Internal Control in Malaysia: A 2025 Guide to Assessment, Management Letters, and Governance

The Critical Role of Internal Control in Malaysia's 2025 Business Landscape

In the fast-paced and digitally driven Malaysian economy of 2025, a robust system of internal control is no longer just a matter of compliance; it is a fundamental pillar of good corporate governance and a critical driver of sustainable business success. With rising regulatory complexity, escalating fraud risks, and a growing focus on Environmental, Social, and Governance (ESG) factors, a proactive and forward-looking approach to internal control is essential for navigating the challenges and opportunities of the modern business environment.

The Modern Internal Control Framework

An effective internal control system is designed to provide reasonable assurance regarding the achievement of a company's objectives. The framework is built on five core components, which are now being viewed through a modern lens:

  1. Control Environment: This is the "tone at the top" set by management and the board. In 2025, this includes a clear commitment to ethical values, integrity, and, increasingly, sustainability and ESG principles.
  2. Risk Assessment: This involves identifying and analyzing the risks to achieving the company's objectives. In the current environment, this must include a thorough assessment of cybersecurity, data privacy, and other technology-related risks.
  3. Control Activities: These are the policies and procedures that help ensure management directives are carried out. This includes everything from traditional controls like segregation of duties and authorization procedures to modern controls like automated reconciliations and AI-powered anomaly detection.
  4. Information and Communication: This involves the systems and processes that support the identification, capture, and exchange of information in a timely and useful manner.
  5. Monitoring: This is the process of assessing the quality of the internal control system's performance over time. This can include regular management reviews, as well as separate evaluations by the internal audit function.

The Auditor's Assessment and the Management Letter

During a statutory audit, external auditors are required to obtain an understanding of a company's internal control system to assess the risk of material misstatement in the financial statements. While the primary purpose of an audit is not to identify all control weaknesses, the auditor will often identify areas for improvement. These are typically communicated to management and the board through a **management letter**.

The management letter is a valuable tool that provides:

  • A clear description of the internal control deficiencies identified during the audit.
  • An explanation of the potential risks and implications of these weaknesses.
  • Practical and actionable recommendations for improvement.

For more serious issues, such as significant deficiencies or material weaknesses in internal control, the auditor will communicate these formally to those charged with governance, in accordance with International Standards on Auditing (ISAs).

Common Control Weaknesses in the 2025 Malaysian Context

While traditional control weaknesses remain relevant, the modern business environment has given rise to new challenges:

  • IT General Controls: With the move to cloud-based systems, weaknesses in IT general controls are a major concern. This includes issues like inadequate user access controls, poor password policies, and a lack of formal change management processes for IT systems.
  • Segregation of Duties in Digital Systems: In a digital environment, a single individual may have broad access to multiple parts of a system, creating a risk of fraud or error. It is crucial to ensure that there is proper segregation of duties within the IT systems themselves.
  • Remote and Hybrid Work Environments: The shift to remote and hybrid work has created new challenges for maintaining internal controls. Companies need to ensure that their control activities are effective in a decentralized work environment.

The Broader Corporate Governance Context

Internal control does not exist in a vacuum. It is an integral part of a company's overall corporate governance framework. In Malaysia, the **Malaysian Code on Corporate Governance (MCCG)** places the ultimate responsibility for the company's system of internal control on the board of directors. The new **Global Internal Audit Standards**, effective from January 2025, and the **SORMIC Guide 2025** from the Institute of Internal Auditors Malaysia, further emphasize the need for a strategic, risk-based, and technology-driven approach to internal audit and control.

Conclusion

In the complex and demanding business environment of 2025, a "set it and forget it" approach to internal control is no longer viable. Malaysian companies must adopt a proactive and continuous approach to assessing and improving their internal control systems. By leveraging the insights provided by their external auditors in the management letter, and by embracing the principles of good corporate governance, companies can build a resilient and reliable internal control framework that not only mitigates risk but also supports sustainable growth and long-term value creation.
