Internal Financial Controls - Practical approach in evaluating a Control

In continuity to my earlier article on Internal Financial Control (IFC), in current article we delve on the aspect of “Auditors Role” and take one practical example of evaluating the control which influences the “Financial Reporting” (FR). The journey begins with the ambiguity endowed by plain reading of Section 143(3)(i), and the rescue that we decipher from the “Guidance Note On IFC”.

Let us begin with contents of bare reading of Section 143(3)(i):

……143(3) The auditor’s report shall also state—

(i) whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls;

Mere bare reading as above may cause reader to interpret that the auditor has role to comment on “Internal Financial Control System”, and this makes the scope too wide since IFC could be applicable to “Financial Reporting, Operational Conduct and Compliance Management”. Here IFC Guidance Note comes for rescue, and below is the relevant extract of the Guidance Note.

Point 34 of Section II of IFC Guidance Note:

“……the term ‘internal financial controls’ wherever used in this Guidance Note in the context of the responsibility of the auditor for reporting on such controls under Section 143(3)(i) of the Act, per se implies and relates to “internal financial controls over financial reporting”

Based on joint reading of above two, viz 143(3)(i) and Point 34 of Section II of IFC Guidance Note, one may conclude that the scope of auditor is to comment on adequacy and operating effectiveness of “Internal Financial Control System” over “Financial Reporting”.Therefore all the work that an Auditor needs to do in context of his comment on IFC is restricted only to “IFC over FR”.

Next we embark on to know what all is to be included in “IFC” and for this we refer to Explanation to Section 134(5)(e) as reproduced below.

134(5)(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Explanation.—For the purposes of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information;

Based on above, the auditor’s role can be summarized as in below chart:

Thus at onset the Auditor needs to obtain from the reporting entity “Financial Reporting Framework”, and this shall comprise of “The Policies and Procedures” adopted by the entity, which delineates:

1. Periodicity at which “Financial Reporting” is being done,
2. Methodology adopted in generating and reporting of “Financial Statements”,
3. Established procedure that is adopted for generation of “Financial Statements”,
4. Listing of Primary and Secondary Controls for generation and reporting of Financial Information,
5. “Vulnerability – Risk – Mitigation” matrix for each control set.

Let us take an example of one of the critical activity in “Financial Reporting Framework”, which is say “Trial Balance Generation & Dissemination” and we walk through with the process that auditor will have to undergo. The objective before the auditor is to conclude on adequacy and operating effectiveness of controls that would influence this activity in the Financial Reporting. There could be several controls that are relevant to this activity, and for our example we refer to the  “Control That Ensures Completeness”. The auditor here needs to obtain sufficient and appropriate evidence that would substantiate on below referred points:

a. Are there listed numbers of users whose activity influences the completeness of Trial balances?

b. In case of multi locational organization, is there an established procedure that communicates to listed users the periodicity at which “Accounting Periods” will be closed and dates and timings of the period closure.

c. What is the process and system control for locking of the closed accounting period and opening of the new accounting period?

d. What is the system control for “Books Closure Activity”. Evidences that substantiate unique access control to predefined users for “Closure of Accounting Period”.

e. System Control to manage interface of “Material Management (MM) (Material Management) and Finance (FICO)(Financial Accounting & Controlling) (In ERP like SAP).

f. Controls that confirm, “Revenue – Cost” match. Say for example in pure trading concern, every entry for

• (i) Debtor Account Dr
• To Sales Account

Has to be followed by

• (ii) Cost Of Goods Sold Account Dr
• To Inventory Account

Thus what are the controls that ensure that entry (i) and (ii) both fall in one accounting period and never different accounting periods.

g. What are the controls that corroborate completeness and accuracy of Segmental Profitability viz a viz the profitability at organizational level.

Above is merely an indicative list and ideally the IFC framework should have a matrix that maps each of the control to relevant Risk/Vulnerability and the relevant mitigation measure.

The author here wishes to broach the readers to ponder over the aspect of the humongous amount of efforts needed in setting of an effective and efficient IFC. Further another point that emerge here is that if the IFC is rationally structured and documented, then this though would not reduce the tasks that auditor will have to execute but certainly would reduce the complexity of auditors activities.

The Author has practical exposure in IFC and Corporate Presence for 18 years and can be reached at rajeevj12@gmail.com