Abstract
Purpose
The existence of internal control for Sharīʿah-compliance promotes reasonable assurance that the Islamic financial institution’s (IFI’s) objectives are achieved in the following categories, namely, the effectiveness and efficiency of operations, the reliability of financial reporting and the level of compliance with applicable laws and regulations, as well as accounting and auditing standards. Sharīʿah non-compliant income (SNCI) is an important issue in IFIs’ operations. Thus, the purpose of this paper is to identify issues related to governance and internal control of SNCI in selected IFIs in Malaysia.
Design/methodology/approach
This research uses a case study approach to gather data on the measures of governance and risk management in relation to the internal control for SNCI in IFIs. Interviews were conducted with officers of the Sharīʿah and internal audit departments on internal control practices regarding SNCI.
Findings
Regulator’s guidelines on SNCI are simple and brief, lacking rigour in terms of governance, risk management and audit procedures. The section on SNCI is only a brief statement within the Bank Negara Malaysia’s Guidelines on Financial Reporting for Islamic Banking Institutions and also in the Operational Risk Integrated Online Network system operated by IFIs. Most of the respondents in the interviews suggested that there should be a proper guideline in determining the classification of SNCI. Second, although IFIs have established the purification account to manage SNCI, the real practice varies from one IFI to another. Third, although there are supposedly documented procedures established in relation to management and administration of SNCI, the following events still occur in practice, namely, no authorisation from the Sharīʿah Committee (SC) on various types of income channelled to the SNCI account; unauthorised use of SNCI for other purposes; SNCI not being reported in the annual financial reports; and distribution of SNCI prior to obtaining the SC’s consent. Fourth, there is an absence of Sharīʿah risk assessment conducted on operational risk by IFIs to identify any potential Sharīʿah non-compliant event.
Research limitations/implications
This research contributes to the importance of Islamic corporate governance theory and Sharīʿah risk management, as well as strengthening the case for reporting SNCI to shareholders. It also contributes to the body of knowledge on the capability of the management in managing the internal control system of IFIs’ SNCI.
Originality/value
A new internal control assessment matrix is proposed for Sharīʿah-compliance in IFIs.
Keywords
Citation
Hanefah, M.M., Kamaruddin, M.I.H., Salleh, S., Shafii, Z. and Zakaria, N. (2020), "Internal control, risk and Sharīʿah non-compliant income in Islamic financial institutions", ISRA International Journal of Islamic Finance, Vol. 12 No. 3, pp. 401-417. https://doi.org/10.1108/IJIF-02-2019-0025
Publisher
:Emerald Publishing Limited
Copyright © 2020, Mustafa Mohd Hanefah, Muhammad Iqmal Hisham Kamaruddin, Supiah Salleh, Zurina Shafii and Nurazalia Zakaria.
License
Published in ISRA International Journal of Islamic Finance. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence maybe seen at http://creativecommons.org/licences/by/4.0/legalcode
Introduction
The internal control system is a key area, which is audited during the external audit process. In many Islamic financial institutions (IFIs), the internal control system undergoes auditing annually to overcome any weaknesses in the system. The elements of Sharīʿah (Islamic law) are not included in the internal control and auditing framework, and previous studies show that most IFIs still have weak internal control practices (Ahmed and Khan, 2007; Rosman, 2009; Darmadi, 2013; Rahman and Anwar, 2014; Ab Ghani et al., 2019; Ayedh et al., 2019).
Factors that contribute to weak internal control practices include lack of Sharīʿah audit programmes and incompetence of Sharīʿah officers (Yaacob and Donglah, 2012; Kamaruddin and Hanefah, 2017). For instance, due to the lack of Sharīʿah audit programmes in IFIs, several Sharīʿah audit issues need to be dealt with, such as the narrow scope of Sharīʿah audit in practice; lack of an organised internal Sharīʿah audit framework; shortage of qualified internal Sharīʿah audit personnel; extreme brevity of the Sharīʿah Committee (SC) reports; and inadequate training of judges from the muʿāmalāt (transactions) bench for dispute resolution purposes (Yussof, 2013). Meanwhile, incompetent Sharīʿah officers could lead to financial losses if Sharīʿah non-compliance entails income purification (Kamaruddin and Hanefah, 2017).
It is, thus, important for IFIs to set up a comprehensive internal control system for Sharīʿah-compliance in managing all Sharīʿah issues. Internal control can also be used to manage Sharīʿah non-compliant income (SNCI) by having in place a process to purify ineligible income received by the institutions. SNCI is income generated from transactions that breach governing Sharīʿah principles – principles that are determined by the SCs of IFIs or other Sharīʿah authorities.
However, recent literature shows that there are only a few studies that examine internal control as a mechanism to manage SNCI in IFIs. The most related study is Shafii and Salleh (2010), which attempted to extend the Sharīʿah audit scope on IFIs’ internal control system by including SNCI as part of the proposed Sharīʿah internal control checklist. Meanwhile, a study conducted by Basiruddin and Ahmed (2017) found a significant relationship between extensive Sharīʿah audit processes and the possibility of uncovering SNCI. There are several related studies on SNCI disclosures, notably Maali et al. (2006), Haniffa and Hudaib (2007), Mallin et al. (2014), Rosman et al. (2017), Shafiai and Ali (2019) and Nor and Sawari (2020), but these studies do not include internal control as an effective mechanism for managing SNCI.
Therefore, to fill in this gap, the purpose of this study is to develop an effective internal control mechanism for SNCI in selected IFIs in Malaysia. This is explored through interview sessions conducted with seven officers from both Sharīʿah and internal audit departments and two SC members of selected IFIs in Malaysia. These officers were selected based on their in-depth knowledge regarding current practices of internal Sharīʿah control in IFIs. By having an understanding of the issues and current governance and internal control practices of IFIs, it is hoped that this study will contribute to the development of an effective internal control mechanism for SNCI.
