
Viewpoint: Corporate Affairs

Internal Financial Controls

Is Corporate India Ready?

Sumit Seth, Partner, Price Waterhouse

The Companies Act 2013 has brought in a flurry of changes that aim to raise corporate governance standards in India. These changes have not only widened the
mandate for management, but also for the Board of Directors, and auditors. One
such requirement relates to the maintenance of Internal Financial Controls (IFCs).
The 2013 Act requires directors and auditors to report on the adequacy and
operating effectiveness of IFCs. While this provision was originally applicable to financial
statements for the year ending 31 March 2015, due to a lack of guidance, this was deferred by one year. Also, the Ministry of Corporate Affairs (MCA) retained the somewhat
limited internal control-related reporting requirement in specific areas under the Companies
(Auditor's Report) Order, 2013 (CARO).
Undoubtedly, reporting on IFCs is a paradigm shift from the current reporting requirements under CARO. The Institute of Chartered Accountants of India (ICAI) has issued a long-awaited Guidance Note on Audit of Internal Financial Controls over Financial Reporting.

What does IFC encompass?


The term internal financial controls is defined in Section 134(5) (e) of the 2013 Act
to include policies and procedures adopted by the company to ensure:
Orderly and efficient conduct of business, including adherence to policies;
Safeguarding of assets;
Prevention and detection of fraud and errors;
Accuracy and completeness of accounting records; and
Timely preparation of reliable financial information.
This definition of IFCs is broad-based and does not restrict itself to financial reporting. It includes both operating controls and internal financial controls over financial reporting (ICFR). Operating controls are those designed to provide reasonable assurance on business operations, process efficiency and effectiveness. ICFR, meanwhile, includes controls designed to provide reasonable assurance that the company's financial statements are reliable and prepared in accordance with Generally Accepted Accounting Principles.
This significantly increases the responsibility of directors of listed companies, and of audit committees. To effectively discharge their responsibilities, both sets will need to rely on the management to provide sufficient and appropriate documentation to confirm their assessment and evaluation of the effectiveness of IFCs.

16 CFOCONNECT November 2015

Auditor responsibility
The guidance note clarifies that for auditor reporting under Section
143 (3) (i) of the 2013 Act, the term IFC is restricted to the audit
of financial statements, and relates to internal control over financial
reporting only (ICFR). This is consistent with global practices, such
as the US Sarbanes-Oxley Act of 2002 (SOX). This removes ambiguity by excluding from
the auditor's scope operational controls, such as those facilitating the effectiveness and
efficiency of operations. It also differentiates ICFR from enterprise risk management and
risk management policies, which Boards are required to oversee.
The guidance note reproduces the definition of ICFR from the US Auditing Standard
(AS) 5: An audit of internal control over financial reporting that is integrated with an audit of
financial statements issued by the Public Company Accounting Oversight Board (PCAOB):
A process designed to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in accordance
with generally accepted accounting principles. A company's internal financial control over
financial reporting includes those policies and procedures that:
(i) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly
reflect the transactions and dispositions of the assets of the company;
(ii) Provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in accordance with the authorisation of management and directors of the company; and
(iii) Provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect
on the financial statements.
This aligns the auditor's responsibility in the context of financial reporting and preparation of
financial statements.

To whom does this apply?


The guidance note clarifies that reporting on ICFR by auditors will be applicable to both
listed and unlisted companies, including small and one-person companies. This is in line with
the requirements of Section 143 (3) (i) of the 2013 Act. Furthermore, it states that auditors
will have to report on ICFR in respect of both standalone and consolidated financial statements. With respect to the latter, it covers subsidiaries, joint ventures (JVs) and associates
of the group, which are incorporated in India, since the 2013 Act applies to such entities.
Auditors of foreign subsidiaries of an Indian parent are not required to report on ICFR.

Building blocks of an ICFR audit and what this means for management
Criteria for effective IFCs
The starting point for effective IFCs is defining an appropriate benchmark for the internal control framework against which
management and auditors can measure and evaluate compliance.
In this regard, the guidance note draws upon the Internal Control
Components of the Standard on Auditing (SA) 315, Identifying and
assessing the risks of material misstatement through understanding
the entity and its environment.
To demonstrate the operating effectiveness of IFCs, the management
must evaluate and document the adequacy and effectiveness of the
following five components:
Control environment: Including the communication and enforcement of integrity and ethical values across the organisation, active
participation by those charged with governance, the management's
philosophy and operating style (aggressive or conservative), HR
policies and practices, relevant organisational structures (including
assignment of authority and responsibility).
Risk assessment processes: Including how the management identifies risks pertaining
to the preparation of financial statements, for instance, due to changes in the operating
and regulatory environment, and in technology, as well as risks arising from the company's
operations (including overseas) or its workforce, new business models, and corporate
restructuring. Management must assess the probability of occurrence and set in place
mitigation plans.
Control activities: At the core of ICFR are specific process-level controls such as management performance reviews of financial and operating data, information processing and
physical security controls, and segregation of duties (SOD) controls related to custody of
assets and recording of transactions.
Information system and communication: Including business processes that are relevant
for financial reporting, such as communication, and the quality and reliability of system-generated information. This is important because it affects the management's ability to make
decisions and prepare reliable financial reports.
Monitoring of controls: Includes an evaluation of whether they are operating as intended
and modified as per changes in external environment.

Key steps in an ICFR audit


Identifying significant account balances and disclosure items
The first step in an ICFR audit is identifying, and then focusing on, significant accounts
in the financial statements. This assessment is based on an evaluation of qualitative and
quantitative risk factors including the size, nature, composition, and susceptibility to misstatement (due to both errors and frauds). For instance, accounts such as revenue, purchases,
payroll, treasury, and fixed assets, are significant in a typical manufacturing enterprise.
This is related to the fact that management is required to perform a risk assessment
as part of the process of evaluating adequacy and effectiveness of IFCs. This also links to
Section 134(3) (n) of the 2013 Act, which requires the board report to include a statement
on the development and implementation of a risk management policy.
Identifying and understanding significant flows of transactions
The second step for the auditor is understanding the flow of transactions, and related
processes or sub-processes, linked to different assertions, including how these transactions
are initiated, authorised, processed, and recorded. In this regard, the auditor can leverage
management documentation such as Process Narratives, Flow Charts and Risk and Control
Matrix about the company's ICFR. A keen understanding of information technology systems
and the period-end financial reporting process is critical for the audit process.
Identifying risk of material misstatements (ROMM) and setting in place controls to address those risks
The auditor has to identify likely sources of potential misstatement (LSPM), which is linked to an analysis of 'what could go wrong?' This identifies points within different processes at which a material error, including a misstatement due to fraud, could arise. For instance, one LSPM in a sales process is incorrect cut-offs that result in an overstatement or understatement of revenues for a reporting period. In this regard, the company must have controls to mitigate the risk of incorrect cut-offs. Controls to address ROMM can be at the level of the entity, such as the review of budgets versus actuals, or at the level of processes.
Identify applications, associated IT environment, IT general controls
Further, a process control can be either manual or automated/IT-dependent. Identification of risks and controls within IT is not a separate evaluation; instead, it is an integral part of the walkthrough and top-down approach used to identify significant accounts and their relevant assertions, and the related controls. Further, the implementation of a well-known ERP by itself does not ensure effective IT general controls; IT controls have to be both designed and operating effectively.
Testing of controls
Finally, the auditor tests the design, implementation, and operating effectiveness of selected
controls. The nature, timing and extent of testing will depend on the degree of risk associated with the control. Specifically, the guidance note permits auditors to use the concept of
materiality in determining the extent of testing. For example, controls related to areas with
high inherent risk, fraud risk, as well as areas involving estimates such as impairment, would
typically require more attention.

An integrated audit model


Both companies and auditors in India must come to terms with the concept of an integrated,
or combined, audit, one that includes the audit of both ICFR and financial statements. The
guidance note acknowledges that while the objectives of the audit of ICFR and that of financial
statements are different, the auditor must plan and perform in such a way that it achieves
both objectives in an integrated manner. The auditor must seek to obtain sufficient evidence
to support both his opinion on the IFC as of year-end, as well as control risk assessment for
the purposes of the audit of financial statements. This is an area where early dialogue and
engagement between auditors, management and audit committees can result in an efficient
and effective combined audit.

