Professional Documents
Culture Documents
CH
Auditor and IFCFR Reporting
“There is nothing wrong with being a control freak auditor, if you
ISSUE -1 OCTOBER 2016
are controlling your words, behaviours and actions.”
internal financial controls, there was lack of
Dear Readers guidance to the Auditor for the same hence ICAI
“This is a very intriguing time to be in” came out with a 276 pages guidance note to give
guidance to the auditor. Our endeavour through
The Companies Act, 2013 has introduced many this series of articles is to explain the
new reporting requirements for the statutory requirements by correlating them in day to day
auditors of companies. One of these practice of a chartered Accountant Firm
requirements is given under the Section 143(3) irrespective of the size of the firm.
(i) of the Act requiring the statutory auditor to
state in his audit report whether the company All and all, there is an urgent need to be
has adequate internal financial controls system technically sound about all the recent
in place and the operating effectiveness of such pronouncements to be competitive. Every new
controls. The section has cast onerous change brings new horizons to explore and
responsibilities on the statutory auditors grow. This material is an honest attempt to give
because reporting on internal financial controls an in-depth and overall understanding of the
is not covered under the Standards on Auditing Internal Financial Control requirements.
issued by the ICAI, it requires auditor to test the However, no consultancy or advice should be
control for assessment of risk of Material given solely on the basis of this material. The
misstatement, and to document the evidence of user is recommended to exercise his professional
efficiency and effectiveness. Further it should be due diligence and care before certification and
noted that as no specific framework has been consultation.
prescribed under the Companies Act, 2013 and
the Rules thereunder for the evaluation of Happy Reading!
IFCFR SERIES CHASE THE MAZE
2
With the passing time the focus of the audit has shifted from the substantive procedures to the control
procedures because of automation of accounting in substantially all organizations. Paper based
evidences are rarely seen now days hence vouching is losing its importance. The very basic objective of
the control based audit is to prevent and detect the loopholes and lapses from the source itself so that
risk of falsified input data cannot entered in accounting system, once reliable input is there automated
system which is tested for time and again before implementation cannot manipulate the input data
while processing as against manual system of accounting. This is a change from the “old tick-tick” based
approach to a scientific and documented approach towards audit.
For instance,
There will be least chances of the embezzlement of cash if there is proper segregation of duties,
regular cash verification, authority matrix and proper safe management etc.
There will be least chances of fabrication of hiring in payroll, if there is employee manual,
documented HR policies, background verification and identity verification of employees etc.
There will be least chances of irregularity in purchase of goods, if there is documented policy about
raising of purchase requisition, call for quotation, placing of order and preparation of material
requisition note and quality check.
So, instead of verifying the cash vouchers, salary sheet and purchases invoices in heaps, we can verify
the controls which are placed by the organisation in the said processes. Therefore the placement of
controls in organizations minimizes the chances of the risk in general, reduces the time and favours the
authentic documentation.
This is the only reason regulators are now demanding from our profession not only to change the audit
approach but also reporting to stakeholders.
What is this concept of Internal Control (IC)? What are the types of controls covered by ICs?
As explained in SA 315 by ICAI:- The process designed, implemented and maintained by those charged
with governance, management and other personnel to
provide reasonable assurance about the achievement of an entity’s objectives with regard to
reliability of financial reporting,
effectiveness and efficiency of operations,
safeguarding of assets and
Compliance with applicable laws and regulations.
The term “controls” refers to any aspects of one or more of the components of internal control.
This definition is in line with the International Standards on Auditing 315.
IFCFR SERIES CHASE THE MAZE |
Procure to pay Vendor selection process Purchase Order • Input credits on taxes
Purchase Requisitions creation paid
Quotation Analysis • Creation of Vendor
• Deduction of tax at
Purchase ordering process Masters
source
• Goods Receiving Process
• Related Party
• Bill verification and Disclosures
payment
• MSME disclosures and
• Vendor ledger compliance
accounting
• Other Disclosures as per
statutory requirements
Management is required to design and implement all of the above controls, however the auditor is
only required to report on the adequacy and operating effectiveness of mainly the financial controls
and other controls also if they have significant financial impact on financial reporting.
For example:- The auditor has to verify the increments and promotions policies of the employees and
report on the adequacy and operating effectiveness of such controls but need not to report on
operational controls like qualification norms, background verification etc. if the impact on financial
statement is immaterial.
IFCFR SERIES CHASE THE MAZE
2
So, what is this a new concept of Internal Financial Controls (IFCs)? What are its objectives?
As explained in the Guidance Note by ICAI, Internal Financial Controls Policies and procedures
adopted by the company for ensuring the orderly and efficient conduct of the business,
Adherence of the company’s policies.
Safeguarding of the assets.
Prevention and detection of fraud and errors.
Accuracy and completeness of the accounting records.
Timely preparation of the reliable financial statements.
However, it is not exactly a new concept, our erstwhile generally accepted auditing practices including
SAP from year 1985, AAS from year 2002 and SAs from year 2009 have been laying stress on the Internal
Controls.
