IFCFR SERIES CHASE THE MAZE
Aseem Trivedi Centre for Advisor’s Excellence
Auditor and IFCFR Reporting
“There is nothing wrong with being a control freak auditor, if you
are controlling your words, behaviours and actions.”
Dear Readers
“This is a very intriguing time to be in”
The Companies Act, 2013 has introduced many
new reporting requirements for the statutory
auditors of companies. One of these
requirements is given under the Section 143(3)
(i) of the Act requiring the statutory auditor to
state in his audit report whether the company
has adequate internal financial controls system
in place and the operating effectiveness of such
controls. The section has cast onerous
responsibilities on the statutory auditors
because reporting on internal financial controls
is not covered under the Standards on Auditing
issued by the ICAI, it requires auditor to test the However, no consultancy or advice should be
control for assessment of risk of Material
misstatement, and to document the evidence of
efficiency and effectiveness. Further it should be
noted that as no specific framework has been
prescribed under the Companies Act, 2013 and
the Rules thereunder for the evaluation of
IFCFR
series
Chase the Maze
CH
ISSUE -1 OCTOBER 2016
internal financial controls, there was lack of
guidance to the Auditor for the same hence ICAI
came out with a 276 pages guidance note to give
guidance to the auditor. Our endeavour through
this series of articles is to explain the
requirements by correlating them in day to day
practice of a chartered Accountant Firm
irrespective of the size of the firm.
All and all, there is an urgent need to be
technically sound about all the recent
pronouncements to be competitive. Every new
change brings new horizons to explore and
grow. This material is an honest attempt to give
an in-depth and overall understanding of the
Internal Financial Control requirements.
given solely on the basis of this material. The
user is recommended to exercise his professional
due diligence and care before certification and
consultation.
Happy Reading!
IFCFR SERIES CHASE THE MAZE
2

Topic - 1 Traditional approach of auditing V/S Control Based

Auditing

Do you still believe in Extensive vouching while auditing?

With the passing time the focus of the audit has shifted from the substantive procedures to the control
procedures because of automation of accounting in substantially all organizations. Paper based
evidences are rarely seen now days hence vouching is losing its importance. The very basic objective of
the control based audit is to prevent and detect the loopholes and lapses from the source itself so that
risk of falsified input data cannot entered in accounting system, once reliable input is there automated
system which is tested for time and again before implementation cannot manipulate the input data
while processing as against manual system of accounting. This is a change from the “old tick-tick” based
approach to a scientific and documented approach towards audit.

For instance,
 There will be least chances of the embezzlement of cash if there is proper segregation of duties,
regular cash verification, authority matrix and proper safe management etc.
 There will be least chances of fabrication of hiring in payroll, if there is employee manual,
documented HR policies, background verification and identity verification of employees etc.
 There will be least chances of irregularity in purchase of goods, if there is documented policy about
raising of purchase requisition, call for quotation, placing of order and preparation of material
requisition note and quality check.

So, instead of verifying the cash vouchers, salary sheet and purchases invoices in heaps, we can verify
the controls which are placed by the organisation in the said processes. Therefore the placement of
controls in organizations minimizes the chances of the risk in general, reduces the time and favours the
authentic documentation.
This is the only reason regulators are now demanding from our profession not only to change the audit
approach but also reporting to stakeholders.

What is this concept of Internal Control (IC)? What are the types of controls covered by ICs?

As explained in SA 315 by ICAI:- The process designed, implemented and maintained by those charged
with governance, management and other personnel to
 provide reasonable assurance about the achievement of an entity’s objectives with regard to
reliability of financial reporting,
 effectiveness and efficiency of operations,
 safeguarding of assets and
 Compliance with applicable laws and regulations.

The term “controls” refers to any aspects of one or more of the components of internal control.
This definition is in line with the International Standards on Auditing 315.
IFCFR SERIES CHASE THE MAZE |

The above definition covers controls namely:

 Operating controls- They are relating to the operations of the business.

For example: An HR policy which governs the hiring of employees which includes its
background verification
 Financial Controls-Financial controls would be linked to the financial transactions which
ultimately affects the financial reporting.
For example: The authority matrix for signing the cheque above the specified limit.

Processes Operational Controls Financial Controls Compliance Controls

Effectiveness and efficiency Reliability of financial Complied with laws, rules

of operations conducted reporting and regulations

Procure to pay  Vendor selection process  Purchase Order • Input credits on taxes
 Purchase Requisitions creation paid
 Quotation Analysis • Creation of Vendor
• Deduction of tax at
 Purchase ordering process Masters
source
• Goods Receiving Process
• Related Party
• Bill verification and Disclosures
payment
• MSME disclosures and
• Vendor ledger compliance
accounting
• Other Disclosures as per
statutory requirements

Payroll  Hiring and recruitment  Increment policies  Gratuity provision and

process  Payment processing payment
 Background verification  Bonus payment norms  TDS/ PT deduction
 Norms regarding requirement
qualification, experience  PF/ESIC compliances
etc.

Management is required to design and implement all of the above controls, however the auditor is
only required to report on the adequacy and operating effectiveness of mainly the financial controls
and other controls also if they have significant financial impact on financial reporting.

