INTERNAL CONTROLS OVER FINANCIAL REPORTING ICFR CA SAMEER KARYEKAR COMPANY LAW REFRESHER COURSE (10 TH & 17 TH MAY 2019) PUNE BRANCH OF WIRC

Post on 16-Jun-2020

Page 1: INTERNAL CONTROLS OVER FINANCIAL …...ICFR Definition or this purpose, “internal financial controls over financial eporting” shall mean “A process designed to provide easonableassuranceregardingthe:

INTERNAL CONTROLS OVER FINANCIAL REPORTING

ICFR

‐ CA SAMEER KARYEKAR

COMPANY LAW REFRESHER COURSE (10TH & 17TH MAY 2019)

PUNE BRANCH OF WIRC

Page 2

AGENDA

Quick Revision
• Applicability
• Important aspects of Guidance Note
• IFC / ICFR Process

Processes Typically Covered

Practical Scenarios / Challenges

Process of Forming an Opinion

Exhibits

Page 3

APPLICABILITYementCompanies013

Public Listed Co.

Public Un‐listed
‐ Paid up Share Capital >= 10 Cr
‐ Turnover >= 100 Cr. (Audit Committee)
‐ Loans, Borrowing in aggregate >= 50 Cr. (S. 139(2)‐Rule 6)

Pvt. Ltd. Cos.

Directors Responsibility Statement. [S.134]

Auditor Report ]

√ √ √ Audit Committee ]

√ √ Independent Directors [Sch. IV]

√ √ Accounts Rules (5)(viii)

√ √

Page 4

IFC / ICFR ‐ Exemption

Notification No. G.S.R. 583(E) dated 13th June, 2017

Section 143(3)(i) of the Companies Act 2013 shall not be applicable for those audit reports issued after 13th June 2017 of private limited companies, one‐person companies (OPC) which:
– has annual turnover of less than Rs 50 Crores or
– has aggregate borrowings of less than 25 Crores from banks, financial institutions or body corporate at any time during the financial year

Page 5

Consequences [Company]

Section 134 (8) If a company contravenes the provisions of this section: ‐ the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty‐five lakh rupees and every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.

Page 6

Consequences [Auditors]

Section 147 (2): If an auditor of a company contravenes any of the provisions of section 139, section 143, section 144 or section 145, the auditor shall be: ‐ punishable with fine which shall not be less than twenty‐five thousand rupees but which may extend to five lakh rupees:

Provided that if an auditor has contravened such provisions knowingly or wilfully with the intention to deceive the company or its shareholders or creditors or tax authorities, he shall be punishable with imprisonment for a term which may extend to one year and with fine which shall not be less than one lakh rupees but which may extend to twenty‐five lakh rupees.

Page 7

Consequences [Auditors]

Section 147 (3) Where an auditor has been convicted under sub‐section (2), he shall be liable to—
(i) refund the remuneration received by him to the company; and
(ii) pay for damages to the company, statutory bodies or authorities or to any other persons for loss arising out of incorrect or misleading statements of particulars made in his audit report.

Page 8

ICAI Guidance

Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (Sep‐2015, 218 pages)

Implementation Guide on Audit of Internal Financial Controls over Financial Reporting with Specific Reference to Smaller, Less Complex Companies (SLC‐Guidance) (Aug‐2016, 67 Pages) (should be read in conjunction with the aforesaid Guidance Note)

Page 9

ICFR Definition

For this purpose, “internal financial controls over financial reporting” shall mean “A process designed to provide reasonable assurance regarding the: ‐ reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.

A company's internal financial control over financial reporting includes those policies and procedures that (i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

Page 10

ICFR Definition …. Contd.

(ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

(iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”

Page 11

IMPORTANT ASPECTS OF GUIDANCE NOTE

(15th Sept. 2015)

ON

AUDIT OF

INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING

(ICFR)

Page 12

IMPORTANT ASPECTS

A material weakness in internal financial controls may exist even when the financial statements are not materially misstated.

S. 143 does not specify whether the auditor's report should state that such internal financial controls existed and operated effectively during the period under reporting of the financial statements or as at the balance sheet date.

Guidance Note prescribes Balance Sheet Date.

New CARO has no Internal Control clause.

Section 129(4) of the 2013 Co. Act: All Subsidiaries (of a Company) will be covered

ICFR not applicable to Interim reporting, unless required by any other law or regulation.

