
IFC Document

Jul 07, 2016


rohilaca

It contains brief on IFC
Transcript
Page 1: IFC Document

Internal Financial Controls (IFC)

Building efficiency Managing risks

Private and Confidential

August 1, 2015

1

Page 2: IFC Document

Agenda

• Reporting and Implementation of internal financial controls (IFC)

• Comparison of IFC with SOX

• Responsibilities of Board of Directors

• Responsibilities of auditors

2

Page 3: IFC Document

India: Era of Corporate Governance

[Timeline figure. Horizontal axis: 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2013. Vertical axis: Maturity/Sustainability.]

Initiatives:

• CII
• Kumar Mangalam Birla Committee
• Clause 49
• DCA - Task Force On Corporate Excellence
• DCA Report
• Narayan Murthy Committee
• Naresh Chandra Committee
• Amended clause 49
• IFC

Page 4: IFC Document

Regulatory requirements and guidelines

Guidelines for listed entities

• Combined Code: Turnbull, UK, 1998/99 (amended 2003)
• Code on Corporate Governance (Part I & II), Malaysia, 2000
• King II, South Africa, 2002
• Sarbanes-Oxley Act, US, 2002
• ASX Good Corporate Governance (Principle 7), AUS, 2003/04
• Clause 49, India, 2000 (amended 2004, 2014)
• Code on Corporate Governance (Principle C2), HK, 1 July 2005
• J-SoX, Japan, 2005 release

Financial services guidelines

• APRA GPS 220 - General insurers, AUS, 2002
• Basel II Capital Accord – Banks to comply by 2007, AUS, 2005

Page 5: IFC Document

Companies Act requirements

Internal Financial Controls

Directors' responsibility statement:

Section 134(5)(e) - The directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Section 134(5)(f) - The directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

Section 134(3)(q), sub-rule 8(5) - “In addition to the information and details specified in sub-rule (4), the report of the Board shall also contain: …“the details in respect of adequacy of internal financial controls with reference to the financial statements.”

Explanation - For the purpose of this clause “Internal Financial Controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

Internal financial controls reporting covers not just financial reporting aspects, but also the strategic and operational aspects of business and the efficiency with which those operations are carried out.

Page 6: IFC Document

Companies Act requirements (continued)

Internal Financial Controls

Audit Committee:

Section 177(4)(vii) - Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall inter alia, include ….., evaluation of internal financial controls and risk management systems ….

Section 177(5) - The Audit Committee may call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.

Auditor’s report:

Section 143(3)(i) - Whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

Whilst section 134(5) requires directors to state their responsibility on internal financial controls in case of listed companies, auditors are required to report on the adequacy and operating effectiveness of such controls in case of all companies.

Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the board report of all companies to state the details in respect of adequacy of internal financial controls with reference to the financial statements.

Page 7: IFC Document

Internal Financial Controls (IFC): What does the law say?

Internal Financial Controls (as per Companies Act of India)

Board of Directors:

• Lay down adequate and effective IFCs and include it in Directors' Responsibility Statement
• Independent directors to satisfy themselves on the strength of financial controls.

Audit Committee:

• Evaluate IFC systems
• Review Auditors' comments / observations with respect to controls before submission to the Board
• Discuss issues with Management or Internal / Statutory Auditors

Auditors:

• Report on adequacy of IFCs system
• Report on operating effectiveness of such controls.

IFC to be included as part of Directors Responsibility Statement from March 31, 2015 onwards and as part of Statutory Auditors Report from March 31, 2016 onwards.

Page 8: IFC Document

Applicability for listed and unlisted companies

Internal Financial Controls

Scope:

• Listed Companies – Adequacy and effectiveness of Internal Financial Controls
• Unlisted Company - Adequacy and effectiveness of Internal Financial Controls over Financial Reporting (IFCFR)

Board

Responsibility:

• Lay down adequate and effective Internal Financial Controls and include it in Directors’ responsibility statement
• Independent Directors to satisfy themselves on the strength of internal financial controls

Audit Committee

Responsibility:

• Evaluate Internal Financial Control system
• Review Auditors’ comments/ observation on Internal Financial Controls before submission to the Board
• Discuss issues with management or internal/ statutory auditors
• Investigate and seek external professional advice.

