
Shaped by past global corporate reporting shortfalls, regulatory expectations on governance and financial integrity have become significantly more stringent than they were previously.
Companies are strengthening their internal control frameworks as investors, regulatory bodies, and rating agencies demand reduced risks, transparency, and accountability.
After the Sarbanes-Oxley Act (SOX) (2002) was introduced in the US, following Enron’s collapse, many countries, including Canada, India, the UK, and EU nations, introduced regulations to strengthen the internal controls on financial reporting of listed companies.
New regulations have also been issued in the UAE following the UAE’s Securities and Commodities Authority (SCA) establishing Internal Control on Financial Reporting (ICFR) as mandatory for all UAE-listed companies in 2024.
In 2024, the requirements were limited to performing a self-assessment of ICFR and addressing identified gaps. Auditors were requested to provide an opinion, which was not made public.
From 2025 onwards, the SCA requirements are that the company’s external auditor must provide an opinion on the effectiveness of the overall internal control and risk management system (going even beyond ICFR), and this opinion must be publicly disclosed.
The evolving expectations around financial reporting governance
As financial reporting became more complex and the need for compliance with financial accounting standards grew, companies started shifting from traditional financial checks to more digitalised, integrated, and continuous internal control systems such as continuous controls monitoring (CCM).
These systems produce real-time results and reduce human error, ensuring accuracy and greater time and cost efficiency. This transformation reflects a new mindset in governance and risk management.
Most, if not all, internal control systems are based on the COSO framework, a global benchmark that emphasises risk management, continuous monitoring, and process automation through technology. SOX mandates internal control documentation and independent control assessments and has set a standard for accountability and transparency in the US, and various countries in the MENA region.
Furthermore, IFRS highlights consistent and reliable financial reporting, compelling organisations to align their internal controls with international standards to ensure data integrity for adequate external reporting.
As previously mentioned, the UAE’s SCA has expanded ICFR requirements to all listed companies, mandating independent audits and covering operational, IT, and compliance risks. This regulation does require adherence to the COSO framework but emphasises that internal controls must align with global standards, improving transparency, risk management, and strengthening stakeholder trust.
Additionally, SOX requires audit committees, boards, and external auditors to regularly request evidence of operational control effectiveness and risk assessments. This ensures controls are properly embedded and consistently maintained, supporting the financial integrity of institutions. I expect it will not be different in the UAE.
Key pillars of a strong internal control framework
According to the COSO framework, a strong internal control framework relies on five key pillars: control environment, risk assessment, control activities, information and communication, and monitoring. Effective leadership establishes the ‘tone at the top’, creating a strong control environment, solidifying ethical standards, structure, and accountability. Conducting regular risk assessments maintains effective internal financial monitoring.
Control activities set policies and structures to mitigate identified risks. Clear communication among finance, audit, risk teams, and external stakeholders ensures transparency in the reporting process.
Lastly, ongoing monitoring of all control activities and internal assessments are crucial for enhancing operational effectiveness. These pillars create a robust control environment, promoting accurate and transparent financial monitoring.
The role of technology: Enabling real-time financial governance
Automation, data analytics, and AI-driven monitoring tools have fundamentally transformed internal control processes, enhancing accuracy in control data and reducing manual errors. For a CFO, these technological developments are indispensable. CCM systems audit transactions in real time, rapidly identifying anomalies and ensuring the accuracy of financial records.
In comparison to periodic reviews, they use real-time monitoring and automated reconciliations to maintain financial integrity and transparency. More organisations are already implementing CCM solutions to improve operational efficiency, minimise manual errors and recovery costs, effectively manage risks, and comply with increasing regulations.
CFOs' evolving responsibility: Building resilience and trust
The CFO is instrumental in promoting a culture of accountability and risk awareness throughout the organisation. They are responsible for overseeing all key systems, processes, and internal controls as well as ensuring financial integrity.
By embodying an ethical mindset and leadership role in championing these actions, they set the ‘tone at the top’, cultivating an environment that emphasises strengthening internal controls, maintaining accuracy and efficiency.
Today, internal control frameworks are more than a tick-the-box exercise in regulatory compliance. Robust internal controls underpin not just compliance, but long-term value creation, ethical decision-making, and sustained stakeholder trust.
The establishment of a proper ICFR framework, as now prescribed in the UAE by SCA, is a positive step in further professionalising companies.
Based on my experience, it helps organisations ensure controls on financial reporting are implemented and function effectively, limiting the risk of reporting errors.
As a CFO, I believe ICFR is a highly effective ‘tool’ to ensure financial reporting is correct and of stakeholder quality, although experience teaches us that it takes a couple of years to get it optimally embedded within a company.
There are various pitfalls in implementing ICFR, for example, identifying too many separate controls. Yet, I believe firmly that the mandatory implementation of ICFR for listed companies is an important step in setting the foundation for the UAE to fulfil its vision of becoming the world’s top financial hub.
The writer is the group CFO at Mashreq.