The remainder of the paper is organised as follows. The second section elaborates on sources of SNCI, the internal control mechanism, governance mechanisms and risk and internal control for Sharīʿah-compliance. The third section discusses the methodology of this study, which focusses on the case study method. The fourth section discusses the findings from interview sessions on SNCI and a proposed internal control system for SNCI. The fifth section concludes the study.
Literature review
Sharīʿah non-compliant income
There are various definitions of SNCI. SNCI, also known as non-ḥalāl (impermissible) income, is defined by al-Ghazālī as any property acquired by illegal means such as corruption, theft, ribā (usury), hoarding and gambling (Al-Bez, 2004). Generally, the sources of SNCI can be divided into two, namely, non-ḥalāl in its essence (ḥarām li dhātihi); and prohibited due to external factors (ḥarām li ghayrihi). Income that is non-ḥalāl in its essence is derived from what is prohibited due to its essence and nature; e.g. pork, wine and other impure items. Income that is prohibited due to external factors includes income acquired without the consent of the legal owner. In addition, income is classified as non-ḥalāl if it fails to fulfil the basic contract requirements according to Islamic principles. Amongst the Islamic principles are: prohibition of interest, risk-sharing, money as potential capital, prohibition of speculative behaviour, sanctity of contracts and Sharīʿah-approved activities (Iqbal, 1997).
Based on the above Islamic principles, Ali and Hussain (2013) proposed the following SNCI categories for IFI practices, namely, SNCI in its essence; and SNCI because of external factors. SNCI in its essence is identified as income that comes from prohibited businesses such as mixed-income from businesses conducting alcohol or pork sales. Meanwhile, SNCI that arises because of external factors will have one of the following characteristics:
A void transaction due to a defect in the subject of the contract.
A void transaction due to an absence in one of the pillars of the contract.
Irregular transactions due to the presence of an alien condition that is rectifiable.
Irregular transactions due to the presence of an alien condition that is not rectifiable.
A transaction, albeit with the consent of the owner but without a specific nominate contract permitted by the Sharīʿah.
A transaction that is undertaken without the consent of the owner.
Besides these external factors, in Malaysia, SNCI is also recognised if there is non-compliance to rules and regulations including the Islamic Financial Services Act (2013), Bank Negara Malaysia (BNM) guidelines and policies, Sharīʿah Advisory Council (SAC) resolutions and resolutions of the SC of the respective IFI.
The various sources of SNCI based on the above factors entail different treatments for purification purposes. SNCI can be purified by excluding it or channelling it to charity or giving it back to the owner. Some SNCI needs no purification at all. The SNCI purification treatment, as suggested by Ali and Hussain (2013), is illustrated in Figure 1.
Under Section 28 of Islamic Financial Services Act (2013), the IFI is responsible to ensure that all its businesses, operation affairs and activities are Sharīʿah-compliant. Failure to do so will affect both financial and non-financial aspects of the IFI. On the financial front, for cases of SNCI, Section 28(5) of Islamic Financial Services Act (2013) imposes a punishment of imprisonment for a term not exceeding eight years; or a fine not exceeding RM25m; or both. Besides that, SNCI will affect the capital adequacy ratio (CAR). In the non-financial aspect, SNCI is against the command of Allah and impedes Allah’s barakah (blessing), as well as jeopardising the IFI’s reputation (Chik, 2013).
Under the Financial Reporting for Islamic Banking Institutions 2016 issued by BNM (2016), an IFI is required to disclose the following information pertaining to SNCI:
Nature of Sharīʿah non-compliant activities.
Amount of SNCI.
Number of Sharīʿah non-compliant events that occurred during the year.
Irregular transactions due to the presence of an alien condition that is not rectifiable.
Rectification process and control measures to avoid recurrence of such Sharīʿah non-compliant activities.
In recent literature, a few scholars attempted to analyse the extent of SNCI disclosure by IFIs in Malaysia. For instance, Haniffa and Hudaib (2007) and Mallin et al. (2014) used several SNCI indicators such as involvement in impermissible activities, percentage of profit, reason for involvement in impermissible activities and handling of impermissible activities. However, these studies only used these indicators as part of a list of Islamic values that Islamic banks should disclose. Similarly, Maali et al. (2006) proposed several indicators for SNCI including the nature of unlawful transactions, reasons for undertaking such transactions, the Sharīʿah board’s view about the necessity of these transactions, the amount of revenue or expenses from these transactions and how the bank disposed or intends to dispose, of such revenues.
Meanwhile, a study by Rosman et al. (2017) on SNCI disclosure in 17 IFIs in Malaysia and another 17 IFIs in Bahrain for the period 2013–2015 found that IFIs in both countries have high SNCI disclosures. In this case, eight SNCI indicators were used:
Nature of SNCI.
Amount of SNCI.
Number of SNC occurrences.
Account classification for SNCI.
Reason for SNCI.
Sharīʿah Supervisory Board’s verdict on the necessity of SNCI.
Disposal of SNCI.
Strategy to control for SNCI.
Moreover, a comparison between SNCI disclosure amongst IFIs in Malaysia in 2016 and 2017 found an increasing SNCI pattern where the amount of average SNCI in 2017 was higher than in 2016 (Shafiai and Ali, 2019). Last but not least, an investigation on the application of the BNM policy document for IFIs in terms of reporting SNCI in their annual reports found that seven out of 16 IFIs in Malaysia did not properly disclose their SNCI in their report (Nor and Sawari, 2020).
Internal control mechanisms
In general, internal control is a process that is designed to provide:
Reasonable assurance on financial reporting.
Effectiveness and efficiency of operations.
Compliance with applicable laws and regulations (COSO, 2013).
There are five main components of internal control as listed in the Committee of Sponsoring Organization (COSO) internal control – integrated framework:
Control environment – refers to policies, processes, procedures, structures and standards of internal control set by the board of directors (BOD) or the top management of an organisation that reflects their attitudes towards the importance of internal control practices.
