The Internal Control Toolkit Guide
About Red Sea Global
Red Sea Global (RSG) is one of the world’s most visionary developers, wholly owned by the Public Investment Fund (PIF) of Saudi Arabia. We are spearheading a new model of development, putting people and planet first and leveraging the most innovative concepts and technologies to deliver projects that actively enhance the well-being of customers, communities and environments. Our portfolio includes two world-leading destinations announced by HRH Crown Prince Mohammad bin Salman bin Abdulaziz Al-Saud, The Red Sea and Amaala. Collectively, these responsible and regenerative tourism destinations will aim to enhance Saudi Arabia’s luxury tourism and sustainability offering, going above and beyond to not only protect the natural environment, but to enhance it for future generations to come. A cornerstone of Vision 2030, RSG will help transform the nation, creating significant economic opportunities for the people of Saudi Arabia and actively enhancing the Kingdom’s rich environmental and cultural heritage.
Message from our CEO
John Pagano
Group Chief Executive Officer
At Red Sea Global, preserving and enhancing the natural environment whilst we deliver regenerative tourism is why we exist. This means the regeneration of the environment, society, and the economy. In order to do this successfully, we have set ourselves ambitious goals and a clear pathway to success. The governance standards we have established are what inform how we deliver what matters most, and I believe the Toolkit can be just as significant in driving success for other businesses across the Kingdom.
Group Chief Governance Officer Message
Dr. Maryam Ficociello
At RSG, we aim to set new standards in regenerative development, respecting the natural world, creating opportunities for the local communities, and protecting the destination for the future. Good governance is so much more than simply complying with a set of rules and regulations. It binds all functions of a business together, irrespective of their different priorities, by ensuring everyone abides by the same set of ethical standards. Our experience has taught us that investing time and resource into setting high standards from the outset pays back dividends. When strong governance principles are defined, they play a key role in establishing credibility with employees, shareholders, investors, and business partners. All businesses should view governance as an opportunity to not only set themselves up for success but to demonstrate responsible business management.
With this in mind, I am delighted to share with you our Toolkit. As part of our commitment to good governance, we have set out for ourselves comprehensive Internal Control targets that take us through the different maturity stages of the internal governance life cycle that we have and are committed to implementing from day one right up until the project is fully developed and delivered. Our Toolkit is periodically reported to the Board of Directors and to the Audit Committee to provide assurance of our robust internal control mechanisms. In essence, it provides us with a roadmap of what good controls look like, and how we can reach and even surpass them.
Message from the Board Member and Minister of Commerce
H.E. Dr. Majed Al Qasabi
Minister of Commerce and Board Member
Governance is a key enabler and cornerstone of the Kingdom of Saudi Arabia’s ambitious Vision 2030. I am impressed by the Internal Control Toolkit that has been developed and implemented by Red Sea Global Company. This Toolkit aims to help organizations develop and enhance their governance, risk and compliance practices in order to ensure that they are not only adopting world leading practices in terms of governance, but also to support in complying with all applicable laws and regulations. I hope to see many more organizations follow suit in adopting such governance practices.
Message from the Minister of Municipal and Rural Affairs and Housing
H.E. Mr. Majed Al-Hogail
Minister of Municipal and Rural Affairs and Housing, Board Member and Chairman of Audit Committee
