The Internal Controls Toolkit Guide



About Red Sea Global

Red Sea Global (RSG) is one of the world’s most visionary developers, wholly owned by the Public Investment Fund (PIF) of Saudi Arabia. We are spearheading a new model of development, putting people and planet first and leveraging the most innovative concepts and technologies to deliver projects that actively enhance the well-being of customers, communities and environments. Our portfolio includes two world-leading destinations announced by HRH Crown Prince Mohammad bin Salman bin Abdulaziz Al-Saud, The Red Sea and Amaala. Collectively, these responsible and regenerative tourism destinations will aim to enhance Saudi Arabia’s luxury tourism and sustainability offering, going above and beyond to not only protect the natural environment, but to enhance it for future generations to come. A cornerstone of Vision 2030, RSG will help transform the nation, creating significant economic opportunities for the people of Saudi Arabia and actively enhancing the Kingdom’s rich environmental and cultural heritage.



Group Chief Executive Officer Message

John Pagano

At Red Sea Global, preserving and enhancing the natural environment whilst we deliver regenerative tourism is why we exist. This means the regeneration of the environment, society, and the economy. In order to do this successfully, we have set ourselves ambitious goals and a clear pathway to success. The governance standards we have established are what inform how we deliver what matters most, and I believe the Toolkit can be just as significant in driving success for other businesses across the Kingdom.



Group Chief Governance Officer Message

Dr. Maryam Ficociello

At RSG, we aim to set new standards in development, respecting the regenerative natural world, creating opportunities for the local communities, and protecting the destination for the future. Good governance is so much more than simply complying with a set of rules and regulations. It binds all functions of a business together, irrespective of their different priorities, by ensuring everyone abides by the same set of ethical standards. Our experience has taught us that investing time and resource into setting high standards from the outset pays back dividends. When strong governance principles are defined, they play a key role in establishing credibility with employees, shareholders, investors, and business partners. All businesses should view governance as an opportunity to not only set themselves up for success but to demonstrate responsible business management.

With this in mind, I am delighted to share with you our Toolkit. As part of our commitment to good governance, we have set out for ourselves comprehensive Internal Control targets that take us through the different maturity stages of the internal governance life cycle that we have and are committed to implementing from day one right up until the project is fully developed and delivered. Our Toolkit is periodically reported to the Board of Directors and to the Audit Committee to provide assurance of our robust internal control mechanisms. In essence, it provides us with a roadmap of what good controls look like, and how we can reach and even surpass them.



Message from the Board Member and Minister of Commerce H.E. Dr. Majed Al Qasabi

Minister of Commerce and Board Member


Governance is a key enabler and cornerstone of the Kingdom of Saudi Arabia’s ambitious Vision 2030. I am impressed by the Internal Control Toolkit that has been developed and implemented by Red Sea Global Company. This Toolkit aims to help organizations develop and enhance their governance, risk and compliance practices in order to ensure that they are not only adopting world leading practices in terms of governance, but also to support in complying with all applicable laws and regulations. I hope to see many more organizations follow suit in adopting such governance practices.



Message from the Minister of Municipal and Rural Affairs and Housing H.E. Mr. Majed Al-Hogail

Minister of Municipal and Rural Affairs and Housing, Board Member and Chairman of Audit Committee

Red Sea Global's adoption of world-leading internal control practices and making them available to all is a commendable endeavor and truly reflects their commitment to enhancing governance practices across the Kingdom. Having witnessed the evolution of the Internal Control Toolkit and the praiseworthy effort exhibited by the team, I am truly proud to share it for everyone's benefit.


Contents

01 Approach (page 8)
02 COSO Framework Overview (page 14)
03 Implementation Roadmap (page 19)
04 Samples and Templates (page 25)
05 Contact Us (page 26)


01 Approach


The Purpose of this Document is to Provide:

• An introduction to the process which was utilized in the creation of the IC Toolkit
• A brief background on the Internal Control framework that was adopted
• An overview on the Internal Control implementation roadmap, spanning across two stages of implementation
• Access to the developed tools and templates


The process began with the development of a simple “4 step” process to guide the development of the IC Toolkit…

Step 1: Definition & Framework Selection. Define Internal Control, framework selection criteria and select a framework

Step 2: Identify Controls. Identify Internal Controls and develop standard templates to support start-up

Step 3: Define Maturity Phases. Identify Maturity Model for the organization and foundation for the implementation roadmap

Step 4: Develop Implementation Roadmap. Assign internal controls to different stages and phases of maturity for implementation


The first step was to define “Internal Control” and then identify the key selection criteria for the internal control framework…

Definition of Internal Control

Different definitions exist for internal control. The below was selected as most suitable.

Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Source: COSO Internal Control – Integrated Framework (2013)

Framework Selection Criteria

• Detailed Guidance Readily Available
• Entity-wide Approach
• Internal Control Maturity
• General Industry Application


Accordingly, the COSO framework was selected as it provides detailed guidance, views internal control through an entity-level perspective, considers maturity in implementation, and provides general guidance without a specific focus on an industry or field.

COSO Framework

Internal Control – Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission’s initiative.


