
CODOMAIN

IFC

INTERNAL FINANCIAL CONTROL


India :- Age of Corporate Governance

CII (1998)
KM Birla Committee (1999)
SEBI Clause 49 (2000)
DCA Task Force on Corporate Excellence (2000)
Naresh Chandra Committee (2002)
Narayan Murthy Committee (2003)
DCA Report (2003)
Amended Clause 49 (2004)
IFC (2013)


IFC :- Global Scenario


In June 2003, the Securities and Exchange Commission (SEC) of the United States of America adopted
rules for the implementation of the Sarbanes-Oxley Act, 2002 (SOX) that required certification of the
Internal Controls over Financial Reporting (ICFR) by the management and by the auditors.

The Public Company Accounting Oversight Board (PCAOB) has issued its Auditing Standard (AS) 5 on An
Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.

In June 2006, the Financial Instruments and Exchange Act (J-SOX) was passed by the Diet, the National
Legislature of Japan. The requirements of this legislation are similar to the requirements of internal
controls over financial reporting under SOX.


Context of IFC
Major corporate and accounting scandals: Satyam, Financial Technologies (India) Limited
Decline of public trust in accounting and reporting practices
Indian regulations modified to reflect the regulatory developments in the western world
SOX Act 2002, HIPAA, J-SOX and PCI-DSS are a few examples of regulatory changes introduced by the western world.
Introduction of Internal Financial Controls (IFC) in the Companies Act 2013 reflects the continuation of this trend


Rules and Regulation as per Companies Act -2013


Sec 134 (5) (e): IFC
In the case of listed companies, Sec 134 (5) (e) requires Directors to make an assertion in the
Directors' Responsibility Statement that they have laid down internal financial controls to be followed
and that such IFCs are adequate and operating effectively.

Sec 143 (3) (i): ICFR
In the case of a company (whether listed or not), Sec 143 (3) (i) requires Statutory Auditors
to state in their auditor's report whether the company has an adequate IFC system in
place and the operating effectiveness of the same.

Sec 177 (4) (vii): ICFR
Under Sec 177 (4) (vii), the duties of the Audit Committee include evaluation of internal financial
controls and making a report to the Board.

Schedule (iv): ICFR
The independent directors should satisfy themselves on the integrity of financial information
and ensure that financial controls and systems of risk management are robust and defensible.

Rule 8 (5) (vii): ICFR
Rule 8 (5) (vii) requires the Board of Directors' Report of all companies to state in detail the
adequacy of internal financial controls with reference to the financial statements.


Benefits of IFC
Helps in business process re-designing to plug revenue leakages and capture cost containment opportunities.
Helps in rationalizing the number of controls across the organization, moving to smart and automated controls
Provides more accurate and reliable financial statements
Promotes a culture of transparency
Improved control over financial reporting processes
Improved compliance with law
Provides assurance to the CEO/CFO and supports them in certification
Fixes accountability of operational management and senior management
Helps in standardizing policies and procedures for multi-location / multi-business companies.

Sec 134:- Definition and Component of IFC


Sec 134 of the Companies Act 2013 defines Internal Financial
Control (IFC) to mean policies and procedures adopted by the
company for:
Orderly and efficient conduct of its business, including adherence to company policies,
Safeguarding of its assets,
Prevention and detection of frauds and errors,
Accuracy and completeness of accounting records, and
Timely preparation of reliable financial information

Components of IFC (Section 134 of Companies Act 2013)
Internal Financial Controls over Financial Reporting (ICFR)
Operational Controls
Fraud prevention

Sec 143: - Definition and Component of ICFR


The Internal Financial Controls Over Financial Reporting (ICFR) shall mean a
process designed to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles. A company's internal
financial control over financial reporting includes those policies and procedures that:
pertain to the maintenance of records that, in reasonable detail, accurately and
fairly reflect the transactions and dispositions of the assets of the company;
provide reasonable assurance that transactions are recorded as necessary to
permit preparation of financial statements in accordance with generally accepted
accounting principles, and that receipts and expenditures of the company are
being made only in accordance with authorizations of management and directors
of the company; and
provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use, or disposition of the company's assets that could
have a material effect on the financial statements.

Components of ICFR
Maintenance of Financial Record (Detail / Accuracy)
Authorization of transaction (In accordance with GAAP)
Safeguarding of the assets of the Company


Example covering both IFC & ICFR


ICFR: Salary and wages correctly recorded in the financial statement

Operational Effectiveness: Overtime given to staff as per company policy, and adherence to policy is monitored

Fraud Prevention: Unauthorized changes in salary sheet (Access Control)


Responsibility of various stakeholders

Directors: Ensure adequacy and operating effectiveness of IFC

Audit Committee: Evaluation of internal financial controls

Auditors: To comment on adequacy and operating effectiveness of IFC

Independent Directors: Satisfy themselves on the robustness of internal financial controls framework


What are Companies Expected to Do?

Assess the Governance tone at the top
Define entity level governance policies like whistle blower, code of conduct etc.
Define process level policies and procedures
Develop a delegation of authority
Perform an assessment of:
Entity Level Controls
Process Level Controls
IT Controls
Anti Fraud Controls
Identify key and non-key mitigating controls


Document all existing financial and operating controls
Develop a robust financial close process and document controls around the process
Document controls in form of RCMs
Controls on accuracy of judgment and estimates
Define and document user responsibilities
Consider implementing an ongoing framework for monitoring and evaluation of defined controls and internal certifications
Perform periodic assessments to review the operating effectiveness of the controls
Monitor effectiveness of existing controls


Consider preventive and detective anti fraud controls
Carry out Fraud Risk Assessment and identify fraud risks and existing controls in the processes.
Define mitigating controls for any gaps identified
Review the existing technology set up and use of IT modules/software.
Ensure adequacy of ITGCs and ITACs
Consider automation of routine activities to reduce incidence of manual errors
Review technology support


SA-315 :-Definition and Component of Internal Control


As per SA 315, internal control is a process,
effected by an entity's board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement
of objectives relating to operations, reporting, and compliance.

