The new Companies Act requires auditors to also opine on whether a company has an adequate Internal Financial Control (IFC) system in place and whether such controls are operating effectively. This is in addition to the existing audit opinion on financial statements. The concept is new to India and has thrown up many challenges for the members.
The topic that we are going to deliberate upon is internal financial controls and how to derive real business value from these controls. What all of us need to decide is whether the internal financial controls introduced are to be followed as a mere compliance exercise, which would be just a tick in the box, or treated as something that is really going to add to the business.
Firstly, let's discuss the basic elements: what are internal financial controls, and what does the term really mean? The primary objective behind introducing internal financial controls is to identify opportunities for improvement, to draw up a benchmark to develop or strengthen the internal control systems, and to enhance the reliability of financial statements.
Other benefits of Internal Financial Controls are:
Strategic - High-level goals and objectives, aligned with and supporting the mission.
Operational - Effective and efficient use of resources.
Reporting - Integrity and reliability of reporting.
Compliance - Compliance with applicable laws and regulations.
Stewardship - Protection and conservation of assets.
INTERNAL CONTROLS ARE EVERYWHERE:
You exercise internal control principles in your personal life when you:
Lock your house when you leave.
Keep copies of important papers in your safe box.
Keep your ATM/debit card PIN number secret.
To whom does this apply?
The guidance notes clarify that reporting on ICFR by auditors will be applicable to both listed and unlisted companies, including small and one person companies. This is in line with the requirements of section 143(3)(i) of the Companies Act, 2013. Furthermore, the guidance states that the auditor will have to report on IFC in respect of both standalone and consolidated financial statements.
The approach of the new Companies Act is one of self-governance, and in case of non-governance, stringent penalties are provided in the Act. Management should therefore be cautious, as non-compliance may lead to:
Monetary penalty of up to 25 Lakhs.
Imprisonment up to 3 years.
Auditors Quantification.
New IFC Compliance Requirements - What's changed?
If we go back and see what the institute's guidance notes say, the revised guidance note issued in September 2015 very categorically re-clarifies the term internal financial controls, as against the term internal financial control over financial reporting being used earlier.
Earlier we had clause 49 of the guidance note issued by ICAI already defining the term internal controls over financial reporting as: a process designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Now there is a different term referred to in the Companies Act, internal financial controls, which takes a more holistic view and focuses more upon the financial aspects of our operating activities, i.e. 10-15% of the key operating controls that are critical to business growth have to be included in internal financial controls. The other dimension to be noted is that earlier the clause 49 requirements were largely for the CFOs and CEOs to ensure that there is adequate financial control over financial reporting by way of CFO certification.
Now that responsibility has been completely cast on the Board of Directors. While the responsibility has been shifted, a lot of accountability has come up to the Board of Directors level and has been made a part of the directors' responsibility statement for listed companies. And we have seen that the moment a responsibility becomes a part of the directors' responsibility statement, the spectrum changes to a whole new level.
We often get to hear about the word 'framework':
Why do we need a framework? Weren't controls enough? There has to be a benchmark to say whether an entity is working fairly or not; that is where the importance of a framework comes in. The 2013 framework has a codification of 17 principles that support five components. The 17 principles are fundamental concepts implicit in the 1992 framework.
The five components reclassified in the 2013 COSO framework are defined as follows:
These are the foundation for all other standards of internal control and have a pervasive influence on all the decisions and activities of an organization. Some effective organizations set a positive 'tone at the top'.
Factors of soft controls are: management philosophy, organizational structure, communication, and competency of employees.
Risks are internal & external events that threaten the accomplishment of objectives. Risk assessment is the process of identifying, evaluating, and deciding how to manage these events. What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk? Have any of you been through a risk assessment with Internal Audit or an outside party?
CONTROL ACTIVITIES are the tools (policies, procedures, processes) designed and implemented to help ensure that management directives are carried out throughout the organization, at all levels, and in all functions. They include training, approvals, authorizations, verifications, reconciliations, security of assets, reviews of operating performance, and segregation of duties.
INFORMATION & COMMUNICATIONS: Effective information and communication systems enable the organization's people to exchange the information needed to conduct, manage, and control its operations. Pertinent information must be captured, identified and communicated on a timely basis.
Internal control systems must be monitored to assess their effectiveness. Are the controls operating as intended? Ongoing monitoring is necessary to react dynamically to changing conditions. Have controls become outdated, redundant, or obsolete? Periodic testing can be done by the process owner, internal audit and external audit.
The 2013 COSO framework is meant to be applied to all companies. This does not mean that we have to completely borrow what COSO is saying, but it is important to draw upon relevant references from its elements. Coming back to my very first point: is this something that should really add to business value, or is it just a compliance exercise that amounts to tick-in-the-box documentation and its demonstration to statutory auditors?
To achieve business value, the following simple illustrative methods can be followed:
Separation of duties
Divide responsibilities between different employees such that no one individual has absolute control over all aspects of a transaction, thus reducing the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
Documentation
Maintain documents and preserve evidence to substantiate each significant transaction, critical decision and significant event, typically those involving the use, commitment, or transfer of resources. This enables a transaction to be traced from its inception to completion, since documentation sets forth the fundamental principles and methods that employees rely on to do their jobs.
Authorization & approvals
Create an organization structure in which each one documents and communicates the activities which require approval, and by whom, based on the level of risk to the organization. Ensure that transactions are approved and executed only by employees acting within the scope of the authority granted to them by management.
Security of assets
Restrict access to equipment, cash, inventory, confidential information, etc., to reduce the risk of loss or unauthorized use. Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
Reconciliation & review
Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance. Ensure the frequency is adequate to detect and act upon questionable activities in a timely manner.
Every action is littered with costs and consequences:
Consequences of ineffective IFCs:
If an auditor concludes that internal controls are not effective, the following would be the consequences:
The auditor's report will include a qualified opinion, not merely for internal control but also under section 143(3)(f) of the Act, as the non-existence of appropriate internal control can also have an adverse effect on the functioning of the Company. It can be safely concluded that non-existence of internal control would imply that the existence of fraud cannot be effectively monitored and the financial statements would lack credibility. Credit rating agencies will take it negatively, and it may also affect the negotiation power of the entity with borrowers.
Here is an illustrative list of operating controls:
Human resources: Job descriptions should exist, at least for key positions, and be understood.
Procurement: There must be a formal process of demand forecasting and supply planning, with clear departmental service levels.
Sales: Sales orders are tracked and analysed regularly.
Production: Input-output ratios are defined, measured and monitored periodically.
Inventory: A procedure for physical verification at regular intervals must be designed and the inventory levels should be fixed.
Beware of the pitfalls: more is not always better, and controls must be maintainable. Think about the things that worry you in your job and try to think of how internal controls could help alleviate your worry. In middle cast, forward-thinking companies are already using the framework and internal auditors are using it to build awareness around internal control best practices. With this trend, there is no excuse not to use it and benefit from it!