Risk assessment – refers to processes used to identify and analyse an organisation’s risks to achieve its objectives.
Control procedure – refers to actions established based on policies and procedures that drive management directives to meet organisational objectives.
Information and communication – refers to methods used to provide information needed to carry out day-to-day internal control activities in terms of initiating, recording, processing and reporting an organisation’s transactions.
Monitoring – refers to on-going and/or separate evaluations carried out to measure the quality of the system’s performance over time.
Internal control is recognised as one of the important processes or procedures in every organisation including IFIs (Kamaruddin and Ramli, 2018). This is because internal control helps in controlling all possible risks, coordinates organisational activities accordingly and assists in managerial decision-making (Devi et al., 2007). From a risk management perspective, internal control is seen as an effective tool to manage risk. It means that if an organisation fails to implement good internal control practices, the organisation will face high risk that will eventually jeopardise its objectives. Meanwhile, from the Sharīʿah-compliance management aspect, internal control also plays significant roles. In this case, the internal control system, combined with liaison between the SC and Sharīʿah management team, is used to ensure Sharīʿah-compliant practices by IFIs (Lewis, 2005).
However, previous studies on risk management practices in IFIs proved that adequate internal control as part of risk management components is still at a moderate level (Ahmed and Khan, 2007). Besides, a study by Rosman (2009) found that a high perception of risk in IFIs is due to the absence of risk control by internal control, especially on operational risk. Another study on the corporate governance index in IFIs also found that internal control practices achieved the lowest score: 38% (Darmadi, 2013). IFIs are urged to have a check-and-balance mechanism to identify any weaknesses in internal control systems and to upgrade any obsolete internal control practices (Rahman and Anwar, 2014).
Therefore, it is the responsibility of the BOD and the SC of an IFI to ensure that internal control is appropriately implemented and monitored regularly, especially for Sharīʿah-compliance matters. To do so, both the board and management of IFIs need to be equipped with adequate knowledge, not only on the internal control aspect but also in terms of having an understanding of Sharīʿah-compliance.
Governance mechanisms
According to the Sharīʿah governance framework (SGF) issued by BNM in 2011, IFIs shall establish formal reporting channels to ensure that the reporting on Sharīʿah matters is carried out effectively and in a timely manner. When performing Sharīʿah audit on the adequacy of the Sharīʿah governance process, the auditor shall collect evidence on the reporting process in an IFI. In September 2019, BNM issued the Sharīʿah Governance Policy Document (SGPD), which has superseded SGF 2011. SGPD 2019 has strengthened the oversight accountabilities of the BOD, the SC and other key organs involved directly in the implementation of Sharīʿah governance in Malaysian IFIs. Besides, this policy document relates to the SC’s objective of achieving effective management of Sharīʿah non-compliance risks by strengthening their decision-making process and internal control functions. By implementing SGPD 2019, IFIs are expected to establish a strong Sharīʿah-compliance risk department. The BOD, SC and senior management of IFIs are now expected to be responsible and accountable in discharging their duties (Kamaruddin et al., 2020). Based on the previous SGF 2011, the SC is required to report to the BOD on Sharīʿah matters. To do so, the SC is supported by all four Sharīʿah functions, which are:
Sharīʿah risk management;
Sharīʿah review;
Sharīʿah research; and
Sharīʿah audit.
Under SGF 2011, Sharīʿah risk management must report on Sharīʿah risk matters to the management and the Board Risk Management Committee. Meanwhile, Sharīʿah review needs to report on the Sharīʿah-compliance of on-going business operations concurrently to the SC and management. Next, Sharīʿah research is responsible for tabling new products and services to both the SC and management before getting approval from the BOD. Sharīʿah audit must report audit findings to the Board Audit Committee and the SC. The findings on Sharīʿah non-compliant events shall be documented by the IFIs for the auditors to review during the auditing period. However, in the SGPD 2019, these four Sharīʿah functions have become only three; the Sharīʿah research function is combined with the secretariat in the SC function and is no longer classified under the control function (Kamaruddin et al., 2020).
Furthermore, the SGPD 2019 Part E strongly encourages IFIs to have robust Sharīʿah-compliance functions, comprising risk management, review and audit functions (BNM, 2019). Part E of SGPD 2019 also outlines in detail the functions of Sharīʿah risk management, review and audit as shown in Table 1.
Basically, every IFI in Malaysia has two levels of Sharīʿah supervision:
Micro supervision at the IFI level.
Macro supervision at the country level (Hamza, 2013).
The above-mentioned Sharīʿah functions are covered under the first micro supervision level. At this level, it is the IFIs’ responsibilities to ensure that sound Sharīʿah governance is practiced. Meanwhile, the macro supervision is exercised by BNM, which plays the role of the regulator. Besides the Sharīʿah scope covered in SGPD 2019, a new paradigm of Sharīʿah governance proposed by Mansour and Bhatti (2018) requires IFIs to manage their operations in a more diverse role, including:
Improving the competitiveness of the global Islamic finance industry.
Associating IFIs’ business practices to the ethical fulfilment of the maqāṣid al-Sharīʿah (Islamic objectives).
Serving a larger spectrum.
Synchronizing the quantitative and qualitative speed of the Islamic finance industry.
Reduction of Sharīʿah non-compliance risk.
All these Sharīʿah functions highlighted by SGPD 2019 aim to achieve five main principles:
accountability;
trustworthiness;
transparency;
fairness; and
responsibilities (Hanefah and Kamaruddin, 2019).
These five main principles are important, not only to ensure smooth IFIs’ daily operations but also to avoid mismanagement and Sharīʿah non-compliance. As Islam requires these principles to be practiced by all Muslims, these obligations must also be adhered to by the Sharīʿah officers in IFIs. Therefore, the BOD and the SC of an IFI need to ensure that these Sharīʿah governance functions are being put into consideration in delivering their roles and responsibilities.
