SCA’s updates to internal control and risk management

In January 2025, the Securities and Commodities Authority (SCA) released a new circular that introduces essential amendments to the Governance Guide for Public Joint-Stock Companies. These changes emphasise enhancing internal controls and the risk management framework, aiming to improve corporate governance practices across the UAE.

This amendment updates the previous governance guidelines (No. 3/R.M) of 2020, specifically amending Article (14) concerning the board of directors' obligations by revising Clause (7).

This circular provides companies with an opportunity to bolster their governance frameworks, which can foster greater market confidence, support sustained growth, and enhance accountability and transparency in financial reporting, ultimately boosting investor trust.

Steering through the latest amendments

The amendments highlight the importance for public joint-stock companies to implement robust internal control and risk management systems that meet global standards, specifically the COSO framework, while tailoring the framework to the company size and operational complexity.

Phase one – fiscal year 2024

  • Senior management must oversee the implementation of internal control over financial reporting (ICOFR) by conducting a self-assessment of such controls and risk management systems and addressing any identified gaps.
  • This may be carried out internally by the concerned department or through third-party expert assessments.
  • An independent auditor will review and present a report to the board of directors. 

Phase two – fiscal year 2025

  • Senior management must conduct a self-assessment of internal control systems and risk management, including ICOFR, and address any identified gaps.
  • This may be carried out internally by the concerned department or through third-party expert assessments.
  • An independent auditor will provide a detailed report and express an opinion on the effectiveness of the company’s internal control and risk management systems, including effective internal controls over financial reporting (ICOFR).
  • The auditor may express an opinion in line with the appropriate internal control framework determined by the board of directors by issuing a separate report.
  • This report will include their opinion, identify deficiencies, and capture the necessary actions to address them.
  • Public joint-stock companies must take immediate corrective actions in response to auditors' findings, ensuring that any weaknesses in the internal control systems are addressed to maintain compliance with the governance framework. 

Accountability

Board of directors

  • The board retains ultimate responsibility for ensuring that effective risk management systems and internal controls exist and align with the company's risk tolerance, for evaluating their effectiveness, and for implementing corrective measures where needed.
  • The board is responsible for establishing and approving an appropriate internal control and risk management framework that aligns with global best practices (COSO Framework).

Senior management

  • Senior management is responsible for implementing sound policies, effective procedures, and robust systems that align with the risk management and internal control frameworks approved by the board.

Independent auditors

  • The auditor shall only express an opinion on the effectiveness of internal control systems and risk management related to financial reporting (ICOFR) for the financial year 2024.
  • The auditor shall express an opinion on the effectiveness of the overall internal control systems and risk management, including ICOFR, for the financial year 2024.

How can Forvis Mazars help?

Our team is well-equipped to help companies evaluate the adequacy and effectiveness of their controls while implementing and enhancing their ICOFR processes. We have considerable experience in conducting ICOFR Gap Assessments and in designing, implementing, and reporting on the COSO framework, acquired through our advisory work with entities regulated by the Abu Dhabi Accountability Authority (ADAA).

As your advisors, we will specifically assist with the following:

  • Conduct a thorough analysis and gap assessment of the company’s governance structure, as well as its operating and IT controls.
  • Evaluate control adequacy from a design perspective and control effectiveness from an operational standpoint for controls that directly or indirectly impact financial reporting.
  • Develop a tailored internal control framework based on the COSO model to meet ICOFR requirements.
  • Develop a comprehensive risk and control matrix that addresses both operational and financial risks, ensuring alignment with the control framework, regulations, and other requirements.
  • Prepare a gap assessment report for senior management and the audit committee, detailing the results of the ICOFR assessment.
  • Assist in remediating identified control gaps and testing the operational effectiveness of ICOFR.
  • Provide recommendations for integrating automation and emerging technologies into internal control and risk management processes, enhancing efficiency, monitoring capabilities, and reporting effectiveness.
  • Establish monitoring mechanisms to ensure compliance with regulatory expectations.
  • Facilitate training and knowledge transfer to relevant teams across the organisation. 

We recommend that management proceed with establishing a formalised methodology in alignment with the applicable COSO framework for internal control over financial reporting (ICOFR) and entity-wide controls. This will help ensure that effective internal controls are in place while we await final confirmation from the regulators.