For example:- The auditor has to verify the increments and promotions policies of the employees and
report on the adequacy and operating effectiveness of such controls but need not to report on
operational controls like qualification norms, background verification etc. if the impact on financial
statement is immaterial.
IFCFR SERIES CHASE THE MAZE
2

So, what is this a new concept of Internal Financial Controls (IFCs)? What are its objectives?

As explained in the Guidance Note by ICAI, Internal Financial Controls Policies and procedures
adopted by the company for ensuring the orderly and efficient conduct of the business,
 Adherence of the company’s policies.
 Safeguarding of the assets.
 Prevention and detection of fraud and errors.
 Accuracy and completeness of the accounting records.
 Timely preparation of the reliable financial statements.

However, it is not exactly a new concept, our erstwhile generally accepted auditing practices including
SAP from year 1985, AAS from year 2002 and SAs from year 2009 have been laying stress on the Internal
Controls.
This is the same definition which is used for Internal Control under erstwhile AAS-6 and Internal
Control System under SIA 12. Hence in the view of the editorial board there is no need of hair-
splitting between the definition of internal control and internal financial control, although in
auditing world people are making differences between the two. We found that both the definition
has same objectives as described under this table.

Classification Objective Example

Operations Objectives Efficiency and effectiveness in 1. Employee manual

Operations 2. Segregation of Duties,
Prevention and detection of Authorisation.
fraud and error 3. Reconciliation, Reverification
Safeguarding of assets and review of processes.
4. Safe management for cash.
5. Revenue Recognition policy.
6. Asset safeguarding policies.
Reporting & Financial Accuracy and completeness of 1. Controls over accurate and
Objectives Accounting records timely update.
Reliability of Financial 2. Control over completeness of
reporting accounting records.
3. Timely preparation of financial
reports.
Compliance Objectives Compliance with applicable 1. Adequate framework to
laws and regulations ensure compliance to
applicable laws and
regulations.
2. Adequate framework to
monitor the compliance

From the above classification of its objectives, it is very clear that the objective of Internal Financial
Control and Internal Control is no different.
IFCFR SERIES CHASE THE MAZE |

Author’s comment:-
The definition of the Internal Control as per SA 315 has been replicated from the International Standards of
Auditing 315. Further, the definition of the Internal Financial Controls is same as which is defined for Internal
Control as per erstwhile AAS 6. The same definition of the Internal Control (under AAS 6) has been replicated to
the definition of the Internal Control System under Standards on Internal Audit – 12.
Internal Control as per Internal Control System as Internal Financial
former AAS 6 per SIA 12 Controls as per GN

Internal Control as per Internal Control as per SA

ISA 315 315

AASB of ICAI should clarify the members what exactly is difference between the two terms internal
control system and internal financial control.
The guidance note should provide the fundamental difference between the IC and IFCs which is at present missing.
Key takeaways from the definition of the two:-
 Academically, IFCs are the policies and the procedures whereas ICs are the processes. This means IC is the
broader term.
 This has led to open interpretation from the members and industry at large.
 This jugglery would have never arisen had the word IC used in place of IFC. IFC was always a part of
IC, with the new legal pronouncements and guidance note coming up, only the documentation
and reporting requirements have changed.

What are “Internal financial controls over financial reporting (IFCFR)” how it is different from ICs, IFCs?

Section 143(3) requires the auditor to report on the Internal Financial Controls over the financial
reporting.
As per guidance note, IFCFR means a process designed to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles.
A company's internal financial control over financial reporting includes those policies and procedures
that:
(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect
the transactions and dispositions of the assets of the company;
(ii) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorisations of management and directors of the company; and
(iii) Provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect on the
financial statements.

Note: The auditor’s opinion therefore does not assure, for example, the future viability of the entity nor
the efficiency or effectiveness with which management has conducted the affairs of the entity.
IFCFR SERIES CHASE THE MAZE |

Internal Financial Controls vs. Internal Financial Controls over Financial Reporting

 In the audit of the Financial Statements, the management is responsible for the preparation and
presentation of the Financial Statements and auditor is responsible for the verification of the
same.
 Here also, the management is responsible for design, implement and maintenance of the IFCs,
the auditor shall be required to report on the adequacy and operating effectiveness of the IFCs
this is known as IFCFR.
 IFCFR covers the Financial Controls over Financial Reporting whereas the Internal Financial
Controls also includes Operational controls and Fraud prevention.

What are the legal requirements under the companies act, 2013?

Relevant Clauses Requirements Applicability Scope

Director’s Board of the directors Listed IFC

Responsibility have to confirm IFCs are Companies
Statement u/s 134(5) adequate and operating
effectively
Board Report {Rule Board report to state the All Companies IFCFR
8(5) of the Company details in the respect of
(Accounts) Rules} the adequacy of IFC with
reference to Financial
Statements
Code for ID has to satisfy All the IFCFR
Independent themselves on the companies
Directors (ID) u/s integrity of the financial having IDs.
149(8) and schedule information and the
IV financial controls are
robust and defensible.
Audit Committee Evaluation of IFCs. All companies IFCFR
(AC) u/s Sec 177 having an AC.

