(ICFR)
A HANDBOOK FOR PRIVATE COMPANIES AND THEIR AUDITORS
An Initiative of the Bombay Chartered Accountants’ Society
July 2016
PREFACE
The Companies Act, 2013 read with Companies (Accounts) Rules,
2014, requires all companies, irrespective of their size, ownership
pattern, governance structure or nature of business activity, to
comply with certain provisions related to Internal Financial Controls
(IFC) and/or Internal Controls over Financial Reporting (ICFR).
For audit reports for the years ended 31st March 2016 onwards,
Statutory Auditors are also mandatorily required to comment on the
adequacy of internal financial controls system and the operating
effectiveness of such controls.
The ‘Guidance Note on Audit of Internal Financial Control Over
Financial Reporting’ released by the Institute of Chartered
Accountants of India (ICAI) in September 2015 (hereinafter referred
to as “the ICAI Guidance Note” or “the Guidance Note”) is a detailed
document explaining the regulatory framework and providing both,
technical guidance and implementation guidance for conducting such
an audit. This Guidance Note has been prepared for providing
guidance to the auditor and has proved to be of immense help in
carrying out the first set of ICFR audits, mainly of large and listed
companies, most of whom had the benefit of having formal
documented policies and processes, risk management framework
and a well-defined governance structure in place.
This handbook is intended for the next set of companies and their
auditors, who are required to cover the distance in a shorter time. It
is a humble attempt to guide such private companies and their
auditors in their endeavor to comply with the requirements of ICFR.
The objective of this book is to provide a simple and jargon-less
explanation of what is expected, what is required to be done and how
it can be done, in a manner that not only the form, but also the spirit
of the regulatory requirement is achieved, without incurring
disproportionate costs and without creating a complex structure of
policies and documentation that may not be sustainable.
- Nandita Parekh
Contents at a Glance
Section Topic
1. Overview – ICFR for Private Companies
   1.1 Understanding IFC and ICFR
   1.2 The Regulatory Framework in a Nutshell
   1.3 So, What Has Really Changed?
2. Roadmap for a Private Company for adopting an ICFR Framework
   2.1 Need for a Framework
   2.2 Proposed Framework
   2.3 Understanding the components of internal control with specific reference to ICFR
   2.4 Starting the ICFR project
   2.5 Component # 1 - Control Environment
   2.6 Component # 2 - Risk Assessment
   2.7 Component # 3 - Control Activities
   2.8 Component # 4 - Information System and Communication
   2.9 Component # 5 - Monitoring of Controls
   2.10 Concluding Remarks
3. Roadmap for Auditors of Private Companies
   3.1 Overview
   3.2 Pre-audit Approach
   3.3 Audit Approach
   3.4 Audit Execution – Testing of Controls
   3.5 Audit Conclusions and Audit Reporting
   3.6 Call to action
4. Making it easy – ready-to-use drafts and formats
   4.1 Entity Level Controls – Specimen
   4.2 IT General Controls - Specimen
   4.3 Financial Statement Closure Policy - Specimen
5. Glossary of abbreviations used
6. Useful links and recommended reading
SECTION 1: OVERVIEW – ICFR FOR PRIVATE COMPANIES
1.1.1 Definitions:
Internal Control:
Standard on Auditing – SA 315 defines Internal Control as:
“The process designed, implemented and maintained by those
charged with governance, management and other personnel to
provide reasonable assurance about the achievement of an
entity’s objectives with regard to reliability of financial
reporting, effectiveness and efficiency of operations,
safeguarding of assets, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or
more of the components of internal control.”
accounting principles. A company’s internal financial control
over financial reporting includes those policies and procedures
that:
(i) pertain to the maintenance of records that, in reasonable
detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company;
(ii) provide reasonable assurance that transactions are recorded
as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles,
and that receipts and expenditures of the company are being
made only in accordance with authorisations of management
and directors of the company; and
(iii) provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or
disposition of the company's assets that could have a
material effect on the financial statements.”
ICFR is a subset of IFC:
[Figure: IFC and ICFR, with labels: Operational controls, Anti-fraud controls, ICFR, IFC]
Thus, IFC as a concept is much wider than ICFR. ICFR
comprises controls that provide reasonable assurance that
financial statements are free of material misstatement. IFC, in
addition, covers controls that ensure orderly and efficient
conduct of business, controls for safeguarding assets, controls
that ensure compliance with company’s policies and
prevent/detect frauds and errors.
loss, non-financial fraud in terms of information leakage, non-
adherence to quality control checks etc., all of which would be a
subject matter of IFC.
Sections 128 and 129 of the Companies Act, 2013 require all
companies to maintain books of account and prepare financial
statements in a manner that they give a true and fair view of
the state of affairs of the Company. This requirement also
existed in the earlier Act of 1956. So, a company’s responsibility
for maintenance of financial records and preparation of
financial statements is an age-old requirement.
This practice needs to stop and companies need to take full
responsibility for preparation of financial statements, with
all due disclosures and which are fully compliant with
accounting standards.
“Rule 8. (5) In addition to the information and details in
sub-rule (4), the report of the Board shall also contain –
….(viii) the details in respect of adequacy on internal
financial controls with reference to the Financial
Statements”
the truth and fairness, the accuracy and appropriateness
of the financial statements.
The Directors’ Report of all companies provides a
statement on the risk management framework/policy
adopted by the company; however it is a known fact that
for a large number of companies, this statement is not
backed by a documented risk management policy or a
framework that has actually been implemented with the
involvement of the management. The companies and
their directors need to take a hard look at how they
establish, implement and document a risk management
framework for the company in general and with
reference to ‘financial reporting risk’ in particular.
system", with the words "internal financial controls with
reference to financial statements”.
Section and Rule Reference: Section 134(5)(e)
Brief Description and Applicability: Financial statement, Board’s report, etc. – Directors’ Responsibility Statement
(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

controls and risk management systems.
taken over the 2-wheeler lane, the side-walk was encroached
upon by peddlers and the risk of accident had in fact increased
for the stray pedestrians who actually walked believing that
everyone else would follow the rules! He immediately started
catching those who were not following the rules and started
issuing notices/levying fines. At this, everyone – the
pedestrians, the peddlers and the vehicle drivers – went up in
arms, saying there was not enough notice given before the
traffic cop showed up.
The traffic cop was unmoved. He simply stated that there had
been enough advance notice given, that following the traffic
rules was in the interest of the various concerned groups and if
anyone wanted to avoid the fines, all they had to do was to start
following the rules!
documented the results of their evaluation of internal
controls;
Now, the regulatory requirement has changed wherein:
o the Board, in its report to shareholders, is required
to state the adequacy of ICFR and
o the auditors are required to express an opinion on
the adequacy of ICFR and its effectiveness
The scene is not much different from the traffic cop showing up
on that busy road. The task on hand appears tougher than it is
intended to be, perhaps because neither the company, nor
maybe the auditors have performed their evaluations and
analyses in a manner that could stand up to an independent
review/ scrutiny.
the auditor to express this opinion, it is necessary for him/her
to understand the policies and processes adopted by the
company, to obtain evidence in support and to perform testing
for confirming operational effectiveness of such controls.
SECTION 2: ROADMAP FOR A PRIVATE COMPANY FOR
ADOPTING AN ICFR FRAMEWORK
by others…. and above all, a high risk of not making it to the
destination. Similarly, a framework for internal controls
provides a map – an efficient and planned way of achieving a
desired state of internal controls over financial reporting
(ICFR).
explanations that can be used by the company for the
development of its ICFR framework. Hence, it is advisable for
companies to adopt this 5-component framework for
establishing and evaluating ICFR, which can then be used by
the auditors for their review – this would optimize efforts at
every level.
i. General profile:
First, a general profile of the individual is taken in terms of
gender, age, past history, hospitalization in the past 5 years,
surgeries undertaken, illnesses, medical history of the
parents/blood relations, exercise routine, smoking/alcohol
habits etc. Also, a certain set of general tests such as CBC,
chest x-ray, blood pressure, etc. is prescribed to all.
for someone with a family history of diabetes, risk of
diabetes and related conditions is identified as a risk.
company, giving due respect to privacy and confidentiality
norms.
v. Periodic Monitoring:
The company takes steps to confirm that the annual health
check-ups have been completed for all employees during the
year. Further, for certain key employees or those at higher
risks, the company adopts a more involved plan for regularly
monitoring the parameters at a greater frequency.
Using the 5-component framework for ICFR, the company may
start with examining the control environment, and then move
to the next component and the next one. Readers are advised to
refer to SA 315 for detailed explanation of each of the five
components.
Control Environment:
Risk Assessment:
Control Activities:
The presentation of financial statements free from any
material misstatement necessitates that all these information
and communication channels are operating effectively.
For this, the steps to be taken to start the ICFR Project and then
to be taken under each component are explained in sections 2.4
to 2.10 below, with certain ready-to-use templates.
as a Board Resolution. It may be noted that private
companies are not required to have an Audit Committee by
law – however, they can voluntarily constitute an Audit
Committee or its equivalent, to provide guidance in matters
of internal audit, financial reporting and ICFR.
c) It is advisable to designate a senior employee or a whole-
time director with requisite understanding of financial
reporting and company’s way of functioning, to champion
the ICFR initiative. This role is generally played by the CFO,
Chief Internal Auditor, Company Secretary/ Compliance
Officer or Finance Director. This role may also be played by
an external advisor, other than the statutory auditors. If the
company has outsourced its internal audit function, then the
outsourced firm of internal auditors may be appointed to
assist the company in design and documentation of ICFR.
d) Since the statutory auditors are required to review the
ICFR framework for the purpose of ICFR audit, they
cannot be involved in designing the framework (either
directly or through any other entity within their
network) – else, they will find themselves in conflict
when it comes to expressing their opinion based on
review of ICFR framework.
e) The ICFR Champion needs to be supported by requisite
team members – ideally, the team members may be freed up
from their day-to-day responsibilities to focus exclusively
on the ICFR project – alternatively, support may be sought
from external agencies/advisors.
f) The quality of the ICFR framework will be directly related to
the importance and commitment displayed by the directors
throughout the ICFR Project and thereafter. Considering
that this is an important responsibility cast on the directors,
it is advisable for the directors to effectively communicate
the importance of this project across the company, to assign
competent persons to drive this project and to stay involved
with the project, through ongoing review and monitoring.
Board to acknowledge its primary responsibility for ICFR
A Risk Control Matrix (RCM) refers to a tool used for
documentation of risks and controls in a structured manner, on
a standard template. An RCM prepared for ICFR documentation
generally provides the following details:
o Process and sub-process name
o Risk description
o Characteristics of risk in terms of fraud risk, risk level, etc.
o Control description
o Nature of control – preventive/ detective, manual/ automated, frequency of control, etc.
o Evidence of control
o Result of design testing
o Result of testing operational effectiveness.
An RCM provides a one-point documentation of business
process, risks, controls and control testing details and is
extensively used for ICFR documentation.
2.5.2 The directors of a private company need to assess the control
environment by introspecting on the availability of the
following:
o Clearly stated structure, responsibility allocation and governance framework
o Effective risk management framework, with identified "financial reporting risks"
o Documented policies and processes related to key activities, with identified control points
o IT system is effectively used, secure, tested and documented
o Documented financial reporting and period closure process
The key issues that the management needs to debate and
answer are:
o What role do the directors play in reviewing the financial statements to ensure that they meet the disclosure requirements and are free from material misstatements? Do the directors possess the necessary knowledge and do they spend adequate time to discharge this role?
o If the directors are themselves not reviewing the financial statements as required, then whom do they rely upon? The CFO, the Controller, any external advisor?
o What are the policies and protocols adopted by the company to create an ethical environment that discourages frauds, misappropriations and misreporting?
o What is the direction given by the management to encourage automation, smart IT systems for financial accounting, documented processes and adequate training?
o Are the IT systems used by the company tested for accuracy and controls by periodic audit of the IT security and systems?
o Are there management processes such as budgeting, periodic reviews, analyses of deviations, performance reviews etc. that would result in timely preparation of accounting records and early detection of errors and potential problems?
o Is the company able to source and retain talent appropriate to its requirements? Is sufficient importance given to training and knowledge building so that the employees are able to perform well in the changing regulatory environment?
2.5.4 Assessment of ELC and ITGC is facilitated by use of
questionnaires or checklists. These assessments are likely to
reveal certain control gaps and some areas for improvement
that need to be addressed by the management.
ELC and ITGC are generally used to judge the internal control
climate in the company – weaknesses at these levels may not
automatically result in a conclusion that internal controls over
financial reporting are inadequate unless the weaknesses are
indicative of a serious governance failure or a controls
breakdown.
2.5.5 For a private company that falls in the SME category or has a
simple business model, there is expected to be a gap in the
documentation of policies and statements that evidence the
organization’s vision, mission, code of ethics, compliance focus,
fraud prevention, etc. Absence of documentation is not the
same as absence of controls. However, documentation of
certain key policies will need to be taken up on a priority basis
for the management to be able to rely upon and demonstrate
the internal controls.
Columns: Sr #, Parameter, Description, Your Score

1. Parameter: Board structure, delegated authority for ICFR and role of CFO
   Description:
   o Clarity of role of the Board.
   o Regularity of meetings.
   o Timely recording of minutes.
   o Specific responsibility assigned for ensuring adequacy of ICFR to Audit Committee or Board members with relevant experience.
   o CFO empowered and independent, to ensure full and fair reporting.
   Your Score:

2. Parameter: Values, vision and Code of Ethics
   Description:
   o Mission, vision and values of the company defined and demonstrated.
   o Code of Ethics and Code of Conduct documented, explained and enforced.
   o Anti-bribery policy, self-disclosure of conflicts and whistleblower policies introduced and explained.
   Your Score:

3. Parameter: Organization structure, roles and responsibilities and authority matrix
   Description:
   o Clearly defined, updated organization chart.
   o Well-defined roles, responsibilities and authority structure.
   o Formal delegation of powers.
   o Segregation of duties and functional roles across the company to improve internal controls.
   Your Score:

4. Parameter: Risk management framework
   Description:
   o Formal risk management policy and framework implemented.
   o Financial reporting and fraud risks considered in the risk management framework.
   o Risks mapped with controls.
   o Risk management framework revisited and revised to ensure on-going relevance.
   Your Score:

5. Parameter: Documented process flow diagrams and process narratives/ policies/SOPs
   Description:
   o Documented policies and processes for all key areas of the company.
   o Process diagrams with identified control points.
   o Authority matrix defined.
   o Work flow and document flow well designed.
   Your Score:

6. Parameter: Policy for financial reporting and closure
   Description:
   o Written policy and process note for financial statements closure with assigned responsibilities.
   o Process for incorporating regulatory changes in disclosure requirements.
   o Adequate segregation and maker/checker controls.
   o Basis for making financial estimates and approval authority for the same clearly defined.
   Your Score:

7. Parameter: Talent development
   Description:
   o Policy established to ensure right people for the right job.
   o Effective sourcing, retention and training of people.
   o Ensuring employee empowerment and growth.
   Your Score:

8. Parameter: Performance review & MIS
   Description:
   o Budgetary controls.
   o Performance review by management, with deviation analysis.
   o Well-structured MIS generated from IT system used for financial reporting.
   o Periodic analysis to identify aberrations, exceptions and unusual trends.
   Your Score:

9. Parameter: Monitoring and internal audit
   Description:
   o System of internal audit for periodic review of controls.
   o System of quality checks and self-checks of controls.
   o Periodic review of adequacy of processes and controls by functional heads and management.
   Your Score:

10. Parameter: Management’s philosophy on IT usage, compliance and employee policies
   Description:
   o Emphasis on IT-enabled processes and automation.
   o Compliance framework and compliance reporting to the Board established.
   o Employee policies and performance appraisal process that encourages commitment, integrity and competency.
   Your Score:
score of perfect 30 may seem a distant dream, companies with
scores less than 15 have reasons to worry.
o Risk of unauthorized access to servers, computers and application programs.
o Risk of misuse by the IT department, by gaining back-end access to IT systems and making unauthorized changes.
o Risk related to outsourcing and loss of data integrity or leakages of information/funds/resources.
o Risk of undocumented IT applications, leading to sub-optimal or inappropriate usage.
o Risk of inadequate change management process, leading to uploading untested patches and modifications.
o Risk of ineffective review and monitoring, leading to errors, processing flaws, threats and unauthorized access remaining undetected.
Columns: Sr #, Parameters for Assessment of ITGC, Self-Assessment

   indicating the activities that need to be done in-house and those that may be outsourced.
   o Vendor KYC and due diligence policy.
   o Policy on access rights to outsourced vendors and control on data security.
   o Review of Service Level Agreements (SLA) at pre-defined periodicity.

3. Physical security and access to IT resources:
   o Physical control on access to IT servers and data rooms.
   o Safeguarding of IT hardware.
   o Custody and safekeeping of archived data and source code files.
   o Software license management.

4. Logical access controls:
   o Access rights allocation, approval and periodic review.
   o “Need to know” basis of access right allocations.
   o Log reports for detection of threats and penetration.
   o Blocking and de-blocking of access rights.
   o Password change policy.
   o Controls on sharing of passwords.

5. Data security:
   o Back-up policy.
   o Data archival and access policy.
   o Choice of media for data storage.
   o Firewalls for safety from unauthorized access.
   o Protection of data stored on third party servers and on the cloud.

6. Business Continuity and Disaster Recovery Plan:
   o Documented BCP/DRP
   o Testing of backups periodically
   o Communication of DRP to all employees
   o Identification of mission-critical IT activities for effective BCP/DRP

7. IT manuals and source code:
   o Availability of manuals for all IT applications and systems in use.
   o All modifications to IT systems duly updated in IT manuals.
   o For customized software, availability of source code for future modifications and for fixing bugs.

8. Change management process for modification to IT applications:
   o Tracking of IT change requests
   o Modifications only in test server.
   o User Acceptance Test and technical test for all changes prior to go live.
   o Process for ensuring seamless data processing pre and post changes to the software.

9. IT audit, log monitoring:
   o Periodic IT security management audits
   o Ongoing generation of log reports and effective review.
   o System-based alerts for all security threats and unauthorized access.

10. Review of IT controls of significant outsourced vendors:
   o For all significant outsourced activities, assessment of IT systems used and related controls implemented by the vendor e.g. outsourced payroll processing.
For a company to rely on the data processed by the IT system
and use the same for financial statements, it is necessary to
ensure that ITGC are adequate to ensure accuracy and integrity
of the data processed and reports generated using these
systems. Assessment of ITGC is also required to prevent frauds
and vulnerabilities arising out of unauthorized IT access. IT
systems directly interfacing with financial accounting system
need to be reviewed in greater detail as part of the process
reviews undertaken, as explained later.
o Employee initiated misreporting – due to targets or incentives/fear
o Management override or management fraud
2.6.4 Next, a detailed exercise is undertaken for identifying account
balances that meet the materiality considerations. The purpose
of this exercise is to identify the corresponding business
processes and map the related risks and internal controls to
confirm adequacy of internal controls.
Some residuary items may need to be individually dealt
with e.g. dividend, taxation, etc. or will be dealt with in
terms of “Financial Statement Closure Policy/Process”.
To summarize:
Determine percentage threshold for materiality
assessment
Step I:
Categorize financial transactions generally entered into by the
company into:
o Routine, repetitive transactions – purchase, sales, expense booking, payment processing, payroll, etc.
o Non-routine financial transactions – these are transactions that occur at uncertain intervals and are event based – e.g. issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, etc.
o Estimations – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation etc.
o Period Closure Entries – based on reconciliations, verifications, interest accounting, cut-off based accruals etc.
Step II:
Routine Transactions:
o Examples – purchase, sales, expense booking, payment processing, payroll, etc.
o These generally cover at least 60-70% of total transactions of the company and equivalent man-hours of the accounting personnel.
o These need to be covered by a process flow and narrative, and ideally well-established IT platform/s.
o These may also be subjected to internal audit and periodic MIS review.
o For each material category/significant process, ideally a Risk Control Matrix (RCM) needs to be prepared, focusing on only material risks.
o For an SME company, the analysis of routine transactions and materiality would result in identification of 5-6 processes for which RCMs would need to be prepared.
Step III:
Non-Routine Transactions:
o Examples – issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, declaration of dividends.
o For these, it may be very difficult, especially for SME & private companies, to have a documented process.
o For all such transactions, based on pre-defined monetary limit, the company may establish a maker-checker-approver process and document the same under “Policy/Process for processing of material non-routine transactions”.
o This will cover various categories of transactions and ensure that the quality of review will ensure accurate accounting, with due scrutiny and authorization at an appropriately senior level.
Step IV:
Estimations:
o Examples – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation.
o Estimations require exercise of judgement and hence, need to be based on proper working, rationale, policy and approval.
o A due process for basis of significant estimations and approval of the same needs to be documented.
o This area poses the highest risk of error and management override – there is a need for increased attention to this area, both, by the company and its auditors.
Step V:
Period closure transactions:
o Examples – entries based on reconciliations, physical verifications, interest accounting, cut-off based accruals, outstanding liabilities, pre-paid expenses, etc.
o These may be covered in the Financial Statement Closure Policy (FSCP).
o Trail to be maintained for establishing cut-offs may be specified.
o Authority matrix identifying the maker-checker-approver may be documented.
o Clear trail of year-end processing may be established from the first trial balance to final financial statements.
o For most SME & private companies, the FSCP and the related RCM may be the most relevant document in support of ICFR review and assurance.
[Figure summary]
o Routine transactions: Covers 60-70% of total transactions; 5-6 RCMs identified based on main processes
o Estimations: Based on judgement, material in nature; Policy for estimations + RCM
2.7 Component # 3 - Control Activities:
Columns: Policy Name, Brief Contents

(FSCP)
   statements. This policy should detail the information called from various functional heads, the manner of determining cut-offs, checklist for disclosures, etc.
   Specimen of FSCP is provided in Section 4 of this book.

Routine transactions – standard processing cycles
   The following standard processes may be documented:
   o Procurement (indent to pay)
   o Income Cycle (order to cash)
   o Employee costs and benefits (joining, termination, monthly processing and periodic allowances)
   o Expenses (order to payment)
   o Fixed assets (procurement, verification, retirement, depreciation)
   For all these processes, it would be ideal to document process flow diagrams with clear demarcation of controls, in addition to the process note.

Special transactions
   o Policy & process note for approving non-routine transactions
   o Policy and process note for approving accounting estimates

General
   o Organization chart
   o Delegation of Authority (DoA)
   o Anti-fraud policy
   o Code of conduct, ethics policy
   o IT policy
Columns: Control #, Control Description

C1: Availability of documented policy and process note
C2: Maker-checker control
C3: Segregation of duties
C4: Authorization control
C5: Verification of assets /documents
C6: Reconciliation of balances – bank balances, vendor & customer balances, investments, etc.
C7: 3-way matching of records – financial records, asset records and physical verification records (fixed assets, inventory, etc.)
C8: Review controls – month/year closure review, MIS review, budgetary review, etc.
C9: Third party balance confirmations
C10: Independent review by internal auditor, or other agencies
C11: System-based alerts and blocking
C12: Expert opinion (for determination of valuation, statutory liabilities, diminution/impairment, gratuity valuation etc.)
C13: Physical security controls – safe custody, security agencies, web-cameras for remote vigilance
C14: KYC and due diligence requirements
C15: Automation controls for validation, computation and data transfer
C16: ……
C17: ……
2.7.5 With respect to those risks for which controls have not been
clearly identified, maker-checker controls, with a senior level
authorization may provide sufficient control in most cases. To
this end, a comprehensive summary of all delegation of
authority and segregation of duties across functions may prove
helpful in demonstrating effective controls.
before the year-end may not be communicated by the Sales
head; receipt of a favorable order from Income Tax department
that warrants reversal of past provisions may not be
communicated by the Taxation manager to the Accounts
department.
2.8.5 This component does not call for any separate documentation
by the company; as all related documentation is included in the
RCMs and policy/process notes.
2.9.3 For private companies, the statement to be made in the
Directors’ Report does not require any specific mention about
the ‘operational effectiveness’ of controls; hence, as such, no
specific responsibility has been cast on the directors for the
testing of operational effectiveness.
SECTION 3: ROADMAP FOR THE AUDITORS OF A PRIVATE
COMPANY FOR AUDIT OF ICFR
3.1 Overview:
The reporting requirement on ICFR applies to financial
statements prepared under the Companies Act, 2013 and
hence, applies to annual financial statements and
consolidated financial statements; but not to any interim or
unaudited financial statements.
3.1.3 Some additional points that merit consideration for the auditor
in determining the audit approach are presented hereunder:
o The audit of ICFR needs to be customized based on the size of the company and complexity of its operations. For smaller companies or companies with less complex operations, the controls defined may be simpler and the documentation may be less structured and less detailed.
o Risk of Material Misstatements (RoMM) needs to be assessed keeping in mind the likely readers of the financial statements and the purpose for which the statements are likely to be used by the company. This is an important consideration for identification of material risks.
o The reporting by auditors and by directors on ICFR is independent of each other. Hence, the company and the auditors need to maintain their independent documentation to support their individual conclusions and opinions. The company and the auditors may follow different methodology for determining materiality and identifying material items – as long as the method followed by the company is reasonable, the same need not be objected to by the auditor.
o The auditor may use the documentation created by the company as a base (e.g. RCMs or ELC document), but is not justified in insisting that the same be in a specific format. The company may use formats that are easy for them to compile and sustain – the auditors may enhance this documentation based on their own requirements. E.g. specification of audit assertion as part of the RCM may be done by the auditors, but may not be done by the company. Also, the company may document ELC as a narrative, whereas the auditor may document the same as an Excel spreadsheet with several columns.
o The auditor’s review of adequacy and effectiveness of ICFR needs to be driven by the content of the internal control system and documentation adopted by the company and not merely by the formats used. However, the company needs to adopt a framework for designing and assessing its internal financial controls, as mentioned in Section 2 above.
o The auditor must give due consideration to the past experience of audit and other relevant evidence where the financial statements have been subjected to external scrutiny – if significant errors or irregularities have been identified, these need to be considered in the assessment of risks.
[Figure: four elements of the auditor's approach]
Engage: with the directors and senior management
Educate: all those who will drive ICFR within the company
Empathize: with the constraints of skills and documentation - provide easy tools to achieve compliance
Encourage: the company to achieve higher standards of governance and internal controls
3.2.2 Based on prior years’ audit experience, the auditor may be able
to help the company identify areas of control weaknesses,
giving the company management time to establish alternate
controls or strengthen existing controls in such areas.
Areas that have been error free in the past and do not pose a
serious risk of misstatement may be deferred for
documentation of policies and preparation of RCMs.
As part of the usual audit process adopted for audit of financial
statements, and as required by SA 315, auditors do carry out
an assessment of financial reporting risks and plan their audit
in a manner that areas with weak or inadequate controls are
checked more extensively.
It is expected that in case of many of the small and medium
sized companies, it may not be possible to place reliance on the
IT systems in the first year, as they may not be adequately
documented and tested. In such cases, the auditor may need to
consider alternate manual controls.
[Figure: four questions – Do the controls exist? Is the design effective? Are they operating effectively? Are the controls adequate and effective?]
Testing design effectiveness of controls is essentially
confirming that the controls, as indicated by the company, are
in existence and designed properly. E.g. one of the stated
controls is that a purchase invoice cannot be entered into the
IT system without entering a purchase order, duly approved by
the Head – Procurement. Here, the design effectiveness testing
would require a walkthrough of the IT system to check that the
system does not permit entering a purchase invoice without a
PO and that the IT system-based approval rights are available
only with the Head – Procurement. Testing design effectiveness
is best done at the time of review/documenting of controls by
means of process walkthrough and live testing of 1-2 sample
transactions.
In practical terms, for smaller companies, most of the key
controls will be exercised as part of the financial statement
closure process, i.e. after the year end when the finalization is
underway. In this case, can it be said that the controls were
effective as at the year-end?
paid – the fact that a customer has paid for the services billed
automatically implies that the services were rendered during
the year. Thus, for effective testing of this control, a sample
may be drawn from outstanding invoices.
[Figure: treatment of deficiencies]
Material Weakness: Qualify the ICFR report
Other weaknesses and deficiencies: Inform the CFO/CEO so that corrective action may be taken
The move to require audit reporting on ICFR is a move to align
the audit requirements with global practices, as a means of
improving investor confidence in not only the financial
statements, but also in the process adopted and controls
established for preparing financial statements.
Bribery Policy when their vendors and customers refused to do
business with them otherwise. So, if the auditors refuse to give
an unqualified opinion where controls are inadequate, the
community will respond by ensuring an adequate internal
controls system. Even better, if the auditors are able to drive
home the value proposition that ICFR holds for a company, they
may be able to encourage the company to embrace the ICFR
regulations as a business improvement tool. Creating such a
win-win situation will require some auditors with
extraordinary convincing skills and some companies with
extraordinary openness to change.
more box to tick, for some other auditors, this is an earning
opportunity, and for a handful of auditors, it is a stepping stone
to playing a catalyst’s role in shaping the way Corporate India
considers its financial reporting responsibility.
4. Making it easy – ready-to-use drafts and formats
ABC Private Limited
ICFR for the year ending 31st March, 2016
Entity Level Controls (ELC)
| Sr No | Attribute | Principle | Process Activity | Risk | Control Ref No. | Control Description | Audit Step |
|---|---|---|---|---|---|---|---|
| | | | | | | performance. Monthly reporting is done by Finance Manager to the Group CFO who in turn reports to BOD. | 3. Review budget variances, exceptional items to assess internal control gaps, if any. |
| 4 | Control Environment | Demonstrates commitment to integrity and ethical values | Board Oversight | Board of Director does not set the right tone at the top to encourage ethics and integrity. | C03 | Policies are framed by the Board w.r.t. ethical conduct, anti-bribery and corruption, anti-fraud. | 1. Verify minutes of Board meeting and Admin Manual/directions issued by the Board of Directors from time to time. 2. Review Appointment letter of an employee. |
| 5 | Control Environment | Holds individual accountable for the internal control responsibilities | Board Oversight | Board of Directors does not set the right tone at the top to encourage institution of controls and systems and ensure accountability for lapse of controls | C02 | Directions are given by the Board to encourage process-driven conduct, automation and effective monitoring across the organization. | Verify minutes of Board meeting and policies/directions issued by the Board of Directors from time to time. |
| 6 | Control Environment | Management establishes structure, authority and responsibility in pursuit of objectives | Delegation of Authority | Ambiguity in delegation of financial powers reduces the control over financial transactions and increases the risk of financial losses | C01 | 1. Financial powers in terms of signing/effecting banking transactions is with the Director. 2. Also, all the major contracts, agreements, Purchase Orders are signed/approved by the Directors. 3. All the major decisions are closely reviewed by the respective HODs at Group level before approval by the Director. | Confirm that authorization/approvals of Directors is in place, review Board resolution to define powers of Director |
| 7 | Control Environment | Demonstrates commitment to integrity and ethical values | Ethics & Integrity | Flawed performance incentive/compensation policy not in line with ethical tone and standards may increase the risk of compromise/non-compliance to ethical standards of conduct | C03, C19 | 1. Admin Manual gives a reference to ethical standards expected from employees. 2. Appointment Letter includes relevant clauses | 1. Verify Admin Manual to ensure all updations are included. 2. Verify Appointment Letter of employee |
| 8 | Control Environment | Demonstrates commitment to integrity and ethical values | Ethics & Integrity | If management does not take timely and appropriate disciplinary action, it would encourage non-adherence to established policies and procedures | C03 | Management takes disciplinary action for violations/non-adherence, in a timely and appropriate manner. | 1. Verify the mechanism for recording non-adherences/violations. 2. Verify the evidence of action being taken. |
| 9 | Control Environment | Demonstrates commitment to integrity and ethical values | Ethics & Integrity | Applicant screening procedures do not adequately consider integrity and ethical values | C05, C09 | 1. Adequate background verification is done for employees (Police Clearance, Experience letter, etc.) 2. Majority of office staff is hired through a placement agency which is selected by the management to ensure right person for the right job 3. Declarations are obtained from employees for non-disclosure and code of conduct adherence as a part of joining formalities | |
| 10 | Control Environment | Demonstrates commitment to attract, retain and develop competent individuals | Recruitment & Selection | Lack of adequate talent or mismatches in requirements and skill sets may severely impact achievement of objectives | C05, C06, C09 | 1. A rigorous recruitment and selection process is adopted to ensure selection of right employees for the right job. 2. Majority of office staff is hired through a placement agency which is selected by the management | 1. Confirm the no. of exits and the principal underlying reason/s. 2. Confirm that key positions are not left vacant for a long time. |
| 11 | Control Environment | Demonstrates commitment to attract, retain and develop competent individuals | Incentive | In absence of a proper work environment the company may have to deal with high attrition levels | C10, C12 | 1. Promotions are based on well-defined Performance Evaluation system. 2. Management ensures a very low attrition rate. | 1. Review the appraisal process for appropriateness and confirm that there is due process for redressal of appraisal related grievances. 2. Review attrition rate and related analysis |
| | | | | | | 2. Board meetings discuss internal audit reports - key findings. | |
| 13 | Control Environment | Demonstrates commitment to attract, retain and develop competent individuals | Training | Inadequate attention to training may result into skill dilution, lack of awareness about policies and regulatory requirements and inability to discharge assigned responsibilities. | C11 | 1. Training for regulatory and process changes is imparted on a timely basis as per either client's requirement or regulatory requirement 2. Training is identified and imparted as needed | Verify training process |
| 14 | Risk Assessment | Specifies objectives with clarity to identify and assess the risks | Risk Management Framework | Absence of enterprise-wide risk assessment and absence of documented risk management policy | C04 | Formal risk management policy is presented to the Board and approved by the Board of Directors. | Review the risk management policy adopted by the Company |
| 15 | Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Business Continuity Plan, Disaster Recovery Plan | Absence of BCP/DRP may lead to business interruptions and may jeopardize business continuity | C22, C23 | 1. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are in place. 2. Data recovery plan is established and operational. | 1. Review the BCP and DRP. 2. Review the data recovery plan. |
| | | | | | | 2. Compliance tracker is filled in at defined frequency and updated periodically for amendments. | |
| 17 | Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting | Improper channels to communicate the changes in business practices to the accounting department may affect the method or the process of recording the transactions in financial statements | C24 | Periodic departmental reviews are done wherein Finance team is also present; review covers discussions on changes in business practices affecting financial statements. | Review modification in processes, if any, by the accounts team |
| 18 | Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting | Risk of regulatory non-compliance and financial misstatements if suitable accounting principles, policies or rules not followed | C13, C15, C25 | 1. Management specifies financial reporting rules and standards which are consistent with accounting principles suitable and appropriate for the entity. 2. Reviews by/consultations with the Statutory Auditors as required by the regulation (annual review) or as considered necessary by the management, are done. 3. Internal audit coverage extends to compliance review and financial reporting review. | 1. Verify financial statements with adequate disclosures 2. Verify statutory auditor's report 3. Verify internal audit reports |
| 19 | Risk Assessment | Identifies and analyzes significant changes that could impact internal controls | Financial reporting | Non identification of changes in accounting principles or financial reporting requirements may lead to non-compliance and the financial statements will not show true and fair figures or may not include disclosures as required. | C13, C25 | 1. Defined and documented Financial Statement Closure Process is in place. 2. Periodic updates are received from professional consultants. | Review financial statements and all other relevant information. |
| 20 | Risk Assessment | Identifies risks to the achievement of objectives and analyzes risks to manage them | Financial reporting | Absence of an appropriate mechanism of related party transactions identification can lead to regulatory non-compliance and/or financial misstatements | C20, C26 | 1. Various compliances under different statutes in relation to transactions with related party (transfer pricing related compliance and return filing) are verified. 2. Board approval is taken for related party transaction | Verify Board noting and approval of related party transactions. |
| 21 | Risk Assessment | Assesses fraud risk to the achievement of objectives | IT Security | Company infrastructure and IT systems being used for fraudulent activities thereby affecting the reputation and increasing the legal risks attached | C14 | 1. Access is restricted to users who are either employees or authorized personnel. 2. Password and user id protected systems exist. 3. Deactivation of external storage devices on company PC's has been done. 4. Access to all public sites and domains is restricted. | 1. Review list of user-ids with access rights 2. Verify protocol for access to systems and policy highlighting security of user id and passwords |
| 22 | Risk Assessment | Identifies risks to the achievement of objectives and analyzes risks to manage them | Training | Changes in the procedure manual of a particular department without the knowledge of its employees leads to dilution of the impact of the changes implemented | C27 | Periodic review of process manual is done and updates are communicated to all employees concerned. | 1. Verify that the manuals are periodically reviewed. 2. Verify evidence of communication of changes to employees. |
| 23 | Control Activities | Selects and develops control activities to mitigate risks | Evaluation | Risk of recurrence of issues if not evaluated and policies/procedures not modified accordingly | C15 | Periodic internal audit is done by an external agency and changes made basis agreed actions. | Verify internal audit reports available, and record of resolution of agreed actions. |
| 24 | Control Activities | Selects and develops control activities to mitigate risks | Financial reporting | Risk of financial loss and/or financial misstatement in the absence of an established physical verification of assets mechanism | C16, C20 | 1. Physical verification of fixed assets, cash is done. 2. Third party and bank balance confirmations statements are taken. 3. Board discusses findings of physical verification of assets/discrepancy resolution | 1. Verify fixed asset verification report and check for periodicity (CARO, 2015) 2. Verify third party confirmations. 3. Verify records showing full particulars - quantitative details and situation of fixed assets (CARO, 2015) 4. Verify Board meeting minutes |
| 25 | Control Activities | Deploys control activities through policies and procedures | Payments and reimbursements | Absence of policies will lead to reimbursement/allowance of non agreed expenses to the employees or reimbursement of expenses over and above the set limit to the employees. | C03 | All financial policies relating to employees are in place along with defined level of approvals. | Verify remuneration structure for financial policies relating to employees. |
| 26 | Information & Communication | Communicates externally regarding matters affecting internal controls | External Communication | May result in reputational/financial/reporting risk due to erroneous communications to external parties/external reporting | C03 | 1. Clear identification of persons authorized to communicate with external parties on relevant company matters. 2. A formal social media policy is in place. | Verify the Admin Manual for communicating with external parties |
| 27 | Information & Communication | Communicates externally regarding matters affecting internal controls | External Communication | In the absence of clear communicating channels for external parties, employee/management malpractices may not come to light, may have a reputation risk with respect to third parties | C03, C18 | There are properly identified communication channels (email ids) for third parties under grievance mechanism, sexual harassment policy | Review grievance mechanism and sexual harassment policy |
| 28 | Information & Communication | Communicates internally, information including objectives and responsibilities of internal control | Internal Communication | Absence of clear communication on performance measures may lead to ambiguities and increase in attrition levels | C28 | Clear communication of the Key Result Areas in the evaluation process | Verify the communication for the KRAs |
| 29 | Information & Communication | Communicates internally, information including objectives and responsibilities of internal control | Management Oversight | Risk events, exceptional and unusual events remain unreported to the management and hence the risk management framework is not duly enhanced. | C07, C08, C29 | 1. Formal communication process established for escalating disruption to operations, occurrence of risk events and any material exceptional event. 2. Periodic MIS/dashboards, highlighting of all exceptions. 3. Board meeting, management review meeting discuss unusual events. | 1. Verify periodic MIS on sample basis 2. Verify management and Board meeting minutes |
| 30 | Monitoring | Evaluates and communicates deficiencies, to enable corrective actions being taken | Financial reporting | Inadequate process for obtaining third party confirmations to validate financial figures and to detect financial frauds. | C16 | 1. Third party confirmations obtained from banks, debtors, related parties 2. Web based review done to assess tax status, TDS status, regulatory compliance related numbers. | Verify confirmations obtained from counter parties and Government website (such as Income Tax) for reconciling statutory figures and other balances. |
| 31 | Monitoring | Conducts ongoing/separate evaluations to confirm that internal controls are functioning | Financial reporting | Absence of review of the financials by management | C07, C08 | Monthly MIS consisting of financial statements and other operations, reconciliations prepared by Finance Manager are reviewed and analyzed by Group CFO | Verify financial statements/reports, periodic MIS and reconciliations |
| 32 | Monitoring | Evaluates and communicates deficiencies, to enable corrective actions being taken | Grievance and dispute resolution mechanism | Inappropriate grievance processes may lead to delay in detection of frauds, misreporting of financial figures, need for provisioning due to disputes | C03 | Employee grievance policy (to resolve complaints and grievances) forms part of Admin Manual | Verify policy to resolve complaints and grievances, as stated in Admin Manual |
| 33 | Monitoring | Conducts ongoing/separate evaluations to confirm that internal controls are functioning | Management Oversight | Process gaps, errors and misstatements may not be identified by the management which may also lead to fraud or non-compliance due to absence of well-established risk and internal audit review system | C03, C07, C15 | 1. Internal audit function reports to Board of Director and highlights deficiencies observed. 2. Policies and processes are introduced and revised from time to time to plug identified gaps and controls lapses. | 1. Verify Internal Audit reports 2. Verify meeting minutes 3. Verify sample policies and process notes |
Note:
The above work-sheet can be enhanced with columns such as department, details with respect to
controls (whether key or non-key, whether control exists – yes or no, type of control – manual or
automated, nature of control – preventive, detective or both preventive and detective, control
frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and
when), document/evidence, deficiencies, remedial plan, reference to document and remarks.
4.2 IT General Controls – Specimen (refer paragraph 2.5.6)
ABC Private Limited
ICFR for the year ending 31st March, 2016
IT General Controls (ITGC)
| Sr. No. | Attribute | Activity Description | Identification of Risk of Material Misstatement ("What Could Go Wrong"): Risk Description | Control Ref Number | Control That Addresses Risk of Material Misstatement: Control Name |
|---|---|---|---|---|---|
| 1 | Risk Assessment | IT Policy | Intended IT related processes not followed due to absence of defined comprehensive IT policy document | ITGC 01 | A defined comprehensive IT policy document to provide various guidelines to work in the IT environment, is in place |
| 5 | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 02 | 1. For CMS - Users access rights are granted by IT only upon specific approval by the concerned functional head 2. For Tally - Users access rights are granted by IT only upon specific approval by the concerned functional head |
| 6 | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | System prompts the user to change the password after the expiration of 30 days. |
| 7 | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | Password must contain at least 7 characters, alpha numeric (alphabets, numbers and special characters). |
| 8 | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | If the password is wrongly entered continuously for 5 times within 30 minutes, the respective login id gets locked. |
| 9 | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | If a user is not accessing the system for more than specified time, the system gets automatically locked. |
| 10 | Control Environment | Identifies and analyses significant changes that could impact internal controls | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 10 | There exists a periodic review of the user profiles for systems access, to confirm appropriateness. |
| 11 | Information & Communication | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | Requests for creation of new user ids are received by the IT Executive on standardized form, duly signed by the respective HOD. |
| 12 | Information & Communication | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | 1. User termination, resignation is informed to IT Executive through email by HR. 2. User account is disabled immediately after receiving an email request. Before processing this request, IT archives the mail box of the user. |
| 15 | Control Environment | Identifies risks to the achievement of objectives and analyses risks to manage them | Servers and end users PCs are infected with virus | ITGC 05 | 1. Desktops: All the user desktops are installed with anti virus scanner, which scans the new files on an ongoing basis 2. Servers: All servers are installed with anti virus scanner. 3. Gateway: Mail server is managed and all the Emails are scanned by threat management gateway. |
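The ITGC 03 controls in the specimen above (password change after 30 days, lockout after 5 consecutive wrong entries within 30 minutes, disabling of a leaver's id on HR's email) can be tested for exceptions against system exports. The following is an added example, not part of the handbook: the record layouts, function names and sample data are constructed assumptions, while the thresholds are the ones stated in the specimen.

```python
"""Exception tests for the specimen ITGC 03 controls.

Record layouts and all sample data below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Thresholds quoted in the specimen ITGC table
MAX_PASSWORD_AGE = timedelta(days=30)    # password change prompted after 30 days
LOCKOUT_FAILURES = 5                     # 5 consecutive wrong entries ...
LOCKOUT_WINDOW = timedelta(minutes=30)   # ... within 30 minutes lock the login id


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def lockout_exceptions(events):
    """Users whose 5th consecutive failure inside the window was not followed by a lock.

    events: iterable of (user, timestamp, outcome); outcome is FAIL, SUCCESS or LOCKED.
    """
    history = {}
    for user, when, outcome in sorted(events, key=lambda e: e[1]):
        history.setdefault(user, []).append((when, outcome))
    flagged = []
    for user, rows in history.items():
        fails = []
        for i, (when, outcome) in enumerate(rows):
            if outcome != "FAIL":
                fails = []               # a success or a lock ends the consecutive run
                continue
            fails.append(when)
            recent = fails[-LOCKOUT_FAILURES:]
            if len(recent) == LOCKOUT_FAILURES and recent[-1] - recent[0] <= LOCKOUT_WINDOW:
                following = rows[i + 1][1] if i + 1 < len(rows) else None
                if following != "LOCKED":
                    flagged.append(user)
                    break
    return sorted(flagged)


def leaver_exceptions(leavers, accounts):
    """Leavers (user -> time HR emailed IT) whose id is still enabled or was used afterwards."""
    findings = {}
    for user, notified in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue                     # no id was ever created for this leaver
        if acct["disabled_at"] is None:
            findings[user] = "account still enabled"
        elif acct["last_login"] and acct["last_login"] > notified:
            findings[user] = "login after HR notification"
    return findings


def stale_password_exceptions(accounts):
    """Enabled ids that logged in after the 30-day expiry without a password change."""
    return sorted(
        user for user, a in accounts.items()
        if a["disabled_at"] is None and a["last_login"] is not None
        and a["last_login"] > a["password_changed"] + MAX_PASSWORD_AGE
    )


def account(changed, last_login, disabled=None):
    return {"password_changed": ts(changed), "last_login": ts(last_login),
            "disabled_at": ts(disabled) if disabled else None}


# ---- constructed sample exports -------------------------------------------
D = "2016-03-21 "
EVENTS = (
    [("asha", ts(D + t), "FAIL") for t in ("09:00", "09:02", "09:04", "09:06", "09:08")]
    + [("asha", ts(D + "09:09"), "LOCKED")]                       # control worked
    + [("ravi", ts(D + t), "FAIL")
       for t in ("10:00", "10:05", "10:10", "10:15", "10:20", "10:21")]
    + [("ravi", ts(D + "10:25"), "SUCCESS")]                      # never locked
    + [("meena", ts(D + t), "FAIL") for t in ("11:00", "11:12", "11:24", "11:36", "11:48")]
    + [("meena", ts(D + "11:50"), "SUCCESS")]                     # 48 min spread: no lock due
)
ACCOUNTS = {
    "asha": account("2016-03-01 09:00", "2016-03-20 09:10"),
    "ravi": account("2016-01-05 09:00", "2016-03-21 10:25"),
    "meena": account("2016-03-10 09:00", "2016-03-21 11:50"),
    "kiran": account("2016-02-25 09:00", "2016-03-09 18:00", "2016-03-10 17:30"),
    "suresh": account("2016-02-01 09:00", "2016-02-20 09:00"),
    "divya": account("2016-02-20 09:00", "2016-03-03 14:00", "2016-03-05 10:00"),
}
LEAVERS = {"kiran": ts("2016-03-10 17:00"), "suresh": ts("2016-02-15 12:00"),
           "divya": ts("2016-03-01 10:00")}

if __name__ == "__main__":
    print("Lockout exceptions:", lockout_exceptions(EVENTS))
    print("Leaver exceptions:", leaver_exceptions(LEAVERS, ACCOUNTS))
    print("Stale passwords:", stale_password_exceptions(ACCOUNTS))
```

Each reported exception is a sample to follow up with the IT Executive; an empty result supports, but does not by itself prove, operating effectiveness for the period covered by the exports.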
4.3 Specimen - Financial Statement Closure Policy and sample
checklists (refer paragraph 2.7.3)
ABC Pvt. Ltd.
1. OBJECTIVES:
- Provide guidance for the financial closure process leading to preparation of financial
  statements.
- Ensure adherence to applicable laws, regulations and disclosure requirements relevant to
  the financial reporting.
- Ensure completion of the financial closure efficiently and in a timely manner.
- Ensure adherence to the approval matrix laid out for the closure process.
- Retain and protect related documents, evidences and approval trails.
2. SCOPE:
| # | Particulars | Review Responsibility | Approval/ Authorization | Suggested Timeline |
|---|---|---|---|---|
| | templates. Knowledge update provided by the statutory auditors or other accounting/law firms from time to time may be reviewed and where appropriate, to be considered for updating respective checklist. The CFO is required to hold a formal meeting with the statutory auditors to confirm that all additional reporting requirements for the financial year have been duly identified by the company – if there has been a miss out, the same may be incorporated after review. | | | |
| 2. | System Environment: List all the systems from which data will flow into financial statements either directly or indirectly. Proposed changes/enhancements to the IT applications which have a bearing on the financial closure process or the financial statements need to be pre-approved by the Finance Department as per authority matrix. For any changes in the financial reporting requirements, Finance Department to review if the required information is available from the IT system and if not, initiate a request for configuring the IT system to ensure the availability of the requisite information. | Senior Person of A & F Dept. | CFO or equivalent position | By end December/ January |
| 3. | Pre-planning for Closure & Closure Activity for Operational Areas: Activity wise pre-planning checklist to be prepared as per Company’s defined SOPs, Policies and Business Requirements. A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – I. | As per Checklist | As per Checklist | For Pre-planning by end December/ January and For Closure at year end date and subsequent month |
| 4. | Process for Preparation of Financial Statements: A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – II. | As per Checklist | As per Checklist | As per defined timeline by the management for finalizing audited Financials |
| 5. | Process for Disclosure requirements: A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – III. | As per Checklist | As per Checklist | As per defined timeline by management for finalizing audited Financials |
| | The closure process will follow the approval matrix defined as per the SOP of Accounts & Finance department. If it is not defined then define the same for maker-checker control at various stages and documentation trail | | position | defined as part of SOP of A & F dept. or at the beginning of the year |
| 7. | Retention of Documents: All documents related to the financial closure process shall be retained in a safe manner. Clear naming protocols will be followed to ensure version control on financial statement drafts. Soft copies of the financial statements need to be stored in a folder, access rights to which have been approved by the Chief Financial Officer. Documents to be retained at least until the time required to comply with related regulations. | Senior Person of A & F Dept. | CFO or equivalent position | N.A. |
| 8. | Post Closure Process: Take printout of Final Trial balance. Keep printed copies of audited Financial Statements. Close the books of account for the Financial Year. Block the IT system for amendment in that financial year. Review opening balance in the subsequent period with audited financial statement. | Senior Person of A & F Dept. | CFO or equivalent position | Within 15 days of completion of Annual Accounts closure |
Annexure – I
ABC Pvt. Ltd.
Sample and Specimen Checklist for Activity wise Pre-planning & Closure
# Area Process Process Reviewer Proposed Proposed Status
Owner Start Date End Date
Necessary co-
ordinations to be made
with Internal / Statutory
auditors in case they are
to attend inventory
verification
Year-end transactions
for sales and purchases
to be meticulously
recorded keeping in
mind cut off procedures
affecting inventory
position
Plan for Inventory
verification to be
decided basis certain
methods suitable for
Company's inventory
such as:
1. ABC analysis
2. Analysis based on fast
/ slow moving items
3. Critical and non-
critical items
4. Form of inventory i.e.
size,
weight, state of matter
etc.
Confirmations to be
called from third party
holding company's
inventory (on
consignment basis, for
job work purposes etc.)
Value of inventory as
per books to be
compared with actual
value
Adjustments , if
required, to be made to
inventory value with
proper approvals
| 4 | Fixed Assets / Capitalization | FA register to be updated, finalized | | | | | |
| | | FA register to be compared with books of account | | | | | |
| | | Scrutinize the major repairs account to find out if any item of capital nature has been debited | | | | | |
| | | Capitalisation of expenses to the point of installations such as transportation, octroi, testing charges, training for operation of FA | | | | | |
| | | Review CWIP Account to review completion stage and capitalization if required | | | | | |
| | | Physical verification of Fixed Assets with proper internal controls such as verification by independent verifier, maker checker control on verification process, reporting of discrepancy, if any and appropriate accounting of the same | | | | | |
| | | Review of sale / scrap of assets, profits / loss on disposal of Assets | | | | | |
| | | Depreciation workings based on applicable accounting standards | | | | | |
| 5 | Investment | Accounting of accrued income based on year end investment | | | | | |
| | | Accounting of gains / losses on sale of investments | | | | | |
| | | Validation of investment balance with counter party statements | | | | | |
| | | Physical verification of investment instruments to ensure ownership of the same | | | | | |
| | | Revaluation of investments as per applicable accounting standards | | | | | |
| 6 | Income Booking | Circular to be sent to various branches / depots from where sales are effected to send information / data for dispatches made till cut-off date | | | | | |
| | | Ensure invoice booking for materials where ownership has been transferred to customers | | | | | |
| | | Ensure invoice booking / billing for services where provision of service is completed as per defined terms and conditions | | | | | |
| | | Accounting of pending Debit and credit notes (rejections / sales returns / disputed provision of services) | | | | | |
| 7 | Expense Booking | Circular to be sent to various branches / depots calling for all relevant details of expenses incurred within defined timeline after year end | | | | | |
| | | Advances paid for expenses to employees to be settled against reimbursable expenses | | | | | |
| | | Provision of expenses based on nature of expense i.e. time based or otherwise backed by actual supporting documents to be accounted | | | | | |
| | | Provision of expenses basis estimation - Company policy for estimation to be reviewed and adhered to | | | | | |
| | | Review accounting of prepaid expenses | | | | | |
| | | Review provisions / prepaid expenses of previous periods / years for their existence and continuity | | | | | |
| 8 | Debtors / Receivables | Debtors balances to be knocked off against money received but accounted in suspense / unexplained accounts | | | | | |
| | | Initiate communication for debtors confirmation | | | | | |
| | | Prepare reconciliation of differences in debtors balances and post adjustments with appropriate approvals | | | | | |
| | | Scrutinize debtors accounts and follow up with the sales / marketing team for status of long standing debtors | | | | | |
| | | Provide for doubtful debts / disputed debtors in consultation with marketing / legal dept. / Management | | | | | |
| 9 | Creditors / Payables | Initiate communication for creditors confirmation | | | | | |
| | | Prepare reconciliation of differences in creditors balances and post adjustments with appropriate approvals | | | | | |
| | | Scrutinize advance to creditors accounts and follow up with the procurement team for status of long standing advances | | | | | |
| | | Write back creditors balances which are not payable in consultation with procurement / legal dept. / Management | | | | | |
| 10 | Related Party Reconciliation | Obtaining account confirmation from all the related parties | | | | | |
| | | Prepare reconciliation of differences in balances and post adjustments with appropriate approvals | | | | | |
Annexure – II
ABC Pvt. Ltd.
Sample and Specimen Checklist for Preparation of Financial Statements
| # | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status |
Employee benefits information after validation
to the appointed actuary
| | | Actuarial valuation report to be referred for estimations provided by the auditee. | | | | | |
| | | Workings for provisions to be computed and validated by senior personnel | | | | | |
| | | Provisions for employee benefit to be recorded with appropriate approvals | | | | | |
working liabilities
| | | Co-ordinate with tax consultant and Statutory Auditors for validation of the same | | | | | |
| | | Incorporate changes suggested by consultant | | | | | |
| | | Record necessary entries for deferred tax assets / liabilities | | | | | |
| 12 | Preparation of Financial Statements as per prescribed formats | Extract trial balance from accounting system | | | | | |
| | | Save the same with date and time in soft | | | | | |
| | | Prepare appropriate groupings | | | | | |
| | | Validate all the excel formulas and linkages if financials are prepared in excel | | | | | |
| | | As per prescribed format classify respective assets and liabilities as current, non-current, short term, long term | | | | | |
| | | Take print out of financials prepared and revalidate again with base trial balance for accuracy | | | | | |
| | | Provide audit trail of revalidation on hard copy of financials | | | | | |
| 13 | Co-ordination with statutory auditors and get the audit done | Arrange for Stat audit, prepare information as per their prescribed format | | | | | |
| | | During Stat audit liaison with their team for smooth conduct of audit | | | | | |
| | | Formal meetings for discussion of queries / clarifications | | | | | |
| | | Passing of rectification JVs, if required in system | | | | | |
| 14 | Prepare revised Financial Statements | Repeat process given in step 12 | | | | | |
| | | Maintain version control and modification trail | | | | | |
| 15 | Grouping and regrouping of previous year’s figures | Detailed review of previous years grouping with current grouping and make necessary changes in the grouping of previous year | | | | | |
| 16 | Freeze the numbers after review of Statutory Auditors | Get the revised financials validated from Statutory Auditors | | | | | |
| 17 | Present the Provisional Financial statements to Management/Audit committee | To facilitate management to take certain decisions about managerial remuneration, proposed dividend | | | | | |
| 18 | Calculate Managerial remuneration if it is on % basis of profit/surplus | Prepare workings for managerial remuneration as per applicable rules and regulations and company policy | | | | | |
| 19 | Prepare Proposed dividend working | Proposed dividend working to be prepared based on the dividend proposed by Board of Directors | | | | | |
| | | Workings to be validated by senior personnel | | | | | |
| | | Entries to record proposed dividend to be passed in books of account | | | | | |
| 20 | Make necessary changes in the Financial Statements | Necessary changes to be validated by Statutory Auditors | | | | | |
Annexure – III
ABC Pvt. Ltd.
Sample and Specimen Checklist for Disclosure & Notes to Accounts
| # | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status |
appropriate authority
of the Company
| | | Arrange for signature on the Financial Statements by the Statutory Auditors | | | | | |
5. Glossary of abbreviations used:
6. Useful links and recommended reading: