
Internal Financial Controls (IFC)

Building efficiency Managing risks

Private and Confidential


August 1, 2015

Agenda
Reporting and Implementation of internal financial controls (IFC)
Comparison of IFC with SOX
Responsibilities of Board of Directors
Responsibilities of auditors


India... Era of Corporate Governance


IFC
Amended clause 49

MATURITY/ SUSTAINABILITY

Narayan Murthy Committee

Naresh Chandra Committee

DCA Report

DCA - Task Force On Corporate Excellence


Clause 49
Kumar Mangalam Birla Committee
CII
1998

1999

2000

2001

2002

INITIATIVES

2003

2004

2013

Regulatory requirements and guidelines


Guidelines for listed entities
Combined Code: Turnbull

UK

1998/99
Amended 2003

Malaysia

2000

South Africa

2002

US

2002

ASX Good Corporate Governance (Principle 7)

AUS

2003/04

Clause 49

India

2000
Amended
2004,
2014
Amended
2004

HK

1 July 2005

Japan

2005 release

APRA GPS 220 - General insurers

AUS

2002

Basel II Capital Accord Banks to comply by 2007

AUS

2005

Code on Corporate Governance (Part I & II)


King II
Sarbanes-Oxley Act

Code on Corporate Governance (Principle C2)


J-SoX
Financial services guidelines

Internal Financial Controls


Companies Act requirements
Directors' responsibility statement

Section 134(5)(e) - The directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Section 134(5)(f) - The directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

Section 134(3)(q), sub-rule 8(5) - In addition to the information and details
specified in sub-rule (4), the report of the Board shall also contain: the details in
respect of adequacy of internal financial controls with reference to the financial
statements.

Explanation - For the purpose of this clause Internal Financial Controls means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

Internal financial controls reporting covers not just financial reporting aspects, but also the strategic and operational aspects of business and the efficiency with which those operations are carried out.

Internal Financial Controls


Companies Act requirements (continued)
Audit Committee

Section 177(4)(vii) - Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall inter alia, include ..., evaluation of internal financial controls and risk management systems ...

Section 177(5) - The Audit Committee may call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.

Auditors' report

Section 143(3)(i) - Whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

Whilst section 134(5) requires directors to state their responsibility on internal financial controls in case of listed
companies, auditors are required to report on the adequacy and operating effectiveness of such controls in case
of all companies.
Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the board report of all companies to
state the details in respect of adequacy of internal financial controls with reference to the financial statements.

What does the law say?


Internal Financial Controls (IFC)
Internal Financial Controls (as per Companies Act of India)
Board of Directors:
Lay down adequate and effective IFCs and include it in Directors' Responsibility Statement
Independent directors to satisfy themselves on the strength of financial controls.

Audit Committee:
Evaluate IFC systems
Review Auditors' comments / observations with respect to controls before submission to the Board
Discuss issues with Management or Internal / Statutory Auditors

Auditors:
Report on adequacy of IFCs system
Report on operating effectiveness of such controls.

IFC to be included as part of Directors' Responsibility Statement from March 31, 2015 onwards and as part of Statutory Auditors' Report from March 31, 2016 onwards

Internal Financial Controls


Applicability for listed and unlisted companies
Scope:
Listed Companies - Adequacy and effectiveness of Internal Financial Controls
Unlisted Company - Adequacy and effectiveness of Internal Financial Controls over Financial Reporting (IFCFR)

Board
Responsibility:
Lay down adequate and effective Internal Financial Controls and include it in Directors' responsibility statement
Independent Directors to satisfy themselves on the strength of internal financial controls

Audit Committee
Responsibility:
Evaluate Internal Financial Control system
Review Auditors' comments/ observation on Internal Financial Controls before submission to the Board
Discuss issues with management or internal/ statutory auditors
Investigate and seek external professional advice.

