
INTERNAL FINANCIAL CONTROL REPORTING
UNDERSTANDING AND IMPLEMENTATION STEPS

Presentation on Internal Financial Control (IFC)


|
|
Internal Financial Controls over financial reporting

“Internal Financial Controls over financial reporting” mean…
“A process designed by, or under the supervision of, the company's principal
executive and principal financial officers, or persons performing similar
functions, and effected by the company's board of directors, management,
and other personnel, to provide reasonable assurance regarding the reliability
of financial reporting and the preparation of financial statements for external
purposes in accordance with generally accepted accounting principles. A
company's internal financial control over financial reporting includes those
policies and procedures that

(1) pertain to the maintenance of records that, in reasonable detail, accurately
and fairly reflect the transactions and dispositions of the assets of the
company;

(2) provide reasonable assurance that transactions are recorded as necessary
to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that receipts and expenditures of the
company are being made only in accordance with authorisations of
management and directors of the company; and

(3) provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect
on the financial statements.”

(4) The process may also be designed by, or under the supervision of a committee or group
of the aforesaid persons.

Considering the above, the auditor should obtain reasonable assurance to state whether an
adequate internal financial controls system was maintained and whether such internal
financial controls system operated effectively in the company in all material respects with
respect to financial reporting only.

(page 16 of ICAI guideline)

|
Internal Financial control

As per Section 134 of Companies Act, 2013:

The term Internal Financial Control means:

• Policies and procedures adopted by company for ensuring orderly and efficient conduct of its
business, including adherence to company’s policies
• Safeguarding of its assets
• Prevention and detection of fraud and errors
• Accuracy and completeness of the accounting records, and
• Timely preparation of reliable financial information

• Internal control over financial reporting (ICFR): Sales reporting; Revenue recognition; Correct disclosure
• Operational control: Correct dealer selection as per approved guidelines
• Fraud prevention: Access of control rights; Pricing + discount; Incentives
• Internal Financial Control
|
Internal Financial control - Requirement

For this purpose, it is essential to establish an Internal control framework “for
identification of risks and controls” established for mitigation of risk and monitoring of
laid down controls on a periodic basis.

This also includes a robust mechanism of well-defined authorities within the organization
for authorizing various business functions.

What does a business have to do?

• Make control everyone’s “responsibility”
• Create consistency in operations across locations
• Focus not just on compliance but on enhancing business performance

|
Related sections in Companies Act, 2013

Key compliances
Section 134 (5) (e): The Directors’ Responsibility
Statement referred to in clause (c) of subsection (3) shall
state that:
The directors, in the case of a listed company, had laid
down internal financial controls to be followed by the
company and that such internal financial controls are
adequate and were operating effectively.

Section 134 (3) (c): There shall be attached to statements
laid before a company in general meeting, a report by its
Board of Directors, which shall include Director’s
Responsibility Statement.

Section 143 (3) (i): The auditor’s report should also state
whether the company has adequate IFC system in place
and the operating effectiveness of such controls

|
Related sections in Companies Act, 2013

Key compliances
Section 177: Every Audit Committee
shall act in accordance with the terms of
reference specified in writing by the
Board which shall, inter alia, include:
- evaluation of internal financial
controls and risk management systems.

Rule 8 (5) (viii) of Companies (Accounts) Rules 2014:
The report of the Board shall also contain:
The details in respect of adequacy of
internal financial controls with
reference to the Financial Statements

|
Related sections in Companies Act, 2013

Key compliances
Schedule IV (II) (4) of Companies Act 2013:
The independent directors shall satisfy
themselves on the integrity of financial
information and that financial
controls and the systems of risk
management are robust and defensible

|
|
What Companies Need to Do?

Control Policies and Procedures
• Define controls, policy and procedures
• Develop delegation of Authority
• Review of policies and procedures

Safeguarding of Assets
• Assess Adequacy of protection and use of Assets
• Carry out periodic Physical Verification of Assets

Prevention and Detection of Fraud and Errors
• Implement Anti-Fraud Program
• Carry out fraud Risk Assessment

Accuracy and Completeness of Accounting Records
• Perform an assessment of:
  • Entity level controls
  • Process Level Control
  • IT Control
  • Fraud Control

Timely preparation of Reliable Financial Information
• Develop accounting Policy manual
• Develop a robust financial close process with inbuilt control for oversight and monitoring

|
Implementation process road map

One time: Detailed scope → Validate & Document design → Corrective action → Prepare test strategy & plan → Reporting

On going: Change Management → Seek confirmation for changes → Corrective action → Control Testing → Reporting

|
Detailed Analysis (Implementation)

SCOPING

• Map / identify significant processes / location
• Segregate the processes between business process / IT process
• Discuss / align the scope with external auditor
• Define materiality
• Finalize scope exclusions
• Define process and activities / processes performed by third parties
• Nominate the IFC process leader across process / location
• Align audit committee and company board
• Finalize template, standards, SOPs, reporting process
• Conduct training workshop with process owner.
(For detailed analyses refer Para 87 (Page 33) ICAI Guidance Note, September 2015)

|
Detailed Analysis (Implementation)

