Internal control, risk and Sharīʿah non-compliant income in Islamic financial institutions

Purpose – The existence of internal control for Sharīʿah-compliance promotes reasonable assurance that the Islamic financial institution's (IFI's) objectives are achieved in the following categories, namely, the effectiveness and efficiency of operations, the reliability of financial reporting and the level of compliance with applicable laws and regulations, as well as accounting and auditing standards. Sharīʿah non-compliant income (SNCI) is an important issue in IFIs' operations. Thus, the purpose of this paper is to identify issues related to governance and internal control of SNCI in selected IFIs in Malaysia.
Design/methodology/approach – This research uses a case study approach to gather data on the measures of governance and risk management in relation to the internal control for SNCI in IFIs. Interviews were conducted with officers of the Sharīʿah and internal audit departments on internal control practices regarding SNCI.
Findings – Regulator's guidelines on SNCI are simple and brief, lacking rigour in terms of governance, risk management and audit procedures. The section on SNCI is only a brief statement within the Bank Negara Malaysia's Guidelines on Financial Reporting for Islamic Banking Institutions and also in the Operational Risk Integrated Online Network system operated by IFIs. Most of the respondents in the interviews suggested that there should be a proper guideline in determining the classification of SNCI. Second, although IFIs have established the purification account to manage SNCI, the real practice varies from one IFI to another. Third, although there are supposedly documented procedures established in relation to management and administration of SNCI, the following events still occur in practice, namely, no authorisation from the Sharīʿah Committee (SC) on various types of income channelled to the SNCI account; unauthorised use of SNCI for other purposes; SNCI not being reported in the annual financial reports; and distribution of SNCI prior to obtaining the SC's consent. Fourth, there is an absence of Sharīʿah risk assessment conducted on operational risk by IFIs to identify any potential Sharīʿah non-compliant event.
Research limitations/implications – This research contributes to the importance of Islamic corporate governance theory and Sharīʿah risk management, as well as strengthening the case for reporting SNCI to shareholders. It also contributes to the body of knowledge on the capability of the management in managing the internal control system of IFIs' SNCI.
Originality/value – A new internal control assessment matrix is proposed for Shar


Introduction
The internal control system is a key area, which is audited during the external audit process. In many Islamic financial institutions (IFIs), the internal control system undergoes auditing annually to overcome any weaknesses in the system. The elements of Sharīʿah (Islamic law) are not included in the internal control and auditing framework, and previous studies show that most IFIs still have weak internal control practices (Ahmed and Khan, 2007; Rosman, 2009; Darmadi, 2013; Rahman and Anwar, 2014; Ab Ghani et al., 2019; Ayedh et al., 2019).
Factors that contribute to weak internal control practices include lack of Sharīʿah audit programmes and incompetence of Sharīʿah officers (Yaacob and Donglah, 2012; Kamaruddin and Hanefah, 2017). For instance, due to the lack of Sharīʿah audit programmes in IFIs, several Sharīʿah audit issues need to be dealt with, such as the narrow scope of Sharīʿah audit in practice; lack of an organised internal Sharīʿah audit framework; shortage of qualified internal Sharīʿah audit personnel; extreme brevity of the Sharīʿah Committee (SC) reports; and inadequate training of judges from the muʿāmalāt (transactions) bench for dispute resolution purposes (Yussof, 2013). Meanwhile, incompetent Sharīʿah officers could lead to financial losses if Sharīʿah non-compliance entails income purification.
It is, thus, important for IFIs to set up a comprehensive internal control system for Sharīʿah-compliance in managing all Sharīʿah issues. Internal control can also be used to manage Sharīʿah non-compliant income (SNCI) by having in place a process to purify ineligible income received by the institutions. SNCI is income generated from transactions that breach governing Sharīʿah principles – principles that are determined by the SCs of IFIs or other Sharīʿah authorities.
However, recent literature shows that there are only a few studies that examine internal control as a mechanism to manage SNCI in IFIs. The most related study is Shafii and Salleh (2010), which attempted to extend the Sharīʿah audit scope on IFIs' internal control system by including SNCI as part of the proposed Sharīʿah internal control checklist. Meanwhile, a study conducted by Basiruddin and Ahmed (2017) found a significant relationship between extensive Sharīʿah audit processes and the possibility of uncovering SNCI. There are several related studies on SNCI disclosures, notably Maali et al. (2006), Haniffa and Hudaib (2007), Mallin et al. (2014), Rosman et al. (2017), Shafiai and Ali (2019) and Nor and Sawari (2020), but these studies do not include internal control as an effective mechanism for managing SNCI.
