Internal Financial Controls Role & Responsibility of Auditors CA V. Balaji November 2015

Upload: baldwin-franklin

Post on 20-Jan-2016


Internal Financial Controls: Role & Responsibility of Auditors

CA V. Balaji

November 2015


Contents


1. ICFR – Global Scenario

2. Key Matters For Consideration by Companies and Auditors

3. Framework for ICFR

4. Implications and Benefits of ICFR

5. Key Considerations – Implementation of ICFR Framework in a Company

6. Guidance

7. Key Considerations in Year - One


Internal Control over Financial Reporting – Global Scenario


Internal Control Over Financial Reporting – Global Scenario

Definition of ICFR

Those policies and procedures that pertain to an entity’s ability to initiate, record, process and report financial data consistent with the assertions embodied in either annual or interim financial statements

Requirements in USA

• In June 2003, US SEC adopted Rules for the implementation of Sarbanes – Oxley Act (SOX) that required certification of the Internal Controls over Financial Reporting (ICFR) by the management and by the auditors.

Requirements in Japan

• In June 2006, the Financial Institution and Exchange Laws (J-SOX) was passed by the Diet, with requirements on ICFR similar to SOX.


Internal Control Over Financial Reporting – Global Scenario

Reporting by the auditors

Integrated Audit - The auditor expresses two opinions:

1. Opinion on internal control over financial reporting, which requires:

‒ Evaluating and opining on management’s assessment of the effectiveness of internal control over financial reporting (Japan).

‒ Evaluating and opining on the effectiveness of internal control over financial reporting (Only in USA).

2. As well as the Opinion on the Financial statements


Internal Control Over Financial Reporting in India

• Clause 49 of the Equity Listing Agreement requires CEO / CFO sign off on ICFR in case of equity listed entities

• Companies Act 2013 requires Directors’ Responsibility Statement, in the case of listed companies, to include a statement that they have laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

• In case of unlisted companies, the Board Report to state the details in respect of adequacy of internal financial controls with reference to the Financial Statements.

• Audit Committee is required to evaluate the Company’s internal financial control systems (IFC).

• Auditors required to report on whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

‒ Such reporting required for all companies whether listed or not

• Standards on Auditing (SA) 700 “Forming an Opinion and Reporting on Financial Statements” issued by the ICAI, at present, specifically requires the auditor to state that the auditor’s consideration of the internal controls in the entity is not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.


Key Matters For Consideration by Companies and Auditors


Internal Financial Controls under Companies Act, 2013

The Internal Financial Controls in the Companies Act, 2013 go beyond Internal Financial Controls Over Financial Reporting (IFCoFR)

The resultant IFC framework adopted by the company will have to address a combination of internal controls on financial reporting and other controls in order to align with the definition of IFC in the new Act.

As per Companies Act 2013, Internal Financial Controls means:

• Accuracy and completeness of accounting records

• Prevention and detection of frauds and errors

• Safeguarding of assets

• Policies and procedures adopted by the Company for ensuring orderly and efficient conduct of its business

• Timely preparation of reliable financial information


© 2015 Deloitte Haskins & Sells LLP

IFC and IFCoFR – Coverage for Reporting

[Diagram: coverage for reporting. Labels: Internal Financial Controls; Operations Controls + IFCoFR; Adequacy + Effectiveness; Board report for an unlisted company; Director Responsibility for a Listed company; Auditor.]


Internal Financial Control Framework

Framework components:

• Internal Controls over Financial Reporting - Process level controls

• Entity Level Controls

• Leverage existing monitoring framework for operational controls:

‒ Enterprise Risk Management

‒ Operations related accreditation – E.g. US FDA, etc.

‒ ISO Audits

‒ Standard Operating Procedures

‒ Internal Audits

‒ Legal compliance framework

Outcomes:

• Risk and control matrices for processes - demonstrating adequacy and effectiveness of controls over Financial Reporting (ICFR)

• Risk and control matrices for Entity Level Controls (IFC & ICFR)

• Integrated framework leveraging existing monitoring practices - demonstrating adequacy and effectiveness of operational controls (IFC)


Key Issues To Be Noted By Companies

• Companies Act, 2013 does not prescribe a framework that may be considered by companies in establishing IFC

‒ In the absence of a framework to be adopted by the company, auditor cannot benchmark and test the design and operating effectiveness of IFC with the framework.

‒ In India, Appendix 1 to SA 315 provides the components of an internal control system.

‒ Other international frameworks such as COSO, Turnbull Report, etc. available.

• Responsibility statement on system of IFC not applicable in the case of consolidated financial statements.

• In large organisations, management likely to engage Internal Auditors in testing the design and operating effectiveness of IFC to facilitate reporting by the Directors.

‒ Existing Standards on Auditing do not permit statutory auditor to use the work of the Internal Auditor as deemed appropriate for reporting on IFC.

• Reporting by auditor is specified for all companies.

‒ Reporting on IFC in USA is only applicable for listed companies – accelerated and large filers

‒ In Japan, reporting on IFC is applicable for listed companies and other companies as may be required by the Government


Key Issues To Be Noted By Auditors

• Internal financial controls include systems in the company for ensuring

‒ the orderly and efficient conduct of its business

This matter is proprietary and auditors may not be able to comment on the same. SA 200 specifically excludes this as an objective of the auditor.

‒ the accuracy of the accounting records, and the timely preparation of reliable financial information

Auditors apply the concept of materiality in their audits. Audit is performed to obtain reasonable assurance and the opinion would state whether an effective internal financial control system was maintained and operated in all material respects.

• Standards on Auditing 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment” defines Internal Control as follows:

“The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.” (Emphasis added)


• Auditor’s reporting u/s 143(3)(i) shall relate to Internal Financial Controls over Financial Reporting

• Sec 143(3)(i) requires the auditor to report whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

‒ Reporting on internal financial controls system is similar to reporting on operations of the company. Whilst the testing is carried out on the transactions recorded during the year, the reporting is as at the balance sheet date. For example, if the company’s revenue recognition was erroneous through the year under audit but was corrected, including for matters relating to internal control that caused the error, as at the balance sheet date, the auditor is not required to report on the errors in revenue recognition during the year.

• IFCoFR is not applicable to interim financial statements unless such reporting is required under law or regulation

• Audit of IFCoFR is broader than the audit procedures carried out for reporting under CARO clauses on adequacy of internal controls


Applicability to consolidated financial statements

Section 129(4) of the 2013 Act states that the provisions of the 2013 Act applicable to the preparation, adoption and audit of the financial statements of a holding company shall, mutatis mutandis, apply to the consolidated financial statements.

Based on the above,

• Reporting on IFCoFR is applicable to consolidated financial statements

• Approach to be adopted similar to reporting on CARO – i.e. on the basis of reports as submitted by auditors of components, which are Indian companies

• Concepts of materiality and professional judgment to apply to matters reported by component auditors


Financial Statement Audit with Control Reliance Strategy (FS-CRS) Vs. Combined audit (CA)

Audit Element: Requirement to test OE of Entity-Level Controls

‒ FS-CRS: Only when control activities we plan to rely on are dependent on those Entity-Level Controls

‒ CA: Yes

Audit Element: Extent of our understanding of the entity's flows of transactions and of our walkthroughs

‒ FS-CRS: Understanding and walkthrough to identify and understand controls we intend to rely on

‒ CA: Understanding and walkthrough to identify controls that address every risk of material misstatement

Audit Element: How does evaluation of information used in a relevant control ("IUC") vary?

‒ FS-CRS: May test accuracy and completeness of IUC either directly or through test of controls

‒ CA: Test accuracy and completeness through test of controls

Audit Element: For which controls would we test OE?

‒ FS-CRS: Those we intend to rely on in order to alter our planned substantive procedures

‒ CA: All relevant controls

Audit Element: Requirement to assess the “risk associated with the control” (“RAWC”) and to increase our sample size based on RAWC being assessed as higher

‒ FS-CRS: No

‒ CA: Yes


Framework for Internal Financial Control over Financial Reporting


Criteria / Framework by SA 315 - Components of Internal Control

• Control Environment

• Risk Assessment Process

• Information system and Communication

• Control Activities

• Monitoring Controls


• Companies need to adopt a Criteria / Framework that has the components of internal controls as stated in the Guidance Note on Audit of IFCoFR

• Auditor’s IFCoFR report to specify identification of the benchmark criteria used by the management for establishing internal financial controls over financial reporting

• Failure by the management to establish a system of IFCoFR considering the essential components of internal controls stated in the Guidance Note on Audit of IFCoFR would result in a disclaimer of opinion in the IFCoFR reporting by the auditor


Implications and Benefits of ICFR


What Does ICFR mean to Entities?

Directors' Responsibility on ICFR requires renewed emphasis and discipline regarding internal controls over financial transactions, financial systems and financial statements

Stakeholders and Requirements

CEO/CFO

• NEW: Adopt a structured and generally accepted internal controls framework

• NEW: Establish processes to assess risk and monitor the on-going effectiveness of internal controls

Audit Committee

• Strong working relationship between audit committee and auditor while maintaining independence

• NEW: A financial expert on the audit committee; heightened involvement and oversight expectations

• NEW: Establish a procedure for receipt, retention and treatment of complaints and anonymous tips

Controllers

• Implement and maintain effective internal controls over financial transactions

• NEW: Document, test, remediate and monitor internal controls

• NEW: Represent to Management that internal controls are operating effectively

Internal Audit

• NEW: Implement process to assess risk and monitor the on-going effectiveness of internal controls

• NEW: Provide and maintain supporting processes and infrastructure for on-going monitoring

External Auditors

• Audit financial statements and opine to management’s representations about them

• NEW: Test internal control compliance and opine on the adequacy of the internal controls environment

Represents an opportunity for Company to standardize and enhance business processes and controls across the global financial operation based on company “best practice”


Benefits of ICFR

• Senior Management Accountability

• Improved controls over financial reporting process

• Improved investor confidence in entity’s financial reporting process

• Promotes culture of openness and transparency within the entity

• Trickling down of accountability to operational management

• Improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls

• More accurate, reliable financial statements

• Making audits more independent

Additional value to companies

• Fresh independent look at key business processes

• Identification of potential operating process opportunities

• Updated formal, centralized, and managed financial internal controls documentation for the Company

• Enhanced support to CEO/CFO certifications

• Should result in an enhanced control environment and thereby mitigate Risk

• Better understanding of internal controls


Guidance on testing internal controls


Some Key Terminologies

Abbreviation: Description

CISSP: Certified Information Systems Security Professional

CoCo: Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants

COSO: Committee of the Sponsoring Organisations of the Treadway Commission

D&P: Direct and Precise

ELC: Entity Level Controls

ERM: Enterprise Risk Management

GITC: General Information Technology Controls

ICFR: Internal Controls over Financial Reporting

IPE: Information Produced by the Entity

IT: Information Technology

PCAOB: Public Company Accounting Oversight Board

ROMM: Risk of material misstatements

SA: Standards on Auditing

SOX: Sarbanes – Oxley Act


Flowchart Illustrating Typical Flow of Audit of Internal Financial Controls Over Financial Reporting


The Top-Down Approach


Internal Financial Controls over Financial Reporting – Typical Coverage

[Diagram: typical coverage, shown against a background of Governance, Risk Mgmt. and Compliance labels.]

Control layers shown: Entity Level Control; Process Level Control; IT Controls

Processes shown: Billing system; Receivable; Procure to Pay; Payroll & Hire to Retire; Fixed Assets; Inventory Management; Treasury; Record to Report; Duties and Taxes

Other labels: Corporate Governance; Risk Assessment; Policies & Procedures; ERP; Other Applications


Entity Level Controls

• Tone at the TOP

• Board of Directors and Audit Committee Charters

• Risk Management

• Integrity and Ethical values

• Assignment of Authority and responsibility

• Organization structure

• Management’s Philosophy and Operating style

• Human Resource management

• Monitoring

ELCs are generally not direct and precise and accordingly may not be controls addressing specific risks for our IFCoFR audit opinion.

Evaluation of ELCs can result in increase / decrease in testing that auditor otherwise would have performed on other controls


Direct and Precise Controls – Design Criteria

Level of precision is whether the control is designed and operating to prevent or detect on a timely basis misstatements that could cause the financial statements to be materially misstated. Factors that can affect the level of precision of an entity-level control include the following:

• Objective of the review - A procedure that functions to prevent or detect misstatements generally is more precise than a procedure that merely identifies and explains differences.

• Level of aggregation - A control that is performed at a more granular level generally is more precise than one performed at a higher level. For example, an analysis of revenue by location or product line normally is more precise than an analysis of total company revenue.

• Competency of the person performing the control

• Consistency of performance - A control that is performed routinely and consistently generally is more precise than one performed sporadically.


• Correlation to relevant assertions - A control that is indirectly related to an assertion normally is less likely to prevent or detect misstatements in the assertion than a control that is directly related to an assertion. For example, a control designed to detect errors in the recorded amounts of accounts receivable might not operate with a sufficient level of precision to detect errors in the valuation of doubtful receivables.

• Predictability of expectations - Some entity-level controls are designed to detect misstatements by using key performance indicators or other information to develop expectations about reported amounts ("detective controls"). The precision of those controls depends on the ability to develop sufficiently precise expectations to highlight potentially material misstatements.

• Criteria for investigation - For detective controls, the threshold for investigating deviations or differences from expectations relative to materiality is an indication of a control's precision. For example, a control that investigates items that are near the threshold for financial statement materiality has less precision and a greater risk of failing to prevent or detect misstatements that could be material than a control with a lower threshold for investigation.


Evaluate the Design of Control

• Process level controls generally operate at a number of levels:

- At senior levels of management, the control activities are more likely to be high-level procedures performed by management and are likely to involve greater aggregation of data and less consideration of detail.

- At lower levels, the control activities are likely to be focused on distinct sets of data and at a much greater level of detail.

- At the lowest level, detailed control activities are likely to relate to specific transactions.

• Commonly performed process controls:

- Reviews: Analytical, Transactional

- Reconciliations & Comparisons

- Safeguarding of assets

• Controls relating to information technology:

- Data centre operations controls

- System software controls

- Access security controls

• Application controls: Tolerances, Authorizations, edits and validations, data reasonableness tests, predefined data listings, balancing control activities


Which Control to be Evaluated

• Any controls that fall under these categories may need to be evaluated:

- controls related to the initiation, recording, processing and reconciling of account balances, classes of transactions, disclosures, and related assertions included in the financial statements

- controls related to the initiation and processing of non-routine and nonsystematic transactions

- controls related to the selection and application of accounting policies

- controls related to the prevention, identification, and detection of fraud

• Controls, including information technology general controls, on which other controls are dependent. General controls include:

- data center operation controls

- system software controls

- access security controls

- application system development and maintenance controls


Evaluate Design Effectiveness

• In performing design effectiveness we need to evaluate the following:

- Owner of control

- Description of process flow

- Properly designed i.e. is the control meeting the desired control objective

- Document control deficiencies, if any

- Classify deficiencies into: Material weakness, Significant deficiency, Internal control deficiency

• Prepare Remediation plan


Process vs. Control

• Process and controls are two very different aspects. Often they are used interchangeably; hence it is important to understand the difference between them.

‒ A Process describes the action of taking a transaction or an event through an established and usually a routine set of procedures or steps.

‒ A Control is an action or activity taken to prevent or detect misstatements within the process.

• The following examples distinguish a process from a control:

Example 1:

Control description: Company engages an Actuary Firm to prepare the actuarial report.

Pitfall: Hiring a specialist may add competency to management’s control and is a process, but it is not a control in itself.

Improved control description: Management reviews and discusses the Actuarial Report, including key assumptions, with the specialist to assess the appropriateness of the assumptions and conclusions reached.


Example 2:

Control description: The Financial Controller prepares a memo documenting the basis for the entity’s conclusions regarding impairment.

Pitfall: Preparing an analysis is typically a process step and not a control; the control is the activities performed to verify that the analysis is appropriate.

Improved control description: The CFO reviews the Impairment Analysis Memo and supporting documentation prepared by the Controller to assess the appropriateness of the conclusions reached.

Example 3:

Control description: The billed revenue file is summarised at the month end and the total is recorded into revenue.

Pitfall: Recording an event or transaction is a process step; the control is the activity that is performed to verify that the recording was appropriately performed.

Improved control description: The Accounting Manager verifies that the billed revenue was properly recorded to revenue by comparing the billed revenue file to the revenue recorded in the general ledger.


Example 4:

Control description: When new contracts are entered into or existing contracts are modified, the accounting manager determines and documents in a memo, the applicable revenue recognition model to be used for the contract.

Pitfall: Determining the revenue recognition model and documenting the same are process steps. They do not have any preventive or detective action steps.

Improved control description: The controller reviews and approves the revenue recognition memo prepared by the accounting manager. As part of the review process, the controller reads all the relevant excerpts from the contract and applicable professional standards as well as reviews and challenges, as appropriate, the conclusions documented in the memo.


Test the Operating Effectiveness of Control

Tests of controls are usually performed using the following techniques, often in combination:

Corroborative enquiry: This procedure, consisting of detailed interviews to obtain evidence about the effectiveness of controls, is performed in tandem with other procedures (e.g., examination of documentary evidence) to corroborate the information derived from the inquiry.

Observation: Observing the performance of a control activity often provides substantial evidence of its effectiveness. For example, the auditor may test controls over inventory by observing that employees who perform and record the counts follow management's written instructions. But observation of a control activity in action ordinarily does not, in itself, provide sufficient evidence of the effectiveness of the control activity, mainly because observations may not be representative of the usual performance of a control activity: management and staff may perform their tasks more diligently if they know they are being observed.

Examination of Documentation: If performance of a control activity is documented, the auditor can obtain evidence of its performance by examining the documentation, both electronic and written.

Re-performance: Re-performance may be effective for testing application controls, because the computer processes transactions systematically.


Points to be kept in mind:

• Inquiry alone is not adequate; extensive testing procedures should be carried out

• Management should not rely solely on self assessment procedures but Independent Monitoring is required

• If the company uses an outside service provider for certain business functions you should request from the provider a report on the effectiveness of internal control at the outside company.


The following guidance related to the frequency of the performance of control may be considered when planning the extent of tests of operating effectiveness of manual controls for which control deviations are not expected to be found. The auditor may determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity dependent on whether assessment has been made on a lower or higher risk of failure of the control.

Frequency of Control Activity and Sample Size

Frequency of control activity                        Minimum sample size, by risk of failure
                                                     Lower     Higher
Annual                                               1         1
Quarterly (including period-end, i.e., +1)           1+1       1+1
Monthly                                              2         3
Weekly                                               5         8
Daily                                                15        25
Recurring manual control (multiple times per day)    25        40


IT General Controls – Typical Coverage

[Diagram: General IT Controls for ERP / Other Applications, shown against a background of Governance, Risk Mgmt. and Compliance labels.]

General IT Controls

1. User access management (IFCoFR)

2. Change management (IFCoFR)

3. Data center – physical and environmental controls (IFC)

4. Information security – logical access to application, database and operating system (IFCoFR)

5. Backup and restoration (IFC)

6. Job scheduling (IFC)


GITCs and IPE

When identifying and understanding relevant controls, it is important to consider whether a control is dependent upon other controls [e.g., General IT controls (GITC)] or information produced by the entity (IPE).

• The design of the control cannot be concluded upon without also considering the other control or IPE, or

• The control cannot be concluded to be effective unless the other controls are also effective.

For example, the automated generation of invoices may be dependent upon the price look-up table that is maintained by the invoicing clerk, in which case, the controls related to that look-up file (e.g., access controls) would be relevant in determining whether the automated generation of invoices is effective.


Similarly, if the control is dependent on the accuracy and completeness of a report, then either the controls related to the preparation and maintenance of the report need to be evaluated or the report needs to be directly tested. However, if the accuracy and completeness of the information is the objective of the control, then the control is operating on that information and, therefore, is not dependent upon it.

Example of IPE that a control is dependent upon: If a headcount report is used by the controller to perform a reasonableness test of payroll expense, the effectiveness of the controller’s analysis/review is dependent upon the accuracy and completeness of the headcount report. Accordingly, the headcount report is IPE and, therefore, its accuracy and completeness are considered as part of the evaluation of the design.

Example of IPE that a control is not dependent upon: A bank reconciliation is reviewed by the controller to determine that it was prepared properly. The purpose of the control is to determine that the bank reconciliation is accurate and complete, so the bank reconciliation is the subject of the control and, therefore, is not dependent on the IPE.

GITCs and IPE


IPE has 3 elements - Source Data, Report Logic and Report Parameters

Testing IPE

Element: Description

Source Data: The information from which the IPE is created. This may include data maintained in the IT system (e.g., within an application system or database) or external to the system (e.g., data maintained in an Excel spreadsheet or manually maintained), which may or may not be subject to general IT controls. For example, for a report of all sales greater than Rs.10,000, the source data is the database of all sales transactions.

Report Logic: The computer code, algorithms, or formulas for transforming, extracting or loading the relevant source data and creating the report. Report logic may include standardised report programs, user-operated tools (e.g., query tools and report writers) or Excel spreadsheets, which may or may not be subject to the general IT controls. For example, for the Debtors Aging report, the report logic is typically a program in the Debtors application that contains the code and algorithms for creating the Debtors Aging (report) from the Debtors sub-ledger detail (source data).

Report Parameters: Report parameters allow the user to look at only the information that is of interest to them. Common uses of report parameters include defining the report structure, specifying or filtering data used in a report, or connecting related reports (data or output) together. Depending on the report structure, report parameters may be created manually by the user (user-entered parameters) or they may be pre-set (there is significant flexibility in the configuration of parameters, depending on the application system), and they may or may not be subject to the general IT controls. For example, for a monthly report of slow moving inventory by warehouse location, the user enters the month and location code parameters to generate the reports.
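Where the report is tested directly rather than through the controls over its preparation, the three elements can be exercised together by re-performing the report. The sketch below is an added example, not part of the original deck: it uses the deck's "sales greater than Rs.10,000" report, and the transaction records, field names, parameter names and the `reperform`/`compare` helpers are all constructed for illustration.

```python
from decimal import Decimal

# Constructed source data: the sales transactions the report is built from.
SOURCE_DATA = [
    {"invoice": "INV-001", "month": "2015-10", "amount": Decimal("12500.00")},
    {"invoice": "INV-002", "month": "2015-10", "amount": Decimal("9800.00")},
    {"invoice": "INV-003", "month": "2015-10", "amount": Decimal("10000.00")},
    {"invoice": "INV-004", "month": "2015-10", "amount": Decimal("48200.50")},
    {"invoice": "INV-005", "month": "2015-11", "amount": Decimal("15000.00")},
    {"invoice": "INV-006", "month": "2015-10", "amount": Decimal("10000.01")},
]
# Constructed IPE: the report as handed over by the entity for October 2015.
IPE_REPORT = [
    {"invoice": "INV-001", "amount": Decimal("12500.00")},
    {"invoice": "INV-004", "amount": Decimal("42800.50")},  # altered amount
    {"invoice": "INV-005", "amount": Decimal("15000.00")},  # wrong period
]
# Report parameters the preparer states were entered (assumed names).
PARAMETERS = {"month": "2015-10", "threshold": Decimal("10000")}


def reperform(source, params):
    """Independent copy of the report logic: sales strictly above the threshold."""
    return {
        row["invoice"]: row["amount"]
        for row in source
        if row["month"] == params["month"] and row["amount"] > params["threshold"]
    }


def compare(ipe_rows, expected):
    """Classify each difference between the IPE and the re-performed report."""
    reported = {row["invoice"]: row["amount"] for row in ipe_rows}
    common = set(expected) & set(reported)
    return {
        # Completeness: rows the source supports but the IPE omits.
        "missing_from_ipe": sorted(set(expected) - set(reported)),
        # Logic or parameters: rows in the IPE that the stated run cannot produce.
        "not_supported_by_source": sorted(set(reported) - set(expected)),
        # Accuracy: same invoice, different amount.
        "amount_mismatch": sorted(i for i in common if expected[i] != reported[i]),
        # A totals-only check would see just this net figure.
        "total_difference": sum(reported.values()) - sum(expected.values()),
    }


if __name__ == "__main__":
    for finding, detail in compare(IPE_REPORT, reperform(SOURCE_DATA, PARAMETERS)).items():
        print(f"{finding}: {detail}")
```

On this constructed sample the totals differ by only Rs.400.01 although there are three row-level exceptions, which is why the comparison is made row by row rather than on the report total.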


Next steps:

• Document test results:
‒ tests performed and evidence obtained
‒ results of the tests
‒ conclusion as to the effectiveness of each control tested

• If the control is not operating effectively, document the internal control deficiency.

• Evaluate remediation plan

• Test outcome of remediation

Test the Operating Effectiveness of Controls


Test the Operating Effectiveness of Controls

Suggested approach for classifying deficiency:


© 2015 Deloitte Haskins & Sells LLP

Evaluation of Severity of Deficiencies

• Document considerations and basis for conclusions

• Where significant judgement is required to evaluate severity of a deficiency, apply appropriate professional skepticism.


Report on internal financial controls over financial reporting


• A ‘deficiency’ in internal financial control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

• A ‘significant deficiency’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting that is important enough to merit attention of those charged with governance since there is a reasonable possibility that a misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

• A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Report on Adequacy and Effectiveness of Control


• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.

• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

• The severity of a deficiency does not depend on whether a misstatement actually has occurred but depends on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement.

Report on Adequacy and Effectiveness of Control


• The auditor shall express a qualified opinion on Internal Financial Controls Over Financial Reporting when the auditor, having obtained sufficient appropriate audit evidence, concludes that such controls are designed, implemented or operated in such a way that they are unable to prevent, or detect and correct, material misstatements in the financial statements on a timely basis; or the control is missing, but the effects/possible effects of the material weakness in such internal controls are material but not pervasive to the financial statements.

• The auditor shall express an adverse opinion on Internal Financial Controls Over Financial Reporting when

(a) the effects/possible effects of the material weakness in such internal controls are both material and pervasive to the financial statements, even if the audit opinion on the financial statements is unmodified;

(b) the internal control framework adopted by the Company does not consider / adequately consider the essential components of internal control; or

(c) the audit opinion on the financial statements is required to be modified and such modification is also consequent to the material weakness in the company’s internal financial controls over financial reporting.

Report on Adequacy and Effectiveness of Control


• The qualified or adverse opinion on internal financial controls over financial reporting may relate only to the operating effectiveness of such controls or may relate to both the adequacy and operating effectiveness of such controls, based on the audit evidence obtained.

• The auditor shall disclaim an opinion on the company’s internal financial controls over financial reporting:

(a) if the company has not established its internal financial control over financial reporting on criteria based on any of the recognised internal control frameworks / considering the essential components of internal control; or

(b) the auditor is unable to obtain sufficient appropriate audit evidence to express an opinion on the internal financial controls over financial reporting but is able to perform appropriate substantive procedures to express an opinion on the financial statements; or

(c) when the auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion on the company’s internal financial controls over financial reporting, and / or the auditor concludes that consequent to the material weakness in such internal controls the possible effects on the financial statements of undetected misstatements, if any, could be both material and pervasive.

Report on Adequacy and Effectiveness of Control



Effect of modified report over IFCoFR on the audit of financial statements

Does not imply that audit report on financial statements should also be qualified. Assurance obtained by auditor is through both internal controls and substantive procedures

Auditor should determine the effect of deficiency in internal financial controls on substantive procedures to be performed to reduce audit risk to an appropriately low level

Regardless of assessed level of control risk or material misstatement, substantive procedures to be performed for all assertions

As a result of substantive procedures, if sufficient reliable audit evidence is obtained to address identified risk, do not qualify audit opinion on financial statements


Key Considerations in Year - One


ICFR - Common Myths of Companies

Scope and plan → Assess and define → Identify and document → Test and remediate → Monitor, certify and assert

• Meeting CARO requirement is sufficient

• There is no need to document processes and controls

• Testing of controls and remediation of deficiencies is the responsibility of auditors

• We don’t need a process for ICFR certification to Board / AC. We know people are doing it and no exceptions are identified by the auditors

• We don’t need to revisit processes and controls.

• Why do we need to look at cost / benefit for controls? Everything is essential

• Materiality is for financials. It doesn't really impact control considerations

• We have a good SLA with service providers. We don’t need to evaluate their controls

• We understand controls. There is no need for training and development of our people

• Automation through ERP – Controls are automatically in place

• We don’t need an oversight body to oversee all changes in processes / controls

• We don’t need to link risks with controls.



Points of Focus – Mindset of Auditors

Shift from ‘only substantive’ procedures

• Mindset change from obtaining assurance from ‘only substantive’ procedures to control reliance, which should lead to cost benefits on the audit.

Timing of procedures

• Should give adequate time to management for remediating deficiencies identified, and to the audit team to test the remediated controls

• Consultation to be early – to permit remediation before reporting date


Key Considerations

• Implementation of enterprise-wide, executive-driven internal control management program

• Implementation of enterprise risk management program

• Controls associated with the recording of non routine, complex, and unusual transactions

• Formalization of processes, standard operating procedures, workflows, authority matrix

• Redeployment of work routines to enable audit trails, evidencing the reviews, etc.

• Maker – checker control / 4 eye principle

• Segregation of duties and access controls


• Lack of an enterprise-wide, executive-driven internal control management program

• Lack of a formal enterprise risk management program

• Inadequate controls associated with the recording of non routine, complex, and unusual transactions

• Lack of effective controls over the IT environment

• Ineffective financial reporting and disclosure preparation processes

• Lack of formal controls over the financial closing process

• Lack of current, consistent, complete, and documented accounting policies and procedures

• Inability to evaluate and test controls over outsourced processes

• Inadequate board and audit committee understanding of risk and control

Key Challenges


Questions?