s.s. kothari mehta & co. - nirc@icai 3rd feb 16… · ppt file · web view ·...


Post on 17-Mar-2018


|

INTERNAL FINANCIAL CONTROL REPORTING UNDERSTANDING AND IMPLEMENTATION STEPS

Presentation on Internal Financial Control (IFC)

|

UNDERSTANDING OF INTERNAL FINANCIAL CONTROL

|

“Internal Financial Controls over financial reporting” mean…

“A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies and procedures that

(1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

(2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and


(3) provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”

(4) The process may also be designed by, or under the supervision of a committee or group of the aforesaid persons.

Considering the above, the auditor should obtain reasonable assurance to state whether an adequate internal financial controls system was maintained and whether such internal financial controls system operated effectively in the company in all material respects with respect to financial reporting only.

(page 16 of ICAI guideline)


|

Internal Financial control

As per Section 134 of Companies Act, 2013:

The term Internal Financial Control means:

• Policies and procedures adopted by company for ensuring orderly and efficient conduct of its business, including adherence to company’s policies

• Safeguarding of its assets

• Prevention and detection of fraud and errors

• Accuracy and completeness of the accounting records, and

• Timely preparation of reliable financial information

[Diagram: Internal Financial Control, shown with three parts: Internal control over financial reporting (ICFR), Operational control and Fraud prevention. Examples shown in the diagram: Sales reporting; Revenue recognition; Correct disclosure; Correct dealer selection as per approved guidelines; Access of control rights; Pricing + discount; Incentives]

|

Internal Financial control - Requirement

For this purpose, it is essential to establish an internal control framework “for identification of risks and controls”, established for mitigation of risk and for monitoring of laid-down controls on a periodic basis.

This also includes a robust mechanism of well-defined authorities within the organization for authorizing various business functions.

What does a business have to do?

• Make control everyone’s “responsibility”

• Create consistency in operations across locations

• Focus not just on compliance but on enhancing the business performance

|

Related sections in Companies Act, 2013

Key compliances

Section 134 (5) (e): The Directors’ Responsibility Statement referred to in clause (c) of subsection (3) shall state that: The directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Section 134 (3) (c): There shall be attached to statements laid before a company in general meeting, a report by its Board of Directors, which shall include Director’s Responsibility Statement.

Section 143 (3) (i): The auditor’s report should also state whether the company has adequate IFC system in place and the operating effectiveness of such controls.

|

Related sections in Companies Act, 2013

Key compliances

Section 177: Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include: evaluation of internal financial controls and risk management systems.

Rule 8 (5) (viii) of Companies (Accounts) Rules 2014: The report of the Board shall also contain: The details in respect of adequacy of internal financial controls with reference to the Financial Statements.

|

Related sections in Companies Act, 2013

Key compliances

Schedule IV (II) (4) of Companies Act 2013: The independent directors shall satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.

|

MANAGEMENT ROLE

|

What Companies Need to do?

Control Policies and Procedures

• Define controls, policy and procedures

• Develop delegation of Authority

• Review of policies and procedures

Safeguarding of Assets

• Assess Adequacy of protection and use of Assets

• Carry out periodic Physical Verification of Assets

Prevention and Detection of Fraud and Errors

• Implement Anti-Fraud Program

• Carry out fraud Risk Assessment

Accuracy and Completeness of Accounting Records

• Perform an assessment of: Entity level controls, Process Level Control, IT Control, Fraud Control

Timely preparation of Reliable Financial Information

• Develop accounting Policy manual

• Develop a robust financial close process with inbuilt control for oversight and monitoring

|

Implementation process road map

[Diagram: implementation road map with “One time” and “On going” phases. Steps shown: Detailed scope; Validate & Document design; Corrective action; Prepare test strategy & plan; Control Testing; Reporting; Change Management; Seek confirmation for changes]

|

Detailed Analysis (Implementation)

SCOPING

• Map / identify significant processes / location

• Segregate the processes between business process / IT process

• Discuss / align the scope with external auditor

• Define materiality

• Finalize scope exclusions

• Define process and activities / processes performed by third parties

• Nominate the IFC process leader across process / location

• Align audit committee and company board

• Finalize template, standards, SOP’s, reporting process

• Conduct training workshop with process owner.