Therefore, to fill in this gap, the purpose of this study is to develop an effective internal control mechanism for SNCI in selected IFIs in Malaysia. This is explored through interview sessions conducted with seven officers from both Sharīʿah and internal audit departments and two SC members of selected IFIs in Malaysia. These officers were selected based on their in-depth knowledge regarding current practices of internal Sharīʿah control in IFIs. By having an understanding of the issues and current governance and internal control practices of IFIs, it is hoped that this study will contribute to the development of an effective internal control mechanism for SNCI.
The remainder of the paper is organised as follows. The second section elaborates on sources of SNCI, the internal control mechanism, governance mechanisms and risk and internal control for Sharīʿah-compliance. The third section discusses the methodology of this study, which focuses on the case study method. The fourth section discusses the findings from interview sessions on SNCI and a proposed internal control system for SNCI. The fifth section concludes the study.

Literature review
Sharīʿah non-compliant income
There are various definitions of SNCI. SNCI, also known as non-ḥalāl (impermissible) income, is defined by al-Ghazālī as any property acquired by illegal means such as corruption, theft, ribā (usury), hoarding and gambling (Al-Bez, 2004). Generally, the sources of SNCI can be divided into two, namely, non-ḥalāl in its essence (ḥarām li dhātihi); and prohibited due to external factors (ḥarām li ghayrihi). Income that is non-ḥalāl in its essence is derived from what is prohibited due to its essence and nature; e.g. pork, wine and other impure items. Income that is prohibited due to external factors includes income acquired without the consent of the legal owner. In addition, income is classified as non-ḥalāl if it fails to fulfil the basic contract requirements according to Islamic principles. Amongst the Islamic principles are: prohibition of interest, risk-sharing, money as potential capital, prohibition of speculative behaviour, sanctity of contracts and Sharīʿah-approved activities (Iqbal, 1997).
Based on the above Islamic principles, Ali and Hussain (2013) proposed the following SNCI categories for IFI practices, namely, SNCI in its essence; and SNCI because of external factors. SNCI in its essence is identified as income that comes from prohibited businesses such as mixed-income from businesses conducting alcohol or pork sales. Meanwhile, SNCI that arises because of external factors will have one of the following characteristics:
A void transaction due to a defect in the subject of the contract.
A void transaction due to an absence in one of the pillars of the contract.
Irregular transactions due to the presence of an alien condition that is rectifiable.
Irregular transactions due to the presence of an alien condition that is not rectifiable.
A transaction, albeit with the consent of the owner but without a specific nominate contract permitted by the Sharīʿah.
A transaction that is undertaken without the consent of the owner.
Besides these external factors, in Malaysia, SNCI is also recognised if there is non-compliance to rules and regulations including the Islamic Financial Services Act (2013), Bank Negara Malaysia (BNM) guidelines and policies, Sharīʿah Advisory Council (SAC) resolutions and resolutions of the SC of the respective IFI. The various sources of SNCI based on the above factors entail different treatments for purification purposes. SNCI can be purified by excluding it or channelling it to charity or giving it back to the owner. Some SNCI needs no purification at all. The SNCI purification treatment, as suggested by Ali and Hussain (2013), is illustrated in Figure 1.
Under Section 28 of Islamic Financial Services Act (2013), the IFI is responsible to ensure that all its businesses, operation affairs and activities are Sharīʿah-compliant. Failure to do so will affect both financial and non-financial aspects of the IFI. On the financial front, for cases of SNCI, Section 28(5) of Islamic Financial Services Act (2013) imposes a punishment of imprisonment for a term not exceeding eight years; or a fine not exceeding RM25m; or both. Besides that, SNCI will affect the capital adequacy ratio (CAR). In the non-financial aspect, SNCI is against the command of Allah and impedes Allah's barakah (blessing), as well as jeopardising the IFI's reputation (Chik, 2013).
