(UNDER SECTION 143(3)(i) OF THE COMPANIES ACT 2013)
(To be read with Guidance Note on IFC dated 29th August 2015)
Present Scenario in India:
Internal Financial Controls are not new to audit and the auditing community. Before the advent of the new Companies Act 2013, SEBI had its own take on Internal Financial Control, at least in the case of listed companies. According to Part C of Schedule II (item 11) of SEBI Regulation (Listing obligation & Regulatory requirement) 2015 (earlier under Sub-clause III.D of Clause 49 of the Equity Listing Agreement), the role of the Audit Committee includes, inter alia, evaluation of Internal Financial Controls and Risk Management Systems.
On top of that, the CEO and CFO are to certify to the Board of Directors that they accept the responsibility for establishing and maintaining internal controls for financial reporting and that they have evaluated the effectiveness of the internal control systems of the company relating to financial reporting.
The CARO, even in its earlier dispensation under the Companies (Auditor's Report) Order, 2003, vide clause 4(iv), requires: “is there an adequate internal control procedure commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods? Whether there is a continuing failure to correct major weaknesses in internal control”. The new CARO under Section 143(11) also toes the same line in its approach to internal controls in these specific areas.
The new CARO 2016 under Section 143(11) has deleted the requirement to report on internal control for an obvious reason, namely the reporting requirement on IFC under Sec. 143(3)(i) of the Act 2013; as a result, the difference between the two is not highlighted.
The above chart distinctly refers to the sections of the Companies Act that deal with Internal Financial Control, the Standards on Auditing and SEBI Regulation (Listing obligation & Regulatory requirement) 2015 (previously Clause 49 on Corporate Governance), with their assigned roles on Internal Financial Control as indicated in the opening paragraph.
Responsibility of the Board as to 'Internal Financial Control' and its reporting under the Companies Act, 2013:
Internal Financial Controls are mentioned in the Companies Act in five places, so that this great call of the time can be implemented and accomplished efficiently, including the one expected of the audit report under Section 143(3)(i) of the Companies Act 2013.
- In section 134(5)(e) of the Act, which deals with the Directors' Responsibility Statement vis-à-vis their responsibility, in the case of a listed company, to lay down internal financial controls to be followed by the company and to state that such internal financial controls are adequate and were operating effectively.
- Directors' Report under Rule 8(4) & (5) under Chapter IX.
- In section 177(4)(vii) of the Act, that deals with Audit Committee vis-à-vis evaluation of internal financial controls and risk management systems;
- In Item II (4) on 'Role and functions' of Schedule IV of the Act, which deals with the CODE for INDEPENDENT DIRECTORS vis-à-vis their duty to satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible;
- Section 143(3)(i) of the Companies Act, which deals with the Auditors' Report on whether the company has adequate internal financial controls in place and the operating effectiveness of such controls.
Expanded scope of Internal Financial Controls under the New Act:
The Companies Act 2013 (“the Act”) has significantly expanded the scope of internal controls to be considered by the management of companies to cover all aspects of the operations of the company, as against Section 217(2AA) of the Companies Act, 1956, which required the Directors of a company to specifically state in the Directors' Responsibility Statement that they have taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of the (1956) Act, for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.
Besides, as spelt out earlier, the Companies Act, 2013 specifically requires under Clause (i) of Sub-section 3 of Section 143 that auditors should report:
“Whether the company has adequate internal financial controls in place and operating effectiveness of such controls?”
The CARO, even in its earlier dispensation under the Companies (Auditor's Report) Order, 2003, vide clause 4(iv), requires: “is there an adequate internal control procedure commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods? Whether there is a continuing failure to correct major weaknesses in internal control”. The new CARO 2016 under Section 143(11), as has been spelt out earlier, has deleted this requirement to report, for an obvious reason.
In this connection, it is relevant to know what internal financial control is.
A reference to the explanation under section 134(5)(e) will bring out what internal financial control is. To quote, it runs as follows:
“For the purposes of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information”
But this explanation is emphatic that it is applicable only to this particular clause of the section. It cannot be a full-fledged definition because of the caveat that the meaning is given for the purposes of this specific clause, and hence it does not have the reach of a general definition.
Then, what is the difference? A meaning is what the term is to you and me individually. A glance through the above explanation highlights, among other things, that it says only what the term 'means', as distinct from giving a 'Definition'. A definition, on the other hand, is 'the words we use to describe it'. When a definition is standardized for uniform application, it is unvarying. In other words, meaning is individualistic, while a definition is a defining moment for all to follow religiously and consistently to eschew misunderstanding.