Auditors
Report on adequacy and operating effectiveness of Internal Financial Controls over Financial Reporting

Comparison: SOX vs IFC

Applicability
SOX: Parent company and major consolidated subsidiaries, affiliated companies.
Internal Financial Control: Every listed company registered under Companies Act.

Entity Level Controls Assessment
SOX: Applicable
Internal Financial Control: Applicable

Assessment of business processes
SOX: Assess business process relating to material financial statement accounts e.g. Procure to Pay, Order to Cash etc.
Internal Financial Control: Assess business process relating to material financial statement accounts e.g. Procure to Pay, Order to Cash etc.

Assessment method of business processes
SOX:
Understand and classify business processes
Document business process in the form of flowchart and process narratives.
Identify risks and controls (RCMs)
Evaluate design effectiveness of internal controls
Evaluate operational effectiveness of internal controls
Internal Financial Control:
Understand and classify business processes
Identify risks and controls (RCMs)
Evaluate design effectiveness of internal controls
Evaluate operational effectiveness of internal controls

Evaluation of controls over IT environment
SOX:
IT General Controls
Business processing IT controls
Internal Financial Control:
IT General Controls
Business processing IT controls

Auditors' Opinion
SOX: Express opinion on management's evaluation of the effectiveness of internal controls.
Internal Financial Control:
Report on adequacy of IFC system
Report on operating effectiveness of such controls.

Internal Financial Controls - common myths

We have a good SLA with service providers. We don't need to evaluate their controls

Scope and plan

Materiality is for financials. It doesn't really impact control considerations

Meeting CARO requirement is sufficient

There is no need to document processes and controls

We don't need to revisit processes and controls

We don't need to link risks with controls

Assess and define

Why do we need to look at cost / benefit for controls? Everything is essential

Identify and document

Automation through ERP - Controls are automatically in place

Testing of controls and remediation of deficiencies is the responsibility of auditors

Test and remediate

We don't need an oversight body to oversee all changes in processes / controls

We don't need a process for IFC certification to Board / AC. We know people are doing it and no exceptions are identified by the auditors

Monitor, certify and assert

We understand controls. There is no need for training and development of our people

Internal Control Environment


Key drivers of the framework in the value chain


Internal Control Environment
1

Governance

Enhancements for effective risk governance
Finalize lines of defense and aspects to be covered under each line of defense
Suggest improvements in the framework
Compliance as per various regulations (Companies Act Rules 2013 and SEBI Listing agreement.)

Operations

Identify areas of improvement and reducing financial reporting risk
Identify areas of improvement from design perspective
Eliminate redundant controls
Automate financial reporting related controls
Identify automation opportunities.
Segregation of Duty
Evaluate the control activities for each process
Identify control redundancies

Financial Reporting

Strengthening all lines of defense within the value chain

Three lines of Defense


Board of Directors/Audit Committee
CEO/Senior Management

First Line of Defense

Second Line of Defense

Third Line of Defense

Supervisory Authority

Controllers

External Audit

Compliance

Internal Audit

Internal Control

Operational Management

Risk Management

Source: Institute of Internal Auditors: The Role of Internal Auditing in Governance, Risk, and Compliance

Internal Financial Controls What to do?


Operations Objectives

IFC Objective: Efficiency and effectiveness in Operations
IFC Requirements:
Defined Policies and procedures to ensure effective and efficient operations.
Effective Delegation of Authority and Entity level controls
What to do?
Define and ensure compliance to appropriate policies and procedures and Delegation of Authority
Define appropriate Entity level controls
Define and monitor operating effectiveness of appropriate controls over various activities.