Under the Financial Reporting for Islamic Banking Institutions 2016 issued by BNM (2016), an IFI is required to disclose the following information pertaining to SNCI:
Nature of Sharīʿah non-compliant activities.
Amount of SNCI.
Number of Sharīʿah non-compliant events that occurred during the year.
Irregular transactions due to the presence of an alien condition that is not rectifiable.
Rectification process and control measures to avoid recurrence of such Sharīʿah non-compliant activities.
In recent literature, a few scholars attempted to analyse the extent of SNCI disclosure by IFIs in Malaysia. For instance, Haniffa and Hudaib (2007) and Mallin et al. (2014) used several SNCI indicators such as involvement in impermissible activities, percentage of profit, reason for involvement in impermissible activities and handling of impermissible activities. However, these studies only used these indicators as part of a list of Islamic values that Islamic banks should disclose. Similarly, Maali et al. (2006) proposed several indicators for SNCI including the nature of unlawful transactions, reasons for undertaking such transactions, the Sharīʿah board's view about the necessity of these transactions, the amount of revenue or expenses from these transactions and how the bank disposed, or intends to dispose, of such revenues. Meanwhile, a study by Rosman et al. (2017) on SNCI disclosure in 17 IFIs in Malaysia and another 17 IFIs in Bahrain for the period 2013-2015 found that IFIs in both countries have high SNCI disclosures. In this case, eight SNCI indicators were used:
(1) Nature of SNCI.
(3) Number of SNC occurrences.
(4) Account classification for SNCI.
[Figure 1. Source: Ali and Hussain (2013)]
Moreover, a comparison between SNCI disclosure amongst IFIs in Malaysia in 2016 and 2017 found an increasing SNCI pattern where the amount of average SNCI in 2017 was higher than in 2016 (Shafiai and Ali, 2019). Last but not least, an investigation on the application of the BNM policy document for IFIs in terms of reporting SNCI in their annual reports found that seven out of 16 IFIs in Malaysia did not properly disclose their SNCI in their report (Nor and Sawari, 2020).

Internal control mechanisms
In general, internal control is a process that is designed to provide:
Reasonable assurance on financial reporting.
Effectiveness and efficiency of operations.
Compliance with applicable laws and regulations (COSO, 2013).
There are five main components of internal control as listed in the Committee of Sponsoring Organization (COSO) Internal Control – Integrated Framework:
(1) Control environment – refers to policies, processes, procedures, structures and standards of internal control set by the board of directors (BOD) or the top management of an organisation that reflects their attitudes towards the importance of internal control practices.
(2) Risk assessment – refers to processes used to identify and analyse an organisation's risks to achieve its objectives.
(3) Control procedure – refers to actions established based on policies and procedures that drive management directives to meet organisational objectives.
(4) Information and communication – refers to methods used to provide information needed to carry out day-to-day internal control activities in terms of initiating, recording, processing and reporting an organisation's transactions.
(5) Monitoring – refers to on-going and/or separate evaluations carried out to measure the quality of the system's performance over time.
Internal control is recognised as one of the important processes or procedures in every organisation including IFIs (Kamaruddin and Ramli, 2018). This is because internal control helps in controlling all possible risks, coordinates organisational activities accordingly and assists in managerial decision-making (Devi et al., 2007). From a risk management perspective, internal control is seen as an effective tool to manage risk. It means that if an organisation fails to implement good internal control practices, the organisation will face high risk that will eventually jeopardise its objectives. Meanwhile, from the Sharīʿah-compliance management aspect, internal control also plays significant roles. In this case, the internal control system, combined with liaison between the SC and Sharīʿah management team, is used to ensure Sharīʿah-compliant practices by IFIs (Lewis, 2005).
However, previous studies on risk management practices in IFIs proved that adequate internal control as part of risk management components is still at a moderate level (Ahmed and Khan, 2007). Besides, a study by Rosman (2009) found that a high perception of risk in IFIs is due to the absence of risk control by internal control, especially on operational risk. Another study on the corporate governance index in IFIs also found that internal control practices achieved the lowest score: 38% (Darmadi, 2013). IFIs are urged to have a check-and-balance mechanism to identify any weaknesses in internal control systems and to upgrade any obsolete internal control practices (Rahman and Anwar, 2014).