Besides, there is a caveat in the said explanation that substantiates the validity of the above argument: the explanation is only for the purpose of this clause, that is, Sec. 134(5)(e). On this, it speaks clearly and without ambiguity. Therefore, the above explanation may not be applicable wholesale to the auditors for the purpose of reporting under section 143(3)(i) of the Act, especially as to ensuring the orderly and efficient conduct of its business.
Auditors Reporting Responsibility on IFC:
Further, the Companies Act, 2013 is conspicuously silent on the definition of Internal Financial Controls in Section 2, which deals with definitions. In the absence of any definition of internal financial controls in the Act, one naturally has to fall back upon the relevant SAs to understand and unknot the obligation to report on whether the company has an adequate internal financial controls system in place and on the operating effectiveness of such controls.
But SA 315, too, defines Internal Control and is not specific on Internal Financial Controls. Its definition of internal control is: “The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”
Since the Audit Report is based on section 143(3)(i) of the Act, which is specifically on Internal Financial Controls over Financial Reporting, the ICAI has found it relevant to take on the responsibility of introducing a specific Para on 'Meaning of Internal Financial Controls Over Financial Reporting' for the proper understanding of stakeholders. Accordingly, the term 'internal financial controls', wherever used in this Guidance Note in the context of the responsibility of the auditor for reporting on such controls under Section 143(3)(i) of the Act, per se implies and relates to internal financial controls over financial reporting. For this purpose, “internal financial controls over financial reporting” shall mean:
“A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies and procedures that
(i) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(ii) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and
(iii) Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”
“The auditor's opinion therefore does not assure, for example, the future viability of the entity nor the efficiency or effectiveness with which management has conducted the affairs of the entity. (Emphasis added)” (Para 24 GN)
The next question that arises is whether this reporting on internal financial control under section 143 is applicable to all companies, listed and unlisted.
A visit to section 143(3)(i) of the Act makes it very clear that it does not restrict the reporting on internal financial control to any set of companies. But under Section 134(5)(e), it is the directors of a listed company (including perhaps a debt-listed one) who have to state in the Directors' Responsibility Statement that they had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Then, what about companies other than listed companies?
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors' report of all companies to state the details in respect of adequacy of IFC with reference to the “financial statements”.
Clause (vii) of Sub-section 4 of Section 177 of the Act states that every audit committee shall act in accordance with the terms of reference specified in writing by the board which shall, inter alia, include “evaluation of internal financial controls and risk management systems”. Further, Sub-section 5 of Section 177 provides that the audit committee may call for the comments of the auditors about internal control systems, including the observations of the auditors, and may also discuss any related issues with the internal and statutory auditors and the management of the company.
Again, as per section 143(3) (i), the report should be on all the companies.
Therefore, this guidance also applies for reporting on internal financial controls in respect of unlisted companies and small companies and one person companies as defined in the Companies Act, 2013, more so because of concentration of ownership and management in a small number of individuals where qualitative reports are to be necessarily exercised.
What is the specified date for reporting on the adequacy and operating effectiveness of IFC system over financial reporting?
The reporting by the auditor on IFC under Section 143(3)(i) does not specify whether the auditor's report should state if such IFC existed and operated effectively during the period under reporting of the financial statements or as at the balance sheet date.
Attention is invited to paragraph (k) of Clause 57 of the Statement on the Companies (Auditor's Report) Order, 2003 issued by the Institute of Chartered Accountants of India on the auditor's responsibility for reporting on internal control and continuing failure in the internal control under CARO. The said paragraph states that “The auditor, while commenting on the clause, makes an assessment whether the major weakness noted by him has been corrected by the management as at the balance sheet date. If the auditor is of the opinion that the weakness has not been corrected, then the auditor should report the fact while commenting upon the clause” (Para 40 of GN).
Thus, when forming the opinion, the auditor should test the internal controls during the financial year under audit and not just the internal controls as at the balance sheet date, though the extent of testing at or near the balance sheet date may be higher.
The auditor should report if the company has adequate internal control systems in place and whether they were operating effectively as at the balance sheet date.
What is the applicability or otherwise in case of interim financial statements?
Reporting on internal financial controls will not be applicable with respect to interim financial statements unless such reporting is required under any other law or regulation (Para 42 GN).
What is Auditors' responsibility for reporting on internal financial controls in case of consolidated financial statements? (Para 46 & 47 of GN)
Section 129(4) of the 2013 Act states that the provisions of the 2013 Act applicable to the preparation, adoption and audit of the financial statements of a holding company shall, mutatis mutandis, apply to the consolidated financial statements.
