According to Resolution No. (1) of 2017, all ADAA subject entities including material subsidiaries, wherever located, need to comply with the resolution, effective for all audits of subject entities contracted after August 2017.
Setting the context
Multiple instances of questionable financial practices in large companies around the world precipitated the need for regulators to reassess and strengthen governance structures and internal control requirements for companies. This includes setting new standards for public accounting firms, corporate management and boards of directors.
Gulf Cooperation Council (GCC) regulations are constantly evaluated and re-assessed to reflect the latest trends and leading global practices. The introduction of Resolution No. (1) by the Abu Dhabi Accountability Authority (ADAA) is an endeavor which aims to strengthen governance structures within its subject entities.
In August 2017, ADAA issued Resolution No. (1) of 2017 pertaining to auditing the financial statements of subject entities. As per the resolution, all ADAA subject entities, including material subsidiaries, need to comply with Resolution No.(1). This is effective for all audits of subject entities contracted after August 2017, stating that the statutory auditor would be required to issue a separate report that includes an opinion on the effectiveness of the internal control systems. This involves assessing design and testing the application of the internal control system.
Leading the change
Most entities subject to ADAA’s regulations initiated their internal controls over financial reporting implementation journey in 2018, in line with the requirements of the resolution. While the resolution covers both internal controls over financial reporting and compliance controls, there was increased focus placed by subject entities on financial reporting in the initial phases of implementation. A few entities have also included fraud controls in their scope of implementation, which is also a mandatory part of any internal control framework. Owing to the initial perception that the resolution is applicable from an external reporting perspective, finance teams played a major role in driving the ICFR implementation and a co-sourced model with external service providers was the prevalent option for entities in the region. The internal audit or risk governance and compliance teams were also significantly involved in some entities. While this was foreseeable considering the nature of the project, determining stakeholder involvement and buy-in beyond the finance department proved to be a key challenge faced in the initial years of implementation.
Implementing the change
The resolution provides flexibility to subject entities for the adoption of an internal control framework that would suit the needs of the organization. As per our experience in the region, entities have chosen to adopt the COSO (Committee of Sponsoring Organizations of the Treadway Commission) internal control framework since it is commonly used by various leading organizations and government entities across the globe.
For most, the ICFR implementation journey was set in motion with an assessment to define materiality thresholds, after discussion and agreement with management and statutory auditors to identify key processes and controls to be included in the scope. A wide range of quantitative and qualitative parameters were used to determine the materiality thresholds and entities have implemented processes for reviewing the scope on a yearly basis. Nearly all organizations have documented process-level, entity-level and IT general controls. A few have also commenced covering fraud and compliance controls as part of their ICFR exercises. Key risks and controls were documented using various tools, such as process maps, process flowcharts, and risk and control matrices.
ICFR implementation goals have been dynamic and moving targets, and stakeholders’ priorities continue to evolve. Nevertheless, over the last three years, organizations have derived great value beyond compliance. Benefits range from standardization of processes and mitigating revenue leakages, to hitherto unexplored changes in the revenue model.