Therefore, it is the responsibility of the BOD and the SC of an IFI to ensure that internal control is appropriately implemented and monitored regularly, especially for Sharīʿah-compliance matters. To do so, both the board and management of IFIs need to be equipped with adequate knowledge, not only on the internal control aspect but also in terms of having an understanding of Sharīʿah-compliance.

Governance mechanisms
According to the Sharīʿah governance framework (SGF) issued by BNM in 2011, IFIs shall establish formal reporting channels to ensure that the reporting on Sharīʿah matters is carried out effectively and in a timely manner. When performing Sharīʿah audit on the adequacy of the Sharīʿah governance process, the auditor shall collect evidence on the reporting process in an IFI. In September 2019, BNM issued the Sharīʿah Governance Policy Document (SGPD), which has superseded SGF 2011. SGPD 2019 has strengthened the oversight accountabilities of the BOD, the SC and other key organs involved directly in the implementation of Sharīʿah governance in Malaysian IFIs. Besides, this policy document relates to the SC's objective of achieving effective management of Sharīʿah non-compliance risks by strengthening their decision-making process and internal control functions. By implementing SGPD 2019, IFIs are expected to establish a strong Sharīʿah-compliance risk department. The BOD, SC and senior management of IFIs are now expected to be responsible and accountable in discharging their duties. Based on the previous SGF 2011, the SC is required to report to the BOD on Sharīʿah matters. To do so, the SC is supported by all four Sharīʿah functions, which are: (1) Sharīʿah risk management; (2) Sharīʿah review; (3) Sharīʿah research; and (4) Sharīʿah audit.
Under SGF 2011, Sharīʿah risk management must report on Sharīʿah risk matters to the management and the Board Risk Management Committee. Meanwhile, Sharīʿah review needs to report on the Sharīʿah-compliance of on-going business operations concurrently to the SC and management. Next, Sharīʿah research is responsible for tabling new products and services to both the SC and management before getting approval from the BOD. Sharīʿah audit must report audit findings to the Board Audit Committee and the SC. The findings on Sharīʿah non-compliant events shall be documented by the IFIs for the auditors to review during the auditing period. However, in the SGPD 2019, these four Sharīʿah functions have become only three; the Sharīʿah research function is combined with the secretariat in the SC function and is no longer classified under the control function. Furthermore, the SGPD 2019 Part E strongly encourages IFIs to have robust Sharīʿah-compliance functions, comprising risk management, review and audit functions (BNM, 2019). Part E of SGPD 2019 also outlines in detail the functions of Sharīʿah risk management, review and audit as shown in Table 1.
Basically, every IFI in Malaysia has two levels of Sharīʿah supervision: (1) Micro supervision at the IFI level.
The above-mentioned Sharīʿah functions are covered under the first micro supervision level. At this level, it is the IFIs' responsibilities to ensure that sound Sharīʿah governance is practiced. Meanwhile, the macro supervision is exercised by BNM, which plays the role of the regulator. Besides the Sharīʿah scope covered in SGPD 2019, a new paradigm of Sharīʿah governance proposed by Mansour and Bhatti (2018) requires IFIs to manage their operations in a more diverse role, including:
Improving the competitiveness of the global Islamic finance industry.
Associating IFIs' business practices to the ethical fulfilment of the maqāṣid al-Sharīʿah (Islamic objectives).
Serving a larger spectrum.
Synchronizing the quantitative and qualitative speed of the Islamic finance industry.
Reduction of Sharīʿah non-compliance risk.
Table 1
Sharīʿah risk management
To report to the BOD, the SC and senior management on Sharīʿah non-compliance risk exposures
To challenge decisions that may give rise to Sharīʿah non-compliance risks
Sharīʿah review
To identify, assess and monitor Sharīʿah-compliance by the IFI
To report on a regular basis Sharīʿah non-compliance issues and findings to the BOD, the SC and senior management
To inform and provide latest updates on regulatory requirements, especially SAC rulings to the BOD, the SC and senior management
To ensure the IFI's officers are provided with adequate training and guidance on relevant Sharīʿah requirements
Sharīʿah audit
To assess the risk profile and each auditable area's exposures by developing a strong audit methodology
To develop a comprehensive Sharīʿah audit plan for the Sharīʿah audit process
To provide guidance on gathering information, auditing procedures and audit assessment by developing a clearly documented Sharīʿah audit programme
To communicate the audit findings, recommendations for rectification measures and auditee's responses and action plans to the BOD and the SC through an audit report
Source: Bank Negara Malaysia (BNM, 2019)
All these Sharīʿah functions highlighted by SGPD 2019 aim to achieve five main principles: (1) accountability; (2) trustworthiness; (3) transparency; (4) fairness; and (5) responsibilities (Hanefah and Kamaruddin, 2019).
