Internal Financial Controls (IFC)
Building efficiency Managing risks
Private and Confidential
August 1, 2015
Agenda
• Reporting and Implementation of internal financial controls (IFC)
• Comparison of IFC with SOX
• Responsibilities of Board of Directors
• Responsibilities of auditors
India: Era of Corporate Governance
[Timeline figure. Horizontal axis: 1998, 1999, 2000, 2001, 2002, 2003, 2004 and 2013. Vertical axis: Maturity/Sustainability.]
Initiatives:
• CII
• Kumar Mangalam Birla Committee
• Clause 49
• DCA - Task Force On Corporate Excellence
• DCA Report
• Narayan Murthy Committee
• Naresh Chandra Committee
2013:
• Amended clause 49
• IFC
Regulatory requirements and guidelines
Guidelines for listed entities
• Combined Code: Turnbull, UK, 1998/99 (amended 2003)
• Code on Corporate Governance (Part I & II), Malaysia, 2000
• King II, South Africa, 2002
• Sarbanes-Oxley Act, US, 2002
• ASX Good Corporate Governance (Principle 7), AUS, 2003/04
• Clause 49, India, 2000 (amended 2004, 2014)
• Code on Corporate Governance (Principle C2), HK, 1 July 2005
• J-SoX, Japan, 2005 release
Financial services guidelines
• APRA GPS 220 - General insurers, AUS, 2002
• Basel II Capital Accord – Banks to comply by 2007, AUS, 2005
Companies Act requirements
Internal Financial Controls
Directors' responsibility statement
Section 134(5)(e) - The directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Section 134(5)(f) - The directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.
Section 134(3)(q), sub-rule 8(5) - “In addition to the information and details specified in sub-rule (4), the report of the Board shall also contain: … the details in respect of adequacy of internal financial controls with reference to the financial statements.”
Explanation - For the purpose of this clause “Internal Financial Controls” means the policies and procedures adopted by the
company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.
Internal financial controls reporting covers not just financial reporting aspects, but also the strategic and
operational aspects of business and the efficiency with which those operations are carried out
Companies Act requirements (continued)
Internal Financial Controls
Audit Committee
Section 177(4)(vii) - Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall inter alia, include ….., evaluation of internal financial controls and risk management systems ….
Section 177(5) - The Audit Committee may call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.
Auditor’s report
Section 143(3)(i) - Whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.
Whilst section 134(5) requires directors to state their responsibility on internal financial controls in case of listed
companies, auditors are required to report on the adequacy and operating effectiveness of such controls in case
of all companies.
Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the board report of all companies to
state the details in respect of adequacy of internal financial controls with reference to the financial statements.
Internal Financial Controls (IFC)
What does the law say?
Internal Financial Controls (as per Companies Act of India)
Board of Directors:
• Lay down adequate and effective IFCs and include it in Directors' Responsibility Statement
• Independent directors to satisfy themselves on the strength of financial controls.
Audit Committee:
• Evaluate IFC systems
• Review Auditors' comments / observations with respect to controls before submission to the Board
• Discuss issues with Management or Internal / Statutory Auditors
Auditors:
• Report on adequacy of IFCs system
• Report on operating effectiveness of such controls.
IFC to be included as part of Directors Responsibility Statement from March 31, 2015 onwards and as part of
Statutory Auditors Report from March 31, 2016 onwards
Applicability for listed and unlisted companies
Internal Financial Controls
Scope:
• Listed Companies – Adequacy and effectiveness of Internal Financial Controls
• Unlisted Company - Adequacy and effectiveness of Internal Financial Controls over Financial Reporting (IFCFR)
Board
Responsibility:
• Lay down adequate and effective Internal Financial Controls and include it in Directors’ responsibility statement
• Independent Directors to satisfy themselves on the strength of internal financial controls
Audit Committee
Responsibility:
• Evaluate Internal Financial Control system
• Review Auditors’ comments/observation on Internal Financial Controls before submission to the Board
• Discuss issues with management or internal/statutory auditors
• Investigate and seek external professional advice.
