- orderly and efficient conduct of business, including adherence to company's policies,
- safeguarding of its assets,
- prevention and detection of frauds and errors,
- accuracy and completeness of the accounting records, and
- timely preparation of reliable financial information.
The Act places increased responsibility and accountability on the Board of Directors, Audit Committee, Senior Management and Independent Auditors. Companies should adopt a comprehensive risk management program: Enterprise Risk Management (ERM).
The primary objective of IFC is to identify opportunities for improvement and to draw up recommendations and good practices that companies can use as a benchmark to develop or strengthen their internal control systems and enhance the reliability of their financial statements.
- Efficiency and effectiveness in operations
- Prevention and detection of fraud and error
- Safeguarding of assets
- Accuracy and completeness of accounting records
- Reliability of Financial Reporting
Internal Control = Internal Control over financial reporting + Operational control reporting + Fraud prevention reporting
- Assess the current state of internal controls
- Embrace a widely acceptable framework or guidelines
- Set the right tone at the top i.e. those charged with governance
- Ascertain organizational risks which have a financial impact
- Define the Control Objectives and Control Activities to mitigate the risk
- Ongoing continuous monitoring of the functioning of controls
- Obtain independent assurance on the effectiveness of the internal controls i.e. Independent Auditors
By placing more accountability and responsibility on the Board and Audit Committee with respect to internal financial controls, the 2013 Act is attempting to align the corporate governance and financial reporting standards with global best practices. With adequate and effective internal financial controls, some of the benefits that the companies would experience include:
- Senior Management Accountability
- Improved controls over financial reporting process
- Improved investor confidence in entity's operations and financial reporting process
- Promotes culture of openness and transparency within the entity
- Trickling down of accountability to operational management
- Improvements in Board, Audit Committee and senior management engagement in financial reporting and financial controls
- More accurate, reliable financial statements
- Making audits more comprehensive
Internal financial controls are also important because they help derive value in the form of:
- Fresh independent look at key business processes
- Identification of potential operating process opportunities
- Updated formal, centralized, and managed internal financial controls documentation for the company
- Enhanced support to CEO/CFO certifications
- Enhanced control environment, thereby mitigating risk
- Better understanding of inherent and residual control risks in internal controls
- Helps in business process redesigning to plug revenue leakages & cost containment opportunities
- Helps in rationalizing the number of controls across organization - moving to smart and automated controls
- Helps in standardizing policies and procedures for multi-location/ multi-business companies
- Fosters a control conscious work culture for people behind controls
- Provides assurance to the CEO/ CFO as well as improves business performance
- In some instances, also serves as a base for a blueprint of optimal procedures while thinking about ERP.
Section 134: In the case of a listed company, the Directors' Responsibility Statement states that the directors have laid down IFC to be followed by the company and that such controls are adequate and operating effectively.
Section 143: The auditor's report should also state whether the company has an adequate IFC system in place and the operating effectiveness of such controls.
Section 177: Audit committee may call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.
Schedule IV: The independent directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014: The director's report should contain details in respect of adequacy of internal financial controls with reference to the financial reporting.
A. Company Management
Create & test the framework of internal controls
- IFC (including operational & Compliance)
- Controls documentation
- Focus on internal controls to the extent these relate to financial reporting (ICFR)
- Responsibility limited to evaluation of "Financial Reporting Controls"
C. Audit Committee /Independent Director
- Would like to see a robust framework that is aligned to acceptable standards
- Review & question the basis of your controls design and ongoing assessment
D. Board of Directors
- Would rely on the assessments and view of the audit committee
- They may ask for additional information
Under section 143(3)(i) of the Act, an auditor of a company is required to state in his/her audit report whether the company has an adequate Internal Financial Controls (IFC) system in place and the operating effectiveness of such controls. Explanation to Section 134(5)(e) of the Act defines IFC to include policies and procedures adopted by the company for ensuring orderly and efficient conduct of its business, accuracy and completeness of the accounting records, and timely preparation of reliable financial information.
As per the Guidance Note, "Internal Financial Controls Over Financial Reporting" (ICFR) shall mean:
"A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles". A company's internal financial control over financial reporting includes those policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
Internal Control Over Financial Reporting = Maintenance of financial records (details & accuracy) + Authorization of transactions + Safeguarding of assets of the Company
An overview of the revised Guidance Note issued by the ICAI is as follows:
Section 134(5)(e) of the Act (which deals with the directors' responsibility statement) requires directors of listed companies to state whether they had laid down IFC to be followed by the company and that such IFC are adequate and were operating effectively.
Section 133 of the Act, read with Rule 7 of the Companies (Accounts) Rules, 2014.
This responsibility also includes -
- Maintenance of adequate accounting records in accordance with the provisions of the Act for safeguarding of the assets of the Company and for preventing and detecting frauds and other irregularities
- Selection and application of appropriate accounting policies
- Making judgments and estimates that are reasonable and prudent
- And design, implementation and maintenance of adequate internal financial controls, that were operating effectively for ensuring the accuracy and completeness of the accounting records, relevant to the preparation and presentation of the financial statements that give a true and fair view and are free from material misstatement, whether due to fraud or error.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 (Rules) requires the Board's report of every company to state the details in respect of adequacy of IFC with reference to the financial statements.
Though not specifically mentioned, the Guidance Note appears to suggest that for:
Listed Companies: The directors' responsibility statement to state that IFC are adequate and operating effectively. The Board's report to state the adequacy of IFC with respect to financial statements.
Other Companies: The Board's report to state adequacy of IFC with respect to financial statements.
The auditor's objective in an audit of IFC - FR (which is generally carried out along with an audit of financial statements) is to express an opinion on the adequacy and operating effectiveness of the company's IFC - FR. A company's internal financial control cannot be considered effective if one or more material weaknesses exist.
Globally too, the auditor's reporting on internal controls is done together with the reporting on financial statements, and the internal controls reported upon relate only to internal controls over financial reporting.
To truly unlock the value that can be achieved by adopting the internal financial controls, management should take a step back and evaluate how it is addressing the risks to its organization in light of the company's size, complexity, global reach, and risk profile. In companies' implementation of the internal financial controls, there is a difference between doing the minimum and doing the right thing to effectively address the requirements. Companies that choose to do the right thing will unlock the value, reduce fraud risk, avoid financial reporting surprises, and support sustained business performance over the long term.