Brief about Internal Control Over Financial Reporting (ICFR) design and testing
Internal Financial Control came into existence to promote risk management and governance process within the organization so that we don’t have another Satyam case in the future. In this article we have discussed the Internal Financial Control (IFC) from the Business perspective and from Auditor’s perspective:
As per Sec 143(3)(i) of Companies Act 2013, the report of the auditor should state as to whether the company has adequate Internal Financial Control system in place and the operating effectiveness of such controls.
Further, Rule 10A of Companies (Audit & Auditors) Rules 2014 states that:
a) For the financial years commencing on or after 1st April 2015, the report of the auditor should state about existence of adequate Internal financial controls and its operating effectiveness.
b) The auditor of a company may voluntarily include the statement referred to in this rule for the financial year commencing on or after 1st April 2014 and ending on or before 31st March 2015.
a) which is one person company or a small company
b) which has turnover less than Rs. 50 crores as per the latest audited financial statements and which has aggregate borrowings from banks or financial institutions or any body corporate at any point of time during the financial year less than Rs. 25 crores.
After reading the above, the question comes to our mind that how the Internal Financial Control (IFC/ ICFR) should be implemented (for organization perspective) and tested (for Auditor’s Reporting) ?
A) From the Organization’s perspective:
Following are the background which requires the implementation of Internal Financial Controls (IFC) as per Companies Act, 2013:
Section 134: Director’s Responsibility Statement: In the case of a listed company, the Director’s Responsibility states that directors, have laid down IFC to be followed by the company and that such controls are adequate and operating effectively.
Rule 8: Board Report: Every Company to state the details in respect of the adequacy of IFC with reference to financial statements.
Section 177: Audit Committee: Audit committee may call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.
Schedule IV: Independent Directors: The Independent Directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible.
Section 143: Auditor Report: The Auditor’s Report should state whether the company has adequate IFC system in place and the operating effectiveness of such control.
Designing Process: The Management should identify the significant business processes of the Company and design the Process Notes and Risk Control Matrix (RCM) for the Company by itself or with the help of an external expert. The same should be followed regularly & tested by the management at least once in a Financial Year.
Following is the example of Risk control matrix, and RCM should mention at least the following details:
It is very important for a business to prepare the proper control and cover all the risk areas for that particular process.
B) From Auditor’s perspective:
During the audit, Auditor should ask from the management defined Process Notes and Risk Control Matrix (RCM) of the Company for testing the controls and after testing the auditor can give opinion about the effectiveness of the Company’s Internal Financial Controls. Auditor should also ask the report of testing done by management in a financial year to find the detailed observations. After testing, auditor can give the opinion on Internal Control Over Financial Reporting (ICFR).
During testing, the deficiencies to be identified which are:
1. Design deficiency
2. Operating deficiency
3. Significant deficiency
4. Material weakness
A deficiency in internal financial control over financial reporting exists when the design or operation of a control does not allow the management to prevent or detect misstatements on a timely basis, in the normal course of business activity.
I hope this will help to understand the IFC, for any clarification please reach out to us at +919711132615 or write to us: [email protected] for any further query.