Sanjay Rameshwar Dass & Co. (CHARTERED ACCOUNTANTS) IMPLEMENTING INTERNAL FINANCIAL CONTROL
PHASE OF INTERNAL FIANCIAL CONTROL UNDER- STANDING OF INTERNAL FINANCIAL CONTROL AUDITING OF INTERNAL FINANCIAL CONTROL
INDEX Understanding of Internal Financial Control 1. Introduction – What is IFC 2. Benefits of Internal Control 3. IS There Any Prescribed Framework 4. Regulatory Mandate Under Companies Act, 2013 5. Internal Financial Controls Journey 6. Key Drivers Of Framework In IFC 7.Components Of Internal Financial Control 8. Implementation of Internal Financial Control
What is IFC? As Per Section 134 of the Companies Act, 2013 : Internal financial controls means policies and Procedure adopted by the company for ensuring orderly and efficient conduct of its business, including – adherence to company’s policies, safeguarding of assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, and timely preparation of reliable financial information. Adherence to company’s policy Safeguarding of Asset Prevention and detection of frauds and error Accuracy of Accouning records Timely preparation of Financial information IFCR
Benefits of Internal Financial Control Ensures reliable financial reporting and improves overall confidence on reported numbers to various stakeholders. Helps in achievement of desired objectives on financial, operational and compliance side. Exhibits better governance standards of an organization. Help prevent errors and irregularities from occurring. If errors or irregularities do occur, internal controls will help ensure they are detected in a timely manner. Encourage adherence to prescribed policies and procedures. Brings in efficiencies in operations.
Is there any Prescribed Framework? No Framework Prescribed for IFC under Companies Act 2013 Guide To Internal Controls over Financial Reporting’ ‘Guidance note On Audit of IFC over Financial reporting’
IFC: Regulatory Mandate under Companies Act, 2013 Relevant clauses Requirement Applicability Directors’ Responsibility Statement: Sec. 134(5)(e) Board to confirm that IFCs are adequate and operating effectively Listed companies Board report: Rule 8(5) of Companies (Accounts) Rules Board report to state the details in respect of the adequacy of IFC with reference to the financial statements All companies Code for IDs: Sec. 149(8) and Schedule IV IDs to satisfy themselves on the integrity of financial information and that financial controls are robust and defensible having IDs AC terms of reference: Sec. 177 Evaluation of IFC having an AC Auditor’s report: Sec. 143(3)(i) Auditors to report if the company has adequate IFC systems and that they are operating effectively (from 2015-16) AC= Audit Committee, IFC= Internal Financial Control, ID= Independent Director
ROLE OF VARIOUS AUTHORITIES Management In case of LISTED companies, section 134(5)(e) of the Companies Act, 2013 requires Directors Responsibility Statement to state that the Directors had laid down internal financial controls and the same were adequate and operating effectively. In case of ALL companies, Rule 8(5)(viii) of Companies (Accounts) Rules, 2014 requires the Board of Directors’ Report to state the details in respect of adequacy of internal financial controls with reference to the financial statements. Clause 49 IX(C) of Equity Listing Agreement requires CEO’s of listed entities to certify effectiveness of internal control systems pertaining to financial reporting. Auditor Section 143(3)(i) of the Companies Act, 2013 requires the auditors of ALL companies to state in his report whether the company has adequate internal financial control system in place and the operating effectiveness of such controls. The auditor will have to modify its audit methodology to obtain reasonable assurance on the adequacy of internal financial controls over financial reporting and its operating effectiveness
Independent Director Schedule IV of the Companies Act, 2013 requires the Independent Directors of the Company to satisfy themselves on the integrity of financial information and financial controls and also to ensure that the systems of risk management are robust and defensible. Audit Committee Section 177(4)(vii) requires Audit Committee to evaluate internal financial controls and risk management systems. Also, section 177(5) gives power to the Audit Committee to call for comments of the auditors on internal control systems, scope of audit, their observations on internal control systems and financial statements before submission of the same to the board. They may also discuss any related issues with the internal auditors and the management of the Company
Internal Financial Controls Journey
Process Road Map:- Identification of significant financial reporting elements (accounts & disclosures) Identification of material financial statement risk associated with these elements Conduct walkthroughs & Evaluate the design effectiveness of entity and process level controls Mapping of entity and process level controls established by the management to address these risks. Test & Evaluate operating effectiveness of controls Identify deficiencies along with recommendations to remediate the same.
