Internal Control over Financial Reporting (ICFR)
Driving governance through effective financial reporting
Table of Contents
01 Executive Summary - The vision for ICFR
02 ICFR and its regulatory regime
03 Understanding ICFR stakeholders’ expectations and responsibilities
04 ICFR Maturity Landscape
05 PwC’s FOCUSED approach
06 Case Studies
07 Contacts
Executive Summary
The vision for ICFR
The current landscape for ICFR
The Internal Control over Financial Reporting (ICFR) remains an essential part of the Chief Financial Officer (CFO)
agenda in order to ensure that the information reported in the financial statements is accurate and does not contain
any material misstatement.
The Internal Control and financial reporting disciplines have evolved significantly over the past two decades due to
various international business incidents including the Enron collapse, global financial crisis, oil price volatility, amongst
other events. This has resulted in major regulatory reforms that aim to govern the internal control environment,
with a particular focus on financial reporting. Many international and regional regulators have since implemented
various laws, regulations and guidelines in relation to ICFR, a few of which are listed below:
International
The Securities & Exchange Commission (SEC) - USA
Canadian Securities Administrators (CSA) - Canada
Registrar of Companies - India
The Council of European Union - Europe
Financial Reporting Council (FRC) - UK
Public Company Accounting Oversight Board (PCAOB) - USA
Regional
Abu Dhabi Accountability Authority (ADAA) - UAE
Securities and Commodities Authority (SCA) - UAE
Insurance Authority - UAE
Qatar Financial Markets Authority (QFMA) - Qatar
Over more recent years, the Middle East region has unfortunately witnessed some organisational crises within
various sectors including healthcare, private equity, financial services and construction. This, paired with the overall
increase of business challenges due to the COVID-19 situation, has raised concerns from the following key stakeholders
on the quality of ICFR. In this paper, we have captured the expectations of these stakeholders as well as their key
responsibilities.
Internal
Boards
Audit Committees
Senior Management
Finance Department
Audit department
External
Regulators
Shareholders / Owners
Investors
Creditors
Statutory Auditors
Extracting maximum value from ICFR investment
The value an organisation extracts from an ICFR exercise depends on various factors, including the size, operations,
accounting framework, complexities, internal control team, governance, and culture of the business. The below “PwC
Maturity Landscape” not only helps organisations to assess their maturity level in the ICFR domain but also helps them
get the maximum value from their investment in the ICFR agenda.
Maturity Dimensions, by Maturity Level (Level 1 - Regulatory Compliance / Level 2 - Controls Insights / Level 3 - Value Enhancement):
Role Clarity: Unclear / Informal / Formal
Governance Culture: Defensive / Responsive / Collaborative
Data Analytics: Beginner / Intermediate / Advanced
Value: Cost focus / Efficiency focus / Value focus
Rethinking ICFR to help you stay “FOCUSED” and achieve resilience
At PwC we have recognised how important ICFR is for the Middle East region in terms of scope, maturity landscape,
reporting and digital upskilling, when compared with the rest of the world. Therefore, we have analysed international
leading practices and considered Middle East business practices to develop our bespoke “FOCUSED” approach.
Framework development
Operational assessment
Control design review
Upgrading internal practice
Sampling techniques
Effectiveness testing
Documentation and representation
The FOCUSED approach extends beyond just achieving regulatory compliance. It is based on international leading
practices, internal control frameworks (COSO, SOX etc.) and lessons learned from advanced economies, tailored to
the specific requirements of organisations in the Middle East region operating in various sectors. At PwC we leverage
the FOCUSED approach to help organisations in their ICFR maturity journey and get maximum value from it. A
couple of case studies are added in the later part of this paper.
Introducing the importance of ICFR
How does ICFR make a difference in the financial reporting world?
Defining ICFR: In simple terms, ICFR means a process which is implemented by those charged with governance
and management to provide reasonable assurance that a mechanism of Internal Control is in place to achieve the
following objectives:
The financial statements are prepared as per the applicable financial reporting framework e.g. IFRS, local GAAPs e.g. IPSAS, SOCPA.
The transactions and events reported in the financial statements are duly authorised as per the protocols implemented by management and those charged with governance.
A process is in place to prevent or timely detect and amend any unauthorized use of assets / resources employed by the organisation.
The organisation maintains accurate records / evidence to back all transactions which are reported in a financial period.
International Regulatory Regime on ICFR to achieve resilience
Internal Controls are often an area of focus for investors, creditors, shareholders and Board members, among other
stakeholders, when ensuring that the organisation provides accurate financial reporting which shows its state of
operations in today’s constantly changing business environment.