Auditors
Report on adequacy and operating effectiveness of Internal Financial Controls over Financial Reporting
SOX vs IFC
Comparison
Applicability
  SOX: Parent company and major consolidated subsidiaries, affiliated companies.
  Internal Financial Control: Every listed company registered under Companies Act.
Entity Level Controls Assessment
  SOX: Applicable
  Internal Financial Control: Applicable
Assessment of business processes
  SOX: Assess business process relating to material financial statement accounts e.g. Procure to Pay, Order to Cash etc.
  Internal Financial Control: Assess business process relating to material financial statement accounts e.g. Procure to Pay, Order to Cash etc.
Assessment method of business processes
  SOX:
  • Understand and classify business processes
  • Document business process in the form of flowchart and process narratives.
  • Identify risks and controls (RCMs)
  • Evaluate design effectiveness of internal controls
  • Evaluate operational effectiveness of internal controls
  Internal Financial Control:
  • Understand and classify business processes
  • Identify risks and controls (RCMs)
  • Evaluate design effectiveness of internal controls
  • Evaluate operational effectiveness of internal controls
Evaluation of controls over IT environment
  SOX:
  • IT General Controls
  • Business processing IT controls
  Internal Financial Control:
  • IT General Controls
  • Business processing IT controls
Auditors Opinion
  SOX: Express opinion on management’s evaluation of the effectiveness of internal controls.
  Internal Financial Control:
  • Report on adequacy of IFC system
  • Report on operating effectiveness of such controls.
Internal Financial Controls – common myths
Phases:
• Scope and plan
• Assess and define
• Identify and document
• Test and remediate
• Monitor, certify and assert
Myths:
• Meeting CARO requirement is sufficient
• There is no need to document processes and controls
• Testing of controls and remediation of deficiencies is the responsibility of auditors
• We don’t need a process for IFC certification to Board / AC. We know people are doing it and no exceptions are identified by the auditors
• We don’t need to revisit processes and controls
• Why do we need to look at cost / benefit for controls? Everything is essential
• Materiality is for financials. It doesn't really impact control considerations
• We have a good SLA with service providers. We don’t need to evaluate their controls
• We understand controls. There is no need for training and development of our people
• Automation through ERP – Controls are automatically in place
• We don’t need an oversight body to oversee all changes in processes / controls
• We don’t need to link risks with controls
Internal Control Environment
Key drivers of the framework in the value chain
1. Governance
• Enhancements for effective risk governance
• Finalize lines of defense and aspects to be covered under each line of defense
• Suggest improvements in the framework
• Compliance as per various regulations (Companies Act Rules 2013 and SEBI Listing agreement.)
2. Operations
• Evaluate the control activities for each process
• Identify control redundancies
• Identify areas of improvement from design perspective
• Identify automation opportunities.
3. Financial Reporting
• Identify areas of improvement and reducing financial reporting risk
• Eliminate redundant controls
• Automate financial reporting related controls
• Segregation of Duty
Three lines of Defense
Strengthening all lines of defense within the value chain
[Figure: First Line of Defense, Second Line of Defense, Third Line of Defense. Functions shown: Operational Management, Internal Control, Risk Management, Compliance, Controllers, Internal Audit, External Audit, Supervisory Authority. Oversight: CEO/Senior Management; Board of Directors/Audit Committee.]
Source: Institute of Internal Auditors: The Role of Internal Auditing in Governance, Risk, and Compliance
Internal Financial Controls – What to do?
IFC Objective
Operations Objectives, Reporting Objectives, Compliance Objectives:
• Efficiency and effectiveness in Operations
• Prevention and detection of fraud and error
• Safeguarding of assets
• Accuracy and completeness of Accounting records
• Reliability of Financial reporting
• Compliance with applicable laws and regulations
IFC Requirements
• Defined Policies and procedures to ensure effective and efficient operations.