These five main principles are important, not only to ensure smooth IFIs' daily operations but also to avoid mismanagement and Sharīʿah non-compliance. As Islam requires these principles to be practiced by all Muslims, these obligations must also be adhered to by the Sharīʿah officers in IFIs. Therefore, the BOD and the SC of an IFI need to ensure that these Sharīʿah governance functions are being put into consideration in delivering their roles and responsibilities.

Risk and internal control for Sharīʿah-compliance
It is undeniable that the risks faced by IFIs will have a negative effect on the effectiveness of IFIs' daily operations. There are three major types of risks that are faced by IFIs: (1) credit risk; (2) market risk; and (3) operational risk.
Credit risk is the probability of loss due to a counterparty's failure to make payment in accordance with the agreed terms (Ahmed and Khan, 2007). Meanwhile, market risk is the possibility of experiencing losses due to factors affecting the overall performance of the financial market (Alexander, 2009). On the other hand, operational risk is the remaining risk after determining financial and systematic risk, including Sharīʿah non-compliance risk (Ali Basah et al., 2018). These risks are mainly derived from IFIs' lack of management practices in risk hedging, underdeveloped money market and government securities, problems of transparency and holding large amounts of assets in the central bank under reserve account or correspondent account (Ali Basah et al., 2018). Therefore, adequate risk management knowledge, especially on Sharīʿah matters, is essential for IFIs to ensure that they are operating in Sharīʿah-compliance. This includes the measurement of Sharīʿah non-compliance risk management practices.
Risk measurement techniques for Sharīʿah non-compliance risk involve a process of estimating risk levels for Sharīʿah non-compliance, whereby risk levels depend on their impact and likelihood (Shafii et al., 2017; Hanefah et al., 2020). The measurement is used as a base for prioritising actions and for controlling impact and minimising risk. The risk level of Sharīʿah non-compliance may be determined once the impact has been established. The impact of Sharīʿah non-compliance can be categorised as "minor", "moderate" or "major".
As established by Hanefah et al. (2020), major Sharīʿah non-compliance risks can lead to the invalidation of contracts and non-recognition of profits. Moderate Sharīʿah non-compliant events comprise inaccurate/incomplete conditions of the contract that have not been fulfilled. Minor Sharīʿah non-compliance risks comprise inadequate explanations on product information or incorrect marketing materials on IFIs' websites.
Besides, there are four important elements that need to be given attention to ensure the effectiveness of the internal control system for Sharīʿah-compliance (Shafii et al., 2017; Hanefah et al., 2020). These are:
(1) Qualified human resources – They refer to the personnel involved in IFIs' operations and activities who are required to have specialised knowledge to perform their duties efficiently. They include personnel in the entire business operation involving not only the research and development department and SC members but also the Sharīʿah secretariat and marketing personnel involved directly in IFIs' products.
(2) Adequate Sharīʿah policies and procedures – They refer to Sharīʿah policies and procedures that cover all products offered by the IFI, the processes involved, steps of the product offering and the required elements of control for the processes involved.
(3) Avoidance of conflict of interest – This refers to some functions that should be separated, but are instead grouped together, such as SC and Sharīʿah secretariat, SC and internal Sharīʿah audit, Sharīʿah secretariat and Sharīʿah audit and Sharīʿah audit and external audit.
(4) Assessment on internal Sharīʿah audit findings – This refers to the internal Sharīʿah audit conducted to ensure that the management of the IFI is discharging its responsibilities in accordance with Sharīʿah rules and principles as prescribed by the SC.
Based on these requirements, there is a need for an adequate internal control system on Sharīʿah non-compliance, especially on SNCI, that consists of policies and procedures designed to provide the management with reasonable assurance that IFIs are operating in line with the Sharīʿah. The elements of Sharīʿah should be integrated with the components of the internal control system based on the following Qurʾānic verse:
O you who believe, do not consume one another's property unjustly; rather, exchange it through trade by mutual consent; and do not kill one another. Indeed, Allah is ever Merciful to you (Qurʾān, 4:29).
