Internal Control Review (ICR)

Internal Control Definition

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) broadly defines “Internal Control” as:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Part of the philosophy of this definition is that internal control is not and cannot be limited to finance and accounting activities but rather encompasses the entire organization and a combination of different levels of employees, management and the board.

Internal Control as per the 2013 COSO Framework:

  1. Operations Objectives – These pertain to effectiveness and efficiency of the entity’s operations including operational and financial performance goals, and safeguarding assets against loss.
  2. Reporting Objectives – These pertain to internal and external financial and non-financial reporting, and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters or the entity’s policies.
  3. Compliance Objectives – These pertain to adherence to laws and regulations to which the entity is subject.

The five components that create effective internal control are as follows:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities

In the State of Kuwait, Law No. 7 of 2010 concerning the Establishment of Capital Markets Authority and Regulation of Securities Activity was promulgated on 21 February 2010 and its Executive Regulations were issued under Resolution No. 72 of 2015 on 9 November 2015, which address the Internal Control in Module 15 – Corporate Governance.

The Law and its Executive Regulations require the listed companies and licensed persons to comply with the internal control instructions as follows:

Corporate Governance Rule 2 – Establish Appropriate Roles and Responsibilities

Article 3-7: Board roles and responsibilities include, but are not limited to:
18-   Periodically ensure that the internal control systems in place in the Company and its subsidiaries are effective, including:
  • Ensuring the integrity of financial and accounting systems, including those related to financial reporting.
  • Ensuring the implementation of appropriate controls to measure and manage risks through defining the scope of risks that the company may encounter, creating a risk-mitigation culture environment across the company, and presenting the same transparently to stakeholders and related parties.
Article 3-10: Below are some roles and responsibilities of the executive management to be complied with, in light of powers and authorities granted to it by the Board of Directors.
7-   Develop internal control systems and risk management systems and ensure effectiveness and adequacy of such systems, and ensure compliance with the risk appetite as approved by the Board of Directors.

Rule 4 – Establish Appropriate Roles and Responsibilities

Article 5-5: The Board of Directors shall form an audit committee whose primary role is to ensure soundness and integrity of financial reporting and internal control systems.
Existence of an audit committee is a key feature indicating the application of good corporate governance as such committee shall…etc., in addition to ensuring sufficiency and effectiveness of the internal control systems in place in the company.
Article 5-7: The audit committee powers and responsibilities are set out below:
6-   Evaluate the extent of adequacy of internal control systems in place, and prepare a report including the opinion and recommendations of the committee in this regard.

Rule 5 – Develop Sound Systems of Risk Management and Internal Control

Article 6-2: The sound risk management requires effective internal control systems that provide a process of control over the soundness of financial statements and efficiency of the company’s activities, and evaluate the compliance with controls.
Article 6-6: The Company shall verify the sufficiency of its internal control systems.
The company shall have internal control systems, which cover all the company’s activities. The internal control systems maintain the company’s financial soundness, data accuracy and effectiveness of its operations in various aspects; provided that the company’s organizational structure shall consider the Four Eyes Principles of the internal control process (Four Eyes Principles), which are set out below:
  1. Establish appropriate roles and responsibilities.
  2. Complete separation of duties and no conflict of interest.
  3. Dual inspection and control.
  4. Dual signature.
Article 6-8: The internal audit department/office/unit shall prepare a report including review and evaluation of the internal control systems in place in the company. Such report will include the following:
  1. Procedures for control and supervision of efficiency and effectiveness of internal control systems as required to protect the company’s assets, authenticity of financial statements, efficiency of its operations including the administrative, financial, and accounting aspects thereof.
  2. Compare the development of company’s risk factors and the systems in place to evaluate the efficiency of the company’s daily operations, and its ability to cope with unforeseen market changes.
  3. Evaluate performance of the executive management in implementing internal control systems.
  4. Reasons for failure or weaknesses in implementing the internal control, or emergencies, which affected or may affect the company’s financial performance, and the action taken by the company to rectify the failure in internal control implementation.
Article 6-9: An independent audit firm shall be engaged to evaluate and review the internal control systems and prepare a report in this regard (Internal Control Report), which shall be submitted to CMA on an annual basis. Furthermore, another audit firm shall review and evaluate the performance of internal audit department/office/unit periodically every three years; provided that a copy of such report shall be submitted to the internal audit committee and the Board of Directors.