Red Sea Global's adoption of world-leading internal control practices and making them available to all is a commendable endeavor and truly reflects their commitment to enhancing governance practices across the Kingdom. Having witnessed the evolution of the Internal Control Toolkit and the praiseworthy effort exhibited by the team, I am truly proud to share it for everyone's benefit.
Contents
01 Approach (page 8)
02 COSO Framework Overview (page 14)
03 Implementation Roadmap (page 19)
04 Samples and Templates (page 25)
05 Contact Us (page 26)
01 Approach
The Purpose of this Document is to Provide:
• An introduction to the process which was utilized in the creation of the IC Toolkit
• A brief background on the Internal Control framework that was adopted
• An overview on the Internal Control implementation roadmap, spanning across two stages of implementation
• Access to the developed tools and templates
The process initiated with the development of a simple “4 step” process to guide in the development of the IC Toolkit…
Step 1: Definition & Framework Selection
Define Internal Control, framework selection criteria and select a framework
Step 2: Identify Controls
Identify Internal Controls and develop standard templates to support start-up
Step 3: Define Maturity Phases
Identify Maturity Model for the organization and foundation for the implementation roadmap
Step 4: Develop Implementation Roadmap
Assign internal controls to different stages and phases of maturity for implementation
The first step was to define “Internal Control” and then identify the key selection criteria for the internal control framework…
Definition of Internal Control
Different definitions exist for internal control. The below was selected as most suitable.
Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Source: COSO Internal Control – Integrated Framework (2013)
Framework Selection Criteria
• Detailed Guidance Readily Available
• Entity-wide Approach
• Internal Control Maturity
• General Industry Application
Accordingly, the COSO framework was selected as it provided detailed guidance, views internal control through an entity-level perspective, considers maturity in implementation, and provides general guidance without a specific focus on an industry or field.
COSO Framework
Internal Control-Integrated Framework Published by The Committee of Sponsoring Organizations of the Treadway Commission’s initiative.
Message from Former COSO Chairman
Paul J. Sobel
COSO Chairman
Red Sea Global Company’s Internal Control Toolkit is impressively easy to use and follow. By embracing COSO's Internal Control – Integrated Framework as a foundation, they have compiled a comprehensive, and simple guide to structuring governance practices. Bringing this guide into circulation will assist entities in adopting a principles-based approach towards developing, managing and monitoring their internal controls.
02 COSO Framework Overview
The below chart sets out the main hierarchical elements of the COSO internal control framework.
5 Components > 17 Principles > Points of Focus > Controls
Source: COSO Internal Control – Integrated Framework (2013)
Components
The framework consists of five integrated components.
Principles
The framework sets out 17 principles representing the fundamental concepts associated with each component.
Points of Focus
In addition to the 17 principles, the framework also details points of focus to aid in the application of each principle.
Controls
Controls provide persuasive evidence that relevant principles are present and functioning across the entity.
The framework consists of five integrated components
Control Environment
“The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.”
Risk Assessment
“Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed.”
Control activities
“Control activities are the actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.”
Information & Communication
“Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities.”
Monitoring Activities
“Continuous evaluations are used to ascertain whether each of the five components of internal control, are present and functioning. Findings are evaluated and deficiencies are communicated, with serious matters reported to senior management and to the board.”
Source: COSO Internal Control – Integrated Framework (2013)
Using the COSO framework as a base, controls were identified across the 5 components and 17 principles
Illustrative Example
Component: 1. Control Environment