• Effective Delegation of Authority and Entity level controls
• Preventive controls to address Fraud risk
• Mechanism for timely detection of fraud and errors
• Adequate control over asset movement, storage, loss or theft.
• Risk identification and mitigation plan to reduce loss of asset
• Controls over accurate and timely update of accounting records
• Control over completeness of accounting records
• Timely preparation of financial reports
• Adequate controls over preparation of financial reports
• Adequate framework to ensure compliance to applicable laws and regulations
• Adequate framework to monitor the compliance
What to do?
• Define and ensure compliance to appropriate policies and procedures and Delegation of Authority
• Define appropriate Entity level controls
• Define and monitor operating effectiveness of appropriate controls over various activities.
• Fraud Risk Management
• Define appropriate asset movement controls
• Effective asset verification program
• Defined effective controls and ensure operating effectiveness (ELC, PLC, ITGC and Fraud Risk)
• Defined appropriate controls over preparation of financial reports
• Adequate review mechanism
• Legal Compliance Framework
Internal Financial Controls
Entity Level Controls
ELC Component: Requirement
Business Risk Management: Whether risk management policy and procedures are in place? Whether formal risk assessment has been carried out or not?
Business Ethics Framework: Whether a whistle-blower policy and Code of conduct exist and are implemented?
Internal Audit and Financial Integrity: Whether the internal audit function is independently reporting to the Audit Committee? Whether roles and responsibilities of senior management are defined and documented? And whether adequate segregation of duties exists?
Legal Compliance Framework: Whether the legal compliance framework is documented and compliance health is checked on a periodic basis?
Fraud Risk Management: Whether a Fraud Risk Management policy exists, detailing structure of fraud deterrence, prevention and investigation, and fraud incidence response guidelines? Whether key controls to mitigate fraud risks are identified and monitored for compliance on a regular basis?
Business and Operations Continuity: Whether a Disaster Recovery Plan, Business continuity plan and crisis management policy are defined and implemented?
Succession Planning: Whether a formal process of succession planning is defined and implemented?
Management Operational Review: Whether a formal process of management oversight and a review mechanism exist and are followed?
Process Level Controls
Internal Financial Controls
PLC Component: Requirement
Operating Effectiveness:
• Policy of control testing and operating effectiveness, containing the sampling criteria and strategy, to be defined
• Standard documentation to be maintained in the form of test scripts and support documents to evidence the operating effectiveness of the identified controls
[Figure: Illustrative Test Script]
Design Effectiveness:
• Significant policy and procedures are defined. Process of assessing adequacy and appropriateness of policies and process to be developed
• Completeness of RCM documented for all business cycles to be assessed. Example RCM for Treasury etc. to be prepared. Existing RCMs to include the following:
  • Review and update RCMs for all financial assertions.
  • Controls description to be elaborated
  • Fraud Risk to be highlighted
  • Whether Policy/ Procedure exists or not to be documented
  • Control Category specifying COSO control level
  • Control Owner and responsibility for testing and reporting
[Figure: Illustrative RCM]
Control Assessment Dashboard – P2P
[Dashboard figure. Panels: Control Universe (Manual and Automated counts by business cycle), Control Effectiveness Test Result (Total and Ineffective counts, Manual and Automated, by business cycle), Compliance Percentage (legend: <= 50%, <= 90, >90) and Risk Universe. Business cycles: Planning and Budgeting, Vendor Management, Ordering, Receiving, Invoice Processing.]
Risk Universe panel (column headings on the slide: Business Cycle, Total, Fraud):
Planning and Budgeting 10 0
Vendor Management 11 5
Ordering 16 4
Receiving 7 2
Invoice Processing 10 2
Internal Financial Controls – Roadmap
The following is the typical risk-based internal controls journey:
[Figure. Axes: Internal Control compliance and Business value. End state: Ability to sustain controls based audit.]
