An overview of Internal Controls Structure & Mechanism Dr. S.K.Gupta M.Com, FCS, FCMA, Ph.D

Internal Financial Controls The Companies Act, 2013 has imposed specific responsibilities on the Board of Directors towards the company’s internal financial controls and, inter alia, requires the Board to state that they have laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively. These changes are effective from the financial years beginning on or after 1 April, 2014.

Internal financial controls include policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including regulatory compliance and prevention and detection of frauds and errors, thereby covering not only the controls over reliable reporting of financial statements , but also include all other controls pervasive across the business.   Statutory auditors are required to report on the adequacy and operating effectiveness of the company’s IFCFR. The reporting by the auditors is mandatory for financial year beginning on or after 1 April, 2015.

Context for IFC Major corporate and accounting scandals – Satyam, Financial Technologies (India) Limited, Enron Decline of public trust in accounting and reporting practices Indian regulations modified to reflect the regulatory developments in the western world. Introduction of Internal Financial Controls (IFC) in the Companies Act 2013, reflect the continuation of this trend.

Then Board Auditors Audit Committee Management CARO   CARO required statutory auditors to report on internal control matters relating to inventory, fixed assets and sale of goods and services Directors - Section 217 (2AA)   Directors of a company to specifically state in the Directors Responsibility statement that they have taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provision of the Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities Clause 49 of listing agreement   CEO / CFO certification - Responsibility of control system and significant changes in internal control

Now Sec 134 (5) (e) CFO & CEO – Clause 49 of listing agreement Directors’  to Responsibility states that they have laid down IFC to be followed By the company And such controls are adequate and operating effectively (Listed company) Sec 177(4) (vii)& Clause 49 (III)(D)  Audit committee to Evaluate internal financial control and Risk management systems   CFO & CEO – Clause 49 of listing agreement Accept responsibility for establishing and maintaining IC for FR and that they have evaluated the effectiveness of ICS of the company Sec 143 (3) (i) & Sec 143 (12)  The auditor’s report shall also state whether the company has adequate internal financial control system in place and the operating effectiveness of such control

IFC definition as per Companies Act Internal financial controls means  Policies and procedures adopted by the company for ensuring orderly and efficient conduct of its business Including Adherence to company’s policies The safeguarding of its assets The Prevention and detection of frauds and errors The accuracy and completeness of the accounting Records and The timely preparation of reliable financial information

What is required ? A demonstrable documented framework for internal financial controls Documentation of controls that actually mitigate the risk of significant misstatements Requisite accountability for financial reporting structure Fraud risks and controls at the process level to be understood and are demonstrable Testing of operating effectiveness of controls

Components of Internal Control-COSO Internal control consists of five interrelated components, derived from the way management runs a business, and are integrated with the management process:  Control Environment  Risk Assessment  Control Activities  Information & Communication  Monitoring

Control Environment – Principles 1. Organization demonstrates a commitment to integrity and ethical values. 2. Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. Organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. Organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment – 4 Principles 6. Organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. Organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. Organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. Organization identifies and assesses changes that could significantly impact system of internal control.

Control Activities – 3 Principles 10. Organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. Organization selects and develops general control activities over technology to support the achievement of objectives. 12. Organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication – 3 Principles 13. Organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. Organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. Organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities – 2 Principles 16.Organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. Organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Questions to consider Has a framework for internal financial controls been identified for the company ? Does the framework include operations and regulatory compliance as well? Has the internal controls been mapped to the framework defined? Based on the defined frameworks are there any gaps in current processes, control activities, or documentation, and if so, how are these being addressed? Is the company educating leadership & executive management, and control owners regarding the content in the framework? What policies are in place and who is responsible for communicating internal control considerations . Does the company use information technology and data analytics to help continuously monitor IC systems

To Sum up….Placing more accountability and responsibility on the Board and AC with respect to IFC, the 2013 act has attempted to align the corporate governance and financial reporting standards with global best practices Senior Management Accountability Enhanced control Improved compliance to laws Improved Control over FR processes Accountability of operational Management Improved investors confidence Benefits of IFC Support to CEO / CFO Certification More accurate and reliable FS Audits more comprehensive Promotes culture of transparency

***Thank You***