Key drivers of the framework in the IFC Governance Operations Financial Reporting • Enhancements for effective risk governance •Finalize lines of defense and aspects to be covered under each line of defense •Suggest improvement sin the framework •Compliance as per various regulations (Companies Act Rules 2013 and SEBI Listing agreement.) •Evaluate the control activities for each process. •Identify control redundancies •Identify areas of improvement from design perspective •Identify automation opportunities. •Identify are as of improvement and reducing financial reporting risk. •Eliminate redundant controls •Automate financial reporting related controls •Segregation of Duty
Component of IFC Control Environment Risk Assessment Process Control Activities Information System & Communication Monitoring of Controls
Control Environment The organization demonstrates a commitment to integrity and ethical values. The enforcement of integrity and ethical values includes for example, management actions to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal or unethical acts. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Management establishes, with oversight of BOD, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
TYPES OF CONTROLS Preventive Detective Manual Automated Prevent errors initially before recording in the books. Example-verification of accounting entry computation prior to recording, approvals before action. Detective Expose the errors after their initial recording. Example - Review of BRS/ reconciliation of subsidiary ledger balances with G.L. control A/c balances. Manual People perform manual controls Example– Authorization of purchase orders. Automated The Operating system or application software performs automated controls. Example – Recording and monitoring attendance through biometric machine.
Risk Assessment Process The organization specifies objectives with sufficient clarity to objectives. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The organization considers the potential for fraud in assessing risks to the achievement of objectives. The organization identifies and assesses changes that could significantly impact the system of internal control. Changes can be due to circumstances such as Change in operating environment New personnel Rapid growth New or improved IT system New accounting pronouncement
Control Activities The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. The organization selects and develops general control activities over technology to support the achievement of objectives. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
Information system and Communication The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. The organization communicates with external parties regarding matters affecting the functioning of internal control. The Information system relevant to financial reporting objectives encompasses methods and records • Identify and record all valid transactions • Describe the transaction in sufficient detail to permit proper classification for financial reporting • Determine the time period in which transactions occurred • Present properly the transaction and related disclosure in FS
Monitoring of control The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. For example - Timely preparation of BRS- Role of Internal Auditor The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Implementation of Internal Financial Control GROUP LEVEL ENTITY LEVEL FUNCTIONAL LEVEL Policies Including Risk Management Mechanism Policy MIS Reporting Whistleblower Mechanism KPI/ Compensation Policy* Organizational Structure Statutory Compliance Mechanism Internal Audit Mechanism Disaster Recovery * Business Continuity * Delegation of Authority Matrix Segregation of Duty Risk Control Matrix Standard Operating Procedures (SOP)* IT General Control including Access Rights *All are not mandatory for IFC Compliance but a “must have” for operating business efficiently be it listed or unlisted
Examples of Control Deficiencies Design deficiency •Inadequate documentation of components of internal controls. •Absence or inadequate SOP within a significant account or process. •Inadequate design of ITGC and application controls. •Absence of process to report deficiency on Internal controls to management. Operating deficiency •Failure of control of dual authorization. •Management override of controls. •Failure of application controls. •Failure to perform reconciliations of significant accounts.
Significant deficiency •Deficiency in control over selection and application of accounting principles. •Deficiency in antifraud programs and controls. •Deficiency in non-routine /manual transactions. •Deficiency in period end financial reporting process. Material Weakness •Ineffective oversight on financial reporting and internal controls. •Ineffective Internal Audit or risk assessment function for large /high complex entity. •Identification of fraud of any magnitude on part of senior management.
INTERNAL FINANCIAL CONTROL AUDITING OF INTERNAL FINANCIAL CONTROL
INDEX Auditing of Internal Financial Control 1. Statutory Auditor’s Role- How to Audit of Internal Financial Controls on Financial Reporting. 2. Applicability of SAs for Audit of IFCFR 3. Audit methodology for Internal Control 4. Planning Stage 5. Top- Down Approach to IFCoFR 6. Operating Effectiveness (OE) Stage 7. Reporting Stage 8. Issues
STATUTORY AUDITORS’ ROLE How to Audit Internal Financial Controls on Financial Reporting?
