internal control over financial reporting control over financial report… · ifc & icfr –few...

Internal Control over Financial Reporting

Statutory Requirement

Auditors

• Section 143(3)

• Auditor’s Report tostate whether theCompany hasadequate internalfinancial controls inplace with referenceto financialstatements and theoperatingeffectiveness of suchcontrols.

Directors

• Section 134(5)(e)

• Listed Company –Directors Responsibility Statement to state whether the Company has laid down internal financial controls to be followed and that such internal financial controls are adequate and were operating effectively.

Audit Committee

• Section 177(4)

• Evaluate the internal financial controlsand risk management systems

Independent Directors

• Section 149(8)

• Satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.

M.K. Dandeker & Co.,

IFC under the Companies Act, 2013

The policies and procedures adopted by the Company for ensuring:

▪ Orderly and efficient conduct of its business, including adherenceto company’s policies,

▪ Safeguarding of its assets,

▪ Prevention and detection of frauds and errors,

▪ Accuracy and completeness of the accounting records, and

▪ Timely preparation of reliable financial information;


What is ICFR


o A subset of IFC

o ICFR comprises of:

▪ Controls on maintenance of financial books

▪ Controls on preparation of financial statements

▪ Controls over unauthorized or fraudulent access over or use of

company’s assets

▪ Authorization controls over financial flows of receipts and payments

o Concerned with those controls, the failure of which exposes the financial

reporting to a risk of material misstatement and not those controls that create

a risk of business loss, non – financial fraud in terms of information leakage,

non – adherence to quality control check.

Spectrum of IFC


IFC

Anti – Fraud ControlsICFR

Operational Controls

Why ICFR

Fairly reflect all financial

transaction

All transactions are recorded in

accordance with applicable

policies, directives and

standards

Transactions are carried out in accordance with delegated

authorities

Financial resources are safeguarded

against material loss due to waste, mismanagement,

error, fraud, omission


Key Concepts / Definition

Process

Action of taking transaction or event through an established andusually a routine set of procedures or steps

Control

An action or activity taken to prevent or detect misstatement withinprocess

Example

Process – Receipt of purchase order and entry as sales order in thesystem by sales staff

Control – Verification and approval of sales order by head of salesdepartment


Key Concepts / Definition

Design EffectivenessThe right person, using the right informationto make the right decision in a timely manner,to mitigate identified key risks

Operating Effectiveness The consistent application, without exception, of an effectively designed control


Overview of Controls

Entity level

Process level

Levels of control

• Segregation of duties

• Authorization• Application

controls

• Review• Reconciliation

• Physical Verification

Manual

Automated

Preventive

Detective


IFC & ICFR – Few Examples


o Expired Fire Extinguisher in the Warehouse - IFC

o Periodical physical verification of Stock - ICFR

o Compliance with AS 2 – Inventory Valuation - ICFR

o Annual Maintenance Contract for Fixed Asset - IFC

o Periodical physical verification of Fixed Asset - ICFR

o Code of Conduct – Entity Level Control

o Periodical internal meeting where Senior Management team insists on theimportance of ethical behaviour and intolerance to unethical behaviour – EntityLevel Control

o Rigor around performance measures, incentives and rewards to driveaccountability for performance – Entity Level Control

o Whistle Blower policy – Entity Level Control

IFC & ICFR – Few Examples


o Segregation of duties – ICFR / Entity Level Control

o Validation of cash register of a shift by the next shift cashier - ICFR

o Authorisation of purchase by purchase manager and approval of payment byFinance Manager - ICFR

o Surprise physical verification of cash - ICFR

o Multiple level of approval for Bank payments - ICFR

o Joint custody of cash - ICFR

o CFO and Finance Director review the quarterly and financial statement andrelated disclosures. – Entity Level Control

Audit of ICFR – Broad Steps

Planning & Scoping

Design & Implementation

Operating Effectiveness

Final Conclusion & Reporting


Internal Control over Financial Reporting

Entity Level Controls

IT General Controls

Transaction Level Controls


ICFR – Approach

o Top – down, risk based approach to identify and understand the relevant controls.

