INTERNAL CONTROLS OVER FINANCIAL REPORTING
I C F R
‐ CA SAMEER KARYEKAR
COMPANY LAW REFRESHER COURSE (10TH & 17TH MAY 2019)
PUNE BRANCH OF WIRC
AGENDA
Quick Revision
• Applicability
• Important aspects of Guidance Note
• IFC / ICFR Process
Processes Typically Covered
Practical Scenarios / Challenges
Process of Forming an Opinion
Exhibits
APPLICABILITYementCompanies013
Public Listed Co.
Public Un‐listed
‐ Paid up Share Capital >= 10 Cr
‐ Turnover >= 100 Cr. (Audit Committee)
‐ Loans, Borrowing in aggregate >= 50 Cr. (S. 139(2)‐Rule 6)
Pvt. Ltd. Cos.
Directors Responsibility Statement [S.134]
√
Auditor Report ]
√ √ √
Audit Committee ]
√ √
Independent Directors [Sch. IV]
√ √
Accounts Rules (5)(viii)
√ √
IFC / ICFR ‐ Exemption
Notification No G.S.R. 583(E) dated 13th June, 2017
Section 143(3)(i) of the Companies Act 2013 shall not be applicable for those audit reports issued after 13th June 2017 of private limited companies, one‐person companies (OPC) which: ‐
– has Annual turnover of less than Rs 50 Crores or
– has aggregate borrowings of less than 25 Crores from banks, Financial institutions or body corporate at any time during the financial year
Consequences [Company]
Section 134 (8) If a company contravenes the provisions of this section: ‐
the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty‐five lakh rupees and
every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.
Consequences [Auditors]
Section 147 (2): If an auditor of a company contravenes any of the provisions of section 139, section 143, section 144 or section 145, the auditor shall be: ‐
punishable with fine which shall not be less than twenty‐five thousand rupees but which may extend to five lakh rupees:
Provided that if an auditor has contravened such provisions knowingly or wilfully with the intention to deceive the company or its shareholders or creditors or tax authorities, he shall be punishable with imprisonment for a term which may extend to one year and with fine which shall not be less than one lakh rupees but which may extend to twenty‐five lakh rupees.
Consequences [Auditors]
Section 147 (3) Where an auditor has been convicted under sub‐section (2), he shall be liable to—
(i) refund the remuneration received by him to the company; and
(ii) pay for damages to the company, statutory bodies or authorities or to any other persons for loss arising out of incorrect or misleading statements of particulars made in his audit report.
ICAI Guidance
Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (Sep‐2015, 218 pages)
Implementation Guide on Audit of Internal Financial Controls over Financial Reporting with Specific Reference to Smaller, Less Complex Companies (SLC‐Guidance) (Aug‐2016, 67 Pages) (should be read in conjunction with the aforesaid Guidance Note)
ICFR Definition
For this purpose, “internal financial controls over financial reporting” shall mean “A process designed to provide reasonable assurance regarding the: ‐ reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
A company's internal financial control over financial reporting includes those policies and procedures that
(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
(iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”
ICFR Definition …. Contd.
IMPORTANT ASPECTS OF GUIDANCE NOTE (15th Sept. 2015)
ON AUDIT OF INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING (ICFR)
IMPORTANT ASPECTS
A material weakness in internal financial controls may exist even when the financial statements are not materially misstated.
S. 143 does not specify if auditor report should report that such internal financial controls existed and operated effectively during the period under reporting of the financial statements or as at the balance sheet date.
Guidance Note prescribes Balance Sheet Date.
New CARO has no Internal Control clause.
Section 129(4) of the 2013 Co. Act: All Subsidiaries (of a Company) will be covered
ICFR not applicable to Interim reporting, unless required by any other law or regulation.
ICFR PROCESS
other major ounts or sclosure apping to r processes
Walkthrough & Process Document
RCM Test of Controls
PROCESS – IN DETAIL
ESS IFICATION
DESIGN REVIEW CONTROLS IDENTIFICATION
OPERATIONAL EFFECTIVENESS
CONCLUSIONS
ntification on ality
major ures
ed Process ication
RISK‐What can go wrong?
Likelihood‐Is it likely to happen?
Impact‐What will happen if it does?
Identification of Controls mitigating risks
Identification of Key controls
Control Pass / Failure Strategy & agreement
Define Sampling Strategy
Testing of Sample
Remediation plan testing
Testing documentation
Final RCM
Failed Controls Identification
Failed Controls Risk Rating
hrough & Process harts
RISKs IDENTIFICATION
Risk and Control Matrix (RCM)
Sample Strategy
Testing Template (TT)
‐ Failed Controls Reporting
‐ Overall
Challenges
How to assess whether all controls in a process are covered?
– SA‐315 / COSO / ICQs / Experience (reference)
How to identify test attributes to ensure control is effective?
– Break down the control into smaller parts (TOC exhibit)
Standard method to grade the failure into Low, Medium and High
– Professional Judgement (covered in later slides)
How to define sample size
– Guidance note is very clear (GN)
Processes Typically Covered
re to Pay & Creditors Journal Entry Entity Level Controls (Budget, Business Reviews, Ethics, Appraisals, Authority Matrix, ERM, Audits, Whistle blower, MIS),
to Receipt & Debtors Expenses Provisioning(Employee Benefits, Bonus, warranty, Deferred Tax, IT/MAT)
ll (Per Diem, TDS)
& Settlements
Taxes Reconciliations (DT, IDT)
IPE (Information Produced by Entity)
Assets & Depreciation
(Cut offs, Books re, AS Compliance, , Notes, CFS, olidation)
Inventory (Physical, cost roll ups, write offs)
ITGC (User management, Change management, logs, passwords, custom software, backup, DRP, BCP, Infra‐Security)
Consumption Statutory Compliance
C h B k T F
Scenarios / Challenges
O Documents
Testing Done by external party not management
Operational – Financial classification
Subsidiaries not covered
No flow chart, only Narratives given
No Remediation plan / testing done
No documented evidence =? no control
Entity Level Control Process not documented
…contd. ‐1
Scenarios / Challenges
Walkthroughs not documented
Signature / Authorization =? Control
E / supporting workings not present
Key Control / process / activity or not
Entity Level Authority Matrix not defined
Segregation of Duty (Licenses constraints) ‐ ITGC
Cut off procedures (Tally ERPs) ‐ ITGC
TOC – Key controls or All controls
…contd. ‐2
Scenarios / Challenges
Controls exercised by Parent / HO
Exceptional instances are not control failure
Directors report v/s. Auditors report
All the activities not included in SOP
Materiality at Standalone or Consolidated level
Forming an Opinion
A ‘deficiency’ in ICFR exists when design or operation of a control does not allow management or employees in normal course of performing their assigned functions, to prevent or detect misstatements on timely basis.
A ‘Significant Deficiency’ is a deficiency or combination of deficiencies, in ICFR that is important enough to merit attention of those charged with governance since there is a reasonable possibility that a misstatement of company’s annual or interim FS will not be prevented or detected on timely basis.
A ‘Material Weakness’ is a deficiency or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim FS will not be prevented or detected on a timely basis.
Deficiencies ‐ Exercise
Inventory listing does not match with Inventory GLs. A JV is passed to ensure it matches and the physical inventory is verified quarterly but not documented properly.
Absence of the entity level Delegation of Authority matrix. But ERP access rights are defined and operating.
Three‐Way match in the ERP for purchase bills booked is not operational. ases.
Access rights review not done for access to ERP, excess access rights
Deficiency ? Significant ? Weakness?
Substantive Audit Procedures Plan
Inventory listing does not match with Inventory GLs. A JV is passed to ensure it matches and the physical inventory is verified quarterly but not documented properly.
Absence of the entity level Delegation of Authority matrix. But ERP access rights are defined and operating.
Three‐Way match in the ERP for purchase bills booked is not operational. ases.