Rule 6 – Promote Code of Professional Conduct and Ethical Standards

Article 7-3: The code of conduct shall include a set of parameters and standards, which address the following as a minimum:
Develop a mechanism that allows the company’s employees to report internally their concerns and doubts about any unsound practices or issues that raise suspicions about the financial reports, the internal control systems or any other issues. Moreover, proper arrangements should be made to allow conducting an independent and fair investigation in such issues along with ensuring confidentiality for the bona fide whistleblower to ensure protecting them against any negative reaction or damage that may be suffered by them due to such practices.

Rule 10 – Promote and Enhance Performance

Article 11-4: The company shall develop systems and mechanisms to evaluate the performance of each member of the Board of Directors and executive management periodically through developing a set of performance appraisal indicators related to the extent of achieving the company’s strategic goals, quality of risk management, and adequacy of internal control systems. In addition, the performance appraisal and measurement procedures shall be clearly and transparently written and disclosed to all employees.

Summary of internal controls as set out in the Executive Regulations of Law No. 7 of 2010 for all listed companies and licensed persons

Policies and procedures manual should be developed to ensure compliance with Law No. 7 of 2010 and its Executive Regulations. These policies and procedures shall particularly govern the following aspects:

  1. Organizational structure, which should include mandatory organizational units, committees and functions, such as Audit Committee, Risk Management Committee, Nomination and Remuneration Committee, Risk Management Department and Internal Audit Department as well as two organizational units for Compliance and Investors Relations.
  2. Competencies manual for the organizational structure units, which will include the implementation of the eleven corporate governance rules.
  3. Job structure.
  4. Job descriptions for all organizational structure jobs.
  5. Charters of the Board of Directors and its committees.
  6. Code of Conduct (Code of professional conduct and ethics);
    It shall include a set of parameters and standards addressing the protection of whistleblowers who report illegal practices.
  7. Delegation of authority matrix.
  8. Operational policies and procedures manuals for all organizational executive units, which include the business processes and the relevant documentation.
  9. Supporting IT systems to carry out the activities of organizational units.
  10. Internal control systems and programs.
  11. Management system to evaluate the performance of the members of the Board of Directors and executive management.
  12. Engage an independent audit firm to conduct evaluation and review of the internal control systems, and prepare a report in this regard (Internal Control Report).

Furthermore, the licensed persons shall comply with additional internal control systems in accordance with Module Six – Internal Policies and Procedures of Licensed Persons as follows:

  1. Comply with the requirements of competence and integrity of licensed persons.
  2. Separation among activities carried on by the Licensed Person in order to ensure that information is not disclosed among such activities except for discretionary portfolio management and the incorporation and management of collective investment schemes.
  3. Handle customers’ complaints.
  4. Risk management (more detailed level than that required from listed companies).
  5. Implementation and management of the operations of the licensed activities, including the documentary cycle required to be followed in performing the business.
  6. Disaster recovery and business continuity plans.
  7. Sharia control for persons licensed to operate in accordance with Islamic Sharia.

Internal Audit Review

The Board of Directors is responsible for ensuring the integrity of internal control systems, while the executive management is responsible for developing and implementing the internal control systems.

The role of the independent audit firm is to issue reasonable, but not absolute, assurance regarding internal control systems in accordance with Law No. 7 of 2010 and its Executive Regulations.

Deadline of ICR Report submission to CMA

Circular No. 11 of 2016 dated November 9, 2016 sets forth that listed companies and licensed persons shall submit to CMA the said report on an annual basis within a maximum of ninety days from the end of the financial year.

Added value to business entities from Internal Control Review

  1. Comply with laws, regulations, resolutions and instructions issued by Capital Markets Authority.
  2. Identify efficiency and effectiveness of the internal control systems in place in the business entity through addition or updates to ensure sustainable updates.
  3. Enhance the business entity’s performance efficiency and competitive capabilities through having the ability to face unforeseen changes in the market and define the causes of failure to implement the internal control systems.

Services offered by Baker Tilly

  1. Internal Control Report
    Prepare an annual report on assessment of internal control systems for KSE-listed companies and companies licensed by Capital Markets Authority.
    (Reference: Capital Markets Authority, Resolution No. 72 of 2015 regarding issuance of Executive Regulations of Law No. 7 of 2010 concerning the Establishment of Capital Markets Authority and Regulation of Securities Business, as amended – Rulebook XV: Corporate Governance, Chapter 6, Article 6.9)

Other related services