Internal financial controls: Implementation and Testing



Table of contents

Acknowledgement
About the author
Preface
Contents at a glance

Chapter 1: A De-brief
  1.1 Internal Financial Controls – In Indian Context
  1.2 Understanding IFC & its relationship with ICoFR
  1.3 ICoFR - Deliverables
  1.4 Segregation of Duties (SoD)
  1.5 Control effectiveness

Chapter 2: IFC Framework – Regulatory Aspects
  2.1 Applicability status
  2.2 Directors responsibility
  2.3 Audit committee
  2.4 Auditor’s report

Chapter 3: IFC Framework Implementation Project - Roll-out Approach

Chapter 4: Life-cycle of an IFC Framework Implementation Project
  4.1 Roadmap of IFC Framework Implementation Project
  4.2 Understanding the project objectives
  4.3 Evaluate
  4.4 Envisaging and planning
  4.5 Executing & ensuring
  4.6 Summary of stage wise aspects of the project life-Cycle

Chapter 5: IFC Framework Implementation and Testing
  5.1 Introduction
  5.2 Summary of stage-wise activities to be performed during IFC framework life-cycle
  5.3 IFC framework implementation checklist

SECTION A: GOVERNANCE POLICIES
  Risk Management Policy
  Code of Conduct & Ethics
  Internal Audit Charter
  Audit Committee (AC) Charter
  High level Chart of Authority
  High level Group Chart of Authority

SECTION B: STANDARD OPERATING PROCEDURES (SOPs)
  Period End/Month-End Closing Procedures
  Record to Report
  Treasury & Corporate Finance (TCF)
  Financial Planning and Analysis (FPA)
  Capital Expenditure
  Secretarial Audit
  Purchase
  Cash Purchase
  Procedure for Perpetual Inventory in Stores
  Debtors/Creditors Management and Reconciliation
  Segregation of Duties (SoD)
  Master Database Updation (MDU)
  Process Review/Change Management Protocol

SECTION C: CONTROL CHECKLISTS
  Record to Report
  Treasury & Corporate Finance
  Financial Planning and Analysis
  Capital expenditure
  Inventory Management
  Procurement to Pay
  Order to Cash
  Human Resources (HR)

SECTION D: INTERNAL FINANCIAL CONTROLS DOCUMENTATION - RCM
  Entity Level Checklist
  Sample - RTR Record to Report RCM
  Treasury and Corporate Finance
  Financial Planning and Analysis
  Capital expenditure
  Inventory Management
  Procurement to Pay
  Order to Cash
  Human Resources

SECTION E: TESTING OUTCOME SHEET
  Financial Planning and Analysis
  Record to Report
  Treasury and Corporate Finance

SECTION F: EXECUTIVE SUMMARY : IFC IMPLEMENTATION & TESTING
  Key aspects of Internal Financial Controls

The sample templates contained in this publication are illustrative and for guidance. Readers may customize these as per their requirements.



Chapter 1

A De-brief

The corporate structure of a business was initially designed with the aim of attracting financial participation by those who are not directly involved in the financial management of the business. In a corporate structure, the financial management of business affairs is left to its board and executives. The financial performance of a business and related aspects associated with executive responsibilities/accountabilities are reported to the management through an elaborate Financial Reporting Framework. However, it is the management (along with key officers) that holds the ultimate responsibility for timely preparation of reliable financial reports for the various stake-owners. The financial reporting framework, therefore, is not just critical to management’s ability to effectively manage the business but is also considered one of its key obligations.

Ever since the introduction of the corporate business structure, the internal controls governing its operating environment, and their adequacy and operating effectiveness, have become a focus area of:
• Management, from a responsibility perspective;
• Auditors, from a reporting perspective;
• Regulators and investors, from the perspective of measuring governance.

Each instance of governance failure in the recent past prompted the regulators to further the internal controls structure, and over a period of time, effective internal control over financial reporting has become more of a legal obligation. Since 1977, the US federal law has required public companies to establish and maintain a system of internal control that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles (“GAAP”).
The Sarbanes-Oxley Act of 2002 added a requirement, applicable to most public companies, that management annually assess the effectiveness of the company’s Internal Controls over Financial Reporting (ICoFR) and report the results to the public. In addition, the Act requires most large public companies to engage their independent auditor to audit the effectiveness of their ICoFR. In parallel, similar laws have been introduced by many countries, year on year since then, with an aim to improve the quality of financial statements in terms of accuracy and reliability of corporate disclosures. These are as follows:
• Australian Security Exchange Corporate Governance Council in 2003;
• Hong Kong’s Corporate Governance Practices in 2004;
• The Swedish Companies Act in 2005;
• EU Companies Law Directives in 2006;
• Japan’s Financial Instruments & Exchange Laws in 2008;
• The UK’s Corporate Governance Code in 2010.

