Brief about Internal Control Over Financial Reporting (ICFR) design and testing

Internal Financial Control came into existence to promote risk management and governance process within the organization so that we don’t have another Satyam case in the future. In this article we have discussed the Internal Financial Control (IFC) from the Business perspective and from Auditor’s perspective:

As per Sec 143(3)(i) of Companies Act 2013, the report of the auditor should state as to whether the company has adequate Internal Financial Control system in place and the operating effectiveness of such controls.

Further, Rule 10A of Companies (Audit & Auditors) Rules 2014 states that:

a) For the financial years commencing on or after 1st April 2015, the report of the auditor should state about existence of adequate Internal financial controls and its operating effectiveness.

b) The auditor of a company may voluntarily include the statement referred to in this rule for the financial year commencing on or after 1st April 2014 and ending on or before 31st March 2015.

As per Notification No. GSR 464 (E) dated 5th June 2015 as amended by Notification No. GSR 583(E) dated 13th June 2016, this requirement shall not apply  to a Private company-

a) which is one person company or a small company

b) which has turnover less than Rs. 50 crores as per the latest audited financial statements and which has aggregate borrowings from banks or financial institutions or any body corporate at any point of time during the financial year less than Rs. 25 crores.

After reading the above, the question comes to our mind that how the Internal Financial Control (IFC/ ICFR) should be implemented (for organization perspective) and tested (for Auditor’s Reporting) ?

A) From the Organization’s perspective:

Following are the background which requires the implementation of Internal Financial Controls (IFC) as per Companies Act, 2013:

Section 134: Director’s Responsibility Statement: In the case of a listed company, the Director’s Responsibility states that directors, have laid down IFC to be followed by the company and that such controls are adequate and operating effectively.

Rule 8: Board Report: Every Company to state the details in respect of the adequacy of IFC with reference to financial statements.

Section 177: Audit Committee: Audit committee may call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.

Schedule IV: Independent Directors: The Independent Directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible.

Section 143: Auditor Report: The Auditor’s Report should state whether the company has adequate IFC system in place and the operating effectiveness of such control.

Designing Process: The Management should identify the significant business processes of the Company and design the Process Notes and Risk Control Matrix (RCM) for the Company by itself or with the help of an external expert. The same should be followed regularly & tested by the management at least once in a Financial Year.

Following is the example of Risk control matrix, and RCM should mention at least the following details:

It is very important for a business to prepare the proper control and cover all the risk areas for that particular process.

B) From Auditor’s perspective:

During the audit, Auditor should ask from the management defined Process Notes and Risk Control Matrix (RCM) of the Company for testing the controls and after testing the auditor can give opinion about the effectiveness of the Company’s Internal Financial Controls. Auditor should also ask the report of testing done by management in a financial year to find the detailed observations. After testing, auditor can give the opinion on Internal Control Over Financial Reporting (ICFR).

During testing, the deficiencies to be identified which are:

1. Design deficiency

2. Operating deficiency

3. Significant deficiency

4. Material weakness

A deficiency in internal financial control over financial reporting exists when the design or operation of a control does not allow the management to prevent or detect misstatements on a timely basis, in the normal course of business activity.

Flow of Audit of IFC

I hope this will help to understand the IFC, for any clarification please reach out to us at +919711132615 or write to us: mishradevesh12@gmail.com for any further query.

Author Bio

Qualification: CA in Practice
Company: www.dkmassociates.in
Location: New Delhi, New Delhi, IN
Member Since: 01 Feb 2019 | Total Posts: 10
Partner at D K M & Associates, Chartered Accountants. Earlier worked with BIG 4 Accounting and Audit firm. Expertise in Ind AS, Goods & Services Tax, Income Tax, Auditing and Assurance, Internal Controls, Business Process Consultancy, Forensic Accounting and Auditing with various rules an View Full Profile

My Published Posts

More Under Company Law

3 Comments

  1. Subramanian Natarajan says:

    Now you have given much more than I asked. I am a CPA and have written 71 articles in tax guru but I welcome youngsters like you who actually implement the internal controls. Now it helps a student to understand I c better. Thanks
    Subramanian

  2. Subramanian says:

    Why can’t you actually give an example. Just checking one department work by others from same company on monthly basis is an internal control. How does a C A actually undertake the internal control operations. Young man give us details. No hiding under Company’s Law only. Have you really done and if so, why not details

    1. CA Devesh says:

      Dear Subramanian Ji,

      Every significant process has a process note and many controls to mitigate the risk/ what can go wrong in that process. It is not possible to give each and every process in this platform and this is also related to a specific company. We design the Internal Financial Controls and Process notes of the Company and it actually takes more than 1 month to design and test the same.

      Just like Ind AS adjustments, a person can guide you about the theory part but when you actually do that adjustment every company’s scenario is different.
      Hope you understand.
      If you want to design the same for your Company, we can help.

      In the Risk Control Matrix for following minimum details should be there:
      1. Risk Description/ what can go wrong
      2. Control Description
      3. Related process number
      4. Control Activity owner
      5. Financial statement assertions
      6. Control Type1 – Manual or automatic
      7. Control Type2 – Preventive or detective
      8. Frequency of control
      9. Significance – Primary or Secondary control

      If you need any specific details, please let me know.

Leave a Comment

Your email address will not be published. Required fields are marked *