Risk and internal control for Sharīʿah-compliance
It is undeniable that the risks faced by IFIs will have a negative effect on the effectiveness of IFIs’ daily operations. There are three major types of risks that are faced by IFIs:
credit risk;
market risk; and
operational risk.
Credit risk is the probability of loss due to a counterparty’s failure to make payment in accordance to the agreed terms (Ahmed and Khan, 2007). Meanwhile, market risk is the possibility of experiencing losses due to factors affecting the overall performance of the financial market (Alexander, 2009). On the other hand, operational risk is the remaining risk after determining financial and systematic risk, including Sharīʿah non-compliance risk (Ali Basah et al., 2018).
These risks are mainly derived from IFIs’ lack of management practices in risk hedging, underdeveloped money market and government securities, problems of transparency and holding large amounts of assets in the central bank under reserve account or correspondent account (Ali Basah et al., 2018). Therefore, adequate risk management knowledge, especially on Sharīʿah matters, is essential for IFIs to ensure that they are operating in Sharīʿah-compliance. This includes the measurement of Sharīʿah non-compliance risk management practices.
Risk measurement techniques for Sharīʿah non-compliance risk involve a process of estimating risk levels for Sharīʿah non-compliance, whereby risk levels depend on their impact and likelihood (Shafii et al., 2017; Hanefah et al., 2020). The measurement is used as a base for prioritising actions and for controlling impact and minimising risk. The risk level of Sharīʿah non-compliance may be determined once the impact has been established. The impact of Sharīʿah non-compliance can be categorised as “minor”, “moderate” or “major”.
As established by Hanefah et al. (2020), major Sharīʿah non-compliance risks can lead to the invalidation of contracts and non-recognition of profits. Moderate Sharīʿah non-compliant events comprise inaccurate/incomplete conditions of the contract that have not been fulfilled. Minor Sharīʿah non-compliance risks comprise inadequate explanations on product information or incorrect marketing materials on IFIs’ websites.
Besides, there are four important elements that need to be given attention to ensure the effectiveness of the internal control system for Sharīʿah-compliance (Shafii et al., 2017; Hanefah et al., 2020). These are:
Qualified human resources – They refer to the personnel involved in IFIs’ operations and activities who are required to have specialised knowledge to perform their duties efficiently. They include personnel in the entire business operation involving not only the research and development department and SC members but also the Sharīʿah secretariat and marketing personnel involved directly in IFIs’ products.
Adequate Sharīʿah policies and procedures – They refer to Sharīʿah policies and procedures that cover all products offered by the IFI, the processes involved, steps of the product offering and the required elements of control for the processes involved.
Avoidance of conflict of interest – This refers to some functions that should be separated, but are instead grouped together, such as SC and Sharīʿah secretariat, SC and internal Sharīʿah audit, Sharīʿah secretariat and Sharīʿah audit and Sharīʿah audit and external audit.
Assessment on internal Sharīʿah audit findings – This refers to the internal Sharīʿah audit conducted to ensure that the management of the IFI is discharging it responsibilities in accordance to Sharīʿah rules and principles as prescribed by the SC.
Based on these requirements, there is a need for an adequate internal control system on Sharīʿah non-compliance, especially on SNCI, that consists of policies and procedures designed to provide the management with reasonable assurance that IFIs are operating in line with the Sharīʿah. The elements of Sharīʿah should be integrated with the components of the internal control system based on the following Qurʾānic verse:
O you who believe, do not consume one another’s property unjustly; rather, exchange it through trade by mutual consent; and do not kill one another. Indeed, Allah is ever Merciful to you (Qurʾān, 4:29).
A combination of Sharīʿah criteria and the five major components of internal control as addressed by COSO can be proposed as the internal control system for Sharīʿah-compliance. For instance, to develop qualified human resources to conduct Sharīʿah functions, the management of IFIs can educate their Sharīʿah officers on Sharīʿah knowledge and business and accounting knowledge concurrently. This is to ensure that Sharīʿah officers are competent to conduct their functions in line with the Sharīʿah. Failure to do so will lead to financial losses, especially when Sharīʿah non-compliance involves income purification (Kamaruddin and Hanefah, 2017). Thus, competent Sharīʿah officers will be able to reduce Sharīʿah risks, including SNCI.
Methodology
Data can be gathered in several ways such as by interviews, observation or analysis of documents. Sometimes all three methods can be used together to gather information. However, this study uses the interview method as it is the best approach to gain information regarding current internal Sharīʿah control practices in selected IFIs. This is because interviewing people who are directly involved with the internal control practice is the best method for identifying fraud and internal control deficiencies (Hansen and Buckhoff, 2000).
For the purpose of this study, interviews were conducted by using the shorter case study interview method (Yin, 2014). In this case study approach, interviews only take about 1 h or less. These interviews are conducted using an open-ended questionnaire but strictly follow the case study protocol. This method ensures that interviewees answer specific questions related to the scope of current internal Sharīʿah control practices for SNCI more openly and freely. For interviewees’ selection, seven officers from the Sharīʿah audit department, the internal audit department and two SC members of designated IFIs in Malaysia were selected for this study. These officers were selected based on the in-depth knowledge they have on current practices of internal Sharīʿah control in two selected IFIs in Malaysia.
The interview sessions were conducted over a period of three months from August to October 2018. All interview data were then transcribed, and thematic analysis was conducted for data analysis. During the interview, the participants were guided by a series of questions developed based on the SGF (BNM, 2011) on Sharīʿah-compliant income. The overall research objective, question and proposition and guided questions for the interview are shown in Table 2.
The interviewees were Sharīʿah officers and Sharīʿah auditors who were involved in the day-to-day operations of IFIs’ operations, and SC members who are responsible to monitor and give opinions on SNCI governance, risk management and control within the institution.
