What comes to mind when we think about the importance of internal controls?
“If one of your employees is determined to steal from you, you probably can’t stop them from trying. But, you can stop them from succeeding. And even if they get away with it once, you should be able to catch it early on — not two years and $700,000 later” (Schaeffer, Internal Control Breakdown Study, 2009)
Internal controls are vital to the success of any company because they ensure reliability of financial records and reporting, compliance with laws and regulations, prevent companies from being exposed to fraud or theft, and support the achievement of corporate objectives. While some companies in Zambia are now required by regulation to implement and monitor a system of internal controls over financial reporting, all other companies could equally derive significant benefits from implementing and monitoring an effective system of internal controls.
Current regulatory landscape
On 19th July 2019, the Government Republic of Zambia, issued the Securities Guidelines (Internal Control Reporting Framework for Issuers of Registered Securities) (“the Guidelines”). These Guidelines were issued to provide guidance to issuers and auditors on the application of Sections 146, 147 and 149 of the Securities Act, No.41 of 2016 regarding the implementation of internal control reporting framework. The Guidelines define internal control over financial reporting as “a process designed by, or under the supervision of the company’s Chief Executive Officer and Chief Financial Officers or persons performing similar functions, and implemented by a company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial statements for external purposes in accordance with generally accepted accounting principles.”
The implementation of these Guidelines will be in two (2) phases as summarized below.
Phase 1 – All submissions to the Securities Exchange Commission (the Commission) during this phase will not be made available to the public.
Key outputs or reports | |
Year 1 (31 December 2019) | Gap analysis of existing internal control system against a widely recognized framework such as COSO framework. |
Year 2 (31 December 2020) | Management self-certification of effectiveness of the internal control environment. |
Year 3 to Year 5 (31 December 2021 to 31 December 2023) | – Management self-certification of the effectiveness of the internal control environment.
– External auditor’s assurance report on the existence, adequacy and effectiveness of the internal control environment. |
Phase 2 – Annual reports, management self-certifications and auditor’s assurance report on internal controls submitted to the Commission but made available to the public.
Common internal control challenges
Section 4.3.3 of the Guidelines precludes management from concluding that a company’s internal control over financial reporting is effective if it identifies one or more material weaknesses in the company’s internal control over financial reporting. The Guidelines do not define a material weakness but we can make reference to its definition by the Public Company Accounting Oversight Board (regulator of US public audits) as a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
Common internal control challenges which are indicative of the possible existence of a material weakness in the company’s internal control system are discussed below.
- Auditor identified misstatements – Material adjustments identified in the financial statements during the audit which were not initially identified by management are indicative of a material weakness in the company’s internal controls. In addition, misstatements that are not material could still be indicative of a material weakness when the deficient controls that resulted in the immaterial misstatement in the current period are assessed for their severity. When assessing the severity of a control deficiency one must look at what “could” have happened not only “what” happened. For example, an immaterial error identified in the depreciation expense recognized by the company could be indicative of a material weakness when the deficient control is assessed for the likelihood of the entire property, plant and equipment account balance being exposed to a material misstatement.
- Restatement of previously issued financial statements – Restatements to reflect the correction of a material error (which does not include restatements to reflect a change in accounting principles to comply with new accounting standards) are also indicative of a material weakness in the internal control environment.
- Lack of segregation of duties – There is an opportunity that is created to commit fraud or misappropriate assets when an individual performs incompatible tasks, such as a controller who approves his or her own purchase requisitions.
- Inadequate training of staff/lack of the necessary qualifications – This applies to control owners or operators. For example, there is a risk that the person responsible for the accounting and reporting function lacks the skills and knowledge to apply generally accepted accounting principles in recording the company’s financial transactions or preparing its financial statements.