Principle 1. Commitment to integrity and ethical values
Points of Focus:
• Set the “Tone at the top”
• Establish Conduct Standards
• Evaluate adherence to these Standards
• Address deviations in timely manner
Controls:
• Mandate
• Board appointment
• Code of Conduct
• Whistleblowing platform
• Internal Audit

Principle 2. Independent Board that exercises oversight
Points of Focus:
• Establish oversight responsibility
• Apply relevant expertise
• Operate independently
• Provide oversight on the five components of internal control
Controls:
• Governance Charter
• Committee Appointment
• Audit committee Charter
• Internal Audit Charter
• Internal Audit

Principle 3. Established structures and Authorities and responsibilities
Points of Focus:
• Consider all structures of the entity
• Establish reporting lines
• Define, assign and limit authorities and responsibilities
Controls:
• Organization Structure
• Governance charter
• Job Descriptions
• Delegation of Authority Matrix
• IT infrastructure

Principle 4. Demonstrate commitment to competence
Points of Focus:
• Establish policies and practices
• Evaluate competence and address weakness
• Attract, develop and retain people
• Plan for succession
Controls:
• Job Descriptions
• HR Policies
• Succession Plan

Principle 5. Enforce accountability
Points of Focus:
• Enforce through structures, authority and responsibility
• Establish and evaluate KPIs, incentives and rewards
• Consider excessive pressure
Controls:
• HR Policies
• Key Performance Indicators
• Governance Manual
Message from Board Member and Secretary General of the Board
H.E. Dr. Fahad Toonsi
Board Member and Secretary General of the Board
As the Secretary General of Red Sea Global Company, one of my main responsibilities is to ensure that our Shareholder and Board of Directors are provided with the requisite reporting in relation to our governance practices, whilst providing them with the assurances that the company has both the adequate and appropriate controls and mechanisms in place. In order to do this, we have developed a comprehensive Toolkit, which has supported and guided us throughout our journey. Accordingly, we are pleased to share this tried and tested Toolkit to support other entities with their governance journey and thereby improving governance practices across KSA. As more and more entities in KSA become better governed, our economy will become more sustainable over the long term.
03 Implementation Roadmap
The next step was to align the maturity framework adopted for the organization with the maturity levels for Internal Control as defined by COSO, setting the foundation for the implementation roadmap

Entity maturity phases
Phase Zero: INCUBATE
Objective: The development of minimum legal and operational requirements to incorporate the entity and to commence its assigned preliminary function.
Phase One: LAUNCH
Objective: The development of the internal structure including the necessary appointments and infrastructure needed to cement the corporation as an operational entity.
Phase Two: GROW
Objective: The development of the support functions within the entity.
Phase Three: ACCELERATE
Objective: The establishment of a fully sustainable structure including the necessary support functions, controls etc.
Phase Four: STABILIZE
Objective: Maintain and continuously improve the established system of internal control.