A combination of Sharīʿah criteria and the five major components of internal control as addressed by COSO can be proposed as the internal control system for Sharīʿah-compliance. For instance, to develop qualified human resources to conduct Sharīʿah functions, the management of IFIs can educate their Sharīʿah officers on Sharīʿah knowledge and business and accounting knowledge concurrently. This is to ensure that Sharīʿah officers are competent to conduct their functions in line with the Sharīʿah. Failure to do so will lead to financial losses, especially when Sharīʿah non-compliance involves income purification. Thus, competent Sharīʿah officers will be able to reduce Sharīʿah risks, including SNCI.

Methodology
Data can be gathered in several ways such as by interviews, observation or analysis of documents. Sometimes all three methods can be used together to gather information. However, this study uses the interview method as it is the best approach to gain information regarding current internal Sharīʿah control practices in selected IFIs. This is because interviewing people who are directly involved with the internal control practice is the best method for identifying fraud and internal control deficiencies (Hansen and Buckhoff, 2000).
For the purpose of this study, interviews were conducted by using the shorter case study interview method (Yin, 2014). In this case study approach, interviews only take about 1 h or less. These interviews are conducted using an open-ended questionnaire but strictly follow the case study protocol. This method ensures that interviewees answer specific questions related to the scope of current internal Sharīʿah control practices for SNCI more openly and freely. For interviewees' selection, seven officers from the Sharīʿah audit department, the internal audit department and two SC members of designated IFIs in Malaysia were selected for this study. These officers were selected based on the in-depth knowledge they have on current practices of internal Sharīʿah control in two selected IFIs in Malaysia.
The interview sessions were conducted over a period of three months from August to October 2018. All interview data were then transcribed, and thematic analysis was conducted for data analysis. During the interview, the participants were guided by a series of questions developed based on the SGF (BNM, 2011) on Sharīʿah-compliant income. The overall research objective, question and proposition and guided questions for the interview are shown in Table 2.
The interviewees were Sharīʿah officers and Sharīʿah auditors who were involved in the day-to-day operations of IFIs, and SC members who are responsible to monitor and give opinions on SNCI governance, risk management and control within the institution.

Findings and discussion
Based on the interviews, several weaknesses were identified in SNCI practices in the selected IFIs, which are summarised in the following discussion:
Firstly, in terms of the level of SNCI, most of the respondents suggest that there should be a proper guideline in determining the classification of SNCI. The majority of respondents share the view that SNCI should be classified into minor, moderate and major Sharīʿah non-compliance. However, three respondents aver that SNCI should be classified as minor and major only. In their opinion, SNCI should be treated strictly without any classification of moderate SNCI. The following quote articulates this opinion:
[. . .] I think actually there is no moderate Sharīʿah non-compliance. Like sin, there are only minor sins and major sins. There is no moderate sin. Therefore, it should be applied to this Sharīʿah non-compliant matter [. . .] (Interviewee 2; cf. Interviewee 4, Interviewee 7).
In this situation, the regulator must play its role by providing a standardised SNCI guideline for IFIs. This is to prevent Sharīʿah non-compliant events from occurring. This finding is similar to previous findings by Mahyudin (2017), who found that different approaches were adopted by IFIs to disclose information about SNCI; most IFIs disclosed such information in the SC's Report, Notes to Financial Statement and Pillar 3 Disclosure. However, very few disclosed the information in the Director's Report even though the ultimate body responsible to observe Sharīʿah non-compliance is the BOD. Based on the interviews, the majority of respondents agree that if the front-liners of IFIs do not give a proper explanation of their products, it should be considered a minor event. However, respondents who agree to a moderate classification suggest that in the event that the guidelines of the product process are not followed – but there is no impact on the validity of the contract – then it shall be classified as a moderate SNCI. In terms of the classification as major, the respondents agree that events such as incorrect formula calculation, repetition of offences by the same personnel and misconception of contracts that need immediate attention and rectification should be classified as major SNCI.
