Clarifications & amendments by Securities and Commodities Authority

WHAT ARE THE LATEST KEY AMENDMENTS TO THE SCA GUIDE?

The SCA Circular inter-alia details the responsibility of the Board, Senior management, and auditors as follows:

Board

1. Article 14 of the SCA Guide relates to “Board Obligations”. Clause (7) of the Article has been amended to clarify the Board’s responsibilities with respect to ensuring the existence of effective risk management and an appropriate control environment within the company.
2. The Board retains ultimate responsibility for ensuring the existence of effective risk management systems and internal controls that align with the company’s potential risks, assess their effectiveness, and take corrective actions as necessary, regardless of the specific responsibilities delegated to senior management.
3. The Board is responsible for establishing, defining, and approving an appropriate internal control and risk management framework for the company’s operations that align with global best practices (COSO Framework) and ensuring its implementation through guidelines as specified in the Circular.

While the former Clause included reference to compliance with international practices and recommended COSO Framework, the amended clause clarifies that the internal control and risk management framework must be aligned with the COSO Framework.

Senior management

Senior management is responsible for implementing sound policies, effective procedures, and robust systems that align with the risk management and internal control frameworks approved by the Board.

Auditors

The amendment to the SCA Guide clarifies that the Board is responsible for establishing mechanisms that enable the auditor to express an opinion on the effectiveness of the company’s internal control and risk management systems, including effective internal controls over financial reporting (ICOFR).

Further, Article 73(4) (as amended), provides that the auditor may express an opinion on the effectiveness of the company’s internal control systems and their compliance with the appropriate internal control framework determined by the Board of Directors by issuing a separate report. This report will include their opinion on the effectiveness of internal control systems, identifying deficiencies, and taking necessary actions to address them.

WHAT DOES THIS MEAN FOR REPORTING PERIODS – FY 2024 & FY 2025?

1. Phase One – FY 2024

Management responsibility

• Self-assessment to be conducted with respect to internal control systems and risk management related to financial reporting (ICOFR)
• Address any gaps

Auditor responsibility

The auditor shall only express an opinion on the effectiveness of internal control systems and risk management related to financial reporting (ICOFR) for the financial year 2024. A separate report in this regard shall be issued (without disclosure at this stage), which will be reviewed by the external auditor.

2. Phase Two – FY 2025

Management responsibility

• Self-assessment to be conducted with respect to internal control systems and risk management, including ICOFR
• Address any gaps

Auditor responsibility

The auditor will express an opinion on the effectiveness of internal control systems and risk management, including effective internal controls over financial reporting (ICOFR), for the financial year 2025. A separate report shall be issued (with disclosure) containing the auditor’s opinion on the effectiveness of the internal control systems, identifying deficiencies, and recommending necessary actions to address them (Audited).

Phase One focuses on internal control systems and risk management related to financial reporting (ICOFR). Phase Two focuses on internal control systems and risk management, including ICOFR.

Regarding FY 2024, it is suggested that companies should plan to timely initiate control testing and development of required frameworks (internal controls & risk management) to enable the auditor to express an opinion.

KEY CONSIDERATIONS FOR THE MANAGEMENT

• Develop a comprehensive risk & internal controls framework based on the COSO Framework
• The management of the organization should (i) conduct planning & scoping and (ii) test internal controls (design & operating effectiveness) & remediate the control deficiencies
• Work with auditors to obtain opinions on internal controls for FY 2024 (not to be disclosed) and FY 2025 (to be disclosed)
• Ensuring a comprehensive view of all material risks to which the company is or could be exposed, as well as the interrelation of such risks, at both the public joint-stock company level and its subsidiaries, as applicable. This includes strategies, policies, processes, procedures, and controls necessary to identify, assess, measure, monitor, and control risks, as well as report them transparently and mitigate their sources promptly.
• The company’s organizational / governance structure should include the “Three Lines of Defense” methodology, where applicable