o Check for the “tone at the top” of the organization

o i.e. Start with Entity – level Controls

Why Entity level Controls:

o Efficiency and effectiveness of the internal control and risk identificationstrategy is equally important

o Benefits from leveraging effective ELC:

▪ Reduce the extent of reliance on transaction level controls▪ Increase the effectiveness of internal controls through leveraging senior

and experienced personnel▪ Better define and communicate the expectations of management across

the organisation (i.e. tone at the top)▪ Reduce redundancy in controls performed across the organisation at

different levels




Entity level control is based on COSO Framework guidelines

5 Components of COSO Framework:

o Control related to control environment

o Risk Assessment

o Control Activities

o Information & Communication

o Monitoring Activities

Entity Level Controls – Control Environment


o Integrity and Ethical Values

o Commitment to Competence

o Board of Directors and Audit Committee

o Management’s philosophy and Operating Style

o Organisational Structure

o Assignment of Authority and Responsibility

o Human Resource Policies and Procedures

Entity Level Controls – Risk Assessment


o Specifies relevant objectives with sufficient clarity to enable identification of risks

o Identifies and assess risk

o Considers the potential for fraud in assessing risk

o Identifies and assesses significant change that could impact system of internal control

Entity Level Controls – Control Activities


o Selects and develops control activities

o Selects and develops general control over technology

o Deploys through policies and procedures

Entity Level Controls – Information & Communication, Monitoring


Information and Communication:

o Quality of Information

o Effectiveness of Communication

Monitoring:

o Ongoing Monitoring

o Separate Evaluations

o Reporting Deficiencies

Transaction Level Controls


o Work backward from the end objective, which in this case is the financial statement

o Step 1 – Identify the significant accounts

o Step 2 – Associate the significant business processes

o Step 3 – Perform a detailed risk assessment

o Significant accounts balance is a matter of judgement of Auditors

o Assess the materiality of the underlying account results, and assess the inherent risks related to each account

o Follow risk based approach

Example: Risk of completeness is greater for liabilities for liabilities based accounts than asset accounts

Key consideration in Controls

Performs the control? Does this person have the requisiteknowledge / authority?Who

Is generated to prove that this control was performed?What

Is this control performed? Is it frequent enough to prevent /detect and correct the risk?When

Is the evidence of control performed retained? For how long?It is accessible for audit?Where

Is this control being performed? What type of errors should beprevented or detected?Why

Is this control being performed? What activities are included?Can these activities be bypassed? Can the bypass be detected?How are issues resolved, once identified, and in whattimeframe? Is this fast enough to mitigate the risk?How


Accounts Balance Assertions

• An item is disclosed, classified anddescribed in accordance with theapplicable financial reporting framework

Presentation & Disclosure

• An asset or liability exists at a given dateExistence

• An asset or a liability pertains to theentity at a given dateRights and Obligations

• There are no unrecorded assets,liabilities, transactions or events orundisclosed items

Completeness

• An asset or liability is recorded at anappropriate carrying valueValuation


Accounts Balance Assertions – Inventory Balance

Inventory recognized in the balance sheet exists at the periodend

Existence

Inventory units should have been recorded have beenrecognized in the financial statement. Any inventory held bya third party on behalf of the entity has been included in theinventory balance

Completeness

Entity owns or controls the inventory recognized in the financial statement. Inventory held on behalf of another entity has not been recognized as part of inventory of the entity.

Rights & Obligations

Inventory has been recognized at the lower of cost or net realizable value in accordance with AS 2. Any abnormal wastage has been excluded from the cost of inventory. Acceptable valuation basis has been used to value cost such as FIFO, Weighted average

Valuation


Transaction Assertions

• Recorded transactions and events haveoccurred and pertain to the entityOccurrence

• All transactions and events that shouldhave been recorded have been recordedCompleteness

• Amounts and other data have beenrecorded accuratelyAccuracy

• Transactions and events have beenrecorded in the correct accounting periodCutoff

• Transactions and events have beenrecorded in the proper accountsClassification


Transaction Assertions – Payroll Cost

• Expenses have been incurred during the period in respectof the personnel employed by the entity and does notinclude the cost of any unauthorized personnel

Occurrence

• Payroll cost in respect of all personnel have been fully accounted forCompleteness

• Payroll cost has been calculated accurately. Any adjustments such as tax deduction at source have been correctly reconciled and accounted for.