DESIGN ASSESSMENT

• Finalize process owner for each process
• Perform and document the walkthrough
• Document the process maps (input, output, risk/controls, IPE)
• Segregate the controls into entity/ process/IT
• Perform segregation of duties analysis
• Perform IT General Control
• Identify the design gaps based on walkthroughs, interviews, discussions
• Benchmark IFC controls – consolidate and remove redundancy

|
Detailed Analysis (Implementation)

DESIGN GAP REMEDIATION

• Prioritize financial gaps into material / non-material
• Prioritize operational gaps into High/ Medium/Low
• Co-develop remedies with owners and implementation timeline
• Periodic monitoring of remedial plans
• Enhance / optimize IT controls
• Standardize / centralize process
• Interim testing to confirm remediated gaps

|
Detailed Analysis (Implementation)

OPERATIVE EFFECTIVENESS & TESTING

• Align sampling strategy with external auditor
• Prepare the testing plans with templates, formats
• Timing of testing – mid year, roll forward
• Resourcing – competency, independence, objectivity
• Documenting testing results
• Identify the testing gaps into material / non-material

ASSESSMENT & REPORTING

• Finalize material weakness
• Update the executive management
• Report to audit committee & Board
|
How to design process & SOP

• Process flowchart
• Process narratives
• Key inputs and outputs
• Individual responsibilities

|
Risk control matrix

A risk control matrix is a matrix which defines the various levels of risk, the harm
probability and the associated controls designed by the organization to mitigate the risk.

The risk control matrix should ideally cover the following areas for effective analysis of
risk and the related controls:

• Process
• Sub Process
• Control Objective
• Risk
• Fraud risk
• Risk category (High/Medium/Low)
• Assertions
• Automated/Non-Automated
• Preventive/Detective
• Core/Non-core

|
|
Management and auditor responsibility

MANAGEMENT RESPONSIBILITY

Clause (e) of sub-section 5 of section 134 of the Companies Act 2013 requires the directors’
responsibility statement to state that the directors, in the case of a listed company, had laid down internal
financial controls to be followed by the company and that such internal financial controls are adequate and
were operating effectively.
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as
“the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its
business, including adherence to company’s policies, the safeguarding of its assets, the prevention and
detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information.”

AUDITOR RESPONSIBILITY

To express an opinion on the effectiveness of the company's internal financial
controls over financial reporting, where the procedures in respect thereof are carried
out along with an audit of the financial statements, the auditor must plan and
perform the audit to obtain sufficient appropriate evidence to obtain reasonable
assurance about whether material weakness exists as of the date specified in
management's assessment. (Sec 143(3)(i) of Companies Act 2013)
|
Planning of audit

• Preliminary knowledge about the company’s IFC.
• Matters affecting the industry in which the company operated
• Matter relating to company’s business including capital structure & operations
• Recent changes in operation and IFC.
• Materiality, risk and other consideration.
• Control deficiencies previously communicated to the audit committee.
• Legal and regulatory matters
• Preliminary judgement
• Type & Extent of evidence to be obtained
• Public information available regarding the likelihood of misstatement
• Knowledge about risk as per auditor’s KYC guidelines
• Complexity of company’s operation

(Refer Page 30 of ICAI guidance note)

|
Scoping of audit

A Top Down:

• Begins at the financial statement level and with the auditor's understanding of the overall risks to internal financial controls over financial reporting.
• The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.
• The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls.

(For illustrative list refer page 187 of ICAI Guidance Note, September 2015)
|
Understanding process of organization

Flow of transactions
• Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorised, processed, and recorded.

Possibility of misstatement
• Identify the points within the company's processes at which a misstatement (individually or in combination with other misstatements) would be material.

Significance
• The classes of transactions in the company's operations that are significant to the financial statements

Information System Flow
• The procedures, within both automated and manual systems, by which those transactions are initiated, authorised, processed, recorded, and reported.

|
Materiality selection

Para 86 of ICAI Guidance Note : In planning the audit of internal financial controls over
financial reporting, the auditor should use the same materiality considerations he or she
would use in planning the audit of the company's annual financial statements as provided
in SA 320 “Materiality in Planning and Performing an Audit”.

SA 320 Issued by ICAI : Materiality means the amount or amounts set by the
auditor at less than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements as a whole. If applicable,
performance materiality also refers to the amount or amounts set by the auditor at less
than the materiality level or levels for particular classes of transactions, account balances
or disclosures.

Schedule III (Sec 129) of Companies Act 2013:
Any item of income or expenditure which exceeds one per cent. of the revenue from
operations or Rs.1,00,000, whichever is higher;

|
Test of controls

Criteria for test of controls:

Para 107 of ICAI Guidance Note : The decision as to whether a control should be selected for testing
depends on which controls, individually or in combination, sufficiently address the assessed risk
of misstatement to a given relevant assertion rather than on how the control is labelled (e.g., entity-
level control, transaction-level control, control activity, monitoring control, preventive control, detective
control).