Findings and discussion
Based on the interviews, several weaknesses were identified in SNCI practices in the selected IFIs, which are summarised in the following discussion:
Firstly, in terms of the level of SNCI, most of the respondents suggest that there should be a proper guideline in determining the classification of SNCI. The majority of respondents share the view that SNCI should be classified into minor, moderate and major Sharīʿah non-compliance. However, three respondents aver that SNCI should be classified as minor and major only. In their opinion, SNCI should be treated strictly without any classification of moderate SNCI. The following quote articulates this opinion:
[…] I think actually there is no moderate Sharīʿah non-compliance. Like sin, there are only minor sins and major sins. There is no moderate sin. Therefore, it should be applied to this Sharīʿah non-compliant matter […] (Interviewee 2; cf. Interviewee 4, Interviewee 7).
In this situation, the regulator must play its role by providing a standardised SNCI guideline for IFIs. This is to prevent Sharīʿah non-compliant events from occurring. This finding is similar with previous findings by Mahyudin (2017), who found that different approaches were adopted by IFIs to disclose information about SNCI; most IFIs disclosed such information in the SC’s Report, Notes to Financial Statement and Pillar 3 Disclosure. However, very few disclosed the information in the Director’s Report even though the ultimate body responsible to observe Sharīʿah non-compliance is the BOD.
Based on the interviews, the majority of respondents agree that if the front-liners of IFIs do not give a proper explanation of their products, it should be considered a minor event. However, respondents who agree to a moderate classification suggest that in the event that the guidelines of the product process are not followed – but there is no impact on the validity of the contract – then it shall be classified as a moderate SNCI. In terms of the classification as major, the respondents agree that events such as incorrect formula calculation, repetition of offences by the same personnel and misconception of contracts that need immediate attention and rectification should be classified as major SNCI.
Secondly, even though IFIs have established a specific account for SNCI, the income earned is not properly channelled to charity. In the case of Interviewee 3’s IFI, due to lack of governance, the audit and risk management on various types of SNCI are also not being reported, and worse, the fund was used for other purposes. In addition, although IFIs have established the purification account to manage SNCI, the real practice varies from one IFI to another. This situation confirms previous findings that internal control on SNCI is still a weak practice amongst IFIs (Rosman, 2009; Darmadi, 2013). This is based on the following quote:
[…] Although our IFI established a specific account for SNCI, there is no further monitoring by the management especially of the beneficiaries of SNCI. Sometimes, SNCI is used for corporate social responsibility (CSR) events and not properly channelled to the ‘truly right’ beneficiaries, assuming these events also can be considered as part of purification of SNCI […] (Interviewee 3).
Thirdly, although there are supposedly documented procedures established in relation to management and administration of SNCI, the following events still happen in practice:
No authorisation from the SC on various types of income channelled to the SNCI account.
Unauthorised use of SNCI for other purposes.
SNCI not reported in the annual financial reports.
Distribution of SNCI prior to obtaining SC’s consent.
Fourthly, there is an absence of Sharīʿah risk assessment conducted on operational risk by IFIs to identify any potential Sharīʿah non-compliant event. This is based on the following quote:
[…] As far as we know, there is no Sharīʿah risk assessment conducted to identify any potential Sharīʿah non-compliant event. Basically, SNCI is only recognised or identified during Sharīʿah review or Sharīʿah audit processes […] (Interviewee 1, Interviewee 4).
Sharīʿah risk management in IFIs should systematically identify, measure, monitor and control Sharīʿah non-compliance risks to mitigate any possible non-compliant events. The management should identify and understand inherent Sharīʿah non-compliance risks that will affect the reputation of IFIs. The management must ensure that proper internal controls are in place and ensure their effectiveness in mitigating risks (including reputational risk). The potential impact of risks on the bank, based on historical and actual de-recognition of income from Sharīʿah non-compliant activities, should be measured. IFIs should monitor Sharīʿah non-compliance risks and send a report on the risk indicators to the BOD, SC and management. There should be proper internal control to avoid recurrences. This is to keep track of unrecognised income arising from Sharīʿah non-compliant activities and assess the probability of occurrences in the future. Sharīʿah non-compliance risk management policies, procedures and guidelines should be formulated and implemented (Shafii et al., 2017; Hanefah et al., 2020).
Based on the above findings, this study supports the proposition that “findings of SNCI shall be classified as minor, moderate and major”, as the majority of respondents agree that SNCI should be classified in that manner. This is also to ensure prioritisation in resolving the SNCI events.
Therefore, this paper proposes a matrix for assessment of the internal control system for Sharīʿah-compliance. The matrix can be used as a tool to assess the parameter of an internal control system for Sharīʿah-compliance in IFIs. The matrix assesses the people, process and system of the IFI, in line with the Sharīʿah-compliance scope highlighted in SGPD 2019. However, this matrix requires further in-depth research to ensure the effectiveness of the measurement in determining the classification of SNCI. Further research is needed in terms of the practicability of the proposed matrix.
The Sharīʿah non-compliant events in Table 3 are classified as minor, moderate and major. The risks affected are also categorised as reputational, financial and regulatory. The person-in-charge of Sharīʿah non-compliant events is also proposed in the SNCI matrix. This is to ensure that any Sharīʿah non-compliant event is rectified immediately by the person-in-charge. The level of an internal control system for Sharīʿah-compliance is shown in Table 3.
Based on the above findings, it is proposed that regulators of IFIs in Malaysia and worldwide should adopt the matrix suggested in this paper. Regulators should educate the IFIs on the importance of SNCI and monitor how they deal with it. IFIs should train their staff on SNCI. This is important because if IFIs’ staffs do not follow guidelines – although it does not necessarily affect the validity of the contract – this would still amount to moderate Sharīʿah non-compliant events. However, if the errors are repeated many times due to misunderstanding by the staff or miscalculation, then this would be a major Sharīʿah non-compliant event.
Also, incorrect information or marketing materials uploaded on the IFI’s website can be considered a minor Sharīʿah non-compliant event. However, if the contract itself is incomplete or inaccurate, this would lead to a moderate Sharīʿah non-compliant event. Worst, invalid contracts that have financial implications and are non-mitigatable would lead to major Sharīʿah non-compliant events.
