Robust internal controls form the foundation of good governance in an organisation. Within environmental, social and governance (ESG) frameworks, the governance pillar relates to how businesses are administered, including risk, oversight and ethics.
Unfortunately, this is overlooked by many organisations. The systems and processes designed to support effective business outcomes and ensure operational efficiency and compliance are either ineffective, overlooked or simply not up to date. This could negatively impact business processes in an organisation.
As the 14th-century nursery rhyme and proverb ‘For want of a nail’ illustrates, you are only as strong as your weakest link. The failure to correct a minor issue can snowball into an issue of great magnitude. Therefore, organisations must evaluate internal controls as fundamental to enhancing trust in business and improving reporting quality. There is a plethora of companies with internal controls across various levels – from processes to anti-fraud and IT general controls.
These processes are surrounded by transactions and material reporting gaps. There are also growing pressures on management to meet the increasing expectations of stakeholders. In all this clutter, internal controls are often overlooked to focus on more pressing issues and bigger problems, including upcoming mergers and acquisitions, the latest expansion plan, new product launches, or mitigating new challenges as a result of unforeseen events like Covid-19. But adopting this stance can be catastrophic for companies. Robust internal controls can help gain insight into potential fraud risks and evaluate if the established controls that prevent and recognise fraudulent behaviour are still in place and are operating effectively.
Identifying internal control vulnerabilities
If internal control vulnerabilities are allowed to linger, they can slowly multiply and spread, and may spiral completely out of hand. An easy recovery may become either a massive financial charge or a cover-up, and instead of things getting better, they could grind to a sudden halt.
Common areas where missing internal controls are identified in companies in the region include:
- Revenue recognition: delayed invoicing, resulting in under-recognition of revenue
- Revenue recognition: overestimation of percentage completion, resulting in excess recognition of revenue
- Poor controls over cut-off procedures
- Lack of robust financial close processes
- Under-accruals of expenses and liabilities
- Lack of documented policies, procedures and delegation of authority
- Absence of a robust legal compliance framework and fraud risk management
- Poor controls over bank reconciliations, vendor reconciliations and inter-company reconciliations
- Absence of checks on segregation of duties
In the last two years alone, companies had to adapt to Covid-19 with remote working, which brought its own set of challenges to systems and processes. The wide-scale shift to remote work rapidly increased organisations’ vulnerability to cyberattacks.
Cryptocurrencies are also exploding into the mainstream, along with climate change, ESG policies and decarbonisation. Companies in the region, which were just getting accustomed to VAT, will soon also need to adapt to corporate taxes and the new global minimum tax regime. Therefore, it is critical to ensure that processes and controls are robust enough to navigate these changes without losing momentum along the way.
A top-down approach
Many CEOs, CFOs and board members believe they should spend their time resolving urgent matters and leave internal controls with junior management or individual employees. However, it has been proven that the tone at the top is the overarching factor that determines whether the company continues to grow.
Regulators’ investigations into failures at companies such as Enron, WorldCom, Xerox, Barings, and Satyam always come back with the same recommendations: make it mandatory for companies to establish proper internal controls, and make boards, management and auditors responsible for testing these controls every year. The Abu Dhabi Accountability Authority (ADAA), Insurance Authority (IA) and Securities and Commodities Authority (SCA) have also made it compulsory for companies in the UAE under their remit to move in this direction. Organisations should not wait for regulators to fix gaps.
They would do well instead to proactively establish a strict internal control framework. They must consider what the significant risks are and assess how they have been identified, evaluated and managed. They must identify any significant failings or weaknesses that have been reported and consider whether the necessary actions are being taken promptly to address them. Finally, they must consider the need for more extensive monitoring of internal control systems.
Siddharth Behal is a partner – Governance, Risk and Compliance at KPMG Lower Gulf