Secondly, even though IFIs have established a specific account for SNCI, the income earned is not properly channelled to charity. In the case of Interviewee 3's IFI, due to lack of governance, the audit and risk management on various types of SNCI are also not being reported, and worse, the fund was used for other purposes. In addition, although IFIs have established the purification account to manage SNCI, the real practice varies from one IFI to another. This situation confirms previous findings that internal control on SNCI is still a weak practice amongst IFIs (Rosman, 2009; Darmadi, 2013). This is based on the following quote:
[. . .] Although our IFI established a specific account for SNCI, there is no further monitoring by the management especially of the beneficiaries of SNCI. Sometimes, SNCI is used for corporate social responsibility (CSR) events and not properly channelled to the 'truly right' beneficiaries, assuming these events also can be considered as part of purification of SNCI [. . .] (Interviewee 3).
Thirdly, although there are supposedly documented procedures established in relation to management and administration of SNCI, the following events still happen in practice:
No authorisation from the SC on various types of income channelled to the SNCI account.
Unauthorised use of SNCI for other purposes.
SNCI not reported in the annual financial reports.
Distribution of SNCI prior to obtaining SC's consent.
Fourthly, there is an absence of Sharīʿah risk assessment conducted on operational risk by IFIs to identify any potential Sharīʿah non-compliant event. This is based on the following quote:
[. . .] As far as we know, there is no Sharīʿah risk assessment conducted to identify any potential Sharīʿah non-compliant event. Basically, SNCI is only recognised or identified during Sharīʿah review or Sharīʿah audit processes [. . .] (Interviewee 1, Interviewee 4).
Sharīʿah risk management in IFIs should systematically identify, measure, monitor and control Sharīʿah non-compliance risks to mitigate any possible non-compliant events. The management should identify and understand inherent Sharīʿah non-compliance risks that will affect the reputation of IFIs. The management must ensure that proper internal controls are in place and ensure their effectiveness in mitigating risks (including reputational risk).
The potential impact of risks on the bank, based on historical and actual de-recognition of income from Sharīʿah non-compliant activities, should be measured. IFIs should monitor Sharīʿah non-compliance risks and send a report on the risk indicators to the BOD, SC and management. There should be proper internal control to avoid recurrences. This is to keep track of unrecognised income arising from Sharīʿah non-compliant activities and assess the probability of occurrences in the future. Sharīʿah non-compliance risk management policies, procedures and guidelines should be formulated and implemented (Shafii et al., 2017; Hanefah et al., 2020).

Based on the above findings, this study supports the proposition that "findings of SNCI shall be classified as minor, moderate and major", as the majority of respondents agree that SNCI should be classified in that manner. This is also to ensure prioritisation in resolving the SNCI events.
Therefore, this paper proposes a matrix for assessment of the internal control system for Sharīʿah-compliance. The matrix can be used as a tool to assess the parameter of an internal control system for Sharīʿah-compliance in IFIs. The matrix assesses the people, process and system of the IFI, in line with the Sharīʿah-compliance scope highlighted in SGPD 2019. However, this matrix requires further in-depth research to ensure the effectiveness of the measurement in determining the classification of SNCI. Further research is needed in terms of the practicability of the proposed matrix.
The Sharīʿah non-compliant events in Table 3 are classified as minor, moderate and major. The risks affected are also categorised as reputational, financial and regulatory. The person-in-charge of Sharīʿah non-compliant events is also proposed in the SNCI matrix. This is to ensure that any Sharīʿah non-compliant event is rectified immediately by the person-in-charge. The level of an internal control system for Sharīʿah-compliance is shown in Table 3.
Based on the above findings, it is proposed that regulators of IFIs in Malaysia and worldwide should adopt the matrix suggested in this paper. Regulators should educate the IFIs on the importance of SNCI and monitor how they deal with it. IFIs should train their staff on SNCI. This is important because if IFIs' staff do not follow guidelines (although it does not necessarily affect the validity of the contract), this would still amount to moderate Sharīʿah non-compliant events. However, if the errors are repeated many times due to misunderstanding by the staff or miscalculation, then this would be a major Sharīʿah non-compliant event.
Also, incorrect information or marketing materials uploaded on the IFI's website can be considered a minor Sharīʿah non-compliant event. However, if the contract itself is incomplete or inaccurate, this would lead to a moderate Sharīʿah non-compliant event. Worst of all, invalid contracts that have financial implications and are non-mitigatable would lead to major Sharīʿah non-compliant events.