Next, for the IT systems adopted by IFIs, if there exists Sharīʿah non-compliant terms such as interest, it is considered a minor Sharīʿah non-compliant event. Meanwhile, inflexibility of the system to conduct specific Sharīʿah requirements, such as a sequence of the contract, would lead to moderate Sharīʿah non-compliant events. If the system does not support Sharīʿah requirements or in a worst-case scenario, the conventional system is used for IFIs’ operations, it is considered a major Sharīʿah non-compliant event. These three factors (people, process and system) can be monitored and managed by using proper internal control systems.
There are also other factors that can affect Sharīʿah non-compliant events. These include reputational, financial and regulatory risks. For reputational risk, if the Sharīʿah non-compliant event has no media coverage or no reputational issue, it will be considered a minor Sharīʿah non-compliant event. However, if there is low media coverage, it will be considered a moderate Sharīʿah non-compliant event. Meanwhile, if the event has wide media coverage, it will be considered a major Sharīʿah non-compliant event.
As for financial risk, if there is no loss from the event, it can be considered a minor Sharīʿah non-compliant event. If there is a low financial implication, it is considered a moderate Sharīʿah non-compliant event. However, if there is a major financial implication or identification of unrecognised income, this will lead to a major Sharīʿah non-compliant event.
Finally, for regulatory risk, if there is low possibility for regulatory action, it is considered a minor Sharīʿah non-compliant event. If there is a moderate possibility for non-compliance and regulatory actions, then it is considered a moderate Sharīʿah non-compliant event. However, if the possibility of a non-compliance classification and regulatory action is high, it should be then considered a major Sharīʿah non-compliant event.
These Sharīʿah non-compliant events must be resolved and action must be taken by management based on the category of Sharīʿah non-compliant events. For example, for minor Sharīʿah non-compliant events, the head of the Sharīʿah department is responsible to resolve those events, and at the same time, he is responsible to notify the SC. For moderate Sharīʿah non-compliant events, the board audit and board risk committees are responsible to resolve those events and inform the SC. Meanwhile, for major Sharīʿah non-compliant events, the BOD and SC are responsible to resolve them.
Based on the classification of Sharīʿah non-compliant events, the level of internal control practices by IFIs can be determined:
If a minor Sharīʿah non-compliant event occurs, it can be said that current internal control practices are weak.
Meanwhile, if a moderate Sharīʿah non-compliant event occurs, it shows that current internal control practices are very weak.
Worst, if major Sharīʿah non-compliant events occur, current internal control practices are considered extremely weak.
Conclusion
As the requirement for IFIs is to carry out their activities in accordance with the principles of Sharīʿah, there is no doubt that Sharīʿah audit functions should be in place and practised. Based on the findings, there is a lack of authorisation and control of the governance and internal control system for Sharīʿah-compliance in the sampled IFIs. This leads to major Sharīʿah non-compliance in the operations. SNCI will increase IFIs’ risk management and impact on the integrity of IFIs amongst their current and potential customers.
In this regard, it is essential to have a comprehensive, robust and well-functioning internal control system for Sharīʿah-compliance to ensure that all SNCI is properly governed and managed. Therefore, all processes and procedures relating to SNCI must be developed and implemented by all staff of IFIs. Proper checks and balances must also be in place to ensure such events do not recur. Besides, the impact of SNCI also needs to be clearly explained not only to related staff but also to all staff in the IFIs.
One important contribution made by this study is the new internal control system assessment matrix for Sharīʿah-compliance. This matrix can be used and adopted by Sharīʿah auditors in Sharīʿah audit programmes for SNCI. It is highly recommended that this matrix be adopted into other Sharīʿah audit programmes to mitigate Sharīʿah risks in IFIs.
Future research in this area, especially on SNCI in IFIs, could be very fruitful. One point for investigation is: to what extent would the implementation of the SNCI matrix have an impact on the IT system in reducing and mitigating Sharīʿah risks? Besides, Sharīʿah audit procedures and programmes for SNCI could be studied to get a clearer picture on the best practices to prevent such risks in the future. In addition, SC roles for SNCI and the way management responds to this issue can also be explored in future studies. Last but not least, purification processes for SNCI and Sharīʿah audit in this particular area should be given attention in future research.
