INTERNAL CONTROL OVER FINANCIAL REPORTING
(ICFR)
A HANDBOOK
FOR PRIVATE COMPANIES
AND
THEIR AUDITORS
An Initiative of the
Bombay Chartered Accountants’ Society
July 2016
PREFACE
The Companies Act, 2013 read with Companies (Accounts) Rules, 2014, requires all companies, irrespective of their size, ownership pattern, governance structure or nature of business activity, to comply with certain provisions related to Internal Financial Controls (IFC) and/or Internal Controls over Financial Reporting (ICFR). The governance requirements laid down for listed companies have evolved over time and encompass several specific requirements introduced over a span of 10-15 years, such as composition of the Board of Directors, the need for independent directors, establishment of an Audit Committee, formal mandate and structure of the Audit Committee, quarterly closures and financial disclosures, formal risk management framework, CEO/CFO certification, and so forth. The recent requirement relating to Internal Financial Controls (IFC) is thus incremental in nature and in line with the past changes in corporate governance norms for these listed companies.

Unlike listed companies and certain large companies, most of the smaller private companies do not have an elaborate management structure comprising independent directors on the Board, a formal Audit Committee or, in many cases, even a designated CEO or CFO. The managements of these companies are not required to have a formal risk management framework in place, where key risks faced by the organization are identified and the internal controls for mitigating these risks are documented with clear allocation of responsibilities. In these companies, the business processes that have evolved over time are most often not documented in terms of structured policies and Standard Operating Procedures (SOPs); and even if documented, they are not updated from time to time. For such companies, the ICFR requirements introduced by the Companies Act, 2013 are radical in nature, as they require a paradigm shift in the manner in which internal controls are designed, documented, implemented and evidenced.
For audit reports for the years ended 31st March 2016 onwards, Statutory Auditors are also mandatorily required to comment on the adequacy of internal financial controls system and the operating effectiveness of such controls.
The ‘Guidance Note on Audit of Internal Financial Control Over Financial Reporting’ released by the Institute of Chartered Accountants of India (ICAI) in September 2015 (hereinafter referred to as “the ICAI Guidance Note” or “the Guidance Note”) is a detailed document explaining the regulatory framework and providing both technical guidance and implementation guidance for conducting such an audit. This Guidance Note has been prepared to guide the auditor and has proved to be of immense help in carrying out the first set of ICFR audits, mainly of large and listed companies, most of whom had the benefit of formal documented policies and processes, a risk management framework and a well-defined governance structure already in place. This handbook is intended for the next set of companies and their auditors, who are required to cover the same distance in a shorter time. It is a humble attempt to guide such private companies and their auditors in their endeavor to comply with the requirements of ICFR. The objective of this book is to provide a simple and jargon-free explanation of what is expected, what is required to be done and how it can be done, in a manner that achieves not only the form but also the spirit of the regulatory requirement, without incurring disproportionate costs and without creating a complex structure of policies and documentation that may not be sustainable.
- Nandita Parekh
Contents at a Glance

1. Overview – ICFR for Private Companies
   1.1 Understanding IFC and ICFR
   1.2 The Regulatory Framework in a Nutshell
   1.3 So, What Has Really Changed?
2. Roadmap for a Private Company for adopting an ICFR Framework
   2.1 Need for a Framework
   2.2 Proposed Framework
   2.3 Understanding the components of internal control with specific reference to ICFR
   2.4 Starting the ICFR project
   2.5 Component # 1 - Control Environment
   2.6 Component # 2 - Risk Assessment
   2.7 Component # 3 - Control Activities
   2.8 Component # 4 - Information System and Communication
   2.9 Component # 5 - Monitoring of Controls
   2.10 Concluding Remarks
3. Roadmap for Auditors of Private Companies
   3.1 Overview
   3.2 Pre-audit Approach
   3.3 Audit Approach
   3.4 Audit Execution – Testing of Controls
   3.5 Audit Conclusions and Audit Reporting
   3.6 Call to action
4. Making it easy – ready-to-use drafts and formats
   4.1 Entity Level Controls – Specimen
   4.2 IT General Controls - Specimen
   4.3 Financial Statement Closure Policy - Specimen
5. Glossary of abbreviations used
6. Useful links and recommended reading
SECTION 1: OVERVIEW – ICFR FOR PRIVATE COMPANIES

1.1 Understanding IFC and ICFR:

1.1.1 Definitions:

Internal Control:
Standard on Auditing – SA 315 defines Internal Control as: “The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”
Internal Financial Controls (IFC):
Internal financial controls (IFC) have been defined in the explanation to Section 134(5)(e) of the Companies Act, 2013 as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.”

Internal Controls over Financial Reporting (ICFR):
The ICAI Guidance Note has adopted the definition of ICFR as given in the Auditing Standard 5 (AS 5) issued by the Public Company Accounting Oversight Board (PCAOB), USA, which is as follows: ICFR shall mean: “A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal financial control over financial reporting includes those policies and procedures that:
(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and
(iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”
1.1.2 ICFR and IFC - Simply Stated:

ICFR comprises:
- Transaction level controls (controls on maintenance of financial books)
- Annual/period closure and finalization controls (controls on preparation of financial statements)
- Controls over unauthorized or fraudulent access to, or use of, the company's assets
- Authorization controls over financial flows of receipts and payments
ICFR is a subset of IFC:

Thus, IFC as a concept is much wider than ICFR. ICFR comprises controls that provide reasonable assurance that financial statements are free of material misstatement. IFC, in addition, covers controls that ensure orderly and efficient conduct of business, controls for safeguarding assets, controls that ensure compliance with the company’s policies and controls that prevent/detect frauds and errors.

To give an example, Safe Traders Pvt. Ltd. (STPL) is a company that deals in goods that are highly combustible. The fire extinguishers in the company’s warehouse are not in working condition. This is a failure of IFC, as the operations of the company are not being conducted efficiently and this could pose a material risk, including potential financial loss to the company. However, this failure does not have a direct impact on ICFR, as long as STPL has a process for:
- Verifying inventory at year-end and ensuring that only the inventory that actually existed at year-end is considered for financial reporting.
- Reporting and accounting for a loss by fire in a timely and accurate manner.

As can be seen, in ICFR, the company and its auditors are concerned with all those controls the failure of which exposes the financial reporting to a risk of material misstatement. They are not concerned with controls that create a risk of business loss, non-financial fraud in terms of information leakage, non-adherence to quality control checks etc., all of which would be a subject matter of IFC.

(Diagram: IFC shown as the wider circle containing ICFR, operational controls and anti-fraud controls.)

For private companies, the present regulatory requirement for reporting by the Board as well as the auditors is restricted to ICFR. Hence, in the rest of this book, the discussion will be restricted to ICFR.
1.2 The Regulatory Framework in a Nutshell:

1.2.1 Maintenance of Financial Books and Preparation of Financial Statements:

Sections 128 and 129 of the Companies Act, 2013 require all companies to maintain books of account and prepare financial statements in a manner that gives a true and fair view of the state of affairs of the Company. This requirement was also present in the earlier Act of 1956. So, a company’s responsibility for maintenance of financial records and preparation of financial statements is an age-old requirement. The responsibility for maintenance of financial books and records and preparation of financial statements has been assigned to the Board of Directors, who in turn may delegate this responsibility to the managing director, the whole-time director in charge of finance, the Chief Financial Officer or any other person of the company charged by the Board with the duty of complying with the provisions of these sections. If no such delegation is done, then all the directors are responsible for the same.

In many small companies, the practice actually followed is that the Accounts & Finance Department compiles records up to the trial balance and hands over the same to the statutory auditors, and the auditors then prepare the financial statements and draft all the notes to accounts and disclosures. This practice blurs the division of roles between the Company and its auditors and creates, on one hand, an unhealthy dependence on the auditors by the Company and, on the other hand, a conflict in the professional relationship of the statutory auditors with the shareholders of the Company.
This practice needs to stop and companies need to take full responsibility for preparation of financial statements, with all due disclosures and which are fully compliant with accounting standards.
1.2.2 Ensuring adequate Internal Controls over Financial Reporting (ICFR) – Whose Responsibility?

Having established that the maintenance of financial books and records and preparation of financial statements is the responsibility of the Company management, we now move to the next question – “Is ensuring adequate internal controls over financial reporting also the responsibility of the Company?” This question needs to be answered at three levels:
a) With reference to the Companies Act and Rules
b) From a logical and common sense point of view and
c) From the perspective of risk management
a) With reference to Companies Act and Rules:
The Companies Act, 2013, vide section 134(5)(e) specifically requires that:
“(5) The Directors’ Responsibility Statement referred to in clause (c) of sub-section (3) shall state that— …… (e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.”
As seen, the requirement for listed companies has been spelt out clearly in the section above. What about private companies then? For private companies, there is no specific section of the Companies Act, 2013 that specifies such a requirement. The requirement comes indirectly through Companies (Accounts) Rules, 2014 – more specifically, Rule 8(5)(viii) reproduced herein below for easy reference:
“Rule 8. (5) In addition to the information and details in sub-rule (4), the report of the Board shall also contain – ….(viii) the details in respect of adequacy on internal financial controls with reference to the Financial Statements”

This requirement applies to every company – listed, unlisted, private, public, and even one-person company. This indirectly makes the Board of Directors accountable for ensuring the adequacy of internal financial controls with reference to financial statements. This is similar to an earlier requirement in CARO, 2003 where the auditors of certain companies were required to report on “whether the company has an internal audit system commensurate with its size and nature of its business”; while the Companies Act, 1956 was silent on the requirement for internal audit, the reporting requirement by the auditors indirectly led to the presumption that such companies were expected to have a formal internal audit system and an adverse remark by the auditors would require the Board of Directors to provide an explanation. Thus, the accountability of the directors was indirectly set/presumed. Similarly, in the present case, by requiring all companies, in the Board’s Report to the shareholders, to include a statement about the adequacy of internal financial controls over financial reporting, the responsibility for ensuring adequacy of such controls has been identified to be that of the Board.
b) From a logical and common sense point of view:
From the inception of the Companies Act, 1956, directors have been signing the financial statements of a company. The Annual Report, comprising the financial statements, the Board of Directors’ Report and the Auditors’ Report, forms the most significant annual communication between the Board of Directors and the shareholders/owners of the company. This being the case, one can logically conclude that directors assume the primary responsibility to ensure the truth and fairness, the accuracy and appropriateness of the financial statements.
For small companies, where the owners and the management are the same, and where there are few employees with centralized operations of a small quantum, it may be possible for the directors to present financial statements that are true and fair and fully compliant in terms of disclosure requirements and accounting standards, without the need for elaborate processes, sophisticated IT systems or a detailed analysis of risks and controls. As companies grow in size, the only way for the directors to reasonably ensure that the financial statements are free from material errors and misstatements is by establishing processes and controls that counter the risks effectively and to employ/appoint adequately competent people to discharge the responsibility on behalf of the Board.
c) From the perspective of risk management:
Section 134(3)(n) of the Companies Act, 2013 lays down the responsibility of Board of Directors with reference to risk management; the same is reproduced hereunder:
“There shall be attached to statements laid before a company in general meeting, a report by its Board of Directors, which shall include—
….(n) a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company;….”
The directors are thus required to ensure that the company has designed and implemented a risk management policy for the company. It is expected that one of the key risks that is addressed through the risk management policy is the financial reporting risk or, in other words, the risk of material misstatements in financial statements and financial reporting.
The Directors’ Report of all companies provides a statement on the risk management framework/policy adopted by the company; however it is a known fact that for a large number of companies, this statement is not backed by a documented risk management policy or a framework that has actually been implemented with the involvement of the management. The companies and their directors need to take a hard look at how they establish, implement and document a risk management framework for the company in general and with reference to ‘financial reporting risk’ in particular.
Thus, whether one takes a regulatory stand-point or a logical view, or a risk management perspective, it is amply clear that the directors take primary responsibility for presenting annual financial statements that are free from material misstatements. This would, in itself, require them to institute risk management processes and internal controls appropriate to the size of the company, and the nature of its operations. They may discharge this responsibility themselves or through effective delegation.
1.2.3 The Auditor’s Responsibility and Reporting Requirement:
The auditor’s responsibility with respect to IFC/ICFR stems from section 143(3)(i), which requires the auditor’s report to state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls. To be able to make such a statement, the auditor would need to obtain reasonable assurance to state whether an adequate internal financial control system was maintained and whether such controls were operating effectively as far as financial reporting is concerned. The ICAI Guidance Note makes it clear that the auditor’s responsibility with respect to internal financial controls extends only to financial reporting. Further, the Companies Amendment Bill 2016 contains a provision to modify section 143(3)(i) by replacing the words "internal financial controls system" with the words "internal financial controls with reference to financial statements”.
1.2.4 A Summary of Relevant Sections and Rules:
The specific sections of Companies Act, 2013 and rules forming part of Companies (Accounts) Rules, 2014 that fix the responsibility with respect to IFC/ICFR are summarized hereunder:
Section and Rule Reference: Brief Description and Applicability

Section 128: Books of account, etc., to be kept by the company. A company is required to prepare and maintain books, papers and financial statements so as to give a true and fair view of the state of affairs.

Section 129: Financial Statements. The financial statements shall give a true and fair view of the state of affairs of the company or companies, comply with the accounting standards notified under section 133 and shall be in the form or forms as may be provided for different class or classes of companies in Schedule III. At every annual general meeting of a company, the Board of Directors of the company shall lay before such meeting the financial statements for the financial year.

Section 134(3)(n): Financial statement, Board’s report, etc. Statements laid before a company in general meeting are to include a report by its Board of Directors, which shall include “….(n) a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company;….”

Section 134(5)(e): Financial statement, Board’s report, etc. – Directors’ Responsibility Statement: “(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.” This is applicable only to listed companies.

Rule 8(5)(viii): Matters to be included in Board’s report. The report of the Board, in addition to all other details, is also to contain the details in respect of the adequacy of internal financial controls with reference to the financial statements. This Rule, applicable to all companies, has extended the responsibility of reporting on ICFR to all unlisted companies – whether one person company, private or public.

Section 143(3)(i): Powers and duties of auditors and auditing standards. This sub-section requires the Auditor’s Report to state, among other things, “whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls”.

Companies Amendment Bill 2016 (modification to section 143(3)(i)): Powers and duties of auditors and auditing standards. Contains a provision to modify Section 143(3)(i) by replacing the words “internal financial controls system” with “internal financial controls with reference to financial statements”.

Section 177(4)(vii): Audit Committee. The terms of reference of the Audit Committee are to include evaluation of internal financial controls and risk management systems. This is applicable to those listed and specified public companies that are required to form an Audit Committee. This section is not applicable to private companies, as there is no regulatory requirement to form an Audit Committee for a private company.

Schedule IV(II)(4): Code for independent directors. Independent directors are required to satisfy themselves that financial control and the systems of risk management are robust and defensible. This requirement is applicable to companies that are required to appoint independent directors. As private companies are not required to do so, this requirement does not apply to a private limited company.
1.3 So, What Has Really Changed? This can be explained by a small story.
There was a busy road that was prone to accidents, as cars, 2-wheelers and pedestrians kept driving and walking around in an undisciplined manner. Seeing this, the traffic police and the local authorities created a zebra crossing for the pedestrians and a separate 2-wheeler lane, and installed a traffic signal. Now it was for the pedestrians and vehicle drivers to operate within this framework to ensure each other’s safety and to discharge their responsibility for the maintenance of a risk-free environment. After some time, as the accidents continued to occur, a traffic policeman was placed at the signal. To his utter horror, he found that the signal was being ignored by most, the pedestrians had taken over the 2-wheeler lane, the side-walk was encroached upon by peddlers and the risk of accident had in fact increased for the stray pedestrians who actually walked believing that everyone else would follow the rules! He immediately started catching those who were not following the rules and started issuing notices/levying fines. At this, everyone – the pedestrians, the peddlers and the vehicle drivers – was up in arms, saying there was not enough notice given before the traffic cop showed up. The traffic cop was unmoved. He simply stated that enough advance notice had been given, that following the traffic rules was in the interest of the various concerned groups and that if anyone wanted to avoid the fines, all they had to do was to start following the rules!

Now, let’s fast forward and relate this to ICFR:
- Directors are responsible for maintenance of financial records and preparation of financial statements that are true and fair and free of material misstatements;
- For all companies that have grown over time, that operate from multiple locations, or have complex financial transactions, or deal in multiple lines of business, or have entered into many outsourcing arrangements with delegation of key financial processes, etc., there is a need to define adequate processes and controls to ensure that the financial statements are not compromised;
- If the company has implemented an elaborate IT system, the company ought to have defined access rights and authorization controls and created a set of protocols to ensure that the IT system based controls are robust and do not dilute the quality of financial records or reporting;
- Auditors are required to perform an evaluation of internal controls as per Standard on Auditing (SA) 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment”;
- The auditors are required to plan the audit based on evaluation of internal controls and the extent of reliance that can be placed on such controls. Accordingly, auditors, at the time of planning the audit, ought to have documented the results of their evaluation of internal controls;
- Now, the regulatory requirement has changed wherein:
  o the Board, in its report to shareholders, is required to state the adequacy of ICFR and
  o the auditors are required to express an opinion on the adequacy of ICFR and its effectiveness.

With this, suddenly, companies and their auditors have started feeling the pain and the pressure, because neither had paid keen attention to the rules and the expected conduct till now.
The self-regulated traffic signal is now manned by a traffic cop, namely, the “ICFR reporting requirements” under the Companies Act, 2013 and the subsequent likely scrutiny by regulators…… and suddenly, some companies and some auditors are realizing that perhaps they were lax in observing the traffic rules earlier!!
The scene is not much different from the traffic cop showing up on that busy road. The task on hand appears tougher than it is intended to be, perhaps because neither the company, nor maybe the auditors have performed their evaluations and analyses in a manner that could stand up to an independent review/ scrutiny.
To sum up, the principal change is that the auditor is now required to comment on the adequacy of internal controls over financial reporting (ICFR) and its operational effectiveness. For the auditor to express this opinion, it is necessary for him/her to understand the policies and processes adopted by the company, to obtain evidence in support and to perform testing for confirming operational effectiveness of such controls. This, in turn, will require the management of companies to provide the necessary details and documentation to evidence that they have designed and implemented controls to ensure robustness of financial reporting. This will also require the companies to first identify the risks of material misstatement of financial statements and then map controls for each such identified risk. And therein lies the challenge – it is no longer enough for a company to have sound internal controls over financial reporting, it is equally necessary that they are able to demonstrate the controls. Similarly, it is no longer enough for the auditors to modify their audit plan based on their assessment of internal controls, it is essential for them to evaluate whether these controls are adequate and operational to be able to give an opinion on ICFR. In the chapters that follow, a step-by-step guide is provided for companies to roll out and consolidate the framework for ICFR; followed by a methodology for the auditors to assess the existence, adequacy and effectiveness of ICFR.
SECTION 2: ROADMAP FOR A PRIVATE COMPANY FOR ADOPTING AN ICFR FRAMEWORK

2.1 Need for a Framework:
Any assurance or diagnostic activity requires a set of benchmarks based on which the assessment is done to arrive at a conclusion. For all quality control assessments, there is a set of benchmarks that the production facility and the product are required to meet before quality assurance is given. Similarly, in the medical field, before diagnosing a medical condition, a set of parameters is tested and, based on the combined results, an indicative diagnosis is arrived at. The same is applicable to ICFR: for the directors to make a statement that the internal financial controls with reference to financial statements are adequate, they would need to use certain benchmarks against which the internal control system adopted by the company would be evaluated. The set of benchmarks collectively is referred to as the ‘framework’. Without a structure or a framework, the entire exercise of assessing internal controls may remain ad hoc and subjective and may not give the desired level of confidence. Further, if the internal control system is found inadequate, the framework would provide a clear identification of the area where the system does not meet the adequacy test, thereby highlighting the specific areas for improvement and strengthening of the controls. Hence, a company needs to adopt a framework for designing and implementing its system of internal controls over financial reporting.

A different way of visualizing a framework is to compare it with a map. A map provides an efficient way of reaching one’s destination – a good map, like a Google Map, shows the alternate ways, the fastest way, the road that may have costs attached (tolls) and the road that may be congested at a given point of time. Now, it is possible to reach one’s destination without a guiding map, but that may entail detours, time loss, unexpected costs, placing reliance on the directions indicated by others…. and above all, a high risk of not making it to the destination. Similarly, a framework for internal controls provides a map – an efficient and planned way of achieving a desired state of internal controls over financial reporting (ICFR). Should anything more be said about the need for a framework?
2.2 Proposed Framework:
The directors of all unlisted companies are required to state, in their Director’s Report, “details in respect of adequacy of internal financial controls with reference to the financial statements”, i.e. adequacy of ICFR. The adequacy of ICFR is best assessed with reference to a framework or a benchmark standard. The next question for the directors is – which framework to adopt?
The company and its directors are free to choose a framework that is appropriate for their company; no mandatory format has been prescribed by any regulations, as such, for companies. One of the most common frameworks adopted for establishment and assessment of internal controls is the 5-component framework detailed in SA 315 “Identifying And Assessing The Risk Of Material Misstatement Through Understanding the Entity And Its Environment”. This framework has also been endorsed by the ICAI Guidance Note. The said Guidance Note states that: “In general, a system of internal controls to be considered adequate should include the following five components:
- Control Environment
- Risk Assessment
- Control Activities
- Information System and Communication
- Monitoring”

This 5-component framework is by far the most frequently used framework globally for designing and reviewing internal controls. Also, the ICAI Guidance Note, read with SA 315, provides ample guidance, ready-to-use formats and detailed explanations that can be used by the company for the development of its ICFR framework. Hence, it is advisable for companies to adopt this 5-component framework for establishing and evaluating ICFR, which can then be used by the auditors for their review – this would optimize efforts at every level.
2.3 Understanding the components of internal control with specific reference to ICFR:
2.3.1 Components explained through an example:
A clear understanding of each of the five components is essential for those responsible for designing and operating ICFR.
Let us start with an example: A company is concerned about the health of its employees and is thus interested in ensuring preventive healthcare for its employees. To this end, it requires each employee to undertake an annual health check-up at a nearby hospital. When an employee goes for his/her routine annual medical examination, the following process is adopted by the hospital:
i. General profile:
First, a general profile of the individual is taken in terms of gender, age, past history, hospitalization in the past 5 years, surgeries undertaken, illnesses, medical history of the parents/blood relations, exercise routine, smoking/alcohol habits etc. Also, a certain set of general tests such as CBC, chest x-ray, blood pressure, etc. is prescribed to all.
This corresponds to the 1st component - “Control Environment”.
ii. Identification of potential risks:
Based on age profile, family history, living conditions and lifestyle assessment, some general medical risks are identified. E.g. for someone who has a very demanding work schedule, stress-induced disease is identified as a risk, and for someone with a family history of diabetes, risk of diabetes and related conditions is identified as a risk.
This corresponds to the 2nd component – “Risk Assessment”.
iii. Further testing and medical advice based on identified risks:
Based on the risk profile, a further set of tests is prescribed. E.g., for persons with a family history of cardiac problems, an ECG and stress test may be advised. The company’s Medical Officer then decides which further tests are required and, based on the approval, these tests are conducted. The test results are examined to check if any of the feared risks have shown up as an actual medical condition. Based on the results of all the tests and an assessment of general profile and lifestyle, the doctor prescribes/recommends:
a. Certain corrective medication and activities, e.g. for an obese person, a serious exercise routine would be prescribed.
b. Certain preventive medication and activities – e.g. for a woman over 50, the doctor may advise taking calcium supplements.
c. Certain general advice on lifestyle, e.g. blinking of eyes every 5 minutes when there is extended computer usage.
d. Recommendation for certain further testing or specialist intervention, e.g., if moderate loss of eyesight is detected, the need to examine eye-pressure and test the retina may be identified and recommended.
This corresponds to the 3rd component – “Control Activities”.
iv. Creating awareness and communication of findings:
The annual medical examination ends with the hospital handing over to the patient a health summary, accompanied by all the test reports and prescriptions, duly signed by the attending physician. The findings are shared with the company, giving due respect to privacy and confidentiality norms.
Also, the Medical Officer of the company is required to give a brief report to the management about the general health of the employees and changes in trends observed, if any.
The company, in association with the hospital, creates awareness to ensure good health by sending out periodic updates on developments in the medical field that are of general interest to the company’s employees. All this helps the management of the company to conclude on the general health of its employees and whether the pro-active steps taken by the company are effective in improving the health standards.
This corresponds to the 4th component – “Information System and Communication”.
v. Periodic Monitoring:
The company takes steps to confirm that the annual health check-ups have been completed for all employees during the year. Further, for certain key employees or those at higher risk, the company adopts a more involved plan for regular monitoring of the parameters at a greater frequency.
This corresponds to the 5th component – “Monitoring”.
This easy-to-understand example explains the role of each component of internal controls.
2.3.2 Internal control components explained in the context of ICFR:
The objective set by the company is “to establish and implement a system of internal controls such that it provides reasonable assurance that the financial statements prepared by the company are free from material misstatements.” A supplementary objective is also to test the adequacy and operating effectiveness of these internal controls periodically.
Using the 5-component framework for ICFR, the company may start with examining the control environment, and then move to the next component and the next one. Readers are advised to refer to SA 315 for a detailed explanation of each of the five components. A brief overview of each of the components in the context of ICFR is given hereunder:
Control Environment: Control environment refers to the tone set at the top by the senior management/owners of the company. With reference to ICFR, the control environment refers to the organization-wide values, policies and protocols that create an environment conducive to accurate, fair and transparent financial reporting. The control environment encompasses the direction given by the management for eliciting ethical behavior, ensuring competency, emphasizing structured processes and automation to reduce errors and control lapses, instituting audit and quality control processes, ensuring management deliberations on key issues relating to financial reporting, etc.
Risk Assessment: Risk assessment with reference to ICFR refers to the process adopted by the company to identify the Risk of Material Misstatements (RoMM) in financial statements. This component calls for a structured analysis of potential risks of misstatements, at two levels:
- Financial statement level
- Account balance and transaction type level
Risk assessment for ICFR needs to be conducted by persons competent to understand the financial reporting process, the disclosure requirements, the vulnerabilities to fraud, the temptations for misstatement at employee and/or management levels, etc. The risk assessment needs to be done keeping in view the known stakeholders and expected readers of the financial statements.
Control Activities: Control activities with reference to ICFR refer to all the policies, processes and practices designed and applied by an organization for mitigating its RoMM to an acceptable level. Control activities are embedded in the daily processes (e.g. a bill is accounted only after authorization), or introduced as periodic activities (reconciliations or verifications or budgetary reviews) or as an annual exercise (financial closure related controls). Controls may be automated or manual and may be preventive or detective.
For an effective ICFR framework, one starts with RoMM and maps the controls to each identified risk with a view to conclude that the controls are existing and adequate to address the risks.
Periodic testing is required to be done to establish the operational effectiveness of controls, i.e. to conclude whether the controls operate effectively.
Information System and Communication: In the context of ICFR, this component refers to multiple types of information flows and communication channels:
- First, the entire flow of information from the occurrence or non-occurrence of all relevant events or transactions, its flow into the accounting system and ultimately into the financial statements, to ensure that the financial statements are complete, accurate and present a true and fair view.
- Second, the flow of relevant information, including regulatory developments, to those charged with governance and/or those responsible for selection of accounting policies, finalizing accounting treatment and making financial estimates, to ensure transparency and fairness in financial reporting.
- Third, the communication of financial statements from the company to the owners and other stakeholders, including regulators.
The presentation of financial statements free from any material misstatement necessitates that all these information and communication channels are operating effectively.
Monitoring (of Controls): This component entails the processes established by the management to ensure that controls as designed are operating effectively and that lapses are identified and remedied in a timely manner.
The monitoring activities may be carried out by introducing Control Self-Assessment (CSA), where each process owner periodically tests the process controls, or by an independent review by the internal auditors, quality auditors or management representatives, or by periodic management reviews.
Now that we have understood the need for a framework and examined the relevance of each of the components, it is time to apply all this knowledge to create a practical and sustainable framework for ICFR. For this, the steps to be taken to start the ICFR Project, and then to be taken under each component, are explained in sections 2.4 to 2.10 below, with certain ready-to-use templates.
2.4 Starting the ICFR Project:
2.4.1 A company would be required to consider the ICFR exercise as a project initially, and thereafter integrate the ICFR review as an ongoing company process/activity. The following steps may be considered to start with:
a) The Board of Directors (BoD) should formally acknowledge their responsibility for establishing Internal Controls over Financial Reporting. This may be recorded in the Board Minutes.
b) If the BoD has delegated the responsibility for ensuring ICFR to one or more of the directors or officers of the company, then such delegation may also be formally recorded, ideally as a Board Resolution. It may be noted that private companies are not required to have an Audit Committee by law – however, they can voluntarily constitute an Audit Committee or its equivalent, to provide guidance in matters of internal audit, financial reporting and ICFR.
c) It is advisable to designate a senior employee or a whole-time director with requisite understanding of financial reporting and company’s way of functioning, to champion the ICFR initiative. This role is generally played by the CFO, Chief Internal Auditor, Company Secretary/ Compliance Officer or Finance Director. This role may also be played by an external advisor, other than the statutory auditors. If the company has outsourced its internal audit function, then the outsourced firm of internal auditors may be appointed to assist the company in design and documentation of ICFR.
d) Since the statutory auditors are required to review the ICFR framework for the purpose of ICFR audit, they cannot be involved in designing the framework (either directly or through any other entity within their network) – else, they will find themselves in conflict when it comes to expressing their opinion based on review of ICFR framework.
e) The ICFR Champion needs to be supported by requisite team members – ideally, the team members may be freed up from their day-to-day responsibilities to focus exclusively on the ICFR project – alternatively, support may be sought from external agencies/advisors.
f) The quality of the ICFR framework will be directly related to the importance and commitment displayed by the directors throughout the ICFR Project and thereafter. Considering that this is an important responsibility cast on the directors, it is advisable for the directors to effectively communicate the importance of this project across the company, to assign competent persons to drive this project and to stay involved with the project, through ongoing review and monitoring.
2.4.2 ICFR Project – First Steps in a Nutshell:
- Board to acknowledge its primary responsibility for ICFR
- Board to formally delegate the responsibility to a designated ICFR Champion
- ICFR Champion to formulate a team of persons from within and outside the company to drive ICFR
- Board to provide support through communication and resource allocation
2.4.3 Each company and its directors need to make a choice –
- Either treat ICFR as a means of formalizing and strengthening the entire process leading to preparation of financial statements, and thereby create a company-wide focus on internal controls; or
- Treat this as one more ‘check the box’ exercise that holds no significance.
At a regulatory level, ICFR is one more provision to comply with. At a deeper level, ICFR provides a means for revisiting, strengthening and documenting the entire process, starting with the core values of the organization, governance principles, policies and processes and level of automation, down to operating instructions that together ensure reliable financial statements with due disclosures.
The author believes that ICFR is an opportunity for forward looking companies who want to adopt best practices in the way they function; it is a step towards improving governance and inculcating control awareness across the organization.
2.4.4 Risk Control Matrix (RCM) – an important tool for documentation for ICFR:
A Risk Control Matrix (RCM) refers to a tool used for documentation of risks and controls in a structured manner, on a standard template. An RCM prepared for ICFR documentation generally provides the following details:
- Process and sub-process name
- Risk description
- Characteristics of risk in terms of fraud risk, risk level, etc.
- Control description
- Nature of control – preventive/detective, manual/automated, frequency of control, etc.
- Evidence of control
- Result of design testing
- Result of testing operational effectiveness
An RCM provides a one-point documentation of business process, risks, controls and control testing details and is extensively used for ICFR documentation. A specimen RCM template has been provided along with the ICAI Guidance Note. A simplified version of the same may be adopted by smaller, private companies.
2.5 Component # 1 - Control Environment:
2.5.1 Control environment may be visualized as the sentinels or security guards at the main entrance of a large building, say, a mall. If the entrance security is strong, the likelihood of miscreants entering the mall is reduced and, to that extent, the security at each of the shops need not be as strong. Similarly, if the control environment is strong and reliable, the process and account level controls do not need to be very strict. However, if the control environment is not strong, then each process/account level control needs to be strong and frequently tested.
2.5.2 The directors of a private company need to assess the control environment by introspecting on the availability of the following:
- Clearly stated structure, responsibility allocation and governance framework
- Effective risk management framework, with identified “financial reporting risks”
- Documented policies and processes related to key activities, with identified control points
- IT system that is effectively used, secure, tested and documented
- Documented financial reporting and period closure process
These parameters define the broad framework that forms the foundation of ensuring adequate ICFR.
The key issues that the management needs to debate and answer are:
- What role do the directors play in reviewing the financial statements to ensure that they meet the disclosure requirements and are free from material misstatements?
- Do the directors possess the necessary knowledge and do they spend adequate time to discharge this role?
- If the directors are themselves not reviewing the financial statements as required, then whom do they rely upon? The CFO, the Controller, any external advisor?
- What are the policies and protocols adopted by the company to create an ethical environment that discourages frauds, misappropriations and misreporting?
- What is the direction given by the management to encourage automation, smart IT systems for financial accounting, documented processes and adequate training?
- Are the IT systems used by the company tested for accuracy and controls by periodic audit of the IT security and systems?
- Are there management processes such as budgeting, periodic reviews, analyses of deviations, performance reviews etc. that would result in timely preparation of accounting records and early detection of errors and potential problems?
- Is the company able to source and retain talent appropriate to its requirements? Is sufficient importance given to training and knowledge building so that the employees are able to perform well in the changing regulatory environment?
In short, there needs to be an assessment of all those steps that have been taken by the management, whether documented or not, that give confidence to the management on the quality of financial statements prepared by the company.
2.5.3 The directors’ assessment of the control environment, done with the help of functional experts such as CFO, IT head and internal auditor, results in the documentation of:
- Entity Level Controls (ELC)
- IT General Controls (ITGC)
2.5.4 Assessment of ELC and ITGC is facilitated by use of questionnaires or checklists. These assessments are likely to reveal certain control gaps and some areas for improvement that need to be addressed by the management.
Addressing control weaknesses in ELC will enhance the governance of the company and strengthen the work culture and environment.
Addressing control weaknesses in ITGC will enable greater reliance to be placed on the IT systems and automated controls, thereby reducing the need for manual controls and extensive testing.
ELC and ITGC are generally used to judge the internal control climate in the company – weaknesses at these levels may not automatically result in a conclusion that internal controls over financial reporting are inadequate, unless the weaknesses are indicative of a serious governance failure or a controls breakdown.
2.5.5 For a private company that falls in the SME category or has a simple business model, there is expected to be a gap in the documentation of policies and statements that evidence the organization’s vision, mission, code of ethics, compliance focus, fraud prevention, etc. Absence of documentation is not the same as absence of controls. However, documentation of certain key policies will need to be taken up on a priority basis for the management to be able to rely upon and demonstrate the internal controls.
An easy-to-use table is provided hereunder to enable a company to make a self-assessment of its ELC and decide the action plan for improvement, where the score is low. You may rate your company on a scale of 0-3, where:
- 0 represents ‘total absence’;
- 1 represents ‘somewhat available/known’;
- 2 represents ‘substantially available and evidenced’; and
- 3 represents ‘fully in place and well-documented/evidenced’.
Sr# / Parameter / Description / Your Score
1. Board structure, delegated authority for ICFR and role of CFO
   Description: Clarity of role of the Board. Regularity of meetings. Timely recording of minutes. Specific responsibility assigned for ensuring adequacy of ICFR to Audit Committee or Board members with relevant experience. CFO empowered and independent, to ensure full and fair reporting.
   Your Score: ____
2. Values, vision and Code of Ethics
   Description: Mission, vision and values of the company defined and demonstrated. Code of Ethics and Code of Conduct documented, explained and enforced. Anti-bribery policy, self-disclosure of conflicts and whistleblower policies introduced and explained.
   Your Score: ____
3. Organization structure, roles and responsibilities and authority matrix
   Description: Clearly defined, updated organization chart. Well-defined roles, responsibilities and authority structure. Formal delegation of powers. Segregation of duties and functional roles across the company to improve internal controls.
   Your Score: ____
4. Risk management framework
   Description: Formal risk management policy and framework implemented. Financial reporting and fraud risks considered in the risk management framework. Risks mapped with controls. Risk management framework revisited and revised to ensure on-going relevance.
   Your Score: ____
5. Documented process flow diagrams and process narratives/policies/SOPs
   Description: Documented policies and processes for all key areas of the company. Process diagrams with identified control points. Authority matrix defined. Work flow and document flow well designed.
   Your Score: ____
6. Policy for financial reporting and closure
   Description: Written policy and process note for financial statements closure with assigned responsibilities. Process for incorporating regulatory changes in disclosure requirements. Adequate segregation and maker/checker controls. Basis for making financial estimates and approval authority for the same clearly defined.
   Your Score: ____
7. Talent development
   Description: Policy established to ensure right people for the right job. Effective sourcing, retention and training of people. Ensuring employee empowerment and growth.
   Your Score: ____
8. Performance review & MIS
   Description: Budgetary controls. Performance review by management, with deviation analysis. Well-structured MIS generated from IT system used for financial reporting. Periodic analysis to identify aberrations, exceptions and unusual trends.
   Your Score: ____
9. Monitoring and internal audit
   Description: System of internal audit for periodic review of controls. System of quality checks and self-checks of controls. Periodic review of adequacy of processes and controls by functional heads and management.
   Your Score: ____
10. Management’s philosophy on IT usage, compliance and employee policies
   Description: Emphasis on IT-enabled processes and automation. Compliance framework and compliance reporting to the Board established. Employee policies and performance appraisal process that encourages commitment, integrity and competency.
   Your Score: ____
This table is only indicative, and may be modified to suit each company’s needs based on its specific structure and the nature of its business. The self-assessment will help the management to determine the areas to focus on and also the level of reliance that may be placed on these controls for the purpose of ICFR. While a perfect score of 30 may seem a distant dream, companies with scores less than 15 have reasons to worry. For a more purposeful analysis, the table needs to be supplemented by 2 additional columns:
- Description of the current status, based on which the score has been assigned;
- Proposed action/remediation plan, with timelines and responsibility.
In larger companies, the ELC documentation is done using a spreadsheet (Excel template). A sample template is provided in Section 4 of this book.
2.5.6 IT General Controls:
Almost all companies use some IT platform and applications for conducting their day-to-day business, including for financial accounting. The use of IT systems is all-pervasive, in maintaining fixed asset records, for generating Purchase Orders, for printing sales invoices, for uploading statutory returns and so forth. From the ICFR perspective, a company is concerned with the review of the overall IT infrastructure initially, and thereafter, the specific applications and modules used for recording information that are directly or indirectly used in the preparation of financial statements. The overall review of the IT policies and infrastructure is referred to as ITGC, or Information Technology General Controls. As a starting point, a company should document the IT infrastructure and applications used by it, how each one connects with other applications of the company and who is the ‘owner’ of each IT application in use, in terms of controlling access and modification thereto.
The IT risks that are expected to be addressed through effective ITGC are:
- Risk of inadequate management focus on IT function and IT environment, inadequate policies for integrity of IT systems.
- Risk of interruption and breakdown leading to inability to compile accurate financial statements.
- Risk of unauthorized access to servers, computers and application programs.
- Risk of misuse by the IT department, by gaining back-end access to IT systems and making unauthorized changes.
- Risk related to outsourcing and loss of data integrity or leakages of information/funds/resources.
- Risk of undocumented IT applications, leading to sub-optimal or inappropriate usage.
- Risk of inadequate change management process, leading to uploading untested patches and modifications.
- Risk of ineffective review and monitoring, leading to errors, processing flaws, threats and unauthorized access remaining undetected.
The IT systems used by companies vary widely. The IT system adopted by a company may be an off-the-shelf package or a customized system, a single location system or a cloud-based multi-location system, a stand-alone financial accounting package or an integrated ERP. Considering the wide differences, it is difficult to arrive at a standard checklist or assessment criteria. An attempt is made hereunder to provide a set of parameters for evaluation of ITGC – these will need to be modified to suit the specific circumstances of a company.
Sr # / Parameters for Assessment of ITGC / Self-Assessment
1. IT Policy and department structure
   Parameters: Well-documented IT policy explaining the company’s philosophy and IT vision. IT department’s structure, with clear identification of the roles and responsibilities. Policy on anti-piracy, preferred platforms and mode of development.
   Self-Assessment: ____
2. IT procurement and outsourcing
   Parameters: Policy for procurement of IT hardware and software. IT outsourcing policy clearly indicating the activities that need to be done in-house and those that may be outsourced. Vendor KYC and due diligence policy. Policy on access rights to outsourced vendors and control on data security. Review of Service Level Agreements (SLA) at pre-defined periodicity.
   Self-Assessment: ____
3. Physical security and access to IT resources
   Parameters: Physical control on access to IT servers and data rooms. Safeguarding of IT hardware. Custody and safekeeping of archived data and source code files. Software license management.
   Self-Assessment: ____
4. Logical access controls
   Parameters: Access rights allocation, approval and periodic review. “Need to know” basis of access right allocations. Log reports for detection of threats and penetration. Blocking and de-blocking of access rights. Password change policy. Controls on sharing of passwords.
   Self-Assessment: ____
5. Data security
   Parameters: Back-up policy. Data archival and access policy. Choice of media for data storage. Firewalls for safety from unauthorized access. Protection of data stored on third party servers and on the cloud.
   Self-Assessment: ____
6. Business Continuity and Disaster Recovery Plan
   Parameters: Documented BCP/DRP. Testing of backups periodically. Communication of DRP to all employees. Identification of mission-critical IT activities for effective BCP/DRP.
   Self-Assessment: ____
7. IT manuals and source code
   Parameters: Availability of manuals for all IT applications and systems in use. All modifications to IT systems duly updated in IT manuals. For customized software, availability of source code for future modifications and for fixing bugs.
   Self-Assessment: ____
8. Change management process for modification to IT applications
   Parameters: Tracking of IT change requests. Modifications only in test server. User Acceptance Test and technical test for all changes prior to go-live. Process for ensuring seamless data processing pre and post changes to the software.
   Self-Assessment: ____
9. IT audit, log monitoring
   Parameters: Periodic IT security management audits. Ongoing generation of log reports and effective review. System-based alerts for all security threats and unauthorized access.
   Self-Assessment: ____
10. Review of IT controls of significant outsourced vendors
   Parameters: For all significant outsourced activities, assessment of IT systems used and related controls implemented by the vendor, e.g. outsourced payroll processing.
   Self-Assessment: ____
The parameters listed above help a company to assess its areas of strength and areas for improvement.
For a company to rely on the data processed by the IT system and use the same for financial statements, it is necessary to ensure that ITGC are adequate to ensure accuracy and integrity of the data processed and reports generated using these systems. Assessment of ITGC is also required to prevent frauds and vulnerabilities arising out of unauthorized IT access. IT systems directly interfacing with financial accounting system need to be reviewed in greater detail as part of the process reviews undertaken, as explained later.
The ITGC assessment may lead to one of the following conclusions:
- The ITGC are substantially in place and hence, the IT systems can be relied upon at the time of process review.
- The ITGC are in place in some areas but need significant strengthening – hence, limited reliance may be placed on IT systems and controls embedded therein; alternate manual controls need to be identified and tested for the specific areas where the ITGC are found to be inadequate.
- The ITGC are almost non-existent, making it difficult to rely on the IT systems and the output processed through these systems. This may warrant the directors (and the auditors) to report that the ICFR are inadequate as far as they relate to the IT environment and IT systems, unless a complete system of manual controls is in place and can be relied upon.
Many companies develop a Risk Control Matrix (RCM) based on IT General Risks and ITGC using a spreadsheet (Excel template). A sample template of ITGC RCM is provided in Section 4 of this book.
2.6 Component # 2 - Risk Assessment:
2.6.1 Risk assessment with reference to ICFR refers to the management’s assessment of the Risk of Material Misstatement (RoMM) in preparation of financial statements and in financial reporting. Ideally, this risk assessment should be part of a larger, company-wide risk management exercise.
2.6.2 The key sources of financial reporting risks are:
- Management override or management fraud
- Employee initiated misreporting – due to targets or incentives/fear
- Errors, omissions and inefficiency resulting from people, processes or IT systems
- Misinterpretation of regulatory provisions related to financial reporting
2.6.3 The sources of risks identified above are typically addressed through Entity Level Controls (ELC) and Process Level Controls (PLC) as follows:
Principal Sources of Risk / Manner of addressing the risk
- Management override or management fraud: Governance Structure, Code of Ethics and reputation of the Board members. Mainly through ELC.
- Employee initiated misreporting (due to targets set, incentives, fear): Code of Ethics, well-designed incentive and performance measurement systems, pre-emptive controls. Combination of ELC and PLC.
- Misinterpretation or lack of awareness of regulatory provisions related to financial reporting: Commitment to competency, training plans, access to knowledge resources and professional experts. Mainly through ELC.
- Errors, omissions and inefficiency resulting from people, processes or IT systems: IT application controls, maker checker controls, authorization, verifications, reconciliations, financial statement closure policy, etc. Mainly through PLC.
2.6.4 Next, a detailed exercise is undertaken for identifying account balances that meet the materiality considerations. The purpose of this exercise is to identify the corresponding business processes and map the related risks and internal controls to confirm adequacy of internal controls. Steps for identification of material items are as follows:
- Based on the analysis of the previous year’s financial statements and the current year’s projected financial figures, a percentage-based threshold for materiality needs to be determined. Typically, this is fixed as a % of turnover, a % of profit for the year or a % of total assets of the company. The selection of the base and the % is based on judgement and understanding of the business.
- The materiality level determined as aforesaid is then applied to the account balances as per the last audited financial statements, and all balances in excess of the threshold are selected.
- Based on the nature of business, the account balances susceptible to material errors and misreporting are identified – e.g. stock valuation in a jewelry manufacturing company, revenue recognition in a construction company, and so forth. These items are added to the list of ‘material’ items.
- An additional qualitative analysis of financial statements and related disclosures is done to determine additional items that may be considered material from the point of view of true and fair reporting – e.g. related party disclosures, disclosures related to derivative transactions, etc.
- Based on the above, a final list of potentially material items is determined. These items, if misstated, are considered to pose a material risk of misstatement – hence, for these items, it is necessary to identify the controls implemented.
- Against each item, the broad business process (procurement, sales, administration, payroll etc.) where the accounting item originates is mapped.
- A list of those business processes for performing process analysis and preparation of RCMs is compiled.
- Some residuary items may need to be individually dealt with, e.g. dividend, taxation, etc., or will be dealt with in terms of the “Financial Statement Closure Policy/Process”.
To summarize:
The end product of the risk assessment exercise is: Establishment of materiality threshold; Identification of account balances and processes for
which Risk Control Matrices need to be documented; Documentation of the first section of RCMs dealing with
account/process, risks and characteristics of the risk. 2.6.5 A simpler and more intuitive process that may be considered is
presented hereunder: Step I:
Categorize financial transactions generally entered into by the company into:
Routine, repetitive transactions – purchase, sales, expense booking, payment processing, payroll, etc.
Non-routine financial transactions – these are transactions that occur at uncertain intervals and are event based – e.g. issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, etc.
Determine percentage threshold for materiality assessment
Apply the materiality threshold to trial balance as on the selected date and filter the account balances qualifying as 'material'.
Identify additional items as 'material' based on qualitiaitve analysis of fiancial statements and disclosures and based on the nature of business.
Map the account balances selected as 'material' to underlying business processes.
Identify the key processes that need to be analyzed to ensure that all material items are covered.
44
Estimations – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation etc.
Period Closure Entries – based on reconciliations, verifications, interest accounting, cut-off based accruals etc.
Step II: Routine Transactions:
Examples: purchase, sales, expense booking, payment processing, payroll, etc.
These generally cover at least 60-70% of the total transactions of the company and an equivalent share of the man-hours of the accounting personnel.
These need to be covered by a process flow and narrative, and ideally by well-established IT platform/s.
These may also be subjected to internal audit and periodic MIS review.
For each material category/significant process, ideally a Risk Control Matrix (RCM) needs to be prepared, focusing only on material risks.
For an SME company, the analysis of routine transactions and materiality would typically result in the identification of 5-6 processes for which RCMs would need to be prepared.
Step III: Non-Routine Transactions:
Examples: issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, declaration of dividends.
For these, it may be very difficult, especially for SME and private companies, to have a documented process.
For all such transactions, based on a pre-defined monetary limit, the company may establish a maker-checker-approver process and document the same under a "Policy/Process for processing of material non-routine transactions".
This will cover various categories of transactions and ensure accurate accounting, with due scrutiny and authorization at an appropriately senior level.
Step IV: Estimations:
Examples: bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation.
Estimations require the exercise of judgement and hence need to be based on proper working, rationale, policy and approval.
A due process for the basis of significant estimations and approval of the same needs to be documented.
This area poses the highest risk of error and management override; there is a need for increased attention to this area, both by the company and by its auditors.
Step V: Period closure transactions:
Examples: entries based on reconciliations, physical verifications, interest accounting, cut-off based accruals, outstanding liabilities, pre-paid expenses, etc.
These may be covered in the Financial Statement Closure Policy (FSCP).
Trail to be maintained for establishing cut-offs may be specified.
Authority matrix identifying the maker-checker –approver may be documented.
Clear trail of year-end processing may be established from the first trial balance to final financial statements.
For most SME & private companies, the FSCP and the related RCM may be the most relevant document in support of ICFR review and assurance.
The alternate approach to risk assessment proposed for SMEs is summarized hereunder:
Routine transactions: cover 60-70% of total transactions; 5-6 RCMs identified based on the main processes.
Non-routine transactions: cover 10-20% of transactions; RCM for material non-routine transactions.
Estimations: based on judgement, material in nature; policy for estimations plus RCM.
Period closure entries: based on cut-off, closures, reconciliations and verifications; Financial Statement Closure Policy (FSCP).
Under this approach, the company would be required to document policies/process narratives and RCMs as follows:
Financial Statement Closure Policy (FSCP) and related RCM.
Policy for accounting estimates and related RCM.
Policy for processing non-routine material transactions and related RCM.
Based on analysis of routine transactions, documentation of policies and Standard Operating Procedures for 5-6 key processes (e.g. purchase, payroll, sales, inventory, fixed assets).
2.6.6 The company may perform the materiality assessment and determine the RCMs to be prepared by using either of the approaches presented in 2.6.4 or 2.6.5.
The risk assessment exercise ends with the identification of material financial reporting risks for the selected processes and activities. The risk assessment exercise leads to completion of the first part of all RCMs that deal with the description and detailing of risks.
A documentation template for documenting RoMM has been provided in the CD accompanying the ICAI Guidance Note and may be used with desired modification.
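The materiality screen of 2.6.4 and the transaction categorization of 2.6.5 Step I, carried through as an added example in Python (this code is not part of the handbook or the ICAI Guidance Note): a threshold is derived from a chosen base, applied to a trial balance, qualitative items are added, and the resulting material accounts are mapped to processes and grouped by the four Step I categories to show which document (process RCM, estimates policy, non-routine policy or FSCP) each one needs. The trial balance, the account-to-process mapping and the 1% of turnover threshold are constructed assumptions for illustration.

```python
"""Materiality screen and transaction categorisation (added example).

Implements the steps in 2.6.4 / 2.6.5 Step I over a constructed trial
balance. Account names, amounts, the process mapping and the 1% of
turnover threshold are illustrative assumptions, not figures from the
handbook.
"""
from collections import defaultdict

# Constructed trial balance as at the selected date (account: closing balance, INR).
TRIAL_BALANCE = {
    "Sales": 52_000_000,
    "Purchases": 31_000_000,
    "Salaries and wages": 6_500_000,
    "Inventory": 9_800_000,
    "Trade receivables": 7_200_000,
    "Trade payables": 5_100_000,
    "Fixed assets": 12_400_000,
    "Provision for doubtful debts": 350_000,
    "Provision for taxation": 1_900_000,
    "Share capital": 2_000_000,
    "Interest accrued": 120_000,
    "Prepaid expenses": 80_000,
    "Office expenses": 400_000,
}

# Assumed mapping: account -> (originating process, 2.6.5 Step I category).
ACCOUNT_MAP = {
    "Sales": ("Income cycle", "routine"),
    "Trade receivables": ("Income cycle", "routine"),
    "Purchases": ("Procurement", "routine"),
    "Trade payables": ("Procurement", "routine"),
    "Salaries and wages": ("Payroll", "routine"),
    "Office expenses": ("Expenses", "routine"),
    "Fixed assets": ("Fixed assets", "routine"),
    "Inventory": ("Inventory", "estimation"),
    "Provision for doubtful debts": ("Income cycle", "estimation"),
    "Provision for taxation": ("Taxation", "estimation"),
    "Share capital": ("Share issue", "non-routine"),
    "Interest accrued": ("Borrowings", "period-closure"),
    "Prepaid expenses": ("Expenses", "period-closure"),
}

# Documentation required per category, per the 2.6.5 summary.
DOCUMENT_FOR = {
    "routine": "process SOP + RCM",
    "non-routine": "policy for material non-routine transactions + RCM",
    "estimation": "policy for accounting estimates + RCM",
    "period-closure": "Financial Statement Closure Policy (FSCP) + RCM",
}


def materiality_threshold(base_amount, percent):
    """Threshold as a percentage of the chosen base (turnover, profit or total assets)."""
    if base_amount <= 0 or not 0 < percent < 100:
        raise ValueError("base must be positive and percent must lie in (0, 100)")
    return base_amount * percent / 100.0


def material_accounts(trial_balance, threshold, qualitative=()):
    """Quantitative screen (abs balance >= threshold) plus qualitative additions."""
    selected = {acct for acct, bal in trial_balance.items() if abs(bal) >= threshold}
    # Items added on nature-of-business or disclosure grounds, regardless of size.
    selected.update(q for q in qualitative if q in trial_balance)
    return sorted(selected)


def rcm_plan(accounts, account_map=ACCOUNT_MAP):
    """Group material accounts by Step I category and originating process."""
    plan = defaultdict(lambda: defaultdict(list))
    for acct in accounts:
        process, category = account_map[acct]
        plan[category][process].append(acct)
    return {cat: {proc: sorted(accts) for proc, accts in procs.items()}
            for cat, procs in plan.items()}


if __name__ == "__main__":
    threshold = materiality_threshold(TRIAL_BALANCE["Sales"], 1)  # 1% of turnover (assumed)
    selected = material_accounts(TRIAL_BALANCE, threshold,
                                 qualitative=["Provision for doubtful debts"])
    for category, procs in sorted(rcm_plan(selected).items()):
        print(f"{category}: {DOCUMENT_FOR[category]}")
        for process, accts in sorted(procs.items()):
            print(f"  {process}: {', '.join(accts)}")
```

With these constructed figures the routine category yields four process RCMs (income cycle, procurement, payroll, fixed assets); the provision for doubtful debts enters only through the qualitative step, and the period-closure accounts fall below the threshold, which is the situation the handbook expects the FSCP to cover rather than a dedicated RCM.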
2.7 Component # 3 - Control Activities:
2.7.1 This component of internal control deals with the establishment of controls appropriate to the identified risks. ICFR are considered to be adequate and effective when it can be established and demonstrated that all key risks identified through the risk assessment process have been addressed through the institution of appropriate controls.
2.7.2 In most business organizations, there are several controls implemented to support the preparation of financial statements that are free from material errors or misstatements. However, a formal, structured linking of identified risks with corresponding controls is not done. The ICFR project would enable this formal mapping of risks with controls and, as a result, is likely to reveal:
Risks that have not been envisaged or visualized and hence for which controls have not been designed, e.g. the company has recently shifted to net banking and electronic payments; however, the underlying risk was not identified and hence specific controls were not mapped to the risk.
Controls that are operational for risks that are no longer relevant.
Multiple controls addressing the same risk, giving an opportunity for optimizing.
Several controls embedded in the IT system which, because the IT system is untested, cannot be relied upon.
Such revelations would help the company in optimizing its controls and enhancing its management of financial reporting risk.
2.7.3 Documentation of policies and process narratives forms an integral part of the control activities and the ICFR framework. In case a company does not have well-documented and updated policy and process notes, the company may consider documentation of the following policies to start with:
Policy: Financial Statement Closure Policy (FSCP)
Brief contents: Entire process from year-end trial balance to finalization of financial statements. This policy should detail the information called from various functional heads, the manner of determining cut-offs, checklist for disclosures, etc. A specimen FSCP is provided in Section 4 of this book.
Policy: Routine transactions - standard processing cycles
Brief contents: The following standard processes may be documented:
Procurement (indent to pay)
Income cycle (order to cash)
Employee costs and benefits (joining, termination, monthly processing and periodic allowances)
Expenses (order to payment)
Fixed assets (procurement, verification, retirement, depreciation)
For all these processes, it would be ideal to document process flow diagrams with clear demarcation of controls, in addition to the process note.
Policy: Special transactions
Brief contents: Policy and process note for approving non-routine transactions; policy and process note for approving accounting estimates.
Policy: General
Brief contents: Organization chart; Delegation of Authority (DoA); anti-fraud policy; code of conduct and ethics policy; IT policy.
2.7.4 The documentation of controls can be quite tedious and demanding. A practical approach would be to make a list of commonly applied controls and assign a number to each such control. An indicative list is provided hereunder:
C1: Availability of documented policy and process note
C2: Maker-checker control
C3: Segregation of duties
C4: Authorization control
C5: Verification of assets/documents
C6: Reconciliation of balances - bank balances, vendor and customer balances, investments, etc.
C7: 3-way matching of records - financial records, asset records and physical verification records (fixed assets, inventory, etc.)
C8: Review controls - month/year closure review, MIS review, budgetary review, etc.
C9: Third party balance confirmations
C10: Independent review by internal auditor or other agencies
C11: System-based alerts and blocking
C12: Expert opinion (for determination of valuation, statutory liabilities, diminution/impairment, gratuity valuation, etc.)
C13: Physical security controls - safe custody, security agencies, web-cameras for remote vigilance
C14: KYC and due diligence requirements
C15: Automation controls for validation, computation and data transfer
C16: ……
C17: ……
Making this list of commonly deployed controls saves time at the time of preparing RCMs: instead of writing a description of the control against each identified risk, only the relevant control number may be entered. The list may be expanded to cover additional controls, or a residuary control number may be assigned; for this residuary control, the description of the control will need to be stated in the RCM.
2.7.5 With respect to those risks for which controls have not been clearly identified, maker-checker controls with senior-level authorization may provide sufficient control in most cases. To this end, a comprehensive summary of all delegation of authority and segregation of duties across functions may prove helpful in demonstrating effective controls.
Areas that are found to have inadequate controls may be included in the scope of internal audit to provide additional controls/assurance.
For all control gaps identified, the management must insist on a time-bound remedial plan.
2.7.6 Based on the overall assessment of risks and controls, including alternate and compensating controls, the management should conclude on the adequacy of ICFR for the purpose of the Directors' Report.
2.8 Component # 4 - Information System and Communication:
2.8.1 This component of internal control deals with the establishment of clear channels for information flow and communication to ensure:
The completeness and integrity of the information that flows into the financial statements.
The accuracy and integrity of financial information, including financial statements, disseminated by the company to regulators, shareholders and other stakeholders.
2.8.2 The risk of inaccurate or incomplete information flowing into financial statements is examined as part of the documentation of process flows and RCMs.
2.8.3 The risk of errors in financial statements disseminated to external agencies may be addressed through the Financial Statement Closure Policy (FSCP).
2.8.4 In addition, the directors and senior management should undertake a review of all other information flows from the functional heads and remote locations to those responsible for preparing financial statements. Very often, information critical to preparing financial statements that are free from material misstatements does not reach the Accounts department in a timely manner, e.g. intimation of a rejection by a customer before the year-end may not be communicated by the Sales head; receipt of a favorable order from the Income Tax department that warrants reversal of past provisions may not be communicated by the Taxation manager to the Accounts department.
The ICFR project provides an opportunity to undertake a comprehensive review of information flow and remove all bottlenecks that may be causing delay or breakdown in the information flow.
2.8.5 This component does not call for any separate documentation by the company, as all related documentation is included in the RCMs and policy/process notes.
2.9 Component # 5 - Monitoring of Controls:
2.9.1 The last component of internal controls deals with instituting adequate processes for ongoing monitoring of controls. This is most important for ensuring that the controls as desired and designed by the management have actually been operationalized and that their continuing effectiveness is ensured.
2.9.2 Monitoring of controls is achieved by maintaining the ICFR framework as a dynamic framework by:
Ensuring periodic review of all documented policies and processes.
Requiring all RCMs to be updated periodically to reflect the changes in the risk profile and controls.
Including, as part of the internal audit scope, testing of the controls depicted in the RCMs.
Getting the IT system independently tested periodically, to continue placing reliance on IT system-based controls.
Creating a control-centric organization by introducing Control Self-Assessment (CSA) where appropriate.
Formalizing the risk management framework across the company.
The directors may prioritize and set timelines for monitoring and strengthening of controls on an ongoing basis.
2.9.3 For private companies, the statement to be made in the Directors' Report does not require any specific mention about the 'operational effectiveness' of controls; hence, as such, no specific responsibility has been cast on the directors for the testing of operational effectiveness.
2.10 Concluding Remarks:
The first year of implementation of the ICFR framework will pose a challenge for most companies and will require significant management time.
All regulatory changes are internalized initially in form, to meet the compliance requirements. After basic compliance is achieved, some companies will take the initiative forward and aim to comply in spirit, by understanding the intent of the regulations. As far as ICFR is concerned, only those companies that choose to go beyond initial compliance will stand to benefit.
Companies that make a sincere effort to implement the ICFR framework in spirit are likely to benefit from improved control consciousness across the company, stronger policy and process documentation, improved processes and stronger IT systems.
SECTION 3: ROADMAP FOR THE AUDITORS OF A PRIVATE COMPANY FOR AUDIT OF ICFR
3.1 Overview:
3.1.1 The ICAI Guidance Note provides detailed guidance for auditors, including formats of engagement letters, specimen audit reports and sample documentation templates.
Section 2 above provides a roadmap for private companies along with certain practical solutions; this is also relevant to the auditors of private companies. The objective of this section is to provide certain practical guidance and methodology for the auditors of private companies, without replicating what is already available in the ICAI Guidance Note.
3.1.2 Some salient points related to ICFR audit, based on the ICAI Guidance Note and other reference material, are summarized here:
The reporting requirements under section 143(3)(i) are applicable to financial years starting on or after 1st April 2015.
The auditor's reporting on internal financial controls is only with reference to the audit of financial statements.
The auditor is required to report on the adequacy of the internal financial controls system; the use of the word 'system' presupposes a structured approach to internal controls adopted by the company.
In the Indian context, the internal control components specified in Appendix I of SA 315 provide the necessary criteria for internal financial controls; these may be used as the benchmark system for evaluating ICFR.
As with the financial statements audit, the auditor is required to obtain reasonable assurance with respect to the adequacy and effectiveness of ICFR.
The adequacy and effectiveness of ICFR has to be examined as at the balance sheet date; the auditor need not comment adversely on companies that did not have adequate ICFR during the year, but managed to have the same in place as at the balance sheet date.
The reporting requirement on ICFR applies to financial statements prepared under the Companies Act, 2013 and hence applies to annual financial statements and consolidated financial statements, but not to any interim or unaudited financial statements.
3.1.3 Some additional points that merit consideration for the auditor in determining the audit approach are presented hereunder:
The audit of ICFR needs to be customized based on the size of the company and the complexity of its operations. For smaller companies or companies with less complex operations, the controls defined may be simpler and the documentation may be less structured and less detailed.
Risk of Material Misstatement (RoMM) needs to be assessed keeping in mind the likely readers of the financial statements and the purpose for which the statements are likely to be used by the company. This is an important consideration for identification of material risks.
The reporting by auditors and by directors on ICFR is independent of each other. Hence, the company and the auditors need to maintain their independent documentation to support their individual conclusions and opinions. The company and the auditors may follow different methodologies for determining materiality and identifying material items; as long as the method followed by the company is reasonable, it need not be objected to by the auditor.
The auditor may use the documentation created by the company as a base (e.g. RCMs or the ELC document), but is not justified in insisting that it be in a specific format. The company may use formats that are easy for it to compile and sustain; the auditors may enhance this documentation based on their own requirements. E.g. specification of the audit assertion as part of the RCM may be done by the auditors, but may not be done by the company. Also, the company may document ELC as a narrative, whereas the auditor may document the same as an Excel spreadsheet with several columns.
The auditor's review of the adequacy and effectiveness of ICFR needs to be driven by the content of the internal control system and documentation adopted by the company and not merely by the formats used. However, the company needs to adopt a framework for designing and assessing its internal financial controls, as mentioned in Section 2 above.
The auditor must give due consideration to past audit experience and other relevant evidence where the financial statements have been subjected to external scrutiny; if significant errors or irregularities have been identified, these need to be considered in the assessment of risks.
3.2 Pre-audit Approach:
3.2.1 The auditors need to communicate the ICFR audit requirements to the companies audited by them. For this, they need to be clear about their audit approach and requirements. Effective communication with the board of directors and the senior management of the company sets the ball rolling to achieve superior compliance and a more efficient audit. In many cases, the auditors are not clear as to their requirements and audit approach; this creates irritation and confusion for the companies, as the company is not able to prepare the records and documentation expected by the auditors in advance.
Engage: with the directors and senior management.
Educate: all those who will drive ICFR within the company.
Empathize: with the constraints of skills and documentation; provide easy tools to achieve compliance.
Encourage: the company to achieve higher standards of governance and internal controls.
3.2.2 Based on prior years' audit experience, the auditor may be able to help the company identify areas of control weakness, giving the company management time to establish alternate controls or strengthen existing controls in such areas.
Areas that have been error-free in the past and do not pose a serious risk of misstatement may be deferred for documentation of policies and preparation of RCMs.
3.2.3 The auditor may guide the company in creating a documentary trail for controls already in existence. E.g. the auditor is aware that at the time of finalization, all changes to the financial statements are being approved by the CFO and the CEO, but this is not documented as a formal sign-off. In such a case, the auditor may guide the company to ensure sign-offs for evidencing the control.
3.2.4 Similarly, the auditor may guide the company in identifying controls that have already been implemented, but have not been reflected in RCMs. E.g. the company monitors the activity of its factory remotely by viewing the images from the web-cameras installed at the factory, particularly when new machinery is being installed. This may not have been identified as a control for validating the date of installation of new machinery as part of the RCM.
3.2.5 To conclude, auditors of private companies need to take an approach based on an appreciation of their size and structure, and aim to help the company achieve higher levels of governance and controls through the ICFR exercise. In the initial years of compliance, the auditor may want to focus on creating awareness, encouraging compliance in spirit and not just in form, and enabling a directional or mindset change in the company being audited, rather than insisting on meticulous documentation done with the help of external agencies/advisors who have limited understanding of the company's business and style of working.
3.3 Audit Approach:
3.3.1 Risk assessment in a structured manner:
As part of the usual audit process adopted for the audit of financial statements, and as required by SA 315, auditors do carry out an assessment of financial reporting risks and plan their audit in a manner that areas with weak or inadequate controls are checked more extensively. The auditor is now required to perform such a risk assessment in a more structured manner, with determination of materiality levels and documentation of material/significant weaknesses or inadequacies observed in the controls. Also, the risk assessment is not merely for the purpose of planning the audit of financial statements, but also for assessing the adequacy of ICFR.
3.3.2 Documentation of ELC, ITGC and RCMs:
Next, the auditor needs to review all available documentation prepared by the company and then suitably modify/enhance the same to meet the requirements of ICFR audit documentation. The documentation formats given as part of the ICAI Guidance Note may be suitably simplified for smaller companies or companies with less complex operations.
3.3.3 ITGC and IT systems testing:
The auditor may consider taking the assistance of an IT specialist for assessing ITGC and the IT systems. This may be particularly necessary for companies with advanced IT systems and where a high level of reliance is placed on IT-based controls. Alternatively, the auditor may place reliance on the findings of the IT systems audit conducted for the company by independent IT audit specialists. A commonly used accounting package, such as Tally, also needs to be tested for access rights, back-ups, customization carried out, monthly/quarterly locking of the system to prevent back-dated accounting entries or modification of past data, year-end closing entries, etc.
It is expected that in the case of many small and medium sized companies, it may not be possible to place reliance on the IT systems in the first year, as they may not be adequately documented and tested. In such cases, the auditor may need to consider alternate manual controls.
3.4 Audit Execution - Testing of Controls:
3.4.1 The auditor's report is required to state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls. Essentially, this requires the auditors to identify the financial reporting risks, or the risks of material misstatement, and review the controls to confirm whether the controls are adequate and effective, i.e.:
Do the controls exist?
Is the design effective?
Are they operating effectively?
The audit of ICFR is expected to be integrated with the audit of financial statements. The auditors need to maintain adequate documentation to support their conclusion on ICFR; this requires effective design and use of smart templates for work paper documentation. The testing of controls is done at two levels:
Testing design effectiveness of controls
Testing operating effectiveness of the controls
Testing design effectiveness of controls is essentially confirming that the controls, as indicated by the company, are in existence and designed properly. E.g. one of the stated controls is that a purchase invoice cannot be entered into the IT system without entering a purchase order duly approved by the Head - Procurement. Here, design effectiveness testing would require a walkthrough of the IT system to check that the system does not permit entering a purchase invoice without a PO and that the IT system-based approval rights are available only to the Head - Procurement. Testing design effectiveness is best done at the time of review/documenting of controls by means of a process walkthrough and live testing of 1-2 sample transactions.
Testing operating effectiveness comprises the substantive testing done to confirm that a control is operating consistently and as intended. For manual controls, this entails checking a sample of transactions against the control parameters. For automated controls, this entails testing the system configuration and logic and then testing a very small sample for validation of the automated control.
It is expected that most of the controls identified as key controls in the ICFR exercise would get tested as part of the normal audit of financial statements. The controls that may not have been tested adequately are:
IT system related controls
Financial statement closure process and related controls, specifically with reference to estimates and year-end provisions (the working and the accounting entries would be tested in the normal course, but the underlying controls and the evidence of controls may not have been tested).
Hence, the auditor needs to ensure that the testing of controls is done in a manner that there is no duplication of effort, and that the documentation of testing is sufficient for both the financial statements audit and the ICFR audit.
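The design-effectiveness walkthrough described in 3.4.1 (no invoice without a PO approved by the Head - Procurement) and the period-locking and access-rights checks listed for accounting packages in 3.3.3, as an added example in Python that is not code from the handbook, the ICAI Guidance Note or any accounting package: a small ledger that enforces the approved-PO rule, a period lock against back-dated entries and maker-checker with segregation of duties, and a walkthrough that records every attempt, including the blocked ones, in an audit log so the auditor has evidence of the control rather than only its description. The roles, user names, dates and amounts are constructed assumptions; a real system would enforce the roles through its own authentication and persist the log outside the reach of the accounts users.

```python
"""Application-level control enforcement for purchase invoice entry (added example).

Models three controls the handbook names: the period lock that prevents
back-dated entries (3.3.3), the rule that an invoice cannot be entered
without a PO approved by the Head - Procurement (3.4.1, C4), and the
maker-checker / segregation-of-duties rule (C2, C3). Roles, user ids, dates
and amounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


class ControlViolation(Exception):
    """Raised when a posting attempt fails a control; the attempt is still logged."""


@dataclass
class PurchaseOrder:
    po_number: str
    amount: float
    approved_by: Optional[str] = None   # user id of the approver, if any


@dataclass
class Ledger:
    roles: dict                        # user id -> role, assumed to come from the DoA / IT policy
    locked_through: date               # last date of the closed period (monthly/quarterly lock)
    purchase_orders: dict = field(default_factory=dict)
    invoices: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, user, action, ok, reason=""):
        """Append (user, action, allowed?, reason); blocked attempts raise after logging."""
        self.audit_log.append((user, action, ok, reason))
        if not ok:
            raise ControlViolation(reason)

    def approve_po(self, po_number, user):
        # C4: only the Head - Procurement role holds PO approval rights.
        po = self.purchase_orders[po_number]
        if self.roles.get(user) != "head_procurement":
            self._log(user, f"approve {po_number}", False, "approval right not held")
        po.approved_by = user
        self._log(user, f"approve {po_number}", True)

    def enter_invoice(self, invoice_no, po_number, amount, entry_date, maker):
        # C11 / 3.3.3: the period lock blocks entries dated inside a closed period.
        if entry_date <= self.locked_through:
            self._log(maker, f"enter {invoice_no}", False, "period locked")
        po = self.purchase_orders.get(po_number)
        # 3.4.1: no invoice without an approved PO, and not above the PO value.
        if po is None or po.approved_by is None:
            self._log(maker, f"enter {invoice_no}", False, "no approved PO")
        if amount > po.amount:
            self._log(maker, f"enter {invoice_no}", False, "invoice exceeds PO value")
        self.invoices.append({"no": invoice_no, "po": po_number, "amount": amount,
                              "date": entry_date, "maker": maker, "checker": None})
        self._log(maker, f"enter {invoice_no}", True)

    def check_invoice(self, invoice_no, checker):
        # C2 / C3: the checker must be a different user from the maker.
        inv = next(i for i in self.invoices if i["no"] == invoice_no)
        if checker == inv["maker"]:
            self._log(checker, f"check {invoice_no}", False, "maker cannot check own entry")
        inv["checker"] = checker
        self._log(checker, f"check {invoice_no}", True)


def design_walkthrough():
    """Live test of the control design: each attempt is recorded as allowed or blocked."""
    ledger = Ledger(roles={"asha": "head_procurement", "ravi": "accounts", "meena": "accounts"},
                    locked_through=date(2016, 3, 31))
    ledger.purchase_orders["PO-1"] = PurchaseOrder("PO-1", 50_000)
    attempts = [
        ("clerk approves PO", lambda: ledger.approve_po("PO-1", "ravi")),
        ("invoice without approved PO",
         lambda: ledger.enter_invoice("INV-1", "PO-1", 40_000, date(2016, 4, 5), "ravi")),
        ("head approves PO", lambda: ledger.approve_po("PO-1", "asha")),
        ("back-dated invoice",
         lambda: ledger.enter_invoice("INV-1", "PO-1", 40_000, date(2016, 3, 30), "ravi")),
        ("invoice above PO value",
         lambda: ledger.enter_invoice("INV-1", "PO-1", 60_000, date(2016, 4, 5), "ravi")),
        ("valid invoice",
         lambda: ledger.enter_invoice("INV-1", "PO-1", 40_000, date(2016, 4, 5), "ravi")),
        ("maker checks own entry", lambda: ledger.check_invoice("INV-1", "ravi")),
        ("independent check", lambda: ledger.check_invoice("INV-1", "meena")),
    ]
    results = {}
    for name, attempt in attempts:
        try:
            attempt()
            results[name] = "allowed"
        except ControlViolation as exc:
            results[name] = f"blocked: {exc}"
    return results, ledger


if __name__ == "__main__":
    outcome, ledger = design_walkthrough()
    for name, result in outcome.items():
        print(f"{name:28s} {result}")
    print(f"{len(ledger.audit_log)} attempts logged, "
          f"{sum(1 for e in ledger.audit_log if not e[2])} blocked")
```

The walkthrough is the 1-2 transaction live test the handbook recommends at documentation time: the auditor expects the first, second, fourth, fifth and seventh attempts to be refused and the remaining three to succeed, and the audit log is the evidence that the refusals actually happened rather than being asserted in a process note.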
3.4.2 Timing of testing:
The ICAI Guidance Note states that the ICFR need to be examined as at the balance sheet date.
In practical terms, for smaller companies, most of the key controls will be exercised as part of the financial statement closure process, i.e. after the year end when the finalization is underway. In this case, can it be said that the controls were effective as at the year-end? The author is of the view that controls envisaged and designed before the year-end, to be exercised at the time of finalization of accounts, may be considered adequate if they were indeed exercised and could be evidenced by the auditors. As many of these controls could not have been exercised earlier, since the underlying activity is performed only at or after the year-end (e.g. inventory verification and valuation, assessment of impairment, provision for doubtful debts, provision for taxation, etc.), the question of testing whether these were operating prior to the year-end does not arise, especially in the first year of review.
3.4.3 Optimizing the quantum of testing:
A company, in its design of controls, will need to implement controls at various stages in a transaction cycle. E.g. for the procurement cycle, there may be controls on PO placement, on receipt of materials, on bill approval and on payment release. The company may also monitor and test all these controls as and when the activity is taking place. The auditors need not test each of the controls individually if they can get assurance that all the controls exist and are operational by checking the documentation of the last stage (payment release) together with all related approvals and documentation for PO, GRN and invoice booking. Such composite controls testing can reduce the time and effort of the auditors.
Similarly, for a company that normally gives 30 days' credit to its customers, one of the risks identified is the 'risk of raising sales invoices without rendering services'. The corresponding control is 'obtaining an email confirmation from the customer at the time of billing'. In this case, at the year-end, the control needs to be tested only for invoices that have not been paid: the fact that a customer has paid for the services billed implies that the services were rendered during the year. Thus, for effective testing of this control, a sample may be drawn from the outstanding invoices.
It is thus important for the auditors to perform controls testing in a manner that optimizes effort and gives greater assurance or identifies weaknesses effectively. Selection of controls, timing of testing and method of testing are important considerations for the auditors.
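Both testing shortcuts in 3.4.3, as an added example in Python (not code from the handbook): the composite procurement test walks each sampled payment release back through invoice, GRN and approved PO and reports the first missing link, and the customer-confirmation test restricts its population to invoices still outstanding at the year-end before drawing a sample, so a paid invoice with no confirmation on file is not counted as an exception. The record layouts, document numbers and the sample size are constructed assumptions.

```python
"""Optimized tests of operating effectiveness over constructed records (added example).

(1) Composite testing of the procurement cycle: for each payment release,
    check that the chain payment -> invoice -> GRN -> approved PO is complete.
(2) Testing the 'customer email confirmation at billing' control only over
    invoices outstanding at the year-end, as paid invoices evidence the
    service themselves.
All records and numbers below are constructed; nothing here comes from the
handbook or any audit file.
"""
import random

# Constructed procurement records. PO-3 was never approved; INV-4 has no GRN.
PURCHASE_ORDERS = {"PO-1": {"approved": True}, "PO-2": {"approved": True},
                   "PO-3": {"approved": False}}
GRNS = {"GRN-1": "PO-1", "GRN-2": "PO-2", "GRN-3": "PO-3"}          # GRN -> PO
INVOICES = {"INV-1": "GRN-1", "INV-2": "GRN-2", "INV-3": "GRN-3",    # invoice -> GRN
            "INV-4": None}
PAYMENTS = [{"id": "PAY-1", "invoice": "INV-1"}, {"id": "PAY-2", "invoice": "INV-2"},
            {"id": "PAY-3", "invoice": "INV-3"}, {"id": "PAY-4", "invoice": "INV-4"}]

# Constructed sales invoices at the year-end: paid flag and whether a
# customer email confirmation is on file.
SALES_INVOICES = [
    {"no": "S-1", "amount": 120_000, "paid": True, "confirmation": False},
    {"no": "S-2", "amount": 80_000, "paid": False, "confirmation": True},
    {"no": "S-3", "amount": 45_000, "paid": False, "confirmation": False},
    {"no": "S-4", "amount": 200_000, "paid": True, "confirmation": True},
    {"no": "S-5", "amount": 30_000, "paid": False, "confirmation": True},
]


def composite_procurement_test(payments, invoices=INVOICES, grns=GRNS, pos=PURCHASE_ORDERS):
    """Walk each payment back through the chain; report the first missing link."""
    findings = {}
    for pay in payments:
        grn = invoices.get(pay["invoice"])
        if grn is None:
            findings[pay["id"]] = "invoice not linked to GRN"
            continue
        po = grns.get(grn)
        if po is None:
            findings[pay["id"]] = "GRN not linked to PO"
            continue
        if not pos.get(po, {}).get("approved"):
            findings[pay["id"]] = "PO not approved"
            continue
        findings[pay["id"]] = "ok"
    return findings


def confirmation_control_test(invoices, sample_size, seed=0):
    """Test the confirmation control over the outstanding population only."""
    population = [i for i in invoices if not i["paid"]]
    rng = random.Random(seed)          # fixed seed so the selection is reproducible in the work papers
    sample = population if sample_size >= len(population) else rng.sample(population, sample_size)
    exceptions = [i["no"] for i in sample if not i["confirmation"]]
    return {
        "population": [i["no"] for i in population],
        "tested": [i["no"] for i in sample],
        "exceptions": exceptions,
        "exception_value": sum(i["amount"] for i in sample if not i["confirmation"]),
    }


if __name__ == "__main__":
    for pay_id, finding in composite_procurement_test(PAYMENTS).items():
        print(f"{pay_id}: {finding}")
    print(confirmation_control_test(SALES_INVOICES, sample_size=10))
```

On these constructed records the composite test clears PAY-1 and PAY-2 in one step each and isolates the two weak links (an unapproved PO behind PAY-3, an invoice with no GRN behind PAY-4) without the auditor testing PO placement, receipt and bill approval separately; the confirmation test reports S-3 as the only exception, and S-1, which has no confirmation but has been paid, never enters the population.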
3.5 Audit Conclusions and Audit Reporting: 3.5.1 Based on testing of controls, and evaluation of ELC and ITGC,
the auditor is required to arrive at conclusion about the adequacy and effectiveness of internal controls. The ICAI Guidance Note provides that only in case of a material weakness, the auditors need to qualify their opinion. Further, the qualification or disclaimer, as the case may be, needs to specify the specific area of weakness rather than provide a blanket qualification. Whether a weakness identified is material or not is a matter of professional judgement, and needs to be exercised by the auditor considering the financial statement as a whole. The identified control weakness needs to be evaluated based on likelihood of occurrence of the underlying risk and the potential impact on the financial statements.
The ICFR audit is concluded as follows:
Material weakness: qualify the ICFR report.
Significant deficiency or weakness: inform those charged with governance.
Other weaknesses and deficiencies: inform the CFO/CEO so that corrective action may be taken.
3.5.2 The Audit Report on ICFR may be issued as a separate report or may be combined with the Audit Report on the financial statements. The ICAI Guidance Note provides detailed guidance on the contents of the Audit Report and also several illustrative reports covering different scenarios.
The auditor may also be able to issue a combined report based on the audit of the financial statements and ICFR, particularly for small companies. The following paragraph may be included for giving an unqualified report on ICFR in such cases:
"In our opinion, the Company has, in all material respects, an adequate internal financial control system over financial reporting and such internal financial controls over financial reporting were operating effectively as at 31 March 2016, considering the essential components of internal control stated in the Guidance Note on Audit of Internal Financial Controls over financial reporting issued by the Institute of Chartered Accountants of India"
3.5.3 An issue that often comes up for discussion is whether there is a case for an increase in audit fees as a result of the increased reporting responsibility.
The requirement of audit reporting on ICFR aligns the audit requirements with global practice, as a means of improving investor confidence not only in the financial statements but also in the process adopted and the controls established for preparing them.
Reporting on ICFR requires additional work by the auditors in terms of assessing the controls, testing their effectiveness and documenting the basis for their conclusion. The ICFR audit requires interaction with the senior management of the company and the ability to understand the organizational culture and control systems holistically, and thus requires the auditors to deploy persons of sufficient seniority. The ICFR report requires auditors to give additional assurance and assume additional professional responsibility, and this needs to be compensated accordingly.
In the case of companies where the audit appointment and the fees for the year have been fixed at the Annual General Meeting, the fee increase on account of ICFR reporting may be ratified by the general body at a subsequent meeting. This practice has been observed in some large listed entities.
3.5.4 The responsibility of reporting on ICFR is an onerous one and exposes auditors to professional risk if they fail to discharge it judiciously. The auditors of private companies need to exercise balance and judgement, taking a practical and fair approach to the audit: ensuring on the one hand that they do not compromise their professional duty, and on the other that they do not overwhelm their private company clients by expecting systems and documentation generally found only in large listed companies. A fine distinction needs to be maintained between the 'need to have' and the 'nice to have': the 'need to have' must be insisted upon, and the 'nice to have' must be encouraged without reporting consequences. The business community normally responds to anything in which it sees value, or where it fears the consequences of non-compliance. Many companies obtained ISO certification when their customers insisted on it. They got their environmental clearances when they faced factory shutdowns. They documented an Anti-Bribery Policy when their vendors and customers refused to do business with them otherwise. So, if auditors refuse to give an unqualified opinion where controls are inadequate, the community will respond by ensuring an adequate internal control system. Even better, if auditors are able to drive home the value proposition that ICFR holds for a company, they may be able to encourage the company to embrace the ICFR regulations as a business improvement tool. Creating such a win-win situation will require some auditors with extraordinary convincing skills and some companies with extraordinary openness to change.
3.6 Call to Action:
The audit profession is undergoing a sea change: the professional risk is increasing, the rotation of auditors is here to stay, the reporting requirements are ever-changing and the expectations from auditors are sky-high. In this scenario, it is up to the audit profession to decide the approach it wants to take towards ICFR. The questions that each auditor needs to answer are:
Am I willing to give an unqualified opinion on ICFR where there are material weaknesses in ICFR?
Am I feeling compelled to give an unqualified opinion in spite of material weaknesses, due to a fear of losing my client otherwise?
Am I using the regulatory change to gain personal benefit by forcing my client to appoint my firm or an associate to undertake the documentation for ICFR, and earn handsome fees for the same?
Am I willing to work with my client to enhance the ICFR framework, so that it benefits my client and also reduces the audit risk in the medium-to-long term?
Am I going beyond the formats and templates to understand the intent of the regulations and work towards complying with the regulations in form and in spirit?
The approach that the auditing profession adopts will decide the way Corporate India and the regulators respect and value the auditors in times to come. For some auditors, ICFR is one more box to tick; for some others, it is an earning opportunity; and for a handful, it is a stepping stone to playing a catalyst's role in shaping the way Corporate India considers its financial reporting responsibility. The members of the auditing fraternity need to decide their approach with responsibility, knowing that their individual choices may impact the collective future of the auditing profession.
4. Making it easy – ready-to-use drafts and formats
4.1 Entity Level Controls – Specimen (refer paragraph 2.5.5)
ABC Private Limited
ICFR for the year ending 31st March, 2016
Entity Level Controls (ELC)
LIST OF CONTROL GROUPS
Control Ref: Control Group
C01 Roles and responsibilities of Board of Directors
C02 Formal SOPs for various crucial processes
C03 Admin Manual covers various policies
C04 Risk Management policy
C05 Background Verification process in place
C06 Manpower planning and recruitment policy/process to ensure the right crew for the right job
C07 Board review of business plans, budgets, budget vs. actual, periodic performance and Internal Audit reports
C08 Monthly MIS reporting
C09 Staff hired through a management-approved placement agency
C10 Promotions based on a well-defined Performance Evaluation system
C11 Talent growth through need-based and compliance-related training
C12 Attrition management
C13 Independent review and periodic updates by External Professional Consultant
C14 Access rights restrictions
C15 Independent review by Internal Auditor
C16 Validation controls: confirmations, verification of assets/bank balances, valuations
C17 Compliance framework, tracker and reporting: controls on compliances and regulatory reporting
C18 Sexual Harassment Policy
C19 Appointment letter covers ethical standards and other required terms and conditions, signed off by employees at the time of joining
C20 Board/Management approval
C21 Formal roll-out of ICFR policy and testing
C22 Data back-up strategy
C23 Defined BCP/DRP process
C24 Periodic department reviews
C25 Defined Financial Closure Policy
C26 Compliance with related-party transactions and disclosures
C27 Periodic updating and communication of ISO manual
C28 Formal KRA definition and communication of the same
C29 Information and Communication
ABC Private Limited – ICFR for the year ending 31st March, 2016 – Entity Level Controls (ELC)
Each row gives: Sr No. Attribute | Principle | Process Activity, followed by the Risk, the Control Ref No. with the Control Description, and the Audit Step.

1. Control Environment | Management establishes structure, authority and responsibility in pursuit of objectives | Board Oversight
Risk: Board does not clearly define the authority to be exercised at Board level and the authority delegated to other Directors.
Control (C01): Board powers are clearly defined.
Audit step: 1. Confirm the documentation of Board powers and the delegation of authority done by the Board. 2. Verify Board minutes and meeting frequency; verify attendance records to ensure participation and insights.

2. Control Environment | Board of Directors exercises oversight of the development and performance of internal controls | Board Oversight
Risk: Board does not acknowledge its responsibility for oversight of the establishment and performance of internal controls; Board does not formally delegate responsibility for establishing internal financial controls and for ensuring their effective performance.
Control (C02): 1. Board minutes include a statement acknowledging its responsibility for ICFR. 2. Board provides broad guidelines for internal controls and records formal delegation of authority for establishment of controls.
Audit step: 1. Verify that formal guidelines have been provided by the Board. 2. Verify that specific responsibility has been allocated for establishing internal financial controls.

3. Control Environment | Board of Directors exercises oversight of the development and performance of internal controls | Board Oversight
Risk: Board does not have a mechanism to review ICFR adequacy and performance.
Control (C07, C08): Board of Directors reviews the performance of the company and the adequacy of internal controls through regular interactions with the Finance Manager. Budgets are established on a yearly basis. Monthly reporting is done by the Finance Manager to the Group CFO, who in turn reports to the BOD.
Audit step: 1. Verify Board meeting minutes where adequacy and effectiveness of internal controls have been reviewed. 2. Confirm that there are regular interactions between Board members and the Finance Manager through the CFO, and other key management personnel, to assess the quality of controls and review business performance. 3. Review budget variances and exceptional items to assess internal control gaps, if any.

4. Control Environment | Demonstrates commitment to integrity and ethical values | Board Oversight
Risk: Board of Directors does not set the right tone at the top to encourage ethics and integrity.
Control (C03): Policies are framed by the Board w.r.t. ethical conduct, anti-bribery and corruption, and anti-fraud.
Audit step: 1. Verify minutes of Board meetings and the Admin Manual/directions issued by the Board of Directors from time to time. 2. Review the appointment letter of an employee.

5. Control Environment | Holds individuals accountable for their internal control responsibilities | Board Oversight
Risk: Board of Directors does not set the right tone at the top to encourage the institution of controls and systems and to ensure accountability for lapses of control.
Control (C02): Directions are given by the Board to encourage process-driven conduct, automation and effective monitoring across the organization.
Audit step: Verify minutes of Board meetings and policies/directions issued by the Board of Directors from time to time.

6. Control Environment | Management establishes structure, authority and responsibility in pursuit of objectives | Delegation of Authority
Risk: Ambiguity in delegation of financial powers reduces control over financial transactions and increases the risk of financial losses.
Control (C01): 1. Financial powers in terms of signing/effecting banking transactions rest with the Director. 2. All major contracts, agreements and Purchase Orders are signed/approved by the Directors. 3. All major decisions are closely reviewed by the respective HODs at Group level before approval by the Director.
Audit step: Confirm that authorization/approval of Directors is in place; review the Board resolution defining the powers of the Director.

7. Control Environment | Demonstrates commitment to integrity and ethical values | Ethics & Integrity
Risk: A flawed performance incentive/compensation policy not in line with the ethical tone and standards may increase the risk of compromise/non-compliance with ethical standards of conduct.
Control (C03, C19): 1. Admin Manual refers to the ethical standards expected from employees. 2. Appointment Letter includes the relevant clauses.
Audit step: 1. Verify the Admin Manual to ensure all updates are included. 2. Verify the Appointment Letter of an employee.

8. Control Environment | Demonstrates commitment to integrity and ethical values | Ethics & Integrity
Risk: If management does not take timely and appropriate disciplinary action, non-adherence to established policies and procedures is encouraged.
Control (C03): Management takes disciplinary action for violations/non-adherence in a timely and appropriate manner.
Audit step: 1. Verify the mechanism for recording non-adherence/violations. 2. Verify evidence of action being taken.

9. Control Environment | Demonstrates commitment to integrity and ethical values | Ethics & Integrity
Risk: Applicant screening procedures do not adequately consider integrity and ethical values.
Control (C05, C09): 1. Adequate background verification is done for employees (police clearance, experience letter, etc.). 2. The majority of office staff are hired through a placement agency selected by the management to ensure the right person for the right job. 3. Declarations are obtained from employees for non-disclosure and code of conduct adherence as part of joining formalities.
Audit step: (none given in the specimen)

10. Control Environment | Demonstrates commitment to attract, retain and develop competent individuals | Recruitment & Selection
Risk: Lack of adequate talent or mismatches between requirements and skill sets may severely impact achievement of objectives.
Control (C05, C06, C09): 1. A rigorous recruitment and selection process is adopted to ensure selection of the right employees for the right job. 2. The majority of office staff are hired through a placement agency selected by the management.
Audit step: 1. Confirm the number of exits and the principal underlying reason(s). 2. Confirm that key positions are not left vacant for a long time.

11. Control Environment | Demonstrates commitment to attract, retain and develop competent individuals | Incentive
Risk: In the absence of a proper work environment the company may have to deal with high attrition levels.
Control (C10, C12): 1. Promotions are based on a well-defined Performance Evaluation system. 2. Management ensures a very low attrition rate.
Audit step: 1. Review the appraisal process for appropriateness and confirm that there is due process for redressal of appraisal-related grievances. 2. Review the attrition rate and related analysis.

12. Control Environment | Board of Directors exercises oversight of the development and performance of internal controls | Internal Audit
Risk: A robust system of monitoring through periodic internal audits or control self-assessments has not been established.
Control (C07, C15): 1. Internal audits are done quarterly as per a pre-defined scope approved by the management. 2. Board meetings discuss the key findings of internal audit reports.
Audit step: 1. Verify internal audit scope and reports. 2. Review Board minutes.

13. Control Environment | Demonstrates commitment to attract, retain and develop competent individuals | Training
Risk: Inadequate attention to training may result in skill dilution, lack of awareness about policies and regulatory requirements, and inability to discharge assigned responsibilities.
Control (C11): 1. Training for regulatory and process changes is imparted on a timely basis as per either client requirement or regulatory requirement. 2. Training needs are identified and training is imparted as needed.
Audit step: Verify the training process.

14. Risk Assessment | Specifies objectives with clarity to identify and assess risks | Risk Management Framework
Risk: Absence of enterprise-wide risk assessment and absence of a documented risk management policy.
Control (C04): A formal risk management policy is presented to and approved by the Board of Directors.
Audit step: Review the risk management policy adopted by the Company.

15. Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Business Continuity Plan, Disaster Recovery Plan
Risk: Absence of BCP/DRP may lead to business interruptions and may jeopardize business continuity.
Control (C22, C23): 1. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are in place. 2. A data recovery plan is established and operational.
Audit step: 1. Review the BCP and DRP. 2. Review the data recovery plan.

16. Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting
Risk: Regulatory changes impacting business, financial conduct or reporting requirements are not understood, analyzed or internalized.
Control (C17): 1. Regulatory changes are understood and assessed for their impact on business. 2. The compliance tracker is filled in at a defined frequency and updated periodically for amendments.
Audit step: Verify formal assessment of key regulatory changes.

17. Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting
Risk: Improper channels to communicate changes in business practices to the accounting department may affect the method or process of recording transactions in the financial statements.
Control (C24): Periodic departmental reviews are done with the Finance team present; the review covers discussions on changes in business practices affecting the financial statements.
Audit step: Review modifications in processes, if any, made by the accounts team.

18. Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting
Risk: Risk of regulatory non-compliance and financial misstatements if suitable accounting principles, policies or rules are not followed.
Control (C13, C15, C25): 1. Management specifies financial reporting rules and standards consistent with accounting principles suitable and appropriate for the entity. 2. Reviews by/consultations with the Statutory Auditors, as required by regulation (annual review) or as considered necessary by management, are done. 3. Internal audit coverage extends to compliance review and financial reporting review.
Audit step: 1. Verify financial statements with adequate disclosures. 2. Verify the statutory auditor's report. 3. Verify internal audit reports.

19. Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting
Risk: Non-identification of changes in accounting principles or financial reporting requirements may lead to non-compliance, and the financial statements may not show true and fair figures or may not include the disclosures required.
Control (C13, C25): 1. A defined and documented Financial Statement Closure Process is in place. 2. Periodic updates are received from professional consultants.
Audit step: Review financial statements and all other relevant information.

20. Risk Assessment | Identifies risks to the achievement of objectives and analyzes risks to manage them | Financial reporting
Risk: Absence of an appropriate mechanism for identifying related party transactions can lead to regulatory non-compliance and/or financial misstatements.
Control (C20, C26): 1. Various compliances under different statutes in relation to transactions with related parties (transfer pricing related compliance and return filing) are verified. 2. Board approval is taken for related party transactions.
Audit step: Verify Board noting and approval of related party transactions.

21. Risk Assessment | Assesses fraud risk to the achievement of objectives | IT Security
Risk: Company infrastructure and IT systems being used for fraudulent activities, thereby affecting reputation and increasing the attached legal risks.
Control (C14): 1. Access is restricted to users who are either employees or authorized personnel. 2. User id and password protected systems exist. 3. External storage devices on company PCs have been deactivated. 4. Access to all public sites and domains is restricted.
Audit step: 1. Review the list of user ids with access rights. 2. Verify the protocol for access to systems and the policy highlighting security of user ids and passwords.

22. Risk Assessment | Identifies risks to the achievement of objectives and analyzes risks to manage them | Training
Risk: Changes in the procedure manual of a particular department without the knowledge of its employees dilute the impact of the changes implemented.
Control (C27): Periodic review of the process manual is done and updates are communicated to all employees concerned.
Audit step: 1. Verify that the manuals are periodically reviewed. 2. Verify evidence of communication of changes to employees.

23. Control Activities | Selects and develops control activities to mitigate risks | Evaluation
Risk: Risk of recurrence of issues if they are not evaluated and policies/procedures are not modified accordingly.
Control (C15): Periodic internal audit is done by an external agency and changes are made on the basis of agreed actions.
Audit step: Verify that internal audit reports are available, and the record of resolution of agreed actions.

24. Control Activities | Selects and develops control activities to mitigate risks | Financial reporting
Risk: Risk of financial loss and/or financial misstatement in the absence of an established mechanism for physical verification of assets.
Control (C16, C20): 1. Physical verification of fixed assets and cash is done. 2. Third party and bank balance confirmation statements are taken. 3. Board discusses findings of physical verification of assets and discrepancy resolution.
Audit step: 1. Verify the fixed asset verification report and check for periodicity (CARO, 2015). 2. Verify third party confirmations. 3. Verify records showing full particulars, quantitative details and situation of fixed assets (CARO, 2015). 4. Verify Board meeting minutes.

25. Control Activities | Deploys control activities through policies and procedures | Payments and reimbursements
Risk: Absence of policies will lead to reimbursement/allowance of non-agreed expenses to employees, or reimbursement of expenses over and above the set limit.
Control (C03): All financial policies relating to employees are in place along with defined levels of approval.
Audit step: Verify the remuneration structure for financial policies relating to employees.

26. Information & Communication | Communicates externally regarding matters affecting internal controls | External Communication
Risk: Erroneous communications to external parties/external reporting may result in reputational, financial or reporting risk.
Control (C03): 1. Clear identification of persons authorized to communicate with external parties on relevant company matters. 2. A formal social media policy is in place.
Audit step: Verify the Admin Manual for communicating with external parties.

27. Information & Communication | Communicates externally regarding matters affecting internal controls | External Communication
Risk: In the absence of clear communication channels for external parties, employee/management malpractices may not come to light, and there may be a reputation risk with respect to third parties.
Control (C03, C18): There are properly identified communication channels (email ids) for third parties under the grievance mechanism and the sexual harassment policy.
Audit step: Review the grievance mechanism and sexual harassment policy.

28. Information & Communication | Communicates internally information including objectives and responsibilities of internal control | Internal Communication
Risk: Absence of clear communication on performance measures may lead to ambiguities and an increase in attrition levels.
Control (C28): Clear communication of the Key Result Areas in the evaluation process.
Audit step: Verify the communication of the KRAs.

29. Information & Communication | Communicates internally information including objectives and responsibilities of internal control | Management Oversight
Risk: Risk events and exceptional and unusual events remain unreported to the management, and hence the risk management framework is not duly enhanced.
Control (C07, C08, C29): 1. A formal communication process is established for escalating disruption to operations, occurrence of risk events and any material exceptional event. 2. Periodic MIS/dashboards highlight all exceptions. 3. Board meetings and management review meetings discuss unusual events.
Audit step: 1. Verify periodic MIS on a sample basis. 2. Verify management and Board meeting minutes.

30. Monitoring | Evaluates and communicates deficiencies to enable corrective actions to be taken | Financial reporting
Risk: Inadequate process for obtaining third party confirmations to validate financial figures and to detect financial frauds.
Control (C16): 1. Third party confirmations are obtained from banks, debtors and related parties. 2. Web-based review is done to assess tax status, TDS status and regulatory compliance related numbers.
Audit step: Verify confirmations obtained from counterparties and Government websites (such as Income Tax) for reconciling statutory figures and other balances.

31. Monitoring | Conducts ongoing/separate evaluations to confirm that internal controls are functioning | Financial reporting
Risk: Absence of review of the financials by management.
Control (C07, C08): Monthly MIS consisting of financial statements, other operations and reconciliations prepared by the Finance Manager is reviewed and analyzed by the Group CFO.
Audit step: Verify financial statements/reports, periodic MIS and reconciliations.

32. Monitoring | Evaluates and communicates deficiencies to enable corrective actions to be taken | Grievance and dispute resolution mechanism
Risk: Inappropriate grievance processes may lead to delay in detection of frauds, misreporting of financial figures, and the need for provisioning due to disputes.
Control (C03): Employee grievance policy (to resolve complaints and grievances) forms part of the Admin Manual.
Audit step: Verify the policy to resolve complaints and grievances, as stated in the Admin Manual.

33. Monitoring | Conducts ongoing/separate evaluations to confirm that internal controls are functioning | Management Oversight
Risk: Process gaps, errors and misstatements may not be identified by the management, which may also lead to fraud or non-compliance, in the absence of a well-established risk and internal audit review system.
Control (C03, C07, C15): 1. The internal audit function reports to the Board of Directors and highlights deficiencies observed. 2. Policies and processes are introduced and revised from time to time to plug identified gaps and control lapses.
Audit step: 1. Verify internal audit reports. 2. Verify meeting minutes. 3. Verify sample policies and process notes.

34. Monitoring | Conducts ongoing/separate evaluations to confirm that internal controls are functioning | Management Oversight
Risk: Absence of communication of deficiencies and monitoring of corrective action may lead to un-remediated deficiencies and resultant control gaps w.r.t. ICFR.
Control (C21): Formal roll-out of ICFR policy and testing process for control design and effectiveness.
Audit step: 1. Check the ICFR framework and documented RCMs. 2. Check the process adopted for testing control design and operating effectiveness.
Note: The above work-sheet can be enhanced with columns such as department; details with respect to controls (whether key or non-key; whether the control exists, yes or no; type of control, manual or automated; nature of control, preventive, detective or both preventive and detective; control frequency, daily, weekly, fortnightly, monthly, half-yearly, annually, event-based or as and when); document/evidence; deficiencies; remedial plan; reference to document; and remarks.
4.2 IT General Controls – Specimen (refer paragraph 2.5.6)
ABC Private Limited ICFR for the year ending 31st March, 2016
RCM - IT General Controls
LIST OF CONTROL GROUPS
Control Ref: Control Group/Attribute
ITGC 01 Comprehensive IT Policy
ITGC 02 Access Rights Restrictions
ITGC 03 User account management: user id and password security
ITGC 04 Data management: back-up and restoration of data and system
ITGC 05 Connectivity management: LAN, internet, firewall, anti-virus
ITGC 06 Sign-off of stakeholders/management for changes made to key applications relevant to financial reporting
ITGC 07 Restriction on sharing data
ITGC 08 Controls or authorization for acquisition/development of new system, migration and subsequent changes
ITGC 09 Incident handling: in-house IT personnel
ITGC 10 Approval/periodic review of user access rights
ABC Private Limited – ICFR for the year ending 31st March, 2016 – IT General Controls (ITGC)
Each row gives: Sr. No. Attribute | Activity Description, followed by the Identification of Risk of Material Misstatement ("What Could Go Wrong") and the Control Ref Number with the Control That Addresses the Risk of Material Misstatement.

1. Risk Assessment | IT Policy
Risk: Intended IT-related processes are not followed due to the absence of a defined, comprehensive IT policy document.
Control (ITGC 01): A defined, comprehensive IT policy document providing guidelines for working in the IT environment is in place.

2. Control Environment | Access Rights
Risk: Editable access to the financial system (accounting software) is provided to persons other than Company employees (internal and statutory auditors, consultants, etc.).
Control (ITGC 02): View-only access to the accounting software is provided to persons other than Company employees (internal and statutory auditors, consultants, etc.) who are not required to modify financial transactions.

3. Control Environment | Closing of accounting period/year in the accounting software
Risk: Erroneous/intentional posting of accounting entries in an earlier, closed period/year.
Control (ITGC 02): Closing of the previous period/year to restrict back-dating of transactions.

4. Control Environment | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): 1. For the CMS system, all new users are given a pre-expired password and the system prompts the user to set a new password at first login. 2. For Tally, all new users are given a pre-expired password and the system prompts the user to set a new password at first login.

5. Control Environment | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 02): 1. For CMS, user access rights are granted by IT only upon specific approval by the concerned functional head. 2. For Tally, user access rights are granted by IT only upon specific approval by the concerned functional head.

6. Control Environment | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): The system prompts the user to change the password after the expiry of 30 days.

7. Control Environment | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): Passwords must contain at least 7 characters and be alphanumeric (letters, numbers and special characters).

8. Control Environment | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): If the password is entered wrongly 5 times in succession within 30 minutes, the respective login id gets locked.

9. Control Environment | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): If a user does not access the system for more than a specified time, the system locks automatically.

10. Control Environment | Identifies and analyses significant changes that could impact internal controls
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 10): A periodic review of user profiles for system access exists, to confirm appropriateness.

11. Information & Communication | Selects and develops general controls over technology
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): Requests for creation of new user ids are received by the IT Executive on a standardized form, duly signed by the respective HOD.

12. Information & Communication | Selects and develops control activities to mitigate risks
Risk: Unauthorized access to IT systems, applications and data results in errors in financial reporting.
Control (ITGC 03): 1. User termination or resignation is communicated to the IT Executive by HR through email. 2. The user account is disabled immediately after the email request is received; before processing the request, IT archives the user's mailbox. 3. The Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system.

13. Control Environment | Selects and develops general controls over technology
Risk: Absence of regular back-up, which may lead to loss of crucial data.
Control (ITGC 04): 1. A regular back-up strategy is defined for the server and automatic back-up is taken at the defined frequency. 2. Restoration is tested at a reasonable frequency.

14. Control Environment | Selects and develops general controls over technology
Risk: Absence of regular back-up, which may lead to loss of crucial data.
Control (ITGC 04): Off-site storage of back-ups to tackle any unforeseen event at the office premises.
15 Control Environment
Identifies risks to the achievement of objectives and analyses risks to manage them
Servers and end users PCs are infected with virus
ITGC 05 1. Desktops: All user desktops have an anti-virus scanner installed, which scans new files on an ongoing basis. 2. Servers: All servers have an anti-virus scanner installed. 3. Gateway: The mail server is managed and all emails are scanned by a threat management gateway. 4. The anti-virus software is automatically updated to the latest version through the auto-update process.
16 Control Environment
Assesses fraud risk to the achievement of objectives
Unauthorized access to the IT systems, applications and data by external parties
ITGC 05 1. Firewalls have been installed. 2. The logs are regularly reviewed by IT Executive
17 Control Environment
Selects and develops control activities to mitigate risks
Unauthorized access to IT systems, applications and data results in errors in financial reporting
ITGC 06 Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel.
18 Control Environment
Selects and develops control activities to mitigate risks
Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting.
ITGC 06 Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with Finance Manager and after approval of BOD
19 Control Environment
Identifies and analyses significant changes that could impact internal controls
Errors in changes made to key applications relevant to financial reporting.
ITGC 06 Specific changes are made to key applications relevant to financial reporting only after sign off from the relevant stakeholders
20 Control Environment
Selects and develops general controls over technology
Problems and incidents are not effectively managed.
ITGC 09 In-house IT personnel resolve issues faced by users as required.
21 Control Environment
Selects and develops general controls over technology
Intentional sharing of crucial and confidential data of the company by staff to outsiders (e.g. competitors)
ITGC 07 1. Deactivation of external storage devices on company PCs. 2. Restricting access to all public sites and domain
Note: The above work-sheet can be enhanced with columns such as department, details with respect to controls (whether key or non-key, whether the control exists – yes or no, type of control – manual or automated, nature of control – preventive, detective or both preventive and detective, control frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and when), document/evidence, deficiencies, remedial plan, reference to document and remarks.
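The ITGC 03 user-access controls in rows 4 to 12 of the work-sheet above (pre-expired initial password with forced change on first login, 30-day expiry, 7-character alphanumeric-plus-special complexity, lock-out after 5 wrong attempts within 30 minutes, and immediate disabling on termination) modelled as a small Python reference, added here as an illustration and not taken from the handbook or from the CMS or Tally systems it names. Every class, function name, timestamp and sample password below is the editor's own assumption; the inactivity auto-lock in row 9 is a session-level control and is not modelled.

```python
"""Added illustration of the ITGC 03 user-access controls from the RCM
work-sheet: pre-expired first password, 30-day expiry, 7-character
complexity, 5-strikes-in-30-minutes lock-out, disable on termination.
Not code from the handbook or from CMS/Tally; all names are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

PASSWORD_MAX_AGE = timedelta(days=30)   # row 6: change after 30 days
MAX_FAILED_ATTEMPTS = 5                 # row 8: 5 wrong entries ...
LOCKOUT_WINDOW = timedelta(minutes=30)  # row 8: ... within 30 minutes
MIN_LENGTH = 7                          # row 7: at least 7 characters

# Constructed reference instant used by the examples (assumed value).
T0 = datetime(2016, 4, 1, 9, 0, 0)


def at(minutes: float) -> datetime:
    """Helper: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


def meets_complexity(pw: str) -> bool:
    """Row 7: 7+ characters containing letters, digits and specials."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a copied user table does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    pw_set_at: Optional[datetime] = None  # None = pre-expired password
    failures: List[datetime] = field(default_factory=list)
    locked: bool = False
    disabled: bool = False


def create_user(user_id: str, initial_pw: str) -> Account:
    """Row 4: initial password is pre-expired (pw_set_at stays None),
    so the first successful login returns 'change_required'."""
    acct = Account(user_id)
    acct.pw_hash = _hash(initial_pw, acct.salt)
    return acct


def login(acct: Account, pw: str, now: datetime) -> str:
    """Returns 'disabled', 'locked', 'denied', 'change_required' or 'ok'."""
    if acct.disabled:
        return "disabled"
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(acct.pw_hash, _hash(pw, acct.salt)):
        # Row 8: count only consecutive failures inside the 30-minute window.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failures.clear()  # a correct password ends the run of failures
    # Rows 4 and 6: first login, or password older than 30 days.
    if acct.pw_set_at is None or now - acct.pw_set_at >= PASSWORD_MAX_AGE:
        return "change_required"
    return "ok"


def change_password(acct: Account, new_pw: str, now: datetime) -> bool:
    """Row 7: reject a new password that fails the complexity rule."""
    if not meets_complexity(new_pw):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.pw_set_at = now
    return True


def disable_on_termination(acct: Account) -> None:
    """Row 12: HR informs IT; the account is disabled immediately."""
    acct.disabled = True
```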
4.3 Specimen - Financial Statement Closure Policy and sample checklists (refer paragraph 2.7.3)
ABC Pvt. Ltd.
Financial Statements Closure Policy (FSCP)
1. OBJECTIVES:
This policy is prepared to achieve the following broad objectives:
- Provide guidance for the financial closure process leading to preparation of financial statements.
- Ensure adherence to applicable laws, regulations and disclosure requirements relevant to the financial reporting.
- Ensure completion of the financial closure efficiently and in a timely manner.
- Ensure adherence to the approval matrix laid out for the closure process.
- Retain and protect related documents, evidences and approval trails.
2. SCOPE:
This policy covers the following:
- Financial reporting framework applicable to the entity.
- IT application (system), if any, used for financial closure.
- Checklist to be used to ensure completeness of financial statements.
- Approval matrix related to financial closure activities.
- Document Management Policy, including retention policy for documents related to financial closure.
3. STAGES OF FINANCIAL CLOSURE:
(Columns: #, Particulars, Review Responsibility, Approval/ Authorization, Suggested Timeline)

1. Financial Reporting Framework
Particulars: The financial closure process shall be carried out in adherence to the following: the Companies Act, 2013 and allied Rules; applicable accounting standards; pronouncements of the ICAI applicable to preparation of financial statements and financial reporting. Adequate care shall be taken to incorporate the effects of modifications to existing regulations and pronouncements. Any new pronouncements impacting the financial accounting, closure process or reporting requirements will be reviewed internally, approved as per the authority matrix and incorporated in the appropriate checklist, SOP or templates. Knowledge updates provided by the statutory auditors or other accounting/law firms from time to time may be reviewed and, where appropriate, considered for updating the respective checklist. The CFO is required to hold a formal meeting with the statutory auditors to confirm that all additional reporting requirements for the financial year have been duly identified by the company; if there has been a miss-out, the same may be incorporated after review.
Review Responsibility: Senior Person of A & F Dept.
Approval/ Authorization: CFO or equivalent position
Suggested Timeline: By end December/ January

2. System Environment
Particulars: List all the systems from which data will flow into financial statements either directly or indirectly. Proposed changes/ enhancements to the IT applications which have a bearing on the financial closure process or the financial statements need to be pre-approved by the Finance Department as per the authority matrix. For any changes in the financial reporting requirements, the Finance Department is to review whether the required information is available from the IT system and, if not, initiate a request for configuring the IT system to ensure the availability of the requisite information.
Review Responsibility: Senior Person of A & F Dept.
Approval/ Authorization: CFO or equivalent position
Suggested Timeline: By end December/ January

3. Pre-planning for Closure & Closure Activity for Operational Areas
Particulars: Activity-wise pre-planning checklist to be prepared as per the Company's defined SOPs, Policies and Business Requirements. A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – I.
Review Responsibility: As per Checklist
Approval/ Authorization: As per Checklist
Suggested Timeline: For pre-planning, by end December/ January; for closure, at year-end date and the subsequent month

4. Process for Preparation of Financial Statements
Particulars: A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – II.
Review Responsibility: As per Checklist
Approval/ Authorization: As per Checklist
Suggested Timeline: As per the timeline defined by the management for finalizing audited Financials

5. Process for Disclosure Requirements
Particulars: A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – III.
Review Responsibility: As per Checklist
Approval/ Authorization: As per Checklist
Suggested Timeline: As per the timeline defined by the management for finalizing audited Financials

6. Approval Matrix for Closure Process
Particulars: The closure process will follow the approval matrix defined as per the SOP of the Accounts & Finance department. If it is not defined, then define the same for maker-checker control at various stages and the documentation trail.
Review Responsibility: Senior Person of A & F Dept.
Approval/ Authorization: CFO or equivalent position
Suggested Timeline: Approval Matrix to be defined as part of the SOP of the A & F dept. or at the beginning of the year

7. Retention of Documents
Particulars: All documents related to the financial closure process shall be retained in a safe manner. Clear naming protocols will be followed to ensure version control on financial statement drafts. Soft copies of the financial statements need to be stored in a folder, access rights to which have been approved by the Chief Financial Officer. Documents are to be retained at least until the time required to comply with related regulations.
Review Responsibility: Senior Person of A & F Dept.
Approval/ Authorization: CFO or equivalent position
Suggested Timeline: N.A.

8. Post Closure Process
Particulars: Take a printout of the final trial balance. Keep printed copies of the audited Financial Statements. Close the books of account for the Financial Year. Block the IT system for amendment in that financial year. Review opening balances in the subsequent period against the audited financial statements.
Review Responsibility: Senior Person of A & F Dept.
Approval/ Authorization: CFO or equivalent position
Suggested Timeline: Within 15 days of completion of Annual Accounts closure
Annexure – I
ABC Pvt. Ltd.
Sample and Specimen Checklist for Activity-wise Pre-planning & Closure
(Columns: #, Area, Process, Process Owner, Reviewer, Proposed Start Date, Proposed End Date, Status)

1 Cash
- Circular to be sent to various branches to send cash expenses statement with closing balance as on year end
- Co-ordination with the statutory auditors if they want to conduct year-end physical verification of cash
- Conduct physical verification on the last working day of the financial year
- Document the physical verification papers with signatures of maker and checker

2 Bank
- Bank Reconciliation Statements to be called from all branches for all bank accounts
- BRS to be prepared for all the HO accounts as per the BRS process defined by the company
- Un-reconciled items in BRS to be investigated and necessary adjustments to be carried out with proper approvals
- Cheques pending to be deposited to be presented to bank for clearance
- Online transfers from customers, kept in suspense / unexplained accounts, to be knocked off from customer balances
- Printout of final copies of BRS to be taken and signed by the maker and checker
- Balance confirmations to be called from banks to assert bank balances

3 Inventory
- Circular to be sent to branches to inform them to carry out year-end stock verifications
- Factory / Warehouse / Operations of any other inventory-holding location to be suspended during the period of verification, if required
- Necessary co-ordination to be made with Internal / Statutory auditors in case they are to attend inventory verification
- Year-end transactions for sales and purchases to be meticulously recorded keeping in mind cut-off procedures affecting inventory position
- Plan for inventory verification to be decided on the basis of methods suitable for the Company's inventory, such as: 1. ABC analysis 2. Analysis based on fast / slow moving items 3. Critical and non-critical items 4. Form of inventory, i.e. size, weight, state of matter etc.
- Confirmations to be called from third parties holding the company's inventory (on consignment basis, for job work purposes etc.)
- Value of inventory as per books to be compared with actual value
- Adjustments, if required, to be made to inventory value with proper approvals

4 Fixed Assets / Capitalization
- FA register to be updated and finalized
- FA register to be compared with books of account
- Scrutinize the major repairs account to find out if any item of capital nature has been debited
- Capitalisation of expenses up to the point of installation, such as transportation, octroi, testing charges, training for operation of FA
- Review CWIP account to review completion stage and capitalization, if required
- Physical verification of Fixed Assets with proper internal controls such as verification by independent verifier, maker-checker control on the verification process, reporting of discrepancy, if any, and appropriate accounting of the same
- Review of sale / scrap of assets, profit / loss on disposal of assets
- Depreciation workings based on applicable accounting standards

5 Investment
- Accounting of accrued income based on year-end investment
- Accounting of gains / losses on sale of investments
- Validation of investment balance with counter-party statements
- Physical verification of investment instruments to ensure ownership of the same
- Revaluation of investments as per applicable accounting standards

6 Income Booking
- Circular to be sent to various branches / depots from where sales are effected to send information / data for dispatches made till cut-off date
- Ensure invoice booking for materials where ownership has been transferred to customers
- Ensure invoice booking / billing for services where provision of service is completed as per defined terms and conditions
- Accounting of pending debit and credit notes (rejections / sales returns / disputed provision of services)

7 Expense Booking
- Circular to be sent to various branches / depots calling for all relevant details of expenses incurred within the defined timeline after year end
- Advances paid to employees for expenses to be settled against reimbursable expenses
- Provision of expenses based on nature of expense, i.e. time-based or otherwise, backed by actual supporting documents to be accounted
- Provision of expenses on the basis of estimation: Company policy for estimation to be reviewed and adhered to
- Review accounting of prepaid expenses
- Review provisions / prepaid expenses of previous periods / years for their existence and continuity

8 Debtors / Receivables
- Debtors balances to be knocked off against money received but accounted in suspense / unexplained accounts
- Initiate communication for debtors confirmation
- Prepare reconciliation of differences in debtors balances and post adjustments with appropriate approvals
- Scrutinize debtors accounts and follow up with the sales / marketing team for status of long-standing debtors
- Provide for doubtful debts / disputed debtors in consultation with marketing / legal dept. / Management

9 Creditors / Payables
- Initiate communication for creditors confirmation
- Prepare reconciliation of differences in creditors balances and post adjustments with appropriate approvals
- Scrutinize advances to creditors accounts and follow up with the procurement team for status of long-standing advances
- Write back creditors balances which are not payable in consultation with procurement / legal dept. / Management

10 Related Party Reconciliation
- Obtain account confirmation from all the related parties
- Prepare reconciliation of differences in balances and post adjustments with appropriate approvals
Annexure – II
ABC Pvt. Ltd.
Sample and Specimen Checklist for Preparation of Financial Statements
(Columns: #, Area, Process, Process Owner, Reviewer, Proposed Start Date, Proposed End Date, Status)

1 Opening balances validation
- Validation of opening balances at the time of audit of the subsequent year with closing balances of the previous year

2 General Ledger Scrutiny
- Allocate responsibility within the accounts team to scrutinize specific accounts
- All accounts with non-moving balances, intermediary accounts and suspense accounts to be scrutinized thoroughly to ensure genuineness of transactions recorded in these accounts
- Based on this scrutiny, pass appropriate entries with approval of senior personnel in the accounts team, ideally the CFO

3 Review of accounts related to statutory compliance
- Allocate responsibility within the accounts team to scrutinize specific accounts
- Reconcile the company's data with the data available on the website of the respective regulator (such as 26AS reconciliation)
- Review all the assessment orders, refund / demand orders issued by various regulatory authorities during the year
- Compare all statutory returns filed with the books of account
- Record all the necessary entries required based on the above scrutiny

4 Independent Review
- Get an independent review done by the professional retainer, if any, engaged by the company

5 IT Systems blocking
- Blocking of various IT systems for data entry / transaction posting by respective employees for basic transaction posting such as cash, bank, petty cash, purchase, sales etc.
- Rights to pass entries to be granted to only a few personnel in the accounts department

6 Provision for Gratuity & Employee Benefits
- Provide necessary data / information, after validation, to the appointed actuary
- Actuarial valuation report to be referred to for estimations provided by the auditee
- Workings for provisions to be computed and validated by senior personnel
- Provisions for employee benefits to be recorded with appropriate approvals

7 Inventory Valuation
- Inventory verification reports to be referred to in order to ascertain inventory figures
- Inventory as ascertained to be valued adopting a suitable methodology and adhering to applicable accounting standards and company policy
- Necessary adjustment entries to reflect the appropriate value of inventory to be recorded with due approvals

8 Revaluation of Assets & Liabilities in Foreign Currency
- Ascertain the balances of foreign assets and liabilities
- Depending on the class of asset / liability and the guidelines laid down in applicable accounting standards, the appropriate foreign exchange rate to be selected
- The selected rate(s) to be validated by senior authority and applied to the closing balance of such class(es) of assets / liabilities
- Appropriate effect of revaluation to be recorded in books of account

9 Year-end adjustment of exchange rate difference for trade payables and receivables
- Refer to closing balance of debtors / creditors
- Revalue debtors and creditors on the basis of the closing exchange rate

10 Income Tax working
- Based on profits / losses as computed, prepare Income Tax working
- Co-ordinate with tax consultant for validation of the same
- Incorporate changes suggested by consultant
- Record necessary provision for income tax

11 Deferred Tax Assets / Liabilities
- Prepare working for deferred tax assets / liabilities
- Co-ordinate with tax consultant and Statutory Auditors for validation of the same
- Incorporate changes suggested by consultant
- Record necessary entries for deferred tax assets / liabilities

12 Preparation of Financial Statements as per prescribed formats
- Extract trial balance from accounting system
- Save the same with date and time in soft copy
- Prepare appropriate groupings
- Validate all the Excel formulas and linkages if financials are prepared in Excel
- As per the prescribed format, classify respective assets and liabilities as current, non-current, short term, long term
- Take printout of financials prepared and revalidate again with base trial balance for accuracy
- Provide audit trail of revalidation on hard copy of financials

13 Co-ordination with statutory auditors and get the audit done
- Arrange for Stat audit, prepare information as per their prescribed format
- During Stat audit, liaise with their team for smooth conduct of audit
- Formal meetings for discussion of queries / clarifications
- Passing of rectification JVs in system, if required

14 Prepare revised Financial Statements
- Repeat process given in step 12
- Maintain version control and modification trail

15 Grouping and regrouping of previous year's figures
- Detailed review of previous year's grouping with current grouping and make necessary changes in the grouping of previous year

16 Freeze the numbers after review of Statutory Auditors
- Get the revised financials validated by Statutory Auditors

17 Present the Provisional Financial Statements to Management / Audit Committee
- To facilitate management to take certain decisions about managerial remuneration, proposed dividend

18 Calculate Managerial remuneration if it is on % basis of profit / surplus
- Prepare workings for managerial remuneration as per applicable rules and regulations and company policy

19 Prepare Proposed dividend working
- Proposed dividend working to be prepared based on the dividend proposed by the Board of Directors
- Workings to be validated by senior personnel
- Entries to record proposed dividend to be passed in books of account

20 Make necessary changes in the Financial Statements
- Necessary changes to be validated by Statutory Auditors
Annexure – III
ABC Pvt. Ltd.
Sample and Specimen Checklist for Disclosure & Notes to Accounts
(Columns: #, Area, Process, Process Owner, Reviewer, Proposed Start Date, Proposed End Date, Status)

1 Review of Notes to Accounts of previous year and evaluate it for necessary changes
- Take notes to accounts of previous year as a base
- If there are any changes in the accounting policies adopted by the company during the year, incorporate the same in notes to accounts
- If there are any regulatory changes which require a change in company policy, incorporate the same in notes to accounts

2 Prepare Disclosures
- As per the disclosure checklist provided by Stat auditors, prepare disclosures
- Validate all the numbers given in the disclosures with the financial statements
- Also ensure disclosure of contingent liabilities after consultation with various operational dept. HODs and the HOD of the legal dept.

3 Get it reviewed by Statutory Auditors
- Notes to accounts and disclosures to be sent to Statutory Auditors for review and validation

4 Revise Notes to Accounts & Disclosures after review by Statutory Auditors
- As per suggestions by Statutory Auditors, revise notes to accounts and disclosures

5 Review entire set of Financial Statements & disclosures all together
- Take printout of the entire set of financial statements, notes to accounts and disclosures
- Revalidate again with base trial balance for accuracy
- Provide audit trail of revalidation on hard copy of financials

6 Arrange for Signatures
- Arrange for signature on the Financial Statements by the appropriate authority of the Company
- Arrange for signature on the Financial Statements by the Statutory Auditors
5. Glossary of abbreviations used:
Sr. No. Abbreviation Full Form
1. BoD Board of Directors
2. BCP/ DRP Business Continuity Plan/ Disaster Recovery Plan
3. CARO Companies (Auditor’s Report) Order
4. CD Compact Disc
5. CEO/CFO Chief Executive Officer / Chief Financial Officer
6. CSA Control Self-Assessment
7. DoA Delegation of Authority
8. ECG Electrocardiogram
9. ELC Entity Level Controls
10. FSCP Financial Statement Closure Policy
11. GRN Goods Received Note
12. ICAI Institute of Chartered Accountants of India
13. ICFR Internal Controls over Financial Reporting
14. IFC Internal Financial Controls
15. ISO International Organization for Standardization
16. IT Information Technology
17. ITGC Information Technology General Controls
18. KYC Know Your Customer
19. MIS Management Information Systems
20. PCAOB Public Company Accounting Oversight Board
21. PLC Process Level Controls
22. PO Purchase Order
23. RCM Risk Control Matrix
24. RoMM Risk of Material Misstatements
25. SA Standard on Auditing
26. SME Small and Medium-sized Enterprises
27. SOP Standard Operating Procedures
6. Useful links and recommended reading:
1. Guidance Note on Audit of Internal Financial Control Over Financial Reporting by the Institute of Chartered Accountants of India http://icai.org/new_post.html?post_id=11919&c_id=219
2. Guide to Internal Control Over Financial Reporting published by the Center for Audit Quality http://www.thecaq.org/reports-and-publications/guidetoicfr
3. A Layperson’s Guide to Internal Control Over Financial Reporting by the Public Company Accounting Oversight Board https://pcaobus.org/News/Speech/Pages/03312006_GillanCouncilInstitutionalInvestors.aspx
4. BCAJ May 2016 issue – From Published Accounts http://bcajonline.org/artcile.aspx?Id=16405&Cid=52
5. Lecture Meeting on 28th June, 2016 at The Chamber of Tax Consultants on “Internal Financial Control - Way Forward for Private Companies and Their Auditor” http://www.ctconline.org/index.php/downloads1/corporate