Reporting
The Standards on Auditing (SA) issued by the ICAI do not fully address the auditing
requirements for reporting on ICFR. The guidance note only suggests that the auditor will
have to consider the relevant portions of the SA during an audit of ICFR. It, however, provides
supplementary procedures that the auditor should use. Auditors will have to issue a qualified
or an adverse opinion on ICFR if they identify material weaknesses in the company's ICFR.
Material weakness is defined as a deficiency, such that there is a reasonable possibility that
a material misstatement of the company's annual or interim financial statements will not be
prevented or detected on a timely basis. A material weakness in ICFR can also arise due to a
missing control or a control not operating effectively. The guidance note specifies the following
indicators of material weaknesses:
Identification of fraud, whether or not material, on the part of senior management
Errors observed in previously issued financial statements repeated in the current financial year
Identification by the auditor of a material misstatement of financial statements that would
not have been detected by the company's ICFR
Ineffective oversight of the company's external financial reporting and internal
financial controls over financial reporting by the company's audit committee
An adverse opinion will be issued if such matters are pervasive in the financial statement, i.e. they impact various elements, accounts, or items, or a substantial portion, of the financial statement. In addition, significant control deficiencies will have to be reported to the audit committee and management. This is expected to contribute to an effective two-way dialogue between auditors and Board members charged with governance.
Clearly, material weaknesses in internal control systems, and related qualifications in the auditor's report, will ultimately undermine investor confidence in the company's standards of financial reporting. It should, therefore, be a top priority for the management to address such risks.

When does this apply, and for which financial statements?
The guidance note clarifies that auditors should report on the adequacy and operating effectiveness of ICFR as of the balance sheet date, which is end-March of the respective year. In practice,
this means that while forming its audit opinion on ICFR, the auditor will test transactions conducted
during the financial year ending 31 March, and not just as of the balance sheet date, although
the extent of testing at or near the balance sheet date may be higher.
If issues are identified in the interim and remedial measures are taken before the balance sheet
date, the auditor may still be able to express an unqualified opinion on ICFR. For instance, for
control deficiencies recognised during the quarter-ending September, the management will have
the opportunity to address these by implementing new controls before end-March.
However, evaluating such newly implemented controls will require time, depending on the
nature and frequency of operation. This evaluation, however, is a professional judgement. This
is particularly important for the current year ending 31 March 2016, as this is the first year for
auditor validation of ICFR. An early start may help companies avoid risks of material weaknesses
or control deficiencies.
Finally, reporting on ICFR will not apply to interim financial statements, such as quarterly or
half-yearly, unless such reporting is required under any other law or regulation.

Comparison with international practices


Interestingly, on several counts, the guidance note is similar to PCAOB Auditing Standard
5, which is applicable for SOX reporting in the US. For one, the guidance note includes several
paragraphs from the US standard, such as, the definitions of significant deficiency and material
weakness related to internal controls. Further, in both India and the US, auditors are not required to
report on the management's assertion on the effectiveness of ICFR. Rather, the auditor independently
assesses and states his assertion on the adequacy and effectiveness of ICFR.
There are, however, some differences. In the US, the Securities and Exchange Commission (SEC)
offers interpretative guidance to companies' management for evaluating ICFR, which is separate
from that for the auditors. The guidance suggests that the management follow a top-down, risk-based approach to evaluating ICFR, and allows it to exercise significant judgment and customise
its evaluation based on the company's context. It also ensures an appropriate balance between
management's evaluation and the audit process. India does not have such guidance for management yet, so this is an area that regulators could review going forward.

What next?
The guidance note is a fairly comprehensive, over 200-page-long document, containing detailed
guidance in several areas related to ICFR, such as internal control components, entity-level controls,
information technology controls, documentation of process flows, including flow
charts and risk control matrix, use of service organisations, and sampling. Both management and auditors should quickly familiarise themselves with this note in order to gear up for the fast-approaching March 31, 2016 year-end reporting on IFC.
Compliance will require intense focus and involvement by directors and senior management, as well as resources, given the need for documentation. This is also an excellent opportunity for companies to strengthen the quality of their internal control systems, the quality, efficiency and timeliness of financial reporting, as well as the ability to prevent and detect frauds. This, in turn, can raise the level of confidence the audit committee, investors, and other stakeholders have in the company's ICFR and financial reporting.
Corporate India should embrace the new era of corporate governance and make the most of this new legislation. Hopefully, this will not become a 'tick in the box' checklist.