Para 109 of ICAI Guidance Note: Procedures the auditor performs to test design effectiveness include a
mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of
relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate
design effectiveness.
(Note : Materiality will be selected based on the Risk control Matrix)

Sample selection for test of controls:

Appendix VI of ICAI Guidance Note, September 2015

Standard on Internal Audit (SIA) 5 – “Sampling”

Methods for sample selections are as follows:

1. Random selection and use of CAATs
2. Systematic selection
3. Haphazard selection
4. Block selection

|
Test of Control (Process)

Importance of controls
• The auditor should test those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement.

Testing design effectiveness
• Auditor should test the design effectiveness of controls by determining the company's controls objectives that can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
• Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.

Testing operative effectiveness
• Test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively

|
Design, implementation & operating effectiveness

The auditor should test design effectiveness of controls by determining whether company’s
controls, if they are operated as prescribed by persons possessing necessary
authority and competence to perform control effectively, satisfy the company’s
control objectives and effectively prevent or detect errors or fraud that could result in
material misstatements in the financial statement.

|
Deficiency / Gap report

Definition of Deficiency:

Para 128 of Guidance note ICAI :

‘Deficiency’ in internal financial control over financial reporting exists when the design or
operation of a control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect misstatements on a timely basis.

‘Material weakness’ is a deficiency, or a combination of deficiencies, in internal financial
control over financial reporting, such that there is a reasonable possibility that a material
misstatement of the company's annual or interim financial statements will not be
prevented or detected on a timely basis.

Following are the suggestive columns for gap report:

• Area / Process
• Control Deficiencies: 1. System Gap; 2. Process Gap
• Responsibility
• Timeliness
|
|
Principles Of Effective Controls (COSO)

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

|
|
IFC & Internal Audit

Internal Financial Control and Internal Audit


Para 82 of ICAI Guidance Note: The auditor should evaluate the extent to which he or she
will use the work of others to reduce the work the auditor might otherwise perform himself or
herself. SA 610 “Using the Work of Internal Auditors” and SA 620 “Using the Work of an
Auditor’s Expert” apply in a combined audit of internal financial controls over financial
reporting and financial statements.

Para 152 of ICAI Guidance Note: Since the primary responsibility for establishing and
maintaining an adequate internal financial controls system over financial reporting is that of
the management and the board of directors of the company, the auditor should ensure that
the board of directors approving the financial statements of the company also approve the
management assertion and conclusion on the adequacy and operating effectiveness of
internal financial controls over financial reporting and also take on record the deficiencies,
significant deficiencies and material weaknesses identified by the management, internal
auditors and the auditor.

IG 18.9 of ICAI Guidance Note: The extent to which the auditor may use the work of others
in an audit of internal control also depends on the risk associated with the control being
tested. As the risk associated with a control increases, the need for the auditor to perform
his or her own work on the control increases.
|
|
Topic | Paragraph Reference (ICAI) | Page No.
Auditors’ responsibility for reporting on Internal financial controls over financial reporting in India | 4 – 5 | 11
Objective in an audit of internal financial controls over financial reporting and interpretation of the term ‘internal financial controls’ for auditor’s reporting under Section 143(3)(i) | 26 – 35 | 15
Auditors’ responsibility for reporting on internal financial controls over financial reporting in the case of unlisted companies | 43 – 45 | 18
Components of internal control | 48 – 60 | 21
Planning the audit | 75 | 30
Materiality | 86 | 33
Indicators of material weakness | 135 – 136 | 45
Audit Report | 158 – 160 | 50
Audit documentation | 165 | 51
Implementation Guidance (IG) | IG 1 – IG 21 | 52 – 157
|
Topic | Paragraph Reference (ICAI) | Page No.
Difference between Process and Control | | 65 – 66
Automated Controls | | 74 – 76
Information Produced by the Entity (IPE) | | 76 – 84
Internal Financial Controls – Testing of Design | | 88 – 91
Internal Financial Controls – Walk Through | | 91 – 93
Internal Financial Controls – Testing of Operative Effectiveness | | 93 – 104
Sampling | IG 14.1 – IG 14.10 | 105
Sample selection | IG 14.11 – IG 14.13 | 106
Roll Forward Testing | | 110 – 116
Rotation Plan for Testing Internal Financial Controls | IG 16.1 – IG 16.3 | 116 – 117
Remediation Testing | IG 17.1 – IG 17.3 | 117
Using the Work of Internal Auditors and an Auditor’s Expert | IG 18.1 – IG 18.9 | 117 – 118
|
Topic | Paragraph Reference (ICAI) | Page No.
IT-dependent controls | IG 19.32 | 132
Documentation of processes and controls | IG 19.44 | 139
Reporting Considerations | | 144 – 150
Scope limitations | IG 20.20 – IG 20.22 | 149
Understanding the process of recording journal entries | IG 21.10 – IG 21.12 | 155
Standard on Internal Audit (SIA) 5 – Sampling | | 192

|
A Journey of Professionals……