Introduction: The Companies Act, 2013 has reshaped corporate governance, placing a spotlight on Internal Financial Controls (IFC). In response to corporate scandals, global legislations like Sarbanes Oxley Act and J-SOX, alongside the Act, aim to restore trust. This article delves into the significance of IFC, the advantages of robust controls, and the evolving regulatory landscape.
1. Background
- The Companies Act, 2013 (the ‘Act’) has imposed specific responsibilities on the Board of Directors (the ‘Board’) towards the company’s Internal Financial Controls (the ‘IFC’) and, inter alia, requires the Board to state that they have laid down IFC to be followed by the company and that such IFC are adequate and were operating effectively. The recent corporate frauds (Satyam Scandal and Enron Scandal) have created an atmosphere of mistrust in the governance of corporations. The USA adopted the Sarbanes Oxley Act in 2002, which contains regulations on the internal control expected from companies. In June 2006, The Financial Instruments and Exchange Act (J-SOX) was passed by the Diet, The National Legislature of Japan. The. The requirements of this legislation are like the requirements of the Internal Controls over financial reporting under SOX. Thus, it was imperative for the government to come up with regulations to re-install the trust in the corporate sector which is the requirement of the statutory auditor to state in his report whether the company has adequate internal financial controls systems in place and the operating effectiveness of such controls.
- Statutory auditors are required to report on the adequacy and operating effectiveness of the company’s Internal Financial Control Over Financial Reporting (IFCoFR). The reporting by the auditors is voluntary for the year ending 31 March 2015 and mandatory for financial years beginning on or after 1 April 2015.
- Placing more accountability and responsibility on the Board and Audit Committee with respect to internal financial controls, the Act is a welcome attempt to align the corporate governance and financial reporting standards with global best practices. Advantages of the robust controls: –
a) Accurate and reliable financial statements
b) Openness and transparency
c) Improved controls over financial reporting process
d) Accountability of senior management
2. Internal Financial Control (IFC):
As per Section 134 of the Act, the term Internal Financial Controls means the policies & procedures adopted by the company for ensuring:
a) Orderly and efficient conduct of its business
b) Safeguarding of its assets
c) Prevention and detection of frauds and errors
d) Accuracy and completeness of accounting records
e) Timely preparation of reliable financial information
3. Internal Control over Financial Reporting (ICOFR):
As per Section 143 of the Act, the term Internal Control over Financial Reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of the Financial Statement.
a) Maintenance of Records Safeguarding of its assets
b) Accurately & fairly reflect the transactions and dispositions of the asset of the Co.
c) Prevention and detection of frauds and errors,
d) Accuracy and completeness of accounting records, and
e) Timely preparation of reliable financial information
4. Difference between IFC and IFCoFR
|
Basis of Difference |
Internal Financial Control (IFC) | Internal Financial Control over Financial Reporting (IFCoFR) |
| Definition | As per Section 134(5)(e) Internal financial controls are the policies and procedures adopted by the company for:
(a) Ensuring the orderly and efficient conduct of its business, including adherence to company’s policies (b) the Safeguarding of its assets (c) the prevention and detection of frauds and errors (d) the accuracy and completeness of the accounting records, and (e) the timely preparation of reliable financial information Note: IFC= Operations Controls + Internal Financial Control over Financial Reporting + Fraud Prevention |
As per Section 143 of the Companies Act, 2013, the term Internal Control over Financial Reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of the Financial Statement.
(a) Maintenance of Records (b) Accurately & fairly reflect the transactions and dispositions of the asset of the Co. (c) Prevention and detection of frauds and errors, (d) Accuracy and completeness of accounting records, and (e) timely preparation of reliable financial information |
| Scope | Its scope is very vast (Operational Controls, Financial Controls & Fraud Prevention) | Its scope is restricted to financial reporting only |
| Auditor’s report | Will not comment on the Internal Financial Controls | Will comment on the adequacy and effectiveness of Internal Control Over Financial Reporting |
5. Process to Audit of IFCOFR
Step 1: Understanding of the business
Gain a deep understanding of the organization’s business environment, industry, and specific financial processes. This includes the organization’s services or products, revenue streams.
Step 2: Assessment of the entity level control
a) Identifying risks of material misstatement related to internal control at the entity level.
b) Understanding the internal control environment and its related elements.
c) Documenting audit evidence obtained.
d) Conclusion regarding the operating effectiveness of the entity level control.
e) Determining the effect on audit strategy.
Step 3: Process understanding
a) Understanding of all key relevant business process.
b) Critical path for all relevant business processes (through flow charts/ diagrammatic representations)
c) Identify and document what can go wrongs and relevant controls.
d) Understanding about controls (includes control description, frequency, nature, overall evaluation of design effectiveness and others.
e) Who performed and reviewed the audit work and such relevant dates.
Step 4: Test of controls
a) Significant class of transactions for which the test of controls is being performed.
b) Details about the controls which are being tested.
c) Samples selected for testing the controls.
d) Population used for sample selection.
e) Nature, timing, and extent of the work being performed.
f) Documentation regarding the audit evidence gathered.
g) Conclusion about the operating effectiveness of each control basis the samples tested.
Step 5: Evaluation of deficiencies
On completing test of controls- the deficiencies are to be identified.