Message from Former COSO Chairman Paul J. Sobel

COSO Chairman


Red Sea Global Company’s Internal Control Toolkit is impressively easy to use and follow. By embracing COSO's Internal Control – Integrated Framework as a foundation, they have compiled a comprehensive, and simple guide to structuring governance practices. Bringing this guide into circulation will assist entities in adopting a principles-based approach towards developing, managing and monitoring their internal controls.


02 COSO Framework Overview


The below chart sets out the main hierarchical elements of the COSO internal control framework.

5 Components → 17 Principles → Points of Focus → Controls

Source: COSO Internal Control – Integrated Framework (2013)

• Components: The framework consists of five integrated components.
• Principles: The framework sets out 17 principles representing the fundamental concepts associated with each component.
• Points of Focus: In addition to the 17 principles, the framework also details points of focus to aid in the application of each principle.
• Controls: Controls provide persuasive evidence that relevant principles are present and functioning across the entity.


The framework consists of five integrated components

Control Environment

“The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.”

Risk Assessment

“Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.”

Control Activities

“Control activities are the actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.”

Information & Communication

“Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities.”

Monitoring Activities

“Continuous evaluations are used to ascertain whether each of the five components of internal control, are present and functioning. Findings are evaluated and deficiencies are communicated, with serious matters reported to senior management and to the board.”

Source: COSO Internal Control – Integrated Framework (2013)



Using the COSO framework as a base, controls were identified across the 5 components and 17 principles

Illustrative Example

Component: 1. Control Environment

Principle 1. Commitment to integrity and ethical values

Points of Focus:
• Set the “Tone at the top”
• Establish Conduct Standards
• Evaluate adherence to these Standards
• Address deviations in timely manner

Controls:
• Mandate
• Board appointment
• Code of Conduct
• Whistleblowing platform
• Internal Audit

Principle 2. Independent Board that exercises oversight

Points of Focus:
• Establish oversight responsibility
• Apply relevant expertise
• Operate independently
• Provide oversight on the five components of internal control

Controls:
• Governance Charter
• Committee Appointment
• Audit Committee Charter
• Internal Audit Charter
• Internal Audit

Principle 3. Established structures and Authorities and responsibilities

Points of Focus:
• Consider all structures of the entity
• Establish reporting lines
• Define, assign and limit authorities and responsibilities

Controls:
• Organization Structure
• Governance Charter
• Job Descriptions
• Delegation of Authority Matrix
• IT infrastructure

Principle 4. Demonstrate commitment to competence

Points of Focus:
• Establish policies and practices
• Evaluate competence and address weakness
• Attract, develop and retain people
• Plan for succession

Controls:
• Job Descriptions
• HR Policies
• Succession Plan

Principle 5. Enforce accountability

Points of Focus:
• Enforce through structures, authority and responsibility
• Establish and evaluate KPIs, incentives and rewards
• Consider excessive pressure

Controls:
• HR Policies
• Key Performance Indicators
• Governance Manual


Message from Board Member and Secretary General of the Board H.E. Dr. Fahad Toonsi

Board Member and Secretary General of the Board

As the Secretary General of Red Sea Global Company, one of my main responsibilities is to ensure that our Shareholder and Board of Directors are provided with the requisite reporting in relation to our governance practices, whilst providing them with the assurances that the company has both the adequate and appropriate controls and mechanisms in place. In order to do this, we have developed a comprehensive Toolkit, which has supported and guided us throughout our journey. Accordingly, we are pleased to share this tried and tested Toolkit to support other entities with their governance journey and thereby improving governance practices across KSA. As more and more entities in KSA become better governed, our economy will become more sustainable over the long term.


03 Implementation Roadmap


The next step was to align the maturity framework adopted for the organization with the maturity levels for Internal Control as defined by COSO, setting the foundation for the implementation roadmap

Entity

• Phase Zero: INCUBATE. Objective: The development of minimum legal and operational requirements to incorporate the entity and to commence its assigned preliminary function.
• Phase One: LAUNCH. Objective: The development of the internal structure including the necessary appointments and infrastructure needed to cement the corporation as an operational entity.
• Phase Two: GROW. Objective: The development of the support functions within the entity.
• Phase Three: ACCELERATE. Objective: The establishment of a fully sustainable structure including the necessary support functions, controls etc.
• Phase Four: STABILIZE. Objective: Maintain and continuously improve the established system of internal control.

COSO

Level 1: Informal or Ad-hoc
• Control activities fragmented.
• Control activities may be managed in “silo” situations.
• Control activities dependent upon individual heroics.
• Inadequate documentation and reporting methods.
• Inadequate monitoring methods.

Level 2: Standard
• Control awareness exists.
• Control activities designed.
• Control activities in place.
• Some documentation and reporting methodology exists.
• Automated tools and other control measures may exist but are not necessarily integrated within all functions.
• Accountability and performance monitoring requires improvement.

Level 3: Managed & Monitored
• Key Performance Indicators (KPIs) are defined for monitoring effectiveness.
• Well-understood chains of accountability exist.
• A formal control framework exists.
• Automated tools and other control measures are used to generate more standardized assessments.

