Since 2018, several Middle East regulators have introduced regulatory mandates aimed at strengthening internal control over financial reporting (ICFR) in the region. The trend looks set to continue, with further activity in the UAE suggesting a wider range of organizations soon to be required to meet ICFR requirements.
The article “Inspiring trust through enhanced governance,” in the Middle East Point of View Spring 2021 issue, described how a number of government bodies had introduced a regulatory mandate for internal control aiming to strengthen governance structures within subject entities. It is clear that this journey continues today.
Following the Abu Dhabi Accountability Authority (ADAA), Qatar Financial Markets Authority (QFMA), and the UAE Insurance Authority (IA), the UAE Securities and Commodities Authority (SCA) issued a revised draft Governance Code for public consultation in the UAE in September 2022. Although the Code has not yet been issued in final form, the consultation indicates that the auditor’s responsibilities will be enhanced to include an opinion on the effectiveness of ICFR for all listed entities in the UAE; this will broaden the scope for ICFR compliance to a wider range of organizations across the country. What does this mean for UAE listed companies and what steps can be taken to prepare for the new requirements?
As a result of the ICFR requirements as currently drafted in the Governance Code, there will be a wide range of implications for management, boards, and auditors of all listed entities in the UAE.
Companies will be required to establish or formalize their internal controls within a specific framework, against which to judge the effectiveness of internal controls.
As mentioned in the article “Inspiring trust through enhanced governance,” a well-established and well-recognized internal control framework is the Committee of Sponsoring Organizations (COSO) Internal Control Integrated Framework 2013 (the COSO Framework).
Formalizing internal controls against the COSO Framework involves a series of activities to formalize scoping: development of an ICFR policy, a risk assessment, control definition, and allocation of roles and responsibilities.
To provide comfort to management, the board and the audit committee around the effectiveness of ICFR at the year end, companies need to have a monitoring process in place, aligned with the monitoring principles of the framework.
Furthermore, the level of work performed on internal controls as part of the external audit is likely to increase significantly as testing the operating effectiveness of controls for an ICFR audit is a significant step up from the minimum control testing requirements for a financial statement audit.
As well as meeting regulatory requirements, developing an internal control framework brings several significant benefits to organizations as described below:
Deloitte has practical experience in supporting organizations implement and enhance internal controls, both in the Middle East and globally. Key observations from this experience include the following:
Setting the foundation for an ICFR journey is often a manual exercise initially – clearly defined and documented processes, risks, and controls are critical as a baseline. However, it is important to think about the future at the same time. This includes how organizations are responding to financial reporting risks arising from the confluence of technology revolution, a global pandemic, merger and acquisitions, and private equity funded disrupters. But it also covers how technology and data are used as a greater enabler for a company’s control environment. A robust risk and controls environment can help organizations become more agile and resilient, and support accelerated digital transformation—all of which help companies better utilize automation in operating and monitoring their financial reporting controls. However, the regulatory requirements for companies to adopt ICFR represents an opportunity to consider how controls, data, and technology can be used to help manage financial reporting risk - and at the same time - drive strategic benefit. Those organizations that see this as an opportunity, rather than a compliance exercise, stand a greater chance of driving better financial reporting, and at the same time, driving value for stakeholders.
By Aderita von Glahn, Senior Manager, Assurance and James Smith, Partner, Assurance, Deloitte Middle East