Components of Internal Control
Control Environment
Entity's risk assessment process
Control activities
Information system and communication
Monitoring of controls

Components of Internal Controls as per COSO

COSO 2013 :- 17 Principles for Internal Control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. BOD demonstrates independence from management and exercises oversight responsibility
3. Management, with Board oversight, establishes structure, authority and responsibility.
4. The organization demonstrates commitment to competence
5. The organization establishes accountability

Entity's Risk Assessment Process
6. Specifies relevant objectives with sufficient clarity to enable identification of risk
7. Identifies and assesses risk
8. Considers the potential for fraud in assessing risk
9. Identifies and assesses significant change that could impact the system of Internal Control

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information system and communication
13. Obtains or generates relevant, quality information
14. Communicates internally
15. Communicates externally

Monitoring of controls
16. Selects, develops and performs ongoing and separate evaluations
17. Evaluates and communicates deficiencies


Controls Environment

Entity Level Controls
The tone at the top is articulated and communicated through clear and easily
understandable policies, procedures and practices. The sub-components of Entity
Level Controls include:
Overall Board Governance
Organization Structure
Policies & procedures
Risk Management
Integrity & Ethics
Monitoring & Reporting

Process Level Controls
Controls have been defined in the processes to ensure accuracy,
completeness, authorization of the transaction entered. The processes
covered under the same are:
Order to Cash
Procurement to Pay
Financial Statement Close Process
Hire to Retire
Fixed Assets
Distribution
Marketing Expense

IT Environment
Information Technology General Control
User Access Controls


Key next steps & Actionables

Entity Level Controls
Documentation / Updating of SOPs for key business processes, in line with the current practices and controls requirement. Identification of critical classes of transactions across all areas and documentation of a value based DOA.
Formalization of critical entity level policies including Board approvals where required and creating awareness
Define reporting channels as part of Vigil Mechanism
Alignment of Entity Level Controls with the guidance on IFC framework to be issued by MCA / ICAI

Process Level Controls
Implementation of the remediation plans against the Design Deficiencies noted on walkthrough of process & controls and documented in the process level RCMs
Alignment of the Process Level Controls with the guidance on IFC framework to be issued by MCA / ICAI
Testing of Operating Effectiveness of the controls on an ongoing basis

IT Environment
Enhance user access controls in systems like .., ., etc. ensuring adequate Segregation of Duties controls
Periodic review of the existing access rights in Sun and Champ Systems to remove rights for unauthorized accesses. Document and archive the evidence of review
Document IT Policy, Data back up policy, BCP and DR Plan


Our Approach

Control framework - COSO
Control Environment
Risk Assessment
Information & Communication
Monitoring
Control Activity
Fraud

Financial Statements & related Disclosures
Identification of consolidated materiality
Significant Accounts / relevant assertions
Significant Processes
Corporate, Regions, Institutions, FSS
Individual Controls at the Entity, Process, Transaction or Application Level
Determine Nature, Timing & Extent of Key Control Testing


Steps :- Express an opinion on internal control

STEP 1: Scoping
STEP 2: Design Assessment
STEP 3: Design Gap Remediation
STEP 4: Operating Effectiveness
STEP 5: Overall Assessment and Reporting


Key work-steps/considerations for Scoping :-

Map/Identify Significant Account, Process and Key Location
Segregate scope between Business Process and IT
Discuss the scope with Statutory Auditor
Define materiality Key / Non key Risk.
Finalize scope exclusion and validate with auditors
Define scope of process/activities performed by third parties
Nominate IFC Champion across process/location
Set up Steering Committee to review progress / remediation plans
Align Audit Committee and Board
Finalize templates, documentation standard, reporting packs.
Conduct training/workshop with process owners


Key work-steps/considerations for Design Assessment :-

Finalize Process owners across each process/Location
Perform & document walkthrough (recommended)
Document process maps with input, output, risk/control, IPE
Segregate controls into Entity/Process/IT
Identify control into Manual, Automated, IT Department, Preventive/Detective
Segregate control into document risk and control matrix with control description, owner, frequency, control evidence etc.
Document IT General control (GITCs)
Perform Segregation of Duties analysis
Identify design gaps based on walkthrough, interview, discussion etc.
Benchmarking of IFC control - consolidate, remove redundancy

Key work-steps/considerations for Design Gap Remediation :-

Prioritize financial gaps into material / non-material
Prioritize operational / reputation gaps (if any) into H/M/L impact
Co-develop remediation plan with owners & implementation timelines
Periodic monitoring of remediation plan
Enhance/optimize IT controls
Standardize/Centralize processes (wherever possible)
Enhance SOP/MIS/DOA etc.
Interim testing to confirm remediated gaps


Key work-steps/considerations for Operating Effectiveness :-

Align sampling strategy with external Auditors
Prepare testing plan & templates
Timing of testing: mid-year and roll-forward testing
Finalize resources: competency & independence/objectivity
Document testing results
Prioritize testing gaps into material / non-material
Identify mitigation/compensating controls for material gaps
Co-develop remediation plans for testing gaps including owners and implementation timelines


Key work-steps/considerations for Assessment and Reporting :-

Finalize material weakness and update Executive management
Report to Audit Committee and Board
Opinion on IFC


CONTACT US!
We're social

011 4228 0431


bd@codomain.co.in
www.codomain.co.in


Thank You !