ICOFR- AN INTRO Venkatesan Murali CA

AGENDA FOR THE HOUR 1.Intro to ICOFR – Company’s ACT Risk vs Activity vs Control 3.Assertions - Meaning 4.Contents of ICOFR - Risk Control Matrix & Process Narratives – An Intro 5.What to do for ICOFR & Stat Audit ?

Intro to ICOFR – Company’s ACT 2013

INTRO TO ICOFR – COMPANY’S ACT 2013 Section 143(3)(i) – Powers and Duties of Auditors : The auditor’s report shall also state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls. (Applicable to all companies)

INTRO TO ICOFR – COMPANY’S ACT 2013 Section 143(3)(i) – Powers and Duties of Auditors : The auditor’s report shall also state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls. (Applicable to all companies) Schedule IV – Code for Independent Directors : II (4) satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible. (Applicable only to Public Companies):

INTRO TO ICOFR – COMPANY’S ACT 2013 Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 – Matters to be included in the Board report : (Applicable to all Companies) : The details in respect of adequacy of internal financial controls with reference to the Financial Statements. Sec 177 (4)– Audit Committee : (Applicable only to Public Companies): Every Audit Committee shall act in accordance with terms of reference specified in writing by the Board which shall include inter alia – (vii) Evaluation of Internal Financial controls and risk management systems Sec 177 (5)– Powers of the Audit committee (Applicable only to Public Companies) The Audit committee shall have the authority – To call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board

Risk Vs Activity vs Control

WHAT IS RISK? Dict Meaning - a situation involving exposure to danger.

OUR DEFINITION Risk – Threat for Financial statements Materially misstated. * Duplicate Invoices Booked * Not Following Accounting Standards * Improper Payment Authorisation

WHAT IS CONTROL ?  They are Policies and Procedures ensuring Management directives are carried out  Information Processing ( Transactional Controls)  Segregation of Duties  It consist of activities such as approvals, verifications, operating reviews, segregation of duties (Mitigate or Reduce the Opportunity of exploitation of Risk)

DESCRIBING THE CONTROL SCENARIO(S) ? 1)“All purchase invoices are verified with the goods received notes (GRN) “ 2)“All sub contractor bills are verified with work orders for booking corresponding expenses” 3)“Scrutiny the debtor balances are done periodically” 4)“All Cheque payments are signed by 2 signatories.“ 5)“A procedure is established to monitor and review all valid orders with the invoices raised during the period

GOOD CONTROL DESCRIPTION WILL CONTAIN ? Why ?? – To Mitigate Risk Where he Performs What is the control Who performs the control When is the control performed How is the control performed

DESCRIBING THE CONTROL SCENARIO(S) ? 1)“All purchase invoices are verified for correctness/ accuracy with the goods received notes (GRN) by senior clerk – accounts department before recording the transaction“ 2)“All sub contractor bills are verified by Asst. clerk – accounts with work orders for confirming the rates accepted before booking the corresponding expenses” 3)“Scrutiny the debtor balances are done periodically monthly by Accounts receivable manager to determine the long outstanding debtor balances for further follow up using bill on bill receivable report obtained from ERP“ 4)“All Cheque payments are signed by 2 signatories (one from the finance and other from technical department) as per LOA (Levels of Authority) defined” 5)“All invoices generated in the system are required to be reviewed for the quantities of items and prices charged and signed off by Mr. Kathikeyan, Executive – Finished Goods Warehouse, before goods can be dispatched against them.”

SPECIFIC EXAMPLE Bank reconciliation is carried out – Is this a control – if not ? What is missing in this ?

ASSERTIONS

ACTIVITY What could be possible errors and what to look at when we are auditing Fixed Assets? (4 Points)

ASSERTIONS Existence: assets, liabilities and equity interests exist Completeness: all transactions and events that should have been recorded have been recorded Rights and obligations: the entity holds or controls the rights to assets and liabilities are the obligations of the entity Valuation and allocation: assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation adjustments are appropriately recorded

CONTENTS OF ICOFR - RISK CONTROL MATRIX & PROCESS NARRATIVES – AN INTRO

RCM CONTENTS 1.Process 2.Process Owner 3.Risk 4.Control Objective 5.Entity actual Control 6.Key Control/ Non Key Control 7.Type of Control(Automated or Manual) 8.Nature of Control(Preventive or Detective) 9.Fraud Risk 10.Frequency 11.Test Strategy 12.Documents Examined 13.Control Existence 14.Test of control design (Pass / Fail)

RCM CONTENTS ParticularsObservation ProcessPayables Process OwnerMr. Venkat RiskThe invoice may be processed despite differences in quantity and/ or price. Control ObjectiveThree-way match between PO, GRN and invoice is required for material purchases Entity Control ObjectiveERP is configured to ensure a three-way matching of PO, GRN and invoice is performed. To ensure that GRN cannot be raised without having a valid PO. To ensure that GRN quantity does not exceed PO quantity. To ensure that if invoice exceeds PO value in excess of the tolerance limit, payment cannot be released except by raising a revised PO

RCM CONTENTS ParticularsObservation Key Control/ Non Key ControlKey Type of Control(Automated or Manual) Automated Nature of Control(Preventive or Detective) Preventive Fraud RiskYes FrequencyTransactional

RCM CONTENTS ParticularsObservation Test StrategyVerify whether ERP restricts / highlights prior to payment processing against a vendor having unadjusted advance Documents ExaminedScreenshot from ERP wherein payment against PO is made after manually checking advance paid Control ExistenceAs is Test of control design (Pass / Fail) Pass

What to do for ICOFR & Stat Audit?

STEPS IN ASSESSING CONTROLS !! Understanding the process and the controls built therein (Process of two clients in similar line of business need not be the same)

EVALUATE DESIGN- EFFECTIVENESS OF CONTROLS Evaluation is started during the understanding phase itself Purchase invoice can be generated only on the basis of a Material receipt note. However found that in the system, MRN reference is not mandatory for the PO. So, design not effective.

EVALUATE OPERATING EFFECTIVENESS OF CONTROLS (DRILL DOWN ) Determined using various evidence gathering tech. Invoice authorizations – to be authorized by manager. During testing found that 5 out of 25 invoices tested were not authorized by the Manager. Reconciliations are done but not regularly – e.g.. Monthly recon to be done but they are done only once a quarter /with no specific regularity. Recons do not cover all critical accounts.

AUDIT PLAN 1.Understand Process 2.Refer RCM of Management 3.Check Whether Design Defects are existing 4.Test Controls Existence 5.Test whether Controls are operating 6.Decide on Audit Opinion on ICOFR 7.Tailor Audit Procedure for Stat Audit ( 4 to 7 is a loop) 8.Obtain Sufficient & Appropriate Audit Evidence 9.Form Audit Opinion

Question(s) if any??

Thank You CA VENKATESAN MURALI