As such, on a strict reading of the aforesaid provision in the 2013 Act, it appears that the auditor will be required to report under Section 143(3)(i) of the 2013 Act on the adequacy and operating effectiveness of the internal financial controls over financial reporting, even in the case of consolidated financial statements.
In the case of components included in the consolidated financial statements of the parent company, reporting on the adequacy and operating effectiveness of internal financial controls over financial reporting would apply for the respective components only if it is a company under the 2013 Act. Accordingly, in line with the approach adopted in case of reporting on the consolidated financial statements on the clauses of section 143(3) and reporting on the Companies (Auditor's Report) Order, 2015 notified under section 143(11) of the 2013 Act, the reporting on adequacy and operating effectiveness of internal financial controls would also be on the basis of the reports on section 143(3)(i) as submitted by the statutory auditors of components that are Indian companies under the Act. The auditors of the parent company should apply the concept of materiality and professional judgment as provided in the Standards on Auditing and this Guidance Note while reporting under section 143(3)(i) on the matters relating to internal financial controls over financial reporting that are reported by the component auditors.
WHETHER SEPARATE AUDIT REPORT ON INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING IS REQUIRED/MANDATED? (Refer Paragraphs 157-164 of GN on IFC) APPENDIX III
Section 143(3)(i) forms part of the Audit Report. Sub-section 3 of Section 143 deals with what the Auditors' Report shall state. Therefore, the section does not mandate any separate report on Internal Financial Controls over Financial Reporting. But, considering the importance and the enormity of the work involved in forming an opinion on Internal Financial Controls over Financial Reporting, the ICAI, in its guidelines on Audit of Internal Financial Controls over Financial Reporting, has also suggested a separate report, perhaps as an addendum to the main report. The structure of the Audit Report on Internal Financial Controls over Financial Reporting is by and large fashioned on the structure of the main audit report: Independence of the Audit Report, a separate paragraph on Management Responsibility, identification of management's framework on internal financial control, Auditors' Responsibility, a statement that the audit was conducted in accordance with the Guidance Note and SAs to the extent and as applicable, etc. The contents of the audit report are necessarily tailor-made to Internal Financial Controls over Financial Reporting. Apart from the main structure of the separate audit report, Illustrative Reports on Internal Financial Controls over Financial Reporting covering the opinion portion (Unmodified/Qualified/Disclaimer/Adverse) are extensively dealt with in the Guidance Note, which may be referred to.
WHETHER SEPARATE ENGAGEMENT LETTER IS THE CALL OF THE GUIDANCE NOTE ON IFC? (Refer to Paragraph 75 on Planning the Audit – APPENDIX I)
The auditor may issue a combined engagement letter for reporting on financial statements and reporting on internal financial controls, or a separate engagement letter for each, as per the GN. As has been spelt out in the earlier paragraph, though the reporting has been included as part of sub-section 3 of section 143 of the Act, because of the enormity of the work involved in reporting on adequate internal financial controls in place and the operating effectiveness of such controls, it is an exercise by itself warranting a separate engagement letter, vide Para 75 of the Guidance Note and the illustrative Engagement Letter on 'Agreeing the terms of audit engagement for the audit of internal financial controls'. A cursory study of the illustrative engagement letter (Refer Appendix I of the GN) will highlight the scope, among other things: determining the acceptability of the internal financial controls framework, limitation on scope prior to audit engagement acceptance, agreement on audit engagement terms, and the form and content of the audit engagement letter.
The moot point in drafting a separate engagement letter for section 143(3)(i) of the Act on Internal Financial Controls over Financial Reporting is that the audit of the internal financial controls over financial reporting is to be conducted:
- In accordance with the relevant provisions of the Companies Act 2013, to be read with the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (“the Guidance Note”), and
- The Standards on Auditing issued by the Institute of Chartered Accountants of India (ICAI) and deemed to be prescribed by the Central Government in accordance with Section 143(9&10) of the 2013 Act, to the extent applicable to an audit of internal financial controls over financial reporting.
- Appendix 1 on Internal Control Components of SA 315 on 'Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment'
- Guide to Internal Controls over Financial Reporting - Internal Audit Control Board – Standard on Internal Audit (SIA)
Criteria for Internal Financial Controls over Financial Reporting
To state whether a set of financial statements presents a true and fair view, it is essential to benchmark and check the financial statements for compliance with the financial reporting framework. The Accounting Standards specified under the Companies Act, 1956 (which are deemed to be applicable as per Section 133 of the 2013 Act, read with Rule 7 of the Companies (Accounts) Rules, 2014) are one of the criteria constituting the financial reporting framework based on which companies prepare and present their financial statements and against which the auditors evaluate whether the financial statements present a true and fair view of the state of affairs and operations of the company in an audit of the financial statements carried out under the 2013 Act. Similarly, a benchmark internal control system, based on suitable criteria, is essential to enable the management and auditors to assess and state the adequacy of and compliance with the system of internal control. In the Indian context, for example, Appendix 1 “Internal Control Components” of SA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment”, provides the necessary criteria for internal financial controls over financial reporting for companies.