Figures
Summary of the key organ functions
| Key organs | Functions |
|---|---|
| Sharīʿah risk management | • To integrate Sharīʿah non-compliance risk with conventional risk management • To identify potential Sharīʿah non-compliance risk exposures; • To assess and measure potential impact of Sharīʿah non-compliance risk exposures • To develop appropriate risk mitigation measures • To closely monitor both Sharīʿah non-compliance risk exposures and effectiveness of the risk mitigation measures • To report to the BOD, the SC and senior management on Sharīʿah non-compliance risk exposures • To challenge decisions that may give rise to Sharīʿah non-compliance risks |
| Sharīʿah review | • To identify, assess and monitor Sharīʿah-compliance by the IFI • To report on a regular basis Sharīʿah non-compliance issues and findings to the BOD, the SC and senior management • To inform and provide latest updates on regulatory requirements, especially SAC rulings to the BOD, the SC and senior management • To ensure the IFI’s officers are provided with adequate training and guidance on relevant Sharīʿah requirements |
| Sharīʿah audit | • To assess the risk profile and each auditable area’s exposures by developing a strong audit methodology • To develop a comprehensive Sharīʿah audit plan for the Sharīʿah audit process • To provide guidance on gathering information, auditing procedures and audit assessment by developing a clearly documented Sharīʿah audit programme • To communicate the audit findings, recommendations for rectification measures and auditee’s responses and action plans to the BOD and the SC through an audit report |
Source: Bank Negara Malaysia (BNM, 2019)
Research objective, question, proposition and guided questions
| Scope | Details |
|---|---|
| Research objective | To determine the classification of SNCI |
| Research question | What are the perceptions of the practitioners (Sharīʿah and internal audit department, SC) on the internal control of SNCI in the IFIs? |
| Research proposition | Findings of SNCI shall be classified as minor, moderate and major |
| Guided questions | a) Define SNCI and its current practices in your institution from your own perspective b) Is SNCI a misunderstood concept? c) What is the appropriate treatment for SNCI in your institution? d) How do you determine the level of SNCI in your institution? e) What are the current issues in SNCI faced by IFIs in Malaysia? |
Internal control system assessment matrix for Sharīʿah-compliance
| Classification of Sharīʿah non-compliant event |
Minor | Moderate | Major | ||
|---|---|---|---|---|---|
| Impact | Internal control | People | Inadequate explanation on product information | Guidelines not followed (no impact on the validity of the contract) | Incorrect formula calculation, repetition of offences by the same personnel, misconception of contracts, business policies not approved by the SC |
| Process | Incorrect information in marketing materials on IFIs’ website | Incomplete/inaccurate contract | Invalid contract, financial implication, non-mitigatable | ||
| System | Sharīʿah non-compliant term; e.g. interest | Inflexibility of system to accommodate specific Sharīʿah requirement (i.e. sequence of the contract) | System does not cater for Sharīʿah requirements Conventional system used in IFIs’ operations |
||
| Other risk | Reputational | No media coverage, no reputational issue | Low media coverage | Wide media coverage | |
| Financial | No financial loss | Low financial implication | Major financial implication, unrecognised income | ||
| Regulatory | Low possibility of regulatory action | Moderate possibility of non-compliant event and regulatory action | High possibility of a non-compliant event and regulatory action | ||
| Assessment | Responsibility | Action/resolve | Head of Department/SC | Board audit committee/board risk and management/SC | Board of directors/SC |
| Level of internal control |
Indicator | Weak | Very weak | Extremely weak | |
References
Ab Ghani, N.L., Ariffin, N.M. and Rahman, A.R.A. (2019), “The measurement of effective internal Shari’ah audit function in Islamic financial institutions”, International Journal of Economics, Management and Accounting, Vol. 27 No. 1, pp. 141-165.
Ahmed, H. and Khan, T. (2007), “Risk management in Islamic banking”, in Hassan, M.K. and Lewis, M.K. (Eds), Handbook of Islamic Banking, Edward Elgar, Northampton, MA, pp. 144-158.
Al-Bez, A. (2004), Aḥkām al-Māl al-Ḥarām wa Ḍawābit al-Intifāʿ wa al-Taṣarrruf Bihi fī al-Fiqh al-Islāmī, Dar Nafais, Jordan.
Alexander, C. (2009), Market Risk Analysis: Values at Risk Models, Vol. 4, John Wiley and Sons, West Sussex.
Ali Basah, M.Y., Mohamad, S.N.A., Ab Aziz, M.R., Khairi, K.F., Laili, N.H., Sabri, H. and Md Yusuf, M. (2018), “Risks in Islamic banks: challenges and management”, Journal of Engineering and Applied Sciences, Vol. 13 No. 8, pp. 2081-2085, doi: 10.36478/jeasci.2018.2081.2085.
Ali, M.M. and Hussain, L. (2013), “A framework of income purification for Islamic financial institutions”, Proceeding of Sharia Economics Conference-Hannover, pp. 109-117.
Ayedh, A.M., Mahyudin, W.A.T., Samat, M.S.A. and Isa, H.H.M. (2019), “The integration of Shari’ah compliance in information system of Islamic financial institutions”, Qualitative Research in Financial Markets, doi: 10.1108/QRFM-05-2017-0042.
Basiruddin, R. and Ahmed, H. (2017), “The role of corporate governance on Shari’ah non-compliant risk: evidence from Southeast Asia”, KFUPM Islamic Banking and Finance Research Conference, 19-20 November, Dhahran.
BNM (2011), Shariah Governance Framework for Islamic Financial Institutions, Bank Negara Malaysia, Kuala Lumpur.
BNM (2016), Financial Reporting for Islamic Banking Institutions (FRIBI), Bank Negara Malaysia, Kuala Lumpur.
BNM (2019), Shariah Governance Policy Document, Bank Negara Malaysia, Kuala Lumpur.
Chik, M.N. (2013), “Sharīʿah governance framework – Shari’ah compliance risk management”, 4th Asia Islamic Banking Conference, Kuala Lumpur, available at: www.bankislam.com.my/en/Documents/cinfo/2013-4thAsiaIslamicBankingConference-CRM.pdf (accessed 15 February 2017).
COSO (2013), Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Darmadi, S. (2013), “Corporate governance disclosure in the annual report: an exploratory study on Indonesian Islamic banks”, Humanomics, Vol. 29 No. 1, pp. 4-23, doi: 10.1108/08288661311299295.
Devi, S.S., Hooper, K. and Davey, H. (2007), Accounting Theory and Practice: A Malaysian Perspective, Pearson Malaysia, Petaling Jaya.
Hamza, H. (2013), “Sharia governance in Islamic banks: effectiveness and supervision model”, International Journal of Islamic and Middle Eastern Finance and Management, Vol. 6 No. 3, pp. 226-237, doi: 10.1108/IMEFM-02-2013-0021.
Hanefah, M.M. and Kamaruddin, M.I.H. (2019), Shariah Governance and Assurance in Islamic Financial Sectors, USIM Press, Nilai.
Hanefah, M.M., Shafii, Z., Salleh, S., Zakaria, N. and Kamaruddin, M.I.H. (2020), Governance and Shariah Audit in Islamic Financial Institutions, 2nd ed., USIM Press, Nilai.
Haniffa, R. and Hudaib, M. (2007), “Exploring the ethical identity of Islamic banks via communication in annual reports”, Journal of Business Ethics, Vol. 76 No. 1, pp. 97-116.
Hansen, J.D. and Buckhoff, T.A. (2000), “To catch a thief”, Journal of Accountancy, Vol. 189 No. 3, pp. 43-46.
