Understanding Internal Financial Controls

Upload: codomain

Post on 28-Feb-2018


TRANSCRIPT

  • 7/25/2019 Understanding Internal Financial Controls

    1/27

    CODOMAIN


    IFC: INTERNAL FINANCIAL CONTROL


    India :- Age of Corporate Governance

    CII 1998

    SEBI Clause 49 2000

    Naresh Chandra Committee 2002

    KM Birla Committee 1999

    DCA Task Force on Corporate Excellence 2000

    Narayan Murthy Committee 2003

    DCA Report 2003

    Amend Clause 2004


    In June 2003, the Securities and Exchange Commission (SEC) of the United States of America a

    Rules for the implementation of Sarbanes Oxley Act, 2002 (SOX) that required certificatio

    Internal Controls over Financial Reporting (ICFR) by the management and by the auditors.

    The Public Company Accounting Oversight Board (PCAOB) has issued its Auditing Standard (AS) 5 on An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.

    In June 2006, the Financial Instruments and Exchange Act (J-SOX) was passed by the Diet, the National Legislature of Japan. The requirements of this legislation are similar to the requirements of internal controls over financial reporting under SOX.

    IFC :- Global Scenario


    Major corporate and accounting scandals: Satyam, Financial Technologies (India) Limited

    Decline of public trust in accounting and reporting practices

    Indian regulations modified to reflect the regulatory developments in the western world

    SOX Act 2002, HIPAA, J-SOX and PCI-DSS are a few examples of regulatory changes introduced by the western world.

    Introduction of Internal Financial Controls (IFC) in the Companies Act 2013 reflects the continuation of this trend

    Context of IFC


    Rules and Regulation as per Companies Act 2013

    Sec 134 (5) (e): IFC

    Sec 143 (3) (i): ICFR

    Sec 177 (4) (vii): ICFR

    Schedule (iv): ICFR

    Rule 8 (5) (vii): ICFR

    In case of listed companies, as per Sec 134 (5) (e) requires, Directors to make an as

    Director Responsibility Statement that they laid down internal financial control to be

    and that such IFCs are adequate and operating effectively

    Under Sec 177 (4) (vii), the duties of Audit Committee include evaluation of Internal

    control & to make a report to the board

    As per Sec (143) (i), in case of company (whether listed or not), Statutory Auditors are

    to make a statement in their auditors report, whether the company has adequate IFC

    place and operative effectiveness of same.

    The independent directors should satisfy themselves on the integrity of financial inf

    and ensure that financial controls and system of risk management are robust and defe

    As per Rule 8 (5) (vii), requires Board of Directors Report of all companies to state in

    adequacy of internal financial controls with reference to the financial statements.


    Help in Business process re-designing to plug revenue leakages & Cost containment opportunities.

    Benefits of IFC

    Provide more accurate and reliable Financial Statements

    Helps in rationalizing the number of controls across the organization, moving to smart and automated controls

    Promote culture of Transparency

    Improved control over financial reporting processes

    Improved Compliance to Law

    Provide assurance to CEO/CFO and support them in certification

    Fixed accountability of Operational Management and Senior Management

    Helps in standardizing policies and procedures for multi-location / multi-business companies.


    As per Sec 134, the Companies Act 2013 defines Internal Financial Control (IFC) to mean policies and procedures adopted by the company for:

    Orderly and efficient conduct of its business, including adherence to company policies,

    Safeguarding of its assets

    Prevention and detection of frauds and errors

    Accuracy and completeness of accounting records, and

    Timely preparation of reliable financial information

    Sec 134:- Definition and Component of IFC

    Section 134 of Companies

    Components of IFC

    Internal Financial Controls over Financial Reporting (ICFR)

    Operational Controls

    Fraud prevention


    The Internal Financial Controls Over Financial Reporting (ICFR) shall mean a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies and procedures that:

    pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

    provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

    provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

    Sec 143: - Definition and Component of ICFR

    Components of ICFR

    Maintenance Of Financial Record ( Detail / Acc

    Authorization of transaction (In accordance wit

    Safeguarding of the assets of the Company


    Example covering both IFC & ICFR

    ICFR

    Salary and wages correctly recorded

    financial Statement

    Operational Effectiveness

    Overtime given to staff as per Company Polic

    adherence to policy is monitor

    Fraud Prevention

    Unauthorized changes in salary sheet (A

    Control)


    Responsibility of various stakeholders

    Directors: Ensure adequacy and operating effectiveness of IFC

    Audit Committee: Evaluation of internal financial controls

    Auditors: To comment on adequacy and operating effectiveness of IFC

    Satisfy thems

    the robustn

    internal

    controls fram

    Independe


    What are Companies Expected to Do ?

    Define entity level go

    whistle blower, code of c

    Define process level poli

    Develop a delegation of

    Assess the Governance tone at the top

    Perform an assessment of:

    Entity Level Controls

    Process Level Controls

    IT Controls

    Anti Fraud Controls


    Identify key and non key


    Develop a robust finan

    document controls around t

    Document controls in form

    Controls on accuracy of jud

    Define and document user r

    Document all existing financial and operating controls

    Consider implementing an ongoing framework for monitoring and evaluation of defined controls and internal certifications

    Perform periodic assessments to review the operating effectiveness of the controls

    Monitor effectiveness of exi


    Review technology support

    Review the existing technology set up and use of IT modules/software.