Auditor’s Report The auditor to report on All Companies IFCFR

143(3) the adequacy and
operating effectiveness of
the internal financial
controls (IFCs) over
Financial Reporting of the
company.

Why Internal Financial Controls if there is Internal Audit?

Internal audit is an assist function and supervisory function to IFC. IFC which is implemented,
maintained and monitored by the Internal Audit department is considered as maintained, implemented
and monitored on behalf of management and those charged with governance. Hence there was a need
IFCFR SERIES CHASE THE MAZE |

to cast additional responsibility on the part of the Independent Auditors to ensure operating
effectiveness of the internal controls over financial reporting and further to ensure thorough
documentation of the key processes by the Independent Auditor.
The guidance note specifically states that the work of the internal auditor can’t be relied for the purpose
of this IFC Audit (IFCFR) but he can coordinate for the direct assistance from the internal auditor
through provisions of SA 610(Revised).

Statutory Auditor’s responsibilities for Internal Financial Controls over Financial Reporting.

 The introduction of IFCFR necessitates some changes in traditional audit approach by following
the control based audit approach.
 The independent statutory auditor is required to conduct the IFC audit and issue a separate audit
report (Annexure A if CARO not applicable, otherwise Annexure B) along with the main auditor
report.
 A separate engagement letter is also required for IFCFR or IFC Audit.
 In addition to the IFCFR, section 143 of the companies act. 2013 requires the auditor to comply
with the Standards on Auditing. These standards on auditing (specifically SA-230 (R)
Documentation) and section 143 now forces the auditors to do comprehensive audit
documentation and perform in depth audit procedures relating to the controls placed by the
management.
 Although such documentation was very much part and parcel of the audit procedures drawn by
the leading audit firms. But, now the IFCFR is applicable to the smallest of the companies and
has to be followed by the smallest of the audit firms.

IFCFR vs. Internal Controls under CARO

The scope for reporting on internal financial controls over financial reporting is significantly
larger and wider than the reporting on internal controls under CARO.
 Under CARO the reporting on internal controls is limited to the “adequacy” of controls over
1. purchase of inventory and fixed assets and
2. Sale of goods and services.
 As such, CARO does not require reporting on all controls relating to financial reporting and also
does not require reporting on the “adequacy and operating effectiveness” of such controls.
Hence we can say report over IFCFR has a larger and wider scope of reporting than CARO

Do the standards on auditing apply for the audit of internal financial controls over financial
reporting?

Standards on auditing provide an overview as how an auditor should conduct an audit. They provide a
complete and comprehensive guidance to the auditor. Internal financial controls have just concentrated
on the specific areas relating to controls. So, standards on auditing continues to be the principle
guidance material for the conducting the IFC audit.

For any queries please feel free to email us askatcae@gmail.com

IFCFR SERIES CHASE THE MAZE |

OUR EDITORIAL BOARD

CA. Aseem Trivedi,Qualified in
1998. Currently Managing Director
of Highbrow Mentor Learning
Solutions Pvt. Ltd. ATCAE is one
of the division of this Company for
Advisor’s Excellence.
He is nationwide known mentor of
AS,Ind AS, IFRS, Audit and
Company Law.
CA. Aseem Trivedi
He is also author of many
B.Sc, FCA
professional and academic books
CEO, ATCAE
on above subjects. Besides this he
is a Life Coach and takes
Motivational Seminars.
 Qualified CA in the year 2014
and B.com in the year 2012.
 Also qualified CMA/CWA in
the year 2015 with AIR 28 and
AIR 16 in CMA Final and CMA
Inter respectively.
 Currently into practice and
academics.
 Exposure in one of the Big 4
auditing firms.
CA. Aman Mehta  Visiting Faculty at Nahata
B.Com, ACA, CMA Academy, DAVV University,
ICAI(Cost) Prestige Institute
for various subjects like
accounts, taxation and cost.

 Qualified CA in the year 2014 .  Qualified CA in 2014,

 Excellent academic records
throughout schooling.
 Work experience of more than
one year with one of the Big 4
auditing firms.
 Currently into practice and
academics.
 Visiting Faculty at DAVV
University, ICAI(Cost) for the
subjects like Financial
CA. Suhani Jain
Management and Economics.
ACA
 Currently Practicing
 Indirect Taxation and
Auditing are his areas of
interest.
 He is academic advisor and
technical content developer
for Highbrow Mentors
learning solutions Publishing
House.
 He is academic and technical
CA. Santosh Gupta
advisor for Highbrow Mentor’s
ACA
Offline learning Portal CA
KIT.

Chase the Learn with Highbrow Mentor Group

Maze Highbrow Mentor Knowledge Series – Publishing Division

ATCAE- Centre for Advisor’s Excellence
ATCAE -Classroom for CPA(US)
ATCAE -Classroom for IFRS and INDAS
ATCAE- Classroom for ICFR and Critical Issues in Auditing
CAKIT- Offline Learning Technologies for CA students
Highbrow Mentor LSPL
4 I BCM CITY
Navlakha Square
Indore, 452001