Background
There are number of legislative regulations and rules that have been enacted in order to improve the corporate governance environment in India. Corporate monitoring and accountability plays a pivotal role when any business, legal or ethical issues arise, the significance of Corporate governance is perceived when companies fails to perform, the delinquency of such Companies result in loss of investors’ confidence, economic instability, damage to conducive business environment and plummeting financial market.
An impulse for having a strong governance regulation was felt after “Satyam” imbroglio, which underlined various fraudulent compliance and auditing practices. The Company had misrepresented its financial health to investors,stakeholders andstock exchanges.
When the scam unearthed Satyam stocks plummeted over 78%. It dragged the benchmark Sensex index down 7.3% and Nifty hit intraday low. The scam had impacted the Indian economy and IT sector. The scandal eroded investors’ confidence, raised serious questions over the quality of governance mechanism and the credibility of independent directors, auditors and the Board of Directors.
Enactment of Companies Act, 2013(“Act”) was one of the numerous efforts to resolve the difficulties in corporate governance. One of the key introduction to provision of the Act is pertaining to Internal Financial Control (“IFC") & Internal Control framework. The Provisions enacted would shift the onus on the management to maintain a sound internal financial control and assess its own operating effectiveness through such controls.
Introduction
R. K. Mautz and Hussein A. Sharaf in their book "The Philosophy of Auditing" published in the year 1961 set out the tentative postulates of auditing on page 42, and the following three of them are relevant:
(1)The financial statements and other information submitted for verification are free from collusive and other unusual irregularities;
(2)The existence of a satisfactory system of internal control eliminates the probability of irregularities; and
(3) In the absence of clear evidence to the contrary, what has held true in the past for the enterprise under examination will hold true in the future.
Thus in relation to IFC, the most extensive reform in governance for protecting the interest of investors and to enhance the reliability on disclosures made by corporates. Various Committee had recommended incorporation of such provisions in the statute.
The Kumar Mangalam Birla Committee had made a mandatory recommendation onsuch financial control in its corporate governance report, the extract of the same is presented as under:
“9.3 A proper and well-functioning system exists therefore, when the three main groups responsible for financial reporting – the board, the internal auditor and the outside auditors – form the three-legged stool that supports responsible financial disclosure and active and participatory oversight. The audit committee has an important role to play in this process, since the audit committee is a sub-group of the full board and hence the monitor of the process. Certainly, it is not the role of the audit committee to prepare financial statements or engage in the myriad of decisions relating to the preparation of those statements. The committee’s job is clearly one of oversight and monitoring and in carrying out this job it relies on senior financial management and the outside auditors. However it is important to ensure that the boards function efficiently for if the boards are dysfunctional, the audit committees will do no better. The Committee believes that the progressive standards of governance applicable to the full board should also be applicable to the audit committee.
9.4 The Committee therefore recommends that a qualified and independent audit committee should be set up by the board of a company. This would go a long way in enhancing the credibility of the financial disclosures of a company and promoting transparency.
Thus the preparation of reliable financial information is the responsibility of the management of the Company. The management aptness to fulfill the reporting responsibility is based on the design and effectiveness of controls, in absence of such controls it would be extremely difficult for the business organization to prepare a timely reliable financial statements. Hence the Act has inserted a legal obligation for an entity to have an effective internal control.
What are Controls?
As per the explanation as stated under Sec 134(5) of the Act: IFC is “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information”
Definition as per Standards of Auditing(SA) 315:The process designed, implemented and maintained bythose charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness andefficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.
Definition as per COSO1 framework:- “Internal Control is a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, relating to operations, reporting and compliance”.
As per Japanese Financial Services Agency Standards: - “Internal control as a process performed by everyone in an organization and incorporated in its operating activities in order to provide reasonable assurance of achieving four objectives:
- Effectiveness and Efficiency of Business Operations
- Reliability of Financial Reporting
- Compliance with Applicable Laws
- Safeguarding of Assets”
(1-COSO is Committee of Sponsoring Organizations is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting)
In all definitions of Internal Controls if we analyze,emphasis has been placed on operational effectiveness and efficiency with reliable financial reporting, and compliance with laws, regulations and policies, which would assist in detecting and preventing fraud and protection of the organizations resources.
Global framework on Controls
United States of America
Section 404 of Sarbanes Oxley Act of 2002(“SOX”) states about Internal control, where sub section (a), of said provision would requires the public companies to assess adequate and effective of internal control, besides sub section (b), requires the Auditors to give opinion on management’s assessment of Internal control . Section 302 of SOX require the management to certify its financial statements and report any significant deficiencies in the design or operation in the internal controls on an annual or quarterly basis. The difference between two provisions is that Sec 404 mandates increased level of scrutiny.