WHETHER A SEPARATE MANAGEMENT REPRESENTATION LETTER IS REQUIRED FOR MATTERS RELATING TO AUDIT OF INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING? (APPENDIX II OF GN, Paragraphs 150-152)
Appendix II of the Guidance Note deals with the illustrative management representation letter. This draft management representation letter is prepared in consonance with paragraphs 150-152 of the Guidance Note on obtaining written representations. The draft engagement letter and management representation letter for internal financial controls over financial reporting may be gone through (Appendix I & II of the Guidance Note).
In the Indian context, the Committee on Internal Audit of the Institute of Chartered Accountants of India (ICAI) (now the Internal Audit Standards Board) has issued a Guide to Internal Controls over Financial Reporting. This Guide, read with Appendix 1 “Internal Control Components” of SA 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment” (Refer Section III of this Guidance Note), could also provide the necessary framework for companies. The aforesaid Guide to Internal Controls over Financial Reporting is currently under revision by the ICAI.
Illustrative Risks of Material Misstatement, Related Control Objectives and Control Activities Appendixes (Referred to in paragraphs 77 and 100) SA 315
This appendix has been developed to provide guidance and examples to assist in identifying risks of material misstatement at the assertion level and relevant controls that may address the applicable risks of material misstatement. For each class of transactions and account balance, risks of material misstatement and relevant controls are divided into two categories: “Core Risks and Controls,” which may be applicable for normal risks of material misstatement on most entities, and “Other Possible Risks and Controls,” which may or may not be applicable.
An illustrative list of Risks of Material Misstatement - Control Objectives - Control Activities and illustrative work paper templates for testing controls have been provided in a CD along with this Guidance Note, and may be referred to, for the following account balances and processes:
- Cash/Bank Balances
- Prepaid Expenses
- Fixed Assets
- Goodwill and Intangible Assets
- Trade payables
- Provision for expenses
- Employee Benefits
- Income Taxes
- Deferred Taxes
- Provision for Income taxes/Advance Income taxes
- Share Capital
- Revenue from Operations
- Cost of Sales
- Depreciation/ Amortisation and Other Expenses
- Finance Cost
- Journal Entries
- Financial Reporting.
Role of Internal Audit (Standard on Internal Audit (SIA) 5 - Sampling - Appendix VI, with reference to IG 14):
Therefore, we may have to rope in the internal audit also to determine the adequacy and operating effectiveness of the internal financial controls on financial reporting. Appendix VI deals with the above standard issued by the Council of the Institute of Chartered Accountants of India. These Standards should be read in conjunction with the Preface to the Standards on Internal Audit, issued by the Institute. In terms of the decision of the Council of the Institute of Chartered Accountants of India taken at its 260th meeting held in June 2006, the following Standard on Internal Audit shall be recommendatory in nature in the initial period. The Standards shall become mandatory from such date as notified by the Council.
The purpose of this Standard on Internal Audit (SIA) is to establish standards on the design and selection of an audit sample and provide guidance on the use of audit sampling in internal audit engagements. The SIA also deals with the evaluation of the sample results. This SIA applies equally to both statistical and non-statistical sampling methods. Either method, when properly applied, can provide sufficient appropriate audit evidence. When using either statistical or non-statistical sampling methods, the internal auditor should design and select an audit sample, perform audit procedures thereon, and evaluate sample results so as to provide sufficient appropriate audit evidence to meet the objectives of the internal audit engagement unless otherwise specified by the client.
Since it would be difficult to deal with the SIA in an article on IFC without making it unduly lengthy, readers are requested to visit the SIA for comprehensive understanding of the Standard in the context of IFC over financial reporting.