Steps shown in the figure:
• Plan and scope
• Perform risk assessment
• Identify significant Controls
• Document Controls
• Evaluate control design
• Evaluate operating effectiveness
• Document results
• Identify and remediate deficiencies
• Build sustainability
Payment process
Risk and control matrix
‘What can go Wrong’
• Advances to vendors not being adjusted
against the bills
• Payment made in excess of invoice
amount
• Duplicate payment made to the vendors
• Payment made to wrong vendor
Control Activities to mitigate the Risk:
• Periodical process of review of open/long
pending advances
• Payments are made only after reconciling them with the
appropriate invoice. A system-based control allows
payment only as per the invoice amount
• Process for periodical review of list of pending
invoices.
• Purchase requisitions are reviewed and approved
by an individual with the appropriate signatory
authority approval limits
• Obtain balance confirmations from vendors
Control Activities
Control Activities are actions established by policies and procedures rather than being the policies and procedures themselves
Process vs. control: Example
Control Description #1: Company engages XYZ Actuary Firm to prepare the actuarial analysis.
Issue: Hiring a specialist is a procedure which may enhance competency, but is not a control.
Control Description #1: Management reviews and discusses the Actuarial Report, including key assumptions with the specialist to assess the appropriateness of the assumptions and conclusions reached.
Process vs. control
Control Description #2: The billed revenue file is summarized at month’s end and the total is recorded into revenue.
Issue: Someone recording something is typically a process step; not a control.
Control Description #2: The Accounting Manager verifies that the billed revenue was properly recorded to revenue by comparing the billed revenue file to the revenue recorded in the general ledger.
Control mitigates the risk?
Control Description #3
Risk: All shipments are not recorded (completeness).
Control Description: The general ledger is reconciled to the XYZ file.
Issue: It is not clear based on the description how this control mitigates the completeness risk.
Control Description #3: The general ledger is reconciled to the XYZ file, which is a download from the warehouse shipping system of all shipments processed for the period.
Controls – An overview
Life sciences
Illustrative Controls
Key Controls (Operational and Financial)
Financial Control
• Accounting of vendor related invoices
• Creation of GRN on receipt of goods at the warehouse.
• Recording of invoices on dispatch and monitoring of accounts receivables
• Creation of vendor master with all the requisite fields
• Physical verification of fixed assets/stock on a periodic basis and reconciling them with records maintained
• Segregation of duties at various stages of financial reporting
• IT General controls are kept in place
• Proper authorization as per the authorization matrix for all the transactions entered into the system
• Employees and 'covered persons' must sign an Insider Trading Certification per the corporate policy prior to trading in the company stock.
Operational Control
• Performance evaluation of vendors is conducted on an annual basis.
• Physical counting and checking of material / goods received at the warehouse to ensure that the correct quantity and quality of material / goods have been received.
• Setting of credit limit for customers
• The SCM team takes comparative quotes from a minimum of 3 vendors prior to selection of the final vendor.
Non Key Control
• Review of the existence of non-key fields within master data stored in the system
• Review of inactive accounts with low and immaterial balances
• Physical verification of “C” category inventory (low value items)
Fraud Controls
• Presence of multiple authorization at various stages of high value transactions
• Periodic review of debtors ageing
• Proper vendor evaluation process to avoid collusion with third parties.
[Diagram labels: ICFR, IFC]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related
entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.
Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide general information on a
particular subject or subjects and is not an exhaustive treatment of such subject(s). This material contains information sourced from third party sites (external sites). DTTIPL
is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such external sites. None of DTTIPL, Deloitte Touche Tohmatsu
Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering professional advice or services. The
information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that
might affect your personal finances or business, you should consult a qualified professional adviser.
No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.
Mr. Ajay Minocha
Partner
Deloitte Haskins & Sells LLP
Main: +91 (124) 679-2000
7th Floor, Building 10 Tower B
DLF Cyber City Complex, DLF City Phase II
Gurgaon, Haryana 122002
India
Mr. Sidheshwar Bhalla
Director
Deloitte Haskins & Sells LLP
Mobile: +91 98997 87786
7th Floor, Building 10 Tower B
DLF Cyber City Complex, DLF City Phase II
Gurgaon, Haryana 122002
India