Auditors

• Report on adequacy and operating effectiveness of Internal Financial Controls over Financial Reporting

Page 9: IFC Document

SOX vs IFC

Comparison

Applicability

• SOX: Parent company and major consolidated subsidiaries, affiliated companies.
• Internal Financial Control: Every listed company registered under Companies Act.

Entity Level Controls Assessment

• SOX: Applicable
• Internal Financial Control: Applicable

Assessment of business processes

• SOX: Assess business process relating to material financial statement accounts e.g. Procure to Pay, Order to Cash etc.
• Internal Financial Control: Assess business process relating to material financial statement accounts e.g. Procure to Pay, Order to Cash etc.

Assessment method of business processes

SOX:

• Understand and classify business processes
• Document business process in the form of flowchart and process narratives.
• Identify risks and controls (RCMs)
• Evaluate design effectiveness of internal controls
• Evaluate operational effectiveness of internal controls

Internal Financial Control:

• Understand and classify business processes
• Identify risks and controls (RCMs)
• Evaluate design effectiveness of internal controls
• Evaluate operational effectiveness of internal controls

Evaluation of controls over IT environment

SOX:

• IT General Controls
• Business processing IT controls

Internal Financial Control:

• IT General Controls
• Business processing IT controls

Auditors Opinion

SOX: Express opinion on management’s evaluation of the effectiveness of internal controls.

Internal Financial Control:

• Report on adequacy of IFC system
• Report on operating effectiveness of such controls.

Page 10: IFC Document

Internal Financial Controls – common myths

Phases:

• Scope and plan
• Assess and define
• Identify and document
• Test and remediate
• Monitor, certify and assert

Myths:

• Meeting CARO requirement is sufficient
• There is no need to document processes and controls
• Testing of controls and remediation of deficiencies is the responsibility of auditors
• We don’t need a process for IFC certification to Board / AC. We know people are doing it and no exceptions are identified by the auditors
• We don’t need to revisit processes and controls
• Why do we need to look at cost / benefit for controls? Everything is essential
• Materiality is for financials. It doesn't really impact control considerations
• We have a good SLA with service providers. We don’t need to evaluate their controls
• We understand controls. There is no need for training and development of our people
• Automation through ERP – Controls are automatically in place
• We don’t need an oversight body to oversee all changes in processes / controls
• We don’t need to link risks with controls

Page 11: IFC Document

Internal Control Environment

11

Page 12: IFC Document

Internal Control Environment

Key drivers of the framework in the value chain

1. Governance

• Enhancements for effective risk governance
• Finalize lines of defense and aspects to be covered under each line of defense
• Suggest improvements in the framework
• Compliance as per various regulations (Companies Act Rules 2013 and SEBI Listing agreement.)

2. Operations

• Evaluate the control activities for each process
• Identify control redundancies
• Identify areas of improvement from design perspective
• Identify automation opportunities.

3. Financial Reporting

• Identify areas of improvement and reducing financial reporting risk
• Eliminate redundant controls
• Automate financial reporting related controls
• Segregation of Duty

Strengthening all lines of defense within the value chain

Page 13: IFC Document

Three lines of Defense

[Diagram. Columns: First Line of Defense, Second Line of Defense, Third Line of Defense. Labels: Operational Management; Internal Control; Risk Management; Compliance; Controllers; Internal Audit; External Audit; Supervisory Authority; CEO/Senior Management; Board of Directors/Audit Committee.]

Source: Institute of Internal Auditors: The Role of Internal Auditing in Governance, Risk, and Compliance

Page 14: IFC Document

Internal Financial Controls – What to do?

