Section 143 of the Indian Companies Act 2013 has rewarded auditors with additional auditing responsibilities wherein assurance must be provided on the Internal Controls present in a Company's Business Environment. The Auditor must provide an opinion on the operating effectiveness of these Internal Financial Controls.
The Institute of Chartered Accountants of India has released a Guidance Note which provides the required guidance to an Auditor to conduct an Audit of the same.
This presentation deals with the legal requirement of IFCs, Auditing Responsibilities and Implementation Guides from guidance note.
This presentation was presented at the Study Circle conducted by the Mangalore Branch of SIRC of ICAI on 23rd June 2016.
4. Mistakes…
Carrian
Group
1993
Accounting fraud. An auditor
was murdered, an adviser
committed suicide.The largest
collapse in Hong Kong history
WorldCom 2001
Fraudulent Accounting Methods
to increase.The Legend of all
scams
Peregrine
Systems
2002 Overstated sales
Satyam 2009
Falsification of Accounts.
Legend of Indian Corporate
Scams
IFCs - bharathraob.com 4
8. Section 134 –
• Director’s
Responsibility
Statement –
• Listed
Companies
shall have
IFCs
Section 143 –
• Auditor’s
Report shall
State –
• Adequate IFCs
System and is
operating
effectively
Section 149 –
• Independent
Directors –
• Integrity of
Financial
Information
and IFCs are
robust and
Dependable
Section 177 –
• Audit
Committee –
• Evaluate IFCs
and Risk
Management
System
Clause 49(V)(c)
–
• CEO/CFO
Certification –
• Accept
Responsibility
for
establishing
and
maintaining
ICFR and have
valuated their
effectiveness.
Regulations
IFCs - bharathraob.com 8
9. Internal
Controls
The Process designed,
implemented and maintained by
TCWG and other personnel to
provide reasonable assurance
about the achievement of the
entity’s objectives with regards to
reliability of financial reporting,
effectiveness and efficiency of
operations, safeguarding of assets
and compliance of applicable laws
and regulations
IFCs - bharathraob.com 9
13. Internal
Financial
Controls
explained as
perCA 2013
Explanation to section 134(5)(e) — For the
purposes of this clause, the term “internal
financial controls” means the policies and
procedures adopted by the company
for ensuring the orderly and efficient conduct
of its business,
including adherence to company’s policies, the
safeguarding of its assets,
the prevention and detection of frauds and
errors, the accuracy and completeness of the
accounting records,
and the timely preparation of reliable financial
information
IFCs - bharathraob.com 13
19. Suggested
Areas
Identification
and Inspection
of
Documentation
of Policies,
Processes
Identifying and
Understanding
the business
applications
and their roles
Perform Design
Effectiveness to check if
Policies and Documented
Procedures are sufficient
and adequate to the size
of the business
Perform
Testing for
Operational
Effectiveness,
Audit Evidence
and
Documentation
The Process to be followed
IFCs - bharathraob.com 19
25. IG 11 – IFC –
Testing of
Design
Objectives:
Conclude on effectiveness of the design to assess
risk
Plan the nature, timing and extent of the tests for
operating effectiveness
Understand the Nature and significance of the
risks of material misstatement addressed by the
control
Characteristics or details of the control
Factors to determine whether the control is
appropriately designed to address the identified
risk.
Competence and authority of the person(s)
performing the control
Frequency and consistency with which the control
is performed
IFCs - bharathraob.com 25
26. IG 13 – IFC –
Test of
Operating
Effectiveness
Assess Findings and Conclude
Perform tests of Operating Effectiveness
Plan the NTE of Operating Effectiveness based
on results of Design Effectiveness
Assess the risk associated with the control
IFCs - bharathraob.com 26
27. IG 15 – Roll
Forward
Testing
Objective:
To identify any changes to the business occurred
that could give rise to new, or affect existing risks
of material misstatement,
That would necessitate implementing new
controls or modifying the design of existing
controls
Existing controls continue to operate effectively in
the roll forward period
Identification of “Roll Forward Period”
Auditor rolls-forward the conclusions of the
effectiveness of those relevant controls which
were tested and concluded to be effective as at
an interim date
Initial/MajorTesting Period Roll Forward Period
Interim
Date
IFCs - bharathraob.com 27
28. Some more
Newer
Concepts
IG 16 – Rotation Plan for testing IFCs
IG 17 – RemediationTesting
IG 18 – Using Work of Internal
Auditors (SA 610) and Expert (SA
620)
IFCs - bharathraob.com 28
29. Reporting
Obtain Management’s Assertion regarding
Internal Financial Controls
Details of Areas, Processes and the Internal
Controls deployed and their status
Define Auditor’s Responsibility (SA 210) and
limitations
Report (As an Annexure or Separate Report)
– SA 700, SA 705
Opinion regarding the design and operating
effectiveness of the IFCs
IFCs - bharathraob.com 29
Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
Monitoring
Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.