Applicability of SAS for Audit of IFCFR Identifying and Assessing the Risks of material misstatements - SA 315 Sampling - SA 530 and SIA 5 Agreeing the terms of Audit engagement SA 210 Auditor’s responsibility relating to fraud – SA 240 Documentation – SA 230 Using work of another auditor – SA 600 Written Representation Letters – SA 580 Subsequent Events - SA 560 Joint Audits – SA 299
AUDIT METHODOLOGY FOR INTERNAL CONTROL For auditors to comment on the adequacy and operating effectiveness of internal financial controls, they will have to follow four stages methodology. Planning Design & Implementation Operating Effectiveness Reporting Planning Design & Implementation Operating Effectiveness Reporting
PLANNING STAGE Identify significant account balances / disclosure items - Identify relevant Assertions (existence/ occurrence, completeness, valuations/ allocation, rights & obligations, presentation and disclosure) Basis of identification of account balances – volume, complexity, recurring/ one time, materiality, contingency nature, related party transaction. Identify & understand significant flow of transactions - Inquire and Verify evidence to understand the activities performed for processing particular type of transaction (initiated, recorded, authorized and processed) Identify ROMM (Risk of Material Misstatements) - Identify Source of Risk associated with all significant processes related to relevant financial statement line items - Understand the role of IT in flow of transactions and associated risk Identify control (TOP-DOWN) activities which addresses ROMM . Identify application associated IT environment & ITGC - If the organization is using several ERP’s, controls at each ERP needs to be checked as output of such ERP’s would impact Financial Statement reporting Also, IT general controls covering various domains like access to programs and data, programme changes and development and computer operations
Criteria for Designing and Implementing IFC Adopting a Risk-based methodology as specified in Standard on Auditing ‘SA’ - 315, Identifying an d Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment”, issued by (ICAI) SA 315 explains the five components of any internal control as they relate to a Financial statement audit. Controls have to be pervasive in the Company and Operate in all divisions.
DESIGN AND IMPLEMENTAION (DI) STAGE Assess the design of controls (D) Appropriate DI ? Assess Audit impact and plan other suitable procedures Assess the implementation(I) Of controls No Yes Plan operative effectiveness testing
Top-Down Approach to Internal Financial Control over Financial Reporting :
Operating Effectiveness (OE) Stage Plan nature timing and extent of texting OE Perform OE testing Assess findings and conclude on OE Form opinion on IFC - Nature: Inquiry, observation, inspection and re-performance Timing: Samples selected should represent the period to be covered by audit. Extent: Frequency of control, manual or automated, IT General Control /IT (sample size is prescribed by GN) Perform and document the testing at focus points . Analyze the combination of findings (favorable and un-favorable) and conclude on the OE of the controls for the period covered by audit. Form appropriate opinion on IFC
Reporting Stage Assess impact on Audit Opinion The auditor to evaluate the severity of each control deficiency that comes to his attention to determine whether the deficiencies individually or in combination are significant deficiencies or material weaknesses and impact on audit opinion on financial statements as a whole. Assess impact on Audit Opinion Form Audit Opinion on Financial Statements
ISSUES Company has prepared document of SOP describing process of operation /activity. During Audit of IFCFR it was found that some activities actually being carried out by the employees are not included in SOP. How to deal with such situation? The company does not have any document evidencing internal financial control. What should be audit methodology for review of IFCFR in this situation? Whether any qualification or adverse comment in separate report IFCFR would also require auditor to qualify or give adverse opinion in report on FS? Whether any qualification or adverse comment in audit report on FS would also require auditor to qualify or give adverse opinion in separate report on IFCFR? In the report on IFCFR the auditor has given adverse opinion on account of material weakness in IFC. However in the Directors’ Report it is stated that the company has laid down IFC which are adequate and were operating effectively. How the auditor should deal with the situation? Whether documentation prepared for audit of IFCFR can be used as documentation for control risk assessment in connection with audit of FS ?
Thank you CA Sanjay Goyal +91 9810730080 sanjgoyal@gmail Thank you CA Sanjay Goyal +91 9810730080 sanjgoyal@gmail.com, sg@cainfoindia.com Office 1 : LG-791, Near Bharat Petroleum Petrol Pump,Sector-47, Gurgaon-122018, Haryana (India) Ph. 0124-4188123, 9810730080 Office2 : 303, Vipul Agora, MG Road, DLF City-II, Gurgaon-122004,Haryana (India) Ph. 0124-4102247 Web : www.cainfoindia.com