1.1 INTERNAL FINANCIAL CONTROLS – IN INDIAN CONTEXT

While India started quite early in this direction with the Voluntary Corporate Governance Guidelines 2009, it was only the Companies Act, 2013 which laid down the related principles in respect of the Internal Financial Controls Framework (IFC). Efforts in India geared up post Satyam scandal of 2009. The Satyam scandal highlighted the need to strengthen the financial reporting controls, and it became necessary to establish a formal mechanism (affixing the responsibility at the top) under which the directors are responsible for stating whether they have laid down an Internal Financial Control (IFC) structure and whether those controls are adequate and operating effectively. The Act also requires the auditors of both private and public companies to confirm whether the companies have an IFC system in place that is adequate and operating effectively.

As per the provisions contained therein, the IFC would mean: “the policies and the procedures adopted by the business for ensuring its effective conduct; adherence to the business policies and procedures, safeguarding of its assets, prevention and detection of frauds and errors, the completeness and accuracy of its financial/accounting records and more importantly the preparation of financial statements with reliability and timeliness.”

This would mean that these provisions practically cover all operational controls in addition to ICoFR, whereas SOX controls are primarily limited to ICoFR. In other words, the IFC, as prescribed, is expected to address the assessment of adequacy and operating effectiveness of operational controls in addition to ICoFR.

It may also be interesting to note here that India does not have a formal framework of internal controls on financial reporting. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (better known as ‘COSO’) had in 1992 established an Internal Control Framework. Thereafter, in 1999, the Combined Code/Turnbull Guidance was also published by the Institute of Chartered Accountants of England & Wales. Other countries also either adopted COSO or introduced codes on principles modelled on COSO or an equivalent framework. Assuming that the majority of countries have used the COSO-designed framework, it would be no exception for industry executives/the profession to follow a similar approach in India. It should be understood that efforts were made either to design a framework or to adopt one before introducing the ICoFR or IFC regulations that mandated compliance with regard to internal controls over financial reporting or internal financial controls.

1.2 UNDERSTANDING IFC & ITS RELATIONSHIP WITH ICOFR

The relationship between IFC and ICoFR has been better defined below:

While a sound financial reporting framework enables the top management to assess the overall financial health of the business and take decisions on the one hand, it provides an overview of the business to the financial market and other stake-owners on the other. It is in this context that the adequacy of design and operating effectiveness of the internal controls over accounting and financial reporting is fundamental to a financial reporting framework. Inadequate design and ineffective controls will not allow executives to draw up financial reports in a timely and reliable manner for assessment and decision taking by management, investors, lenders, and other stake-owners.

As explained, over a period of time, the governments and the institutions regulating the profession of accounting and auditing have either introduced laws relating to internal controls over financial reporting or have prescribed guidelines that require corporate business entities to maintain a system of internal controls, providing reasonable assurance regarding the reliability of financial reporting and preparation of financial statements. In other words, establishing internal financial controls is now a legal obligation upon management. These laws/guidelines further require the independent auditor’s confirmation with regard to the effectiveness of the internal financial controls (IFC). It may also be noted here that the auditor’s opinion on the operating effectiveness of the internal controls has already been a part of the Auditor’s Report in a limited manner in the Indian context, since the introduction of MAOCARO in 1975 (and later as CARO).

While the term internal financial controls refers to the control framework in a broader sense, sec 134(5)(e) of the Companies Act, 2013, explains the meaning of the term “internal financial controls” as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.” The legality aspects of internal financial controls as presently applicable are discussed separately in detail.

It would also be appropriate to refer to the COSO framework, which defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”

ICoFR, in turn, is defined as follows: “A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”

1.3 ICOFR - DELIVERABLES

The basic deliverables of an ICoFR, thus, can be summarized as under:
• An assurance that there exists a control framework to ensure that financial statements of the company are reliable and fairly reflect all financial transactions. This would assume that both fundamental controls, i.e. population and accuracy controls, are effectively operating and form part of the internal controls framework;
• An assurance that the internal control framework will ensure that all transactions are recorded in accordance with applicable policies, directives and standards [considering that financial transactions also duly comply with the internal governance policies w.r.t. financial matters (including management directions) and with the applicable Accounting Standards];
• An assurance that the internal control framework of the company will ensure that no transactions are carried out in violation of management delegated authorities and that they are conducted with due financial prudence (financial DoAs are complied with and followed while processing financial transactions), and that non-compliances, if any, are identified and course-corrective measures are taken by the executive;
• An assurance that the internal controls are adequate to safeguard the company’s financial resources against any material loss that may arise due to mismanagement, irregularities and frauds.

As in the case of an audit, an IFC framework does not provide absolute assurance. Although the reporting requirements in respect of the effectiveness of an IFC framework by the auditors, and a statement by the board under the Companies Act, 2013, make it more like a statutory requirement, its design, implementation and sustainability aspects are likely to be influenced/governed by their cost-effectiveness and business needs over a period of time. No system, howsoever fool-proof, is capable of preventing and detecting all possible errors. Further, instances of management over-ride, mostly prevalent in family owned/promoted businesses, carry a large prospect of the designed controls not being permitted to operate as intended. Intentional frauds are at times also encouraged through management over-rides and are difficult to prevent/detect even with the most effective ICoFR. The above assurances that an ICoFR framework is expected to deliver, therefore, have to be viewed in ‘reasonableness’ terms and not on an ‘absolute’ basis.