Access rights review not done for access to ERP, excess access rights
Audit Risk Substantive Procedure/ Conclusions
Net Audit Risk
(Expected)
Physical verification
Modify IFC opinion
Obtain DOA for major areas and conduct testing
Select higher sample for verification
of correctness
Analyze transactions by
Deficiency Examples
Category of Deficiency / Examples
Significant deficiencies (design / operating)
– No Authority Matrix
– No SOPs for significant accounts / processes
– Inadequate ITGC / IPE testing
– Failure to perform reconciliations of significant accounts
– Cut off procedures not exercised
– Journal entries not authorized
Material Weaknesses
– Analytical procedures not conducted
– Internal Audit / Risk Assessments not done for a complex organization or scope is not adequate
– Identification of fraud
– Large number of rectification entries passed in inventory or other areas
Auditor will be issuing separate report for ICFR
Exhibits
Process Document Template
Walkthrough Template (to prove process was discovered not documented based on interviews) Or Test of Design (TOD)
Risk Control Matrix (RCM)
Test of Control (TOC) document
Also Refer ICAI templates
Benefits as Seen by Clients
Clarity of responsibility & authority, Transparency & accountability
Standardization of controls across locations / entities
Duplication of work identified
Elimination of smaller inefficient controls and adding monitoring controls, automating controls
Enhanced oversight & governance
Company Act 2013: Section 134(5)
The Directors’ Responsibility Statement shall state that—
the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Explanation.—For the purposes of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information;
Company Act 2013: Section 177
AUDIT COMMITTEE
Evaluation of Internal Financial Controls (IFC) by Audit Committee: ‐
(4) (vii) Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include,— evaluation of internal financial controls and risk management systems;
Rule 6 of Companies (Meetings of Board and its powers) Rules, 2014: Audit Committee is to be appointed by: ‐
– all public companies with a paid up capital of Rs.10 Crores or more;
– all public companies having turnover of Rs.100 Crores or more;
– all public companies having in aggregate outstanding loans or borrowings or
Company Act 2013: Section 143 (3)
(3) The auditor’s report shall state—
(i) whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls;
The section has cast onerous responsibilities on the statutory auditors because reporting on internal financial controls is not covered under the Standards on Auditing issued by the ICAI and also because of the fact that no framework has been prescribed under the Companies Act, 2013 and the Rules thereunder for the evaluation of internal financial controls.
This was deferred earlier by 1 year; now applicable from the FY 2015‐16.
Company Act 2013: Sch. IV
SCHEDULE IV
[See section 149(8)]
CODE FOR INDEPENDENT DIRECTORS
Role and functions:
The independent directors shall:
(4) satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible;
Board Report Contents
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 – BOD Report
Rule 8: Matters to be included in Board’s report.‐
In addition to the information and details specified in sub‐rule (4), the report of the Board shall also contain ‐
(viii) the details in respect of adequacy of internal financial controls with reference to the Financial Statements.
II. COSO FRAMEWORK (1992)
(Confederation of Sponsoring Organizations of Treadway Commission)
Controls are Evaluated by us using the COSO Framework’s three dimensional criteria
Consists of three objectives:
– Effectiveness and Efficiency of Operations
– Reliability of Financial Reporting
– Compliance with Applicable laws and regulations
Consists of five objectives:
– Control Environment
– Risk Assessment
– Control Activities
– Information/Communication
– Monitoring
Requires an entity level focus and an activity level focus
[Figure: COSO cube. Rows: Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment. Columns: Operations, Financial Reporting, Compliance. Depth: Unit A, Unit B, Activity 1, Activity 2, Activity 3.]
Sampling ‐ ICFR
Appendix 4 to SIA 5 – Sampling
Frequency of Control Activity and Sample Size
The following guidance related to the frequency of the performance of control may be considered wheng the extent of tests of operating effectiveness of manual controls for which control deviationsexpected to be found.
The internal auditor may determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity dependent on whetherment has been made on a lower or higher risk of failure of the control.
Note: Although +1 is used to indicate that the period–end control is tested, this does not mean that more frequent control operations the year‐end operation cannot be tested.