- Inappropriate reliance on third parties – There is a risk that management may be placing inappropriate reliance on the effectiveness of key controls within significant business processes executed by third parties. When these key controls at the third party are not tested or the third party does not provide a report on the results of the tests of its controls, the company’s transactions could be exposed to material misstatements due to the likelihood of the existence of deficient controls at the third party.
Benefits of implementing an internal control reporting framework
Several benefits can be derived from maintaining an effective internal control environment to prevent the occurrence of common internal control challenges such as those described above.
- Increased attention from investors – Implementing an internal control framework that is regularly assessed for its effectiveness signals strong corporate governance principles in the company, which should translate into strong business results and increased shareholder value. The resulting benefits will be cheaper sources of capital.
- Initial Public Offering (IPO) readiness or issuance of securities – Companies that intend to raise capital by going public or issuing debt securities would benefit immensely from implementing a system of internal controls that is compliant with the requirements of the Commission well before the IPO to allow sufficient time for implementation readiness.
- Reduced regulatory compliance costs – Maintaining an effective internal control framework could ultimately result in streamlined processes and better management of regulatory compliance. For example, if the company does not have effective controls in place to ensure compliance with regulations issued by the Zambia Revenue Authority (ZRA), it is highly likely that penalties and fines will be regularly incurred for non-compliance. The cost of penalties and fines in certain instances far exceed the cost of implementing effective controls specific to regulatory compliance and one such example is the penalty that could be assessed by ZRA of up to ZMW 24,000,000 (approximately $1,000,000) for non-compliance with the transfer pricing policy documentation requirements.
- Detection of significant issues – With a well-established internal control framework, management can expect to detect significant issues well before the external audit. Misstatements or errors identified during the external audit have a root cause of either a missing control or an inadequately designed control. As discussed above, material misstatements identified by the external auditors would be indicative of a material weakness in the internal control environment. However, with an effective internal control reporting framework, management should expect to have adequate controls in place to mitigate the occurrence or the identification by the external auditors of significant issues.
- Comprehensive assessment of control deficiencies – In the absence of the requirement to provide reasonable assurance on the effectiveness of the internal control environment, management’s assessment of the severity of identified control deficiencies will not be as robust. To evaluate the effectiveness of an internal control system, management must qualitatively and quantitatively assess the severity of identified control deficiencies to arrive at a conclusion as to whether a material weakness exists.
- Timely response to changes in the business and regulatory environment including accounting standards – The risk of material weaknesses in the internal control environment is heightened when significant changes occur in the business, regulatory and financial reporting environment. However, with an effective internal control reporting framework companies should be able to respond timely to these changes. Over the last few years there have been three (3) significant new accounting standards i.e. IFRS 9 – Financial Instruments, IFRS 15 – Revenue from Contracts with Customers and IFRS 16 – Leases. Companies that had established internal control systems were more prepared and had less adjustments to effect after the external audit. However, companies that did not have adequate internal control systems in place specific to complying with these new accounting standards did very little and this likely resulted in material audit adjustments and additional audit costs. The latter is indicative of a material weakness in the internal control environment.
Closing thoughts
Management should carefully assess the adequacy of their company’s existing internal control reporting framework. If one or more of the common internal control challenges described in this article are prevalent, this may be an indication that the existing internal control system may not be adequate. Maintaining an effective system of internal controls is a continuous process and significant benefits can be derived from this iterative process. Now is the time to evaluate the adequacy of the internal control environment and not “two years and $700,000 later.”
References
GRZ (Government of the Republic of Zambia). 19 July 2019. Securities Act, 2016 (No. 41 of 2016): Securities (Guidelines Internal Control Reporting Framework for Issuers of Registered Securities) Guidelines (Notice 6781). Government Gazette, 734 of 2019.
Schaeffer M (2009) Internal Control Breakdown Case Study, AICPA Newsletters, Internal Control Breakdown Case Study (aicpastore.com)
Rabecca Hichilo is an Associate Director with KPMG Zambia. The views expressed in this article are her own and not necessarily those of KPMG.