IFC Objective

Operations Objectives, Reporting Objectives, Compliance Objectives:

• Efficiency and effectiveness in Operations
• Prevention and detection of fraud and error
• Reliability of Financial reporting
• Compliance with applicable laws and regulations
• Safeguarding of assets
• Accuracy and completeness of Accounting records

IFC Requirements

• Defined Policies and procedures to ensure effective and efficient operations.
• Effective Delegation of Authority and Entity level controls
• Preventive controls to address Fraud risk
• Mechanism for timely detection of fraud and errors
• Adequate control over asset movement, storage, loss or theft.
• Risk identification and mitigation plan to reduce loss of asset
• Controls over accurate and timely update of accounting records
• Control over completeness of accounting records
• Timely preparation of financial reports
• Adequate controls over preparation of financial reports
• Adequate framework to ensure compliance to applicable laws and regulations
• Adequate framework to monitor the compliance

What to do?

• Define and ensure compliance to appropriate policies and procedures and Delegation of Authority
• Define appropriate Entity level controls
• Define and monitor operating effectiveness of appropriate controls over various activities.
• Fraud Risk Management
• Define appropriate asset movement controls
• Effective asset verification program
• Defined effective controls and ensure operating effectiveness (ELC, PLC, ITGC and Fraud Risk)
• Defined appropriate controls over preparation of financial reports
• Adequate review mechanism
• Legal Compliance Framework

Page 15: IFC Document

Internal Financial Controls

Entity Level Controls

ELC Component: Requirement

• Business Risk Management: Whether risk management policy and procedures are in place? Whether formal risk assessment has been carried out or not?
• Business Ethics Framework: Whether whistle-blower policy and Code of conduct exist and are implemented?
• Internal Audit and Financial Integrity: Whether internal audit function is independently reporting to Audit Committee? Whether roles and responsibilities of senior management are defined and documented? And whether adequate segregation of duties exists?
• Legal Compliance Framework: Whether legal compliance framework is documented and compliance health is checked on periodic basis?
• Fraud Risk Management: Whether Fraud Risk Management policy exists, detailing structure of fraud deterrence, prevention and investigation, fraud incidence response guidelines. Whether key controls to mitigate fraud risks are identified and monitored for compliance on regular basis.
• Business and Operations Continuity: Whether Disaster Recovery Plan, Business continuity plan and crisis management policy are defined and implemented?
• Succession Planning: Whether formal process of succession planning is defined and implemented?
• Management Operational Review: Whether formal process of management oversight and review mechanism exists and is followed?

Page 16: IFC Document

Process Level Controls

Internal Financial Controls

PLC Component: Requirement

Operating Effectiveness

• Policy of control testing and operating effectiveness, containing the sampling criteria and strategy to be defined
• Standard documentation to be maintained in the forms of test scripts and support documents to evidence the operating effectiveness of the identified controls

[Figure: Illustrative Test Script]

Design Effectiveness

• Significant policy and procedures are defined. Process of assessing adequacy and appropriateness of policies and process to be developed
• Completeness of RCM documented for all business cycles to be assessed. Example RCM for Treasury etc. to be prepared. Existing RCM’s to include following:
  • Review and update RCMs for all financial assertions.
  • Controls description to be elaborated
  • Fraud Risk to be highlighted
  • Whether Policy/ Procedure exists or not to be documented
  • Control Category specifying COSO control level
  • Control Owner and responsibility for testing and reporting

[Figure: Illustrative RCM]

Page 17: IFC Document

Control Assessment Dashboard – P2P

[Dashboard figure. Panels: Risk Universe, Control Universe, Control Effectiveness Test Result, Compliance Percentage (legend: <= 50%, <= 90, >90). Series labels: Total, Ineffective, Manual, Automated. Business cycles shown: Planning and Budgeting, Vendor Management, Ordering, Receiving, Invoice Processing.]

Risk Universe (count)

Business Cycle: Total, Fraud

• Planning and Budgeting: 10, 0
• Vendor Management: 11, 5
• Ordering: 16, 4
• Receiving: 7, 2
• Invoice Processing: 10, 2

Page 18: IFC Document

Internal Financial Controls – Roadmap

The following is the typical risk-based internal controls journey:

[Roadmap figure. Axes: Internal Control compliance, Business value. Stage labels as they appear on the slide: Plan and scope; Evaluate operating effectiveness; Document results; Evaluate control design; Document Controls; Identify significant Controls; Perform risk assessment; Identify and remediate deficiencies; Build sustainability. Annotation: Ability to sustain controls based audit.]