Japan
On February 15, 2007, the Business Accounting Council of Japan has released standards on Internal Control for achieving objectives as enunciated in the statute and to attain those objectives the management is required to design and effectively operate a process in which internal components are in place.
United Kingdom
As per UK corporate governance code, Principle C.2. puts obligation on the Board to maintain sound system of risk management and internal control for safeguarding shareholders’ investment and companies’ assets. The code further states to annually reviews the system of internal controls and reports to shareholders that it has done so.
Indian framework on Controls
The Act enumerates following provision as a part of controls:-
1. Section 134(5) of the Act,In case of listed entities the directors shall confirm on the adequacy of internal financial controls of the company and that they are operating effectievely.The Directors would have to rely on the evaluation made by the management on adequacy and effective operationally of such controls.
2. Section 143 of the Act , Pursuant to Sec 143(3)(i) the Auditors of the Companies shall report on adequacy of Internal Financial Controls.ICAI had issued a notification stating therein the provisions would be apply to audit in respect of financial year on or after April 1,2014.
3. Section 177 of the Act, As per Sec 177(5) the Audit Committee shall call for the Comments of the Auditors about Internal Control system before submission to the Board. Pursuant to Sec 177(4) (vii), the Audit Committee shall act in accordance with the terms of reference specified in writing by the Board pertaining to evaluation of IFC
4. As per Section 149(8) of the Act , which states the company and Independent Directors have to abide by Schedule IV ,the said schedule has put the onus on Independent Directors to satisfy themselves with financial control and risk management are robust and defensible.
As per SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015:-
Regulation 17(8),CEO& CFO shall provide compliance certificate specifying effectiveness of internal controls for listed entity; significant changes have been indicated to auditors and audit committee; Deficiency in design and operation of internal controls which they are aware and steps for rectification of such deficiency.
Case Laws
K. M. Venkateswaran v. Securities and Exchange Board of India APPEAL NOS. 347, 350 TO 352 OF 2004 dated December 8, 2005
“The failure to observe the prescribed procedure led to a big hole in the internal compliance of the company which allowed certain individuals to resort to fraudulent activities. It is also the duty and responsibility of the directors of the company to ensure that proper systems and controls are in place and to monitor the efficacy of such systems and controls. Failure to do so will obviously render them liable to the charge of negligence. [Para 8]”
Tri-Sure India Ltd. v. A.F. Fergusan& Co. [1987] 61 Comp. Cas. 548 (Bom.)
“The first step is ………………The plan should be based on a knowledge of the client’s business and should cover, among other things, (a) acquiring knowledge of the client’s accounting system, policies and internal control procedures; (b) establishing the expected degree of reliance on internal control;……….
The second step is to ascertain the accounting system and internal controls provided by the management. The management is responsible for maintaining an adequate accounting system incorporating various internal controls to the extent appropriate to the size and nature of the business. The auditor should gain an understanding of the accounting system and related internal controls and where the auditor concludes that he can rely on certain internal controls, the substantive procedures would normally be less extensive than would otherwise be required and may have also to differ as to the nature and timing. …………………. An effective internal control system provides for the communication of the delegation of authority and the scope of responsibilities. It should be so designed as to preclude an individual from overriding the control system and should provide for segregation of incompatible functions.
The next stage is known as selective verification or compliance procedure. After being satisfied that the internal controls are adequate and function effectively throughout the period, the auditor selects certain transactions for verification.”
Scope of IFC
The definition as asserted in the Act for IFC has broader coverage as it states:“policies and procedures adopted by the company………” Thus the IFC not only covers financial statements but also non-financial information as well.The scope of IFC would include:
i. Pursuant to provision of Sec 134(5) (n) which states it is the responsibility of the Board to implement the Risk management policy and identify therein the elements of risk. Thus designing a process of identification and evaluation of risks would be under purview of IFC.
ii. Department wise ledger accounts that would sum up in the Financial Statement.
iii. The Entities have business in multiple locations and those location which are significant in respect of various factors.
iv. The Business Processes that manages transactions which have a significant impact on the entity.
v. Key material transaction that has an immense impact on the balance of accounts. The Material Transactions could be interpreted as those transaction which would generate considerable income for the Company. However considering just income as an aspect for materiality would not be equitable, thus determination of what would be material should be made after discussions between key managerial persons and the auditors.
As per Standards of Auditing (SA)240,the auditors responsibility for obtaining reasonable assurance that the financials statement are free from material misstatements whether caused by fraud or error. Thusauditor review of entities shall be inclusive of control activities relevant to such risks.
Why stress on Controls?