Level 4: Optimized
• Highly automated control infrastructure.
• Benchmarking, best practices and continuous improvement elements incorporated into monitoring efforts.
• Real-time monitoring.


A two-stage implementation roadmap was developed by applying the identified internal controls across the maturity framework

1. Establishment (Stage One), Phase Driven: Support establishment of entity by providing the minimum required Internal Controls

2. On-Going Operations (Stage Two), Control Type Driven: Add a layer of Internal Controls to facilitate monitoring and continuous improvement once stage one is complete


Roadmap - Stage One: Establishment

Status legend: Completed, In-Progress, Delayed, Not Started

COSO:
• Level 1: Informal or Ad-hoc
• Level 2: Standard
• Level 3: Managed & Monitored

Entity:
• Phase Zero – from Day 1: INCUBATE
• Phase One – within 3 – 6 months: LAUNCH
• Phase Two – within 6-12 months: GROW
• Phase Three – within 12 – 18 months: ACCELERATE

Key Controls (where a sample is provided, refer to Page Number 25):
• Interim legal status defined
• BoD and Committees appointed
• Mandate/high level strategy defined
• Preliminary Governance Charters developed
• Interim CEO appointed and preliminary authorities defined
• Preliminary HR, Procurement, and Finance Manuals developed
• Core Functions Heads/Managers (HR, Finance, Legal) appointed
• Preliminary Budget defined
• 12-month operational plan prepared
• CEO and Core Function Heads appointed
• Detailed Strategy Document/Business Plan developed
• Org. structure (JDs, manpower plan, Comp & Benefits) designed
• Delegation of Authority Matrix (N-2) prepared
• HR, Finance, and Procurement Manuals developed
• Marketing and PR Strategy developed
• Office space allocated
• Basic IT infrastructure set-up
• Budget defined
• Legal Entity established
• Governance Policies developed (including Related party transactions policy)
• Risk Appetite defined
• External Auditors appointed
• Legal Manual developed
• IT Manual developed
• CEO KPIs are set
• Project Execution Manual developed
• Code of conduct and business ethics developed
• Sector-specific Policies (Compliance, Env. Sustainability, etc.) developed
• Detailed job descriptions and appraisal policy developed
• Internal Audit Function Head appointed, and IA Charter developed
• Succession Plan drafted
• Enterprise Risk Management Framework designed
• Business Continuity Policy/Plan developed
• Subsidiary governance (based on subsidiary need assessment) developed
• General Services Policies developed
• Supplier Code of Conduct and Employment Practices Policy


Roadmap - Stage Two: On-going Operations

Illustrative Example

Status legend: Up to date, Under Review/Development, Delayed, Not Started

COSO: Level 4: Optimized

Entity: Phase Four – after 18 months: STABILIZE

Key Controls (the chart shows a completion percentage and a next review cycle, Q1 to Q4 2021, against the controls):

Strategic Planning & Governance
• Entity Strategy
• Departmental strategies
• Risk Appetite
• Business Continuity Plan
• Charters
• Policies
• CEO DoA (N-1)
• Organization Structure
• Succession plan
• Annual / Phase Budget

Performance & Operational Enablers
• Job Descriptions
• Departmental DoA (N-2)
• CEO KPIs
• CEO Performance Evaluation
• Key Risk Indicators
• Departmental KPIs
• Compliance Operating Model
• ERM Operating Model
• Manpower Plan
• Departmental Procedures

Technology (infrastructure and security)
• Continuous Audit mechanism
• Business Intelligence
• ERP system
• EGRC
• Whistleblowing platform
• Board and Committee portal
• Project management information system

Monitoring and Improvement
• Risk Report (includes Risk Register)
• Compliance Report (includes compliance universe)
• Audited Financial Statements
• Audit Committee Report
• Annual Report
• GRC Culture Survey
• IC Awareness Workshop
• Internal Audit Plan
• QA Reviews
• Annual IC Toolkit Review
• Policy Needs Assessment
• BoD/Committees Review
• External Auditor Assessment


04 Samples and Templates

These templates are applicable to both private and public entities

Download Toolkit:
• Detailed Toolkit Guidance
• This toolkit in editable version (Unbranded)

Templates:
• Preliminary Governance Charters developed
• Manpower Plan
• Procurement Policy Manual
• Enterprise Risk Management Manual (Incl. Risk Appetite)
• Internal Audit Charter
• CEO (or equivalent) preliminary authorities
• Sample Job Descriptions
• Detailed Budget
• Legal and Regulatory Compliance Manual
• Compliance Management Manual
• Information Technology Policy Manual
• Business Continuity Plan
• Preliminary Budget
• Code of Conduct
• Organization structure
• Delegation of Authority
• Governance Policies
• Finance and Accounting Policy Manual
• Shareholder Engagement Policy
• CEO (or equivalent) KPIs
• General Services Policy
• Human Resources Policy Manual (incl. succession planning)
• Related Party Transactions Policy
• Project Management Policy Manual
• Supplier Code of Conduct


For further details on the IC Toolkit, please contact: Governance@redseaglobal.com
