Indian Compliance of Internal Controls over Financial Controlling in the Indian Perspective
Towards regaining public confidence
In 2009, investor confidence in India collapsed, with the share price falling from Rs. 300 to Rs. 10 per share. The money invested was systematically wiped out and withdrawn over a number of years by the management of Satyam, which also falsified its accounts. Satyam had betrayed the trust and belief of its investors. This dealt a severe blow to the accountability and transparency of accounts and internal controls in India.
Incidentally, the same problem was highlighted when Enron, WorldCom and other such scams surfaced publicly worldwide.
It is evident that there is a growing need to protect the public's interest in companies. The money invested by shareholders needs to be well protected from misuse and must be used solely for the objectives laid down by the company. Apart from investors, various other parties rely on the efficient performance of companies. They include regulators, bankers, vendors, customers, suppliers etc.
The Government, as a regulator, has an implied responsibility to protect the interest of the public. It has come up with stringent regulations for all types of business entities that run on public money. To quote a few examples, we have the Companies Act 2013, SEBI Act, Clause 49, Multi state co-operative society act etc. Time and again, the Government updates the regulations and enforces compliance through its regulators, which include SEBI, MCA, RBI etc.
In the USA, which is known for its benchmark regulations, the Sarbanes-Oxley Act of 2002 was enacted as a reaction to the Enron and WorldCom scandals and other notable scams. The following major sections are enforced on companies of US origin –
1. Section 302 – Disclosure of Controls
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared."
2. Section 404 – Assessment of Internal Controls
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This includes documenting and testing the important manual and automated financial controls deployed in the company.
Under the Indian scenario, we have the Companies Act revised in the year 2013. This act was revised as a response to the Satyam Scam and to prevent further financial losses. Under the new Companies Act 2013, the following sections pertain to ICFR –
1. Section 134 – Directors' Statement of Internal Controls being adequate and operating effectively
Clause (e) of Sub-section 5 of Section 134 of the Act requires the directors’ responsibility statement to state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.”
2. Section 143 – Auditor’s assessment on the operating effectiveness of Internal Controls
The Companies Act, 2013 specifies the auditor’s reporting on internal financial controls only in the context of audit of financial statements. Consistent with the practice prevailing internationally, the term ‘internal financial controls’ stated in Clause (i) of Sub-section 3 of Section 143 would relate to ‘internal financial controls over financial reporting’.
Considering the above, the auditor needs to obtain reasonable assurance to state whether an adequate internal controls system was maintained and whether such internal financial controls system operated effectively in the company in all material respects with respect to financial reporting only.
A company's internal financial control over financial reporting includes those policies and procedures that –
i. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
ii. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and
iii. Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.
Thus the Companies Act has created a new challenge for management: to design and implement internal controls over the business processes of the company. It has created an even more difficult task for the auditor: testing the design and operating effectiveness of the implemented controls and checking whether the deployed controls are sufficient and adequate against the risks present in the company’s business environment.
Management thus has the following responsibilities –
1. Identify and Evaluate the risk present in the business environment
2. Design a control
3. Implement the control
4. Monitor the control
5. Design compensating controls where a preventive control cannot be implemented.
Management would refer to internal control frameworks such as the COSO (Company of Sponsoring Organisations) Internal Control Framework, COBIT 5 (Control Objectives in Information and Related Technology), ISO Standards etc. for guidance on implementing the controls.
It is crucial to note that the controls need to be deployed uniformly across all business units of the company. Each control has to be documented and reviewed periodically by management. Internal control can be broken into the following components –
a. Control Environment – It refers to the company’s entire business environment.
b. Risk Assessment – It refers to identification and assessment of the risks present in the environment. This is performed to decide the design of the control.
c. Control Activities – A control objective is a statement which emphasises the extent to which the control is to be achieved. A control objective is set after assessing the level of risk that is present in the control environment. Control activities may take the form of policies, procedures and organisation structure that are developed and implemented in the company. A set of control activities is mapped to one control objective.
d. Information System and Communication – It refers to the IT Controls that have to be implemented in the system. IT Controls can be broadly classified into IT Application controls and IT General Controls.