Iqbal, Z. (1997), “Islamic financial systems”, Finance and Development, Vol. 34 No. 2, pp. 42-45.
Islamic Financial Services Act (2013), “Laws of Malaysia, Putrajaya”, available at: www.bnm.gov.my/documents/act/en_ifsa.pdf
Kamaruddin, M.I.H. and Hanefah, M.M. (2017), “Enhancing Shari’ah audit practices in Islamic financial institutions in Malaysia”, Journal of Modern Accounting and Auditing, Vol. 13 No. 11, pp. 457-470, doi: 10.17265/1548-6583/2017.11.001.
Kamaruddin, M.I.H. and Ramli, N.M. (2018), “The impact of internal control practices on financial accountability in Islamic non-profit organizations in Malaysia”, International Journal of Economics, Management and Accounting, Vol. 26 No. 2, pp. 365-391.
Kamaruddin, M.I.H., Hanefah, M., Shafii, Z. and Salleh, S. (2020), “Comparative analysis on Shari’ah governance in Malaysia: SGF 2010, IFSA 2013 and SGPD 2019”, Journal of Public Administration and Governance, Vol. 10 No. 1, pp. 110-131, doi: 10.5296/jpag.v10i1.16157.
Lewis, M.K. (2005), “Islamic corporate governance”, Review of Islamic Economics, Vol. 9 No. 1, pp. 5-29.
Maali, B., Casson, P. and Napier, C. (2006), “Social reporting by Islamic banks”, Abacus, Vol. 42 No. 2, pp. 266-289, doi: 10.1111/j.1467-6281.2006.00200.x.
Mahyudin, W.A. (2017), “The disclosure practices of Shari’ah non-compliant income in the annual reports of Islamic banks in Malaysia”, Master thesis, Universiti Sains Islam Malaysia.
Mallin, C., Farag, H. and Ow-Yong, K. (2014), “Corporate social responsibility and financial performance in Islamic banks”, Journal of Economic Behavior and Organization, Vol. 103, pp. 21-38, doi: 10.1016/j.jebo.2014.03.001.
Mansour, W. and Bhatti, M.I. (2018), “The new paradigm of Islamic corporate governance”, Managerial Finance, Vol. 44 No. 5, pp. 513-523, doi: 10.1108/MF-01-2018-0043.
Nor, N.M. and Sawari, M.F.M. (2020), “The practice of reporting Shari’ah non-compliant income in the annual financial report of Islamic commercial banks in Malaysia”, Islāmiyyāt, Vol. 42 No. 1, pp. 93-102, doi: 10.17576/islamiyyat-2020-4201-11.
Rahman, R.A. and Anwar, I.S.K. (2014), “Effectiveness of fraud prevention and detection techniques in Malaysian Islamic banks”, Procedia – Social and Behavioral Sciences, Vol. 145, pp. 97-102, doi: 10.1016/j.sbspro.2014.06.015.
Rosman, R. (2009), “Risk management practices and risk management processes of Islamic banks: a proposed framework”, International Review of Business Research Papers, Vol. 5 No. 1, pp. 242-254.
Rosman, R., Azmi, A.C. and Amin, S.N. (2017), “Disclosure of Shari’ah non-compliance income by Islamic banks in Malaysia and Bahrain”, International Journal of Business and Society, Vol. 18, pp. 45-58.
Shafiai, S. and Ali, E.R.A.E. (2019), “The need for credible reporting of Shari’ah non-compliance event by Islamic banks in Malaysia”, in Sidek, N.Z.M., Said, R. and Hasan, W.N.W. (Eds), Islamic Development Management, Springer, Singapore, pp. 249-261.
Shafii, Z. and Salleh, S. (2010), “Enhancing governance, accountability and transparency in Islamic financial institutions: an examination into the audit of Shari’ah internal control system”, Management and Accounting Review, Vol. 9 No. 2, pp. 23-42, doi: 10.24191/mar.v9i2.243.
Shafii, Z., Hanefah, M.M., Abdul Rahman, A.R., Salleh, S., Zakaria, N. and Kamaruddin, M.I.H. (2017), Shariah Audit and Assurance: Process and Programme, USIM Press, Nilai.
Yaacob, H. and Donglah, N.K. (2012), “Shari’ah audit in Islamic financial institutions: the postgraduates’ perspective”, International Journal of Economics and Finance, Vol. 4 No. 12, pp. 224-239, doi: 10.5539/ijef.v4n12p224.
Yin, R.K. (2014), Case Study Research: Design and Methods, Sage Publications, Thousand Oaks, CA.
Yussof, S.A. (2013), “Prospects of a Shari’ah audit framework for Islamic financial institutions in Malaysia”, Islam and Civilisational Renewal, Vol. 4 No. 1, pp. 80-102.
Acknowledgements
The authors would like to thanks Universiti Sains Islam Malaysia for the financial assistance from a research grant under the title of “Sharīʿah Audit, Governance and Risk Management in IFIs (USIM/UNISSA/MG/FEM/052002/70118)”, which funded this paper.
Corresponding author
About the authors
Mustafa Mohd Hanefah, PhD, is a Professor of Sharīʿah Governance and accounting at the Faculty of Economics and Muamalat, Universiti Sains Islam Malaysia.
Muhammad Iqmal Hisham Kamaruddin is a graduate fellow of Islamic accounting at the Faculty of Economics and Muamalat, Universiti Sains Islam Malaysia.
Supiah Salleh, PhD, is a Senior Lecturer of Sharīʿah audit at the Faculty of Economics and Muamalat, Universiti Sains Islam Malaysia.
Zurina Shafii, PhD, is a Professor of Sharīʿah audit and halal audit at the Faculty of Economics and Muamalat, Universiti Sains Islam Malaysia.
Nurazalia Zakaria is a Lecturer of Islamic accounting at the Faculty of Economics and Muamalat, Universiti Sains Islam Malaysia.