a review report on it.
Among the many aspects this Code touches upon, one of the most important is Internal Control. Internal Control is a broad category that includes the need for controls over financial reporting as well as many other areas. The discussion here, however, is confined to Internal Control over Financial Reporting (ICFR).
In this regard as per the Code of Corporate Governance, Directors are required to ensure the following and make a statement on it in the annual financial statements:
Let’s discuss some of the important elements mentioned above.
In a well-designed Internal Control system, “Control Owners” are clearly identified against each documented control. Assigning such responsibility is important for establishing accountability as well as smooth operation.
This essentially means that controls are not just in the books but are, in fact, part of the process and continuously in operation as per the defined frequency. To have comfort that Internal Controls are maintained, they need to be tested (audited) or self-assessed for operational effectiveness on a continuous basis.
The above areas can only be catered to through the implementation of a comprehensive Internal Control framework. Banks/DFIs are required to be compliant with the State Bank of Pakistan’s (SBP) detailed ICFR guidelines, and it can be said that they already have a requisite system in place. For others, based on our experience and recent interactions on the subject with the Internal Audit Heads of some top-tier listed companies, only multi-nationals which are required to be compliant with SOX 404 due to group requirements have put in place the required system.
In listed companies other than the Banks/DFIs and multi-nationals identified above, all that is in place are policies and procedures manuals. These policies and procedures are very relevant for creating an overall conducive internal control environment, but they are not a substitute for clearly identified controls against the risks. In the absence of such a Risk Control Matrix, the completeness and adequacy of controls cannot be ensured.
One may also argue that the manual might have certain procedures which do not mitigate any risk yet are implemented, creating only inefficiency.
In the US, in order for the above-mentioned statement to hold true, a lot of work is done. An integrated Internal Control Framework like COSO is in place, and companies ensure that it is adopted and implemented. One needs to question the adequacy of work done in our country, in order to give a similar statement to shareholders.
Fourthly, no guidelines have been issued by the SECP in relation to ICFR. This, along with the external auditors’ comments in the review report (as mentioned below), makes matters much worse when it comes to the effectiveness of Internal Controls.
“As part of our audit of financial statements we are required to obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. We are not required to consider whether the Board of Directors’ statement on internal control covers all risks and controls or to form an opinion on the effectiveness of such internal controls, the Company’s corporate governance procedures and risks”. (Common para in auditors’ review report on Corporate Governance)
Lastly, beyond the argument that establishing a system for making a statement on Internal Control is “doing the right thing”, there are many other benefits that organizations can reap.