IFC Objective: Prevention and detection of fraud and error
IFC Requirements:
Preventive controls to address Fraud risk
Mechanism for timely detection of fraud and errors
What to do?
Fraud Risk Management

IFC Objective: Safeguarding of assets
IFC Requirements:
Adequate control over asset movement, storage, loss or theft.
Risk identification and mitigation plan to reduce loss of asset
What to do?
Define appropriate asset movement controls
Effective asset verification program

Reporting Objectives

IFC Objective: Accuracy and completeness of Accounting records
IFC Requirements:
Controls over accurate and timely update of accounting records
Control over completeness of accounting records
What to do?
Defined effective controls and ensure operating effectiveness (ELC, PLC, ITGC and Fraud Risk)

IFC Objective: Reliability of Financial reporting
IFC Requirements:
Timely preparation of financial reports
Adequate controls over preparation of financial reports
What to do?
Defined appropriate controls over preparation of financial reports
Adequate review mechanism

Compliance Objectives

IFC Objective: Compliance with applicable laws and regulations
IFC Requirements:
Adequate framework to ensure compliance to applicable laws and regulations
Adequate framework to monitor the compliance
What to do?
Legal Compliance Framework

Internal Financial Controls


Entity Level Controls

ELC Component: Requirement

Business Risk Management: Whether risk management policy and procedures are in place? Whether formal risk assessment has been carried out or not?

Business Ethics Framework: Whether whistle-blower policy and Code of conduct exist and are implemented?

Internal Audit and Financial Integrity: Whether internal audit function is independently reporting to Audit Committee? Whether roles and responsibilities of senior management are defined and documented? And whether adequate segregation of duties exists?

Legal Compliance Framework: Whether legal compliance framework is documented and compliance health is checked on periodic basis?

Fraud Risk Management: Whether Fraud Risk Management policy exists, detailing structure of fraud deterrence, prevention and investigation, fraud incidence response guidelines? Whether key controls to mitigate fraud risks are identified and monitored for compliance on regular basis?

Business and Operations Continuity: Whether Disaster Recovery Plan, Business continuity plan and crisis management policy are defined and implemented?

Succession Planning: Whether formal process of succession planning is defined and implemented?

Management Operational Review: Whether formal process of management oversight and review mechanism exists and is followed?

Internal Financial Controls


Process Level Controls

PLC Component: Requirement

Design Effectiveness

Significant policy and procedures are defined. Process of assessing adequacy and appropriateness of policies and process to be developed

Completeness of RCM documented for all business cycles to be assessed. Example RCM for Treasury etc. to be prepared. Existing RCMs to include following:
Review and update RCMs for all financial assertions.
Controls description to be elaborated
Fraud Risk to be highlighted
Whether Policy/ Procedure exists or not to be documented
Control Category specifying COSO control level
Control Owner and responsibility for testing and reporting

Illustrative RCM

Operating Effectiveness

Policy of control testing and operating effectiveness, containing the sampling criteria and strategy to be defined

Standard documentation to be maintained in the forms of test scripts and support documents to evidence the operating effectiveness of the identified controls

Illustrative Test Script

Control Assessment Dashboard P2P


[Figure: dashboard with three panels. Risk Universe: count by business cycle (Total, Fraud). Control Universe: count by business cycle (Total, Manual, Automated). Control Effectiveness Test Result: count by business cycle (Total, Ineffective, Manual, Automated) and Compliance Percentage, with legend bands <= 50%, <= 90, > 90. Business cycles shown: Planning and budgeting, Vendor Management, Ordering, Receiving, Invoice Processing.]

Internal Financial Controls Roadmap


The following is the typical risk-based internal controls journey:

[Figure: roadmap chart. Axis labels: Business value; Internal Control compliance. Stage labels: Plan and scope; Perform risk assessment; Identify significant Controls; Document Controls; Evaluate control design; Evaluate operating effectiveness; Identify and remediate deficiencies; Document results; Build sustainability. Further label: Ability to sustain controls based audit.]