COSO internal control maturity levels
Level 1: Informal or Ad-hoc
• Control activities fragmented.
• Control activities may be managed in “silo” situations.
• Control activities dependent upon individual heroics.
• Inadequate documentation and reporting methods.
• Inadequate monitoring methods.
Level 2: Standard
• Control awareness exists.
• Control activities designed.
• Control activities in place.
• Some documentation and reporting methodology exists.
• Automated tools and other control measures may exist but are not necessarily integrated within all functions.
• Accountability and performance monitoring requires improvement.
Level 3: Managed & Monitored
• Key Performance Indicators (KPIs) are defined for monitoring effectiveness.
• Well-understood chains of accountability exist.
• A formal control framework exists.
• Automated tools and other control measures are used to generate more standardized assessments.
Level 4: Optimized
• Highly automated control infrastructure.
• Benchmarking, best practices and continuous improvement elements incorporated into monitoring efforts.
• Real-time monitoring.
A two-stage implementation roadmap was developed by applying the identified internal controls across the maturity framework
1. Establishment (Stage One): Phase Driven
Support establishment of entity by providing the minimum required Internal Controls
2. On-Going Operations (Stage Two): Control Type Driven
Add a layer of Internal Controls to facilitate monitoring and continuous improvement once stage one is complete
Roadmap - Stage One: Establishment
Status legend: Completed, In-Progress, Delayed, Not Started
Entity phases:
• Phase Zero – from Day 1: INCUBATE
• Phase One – within 3 – 6 months: LAUNCH
• Phase Two – within 6-12 months: GROW
• Phase Three – within 12 – 18 months: ACCELERATE
COSO levels:
• Level 1: Informal or Ad-hoc
• Level 2: Standard
• Level 3: Managed & Monitored
Marker shown against controls for which a template is available: Sample provided – Refer to Page Number 25
Key Controls (numbered 1 to 36 in the original chart):
• Interim legal status defined
• BoD and Committees appointed
• Mandate/high level strategy defined
• Preliminary Governance Charters developed
• Interim CEO appointed and preliminary authorities defined
• Preliminary HR, Procurement, and Finance Manuals developed
• Core Functions Heads /Managers (HR, Finance, Legal) appointed
• Preliminary Budget defined
• 12-month operational plan prepared
• CEO and Core Function Heads appointed
• Governance Policies developed (including Related party transactions policy)
• Code of conduct and business ethics developed
• Risk Appetite defined
• Sector-specific Policies (Compliance, Env. Sustainability, etc.) developed
• External Auditors appointed
• Detailed job descriptions and appraisal policy developed
• Detailed Strategy Document /Business Plan developed
• Org. structure (JDs, manpower plan, Comp & Benefits) designed
• Legal Manual developed
• IT Manual developed
• Delegation of Authority Matrix (N-2) prepared
• CEO KPIs are set
• HR, Finance, and Procurement Manuals developed
• Project Execution Manual developed
• Marketing and PR Strategy developed
• Office space allocated
• Basic IT infrastructure set-up
• Budget defined
• Legal Entity established
• Internal Audit Function Head appointed, and IA Charter developed
• Succession Plan drafted
• Enterprise Risk Management Framework designed
• Business Continuity Policy/Plan developed
• Subsidiary governance (based on subsidiary need assessment) developed
• General Services Policies developed
• Supplier Code of Conduct and Employment Practices Policy
Roadmap - Stage Two: On-going Operations (Illustrative Example)
Entity: Phase Four – after 18 months: STABILIZE
COSO: Level 4: Optimized
Status legend: Up to date, Under Review/ Development, Delayed, Not Started
Control categories:
• Strategic Planning & Governance
• Performance & Operational Enablers
• Technology (infrastructure and security)
• Monitoring and Improvement
In the original chart each key control is shown with a completion percentage and a next review cycle (Q1 2021 to Q4 2021).
Key Controls (numbered 1 to 40 in the original chart):
• Entity Strategy
• Departmental strategies
• Risk Appetite
• Business Continuity Plan
• Charters
• Policies
• CEO DoA (N-1)
• Organization Structure
• Succession plan
• Annual / Phase Budget
• Job Descriptions
• Departmental DoA (N-2)
• CEO KPIs
• CEO Performance Evaluation
• Key Risk Indicators
• Departmental KPIs
• Compliance Operating Model
• ERM Operating Model
• Manpower Plan
• Departmental Procedures
• Continuous Audit mechanism
• Business Intelligence
• ERP system
• EGRC
• Whistleblowing platform
• Board and Committee portal
• Project management information system
• Risk Report (includes Risk Register)
• Compliance Report (includes 100% compliance universe)
• Audited Financial Statements
• Audit Committee Report
• Annual Report
• GRC Culture Survey
• IC Awareness Workshop
• Internal Audit Plan
• QA Reviews
• Annual IC Toolkit Review
• Policy Needs Assessment
• BoD/Committees Review
• External Auditor Assessment
04 Samples and Templates
These templates are applicable to both private and public entities
Download Toolkit
Detailed Toolkit Guidance
This toolkit in editable version (Unbranded)
Preliminary Governance Charters developed
Manpower Plan
Procurement Policy Manual
Enterprise Risk Management Manual (Incl. Risk Appetite)
Internal Audit Charter
CEO (or equivalent) preliminary authorities
Sample Job Descriptions
Detailed Budget
Legal and Regulatory Compliance Manual
Compliance Management Manual
Information Technology Policy Manual
Business Continuity Plan
Preliminary Budget
Code of Conduct
Organization structure
Delegation of Authority
Governance Policies
Finance and Accounting Policy Manual
Shareholder Engagement Policy
CEO (or equivalent) KPIs
General Services Policy
Human Resources Policy Manual (incl. succession planning)
Related Party Transactions Policy
Project Management Policy Manual
Supplier Code of Conduct
For further details on the IC Toolkit please contact the following: Governance@redseaglobal.com