Implementation of IFCwould swell the compliance and audit cost however the benefits could outweigh the cost. Since the Act, dictates significant direction of Corporate Governance inciatives, key amendments in the Act gave governance direction to the Company as a whole. The Internal Control will enhance the efficacy of provisions of the Act.
Responsibility on Audit Committee
Since the responsibility for overseeing the internal control systems & audit has been delegated to the Audit Committee. Thus the members of the Audit Committee shall holistically consider all information brought forth to its attention from all the sources inclusive of assessment of IFC by internal and external audit information. In addition to this, as per Standards of Auditing (SA) 260 the auditors shall appraise the Audit Committee in relation to audit of Financial Statements which would be inclusive of Internal Control.
Regaining Investors Confidence
Reliable financial reporting assist various entities in regaining the Investors confidence. As discussed earlier the aftermath of Satyam plightwhich left stock markets beleaguered. Having an internal financial control would help the entities to save the cost that they would incur in winning back the public confidence.
Management Effectiveness and Awareness
Reporting of effective internal control as a part of mandatory requirement assures the reliability of financial reporting.IFC would help in involvement of employees among various levels of organization and developing awareness about needs of these controls.
Assessment of Controls
Under COSO framework, internal control consist of components like Control Environment, RiskAssessment,Controls Activities, Information &Communication,and Monitoring. The effective working of these controls is a key for an entity to achieve its mission, strategies and business objectives. The assessment of these components is essential for effective functioning of internal control.
The CEO and CFO are entrusted responsibility in assessing and evaluating control procedure that are established and implemented within entity. Self-Assessment can be used for ascertaining the effectiveness of internal controls. Since self-assessment includes self-audit, participation of entities employees would rather be more apt as they are more intimate to the operations and risk involved.
Assessment can be initiated by determining current scenario and examining the existing internal control and annual review can be performed on implementation and effectiveness of internal controls.
The entities practicing the technique of self-assessment shall be documented which will enable the CEO, CFO and employees participating to:
- Identify Risk and areas of Risk
- Assessing controls that would reduce those identified risk
- Devising an Action Plan and framing controls that would minimize risk
- Ascertaining the likelihood of achieving the goals of organization
It must be noted that assessment of internal control is not a single but ongoing process. The persons responsible shall be engaged with the possibility of improving the operations of internal controls.
Illustration:
|
Sr. No |
Factors for Assessment |
Stronger Controls criterion |
Weaker Control criterion |
Assessment |
|||
|
Strong-Weak* |
|||||||
|
1 |
2 |
3 |
4 |
||||
|
1. |
Entities Policy and Procedure |
All policies and procedures are available and been implemented accordingly |
Policy and procedures are not available or are rarely used |
||||
|
2. |
Key controls effectiveness |
Management routinely checks transactions /records and ensures the expectations are met |
Management never performs checks on key controls |
||||
|
3. |
Accounting policies |
Accounting policies are defined and adopted .Policies are being effectively communicated |
Accounting policies are impromptu and not properly communicated |
||||
(*- Here self-assessment can be produced and rated accordingly, where 1 depicts Stronger controls, 2 depicts Moderate Controls, 3 depicts Weak Controls , 4depicts Weakest controls, the strength of controls would be less effective as per the score of assessment post 1)
Limitations of Controls
Regardless of the system of Internal Controls is designed and implemented, it is not a full proof mechanism and an assured tool for achieving the objective,however, it may provide a reasonable assurance on certain issues. The limitation of the internal controls listed as under:-
- Human error cannot be ruled out , the interpretation of the findings and their implementation can be wrong
- Evading controls as a result of an agreement between two or more persons
- The procedure set out by management could be neglected and limitation of resources
Thus Internal Control can only provide information to management regarding the progress of the entity or lack of progress on achieving goals. The progress of effective Internal Controls would depend on the management of the Company, an entity with poor management cannot do well.
Another factor to be considering for implementation and evaluation of internal controls is cost. The challengefaced here is to find a right balance. Implementation of excessive control would be costly and counterproductive. On other hand too little control would spearhead high level of risk.
Conclusion
Impetus on effective Controls has been articulated in response to numerous high profile corporate and accounting scandals of well established companies in India. Furthermore it is stated that company may showcase upward earning due to frequent and prompt reporting of internal controls. Every key managerial personnel should be alert for new and changing risks at all times. When management takes the time to find out if controls are being implemented as designed, a message is sent to all employees that internal controls are important.
Reference:
- Companies Act 2013
- The Sarbanes–Oxley Act of 2002
- Standards of Accounting issued by ICAI
Shri Kumar Mangalam Birla Committee Report on Corporate Go
CAclubindia