(For detailed analyses refer Para 87 (Page 33) ICAI Guidance Note, September 2015)

|

Detailed Analysis (Implementation)

DESIGN ASSESSMENT

• Finalize process owner for each process

• Perform and document the walkthrough

• Document the process maps (input, output, risk/controls, IPE)

• Segregate the controls into entity/ process/IT

• Perform segregation of duties analysis

• Perform IT General Control

• Identify the design gaps based on walkthroughs, interviews, discussions

• Benchmark IFC controls – consolidate and remove redundancy

|

Detailed Analysis (Implementation)

DESIGN GAP REMEDIATION

• Prioritize financial gaps into material / non-material

• Prioritize operational gaps into High/ Medium/Low

• Co-develop remedies with owners and implementation timeline

• Periodic monitoring of remedial plans

• Enhance / optimize IT controls

• Standardize / centralize process

• Interim testing to confirm remediated gaps

|

Detailed Analysis (Implementation)

OPERATIVE EFFECTIVENESS & TESTING

• Align sampling strategy with external auditor

• Prepare the testing plans with templates, formats

• Timing of testing – mid year, roll forward

• Resourcing – competency, independence, objectivity

• Documenting testing results

• Identify the testing gaps into material / non-material

ASSESSMENT & REPORTING

• Finalize material weakness

• Update the executive management

• Report to audit committee & Board

|

How to design process & SOP

A process document should ideally contain the following:

• Objective – The purpose for which SOP is prepared

• Extent of coverage – Broad process outline

• Policy – List of all the associated policies

• Delegation of authority (DOA matrix)

• Key process owners (Name of person involved in the process)

• Individual responsibilities

• Key inputs and outputs

• Process flowchart

• Process narratives

|

Risk control matrix

A risk control matrix defines the various levels of risk, the probability of harm and the associated controls designed by the organization to mitigate the risk.

The risk control matrix should ideally cover the following areas for effective analysis of risk and the related controls:

• Process

• Sub Process

• Fraud risk

• Risk Control Objective

• Risk category: High/Medium/Low

• Core/Non-core

• Preventive/Detective

• Automated/Non-Automated

• Assertions

|

MANAGEMENT AND AUDITOR RESPONSIBILITY

|

Management and auditor responsibility

MANAGEMENT RESPONSIBILITY

Clause (e) of sub-section 5 of section 134 of the Companies Act 2013 requires the directors’ responsibility statement to state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.”

AUDITOR RESPONSIBILITY

To express an opinion on the effectiveness of the company's internal financial controls over financial reporting and the procedures in respect thereof are carried out along with an audit of the financial statements, the auditor must plan and perform the audit to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weakness exists as of the date specified in management's assessment. (Sec 143(3)(i) of Companies Act 2013)

|

Planning of audit

• Preliminary knowledge about the company’s IFC

• Matters affecting the industry in which the company operates

• Matters relating to company’s business including capital structure & operations

• Recent changes in operation and IFC

• Materiality, risk and other considerations

• Control deficiencies previously communicated to the audit committee

• Legal and regulatory matters

• Type & extent of evidence to be obtained

• Preliminary judgement obtained

• Public information available regarding the likelihood of misstatement

• Knowledge about risk as per auditor’s KYC guidelines

• Complexity of company’s operation

Refer Page 30 of ICAI guidance note

|

Scoping of audit

A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal financial controls over financial reporting.

The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.

The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls.

(For illustrative list refer page 187 of ICAI Guidance Note, September 2015)

|

Understanding process of organization

• Flow of transactions: Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorised, processed, and recorded.

• Possibility of misstatement: Identify the points within the company's processes at which a misstatement (individually or in combination with other misstatements) would be material.

• Significance: The classes of transactions in the company's operations that are significant to the financial statements.

• Information System Flow: The procedures, within both automated and manual systems, by which those transactions are initiated, authorised, processed, recorded, and reported.

|

Materiality selection

Para 86 of ICAI Guidance Note : In planning the audit of internal financial controls over financial reporting, the auditor should use the same materiality considerations he or she would use in planning the audit of the company's annual financial statements as provided in SA 320 “Materiality in Planning and Performing an Audit”.

SA 320 Issued by ICAI : Materiality means the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.

Schedule III (Sec 129) of Companies Act 2013 :Any item of income or expenditure which exceeds one per cent. of the revenue from operations or Rs.1,00,000, whichever is higher;

|

Test of controls

Criteria for test of controls:

Para 107 of ICAI Guidance Note : The decision as to whether a control should be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of misstatement to a given relevant assertion rather than on how the control is labelled (e.g., entity-level control, transaction-level control, control activity, monitoring control, preventive control, detective control).

Para 109 of ICAI Guidance Note: Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.