Accuracy

• Payroll cost recognized during the period relates to the current accounting period. Any accrued and prepaid expenses have been accounted for correctly in the financial statements

Cut - off

• Allocation between operating, general & administration expenses are fairClassification


Presentation & Disclosure Assertions

• Disclosed events, transactions haveoccurred and pertain to the entityOccurrence

• All disclosures that should have beenincluded have been includedCompleteness

• Financial information is appropriatelypresented and described and disclosuresare clearly expressed

Classification and Understandability

• Financial and other information aredisclosed fairly and at appropriateamounts

Accuracy and Valuation


Presentation and Disclosures Assertion - RPT

• Transactions with related party disclosed in the Notes toFinancial Statement have occurred during the period andrelate to the entity.Occurrence

• All related parties, related party transactions have been identified and disclosed in the notes to financial statement.

Completeness

• Nature of related party transactions, balances and events has been clearly disclosed so that users can easily ascertain their financial effect

Classification and Understandability

• Related party transactions, balances and events have been disclosed accurately at their appropriate amounts.Accuracy &

Valuation


IT General Controls


o Protects data integrity and is a significant component of an organization’s ICFR.

o Improve the consistency of control operations

o Improve the security (confidentiality, integrity and availability) of corporateinformation

o Reduce the extent of testing and reliance on manual transaction – level controls

o Improve reliability of manual controls dependent on IT information

IT General Controls


IT General Controls broadly encompasses:

o User Management

o Logical Access Controls

o Change and Incident Management

o Database Management

o Software acquisition and maintenance

o Install and accredit system

o Network Security

Not all IT Controls impact financial statements directly. Absence of those controlaffect timely availability of reliable financial information

Execution Strategy


Testing Design Effectiveness


o Perform and document walkthroughs to understand the design of existing IFCSystem

o Document process and application controls

o Identify What could go wrong

o Focus on segregation of duties

o Review strength of IT General Controls

o Prepare Risk Control Matrix with control description, owner, frequency, controlevidence

o Perform and document walkthroughs

o Identify controls into Manual, Automated, IT dependent, Preventive or Detective.

o Prioritize control gaps into Material and non – Material

Testing Operating Effectiveness


o Design testing methodology including the sample size

o Identify the Information produced by Entity (IPE) for the controls to be tested

o Test samples are not selected basis the materiality instead it is selected basis thefrequency of appearance of the transaction (daily, weekly, monthly, quarterly,annually)

o Timing of testing

o Document testing results

o Prioritize testing gaps into Material and non – material

o Identify mitigation / compensating controls for material gaps

Assessment and Reporting


o Evaluate severity of each control deficiency

o Communicate to Management and those charged with Governance of all materialweaknesses and significant deficiencies

o Inquire about subsequent events

o Form an Opinion on the Internal Control over Financial Reporting

Significant deficiency and Material weakness


o A deficiency (or combination of deficiencies) that is less severe than a materialweakness, yet important to merit attention of the Audit Committee or thosecharged with Governance – Significant deficiency

o A deficiency (or combination of deficiencies), such that there is a reasonablepossibility that a material misstatement of the entity’s annual financialstatements will not be prevented or detected on a timely basis – MaterialWeakness

o Evaluate the severity of each control deficiency to determine whetherindividually or in the aggregate it is a material weakness

o Severity of a deficiency does not depend on whether a material misstatementactually has occurred but rather on whether there is a reasonable possibility thatthe company’s controls will fail to prevent or detect a misstatement

Thank You

M. K. Dandeker & Co.,Chartered Accountants


internal control over financial reporting control over financial report… · ifc & icfr –few...

Documents