Internal Controls under Corporate Governance – Are we in Control?

The availability of reliable financial information reflecting the organization’s state of affairs is significant to all the relevant stakeholders, most notably to its owners. This importance increases ten-fold for companies listed on stock exchanges, where the owners are not at the helm of affairs and instead rely on the agents of the company, i.e. the Board of Directors. In order to protect investors’ interests, a regulatory regime has to be in place, which in our case is the Securities and Exchange Commission of Pakistan (SECP).

Amongst many measures that SECP takes from time to time in order to keep the capital markets reliable, one has been the introduction of the Code of Corporate Governance back in 2002, which is part of the Stock Exchange listing regulations. Directors, in the company’s annual reports, give a statement of compliance and the statutory auditors issue a review report on the same.

Apart from many of the other aspects in this Code, one of the most important ones that are touched upon is the subject of Internal Control. Internal Control is a broad category that includes the need for controls over financial reporting as well as many other areas. The discussion here, however, is confined to Internal Control over Financial Reporting.

In this regard as per the Code of Corporate Governance, Directors are required to ensure the following and make a statement on it in the annual financial statements:

system of sound internal control is established, which is effectively implemented and maintained at all levels within the company.
(d (v) clause 35 – Code of Corporate governance)

What does this statement entail with respect to Financial Reporting?

Let’s discuss some of the important elements mentioned above.

System

The existence of a certain framework or methodology through which the effectiveness of Internal Controls can be ensured.

  • Whether ALL the risks in a certain process which can have an impact on the specific objectives i.e. financial statement assertions like completeness, accuracy, and existence have been identified.
  • Whether CONTROLS have been designed against these risks.
  • Whether the design adequately addresses the risk.
  • Whether these controls are operating effectively throughout the year

Implemented

There must be two considerations for controls being implemented:

  1. The controls are clearly defined
  2. Someone is responsible for ensuring the operational effectiveness of the controls.

In a well-designed Internal Control system “Control Owners” are clearly identified against each documented control. Assigning of such responsibility is important for establishing accountability as well as a smooth operation.

Maintained

This essentially means that controls are not just in the books but are, in fact, part of the process and are continuously in operation as per the defined frequency. In order to have the comfort that Internal Controls are maintained, they need to be tested (audited) or self-assessed for their operational effectiveness on a continuous basis.

“As is” position of companies in relation to Internal Control vis-a-vis the requirement in the Code of Corporate Governance

The above areas can only be catered to through the implementation of a comprehensive Internal Control framework. In case of banks/DFIs’, they are required to be compliant with State Bank of Pakistan’s (SBP) detailed ICFR guidelines and it can be said that they already have a requisite system in place. For others, based on our experience and recent interactions on the subject with the Internal Audit Heads of some top-tier listed companies, only multi-nationals which are required to be compliant with SOX 404 due to group requirements have put in place the required system.

In the listed companies, other than Banks/DFIs’ and multi-nationals as identified above, the extent of what they have in place is policies and procedures manuals. These policies and procedures are very relevant for creating an overall conducive internal control environment but are not a substitute for clearly identified controls against the risks. Due to the absence of such a Risk Control Matrix, the completeness and adequacy of controls cannot be ensured.

One may also argue that the manual might have certain procedures which do not mitigate any risk yet are implemented, creating only inefficiency.

Arguments for implementation of comprehensive Internal Control Framework

First things first, in the interest of shareholders, any communication/statement made to them has to be appropriately backed up, in letter and spirit, by factual realities. The statement as explained above has certain requirements to be fulfilled, and directors, before signing, should ask for the basis of the underlying statement.

Secondly, as discussed above in case of banks/DFIs’, State Bank of Pakistan has issued detailed guidelines in relation to Internal Control over Financial Reporting (ICFR). A detailed “Statement of Internal Controls” is given by the Management in relation to compliance with SBP instructions and the same is endorsed by the Directors. SBP guidelines on ICFR have been created based on Integrated Internal Control Frameworks like COSO (Committee of Sponsoring Organizations) and a few others.

It is understandable that more robust and stringent controls have to be in place in Financial Institutions but the investment made by common shareholders in listed companies other than Banks/DFIs’ is equally important and the significance of having strong control framework in such companies cannot be discounted.

Thirdly, SOX 404 was implemented in the US after accounting scandals such as Enron. SOX 404 deals with ICFR, and the directors make the following statement in the annual financial statements, which is very similar to the one we have in our Code of Corporate Governance:

The Company’s management is responsible for establishing and maintaining adequate internal control over financial reporting … (Statement as per SOX 404)

For listed companies in Pakistan other than Banks/DFIs’ no guidelines exist for ICFR. For banks such guidelines are issued by SBP. Is the investment of shareholders in non-banking companies not worthy of being adequately protected?

In the US, in order for the above-mentioned statement to hold true, a lot of work is done. An integrated Internal Control Framework like COSO is in place, and companies ensure that it is adopted and implemented. One needs to question the adequacy of work done in our country, in order to give a similar statement to shareholders.

Fourthly, no guidelines have been issued by the SECP in relation to ICFR. This along with the external auditors’ comments in the review report (as mentioned below) makes matters much worse when it comes to the effectiveness of Internal Controls.

“As part of our audit of financial statements we are required to obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. We are not required to consider whether the Board of Directors’ statement on internal control covers all risks and controls or to form an opinion on the effectiveness of such internal controls, the Company’s corporate governance procedures and risks”. (Common para in auditors’ review report on Corporate Governance)

Lastly, other than the argument of “doing the right thing” of establishing a system for making a statement on Internal Control there are many other benefits the organizations can reap.

  1. A risk-based approach eliminates redundant activities. If there is a control which does not address any risk, it need not be there.
  2. Companies that demonstrate the adoption of an internationally recognized Internal Control framework like COSO enhance their credibility in the eyes of potential investors.
  3. In today’s highly automated environment many activities which have an impact on financial reporting lie outside the domain of finance. By implementing an IC framework, risks in those areas can be adequately covered.
  4. Implementation of Internal Control framework also provides a comprehensive and structured platform for fraud prevention.


  • Develop comprehensive guidelines for ICFR to be adopted by the listed companies other than Banks/DFIs’.
  • Redesign the statement on Internal Control in the interim so that it aligns with the situation on the ground.


  • If SECP acts as above, then align activities accordingly
  • In case SECP does not issue any guidelines, Management, primarily the CFO, should take the initiative to adopt and implement an internal control framework such as COSO.

Audit Committee

  • Become a project sponsor and advocate for the ICFR implementation


  • In the absence of an Internal Control system as discussed above Directors should amend their statement to reflect the ground realities.
  • Should support the implementation of ICFR framework.

External Auditors

  • Emphasize to the BOD, through their Management Letter, the need to implement an IC framework.
  • Need to reconsider their Review Report on Corporate Governance to make things clearer.

Internal Auditors

  • Support Audit Committee in their role as identified above.