Page 13

ICFR PROCESS

other major ounts  or sclosure  apping to r processes

Walkthrough & Process Document

RCM Test of Controls

Page 14

PROCESS – IN DETAIL

ESS IFICATION

DESIGN REVIEW CONTROLS IDENTIFICATION

OPERATIONAL EFFECTIVENESS

CONCLUSIONS

ntification on ality

major ures

ed Process ication 

RISK‐What can go wrong?

Likelihood‐Is it likely to happen?

Impact‐What will happen if it does?

Identification of Controls mitigating risks

Identification of Key controls

Control Pass / Failure Strategy & agreement

Define Sampling Strategy

Testing of Sample

Remediation plan testing

Testing documentation

Final RCM

Failed Controls Identification

Failed Controls Risk Rating

hrough  & Process harts

RISKs IDENTIFICATION

Risk and Control Matrix (RCM)

Sample Strategy

Testing Template (TT)

‐ Failed Controls Reporting
‐ Overall

Page 15

Challenges

How to assess whether all controls in a process are covered?
– SA‐315 / COSO / ICQs / Experience (reference)

How to identify test attributes to ensure control is effective?
– Break down the control into smaller parts (TOC exhibit)

Standard method to grade the failure into Low, Medium and High
– Professional Judgement (covered in later slides)

How to define sample size
– Guidance note is very clear (GN)

Page 16

Processes Typically Covered2 3

re to Pay  & Creditors Journal Entry Entity Level Controls(Budget,  Business Reviews, Ethics, Appraisals, Authority Matrix, ERM, Audits, Whistle blower, MIS, ), 

to Receipt & Debtors Expenses Provisioning(Employee Benefits, Bonus, warranty, Deferred Tax, IT/MAT)

ll (Per Diem, TDS)

& Settlements

Taxes Reconciliations (DT, IDT)

IPE (Information Produced by Entity)

Assets & Depreciation

(Cut offs, Books re, AS Compliance, , Notes, CFS, olidation)

Inventory (Physical, cost roll ups, write offs)

ITGC  (User management, Change management, logs, passwords, custom software, backup, DRP, BCP, Infra‐Security)

Consumption Statutory Compliance

Page 17

Scenarios / Challenges

O Documents

Testing done by external party not management

Operational – Financial classification

Subsidiaries not covered

No flow chart, only narratives given

No remediation plan / testing done

No documented evidence =? no control

Entity Level Control Process not documented

Page 18

…contd. ‐1

Scenarios / Challenges

Walkthroughs not documented

Signature / Authorization =? Control

E / supporting workings not present

Key Control / process / activity or not

Entity Level Authority Matrix not defined

Segregation of Duty (Licenses constraints) ‐ ITGC

Cut off procedures (Tally ERPs) ‐ ITGC

TOC – Key controls or All controls

Page 19

…contd. ‐2

Scenarios / Challenges

Controls exercised by Parent / HO

Exceptional instances are not control failure

Directors report v/s. Auditors report

All the activities not included in SOP

Materiality at Standalone or Consolidated level

Page 20

Forming an Opinion

A ‘deficiency’ in ICFR exists when design or operation of a control does not allow management or employees, in normal course of performing their assigned functions, to prevent or detect misstatements on timely basis.

A ‘Significant Deficiency’ is a deficiency or combination of deficiencies, in ICFR that is important enough to merit attention of those charged with governance since there is a reasonable possibility that a misstatement of company’s annual or interim FS will not be prevented or detected on timely basis.

A ‘Material Weakness’ is a deficiency or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim FS will not be prevented or detected on a timely basis.

Page 21

Deficiencies ‐ Exercise

– Inventory listing does not match with Inventory GLs. A JV is passed to ensure it matches and the physical inventory is verified quarterly but not documented properly.
– Absence of the entity level Delegation of Authority matrix. But ERP access rights are defined and operating.
– Three‐Way match in the ERP for purchase bills booked is not operational. ases.
– Access rights review not done for access to ERP, excess access rights

Deficiency? Significant? Weakness?