However, the ICFR agenda became more critical with situations such as those raised in 2002 (Enron), 2008 (global
financial crisis), and 2016 (oil price slump) etc. Each of these historical business world challenges brought key
stakeholders (regulators, investors, creditors etc.) together to better legislate reporting protocols and introduce new
practices to assess the risks facing businesses and to have sound Internal Control to mitigate those risks. In this
regard many initiatives were taken by regulators across the globe to implement an ICFR agenda, such as the below:
The introduction of Middle East regulatory initiatives
In recent years, the collapse of many Middle East businesses in the private equity domain, financial services,
healthcare and construction sectors has raised many concerns among the stakeholder community. The year 2020
brought another major challenge with the unforeseen COVID-19 pandemic, which created even more pressure on the
business world.
In this situation many regulators have taken initiatives to further strengthen the Internal Control environment, especially
around the financial reporting domain. The regulations mentioned in the below table are a few examples where subject
entities are required to implement an ICFR framework. At present, many other regulators in the region are exploring
this agenda to better manage financial reporting.
2016, Qatar - Qatar Financial Markets Authority (QFMA): Article 8 of Governance code for companies and legal entities listed on the main market.
2016, UAE - Securities and Commodities Authority (SCA): Article 50 of Resolution No. (7 R.M) of 2016
2017, UAE - Abu Dhabi Accountability Authority (ADAA): Article 4 of ADAA Resolution 1 of 2017
2019, UAE - Insurance Authority: Circular no. 21 of 2019
PwC 2020 Internal Controls survey
76% of the respondents perceive Internal Control as valuable but feel that not all levels in the organisation are proactively participating in the internal control journey.
Almost 60% of the respondents declared that they do not have a specific governance, risk management and compliance system for managing Internal Control.
Understanding ICFR stakeholders’ expectations and responsibilities
The ICFR agenda allows organisations to work collaboratively as a single unit and ensure that the operations are
accurately translated into figures which are reported in the financial statements. As many stakeholders have different
expectations on this agenda, there are certain responsibilities which are expected from them to implement an effective
ICFR model.
External Stakeholders
Regulators
ICFR expectations: Adopt an internationally acclaimed internal control framework.
Responsibilities: Develop a monitoring mechanism to assess the effective implementation across regulated organisations.
Investors & Creditors
ICFR expectations: The financial statements provide accurate information about the organisation’s state of affairs.
Responsibilities: Encourage organisations to provide ICFR audit opinions.
Shareholders
ICFR expectations: Accurate financial reporting through deployment of sound Internal Control.
Responsibilities: Encourage the culture of leading practices around Internal Control and governance.
Statutory Auditors
ICFR expectations: Management should adopt and effectively implement an ICFR framework.
Responsibilities: Perform independent assessment of management ICFR practices.
Internal Stakeholders
Board / Audit Committees
ICFR expectations: The financial statements prepared by management are based on an effective ICFR framework.
Responsibilities: Approve required budgets, policies, procedures etc. associated with ICFR.
Senior Management - CEO / CFO
ICFR expectations: Receive required budget approvals from Board / AC and authority to implement effective ICFR practices.
Responsibilities: Sign off the organisation’s conformance with effective ICFR practices and endorse it for Board / AC approval.
Process Owners
ICFR expectations: Obtain required guidance from the IC team in understanding financial reporting controls and their role in managing them.
Responsibilities: Comply with the organisation’s internal control practices during day-to-day operations.
Internal Control (IC) Team under (Finance / Risk Management)
ICFR expectations: Obtain due support from senior management in terms of resources, skill set, training and governance.
Responsibilities: Lead the ICFR mandate in the organisation to ensure controls are adequately designed and operating effectively.
Internal Audit
ICFR expectations: Be involved in discussions with the IC team where any specific input is required on critical or complex controls.
Responsibilities: Provide advisory support to the finance department in effective implementation of ICFR.
ICFR Maturity Landscape
The value a company can extract by implementing ICFR is highly dependent on the maturity level of the organisation
from an ICFR perspective. Based on international leading practices, we have developed an ICFR maturity landscape
with four dimensions, which provides a basis to assess at which of the three maturity levels your organisation
sits:
Maturity Level 1: Regulatory Compliance
Organisations consider ICFR as a regulatory burden and mainly focus on complying with regulatory requirements.
Role clarity - Unclear: Lack of clarity on the overall roles and responsibilities in relation to the ICFR project among finance and other departments.
Governance Culture - Defensive: Highlighting Internal Control failures is discouraged for fear of getting a qualified opinion from the statutory auditors.
Data Analytics - Beginner: Internal Controls are tested on a conventional sample testing basis with review of limited transactions, without use of any digital tools or data analysis.
Value - Cost Focus: The ICFR exercise is considered as a cost center with a perception of minimum value addition to comply with regulations.
Maturity Level 2: Process Efficiencies
Organisations take ICFR as an opportunity to bring process efficiencies through control optimization, eliminate redundant / duplicate controls and extend control automation.
Role clarity - Informal: The Internal Control Team leads the ICFR exercise while educating other process owners to play the required role.
Governance Culture - Responsive: Each stakeholder is encouraged to highlight any control deficiency so that remediations are put in place on a timely basis.