Risk and control matrix


Payment process

What can go Wrong
Advances to vendors not being adjusted against the bills
Payment made in excess of invoice amount
Duplicate payment made to the vendors
Payment made to wrong vendor

Control Activities to mitigate the Risk:
Periodical process of review of open/long pending advances
Payments are made only after reconciling it with appropriate invoice. System based control - payment only as per the invoice amount
Process for periodical review of list of pending invoices.
Purchase requisitions are reviewed and approved by an individual with the appropriate signatory authority approval limits
Obtain balance confirmations from vendors

Control Activities
Control Activities are actions established by policies and procedures rather than being the policies and procedures themselves

Process vs. control: Example

Control Description #1: Company engages XYZ Actuary Firm to prepare the actuarial analysis.

Issue: Hiring a specialist is a procedure which may enhance competency, but is not a control.

Control Description #1: Management reviews and discusses the Actuarial Report, including key assumptions with the specialist to assess the appropriateness of the assumptions and conclusions reached.

Control Activities
Process vs. control

Control Description #2: The billed revenue file is summarized at month's end and the total is recorded into revenue.

Issue: Someone recording something is typically a process step; not a control.

Control Description #2: The Accounting Manager verifies that the billed revenue was properly recorded to revenue by comparing the billed revenue file to the revenue recorded in the general ledger.

Control Activities
Control mitigates the risk?

Control Description #3:
Risk: All shipments are not recorded (completeness).
Control Description: The general ledger is reconciled to the XYZ file.

Issue: It is not clear based on the description how this control mitigates the completeness risk.

Control Description #3: The general ledger is reconciled to the XYZ file, which is a download from the warehouse shipping system of all shipments processed for the period.

Controls - An overview
Illustrative Controls
Life sciences

Operational Control

Performance evaluation of vendors is conducted on an annual basis.
Physical counting and checking of material / goods received at the warehouse to ensure that the correct quantity and quality of material / goods have been received.
Setting of credit limit for customers
The SCM team takes comparative quotes from a minimum of 3 vendors prior to selection of the final vendor.

Key Controls
(Operational and Financial)

Financial Control

Accounting of vendor related invoices
Creation of GRN on receipt of goods at the warehouse.
Recording of invoices on dispatch and monitoring of accounts receivables
Creation of vendor master with all the requisite fields

ICFR
IFC

Non Key Control

Review of the existence of non-key fields within master data stored in the system
Review of inactive accounts with low and immaterial balances
Physical verification of C category inventory (low value items)

Physical verification of fixed assets/stock on a periodic basis and reconciling them with records maintained
Segregation of duties at various stages of financial reporting
IT General controls are kept in place
Proper authorization as per the authorization matrix for all the transactions entered into the system
Employees and 'covered persons' must sign an Insider Trading Certification per the corporate policy prior to trading in the company stock.

Fraud Controls

Presence of multiple authorization at various stages of high value transactions
Periodic review of debtors ageing
Proper vendor evaluation process to avoid collusion with third parties.

Mr. Ajay Minocha
Partner
Deloitte Haskins & Sells LLP
E-mail: ajaminocha@deloitte.com
Main: +91 (124) 679-2000
7th Floor, Building 10 Tower B
DLF Cyber City Complex, DLF City Phase II
Gurgaon, Haryana 122002
India

Mr. Sidheshwar Bhalla
Director
Deloitte Haskins & Sells LLP
E-mail: sibhalla@deloitte.com
Mobile: +91 98997 87786
7th Floor, Building 10 Tower B
DLF Cyber City Complex, DLF City Phase II
Gurgaon, Haryana 122002
India

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL), its network of member firms, and their related
entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global) does not provide services to clients.
Please see www.deloitte.com / about for a more detailed description of DTTL and its member firms.
This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide general information on a
particular subject or subjects and is not an exhaustive treatment of such subject(s). This material contains information sourced from third party sites (external sites). DTTIPL
is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such external sites. None of DTTIPL, Deloitte Touche Tohmatsu
Limited, its member firms, or their related entities (collectively, the Deloitte Network) is, by means of this material, rendering professional advice or services. The
information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that
might affect your personal finances or business, you should consult a qualified professional adviser.
No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.