Next, for the IT systems adopted by IFIs, if there exist Sharīʿah non-compliant terms such as interest, it is considered a minor Sharīʿah non-compliant event. Meanwhile, inflexibility of the system to conduct specific Sharīʿah requirements, such as a sequence of the contract, would lead to moderate Sharīʿah non-compliant events. If the system does not support Sharīʿah requirements or, in a worst-case scenario, the conventional system is used for IFIs' operations, it is considered a major Sharīʿah non-compliant event. These three factors (people, process and system) can be monitored and managed by using proper internal control systems.
There are also other factors that can affect Sharīʿah non-compliant events. These include reputational, financial and regulatory risks. For reputational risk, if the Sharīʿah non-compliant event has no media coverage or no reputational issue, it will be considered a minor Sharīʿah non-compliant event. However, if there is low media coverage, it will be considered a moderate Sharīʿah non-compliant event. Meanwhile, if the event has wide media coverage, it will be considered a major Sharīʿah non-compliant event.
As for financial risk, if there is no loss from the event, it can be considered a minor Sharīʿah non-compliant event. If there is a low financial implication, it is considered a moderate Sharīʿah non-compliant event. However, if there is a major financial implication or identification of unrecognised income, this will lead to a major Sharīʿah non-compliant event. Finally, for regulatory risk, if there is low possibility for regulatory action, it is considered a minor Sharīʿah non-compliant event. If there is a moderate possibility for non-compliance and regulatory actions, then it is considered a moderate Sharīʿah non-compliant event. However, if the possibility of a non-compliance classification and regulatory action is high, it should then be considered a major Sharīʿah non-compliant event.
These Sharīʿah non-compliant events must be resolved and action must be taken by management based on the category of Sharīʿah non-compliant events. For example, for minor Sharīʿah non-compliant events, the head of the Sharīʿah department is responsible to resolve those events, and at the same time, he is responsible to notify the SC. For moderate Sharīʿah non-compliant events, the board audit and board risk committees are responsible to resolve those events and inform the SC. Meanwhile, for major Sharīʿah non-compliant events, the BOD and SC are responsible to resolve them.
Based on the classification of Sharīʿah non-compliant events, the level of internal control practices by IFIs can be determined. If a minor Sharīʿah non-compliant event occurs, it can be said that current internal control practices are weak. Meanwhile, if a moderate Sharīʿah non-compliant event occurs, it shows that current internal control practices are very weak. Worst of all, if major Sharīʿah non-compliant events occur, current internal control practices are considered extremely weak.

Conclusion
As the requirement for IFIs is to carry out their activities in accordance with the principles of Sharīʿah, there is no doubt that Sharīʿah audit functions should be in place and practised. Based on the findings, there is a lack of authorisation and control of the governance and internal control system for Sharīʿah-compliance in the sampled IFIs. This leads to major Sharīʿah non-compliance in the operations. SNCI will increase IFIs' risk management and impact on the integrity of IFIs amongst their current and potential customers. In this regard, it is essential to have a comprehensive, robust and well-functioning internal control system for Sharīʿah-compliance to ensure that all SNCI is properly governed and managed. Therefore, all processes and procedures relating to SNCI must be developed and implemented by all staff of IFIs. Proper checks and balances must also be in place to ensure such events do not recur. Besides, the impact of SNCI also needs to be clearly explained not only to related staff but also to all staff in the IFIs.
One important contribution made by this study is the new internal control system assessment matrix for Sharīʿah-compliance. This matrix can be used and adopted by Sharīʿah auditors in Sharīʿah audit programmes for SNCI. It is highly recommended that this matrix be adopted into other Sharīʿah audit programmes to mitigate Sharīʿah risks in IFIs.
Future research in this area, especially on SNCI in IFIs, could be very fruitful. One point for investigation is: to what extent would the implementation of the SNCI matrix have an impact on the IT system in reducing and mitigating Sharīʿah risks? Besides, Sharīʿah audit procedures and programmes for SNCI could be studied to get a clearer picture on the best practices to prevent such risks in the future. In addition, SC roles for SNCI and the way management responds to this issue can also be explored in future studies. Last but not least, purification processes for SNCI and Sharīʿah audit in this particular area should be given attention in future research.