This is the same definition which is used for Internal Control under erstwhile AAS-6 and Internal
Control System under SIA 12. Hence in the view of the editorial board there is no need of hair-
splitting between the definition of internal control and internal financial control, although in
auditing world people are making differences between the two. We found that both the definition
has same objectives as described under this table.
From the above classification of its objectives, it is very clear that the objective of Internal Financial
Control and Internal Control is no different.
IFCFR SERIES CHASE THE MAZE |
Author’s comment:-
The definition of the Internal Control as per SA 315 has been replicated from the International Standards of
Auditing 315. Further, the definition of the Internal Financial Controls is same as which is defined for Internal
Control as per erstwhile AAS 6. The same definition of the Internal Control (under AAS 6) has been replicated to
the definition of the Internal Control System under Standards on Internal Audit – 12.
Internal Control as per Internal Control System as Internal Financial
former AAS 6 per SIA 12 Controls as per GN
AASB of ICAI should clarify the members what exactly is difference between the two terms internal
control system and internal financial control.
The guidance note should provide the fundamental difference between the IC and IFCs which is at present missing.
Key takeaways from the definition of the two:-
Academically, IFCs are the policies and the procedures whereas ICs are the processes. This means IC is the
broader term.
This has led to open interpretation from the members and industry at large.
This jugglery would have never arisen had the word IC used in place of IFC. IFC was always a part of
IC, with the new legal pronouncements and guidance note coming up, only the documentation
and reporting requirements have changed.
What are “Internal financial controls over financial reporting (IFCFR)” how it is different from ICs, IFCs?
Section 143(3) requires the auditor to report on the Internal Financial Controls over the financial
reporting.
As per guidance note, IFCFR means a process designed to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles.
A company's internal financial control over financial reporting includes those policies and procedures
that:
(i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect
the transactions and dispositions of the assets of the company;
(ii) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorisations of management and directors of the company; and
(iii) Provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect on the
financial statements.
Note: The auditor’s opinion therefore does not assure, for example, the future viability of the entity nor
the efficiency or effectiveness with which management has conducted the affairs of the entity.
IFCFR SERIES CHASE THE MAZE |
Internal Financial Controls vs. Internal Financial Controls over Financial Reporting
In the audit of the Financial Statements, the management is responsible for the preparation and
presentation of the Financial Statements and auditor is responsible for the verification of the
same.
Here also, the management is responsible for design, implement and maintenance of the IFCs,
the auditor shall be required to report on the adequacy and operating effectiveness of the IFCs
this is known as IFCFR.
IFCFR covers the Financial Controls over Financial Reporting whereas the Internal Financial
Controls also includes Operational controls and Fraud prevention.
What are the legal requirements under the companies act, 2013?
Internal audit is an assist function and supervisory function to IFC. IFC which is implemented,
maintained and monitored by the Internal Audit department is considered as maintained, implemented
and monitored on behalf of management and those charged with governance. Hence there was a need
IFCFR SERIES CHASE THE MAZE |
to cast additional responsibility on the part of the Independent Auditors to ensure operating
effectiveness of the internal controls over financial reporting and further to ensure thorough
documentation of the key processes by the Independent Auditor.
The guidance note specifically states that the work of the internal auditor can’t be relied for the purpose
of this IFC Audit (IFCFR) but he can coordinate for the direct assistance from the internal auditor
through provisions of SA 610(Revised).
Statutory Auditor’s responsibilities for Internal Financial Controls over Financial Reporting.
The introduction of IFCFR necessitates some changes in traditional audit approach by following
the control based audit approach.
The independent statutory auditor is required to conduct the IFC audit and issue a separate audit
report (Annexure A if CARO not applicable, otherwise Annexure B) along with the main auditor
report.
A separate engagement letter is also required for IFCFR or IFC Audit.
In addition to the IFCFR, section 143 of the companies act. 2013 requires the auditor to comply
with the Standards on Auditing. These standards on auditing (specifically SA-230 (R)
Documentation) and section 143 now forces the auditors to do comprehensive audit
documentation and perform in depth audit procedures relating to the controls placed by the
management.
Although such documentation was very much part and parcel of the audit procedures drawn by
the leading audit firms. But, now the IFCFR is applicable to the smallest of the companies and
has to be followed by the smallest of the audit firms.
The scope for reporting on internal financial controls over financial reporting is significantly
larger and wider than the reporting on internal controls under CARO.
Under CARO the reporting on internal controls is limited to the “adequacy” of controls over
1. purchase of inventory and fixed assets and
2. Sale of goods and services.
As such, CARO does not require reporting on all controls relating to financial reporting and also
does not require reporting on the “adequacy and operating effectiveness” of such controls.
Hence we can say report over IFCFR has a larger and wider scope of reporting than CARO
Do the standards on auditing apply for the audit of internal financial controls over financial
reporting?
Standards on auditing provide an overview as how an auditor should conduct an audit. They provide a
complete and comprehensive guidance to the auditor. Internal financial controls have just concentrated
on the specific areas relating to controls. So, standards on auditing continues to be the principle
guidance material for the conducting the IFC audit.