Page 22

Substantive Audit Procedures Plan

– Inventory listing does not match with Inventory GLs. A JV is passed to ensure it matches and the physical inventory is verified quarterly but not documented properly.
– Absence of the entity level Delegation of Authority matrix. But ERP access rights are defined and operating.
– Three‐Way match in the ERP for purchase bills booked is not operational. ases.
– Access rights review not done for access to ERP, excess access rights

Audit Risk Substantive Procedure/ Conclusions

Net Audit Risk

(Expected)

Physical verification

Modify IFC opinion

Obtain DOA for major areas and conduct testing

Select higher sample for verification 

of correctness

Analyze transactions by

Page 23

Deficiency Examples

Category of Deficiency / Examples

Significant deficiencies (design / operating)

– No Authority Matrix
– No SOPs for significant accounts / processes
– Inadequate ITGC / IPE testing
– Failure to perform reconciliations of significant accounts
– Cut off procedures not exercised
– Journal entries not authorized

Material Weaknesses

– Analytical procedures not conducted
– Internal Audit / Risk Assessments not done for a complex organization or scope is not adequate
– Identification of fraud
– Large number of rectification entries passed in inventory or other areas

Auditor will be issuing separate report for ICFR

Page 24

Exhibits

Process Document Template

Walkthrough Template (to prove process was discovered not documented based on interviews) Or Test of Design (TOD)

Risk Control Matrix (RCM)

Test of Control (TOC) document

Also refer ICAI templates

Page 25

Benefits as Seen by Clients

– Clarity of responsibility & authority, Transparency & accountability
– Standardization of controls across locations / entities
– Duplication of work identified
– Elimination of smaller inefficient controls and adding monitoring controls, automating controls
– Enhanced oversight & governance

Page 26

THANK YOU !!

CA Sameer Karyekar, Partner

M/s. P.G.BHAGWAT, CA

Page 27

Company Act 2013: Section 134(5) The Directors’ Responsibility Statement shall state that—

the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Explanation.—For the purposes of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information;

Page 28

Company Act 2013: Section 177

AUDIT COMMITTEE

Evaluation of Internal Financial Controls (IFC) by Audit Committee: ‐

(4) (vii) Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include,— evaluation of internal financial controls and risk management systems;

Rule 6 of Companies (Meetings of Board and its powers) Rules, 2014: Audit Committee is to be appointed by: ‐
– all public companies with a paid up capital of Rs.10 Crores or more;
– all public companies having turnover of Rs.100 Crores or more;
– all public companies having in aggregate outstanding loans or borrowings or

Page 29

Company Act 2013: Section 143 (3)

(3) The auditor’s report shall state—

(i) whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls;

The section has cast onerous responsibilities on the statutory auditors because reporting on internal financial controls is not covered under the Standards on Auditing issued by the ICAI and also because of the fact that no framework has been prescribed under the Companies Act, 2013 and the Rules thereunder for the evaluation of internal financial controls.

This was deferred earlier by 1 year; now applicable from the FY 2015‐16.

Page 30

Company Act 2013: Sch. IV

SCHEDULE IV

[See section 149(8)]

CODE FOR INDEPENDENT DIRECTORS

Role and functions:

independent directors shall:

(4) satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible;

Page 31

Board Report Contents

Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 – BOD Report

Rule 8: Matters to be included in Board’s report.‐ In addition to the information and details specified in sub‐rule (4), the report of the Board shall also contain ‐ (viii) the details in respect of adequacy of internal financial controls with reference to the Financial Statements.

Page 32

II. COSO FRAMEWORK (1992)

(Confederation of Sponsoring Organizations of Treadway Commission)

Controls are evaluated by us using the COSO Framework’s three dimensional criteria

Consists of three objectives:
– Effectiveness and Efficiency of Operations
– Reliability of Financial Reporting
– Compliance with Applicable laws and regulations

Consists of five objectives:
– Control Environment
– Risk Assessment
– Control Activities
– Information/Communication
– Monitoring

res an entity level focus and an activity level focus

[Figure: COSO cube. Components: Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment. Objectives: Operations, Financial Reporting, Compliance. Entity dimension: Unit A, Unit B, Activity 1, Activity 2, Activity 3.]

Page 33

Sampling ‐ ICFR

Appendix 4 to SIA 5 – Sampling

Frequency of Control Activity and Sample Size

Following guidance related to the frequency of the performance of control may be considered when
g the extent of tests of operating effectiveness of manual controls for which control deviations
expected to be found.

Internal auditor may determine the appropriate number of control occurrences to test based on following minimum sample size for the frequency of the control activity dependent on whether
ment has been made on a lower or higher risk of failure of the control.

Note: Although +1 is used to indicate that the period‐end control is tested, this does not mean that more frequent control operations the year‐end operation cannot be tested.