Internal control review assumes greater importance in light of the current economic downturn. Internal controls across various functions are monitored and assessed through continuous evaluations to determine whether the implemented internal control system is as effective as the Board of Directors intended. The assessment helps identify internal control deficiencies so that corrective action can be taken.

Frequently Asked Questions

1. What is Internal Control Review (ICR) and how is it different from Internal Audit?

ICR is an overall assessment of the internal control system of each business area in an organization and of its adequacy to address the relevant risks. Through control review, an organization's resources are directed, monitored, and measured in an effective manner. It plays an important role in protecting the organization's tangible and intangible resources.

Internal audit, by contrast, is defined by the Institute of Internal Auditors as "an activity that provides independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".

2. What is an internal control?

The framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as "a process effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories":

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting;
  • Compliance with applicable laws and regulations.

3. How can an effective internal control system be established?

To create an effective internal control system, an organization should establish the following:

  • Policies and procedures including, among others, organizational structure, job descriptions, authorization matrix;
  • Segregation of duties and responsibilities;
  • Authorization and approval process;
  • Performance monitoring and control procedures;
  • Safeguarding assets, completeness and accuracy;
  • Manpower management;
  • Independent internal audit function;
  • Regulatory compliance and risk management.

4. Then, what are the components of the internal control system?

As per the COSO model, the components of the internal control system are:

  • Control Environment: This sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
  • Risk Assessment: The identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
  • Control Activities: The policies and procedures that help ensure management directives are carried out.
  • Information & Communication: Systems or processes that support the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
  • Reporting & Monitoring: Processes used to identify, monitor and report the quality of internal control performance or deficiencies to appropriate levels.

5. Are the controls in your organization appropriate?

Controls over the business activities in an organization are said to be appropriate when the following are established:

  • Adequacy & compliance of policy and procedures;
  • Proper governance structure;
  • Monitoring of manpower management;
  • Proper periodic review of business activities.

6. What are the benefits of Internal Control Review?

  • Encourage adherence to prescribed policies and procedures;
  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting;
  • Compliance with applicable laws and regulations;
  • Detection and prevention of errors and irregularities in a timely manner.

7. Is Internal Control Review mandatory?

As per the various circulars issued by the Central Bank of Kuwait (CBK) from time to time, banking and investment companies are mandated to comply with ICR regulations. The ICR auditors are to provide their opinions and remarks on whether the regulations and internal control systems are sufficient in quality and quantity to manage the risks that the company faces in its day-to-day business.

As has been the practice, all banks have to submit ICR reports to CBK by June 30 every year. However, this is notified each year.