(Note: Materiality will be selected based on the Risk control Matrix)

Sample selection for test of controls:

Appendix VI of ICAI Guidance Note, September 2015

Standard on Internal Audit (SIA) 5 – “Sampling”

Methods for sample selections are as follows:

1. Random selection and use of CAATs

2. Systematic selection

3. Haphazard selection

4. Block selection

|

Test of Control (Process)

Importance of controls

• The auditor should test those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement.

Testing design effectiveness

• Auditor should test the design effectiveness of controls by determining the company's controls objectives that can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.

• Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.

Testing operative effectiveness

• Test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.

|

Design, implementation & operating effectiveness

The auditor should test design effectiveness of controls by determining whether company’s controls, if they are operated as prescribed by persons possessing necessary authority and competence to perform control effectively, satisfy the company’s control objectives and effectively prevent or detect errors or fraud that could result in material misstatements in the financial statement.

|

Deficiency / Gap report

Definition of Deficiency:

Para 128 of Guidance note ICAI :

‘Deficiency’ in internal financial control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

‘Material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Following are the suggestive columns for gap report:

• Area / Process

• Control Deficiencies: 1. System Gap 2. Process Gap

• Responsibility

• Timeliness

|

COSO Framework

|

Principles Of Effective Controls (COSO)

Control Environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information

14. Communicates internally

15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies

|

INTEGRATION WITH INTERNAL AUDIT

|

IFC & Internal Audit

Internal Financial Control and Internal Audit

Para 82 of ICAI Guidance Note: The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. SA 610 “Using the Work of Internal Auditors” and SA 620 “Using the Work of an Auditor’s Expert” apply in a combined audit of internal financial controls over financial reporting and financial statements.

Para 152 of ICAI Guidance Note: Since the primary responsibility for establishing and maintaining an adequate internal financial controls system over financial reporting is that of the management and the board of directors of the company, the auditor should ensure that the board of directors approving the financial statements of the company also approve the management assertion and conclusion on the adequacy and operating effectiveness of internal financial controls over financial reporting and also take on record the deficiencies, significant deficiencies and material weaknesses identified by the management, internal auditors and the auditor.

IG 18.9 of ICAI Guidance Note: The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.

|

IMPORTANT HIGHLIGHTS FROM GUIDANCE NOTES ISSUED BY ICAI

|

| Topic | Paragraph Reference | Page No. (ICAI) |
|---|---|---|
| Auditors’ responsibility for reporting on Internal financial controls over financial reporting in India | 4 – 5 | 11 |
| Objective in an audit of internal financial controls over financial reporting and interpretation of the term ‘internal financial controls’ for auditor’s reporting under Section 143(3)(i) | 26 – 35 | 15 |
| Auditors’ responsibility for reporting on internal financial controls over financial reporting in the case of unlisted companies | 43 – 45 | 18 |
| Components of internal control | 48 – 60 | 21 |
| Planning the audit | 75 | 30 |
| Materiality | 86 | 33 |
| Indicators of material weakness | 135 – 136 | 45 |
| Audit Report | 158 – 160 | 50 |
| Audit documentation | 165 | 51 |
| Implementation Guidance (IG) | IG 1 – IG 21 | 52 – 157 |

|

| Topic | Paragraph Reference | Page No. (ICAI) |
|---|---|---|
| Difference between Process and Control | | 65 – 66 |
| Automated Controls | | 74 – 76 |
| Information Produced by the Entity (IPE) | | 76 – 84 |
| Internal Financial Controls – Testing of Design | | 88 – 91 |
| Internal Financial Controls – Walk Through | | 91 – 93 |
| Internal Financial Controls – Testing of Operative Effectiveness | | 93 – 104 |
| Sampling | IG 14.1 – IG 14.10 | 105 |
| Sample selection | IG 14.11 – IG 14.13 | 106 |
| Roll Forward Testing | | 110 – 116 |
| Rotation Plan for Testing Internal Financial Controls | IG 16.1 – IG 16.3 | 116 – 117 |
| Remediation Testing | IG 17.1 – IG 17.3 | 117 |
| Using the Work of Internal Auditors and an Auditor’s Expert | IG 18.1 – IG 18.9 | 117 – 118 |

|

| Topic | Paragraph Reference | Page No. (ICAI) |
|---|---|---|
| IT-dependent controls | IG 19.32 | 132 |
| Documentation of processes and controls | IG 19.44 | 139 |
| Reporting Considerations | | 144 – 150 |
| Scope limitations | IG 20.20 – IG 20.22 | 149 |
| Understanding the process of recording journal entries | IG 21.10 – IG 21.12 | 155 |
| Standard on Internal Audit (SIA) 5 – Sampling | | 192 |