Data Analytics - Intermediate: Various data tools are used to analyze the whole population for targeted sample testing.
Value - Efficiency Focus: The ICFR exercise is considered as a business process re-engineering project to eliminate duplication and introduce efficiencies.
Maturity Level 3: Value Enhancement
Organisations focus more on controls issues related to new projects / ventures whereas existing critical controls get monitored through continuous monitoring tools.
Role clarity - Formalised: The user departments clearly understand their role and proactively manage the control agenda with oversight support from the Internal Control Team.
Governance Culture - Collaborative: Control failures are corrected on a real-time basis by collaboration across functions and are taken as an opportunity to improve internal practices.
Data Analytics - Advanced: Continuous monitoring tools are used to monitor controls on a real-time basis and focus more on value-added areas.
Value - Value Focus: The ICFR exercise is taken as an opportunity to enhance value by introducing leading practices in the existing control environment.
PwC 2019 ICFR benchmarking survey
41% of the companies do not have a process for scoping to identify to which extent and level the ICFR framework is applied.
60% of the companies do not apply digital tools to support the ICFR process.
How PwC’s FOCUSED approach can help your organisation in the ICFR journey
The success of an ICFR exercise highly depends on the way it is planned, executed and monitored. An ICFR exercise
complying with all requirements may not be able to highlight key control design or operating failures if a correct
approach is not used. Therefore, based on the leading practices in the regulated economies along with the specific
business needs of the Middle East region, PwC has developed its ICFR-centric approach “FOCUSED” that addresses
all of the key pain points for organisations of any size and supports them in the ICFR maturity journey.
F - Framework Development: brings an effective governance culture and provides role clarity by developing an entity-specific ICFR framework based on financial reporting standards and leading control practices.
O - Operations Assessment: assesses the company’s operations and provides a value-centric mechanism to identify the process universe, reporting risks and their mapping with financial statements.
C - Control Design Review: leverages various walk-through, data analytics and control dynamic techniques to assess design adequacy of existing controls related to financial reporting.
U - Upgrading Internal Practices: Based on the control design gaps, this phase brings value to business through re-engineering existing processes and introducing leading digital practices to strengthen control design.
S - Sampling Techniques: deploys various data-driven sampling methodologies to select the right value-centric approach to get wider insights and assurance on the target population.
E - Effectiveness Testing: uses a mix of Data Analytics and conventional testing techniques to ensure that transactions executed during the period comply with financial reporting requirements.
D - Documentation and Representation: remains active throughout the ICFR life cycle and provides an effective governance culture identifying clear roles, timelines, templates etc. requirements.
At PwC, we leverage the FOCUSED approach to help organisations in their maturity journey. Our tools,
techniques and team members are well versed with ICFR requirements and comfortably diagnose the maturity
level of an organisation as well as the dimensions which require more focus.
Case Studies
We have listed below a couple of examples where we partnered with some organisations in the Middle East region
while leveraging our FOCUSED approach and helping them in various dimensions of the ICFR maturity landscape:
Client Industry and Region: Energy Sector | Middle East Region
Client Situation
The client was involved in issuing multiple sets of financial statements on two different accounting frameworks. The
ICFR agenda was implemented a few years ago, however the management was not confident that all key risks / gaps
were identified and addressed.
How PwC supported the client to resolve the issue
Through deploying the FOCUSED approach, the PwC team employed various data analytical tools to re-analyze
the scoping model. The work helped to identify multiple areas which were not considered in the previous ICFR
exercises. This identification not only helped to enhance finance department oversight on those processes
but also helped management to fix numerous gaps which could result in material errors in overall financial
reporting.
Client Industry and Region: Government Funded Investment Conglomerate | Middle East Region
Client Situation
The client managed a portfolio of more than 100 subsidiaries, associates, joint ventures, etc. The parent was required
to issue an ICFR opinion on individual as well as on group level financial statements. However, there was no precedent
in the region to manage a similar ICFR mandate, especially with such a diversified portfolio and the complex
nature of group entities (listed, private, foreign, greenfield projects, etc.).
How PwC supported the client to resolve the issue
Through deploying the FOCUSED approach, the PwC team developed a group-tailored ICFR framework
which provided synergies through optimising the design and effectiveness testing process. In addition, the PwC
team performed a comprehensive analysis over the group structure and proposed a data model which classifies
entities based on multiple risk factors. This data model helped the group in objectively identifying high risk
entities and steering the efforts towards the most important controls.
Contacts
Adnan Zaidi
Middle East Assurance Clients & Markets Leader
T: +971 56 682 0630
John Saeed
Middle East Internal Audit & GRC Leader
T: +966 56 007 9699
About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 155 countries with over
284,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what
matters to you by visiting us at www.pwc.com.
Established in the Middle East for 40 years, PwC has 22 offices across 12 countries in the region with around 6,000 people
(www.pwc.com/me).
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see
www.pwc.com/structure for further details.
© 2021 PwC. All rights reserved