The first and foremost duty of auditors with regard to Internal Financial Controls over Financial Reporting is to examine and be satisfied with the framework set in place, as declared in the Directors' Responsibility Statement and as vetted by the Audit Committee and independent directors, and thereafter to give suggestions, if required, for improving the controls. For each area of the financial statements, the management is expected to put in place process and implementation controls. For example, in the case of inventory, it should keep process controls right from requisitions from production departments to purchase departments. At the point of initiating a purchase, the purchase department should ensure: the minimum quantity available; terms for inviting quotations with well-set conditions to ensure quality and quantity controls; that tenders, at least above a particular value, are invited in sealed covers; that tenders are opened in the presence of purchase committee members and participants to ensure confidentiality; in the case of new or non-repeated items, whether a technical review has been gone through; whether cost is calculated as per the relevant standards; whether material is received in good condition; and whether there is any insurance to cover risks. Process and implementation controls are considered in much the same way for all items of the financial statements. A checklist of internal controls is to be installed for each area so that adequacy of controls is ensured in all respects. Besides, as spelt out earlier, the GAAP adopted and compliance with Accounting Standards, Standards on Auditing and other legal and regulatory requirements are to be properly monitored to eschew anything untoward.
The internal control frameworks generally provide for three categories of objectives, which allow organisations to focus on differing aspects of internal control:
a) Operations Objectives - These pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.
b) Reporting Objectives - These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognised standard setters, or the entity's policies.
c) Compliance Objectives - These pertain to adherence to laws and regulations to which the entity is subject.
Components of Internal Control:
Appendix I to SA 315 explains the five components of internal control that are essential in any control environment, as they relate to a financial statement audit.
The five components are:
(i) Control environment, which covers:
a. Communication and enforcement of integrity and ethical values.
b. Commitment to competence-knowledge and competence to accomplish.
c. Participation by those charged with governance.
d. Management's philosophy and operating style.
e. Organisational structure.
f. Assignment of authority and responsibility.
g. Human resource policies and practices
(ii) Entity's risk assessment process:
a. Changes in operating environment
b. New personnel
c. New or revamped information systems.
d. Rapid growth.
e. New technology.
f. New business models, products, or activities.
g. Corporate restructurings.
h. Expanded foreign operations
i. New accounting pronouncements.
(iii) Control activities:
- Performance reviews
- Information processing
- Physical controls
- Segregation of duties.
(iv) Information system and communication:
a. Identify and record all valid transactions.
b. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
c. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
d. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
e. Present properly the transactions and related disclosures in the financial statements.
(v) Monitoring of controls:
Monitoring of the various areas of processes and operations, as they concern controls, by different levels of management in different departments.
TECHNICAL GUIDANCE ON AUDIT OF INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING is copiously dealt with in Section IV of the Guidance Note.
The section copiously deals with, inter alia, Planning the Audit, Role of Risk assessment, Customising the Audit, Addressing the Risk of Fraud, Using the Work of Others (Refer IG 18), Materiality, Using a Top-down Approach, Identifying Entity-level Controls (Refer IG 5, IG 19.7, IG 19.8, 19.15 & 19.20), Identifying significant accounts and disclosures and their relevant assertions, Understanding likely sources of misstatement, Selecting controls to test, Testing controls-testing design effectiveness (Refer IG 11 and IG 12), Testing controls-testing operating effectiveness (Refer IG 13), Relationship of risk to the evidence to be obtained, Special considerations for subsequent years' audits (Refer IG 16 and IG 20), Evaluating identified deficiencies, Indicators of Material Weakness, Subsequent Events, Obtaining Written Representations, Forming an Opinion (Refer IG 20), Reporting on Internal Financial Controls over Financial Reporting, Audit Report, Audit Documentation, Considerations for Joint Audits and Branch Audits, and Considerations for using this Guidance for Internal Financial Controls Assessments on behalf of Company's Management. These areas are to be examined with the help of the Implementation Guide in Section V of the GN.
Implementation Guidance (IG) In Section V of the Guidance Note:
There are 21 IGs, with sub-IGs, in all in the Guidance Note. It is advisable to prepare Risk Based Audit Programme forms to address the points dealt with in the respective IGs so that nothing is left unaddressed in addressing IFCs. In fact, most audit firms have their own Risk Based Audit Programme forms that may be suitably revised to the demands and needs of the IGs so illustrated in list of Risks of Material Misstatement - Control Objectives - Control Activities and illustrative work paper templates for testing controls have been
The Companies Act does not spell out or specify any particular framework to be followed while establishing an Internal Financial Control system, but the Guidance Note does. Therefore, the first and foremost duty of auditors with regard to Internal Financial Controls over Financial Reporting is to examine and be satisfied that the framework set in place, as specified in the Guidance Note and as declared in the Directors' Responsibility Statement and vetted by the Audit Committee and independent directors, is foolproof, infallible and watertight. To achieve that, a checklist of internal controls is to be installed for each area so that adequacy of controls is ensured in all respects. Besides, as spelt out earlier, the GAAP adopted and compliance with Accounting Standards, Standards on Auditing and other legal and regulatory requirements are to be properly monitored to eschew anything untoward.