The Companies Act, 2013 (the '2013 Act') has imposed specific responsibilities for a company's internal financial controls on the Board of Directors ('Board'), the Audit Committee, as well as the auditors. It requires the stakeholders to specifically state that internal financial controls are adequate and are operating effectively. Consequent to the formal responsibility introduced under the 2013 Act, the role of the Audit Committee in the oversight of internal control has become increasingly critical. Although the primary focus of Audit Committees may be on IFCFR, now, more than ever, they are taking the lead in overseeing controls pertaining to compliance and operational matters. Expectations of the Audit Committee's role have expanded due to enhanced company and external auditor reporting requirements, along with an increased focus on compliance by regulators.
Let us review the role of an audit committee and the applicability of the audit committee provisions under the Companies Act, 2013 to understand its importance in Corporate Governance and its role in Internal Financial Control.
Audit committee (Section 177 Rule 6 & 7)
The audit committee is one of the major operating committees of a company's Board of Directors and is in charge of overseeing financial reporting and disclosures. The requirements relating to the audit committee were first introduced by the Companies (Amendment) Act, 2000. Audit committees are a measure for ensuring self-discipline, constituted with the object of strengthening and overseeing management in public companies and of ensuring that the board of directors discharge their functions effectively. The audit committee is considered to be one of the main pillars of the Corporate Governance of a public company. The Companies Act, 2013 acknowledges the importance of an audit committee and entrusts it with additional roles and responsibilities. Section 177 of the Companies Act, 2013 ('the Act') read with Rules 6 and 7 of the Companies (Meetings of Board and its Powers) Rules, 2014 ('the Rules') deals with the Audit Committee.
The Audit Committee is the cornerstone of corporate governance. The applicability of the audit committee has been widened and its scope has also increased as compared to the erstwhile Act.
Section 177(1) of the Act read with Rule 6 sets forth the requirement of constitution of an audit committee for:
- all listed companies; and
- all public companies
  - with a paid-up capital of Rs.10 Crores or more;
  - having turnover of Rs.100 Crores or more;
  - having in aggregate, outstanding loans or borrowings or debentures or deposits exceeding Rs.50 Crores or more.
[The paid-up share capital or turnover or outstanding loans, or borrowings or debentures or deposits, as the case may be, as existing on the date of last audited Financial Statements shall be taken into account for the purposes of this rule.]
One of the primary purposes of the audit committee is to provide oversight of the financial reporting process, the company's system of internal controls and compliance with laws and regulations. The audit committee can expect to review significant accounting and reporting issues and recent professional and regulatory pronouncements to understand the potential impact on financial statements. An understanding of how management develops internal interim financial information is necessary to assess whether reports are complete and accurate.
The committee reviews the results of an audit with management and external auditors, including matters required to be communicated to the committee under generally accepted auditing standards. Controls over financial reporting, information technology security and operational matters fall under the purview of the committee.
Internal Financial control and Role of Audit Committee
The Companies Act, 2013 provides a formal structure to the Internal Financial Controls (which were also prevalent earlier) for ensuring orderly and efficient conduct of business, safeguarding the company's assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records and timely preparation of reliable information. It emphasizes the role of the board—and, by delegation or regulation, the role of the audit committee—in overseeing internal control, which remains an essential aspect of effective governance. In particular, the highlights are:
- The board's role in the control environment, including clarification of expectations for integrity and ethics, conflicts of interest, adherence to codes of conduct, and other matters
- The board's assessment of the risk that management could override internal controls and careful consideration of the possibility that management may override such controls
- The establishment and maintenance of open lines of communication between management and the board and the provision of separate lines of communication.
Section 177(4)(vii) of the Companies Act, 2013 requires the audit committee to evaluate internal financial controls and risk management systems. Section 177(5) gives the Audit Committee the power to call for the comments of the auditors on internal control systems, the scope of audit, and their observations on internal control systems and financial statements before submission of the same to the Board.
Role of audit committee in overseeing cyber risk
It is often challenging for even the most tech-savvy business leaders to keep up with the scope and pace of developments related to big data, social media, cloud computing, IT implementations, cyber risk, and other technology matters. These developments carry a complex set of risks, the most serious of which can compromise sensitive information and significantly disrupt business processes. Cyber risk is often at the top of the agenda for management and boards at companies of all sizes and industries. The pervasiveness of cyber risk significantly increases concerns about financial information; internal controls; and a wide variety of risks, including the reputational risks that can result from a cyber incident. Oversight of a successful cyber risk management program requires proactive engagement and is most frequently the responsibility of the full board. In some organizations, a level of oversight may be delegated to a risk committee or the audit committee.
For those audit committees charged with this oversight, engaging in regular dialogue with the chief information officer, chief information security officer, and other technology-focused leaders can help the committee determine where attention should be focused. Although cyber risk is frequently on the full board's agenda, audit committees are increasingly receiving regular updates from relevant technology leaders, with some technology risk-related topic on almost every meeting agenda. The audit committee chairman can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding cyber and financial risk mitigation.
The audit committee plays a very important role in the Corporate Governance process. It is responsible for providing oversight over the organisation's audit and other areas involving financial management. This group serves a key role in helping the board fulfil its fiduciary responsibilities in overseeing the organisation's finances. The Audit Committee is one of the stakeholders on whose shoulders the responsibility for Internal Financial Control lies. The Audit Committee has to be vibrant and vigilant about the recent changes taking place and their effects on the internal control of the company.