Page 19: IFC Document

Payment process

Risk and control matrix

‘What can go Wrong’

• Advances to vendors not being adjusted against the bills
• Payment made in excess of invoice amount
• Duplicate payment made to the vendors
• Payment made to wrong vendor

Control Activities to mitigate the Risk:

• Periodical process of review of open/long pending advances
• Payments are made only after reconciling it with appropriate invoice. System based control: payment only as per the invoice amount
• Process for periodical review of list of pending invoices.
• Purchase requisitions are reviewed and approved by an individual with the appropriate signatory authority approval limits
• Obtain balance confirmations from vendors

Page 20: IFC Document

Control Activities

Process vs. control: Example

Control Activities are actions established by policies and procedures rather than being the policies and procedures themselves.

Control Description #1 (as written)

Company engages XYZ Actuary Firm to prepare the actuarial analysis.

Issue

Hiring a specialist is a procedure which may enhance competency, but is not a control.

Control Description #1 (revised)

Management reviews and discusses the Actuarial Report, including key assumptions with the specialist to assess the appropriateness of the assumptions and conclusions reached.

Page 21: IFC Document

Control Activities

Process vs. control

Control Description #2 (as written)

The billed revenue file is summarized at month’s end and the total is recorded into revenue.

Issue

Someone recording something is typically a process step; not a control.

Control Description #2 (revised)

The Accounting Manager verifies that the billed revenue was properly recorded to revenue by comparing the billed revenue file to the revenue recorded in the general ledger.

Page 22: IFC Document

Control Activities

Control mitigates the risk?

Control Description #3 (as written)

Risk: All shipments are not recorded (completeness).

Control Description: The general ledger is reconciled to the XYZ file.

Issue

It is not clear based on the description how this control mitigates the completeness risk.

Control Description #3 (revised)

The general ledger is reconciled to the XYZ file, which is a download from the warehouse shipping system of all shipments processed for the period.

Page 23: IFC Document

Controls – An overview

Illustrative Controls: Life sciences

[Diagram labels: ICFR, IFC]

Key Controls (Operational and Financial)

Financial Control

• Accounting of vendor related invoices
• Creation of GRN on receipt of goods at the warehouse.
• Recording of invoices on dispatch and monitoring of accounts receivables
• Creation of vendor master with all the requisite fields
• Physical verification of fixed assets/stock on a periodic basis and reconciling them with records maintained
• Segregation of duties at various stages of financial reporting
• IT General controls are kept in place
• Proper authorization as per the authorization matrix for all the transactions entered into the system
• Employees and 'covered persons' must sign an Insider Trading Certification per the corporate policy prior to trading in the company stock.

Operational Control

• Performance evaluation of vendors is conducted on an annual basis.
• Physical counting and checking of material / goods received at the warehouse to ensure that the correct quantity and quality of material / goods have been received.
• Setting of credit limit for customers
• The SCM team takes comparative quotes from a minimum of 3 vendors prior to selection of the final vendor.

Non Key Control

• Review of the existence of non-key fields within master data stored in the system
• Review of inactive accounts with low and immaterial balances
• Physical verification of “C” category inventory (low value items)

Fraud Controls

• Presence of multiple authorization at various stages of high value transactions
• Periodic review of debtors ageing
• Proper vendor evaluation process to avoid collusion with third parties.

Page 24: IFC Document

24

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). This material contains information sourced from third party sites (external sites). DTTIPL is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such external sites. None of DTTIPL, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.

Mr. Ajay Minocha

Partner

Deloitte Haskins & Sells LLP

E-mail: [email protected]

Main: +91 (124) 679-2000

7th Floor, Building 10 Tower B

DLF Cyber City Complex, DLF City Phase II

Gurgaon, Haryana 122002

India

Mr. Sidheshwar Bhalla

Director

Deloitte Haskins & Sells LLP

E-mail: [email protected]

Mobile: +91 98997 87786

7th Floor, Building 10 Tower B

DLF Cyber City Complex, DLF City Phase II

Gurgaon, Haryana 122002

India