IT Application Controls vary depending on the applications that the enterprise has installed for its revenue generation. Application software is the software that processes business transactions. It could be a retail banking system, an inventory system or possibly an integrated ERP. Controls that relate to business applications, lead to judicious use of the application, and are enforced on the end user through the application itself are called IT Application Controls.
IT General Controls are those controls, other than IT Application Controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and are therefore applicable to all applications. These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
e. Monitoring Activities – These refer to the controls deployed by management to monitor the regular activities that are performed using the controls. Usually this is done through periodic reviews initiated by the Compliance team and audited by the internal audit team.
Management would be able to comply with Section 134, if they are successful in designing, implementing and monitoring the internal controls against the identified risks.
The Auditor would have the following responsibilities –
Financial reporting is like singing a song of success for any organisation. Just as we see a transition from complex classical music to modern music, there has been a steady change from Historical Reporting to Responsible Reporting. Effective presentation of the results makes a difference to the decision making of diverse groups of end users who are spread across geographies. This makes financial reporting a very challenging and complex exercise.
Because of Section 143, Responsible Reporting now requires the auditor to provide an opinion on the financial statements and, additionally, an opinion on the operating effectiveness of the internal controls in place in the company. Operating effectiveness refers to the effectiveness of the actual performance of the control in the business environment.
Thus the auditor has now become accountable for both the financial statements and the internal controls. Penalties would be levied on the auditor by the regulators if he has not fulfilled his responsibility of gaining assurance on the effectiveness of the controls.
The Institute of Chartered Accountants of India has come out with a Guidance note for auditors which provides guidance towards their responsibility for Internal Financial controls over financial reporting. This guidance note suggests the following methodology that can be followed by the auditor.
Picture adopted from the ICAI Guidance Note for compliance for ICFR released in 2014. Courtesy: ICAI
In addition to the above mentioned approach, the auditor will have to ensure that he performs the following tasks–
a. Perform design effectiveness testing of every control that is deployed in every business process, business application and general application.
b. He would have to obtain sufficient and adequate evidence to substantiate his report in accordance with SA 500. Evidence would include raw system logs, screenshots, tickets, raw files, policy documents, organisation charts etc.
c. He would have to test the controls and document the results as part of his work-papers in accordance with SA 230 (Audit Documentation).
d. His documentation should include testing lead sheets which would provide the following details –
i. Test Date
ii. Risk, Control Objective and Control Activities and Control Number
iii. Details of the entity which is being audited.
iv. Details of evidence provided and the person who provided the evidence
v. Completeness check details
vi. Evaluation of design effectiveness. Design simply refers to a documented blueprint of a control. The documentation includes the control objective and the risks being addressed, the control activities, control owner etc.
vii. Evaluation of Operating effectiveness.
viii. Population details and Sampling Methodology.
ix. Testing Summary of the chosen samples and references to the supporting work-papers created as evidence.
If the auditor relies on the work of the internal auditor or another auditor in accordance with SA 610/600, he would have to provide his opinion on the quality of testing performed by the internal auditor or the other auditor.
Thus the ultimate test of Internal Controls is performed here. Based on the inquiries, findings and observations, an auditor would be able to provide sufficient assurance on whether the incorporated controls are adequate and ensure that there is no harmful effect on the figures presented in the financial statements.
A good chartered accountant loves good challenges, which also mean good money, and the big bonus has come in the form of the Companies Act 2013. It is only the number that sounds unlucky; it is nothing but a bag of new riverside opportunities. One such opportunity for the Chartered Accountant is the service he can render to ensure that the company stays compliant with the regulatory requirements on Internal Controls over Financial Reporting, and thus he will be able to restore, cultivate and protect the confidence of the investors and other stakeholders of the company.
Bharath Rao B