    Ensure adequacy of ITGCs and ITACs

    Consider automation of routine activities to reduce incidence of manual errors

    Carry out Fraud Risk Assessm

    and existing controls in the p

    Define mitigating controls fo

    Consider preventive and detective anti-fraud controls


    As per SA 315, internal control is a process,

    Effected by an entity's board of directors, management, and other personnel,

    Designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

    SA-315 :- Definition and Component of Internal Con

    Components of Internal Control

    Control Environment

    Entity's risk assessment process

    Control activities

    Information system and communication

    Monitoring of controls


    COSO 2013 :- 17 Principles for Internal Control

    Components of Internal Controls as per COSO

    Control Environment

    1. Demonstrates commitment to integrity and ethical values

    2. BOD demonstrates independence from management and e

    responsibility

    3. Management, with Board oversight, establish structure, a

    4. The organization demonstrates commitment to competenc

    5. The organization establishes accountability

    Entity's Risk Assessment Process

    6. Specifies relevant objectives with sufficient clarity to enab

    7. Identifies and assesses risk

    8. Considers the potential for fraud in assessing risk

    9. Identifies and assesses significant change that could imp

    Control Activities

    10. Selects and develops control activities

    11. Selects and develops general controls over technology

    12. Deploys through policies and procedures

    Information system and communication

    13. Obtains or generates relevant, quality information

    14. Communicates internally

    15. Communicates externally

    Monitoring of controls

    16. Selects, develops and performs ongoing and separate

    17. Evaluates and communicates deficiencies


    Controls Environment

    Entity Level Controls

    The tone at the top is articulated and communicated through clear and easily understandable policies, procedures and practices. The sub-components of Entity Level Controls include:

    Overall Board Governance

    Organization Structure

    Policies & procedures

    Risk Management

    Integrity & Ethics

    Monitoring & Reporting

    Process Level Controls

    Controls have been defined in the processes to ensure accuracy, completeness, authorization of the transaction entered. The processes covered under the same are:

    Order to Cash

    Procurement to Pay

    Finance Statement Close Process

    Hire to Retire

    Fixed Assets

    Distribution

    Marketing Expense

    IT Environme

    Information Techn

    Control

    User Access Controls


    Key next steps & Actionable :-

    Entity Level Controls

    Documentation / Updating of SOPs for key business processes, in line with the current practices and controls requirement. Identification of critical classes of transactions across all areas and documentation of a value based DOA.

    Formalization of critical entity level policies including Board approvals where required and creating awareness

    Define reporting channels as part of Vigil Mechanism

    Alignment of Entity Level Controls with the guidance on IFC framework to be issued by MCA / ICAI

    Process Level Controls

    Implementation of the the Design Deficiencie

    of process & controls aprocess level RCMs

    Alignment of the Procethe guidance on IFC frMCA / ICAI

    Testing of Operating Econtrols on an ongoing

    IT Environment

    Enhance user access controls in systems like .., ., etc. ensuring adequate Segregation of Duties controls

    Periodic review of the existing access rights in Sun and Champ Systems to remove rights for unauthorized accesses. Document and archive the evidence of review

    Document IT Policy, Data backup policy, BCP and DR Plan


    Our Approach

    Control framework - COSO

    Financial Statements & related Disclosures

    Identification of consolidated materiality

    Significant Accounts / relevant assertions

    Significant Processes

    Corporate, Regions, Institutions, FSS

    Control Environment, Risk Assessment, Information & Communication, Monitoring, Control Activity, Fraud

    Individual Controls at the Entity, Process, Transaction or Application Level

    Determine Nature, Timing & Extent of Key Control Testing


    Steps:-Express an opinion on internal control

    STEP 1: Scoping

    STEP 2: Design Assessment

    STEP 3: Design Gap Remediation

    STEP 4: Operating Effectiveness

    STEP 5: Overall Assessment and Reporting


    Key work steps / considerations for Scoping:

    Map/Identify Significant Account, Process and Key Location

    Segregate scope between Business Process and IT

    Discuss the scope with Statutory Auditor

    Define materiality Key / Non-key Risk.

    Finalize scope exclusion and validate with auditors

    Define scope of process/activities performed by third parties

    Nominate IFC Champion across process/location

    Set up Steering Committee to review progress / remediation plans

    Align Audit Committee and Board

    Finalize templates, documentation standard, reporting packs.

    Conduct training/workshop with process owners


    Key work steps / considerations for Design Assessment:

    Finalize Process owners across each process/Location

    Perform & document walkthrough (recommended)

    Document process maps with input, output, risk/control, IPE

    Segregate controls into Entity/Process/IT

    Identify control into Manual, Automated, IT Department, Preventive/Detective

    Segregate control into document risk and control matrix with control description, owner, frequency, control evidence etc.

    Document IT General control (GITCs)

    Perform Segregation of Duties analysis

    Identify design gaps based on walkthrough, interview, discussion etc.

    Benchmarking of IFC control: consolidate, remove redundancy


    Key work steps / considerations for Design Gap Remediation:

    Prioritize financial gaps into material / non-material

    Prioritize operational / reputation gaps (if any) into H/M/L impact

    Co-develop remediation plan with owners & implementation timelines

    Periodic monitoring of remediation plan

    Enhance/optimize IT controls

    Standardize/Centralize processes (wherever possible)

    Enhance SOP/MIS/DOA etc.

    Interim testing to confirm remediated gaps


    Key work steps / considerations for Operating Effectiveness:

    Align sampling strategy with external Auditors

    Prepare testing plan & templates

    Timing of testing mid year and roll forwarding testing

    Finalize resources: competency & independence/objectivity

    Document testing results

    Prioritize testing gaps into material / non-material

    Identify mitigation/compensating controls for material gaps

    Co-develop remediation plans for testing gaps including owners and implementation timelines


    Key work steps / considerations for Assessment and Reporting:

    Finalize material weakness and update Executive management

    Report to Audit Committee and Board

    Opinion on IFC
