The internal control review is a critical exercise for business entities. It should be conducted on an annual basis to ensure the adequacy and completeness of internal controls, with a view to maximizing effectiveness and efficiency in managing the operations and the business at minimal business risk.
The internal control review is also necessary in light of the constant changes in information technology worldwide and in the legislation governing the environment in which the organization operates.
Furthermore, the internal control review is vitally important for the internal audit function, as it enables the function to verify the extent to which internal control systems are applied within the business entity, identify where they are not applied, take corrective actions, and establish measures to prevent recurrence.
What is Internal Control?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) broadly defines “Internal Control” as:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Part of the philosophy of this definition is that internal control is not and cannot be limited to finance and accounting activities but rather encompasses the entire organization and a combination of different levels of employees, management, and the board.
How is internal control review different from internal audit?
The following table summarizes the main differences between internal control review and internal audit:
| Comparison aspects | Internal control review | Internal audit |
|---|---|---|
| Nature of activity | Independent activity performed by a third party. In Kuwait, the third party must be a licensed auditor | Internal activity within the organization |
| Reporting to | Board of Directors. In Kuwait, a copy of the report is to be submitted to the regulator | Audit Committee |
| Scope | Overall assessment of the completeness, effectiveness, and efficiency of the internal control system across all business units | An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes |
What are the Objectives of Internal Control?
Internal Control Objectives as per the 2013 COSO Framework:
- Operations Objectives – These pertain to the effectiveness and efficiency of the entity’s operations including operational and financial performance goals, and safeguarding assets against loss.
- Reporting Objectives – These pertain to internal and external financial and non-financial reporting, and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters or the entity’s policies.
- Compliance Objectives – These pertain to adherence to laws and regulations to which the entity is subject.
What are the Components of Internal Control Systems?
The five components that create effective internal control are as follows:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
What are the regulatory requirements related to establishing Internal Control Systems?
For listed companies in Kuwait Boursa
In the State of Kuwait, Law No. 7 of 2010 concerning the Establishment of Capital Markets Authority and Regulation of Securities Activity was promulgated on 21 February 2010, and its Executive Regulations were issued under Resolution No. 72 of 2015 on 9 November 2015. The Executive Regulations address internal control in Module 15 – Corporate Governance, whose requirements can be summarized as follows:
- Organizational structure, which should include mandatory organizational units, committees, and functions, such as Audit Committee, Risk Management Committee, Nomination and Remuneration Committee, Risk Management Department and Internal Audit Department as well as two organizational units for Compliance and Investors Relations.
- Competencies manual for the organizational structure units, which will include the implementation of the eleven corporate governance rules.
- Job structure.
- Job descriptions for all organizational structure jobs.
- Charters of the Board of Directors and its committees.
- Code of Conduct (Code of professional conduct and ethics).
- It shall include a set of parameters and standards addressing the protection of whistleblowers who report illegal practices.
- Delegation of authority matrix.
- Operational policies and procedures manuals for all organizational executive units, which include the business processes and the relevant documentation.
- Supporting IT systems to carry out the activities of organizational units.
- Internal control systems and programs.
- Management system to evaluate the performance of the members of the Board of Directors and executive management.
- Engage an independent audit firm to conduct evaluation and review of the internal control systems and prepare a report in this regard (Internal Control Report).
For persons licensed by the Capital Markets Authority (CMA)
In addition to the internal controls mandated for listed companies, licensed persons shall comply with additional internal control systems in accordance with Module Six – Internal Policies and Procedures of Licensed Persons, as follows:
- Comply with the requirements of competence and integrity of licensed persons.
- Separation among activities carried on by the Licensed Person to ensure that information is not disclosed among such activities except for discretionary portfolio management and the incorporation and management of collective investment schemes.
- Handle customers’ complaints.
- Risk management (more detailed level than that required from listed companies).
- Anti-money laundering and combating the financing of terrorism (AML-CFT).
- Implementation and management of the operations of the licensed activities, including the documentary cycle required to be followed in performing the business.
- Disaster recovery and business continuity plans.
- Sharia control for persons licensed to operate in accordance with Islamic Sharia.
For financial institutions licensed by the Central Bank of Kuwait (CBK)
As per the Central Bank of Kuwait (CBK) circular dated 14 November 1996, the internal control system shall cover the following:
- Internal controls related to accounting records and other records.
- Organizational structure.
- Performance monitoring and control procedures.
- Segregation of duties and responsibilities.
- Authorization and approval.
- Completeness and accuracy.
- Safeguarding assets.
- Controls in an information technology environment.
- Internal audit activity.
Is internal control review reporting mandatory in Kuwait?
Yes. The following entities are required to have an internal control review conducted by an independent auditor:
| Entity subject to internal control review | Regulatory body |
|---|---|
| Listed companies in Kuwait Boursa | The Capital Markets Authority |
| Persons licensed by the Capital Markets Authority | The Capital Markets Authority |
| Licensed local banks in Kuwait | The Central Bank of Kuwait |
| Licensed branches of foreign banks in Kuwait | The Central Bank of Kuwait |
| Licensed financing companies | The Central Bank of Kuwait |
| Licensed exchange companies | The Central Bank of Kuwait |
What is the organizational level responsible for establishing controls and the Internal Control Review within business entities?
The Board of Directors is responsible for ensuring the integrity of internal control systems, while the executive management is responsible for developing and implementing the internal control systems.
Who reviews internal control systems?
A licensed auditor registered with the Kuwait Ministry of Commerce and Industry as well as with the related regulatory body.
What is the Limit of Auditor’s Responsibility for Internal Control Review Report?
The role of the independent audit firm is to provide reasonable, but not absolute, assurance regarding internal control systems in accordance with Law No. 7 of 2010 and its Executive Regulations.
What is the Deadline of Internal Control Review Report submission to the Capital Markets Authority?
Circular No. 11 of 2016, dated November 9, 2016, sets forth that listed companies and licensed persons shall submit the said report to the CMA on an annual basis within a maximum of ninety days from the end of the financial year.
What is the Deadline of Internal Control Review Report submission to the Central Bank of Kuwait?
Licensed financial institutions subject to CBK supervision shall submit the said report to the CBK on an annual basis by 30th June of each year.
What is the Added value to business entities from Internal Control Review?
- Comply with laws, regulations, resolutions, and instructions issued by the Capital Markets Authority, the Central Bank of Kuwait and other regulatory and administrative authorities.
- Identify the efficiency and effectiveness of the internal control systems in place in the business entity, with additions or updates that keep the systems up to date on a sustainable basis.
- Enhance the business entity’s performance efficiency and competitive capabilities by giving it the ability to face unforeseen changes in the market and to identify the causes of failure to implement the internal control systems.
What are the Services offered by Baker Tilly?
Prepare an annual report on the assessment of internal control review for listed companies and companies licensed by the Capital Markets Authority, as well as for entities licensed by the Central Bank of Kuwait.