It may also be noted that the very aspect of ‘reasonableness’ is subjective and may differ, given the circumstances in each individual case. The circumstances are outcomes of the control environment forming part of ICoFR, the ethical values and the executive prudence w.r.t. financial reporting. While the operating effectiveness of the control environment is dependent on process and executive prudence, it is the ‘tone-at-the-top’ and the leadership behavior that drive and govern the ethical values in the system. In other words, the operating effectiveness of an ICoFR is, to an extent, dependent upon the level of importance accorded by the top to an ethical work culture, values and integrity, and its continuous commitment to the same. This is why instances of management over-ride often lead to control failures and intentional fraudulent scenarios.

A strong ‘code of conduct and ethics’ supported by the leadership, in-house capacity to deal with ethical issues, executive awareness and the ability to manage business risks are fundamental to an effective control environment, apart from the specific policies and procedures designed to mitigate financial reporting risk. Control activities can largely be considered as segregation of duties, preventive and detective controls, and entity-level and process-level controls.

1.4 SEGREGATION OF DUTIES (SOD)

Segregation of Duties (SoD) has always been considered one of the key components of any internal control system. SoD defines the approach wherein responsibilities for performing different activities in a process are assigned to different executives in such a manner that no one person can control the entire process. The importance of segregation of duties is based on the premise that collusion between two executives is less likely to happen than misconduct by a single executive. Furthermore, segregation also works on the concept of multiple checks, i.e. maker/checker and preparer, reviewer and approver, so that each financial transaction is validated before being posted/recorded for financial reporting purposes. Multiple checks reduce the possibility of errors not being detected in time. Similarly, operational responsibilities are also segregated to ensure the safeguarding of the assets of the organization.

1.5 CONTROL EFFECTIVENESS

In the context of control effectiveness, controls are primarily divided into preventive and detective. Preventive controls, as the name says, are designed to prevent the occurrence of an activity which is not consistent with the control objective, whereas the objective of detective controls is to identify such activities after they have occurred. Timely detection of inconsistencies allows timely course-corrective management measures.

From a controls performance management perspective, the controls are structured at entity level and process level. The entity level controls aim to provide an assurance about the overall business objectives, whereas the process level controls provide assurance w.r.t. a particular activity. Entity level controls can be exemplified by the Budget vs Actual comparison to identify unusual/unacceptable variances, financial reviews, ratio analysis etc. Similarly, process level controls primarily refer to transaction level controls and can be exemplified by the process controls over a particular activity.

Considering the dynamic aspect of business activities, the assurance required has always been to confirm that there exists an internal control system which is commensurate with the size of the business and operates effectively. This would mean that the size of the business and the associated risks are duly factored in while designing, implementing and evaluating an ICoFR, and that the sustainability aspects are further required to be monitored and aligned to the ever-changing business scenario/needs, so that the framework is tailored to the size and reporting risks of the company. All along, the executive has to continuously balance the risk levels between the “controls at the cost of business” and “business at the cost of controls” scenarios.

As can be understood, while management has a clear/undisputed responsibility towards establishing an IFC framework and the ongoing oversight of its operating effectiveness, it is the executives who actually perform. The executive skill-set, competency level, integrity and ethical values, therefore, are critical and fundamental to the design, successful implementation, operating effectiveness and oversight of an IFC framework. Executives at all levels are responsible for the operating effectiveness of controls in their respective areas. Many a time, lack of clarity about the executive role/responsibility w.r.t. controls performance/operations is observed to be a major cause of control failures. Disconnects arising from communication and understanding gaps at the executive level, between the manner in which the controls are performed and the way they were expected to be performed, are also of concern. Such issues demand that executive responsibilities towards controls performance be outlined at all levels, with clarity and in definite terms, with accountability for non-performance. There has to be a mechanism in place to ensure that controls are operated as expected. This can be achieved by building executive awareness and understanding of financial aspects in each business area.
It may also be noted that in most businesses, including large businesses, the operational areas are dominated by technical executives and do not have financial resources (or the basic minimum understanding of financial controls) to support the financial aspects pertaining to that area. This also acts as a limitation on the operating effectiveness of financial controls. It is also important to understand how the consequences of a control breakdown in one process activity extend to subsequent process activities (within the same process) and on to other processes (in case of interdependent processes), and how these are addressed by the controls. The responsibility aspects are further detailed and elaborated in the appropriate chapters.

The corporate governance initiatives undertaken in India leading to the introduction of IFC framework related provisions are summarized hereunder for easy reference purposes. It may be noted that while a number of initiatives were taken from time to time, the triggering point that led the way was the ‘Satyam Scam’, raising the need for an in-depth study of all that went wrong and for the introduction of regulatory amendments to tighten the governance framework.


With this de-brief, this book aims to detail the application aspects of an IFC framework and ICoFR, addressing the key aspects and challenges that are commonly faced during the design, development and implementation of an IFC framework, along with the basic design and documentation of the checklists, risk control matrix, testing sheets and the evidencing material supporting the adequacy and operating effectiveness aspects.
