Summary- Guidance Note on Audit of Internal Financial Controls over Financial Reporting

Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors’ report of all companies to state the details in respect of adequacy of internal financial controls with reference to the financial statements.

The inclusion of the matters relating to internal financial controls in the directors’ responsibility statement is in addition to the requirement for the directors to state that they have taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of the 2013 Act, for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.

Auditors’ Responsibility

The auditor’s objective in an audit of internal financial controls over financial reporting is to express an opinion on the effectiveness of the company’s internal financial controls over financial reporting and the procedures in respect thereof are carried out along with an audit of the financial statements. Because a company’s internal controls cannot be considered effective if one or more material weakness exists, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weakness exists as of the date specified in management’s assessment. A material weakness in internal financial controls may exist even when the financial statements are not materially misstated.

The auditor needs to obtain reasonable assurance to state whether an adequate internal financial controls system was maintained and whether such internal financial controls system operated effectively in the company in all material respects with respect to financial reporting only.

Accordingly, the term ‘internal financial controls’ wherever used in this Guidance Note in the context of the responsibility of the auditor for reporting on such controls under Section 143(3)(i) of the Act, per se implies and relates to internal financial controls over financial reporting.

For this purpose, “internal financial controls over financial reporting” shall mean “A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal financial control over financial reporting includes those policies and procedures that

(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

(ii) provide reasonable assurance that transactions are recorded as necessary to permit  preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

(iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Criteria for Internal Financial Controls Over Financial Reporting

To state whether a set of financial statements presents a true and fair view, it is essential to benchmark and check the financial statements for compliance with the financial reporting framework. The Accounting Standards specified under the Companies Act, 1956 (which are deemed to be applicable as per Section 133 of the 2013 Act, read with Rule 7 of Companies (Accounts) Rules, 2014) is one of the criteria constituting the financial reporting framework based on which companies prepare and present their financial statements and against which the auditors evaluate if the financial statements present a true and fair view of the state of affairs and operations of the company in an audit of the financial statements carried out under the 2013 Act.

Similarly, a benchmark internal control system, based on suitable criteria, is essential to enable the management and auditors to assess and state adequacy of and compliance with the system of internal control.

In the Indian context, for example, Appendix 1 “Internal Control Components” of SA 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment”2 provides the necessary criteria for internal financial controls over financial reporting for companies.

Specified date for reporting on the aforesaid adequacy

The Auditor should report if the company has adequate internal control systems in place and whether they were operating effectively as at the balance sheet date if the same has not been corrected by the management Further, reporting on internal financial controls over financial reporting will not be applicable with respect to  interim financial statements, such as quarterly or half-yearly financial statements, unless such reporting is required under any other law or regulation .

Appendix I to SA 315 explains the five components of any internal control as they relate to a financial statement audit. The five components are:

i. Control environment

ii. Entity’s risk assessment process

iii. Control activities

iv. Information system and communication

v. Monitoring of controls

Addressing the Risk of Fraud

Controls that might address these risks include:

• Controls over significant, unusual transactions, particularly those that result in late or   unusual journal entries;
• Controls over journal entries and adjustments made in the period-end financial  reporting process;
• Controls over related party transactions;
• Controls related to significant management estimates; and
• Controls that mitigate incentives for, and pressures on, management to falsify or  inappropriately manage financial results.