A deficiency in internal financial control over financial reporting exists when the design or operation of a control does not allow the management to prevent or detect misstatements on a timely basis, in the normal course of business activity.
6. Regulatory framework of IFC
The framework of IFC is given by Standard on Auditing issued by the Institute of Chartered Accountants of India (ICAI).
A brief discussion on the regulatory framework for IFC is as follows.
A. Important sections and rules are listed below:
|
Relevant Sections and rules |
Particulars | Description of section/rule |
| Section 134 | Director’s Responsibility Statement | In the case of a listed company, the Director’s Responsibility states that directors, have laid down IFC to be followed by the company and that such controls are adequate and operating effectively |
| Rule 8 | Board Report | Every Company to state the details in respect of adequacy of IFC with reference to financial statements |
| Section 177 | Audit committee | Audit committee may call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company |
| Section IV | Independent directors | The Independent Directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible |
| Section 143 | Audit report | The Auditor’s Report should state whether the company has adequate IFC system in place and the operating effectiveness of such controls |
B. Scope and responsibilities of the Board, Audit Committee, and the auditors are as follows:
|
Board of Directors |
Audit Committee/Individual Directors | Auditors |
| Scope | ||
| Listed Entities: Adequacy and operating effectiveness of internal financial controls | Focus on internal controls | |
| Unlisted Entities: Adequacy of IFCFR- Internal Financial controls over financial reporting | Report on the adequacy and operating effectiveness of IFCFR | |
| Lay down adequate and effective internal financial controls and include in the Directors’ Responsibility Statement | Evaluate internal financial control and risk management systems | |
| Independent directors to satisfy themselves on the effectiveness of financial controls | Review results of management evaluation of Internal Financial Controls | |
| Discuss issues with management or internal/ statutory auditors | ||
| Investigate and seek external professional advice | ||
C. Basic framework to be considered by the Board and Audit Committee is as follows:
- Whether the framework for internal financial controls has been identified for the company and includes operations and regulatory compliances.
- Are there any gaps in current processes, control activities, or documentation, and if so, how are these being addressed?
- Whether all the policies and procedures are in place and who is responsible for communicating internal control considerations to external parties.
- What is the role of information technology and data analytics to help continuously monitor internal control systems?
Internal Control framework
|
Components of Internal Control |
Description |
| Control Environment |
|
| Risk Assessment |
|
| Control Activities |
Also including general IT controls |
| Information system Communication |
|
| Monitoring |
|
7. Auditors Responsibility, Applicability & Reporting
a) According to the “overall objective of the Independent Auditor” defined in Part A1 of SA 200:
- The applicable laws and regulations may require auditors to provide opinions on other specific matters, such as the effectiveness of internal control.
b) Criteria/ Framework by SA 315- Components of Internal Control.
- Companies that have the components of internal controls as need to adopt a Criteria / Framework stated in the Guidance Note.
- Auditor’s IFCoFR report to specify identification of the benchmark criteria used by the management for establishing IFCoFR.
- Failure by the management to establish a system of IFCoFR considering the essential components of internal controls stated in the Guidance Note would result in a disclaimer of opinion in the IFCoFR reporting by the auditor.
- The auditor should consider the requirements of SA 230, “Audit Documentation” when documenting the work performed on internal financial controls.
SA 320 “Materiality in Planning and Performing an Audit” should be used to assess the materiality in planning the audit of IFC. Further,
- Reporting is applicable to consolidated financial statements.
- IFCoFR is not applicable to interim financial statements unless such reporting is required under law or regulation.
- Elaborate Audit Procedures – Audit of IFC is broader than the audit procedures carried out for reporting under CARO clauses on adequacy of internal controls.
- Auditor should report if the company has an adequate internal financial controls system in place and whether the same was operating effectively as at the balance sheet date.
- When forming the opinion on internal financial controls, the auditor should test the same during the financial year under audit and not just as at the balance sheet date, though the extent of testing at or near the balance sheet date may be higher.
Focus points for auditors
- Concepts of materiality and professional judgment to apply to matters reported by component auditors,
- Approach to change from Only Substantive procedures to Control reliance,
- Approach to change from testing account balances to ‘class of transactions’
- In view of the inherent risk of management override, the auditor will need to identify and consider appropriate fraud risk factors when testing the control,
- Auditors should give adequate time, to management for remediating deficiencies identified, and to the audit team to test the remediated controls.
Conclusion: Mastering Internal Financial Control goes beyond regulatory compliance; it is a cornerstone of sound governance. The Companies Act, 2013, aligning with global standards, reinforces the need for robust controls, transparent reporting, and accountability. As auditors navigate the complexities of IFC, their role becomes pivotal in ensuring the adequacy and effectiveness of controls, contributing to a resilient financial ecosystem. In conclusion, the evolving landscape of IFC demands a proactive approach, constant adaptation, and unwavering commitment to financial integrity.
*****
The contributors to the Article are Sumit Mahajan, AccuWiz Consulting LLP along with inputs from Hemant Mishra.
Disclaimer: The content/information is only for general information of the user and shall not be construed as legal advice. The facts stated are based on information available in public domain. Views expressed above are personal.
Author Bio
