
INTERNAL CONTROL OVER FINANCIAL REPORTING

(ICFR)
A HANDBOOK
FOR PRIVATE COMPANIES
AND
THEIR AUDITORS

An Initiative of the
Bombay Chartered Accountants’ Society
July 2016

PREFACE
The Companies Act, 2013 read with Companies (Accounts) Rules,
2014, requires all companies, irrespective of their size, ownership
pattern, governance structure or nature of business activity, to
comply with certain provisions related to Internal Financial Controls
(IFC) and/or Internal Controls over Financial Reporting (ICFR).

The governance requirements laid down for listed companies have
evolved over time and encompass several specific requirements
introduced over a span of 10-15 years, such as - composition of the
Board of Directors, the need for independent directors, establishment
of an Audit Committee, formal mandate and structure of the Audit
Committee, quarterly closures and financial disclosures, formal risk
management framework, CEO/CFO certification - and so forth. The
recent requirement relating to Internal Financial Controls (IFC) thus
is incremental in nature and in line with the past changes in
corporate governance norms, for these listed companies.

Unlike listed companies and certain large companies, most of the
smaller private companies do not have an elaborate management
structure comprising independent directors on the Board, a formal
Audit Committee or, in many cases, even a designated CEO or CFO.
The managements of these companies are not required to have a
formal risk management framework in place, where key risks faced
by the organization are identified and the internal controls for
mitigating these risks are documented with clear allocation of
responsibilities. In these companies, the business processes that have
evolved over time are most often not documented, in terms of
structured policies and Standard Operating Procedures (SOPs); and
even if documented, not updated from time to time. For such
companies, the ICFR requirements introduced by the Companies Act,
2013 are radical in nature, as these require a paradigm shift in the
manner in which internal controls are designed, documented,
implemented and evidenced.

For audit reports for the years ended 31st March 2016 onwards,
Statutory Auditors are also mandatorily required to comment on the
adequacy of internal financial controls system and the operating
effectiveness of such controls.

The ‘Guidance Note on Audit of Internal Financial Control Over
Financial Reporting’ released by the Institute of Chartered
Accountants of India (ICAI) in September 2015 (hereinafter referred
to as “the ICAI Guidance Note” or “the Guidance Note”) is a detailed
document explaining the regulatory framework and providing both,
technical guidance and implementation guidance for conducting such
an audit. This Guidance Note has been prepared for providing
guidance to the auditor and has proved to be of immense help in
carrying out the first set of ICFR audits, mainly of large and listed
companies, most of whom had the benefit of having formal
documented policies and processes, risk management framework
and a well-defined governance structure in place.

This handbook is intended for the next set of companies and their
auditors, who are required to cover the distance in a shorter time. It
is a humble attempt to guide such private companies and their
auditors in their endeavor to comply with the requirements of ICFR.
The objective of this book is to provide a simple and jargon-less
explanation of what is expected, what is required to be done and how
it can be done, in a manner that not only the form, but also the spirit
of the regulatory requirement is achieved, without incurring
disproportionate costs and without creating a complex structure of
policies and documentation that may not be sustainable.

- Nandita Parekh

Contents at a Glance

Section   Topic
1.    Overview – ICFR for Private Companies
1.1   Understanding IFC and ICFR
1.2   The Regulatory Framework in a Nutshell
1.3   So, What Has Really Changed?
2.    Roadmap for a Private Company for adopting an ICFR Framework
2.1   Need for a Framework
2.2   Proposed Framework
2.3   Understanding the components of internal control with
      specific reference to ICFR
2.4   Starting the ICFR project
2.5   Component # 1 - Control Environment
2.6   Component # 2 - Risk Assessment
2.7   Component # 3 - Control Activities
2.8   Component # 4 - Information System and Communication
2.9   Component # 5 - Monitoring of Controls
2.10  Concluding Remarks
3.    Roadmap for Auditors of Private Companies
3.1   Overview
3.2   Pre-audit Approach
3.3   Audit Approach
3.4   Audit Execution – Testing of Controls
3.5   Audit Conclusions and Audit Reporting
3.6   Call to action
4.    Making it easy – ready-to-use drafts and formats
4.1   Entity Level Controls – Specimen
4.2   IT General Controls - Specimen
4.3   Financial Statement Closure Policy - Specimen
5.    Glossary of abbreviations used
6.    Useful links and recommended reading

SECTION 1: OVERVIEW – ICFR FOR PRIVATE COMPANIES

1.1 Understanding IFC and ICFR:

1.1.1 Definitions:

Internal Control:
Standard on Auditing – SA 315 defines Internal Control as:
“The process designed, implemented and maintained by those
charged with governance, management and other personnel to
provide reasonable assurance about the achievement of an
entity’s objectives with regard to reliability of financial
reporting, effectiveness and efficiency of operations,
safeguarding of assets, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or
more of the components of internal control.”

Internal Financial Controls (IFC):

Internal financial controls (IFC) are defined in the
explanation to Section 134(5)(e) of the Companies Act, 2013
as “the policies and procedures adopted by the company for
ensuring the orderly and efficient conduct of its business,
including adherence to company’s policies, the safeguarding of
its assets, the prevention and detection of frauds and errors, the
accuracy and completeness of the accounting records, and the
timely preparation of reliable financial information.”

Internal Controls over Financial Reporting (ICFR):

The ICAI Guidance Note has adopted the definition of ICFR as
given in the Auditing Standard 5 (AS 5) issued by the Public
Company Accounting Oversight Board (PCAOB), USA, which is
as follows:

ICFR shall mean:

“A process designed by, or under the supervision of, the
company’s principal executive and principal financial officers, or
persons performing similar functions, and effected by the
company’s board of directors, management and other personnel,
to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements
for external purposes in accordance with generally accepted
accounting principles. A company’s internal financial control
over financial reporting includes those policies and procedures
that:
(i) pertain to the maintenance of records that, in reasonable
detail, accurately and fairly reflect the transactions and
dispositions of the assets of the company;
(ii) provide reasonable assurance that transactions are recorded
as necessary to permit preparation of financial statements in
accordance with generally accepted accounting principles,
and that receipts and expenditures of the company are being
made only in accordance with authorisations of management
and directors of the company; and
(iii) provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or
disposition of the company's assets that could have a
material effect on the financial statements.”

1.1.2 ICFR and IFC - Simply Stated:

ICFR comprises:
- Transaction level controls (controls on maintenance of
  financial books);
- Annual/period closure and finalization controls (controls on
  preparation of financial statements);
- Controls over unauthorized or fraudulent access to, or use of,
  the company's assets; and
- Authorization controls over financial flows of receipts and
  payments.

ICFR is a subset of IFC: IFC covers operational controls and
anti-fraud controls in addition to ICFR.

Thus, IFC as a concept is much wider than ICFR. ICFR
comprises controls that provide reasonable assurance that
financial statements are free of material misstatement. IFC, in
addition, covers controls that ensure orderly and efficient
conduct of business, controls for safeguarding assets, controls
that ensure compliance with company’s policies and
prevent/detect frauds and errors.

To give an example, Safe Traders Pvt. Ltd. (STPL) is a company
that deals in goods that are highly combustible. The fire
extinguishers in the company’s warehouse are not in a working
condition. This is a failure of IFC, as the operations of the
company are not being conducted efficiently and this could
pose a material risk, including potential financial loss to the
company. However, this failure does not have a direct impact
on ICFR, as long as STPL has a process for:
- Verifying inventory at year-end and ensuring that only
  the inventory that actually existed at year-end is
  considered for financial reporting.
- Reporting and accounting for a loss by fire in a timely
  and accurate manner.
As can be seen, in ICFR, the company and its auditors are
concerned with all those controls, the failure of which exposes
the financial reporting to a risk of material misstatement – they
are not concerned with controls that create a risk of business
loss, non-financial fraud in terms of information leakage,
non-adherence to quality control checks etc., all of which would be a
subject matter of IFC.

For private companies, the present regulatory
requirement for reporting by the Board as well as the
auditors is restricted to ICFR. Hence, in the rest of this
book, the discussion will be restricted to ICFR.

1.2 The Regulatory Framework in a Nutshell:

1.2.1 Maintenance of Financial Books and Preparation of
Financial Statements:

Sections 128 and 129 of the Companies Act, 2013 require all
companies to maintain books of account and prepare financial
statements in a manner that they give a true and fair view of
the state of affairs of the Company. This requirement was there
also in the earlier Act of 1956. So, a company’s responsibility
for maintenance of financial records and preparation of
financial statements is an age-old requirement.

The responsibility for maintenance of financial books and
records and preparation of financial statements has been
assigned to the Board of Directors, who in turn may delegate
this responsibility to the managing director, the whole-time
director in charge of finance, the Chief Financial Officer or any
other person of a company charged by the Board with the duty
of complying with the provisions of these sections. If no such
delegation is done, then all the directors are responsible for the
same.

In many small companies, the practice actually followed is
that the Accounts & Finance Department compiles records
up to the trial balance and hands over the same to the
statutory auditors and the auditors then prepare the
financial statements and draft all the notes to accounts and
disclosures. This practice blurs the division of role between
the Company and its auditors and creates, on one hand, an
unhealthy dependence on the auditors by the Company and on
the other hand, a conflict in the professional relationship of the
statutory auditors with the shareholders of the Company.

This practice needs to stop and companies need to take full
responsibility for preparation of financial statements, with
all due disclosures and which are fully compliant with
accounting standards.

1.2.2 Ensuring adequate Internal Controls over Financial
Reporting (ICFR) – Whose Responsibility?

Having established that the maintenance of financial books and
records and preparation of financial statements is the
responsibility of the Company management, we now move to
the next question – “Is ensuring adequate internal controls
over financial reporting also the responsibility of the
Company?” This question needs to be answered at three
levels:
a) With reference to the Companies Act and Rules
b) From a logical and common sense point of view and
c) From the perspective of risk management

a) With reference to Companies Act and Rules:

The Companies Act, 2013, vide section 134(5)(e)
specifically requires that:

“(5) The Directors’ Responsibility Statement referred to in
clause (c) of sub-section (3) shall state that—
…… (e) the directors, in the case of a listed company, had
laid down internal financial controls to be followed by the
company and that such internal financial controls are
adequate and were operating effectively.”

As seen, the requirement for listed companies has been
spelt out clearly in the section above.

What about private companies then?

For private companies, there is no specific section of the
Companies Act, 2013 that specifies such a requirement.
The requirement comes indirectly through Companies
(Accounts) Rules, 2014 – more specifically, Rule
8(5)(viii) reproduced herein below for easy reference:

“Rule 8. (5) In addition to the information and details in
sub-rule (4), the report of the Board shall also contain –
….(viii) the details in respect of adequacy on internal
financial controls with reference to the Financial
Statements”

This requirement applies to every company – listed,
unlisted, private, public, and even one-person
company. This indirectly makes the Board of Directors
accountable for ensuring the adequacy of internal
financial controls with reference to financial statements.

This is similar to an earlier requirement in CARO, 2003
where the auditors of certain companies were required
to report on “whether the company has an internal audit
system commensurate with its size and nature of its
business”; while the Companies Act, 1956 was silent on
the requirement for internal audit, the reporting
requirement by the auditors indirectly led to the
presumption that such companies were expected to have
a formal internal audit system and an adverse remark by
the auditors would require the Board of Directors to
provide an explanation. Thus, the accountability of the
directors was indirectly set/ presumed.

Similarly, in the present case, by requiring all companies,
in the Board’s Report to the shareholders, to include a
statement about the adequacy of internal financial
controls over financial reporting, the responsibility for
ensuring adequacy of such controls has been identified to
be that of the Board.

b) From a logical and common sense point of view:

From the inception of the Companies Act, 1956, directors
have been signing the financial statements of a company.
The Annual Report, comprising the financial
statements, the Board of Directors’ Report and Auditors’
Report, forms the most significant communication
between the Board of Directors and the
shareholders/owners of the company on an annual basis.
This being the case, one can logically conclude that
directors assume the primary responsibility to ensure
the truth and fairness, the accuracy and appropriateness
of the financial statements.

For small companies, where the owners and the
management are the same, and where there are few
employees with centralized operations of a small
quantum, it may be possible for the directors to present
financial statements that are true and fair and fully
compliant in terms of disclosure requirements and
accounting standards, without the need for elaborate
processes, sophisticated IT systems or a detailed analysis
of risks and controls.

As companies grow in size, the only way for the directors
to reasonably ensure that the financial statements are
free from material errors and misstatements is by
establishing processes and controls that counter the risks
effectively and to employ/appoint adequately competent
people to discharge the responsibility on behalf of the
Board.

c) From the perspective of risk management:

Section 134(3)(n) of the Companies Act, 2013 lays down
the responsibility of Board of Directors with reference to
risk management; the same is reproduced hereunder:

“There shall be attached to statements laid before a
company in general meeting, a report by its Board of
Directors, which shall include—
….(n) a statement indicating development and
implementation of a risk management policy for the
company including identification therein of elements of
risk, if any, which in the opinion of the Board may
threaten the existence of the company;….”

The directors are thus required to ensure that the
company has designed and implemented a risk
management policy for the company. It is expected that
one of the key risks that is addressed through the risk
management policy is the financial reporting risk or, in
other words, the risk of material misstatements in
financial statements and financial reporting.

The Directors’ Report of all companies provides a
statement on the risk management framework/policy
adopted by the company; however it is a known fact that
for a large number of companies, this statement is not
backed by a documented risk management policy or a
framework that has actually been implemented with the
involvement of the management. The companies and
their directors need to take a hard look at how they
establish, implement and document a risk management
framework for the company in general and with
reference to ‘financial reporting risk’ in particular.

Thus, whether one takes a regulatory stand-point or a logical
view, or a risk management perspective, it is amply clear that
the directors take primary responsibility for presenting annual
financial statements that are free from material misstatements.
This would, in itself, require them to institute risk management
processes and internal controls appropriate to the size of the
company, and the nature of its operations. They may discharge
this responsibility themselves or through effective delegation.

1.2.3 The Auditor’s Responsibility and Reporting Requirement:

The auditor’s responsibility with respect to IFC/ICFR stems
from section 143(3)(i) that requires the auditor’s report to
state whether the company has adequate internal financial
controls system in place and the operating effectiveness of such
controls.

To be able to make such a statement, the auditor would need to
obtain reasonable assurance to state whether an adequate
internal financial control system was maintained and whether
such controls were operating effectively as far as financial
reporting is concerned.

The ICAI Guidance Note makes it clear that the auditor’s
responsibility with internal financial controls extends only
with respect to financial reporting. Further, the Companies
(Amendment) Bill, 2016 contains a provision to modify section
143(3)(i), by replacing the words “internal financial controls
system” with the words “internal financial controls with
reference to financial statements”.

1.2.4 A Summary of Relevant Sections and Rules:

The specific sections of Companies Act, 2013 and rules forming
part of Companies (Accounts) Rules, 2014 that fix the
responsibility with respect to IFC/ICFR are summarized
hereunder:

Section and Rule Reference – Brief Description and Applicability

Section 128 – Books of account, etc., to be kept by the
company:
A company is required to prepare and maintain books, papers
and financial statements so as to give a true and fair view of
the state of affairs.

Section 129 – Financial Statements:
The financial statements shall give a true and fair view of the
state of affairs of the company or companies, comply with the
accounting standards notified under section 133 and shall be in
the form or forms as may be provided for different class or
classes of companies in Schedule III.
At every annual general meeting of a company, the Board of
Directors of the company shall lay before such meeting the
financial statements for the financial year.

Section 134(3)(n) – Financial statement, Board’s report, etc.:
Statements laid before a company in general meeting to include
a report by its Board of Directors, which shall include—
“….(n) a statement indicating development and implementation
of a risk management policy for the company including
identification therein of elements of risk, if any, which in
the opinion of the Board may threaten the existence of the
company;….”

Section 134(5)(e) – Financial statement, Board’s report, etc. –
Directors’ Responsibility Statement:
“(e) the directors, in the case of a listed company, had laid
down internal financial controls to be followed by the company
and that such internal financial controls are adequate and were
operating effectively.”
This is applicable only to listed companies.

Rule 8(5)(viii) – Matters to be included in Board’s report:
The report of the Board, in addition to all other details, to
also contain the details in respect of the adequacy of internal
financial controls with reference to the financial statements.
This Rule, applicable to all companies, has extended the
responsibility of reporting on ICFR to all unlisted companies –
whether one person company, private or public.

Section 143(3)(i) – Powers and duties of auditors and auditing
standards:
This sub-section requires the Auditor’s Report to state, among
other things, “whether the company has adequate internal
financial controls system in place and the operating
effectiveness of such controls”.

Companies (Amendment) Bill, 2016 – modification to section
143(3)(i) – Powers and duties of auditors and auditing
standards:
Contains a provision to modify Section 143(3)(i) by replacing
the words “internal financial controls system” with “internal
financial controls with reference to financial statements”.

Section 177(4)(vii) – Audit Committee:
The terms of reference of Audit Committee to include evaluation
of internal financial controls and risk management systems.
This is applicable to those listed and specified public
companies that are required to form an Audit Committee. This
section is not applicable to private companies, as there is no
regulatory requirement to form an Audit Committee for a private
company.

Schedule IV(II)(4) – Code for independent directors:
Independent directors are required to satisfy themselves that
financial control and the systems of risk management are robust
and defensible.
This requirement is applicable to companies that are required
to appoint independent directors. As private companies are not
required to do so, this requirement does not apply to a private
limited company.

1.3 So, What Has Really Changed?

This can be explained by a small story.

There was a busy road that was prone to accidents, as cars, 2-
wheelers and pedestrians kept driving and walking around in
an undisciplined manner. Seeing this, the traffic police and the
local authorities created a zebra crossing for the pedestrians, a
separate 2-wheeler lane and installed a traffic signal. Now it
was for the pedestrians and vehicle drivers to operate within
this framework to ensure each other’s safety and to discharge
their responsibility for the maintenance of a risk-free
environment.

After some time, as the accidents continued to occur, a traffic
policeman was posted at the signal. To his utter horror, he found
that the signal was being ignored by most, the pedestrians had
taken over the 2-wheeler lane, the side-walk was encroached
upon by peddlers and the risk of accident had in fact increased
for the stray pedestrians who actually walked believing that
everyone else would follow the rules! He immediately started
catching those who were not following the rules and started
issuing notices/levying fines. At this, everyone – the
pedestrians, the peddlers and the vehicle drivers – were up in
arms, saying there was not enough notice given before the
traffic cop showed up.

The traffic cop was unmoved. He simply stated that there had
been enough advance notice given, that following the traffic
rules was in the interest of the various concerned groups and if
anyone wanted to avoid the fines, all they had to do was to start
following the rules!

Now, let’s fast forward and relate this to ICFR:

- Directors are responsible for maintenance of financial
  records and preparation of financial statements that are
  true and fair and free of material misstatements;
- For all companies that have grown over time, that
  operate from multiple locations, or have complex
  financial transactions, or deal in multiple lines of
  business, or have entered into many outsourcing
  arrangements with delegation of key financial processes,
  etc. - there is a need to define adequate processes and
  controls to ensure that the financial statements are not
  compromised;
- If the company has implemented an elaborate IT system,
  the company ought to have defined access rights,
  authorization controls and created a set of protocols to
  ensure that the IT system based controls are robust and
  do not dilute the quality of financial records or reporting;
- Auditors are required to perform an evaluation of
  internal controls as per Standard on Auditing (SA) 315,
  “Identifying and Assessing the Risks of Material
  Misstatement Through Understanding the Entity and Its
  Environment”;
- The auditors are required to plan the audit based on
  evaluation of internal controls and the extent of reliance
  that can be placed on such controls. Accordingly,
  auditors, at the time of planning the audit, ought to have
  documented the results of their evaluation of internal
  controls;
- Now, the regulatory requirement has changed wherein:
  o the Board, in its report to shareholders, is required
    to state the adequacy of ICFR and
  o the auditors are required to express an opinion on
    the adequacy of ICFR and its effectiveness

With this, suddenly, companies and their auditors have
started feeling the pain and the pressure, because neither
had paid keen attention to the rules and the expected
conduct till now.

The self-regulated traffic signal is now manned by a traffic
cop, namely, the “ICFR reporting requirements” under the
Companies Act, 2013 and the subsequent likely scrutiny by
regulators…… and suddenly, some companies and some
auditors are realizing that perhaps they were lax in observing
the traffic rules earlier!!

The scene is not much different from the traffic cop showing up
on that busy road. The task on hand appears tougher than it is
intended to be, perhaps because neither the company, nor
maybe the auditors have performed their evaluations and
analyses in a manner that could stand up to an independent
review/ scrutiny.

To sum up, the principal change is that the auditor is now
required to comment on the adequacy of internal controls over
financial reporting (ICFR) and its operational effectiveness. For
the auditor to express this opinion, it is necessary for him/her
to understand the policies and processes adopted by the
company, to obtain evidence in support and to perform testing
for confirming operational effectiveness of such controls.

This, in turn, will require the management of companies to
provide the necessary details and documentation to evidence
that they have designed and implemented controls to ensure
robustness of financial reporting. This will also require the
companies to first identify the risks of material misstatement of
financial statements and then map controls for each such
identified risk.

And therein lies the challenge – it is no longer enough for a
company to have sound internal controls over financial
reporting, it is equally necessary that they are able to
demonstrate the controls. Similarly, it is no longer enough for
the auditors to modify their audit plan based on their
assessment of internal controls, it is essential for them to
evaluate whether these controls are adequate and operational
to be able to give an opinion on ICFR.

In the chapters that follow, a step-by-step guide is provided for
companies to roll out and consolidate the framework for ICFR;
followed by a methodology for the auditors to assess the
existence, adequacy and effectiveness of ICFR.

SECTION 2: ROADMAP FOR A PRIVATE COMPANY FOR
ADOPTING AN ICFR FRAMEWORK

2.1 Need for a Framework:

Any assurance or diagnostic activity requires a set of
benchmarks based on which the assessment is done to arrive at
a conclusion.

For all quality control assessments, there is a set of
benchmarks that the production facility and the product is
required to meet before giving quality assurance. Similarly, in
the medical field, before diagnosing a medical condition, a set
of parameters are tested and based on the combined results, an
indicative diagnosis is arrived at.

The same is applicable to ICFR - for the directors to make a
statement that the internal financial controls with reference to
financial statements are adequate, they would need to use
certain benchmarks against which the internal control system
adopted by the company would be evaluated. The set of
benchmarks collectively are referred to as the ‘framework’.

Without a structure or a framework, the entire exercise of
assessing internal controls may remain ad hoc and subjective
and may not give the desired level of confidence. Further, if the
internal control system is found inadequate, the framework
would provide a clear identification of the area where the
system does not meet the adequacy test, thereby highlighting
the specific areas for improvement and strengthening of the
controls. Hence, a company needs to adopt a framework for
designing and implementing its system of internal controls
over financial reporting.

A different way of visualizing a framework is to compare it
with a map. A map provides an efficient way of reaching one’s
destination – a good map, like Google Maps, shows the
alternate ways, the fastest way, the road that may have costs
attached (tolls) and the road that may be congested at a given
point of time. Now, it is possible to reach one’s destination
without a guiding map, but that may entail detours, time loss,
unexpected costs, placing reliance on the directions indicated
by others…. and above all, a high risk of not making it to the
destination. Similarly, a framework for internal controls
provides a map – an efficient and planned way of achieving a
desired state of internal controls over financial reporting
(ICFR).

Should anything more be said about the need for a framework?

2.2 Proposed Framework:

The directors of all unlisted companies are required to state, in
their Directors’ Report, “details in respect of adequacy of
internal financial controls with reference to the financial
statements”, i.e. adequacy of ICFR.

The adequacy of ICFR is best assessed with reference to a
framework or a benchmark standard. The next question for the
directors is – which framework to adopt?

The company and its directors are free to choose a framework
that is appropriate for their company; no mandatory format
has been prescribed by any regulations, as such, for companies.

One of the most common frameworks adopted for
establishment and assessment of internal controls is the 5-
component framework detailed in SA 315, “Identifying and
Assessing the Risks of Material Misstatement Through
Understanding the Entity and Its Environment”. This
framework has also been endorsed by the ICAI Guidance Note.
The said Guidance Note states that:
“In general, a system of internal controls to be considered
adequate should include the following five components:
 Control Environment
 Risk Assessment
 Control Activities
 Information System and Communication
 Monitoring”

This 5-component framework is by far the most frequently
used framework globally for designing and reviewing internal
controls. Also, the ICAI Guidance Note, read with SA 315,
provides ample guidance, ready to use formats and detailed
explanations that can be used by the company for the
development of its ICFR framework. Hence, it is advisable for
companies to adopt this 5-component framework for
establishing and evaluating ICFR, which can then be used by
the auditors for their review – this would optimize efforts at
every level.

2.3 Understanding the components of internal control with specific reference to ICFR:

2.3.1 Components explained through an example:

A clear understanding of each of the five components is essential for those responsible for designing and operating ICFR.

Let us start with an example: A company is concerned about the health of its employees and is thus interested in ensuring preventive healthcare of its employees. To this end, it requires each employee to undertake an annual health check-up at a nearby hospital.

When an employee goes for his/her routine annual medical examination, the following process is adopted by the hospital:

i. General profile:
First, a general profile of the individual is taken in terms of gender, age, past history, hospitalization in the past 5 years, surgeries undertaken, illnesses, medical history of the parents/blood relations, exercise routine, smoking/alcohol habits etc. Also, a certain set of general tests such as CBC, chest x-ray, blood pressure, etc. is prescribed to all.

This corresponds to the 1st component - “Control Environment”.

ii. Identification of potential risks:
Based on age profile, family history, living conditions and lifestyle assessment, some general medical risks are identified. E.g. for someone who has a very demanding work schedule, stress-induced disease is identified as a risk, and for someone with a family history of diabetes, risk of diabetes and related conditions is identified as a risk.

This corresponds to the 2nd component – “Risk Assessment”.

iii. Further testing and medical advice based on identified risks:
Based on the risk profile, a further set of tests is prescribed. E.g., for persons with a family history of cardiac problems, an ECG and stress test may be advised. The company’s Medical Officer then decides which further tests are required and, based on the approval, these tests are conducted.

The test results are examined to check if any of the feared risks have shown up as an actual medical condition.

Based on the results of all the tests and an assessment of general profile and lifestyle, the doctor prescribes/recommends:
a. Certain corrective medication and activities, e.g. for an obese person, a serious exercise routine would be prescribed.
b. Certain preventive medication and activities – e.g. for a woman over 50, the doctor may advise taking calcium supplements.
c. Certain general advice on lifestyle, e.g. blinking of eyes every 5 minutes when there is extended computer usage.
d. Recommendation for certain further testing or specialist intervention, e.g., if moderate loss of eyesight is detected, the need to examine eye-pressure and test the retina may be identified and recommended.

This corresponds to the 3rd component – “Control Activities”.

iv. Creating awareness and communication of findings:
The annual medical examination ends with the hospital handing over to the patient a health summary, accompanied by all the test reports and prescriptions, duly signed by the attending physician. The findings are shared with the company, giving due respect to privacy and confidentiality norms.

Also, the Medical Officer of the company is required to give a brief report to the management about the general health of the employees and changes in trends observed, if any.

The company, in association with the hospital, creates awareness to ensure good health by sending out periodic updates on developments in the medical field that are of general interest to the company’s employees.

All this helps the management of the company to conclude on the general health of its employees and whether the pro-active steps taken by the company are effective in improving the health standards.

This corresponds to the 4th component – “Information System and Communication”.

v. Periodic Monitoring:
The company takes steps to confirm that the annual health check-ups have been completed for all employees during the year. Further, for certain key employees or those at higher risk, the company adopts a more involved plan for regular monitoring of the parameters at a greater frequency.

This corresponds to the 5th component – “Monitoring”.

This easy-to-understand example explains the role of each component of internal controls.

2.3.2 Internal control components explained in the context of ICFR:

The objective set by the company is “to establish and implement a system of internal controls such that it provides reasonable assurance that the financial statements prepared by the company are free from material misstatements.” A supplementary objective is also to test the adequacy and operating effectiveness of these internal controls periodically.

Using the 5-component framework for ICFR, the company may start with examining the control environment, and then move to the next component and the next one. Readers are advised to refer to SA 315 for a detailed explanation of each of the five components.

A brief overview of each of the components in the context of ICFR is given hereunder:

Control Environment:

Control environment refers to the tone set at the top by the senior management/owners of the company. With reference to ICFR, the control environment refers to the organization-wide values, policies and protocols that create an environment conducive to accurate, fair and transparent financial reporting. The control environment encompasses the direction given by the management for eliciting ethical behavior, ensuring competency, emphasizing structured processes and automation to reduce errors and control lapses, instituting audit and quality control processes, ensuring management deliberations on key issues relating to financial reporting, etc.

Risk Assessment:

Risk assessment with reference to ICFR refers to the process adopted by the company to identify the Risk of Material Misstatements (RoMM) in financial statements. This component calls for a structured analysis of potential risks of misstatements, at two levels:
• Financial statement level
• Account balance and transaction type level

Risk assessment for ICFR needs to be conducted by persons competent to understand the financial reporting process, the disclosure requirements, the vulnerabilities to fraud, the temptations for misstatement at employee and/or management levels, etc. The risk assessment needs to be done keeping in view the known stakeholders and expected readers of the financial statements.

Control Activities:

Control activities with reference to ICFR refer to all the policies, processes and practices designed and applied by an organization for mitigating its RoMM to an acceptable level. Control activities are embedded in the daily processes (e.g. a bill is accounted only after authorization), or introduced as periodic activities (reconciliations or verifications or budgetary reviews) or as an annual exercise (financial closure related controls). Controls may be automated or manual and may be preventive or detective.

For an effective ICFR framework, one starts with RoMM and maps the controls to each identified risk with a view to concluding that the controls exist and are adequate to address the risks.

Periodic testing is required to be done to establish the operational effectiveness of controls, i.e. to conclude whether the controls operate effectively.

Information System and Communication:

In the context of ICFR, this component refers to multiple types of information flows and communication channels:

First, the entire flow of information from the occurrence or non-occurrence of all relevant events or transactions, its flow into the accounting system and ultimately into financial statements, to ensure that the financial statements are complete, accurate and present a true and fair view.

Second, the flow of relevant information, including regulatory developments, to those charged with governance and/or those responsible for selection of accounting policies, finalizing accounting treatment and making financial estimates, to ensure transparency and fairness in financial reporting.

Third, the communication of financial statements from the company to the owners and other stakeholders, including regulators.

The presentation of financial statements free from any material misstatement necessitates that all these information and communication channels are operating effectively.

Monitoring (of Controls):

This component entails the processes established by the management to ensure that controls as designed are operating effectively and that lapses are identified and remedied in a timely manner.

The monitoring activities may be carried out by introducing Control Self-Assessment (CSA), where each process owner periodically tests the process controls, or by an independent review by the internal auditors, quality auditors or management representatives, or by periodic management reviews.

Now that we have understood the need for a framework and examined the relevance of each of the components, it is time to apply all this knowledge to create a practical and sustainable framework for ICFR.

For this, the steps to be taken to start the ICFR Project and then to be taken under each component are explained in sections 2.4 to 2.10 below, with certain ready-to-use templates.

2.4 Starting the ICFR Project:

2.4.1 A company would be required to consider the ICFR exercise as a project initially, and thereafter integrate the ICFR review as an ongoing company process/activity.

The following steps may be considered to start with:

a) The Board of Directors (BoD) should formally acknowledge their responsibility for establishing Internal Controls over Financial Reporting. This may be recorded in the Board Minutes.
b) If the BoD has delegated the responsibility for ensuring ICFR to one or more of the directors or officers of the company, then such delegation may also be formally recorded, ideally as a Board Resolution. It may be noted that private companies are not required to have an Audit Committee by law – however, they can voluntarily constitute an Audit Committee or its equivalent, to provide guidance in matters of internal audit, financial reporting and ICFR.
c) It is advisable to designate a senior employee or a whole-time director with requisite understanding of financial reporting and the company’s way of functioning, to champion the ICFR initiative. This role is generally played by the CFO, Chief Internal Auditor, Company Secretary/Compliance Officer or Finance Director. This role may also be played by an external advisor, other than the statutory auditors. If the company has outsourced its internal audit function, then the outsourced firm of internal auditors may be appointed to assist the company in design and documentation of ICFR.
d) Since the statutory auditors are required to review the ICFR framework for the purpose of ICFR audit, they cannot be involved in designing the framework (either directly or through any other entity within their network) – else, they will find themselves in conflict when it comes to expressing their opinion based on review of the ICFR framework.
e) The ICFR Champion needs to be supported by requisite team members – ideally, the team members may be freed up from their day-to-day responsibilities to focus exclusively on the ICFR project – alternatively, support may be sought from external agencies/advisors.
f) The quality of the ICFR framework will be directly related to the importance and commitment displayed by the directors throughout the ICFR Project and thereafter. Considering that this is an important responsibility cast on the directors, it is advisable for the directors to effectively communicate the importance of this project across the company, to assign competent persons to drive this project and to stay involved with the project, through ongoing review and monitoring.

2.4.2 ICFR Project – First Steps in a Nutshell:

1. Board to acknowledge its primary responsibility for ICFR.
2. Board to formally delegate the responsibility to a designated ICFR Champion.
3. ICFR Champion to formulate a team of persons from within and outside the company to drive ICFR.
4. Board to provide support through communication and resource allocation.

2.4.3 Each company and its directors need to make a choice –
• Either treat ICFR as a means of formalizing and strengthening the entire process leading to preparation of financial statements, and thereby create a company-wide focus on internal controls; or
• Treat this as one more ‘check the box’ exercise that holds no significance.

At a regulatory level, ICFR is one more provision to comply with. At a deeper level, ICFR provides a means for revisiting, strengthening and documenting the entire process, starting with the core values of the organization, governance principles, policies and processes and level of automation, down to operating instructions that together ensure reliable financial statements with due disclosures.

The author believes that ICFR is an opportunity for forward-looking companies who want to adopt best practices in the way they function; it is a step towards improving governance and inculcating control awareness across the organization.

2.4.4 Risk Control Matrix (RCM) – an important tool for documentation for ICFR:

A Risk Control Matrix (RCM) refers to a tool used for documentation of risks and controls in a structured manner, on a standard template. An RCM prepared for ICFR documentation generally provides the following details:
• Process and sub-process name
• Risk description
• Characteristics of risk in terms of fraud risk, risk level, etc.
• Control description
• Nature of control – preventive/detective, manual/automated, frequency of control, etc.
• Evidence of control
• Result of design testing
• Result of testing operational effectiveness.
An RCM provides a one-point documentation of business process, risks, controls and control testing details and is extensively used for ICFR documentation.

A specimen RCM template has been provided along with the ICAI Guidance Note. A simplified version of the same may be adopted by smaller, private companies.

2.5 Component # 1 - Control Environment:

2.5.1 Control environment may be visualized as the sentinels or security guards at the main entrance of a large building, say, a mall. If the entrance security is strong, the likelihood of miscreants entering the mall is reduced and to that extent, the security at each of the shops need not be as strong. Similarly, if the control environment is strong and reliable, the process and account level controls do not need to be very strict. However, if the control environment is not strong, then each process/account level control needs to be strong and frequently tested.

2.5.2 The directors of a private company need to assess the control environment by introspecting on the availability of the following:
• Documented structure, responsibility allocation and governance framework
• Effective risk management framework, with identified “financial reporting risks”
• Clearly stated policies and processes related to key activities, with identified control points
• Documented financial reporting and period closure process
• IT system that is effectively used, secure, tested and documented

These parameters define the broad framework that forms the foundation of ensuring adequate ICFR.
The key issues that the management needs to debate and answer are:
• What role do the directors play in reviewing the financial statements to ensure that they meet the disclosure requirements and are free from material misstatements?
• Do the directors possess the necessary knowledge and do they spend adequate time to discharge this role?
• If the directors are themselves not reviewing the financial statements as required, then whom do they rely upon? The CFO, the Controller, any external advisor?
• What are the policies and protocols adopted by the company to create an ethical environment that discourages frauds, misappropriations and misreporting?
• What is the direction given by the management to encourage automation, smart IT systems for financial accounting, documented processes and adequate training?
• Are the IT systems used by the company tested for accuracy and controls by periodic audit of the IT security and systems?
• Are there management processes such as budgeting, periodic reviews, analyses of deviations, performance reviews etc. that would result in timely preparation of accounting records and early detection of errors and potential problems?
• Is the company able to source and retain talent appropriate to its requirements? Is sufficient importance given to training and knowledge building so that the employees are able to perform well in the changing regulatory environment?

In short, there needs to be an assessment of all those steps that have been taken by the management, whether documented or not, that give confidence to the management on the quality of financial statements prepared by the company.

2.5.3 The directors’ assessment of the control environment, done with the help of functional experts such as the CFO, IT head and internal auditor, results in the documentation of:
• Entity Level Controls (ELC)
• IT General Controls (ITGC)
2.5.4 Assessment of ELC and ITGC is facilitated by use of questionnaires or checklists. These assessments are likely to reveal certain control gaps and some areas for improvement that need to be addressed by the management.

Addressing control weaknesses in ELC will enhance the governance of the company and strengthen the work culture and environment.

Addressing control weaknesses in ITGC will enable greater reliance to be placed on the IT systems and automated controls, thereby reducing the need for manual controls and extensive testing.

ELC and ITGC are generally used to judge the internal control climate in the company – weaknesses at these levels may not automatically result in a conclusion that internal controls over financial reporting are inadequate unless the weaknesses are indicative of a serious governance failure or a controls breakdown.

2.5.5 For a private company that falls in the SME category or has a simple business model, there is expected to be a gap in the documentation of policies and statements that evidence the organization’s vision, mission, code of ethics, compliance focus, fraud prevention, etc. Absence of documentation is not the same as absence of controls. However, documentation of certain key policies will need to be taken up on a priority basis for the management to be able to rely upon and demonstrate the internal controls.

An easy-to-use table is provided hereunder to enable a company to make a self-assessment of its ELC and decide the action plan for improvement, where the score is low.

You may rate your company on a scale of 0-3, where:
0 represents ‘total absence’;
1 represents ‘somewhat available/known’;
2 represents ‘substantially available and evidenced’; and
3 represents ‘fully in place and well-documented/evidenced’.
Sr # / Parameter / Description / Your Score

1. Board structure, delegated authority for ICFR and role of CFO
• Clarity of role of the Board.
• Regularity of meetings.
• Timely recording of minutes.
• Specific responsibility assigned for ensuring adequacy of ICFR to Audit Committee or Board members with relevant experience.
• CFO empowered and independent, to ensure full and fair reporting.
Your Score: ___

2. Values, vision and Code of Ethics
• Mission, vision and values of the company defined and demonstrated.
• Code of Ethics and Code of Conduct documented, explained and enforced.
• Anti-bribery policy, self-disclosure of conflicts and whistleblower policies introduced and explained.
Your Score: ___

3. Organization structure, roles and responsibilities and authority matrix
• Clearly defined, updated organization chart.
• Well-defined roles, responsibilities and authority structure.
• Formal delegation of powers.
• Segregation of duties and functional roles across the company to improve internal controls.
Your Score: ___

4. Risk management framework
• Formal risk management policy and framework implemented.
• Financial reporting and fraud risks considered in the risk management framework.
• Risks mapped with controls.
• Risk management framework revisited and revised to ensure on-going relevance.
Your Score: ___

5. Documented process flow diagrams and process narratives/policies/SOPs
• Documented policies and processes for all key areas of the company.
• Process diagrams with identified control points.
• Authority matrix defined.
• Work flow and document flow well designed.
Your Score: ___

6. Policy for financial reporting and closure
• Written policy and process note for financial statements closure with assigned responsibilities.
• Process for incorporating regulatory changes in disclosure requirements.
• Adequate segregation and maker/checker controls.
• Basis for making financial estimates and approval authority for the same clearly defined.
Your Score: ___

7. Talent development
• Policy established to ensure right people for the right job.
• Effective sourcing, retention and training of people.
• Ensuring employee empowerment and growth.
Your Score: ___

8. Performance review & MIS
• Budgetary controls.
• Performance review by management, with deviation analysis.
• Well-structured MIS generated from IT system used for financial reporting.
• Periodic analysis to identify aberrations, exceptions and unusual trends.
Your Score: ___

9. Monitoring and internal audit
• System of internal audit for periodic review of controls.
• System of quality checks and self-checks of controls.
• Periodic review of adequacy of processes and controls by functional heads and management.
Your Score: ___

10. Management’s philosophy on IT usage, compliance and employee policies
• Emphasis on IT-enabled processes and automation.
• Compliance framework and compliance reporting to the Board established.
• Employee policies and performance appraisal process that encourages commitment, integrity and competency.
Your Score: ___

This table is only indicative, and may be modified to suit each company’s needs based on its specific structure and nature of its business.

The self-assessment will help the management to determine the areas to focus on and also on the level of reliance that may be placed on these controls for the purpose of ICFR. While a perfect score of 30 may seem a distant dream, companies with scores less than 15 have reasons to worry.

For a more purposeful analysis, the table needs to be supplemented by 2 additional columns:
• Description of the current status, based on which the score has been assigned;
• Proposed action/remediation plan, with timelines and responsibility.

In larger companies, the ELC documentation is done using a spreadsheet (Excel template). A sample template is provided in Section 4 of this book.

2.5.6 IT General Controls:

Almost all companies use some IT platform and applications for conducting their day-to-day business, including for financial accounting. The use of IT systems is all-pervasive, in maintaining fixed asset records, for generating Purchase Orders, for printing sales invoices, for uploading statutory returns and so forth.

From the ICFR perspective, a company is concerned with the review of the overall IT infrastructure initially, and thereafter, the specific applications and modules used for recording information that are directly or indirectly used in the preparation of financial statements. The overall review of the IT policies and infrastructure is referred to as ITGC, or Information Technology General Controls. As a starting point, a company should document the IT infrastructure and applications used by it, how each one connects with other applications of the company and who is the ‘owner’ of each IT application in use, in terms of controlling access and modification thereto.

The IT risks that are expected to be addressed through effective ITGC are:
• Risk of inadequate management focus on IT function and IT environment, inadequate policies for integrity of IT systems.
• Risk of interruption and breakdown leading to inability to compile accurate financial statements.
• Risk of unauthorized access to servers, computers and application programs.
• Risk of misuse by the IT department, by gaining back-end access to IT systems and making unauthorized changes.
• Risk related to outsourcing and loss of data integrity or leakages of information/funds/resources.
• Risk of undocumented IT applications, leading to sub-optimal or inappropriate usage.
• Risk of inadequate change management process, leading to uploading untested patches and modifications.
• Risk of ineffective review and monitoring, leading to errors, processing flaws, threats and unauthorized access remaining undetected.

The IT systems used by companies vary widely. The IT system adopted by a company may be an off-the-shelf package or a customized system, a single location system or a cloud-based multi-location system, a stand-alone financial accounting package or an integrated ERP.

Considering the wide differences, it is difficult to arrive at a standard checklist or assessment criteria. An attempt is made hereunder to provide a set of parameters for evaluation of ITGC – these will need to be modified to suit the specific circumstances of a company.

Sr # / Parameters for Assessment of ITGC / Self-Assessment

1. IT Policy and department structure:
• Well-documented IT policy explaining the company’s philosophy and IT vision.
• IT department’s structure, with clear identification of the roles and responsibilities.
• Policy on anti-piracy, preferred platforms and mode of development.
Self-Assessment: ___

2. IT procurement and outsourcing:
• Policy for procurement of IT hardware and software.
• IT outsourcing policy clearly indicating the activities that need to be done in-house and those that may be outsourced.
• Vendor KYC and due diligence policy.
• Policy on access rights to outsourced vendors and control on data security.
• Review of Service Level Agreements (SLA) at pre-defined periodicity.
Self-Assessment: ___

3. Physical security and access to IT resources:
• Physical control on access to IT servers and data rooms.
• Safeguarding of IT hardware.
• Custody and safekeeping of archived data and source code files.
• Software license management.
Self-Assessment: ___

4. Logical access controls:
• Access rights allocation, approval and periodic review.
• “Need to know” basis of access right allocations.
• Log reports for detection of threats and penetration.
• Blocking and de-blocking of access rights.
• Password change policy.
• Controls on sharing of passwords.
Self-Assessment: ___

5. Data security:
• Back-up policy.
• Data archival and access policy.
• Choice of media for data storage.
• Firewalls for safety from unauthorized access.
• Protection of data stored on third party servers and on the cloud.
Self-Assessment: ___

6. Business Continuity and Disaster Recovery Plan:
• Documented BCP/DRP.
• Testing of backups periodically.
• Communication of DRP to all employees.
• Identification of mission-critical IT activities for effective BCP/DRP.
Self-Assessment: ___

7. IT manuals and source code:
• Availability of manuals for all IT applications and systems in use.
• All modifications to IT systems duly updated in IT manuals.
• For customized software, availability of source code for future modifications and for fixing bugs.
Self-Assessment: ___

8. Change management process for modification to IT applications:
• Tracking of IT change requests.
• Modifications only in test server.
• User Acceptance Test and technical test for all changes prior to go live.
• Process for ensuring seamless data processing pre and post changes to the software.
Self-Assessment: ___

9. IT audit, log monitoring:
• Periodic IT security management audits.
• Ongoing generation of log reports and effective review.
• System-based alerts for all security threats and unauthorized access.
Self-Assessment: ___

10. Review of IT controls of significant outsourced vendors:
• For all significant outsourced activities, assessment of IT systems used and related controls implemented by the vendor, e.g. outsourced payroll processing.
Self-Assessment: ___

The parameters listed above help a company to assess its areas of strength and areas for improvement.

For a company to rely on the data processed by the IT system and use the same for financial statements, it is necessary to ensure that ITGC are adequate to ensure accuracy and integrity of the data processed and reports generated using these systems. Assessment of ITGC is also required to prevent frauds and vulnerabilities arising out of unauthorized IT access. IT systems directly interfacing with the financial accounting system need to be reviewed in greater detail as part of the process reviews undertaken, as explained later.

The ITGC assessment may lead to one of the following conclusions:
• The ITGC are substantially in place and hence, the IT systems can be relied upon at the time of process review.
• The ITGC are in place in some areas but need significant strengthening – hence, limited reliance may be placed on IT systems and controls embedded therein; alternate manual controls need to be identified and tested for the specific areas where the ITGC are found to be inadequate.
• The ITGC are almost non-existent, making it difficult to rely on the IT systems and the output processed through these systems. This may warrant the directors (and the auditors) to report that the ICFR are inadequate as far as they relate to the IT environment and IT systems, unless a complete system of manual controls is in place and can be relied upon.

Many companies develop a Risk Control Matrix (RCM) based on IT General Risks and ITGC using a spreadsheet (Excel template). A sample template of ITGC RCM is provided in Section 4 of this book.

2.6 Component # 2 - Risk Assessment:

2.6.1 Risk assessment with reference to ICFR refers to the management’s assessment of the Risk of Material Misstatement (RoMM) in preparation of financial statements and in financial reporting. Ideally, this risk assessment should be part of a larger, company-wide risk management exercise.

2.6.2 The key sources of financial reporting risks are:
• Management override or management fraud
• Employee initiated misreporting – due to targets or incentives/fear
• Misinterpretation of regulatory provisions related to financial reporting
• Errors, omissions and inefficiency resulting from people, processes or IT systems

2.6.3 The sources of risks identified above are typically addressed through Entity Level Controls (ELC) and Process Level Controls (PLC) as follows:

Principal Sources of Risk / Manner of addressing the risk

• Management override or management fraud: Governance Structure, Code of Ethics and reputation of the Board members. Mainly through ELC.
• Employee initiated misreporting (due to targets set, incentives, fear): Code of Ethics, well-designed incentive and performance measurement systems, pre-emptive controls. Combination of ELC and PLC.
• Misinterpretation or lack of awareness of regulatory provisions related to financial reporting: Commitment to competency, training plans, access to knowledge resources and professional experts. Mainly through ELC.
• Errors, omissions and inefficiency resulting from people, processes or IT systems: IT application controls, maker checker controls, authorization, verifications, reconciliations, financial statement closure policy, etc. Mainly through PLC.

41
2.6.4 Next, a detailed exercise is undertaken for identifying account
balances that meet the materiality considerations. The purpose
of this exercise is to identify the corresponding business
processes and map the related risks and internal controls to
confirm adequacy of internal controls.

Steps for identification of material items are as follows:


 Based on the analysis of the previous year’s financial
statements and current year’s projected financial figures, a
percentage-based threshold for materiality needs to be
determined. Typically, this is fixed as % of turnover or a %
of profit for the year or a % of total assets of the company.
The selection of the base and the % is based on judgement
and understanding of the business.
 The materiality level determined as aforesaid is then
applied to the account balances as per the last audited
financial statements and all balances in excess of the
threshold are selected.
 Based on the nature of business, the account balances
susceptible to material errors and misreporting are
identified – e.g. stock valuation in a jewelry manufacturing
company, revenue recognition in a construction company,
and so forth. These items are added to the list of ‘material’
items.
 An additional qualitative analysis of financial statements
and related disclosures is done to determine additional
items that may be considered material from the point of
view of true and fair reporting – e.g. related party
disclosures, disclosures related to derivative transactions,
etc.
 Based on the above, a final list of potentially material items
is determined. These items, if misstated, are considered to
pose a material risk of misstatement – hence, for these
items, it is necessary to identify the controls implemented.
 Against each item, the broad business process
(procurement, sales, administration, payroll etc.) where the
accounting item originates is mapped.
 A list of those business processes for performing process
analysis and preparation of RCMs is compiled.

 Some residuary items may need to be individually dealt
with e.g. dividend, taxation, etc. or will be dealt with in
terms of “Financial Statement Closure Policy/Process”.

To summarize:
 Determine the percentage threshold for materiality
assessment.
 Apply the materiality threshold to the trial balance as
on the selected date and filter the account balances
qualifying as 'material'.
 Identify additional items as 'material' based on
qualitative analysis of financial statements and
disclosures and based on the nature of business.
 Map the account balances selected as 'material' to the
underlying business processes.
 Identify the key processes that need to be analyzed to
ensure that all material items are covered.

The end product of the risk assessment exercise is:
 Establishment of materiality threshold;
 Identification of account balances and processes for
which Risk Control Matrices need to be documented;
 Documentation of the first section of RCMs dealing with
account/process, risks and characteristics of the risk.
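The materiality screen described in 2.6.4, carried through in Python as an added worked example (this is not part of the handbook and not the ICAI template; the trial balance, the base of 1% of turnover, the process mapping and the choice of 'financial statement closure' as the residuary bucket are all constructed assumptions for illustration):

```python
"""Materiality screen over a trial balance, following the steps in 2.6.4.

Added worked example, not the handbook's own material. Account names,
balances (constructed, INR lakhs), the process each item originates in
and the 1%-of-turnover base are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    balance: float   # closing balance per the last audited financial statements
    process: str     # business process in which the accounting item originates


# Constructed trial balance; not real data.
TRIAL_BALANCE = [
    Account("Revenue from operations", 12000.0, "sales"),
    Account("Purchases of raw material", 7500.0, "procurement"),
    Account("Employee benefit expense", 1800.0, "payroll"),
    Account("Inventories", 2600.0, "inventory"),
    Account("Trade receivables", 2100.0, "sales"),
    Account("Property, plant and equipment", 3400.0, "fixed assets"),
    Account("Bank charges", 4.5, "treasury"),
    Account("Provision for doubtful debts", 60.0, "financial statement closure"),
    Account("Related party payables", 35.0, "procurement"),
    Account("Dividend payable", 150.0, "financial statement closure"),
]


def materiality_threshold(base_amount: float, percent: float) -> float:
    """Step 1: threshold = chosen % of the chosen base (turnover, profit or total assets)."""
    if base_amount <= 0 or not 0 < percent <= 100:
        raise ValueError("base must be positive and percent within (0, 100]")
    return base_amount * percent / 100.0


def select_material_items(accounts, threshold, qualitative_items=()):
    """Steps 2-4: quantitative screen (|balance| >= threshold) plus items added
    on qualitative grounds (nature of business, disclosure sensitivity).

    Returns the material accounts in trial-balance order, without duplicates.
    """
    qualitative = set(qualitative_items)
    missing = qualitative - {a.name for a in accounts}
    if missing:
        raise KeyError(f"qualitative items not in trial balance: {sorted(missing)}")
    return [a for a in accounts if abs(a.balance) >= threshold or a.name in qualitative]


def processes_to_document(material_accounts,
                          residuary_processes=("financial statement closure",)):
    """Steps 5-7: map each material item to its originating process; residuary
    items (dividend, taxation, year-end provisions) are routed to the FSCP."""
    process_items = {}
    residuary = []
    for acct in material_accounts:
        if acct.process in residuary_processes:
            residuary.append(acct.name)
        else:
            process_items.setdefault(acct.process, []).append(acct.name)
    return process_items, residuary


def run_materiality_assessment(accounts=TRIAL_BALANCE, turnover=12000.0, percent=1.0,
                               qualitative_items=("Related party payables",)):
    """Whole procedure; returns (threshold, material items, processes needing RCMs, residuary)."""
    threshold = materiality_threshold(turnover, percent)
    material = select_material_items(accounts, threshold, qualitative_items)
    processes, residuary = processes_to_document(material)
    return threshold, material, processes, residuary


if __name__ == "__main__":
    thr, material, processes, residuary = run_materiality_assessment()
    print(f"materiality threshold: {thr}")
    for name, items in sorted(processes.items()):
        print(f"RCM needed for '{name}': {items}")
    print(f"residuary items (dealt with under FSCP): {residuary}")
```

On the constructed data the screen yields five processes (sales, procurement, payroll, inventory, fixed assets), in line with the 5-6 RCMs the handbook expects for an SME, and pushes the dividend into the closure process. The qualitative list is deliberately an explicit input rather than a rule, because that judgement (related parties, derivatives) is exactly the part the handbook says cannot be reduced to a percentage.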

2.6.5 A simpler and more intuitive process that may be considered is
presented hereunder:

Step I:
Categorize financial transactions generally entered into by the
company into:
Routine, repetitive transactions – purchase, sales,
expense booking, payment processing, payroll, etc.
Non-routine financial transactions – these are
transactions that occur at uncertain intervals and are
event based – e.g. issue of fresh shares, borrowing,
capitalization, insurance claim, arbitration
settlements, etc.

Estimations – bad debt provisions, diminution in
investment value, provision for employee benefits, tax
provision, inventory valuation, deferred taxation etc.
Period Closure Entries – based on reconciliations,
verifications, interest accounting, cut-off based
accruals etc.

Step II:
Routine Transactions:
 Examples – purchase, sales, expense booking, payment
processing, payroll, etc.
 These generally cover at least 60-70% of total transactions
of the company and equivalent man-hours of the accounting
personnel.
 These need to be covered by a process flow and narrative,
and ideally well-established IT platform/s.
 These may also be subjected to internal audit and periodic
MIS review.
 For each material category/significant process, ideally a
Risk Control Matrix (RCM) needs to be prepared, focusing
on only material risks.
 For an SME company, the analysis of routine transactions
and materiality would typically result in the identification of 5-6
processes for which RCMs would need to be prepared.

Step III:
Non-Routine Transactions:
 Examples - issue of fresh shares, borrowing, capitalization,
insurance claim, arbitration settlements, declaration of
dividends.
 For these, it may be very difficult, especially for SME &
private companies, to have a documented process.
 For all such transactions above a pre-defined monetary
limit, the company may establish a maker-checker-approver
process and document the same under “Policy/Process
for processing of material non-routine transactions”.
 This will cover the various categories of such transactions
and ensure accurate accounting, with due scrutiny and
authorization at an appropriately senior level.

Step IV:
Estimations:
 Examples - bad debt provisions, diminution in investment
value, provision for employee benefits, tax provision,
inventory valuation, deferred taxation.
 Estimations require exercise of judgement and hence, need
to be based on proper working, rationale, policy and
approval.
 A due process for basis of significant estimations and
approval of the same needs to be documented.
 This area poses the highest risk of error and management
override – there is a need for increased attention to this
area, both, by the company and its auditors.

Step V:
Period closure transactions:
 Examples – entries based on reconciliations, physical
verifications, interest accounting, cut-off based accruals,
outstanding liabilities, pre-paid expenses, etc.
 These may be covered in the Financial Statement Closure
Policy (FSCP).
 Trail to be maintained for establishing cut-offs may be
specified.
 Authority matrix identifying the maker-checker-approver
may be documented.
 Clear trail of year-end processing may be established from
the first trial balance to final financial statements.
 For most SME & private companies, the FSCP and the
related RCM may be the most relevant document in support
of ICFR review and assurance.

The alternate approach to risk assessment proposed for SMEs
is summarized hereunder:

 Routine transactions: cover 60-70% of total transactions;
5-6 RCMs identified based on main processes.
 Non-routine transactions: cover 10-20% of transactions;
RCM for material non-routine transactions.
 Estimations: based on judgement, material in nature;
Policy for estimations + RCM.
 Period closure entries: based on cut-off, closures,
reconciliations and verifications; Financial Statement
Closure Policy (FSCP).

Under this approach, the company would be required to
document policies/process narratives and RCMs as follows:
 Financial Statement Closure Policy (FSCP) and related RCM.
 Policy for accounting estimates and related RCM.
 Policy for processing non-routine material transactions and
related RCM.
 Based on analysis of routine transactions, documentation of
Policies and standard Operating Procedures for 5-6 key
processes (e.g. purchase, payroll, sales, inventory, fixed
assets)

2.6.6 The Company may perform materiality assessment and
determine the RCMs to be prepared by using either of the
approaches presented in 2.6.4 or 2.6.5.

The risk assessment exercise ends with the identification of
material financial reporting risks for the selected processes and
activities. The risk assessment exercise leads to completion of
the first part of all RCMs that deal with description and
detailing of risks.

Documentation template for documenting RoMM has been
provided in the CD accompanying the ICAI Guidance Note and
may be used with desired modification.

2.7 Component # 3 - Control Activities:

2.7.1 This component of internal control deals with establishment of
controls appropriate to the identified risks.

ICFR are considered to be adequate and effective when it can
be established and demonstrated that all key risks identified
through the risk assessment process have been addressed
through institution of appropriate controls.

2.7.2 In most business organizations, there are several controls
implemented to support preparation of financial statements
that are free from material errors or misstatements. However,
a formal structured linking of identified risks with
corresponding controls is not done. The ICFR project would
enable this formal mapping of risks with controls and as a
result, is likely to reveal:
 Risks that have not been envisaged or visualized and hence
controls have not been designed e.g. company has recently
shifted to net banking and electronic payments; however,
the underlying risk was not identified and hence, specific
controls not mapped to the risk.
 Controls that are operational for risks that are no longer
relevant.
 Multiple controls are there for addressing the same risk,
giving an opportunity for optimizing.
 Several controls are embedded in the IT system, but due to
untested IT systems, these controls cannot be relied upon.

Such revelations would help the company in optimizing its
controls and enhancing its management of financial reporting
risk.

2.7.3 Documentation of policies and process narratives forms an
integral part of the control activities and ICFR framework. In
case a company does not have well-documented and updated
policy and process notes, the company may consider
documentation of the following policies to start with:

Policy Name / Brief Contents

Financial Statement Closure Policy (FSCP): Entire process from
year-end trial balance to finalization of financial statements.
This policy should detail the information called from various
functional heads, the manner of determining cut-offs, checklist
for disclosures, etc. Specimen of FSCP is provided in Section 4
of this book.

Routine transactions – standard processing cycles: The following
standard processes may be documented:
 Procurement (indent to pay)
 Income Cycle (order to cash)
 Employee costs and benefits (joining, termination, monthly
processing and periodic allowances)
 Expenses (order to payment)
 Fixed assets (procurement, verification, retirement,
depreciation)
For all these processes, it would be ideal to document process
flow diagrams with clear demarcation of controls, in addition
to the process note.

Special transactions:
 Policy & process note for approving non-routine
transactions
 Policy and process note for approving accounting estimates

General:
 Organization chart
 Delegation of Authority (DoA)
 Anti-fraud policy
 Code of conduct, ethics policy
 IT policy

2.7.4 The documentation of controls can be quite tedious and
demanding. A practical approach would be to make a list of
commonly applied controls and assign a number to each such
control. An indicative list is provided hereunder:

Control # Control Description
C1 Availability of documented policy and process
note
C2 Maker-checker control
C3 Segregation of duties
C4 Authorization control
C5 Verification of assets /documents
C6 Reconciliation of balances – bank balances,
vendor & customer balances, investments, etc.
C7 3-way matching of records – financial records,
asset records and physical verification records
(fixed assets, inventory, etc.)
C8 Review controls – month/year closure review,
MIS review, budgetary review, etc.
C9 Third party balance confirmations
C10 Independent review by internal auditor, or other
agencies
C11 System-based alerts and blocking
C12 Expert opinion (for determination of valuation,
statutory liabilities, diminution/impairment,
gratuity valuation etc.)
C13 Physical security controls – safe custody, security
agencies, web-cameras for remote vigilance
C14 KYC and due diligence requirements
C15 Automation controls for validation, computation
and data transfer
C 16 ……
C 17 ……

Making this list of commonly deployed controls saves time at
the time of preparing RCMs – instead of writing description of
control against each identified risk, only the relevant control
number may be entered. The list may be expanded to cover
additional controls, or residuary control # may be assigned –
for this residuary control, the description of the control will
need to be stated in the RCM.

2.7.5 With respect to those risks for which controls have not been
clearly identified, maker-checker controls, with a senior level
authorization may provide sufficient control in most cases. To
this end, a comprehensive summary of all delegation of
authority and segregation of duties across functions may prove
helpful in demonstrating effective controls.

Areas that are found to have inadequate controls may be
included in the scope of internal audit to provide additional
controls/assurance.

For all control gaps identified, the management must insist on a
time-bound remedial plan.

2.7.6 Based on overall assessment of risks and controls, including
alternate and compensating controls, the management should
conclude on the adequacy of ICFR for the purpose of the
Directors’ Report.

2.8 Component # 4 - Information System and Communication:

2.8.1 This component of internal control deals with establishment of
clear channels for information flow and communication to
ensure:
 The completeness and integrity of the information that
flows into the financial statements.
 The accuracy and integrity of financial information,
including financial statements, disseminated by the
company to regulators, shareholders and other
stakeholders.

2.8.2 The risk of inaccurate or incomplete information flowing into
financial statements is examined as part of documentation of
process flows and RCMs.

2.8.3 The risk of errors in financial statements disseminated to
external agencies may be addressed through the Financial
Statement Closure Policy (FSCP).

2.8.4 In addition, the directors and senior management should
undertake a review of all other information flows from the
functional heads and remote locations, to those responsible for
preparing financial statements. Very often, information critical
to preparing financial statements that is free from material
misstatements does not reach the Accounts department in a
timely manner – e.g. intimation of rejection by a customer
before the year-end may not be communicated by the Sales
head; receipt of a favorable order from Income Tax department
that warrants reversal of past provisions may not be
communicated by the Taxation manager to the Accounts
department.

ICFR project provides an opportunity to undertake a
comprehensive review of information flow and remove all
bottlenecks that may be causing delay or breakdown in the
information flow.

2.8.5 This component does not call for any separate documentation
by the company; as all related documentation is included in the
RCMs and policy/process notes.

2.9 Component # 5 - Monitoring of Controls:

2.9.1 The last component of internal controls deals with instituting
adequate processes for ongoing monitoring of controls. This is
most important for ensuring that the controls as desired and
designed by the management have actually been
operationalized and their continuing effectiveness is ensured.

2.9.2 Monitoring of controls is achieved by maintaining the ICFR
framework as a dynamic framework by:
 Ensuring periodic review of all documented policies and
processes.
 Requiring all RCMs to be updated periodically to reflect the
changes in the risk profile and controls.
 Including, as part of internal audit scope, testing of controls
depicted in the RCMs.
 Getting IT system independently tested periodically to
continue placing reliance on IT system-based controls.
 Creating a control-centric organization by introducing
Control Self-Assessment (CSA) where appropriate.
 Formalizing risk management framework across the
company.

The directors may prioritize and set timelines for monitoring
and strengthening of controls on an ongoing basis.

2.9.3 For private companies, the statement to be made in the
Directors’ Report does not require any specific mention about
the ‘operational effectiveness’ of controls; hence, as such, no
specific responsibility has been cast on the directors for the
testing of operational effectiveness.

2.10 Concluding Remarks:

The first year of implementation of ICFR framework will pose a
challenge for most companies and will require significant
management time.

All regulatory changes are internalized initially in form, to meet
the compliance requirements. After the basic compliance is
achieved, some companies will take the initiative forward to
aim to comply in spirit, by understanding the intent of the
regulations. As far as ICFR is concerned, only those companies
that choose to go beyond the initial compliance will stand to
benefit.

Companies that make a sincere effort to implement the ICFR
framework in spirit are likely to benefit from improved control
consciousness across the company, stronger policy and process
documentation, improved processes and stronger IT systems.

SECTION 3: ROADMAP FOR THE AUDITORS OF A PRIVATE
COMPANY FOR AUDIT OF ICFR

3.1 Overview:

3.1.1 The ICAI Guidance Note provides detailed guidance for
auditors, including formats of engagement letters, specimen
audit reports and sample documentation templates.

Section 2 above provides a roadmap for private companies
along with certain practical solutions - this is also relevant to
the auditors of private companies.

The objective of this section is to provide certain practical
guidance and methodology for the auditors of private
companies, without replicating what is already available in the
ICAI Guidance Note.

3.1.2 Some salient points related to ICFR audit, based on ICAI
Guidance Note and other reference material, are summarized
here:
 The reporting requirements under section 143(3)(i) are
applicable to financial years starting on or after 1st April
2015.
 The auditor’s reporting on internal financial controls is only
with reference to audit of financial statements.
 The auditor is required to report on the adequacy of internal
financial controls system – the use of the word ‘system’
presupposes a structured approach of internal controls
adopted by the company.
 In the Indian context, the Internal Control Components
specified in Appendix I of SA 315 provide the necessary
criteria for internal financial controls – these may be used as
benchmark system for evaluating ICFR.
 As with financial statements audit, the auditor is required to
obtain reasonable assurance with respect to adequacy and
effectiveness of ICFR.
 The adequacy and effectiveness of ICFR has to be examined
as at the balance sheet date – auditor need not comment
adversely on companies that did not have adequate ICFR
during the year, but managed to have the same in place as at
the balance sheet date.

 The reporting requirement on ICFR applies to financial
statements prepared under the Companies Act, 2013 and
hence, applies to annual financial statements and
consolidated financial statements; but not to any interim or
unaudited financial statements.

3.1.3 Some additional points that merit consideration for the auditor
in determining the audit approach are presented hereunder:
 The audit of ICFR needs to be customized based on the size
of the company and complexity of its operations. For smaller
companies or companies with less complex operations, the
controls defined may be simpler and the documentation
may be less structured and less detailed.
 Risk of Material Misstatements (RoMM) needs to be
assessed keeping in mind the likely readers of the financial
statements and the purpose for which the statements are
likely to be used by the company. This is an important
consideration for identification of material risks.
 The reporting by auditors and by directors on ICFR is
independent of each other. Hence, the company and the
auditors need to maintain their independent documentation
to support their individual conclusions and opinions. The
company and the auditors may follow different
methodology for determining materiality and identifying
material items – as long as the method followed by the
company is reasonable, the same need not be objected by
the auditor.
 The auditor may use the documentation created by the
company as a base (e.g. RCMs or ELC document), but is not
justified in insisting the same to be in a specific format. The
company may use formats that are easy for them to compile
and sustain – the auditors may enhance this documentation
based on their own requirements. E.g. specification of audit
assertion as part of the RCM may be done by the auditors,
but may not be done by the company. Also, the company
may document ELC as a narrative, whereas the auditor may
document the same as an Excel spreadsheet with several
columns.
 The auditor’s review of adequacy and effectiveness of ICFR
needs to be driven by the content of the internal control
system and documentation adopted by the company and not
merely by the formats used. However, the company needs to
adopt a framework for designing and assessing its internal
financial controls, as mentioned in Section 2 above.
 The auditor must give due consideration to the past
experience of audit and other relevant evidence where the
financial statements have been subjected to external
scrutiny – if significant errors or irregularities have been
identified, these need to be considered in the assessment of
risks.

3.2 Pre-audit Approach:

 Engage with the directors and senior management.
 Educate all those who will drive ICFR within the company.
 Empathize with the constraints of skills and documentation;
provide easy tools to achieve compliance.
 Encourage the company to achieve higher standards of
governance and internal controls.

3.2.1 The auditors need to communicate the ICFR audit
requirements to the companies audited by them. For this, they
need to be clear about their audit approach and requirements.

Effective communication, with the board of directors and the
senior management of the company sets the ball rolling to
achieve superior compliance and more efficient audit.

In many cases, the auditors are not clear as to their
requirements and audit approach – this creates irritation and
confusion for the companies, as the company is not able to
prepare the records and documentation expected by the
auditors in advance.

3.2.2 Based on prior years’ audit experience, the auditor may be able
to help the company identify areas of control weaknesses,
giving the company management time to establish alternate
controls or strengthen existing controls in such areas.

Areas that have been error free in the past and do not pose a
serious risk of misstatement may be deferred for
documentation of policies and preparation of RCMs.

3.2.3 The auditor may guide the company in creating documentary
trail for controls already in existence. E.g. the auditor is aware
that at the time of finalization, all changes to the financial
statements are being approved by the CFO and the CEO, but
this is not documented as a formal sign-off. In such a case, the
auditor may guide the company to ensure sign-offs for
evidencing the control.

3.2.4 Similarly, the auditor may guide the company in identifying
controls that have already been implemented, but have not
been reflected in RCMs. E.g. the company monitors the activity
of its factory remotely through viewing the images from the
web-cameras installed at the factory, particularly when new
machinery is being installed. This may not have been identified
as a control for validating the date of installation of new
machinery as part of the RCM.

3.2.5 To conclude, auditors of private companies need to take an
approach based on appreciation of their size and structure, and
aim to help the company achieve higher levels of governance
and controls through the ICFR exercise.

In the initial years of compliance, the auditor may want to focus
on creating awareness, encouraging compliance in spirit and
not just in form, and enabling a directional or a mindset change
in the company being audited, rather than focus on insisting on
meticulous documentation done with the help of external
agencies/advisors who have limited understanding of the
company’s business and style of working.

3.3 Audit Approach:

3.3.1 Risk assessment in a structured manner:

As part of the usual audit process adopted for audit of financial
statements, and as required by SA 315, auditors do carry out
an assessment of financial reporting risks and plan their audit
so that areas with weak or inadequate controls are
checked more extensively.

The auditor now is required to perform such a risk assessment
in a more structured manner, with determination of materiality
levels and documentation of material/significant weaknesses
or inadequacies observed in the controls. Also, the risk
assessment is not merely for the purpose of planning the audit
of financial statements, but also for assessing the adequacy of
ICFR.

3.3.2 Documentation of ELC, ITGC and RCMs:

Next, the auditor needs to review all available documentation
prepared by the company and then suitably modify/enhance
the same to meet the requirements of ICFR audit
documentation.

The documentation formats given as part of the ICAI Guidance
Note may be suitably simplified for smaller companies or
companies with less complex operations.

3.3.3 ITGC and IT systems testing:

The auditor may consider taking the assistance of an IT
specialist for assessing ITGC and the IT systems. This may be
particularly necessary for companies with advanced IT systems
and where a high level of reliance is placed on IT based
controls. Alternatively, the auditor may place reliance on
findings of the IT systems audit conducted for the company by
independent IT audit specialists.

A commonly used accounting package, such as Tally, also needs
to be tested for access rights, back-ups, customization carried
out, monthly/quarterly locking of system to prevent back-
dated accounting entries or modification to past data, year-end
closing entries, etc.

It is expected that in case of many of the small and medium
sized companies, it may not be possible to place reliance on the
IT systems in the first year, as they may not be adequately
documented and tested. In such cases, the auditor may need to
consider alternate manual controls.

3.4 Audit Execution - Testing of Controls:

3.4.1 The auditor’s report is required to state whether the company
has adequate internal financial controls system in place and the
operating effectiveness of such controls.

Essentially, this requires the auditors to identify the financial
reporting risks or the risk of material misstatements and
review the controls to confirm:

 Do the controls exist?
 Is the design effective?
 Are they operating effectively?
 Are the controls adequate and effective?

The audit of ICFR is expected to be integrated with audit of
financial statements. The auditors need to maintain adequate
documentation to support their conclusion on ICFR – this
requires effective design and use of smart templates for work
paper documentation.

The testing of controls is done at 2 levels:
 Testing design effectiveness of controls
 Testing operating effectiveness of the controls

Testing design effectiveness of controls is essentially
confirming that the controls, as indicated by the company, are
in existence and designed properly. E.g. one of the stated
controls is that a purchase invoice cannot be entered into the
IT system without entering a purchase order, duly approved by
the Head - Procurement. Here, the design effectiveness testing
would require a walkthrough of the IT system to check that the
system does not permit entering a purchase invoice without a
PO and that the IT system-based approval rights are available
only with the Head – Procurement. Testing design effectiveness
is best done at the time of review/documenting of controls by
means of process walkthrough and live testing of 1-2 sample
transactions.

Testing operational effectiveness comprises the
substantive testing done to confirm that a control is operating
consistently and as intended. For manual controls, this entails
checking of a sample of transactions against the control
parameters. For automated controls, this entails testing the
system configuration and logic and then testing a very small
sample for validation of the automated control.

It is expected that most of the controls identified as key
controls in the ICFR exercise would get tested as part of normal
audit of financial statements. The controls that may not have
been tested adequately are:
 IT system related controls
 Financial statement closure process and related controls,
specifically with reference to estimates and year-end
provisions; (the working and the accounting entries
would be tested in normal course, but the underlying
controls and evidence of controls may not have been
tested).
Hence, the auditor needs to ensure that the testing of controls
is done in a manner that there is no duplication of efforts, and
that the documentation of testing is sufficient for both - the
financial statements audit and ICFR audit.
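The checks described in 3.3.3 (period locking against back-dated entries) and 3.4.1 (an invoice needs a PO approved only by the Head - Procurement; maker and checker must differ) can be run mechanically over a system extract, which is how the "very small sample for validation of the automated control" and the evidence for the manual controls are produced. The following is an added example in Python, not the handbook's material and not tied to Tally or any other package's export format; the journal entries, user names, the approver role and the lock dates are constructed assumptions:

```python
"""Operating-effectiveness tests over a constructed journal extract.

Added worked example for 3.3.3 and 3.4.1, not the handbook's own code.
The entries, users, approver role and period-lock dates are assumptions
made up for illustration; a real run would read the accounting system's
audit log, and 'recorded_at' must be the system's own timestamp.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Entry:
    entry_id: str
    entry_type: str              # "purchase_invoice" or "journal"
    entry_date: date             # accounting date the entry is booked to
    recorded_at: datetime        # system timestamp when the entry was saved
    maker: str
    checker: Optional[str]
    po_ref: Optional[str] = None
    po_approved_by: Optional[str] = None


# Assumption: only the Head - Procurement user may approve purchase orders.
PO_APPROVERS = {"head_procurement"}

# Assumption: periods up to 31 March 2016 were locked on 10 April 2016.
PERIOD_LOCKED_UP_TO = date(2016, 3, 31)
LOCK_APPLIED_AT = datetime(2016, 4, 10, 18, 0)

# Constructed sample extract; not real accounting data.
JOURNAL = [
    Entry("PI-001", "purchase_invoice", date(2016, 3, 2), datetime(2016, 3, 2, 11, 5),
          maker="clerk_a", checker="accountant_b",
          po_ref="PO-77", po_approved_by="head_procurement"),
    Entry("PI-002", "purchase_invoice", date(2016, 3, 15), datetime(2016, 3, 15, 16, 40),
          maker="clerk_a", checker="accountant_b"),           # no PO at all
    Entry("PI-003", "purchase_invoice", date(2016, 3, 20), datetime(2016, 3, 20, 9, 12),
          maker="clerk_c", checker="clerk_c",
          po_ref="PO-81", po_approved_by="clerk_c"),          # self-approved, self-checked
    Entry("JV-010", "journal", date(2016, 3, 31), datetime(2016, 4, 9, 12, 0),
          maker="accountant_b", checker="cfo"),               # closure entry before the lock
    Entry("JV-011", "journal", date(2016, 3, 31), datetime(2016, 4, 22, 14, 30),
          maker="accountant_b", checker="cfo"),               # written into a locked period
]


def check_po_control(entry: Entry) -> list:
    """Control: a purchase invoice needs a PO approved by an authorised approver."""
    if entry.entry_type != "purchase_invoice":
        return []
    if not entry.po_ref:
        return ["invoice posted without a purchase order"]
    if entry.po_approved_by not in PO_APPROVERS:
        return [f"PO approved by unauthorised user {entry.po_approved_by!r}"]
    return []


def check_maker_checker(entry: Entry) -> list:
    """Control: every entry is checked by someone other than its maker."""
    if entry.checker is None:
        return ["entry has no checker"]
    if entry.checker == entry.maker:
        return ["maker and checker are the same user"]
    return []


def check_period_lock(entry: Entry) -> list:
    """Control: nothing is written into a locked period after the lock was applied."""
    if entry.entry_date <= PERIOD_LOCKED_UP_TO and entry.recorded_at > LOCK_APPLIED_AT:
        return ["back-dated entry recorded after the period lock"]
    return []


def run_control_tests(journal=JOURNAL) -> dict:
    """Return {entry_id: [finding, ...]} for entries failing at least one control."""
    exceptions = {}
    for entry in journal:
        findings = (check_po_control(entry) + check_maker_checker(entry)
                    + check_period_lock(entry))
        if findings:
            exceptions[entry.entry_id] = findings
    return exceptions


if __name__ == "__main__":
    for entry_id, findings in run_control_tests().items():
        print(entry_id, "->", "; ".join(findings))
```

Run stand-alone, it lists PI-002, PI-003 and JV-011 as exceptions; PI-001 and JV-010 pass, and that pass list is the evidence an auditor retains alongside the exceptions. JV-010 illustrates the point in 3.4.2: a closure entry dated 31 March but recorded on 9 April is a legitimate finalization entry, not a back-dated one, because it precedes the lock. The period-lock test only means something if the recorded_at timestamp comes from the system and cannot be edited by the user who posts the entry.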

3.4.2 Timing of testing:

The ICAI Guidance Note states that the ICFR need to be
examined as at the balance sheet date.

In practical terms, for smaller companies, most of the key
controls will be exercised as part of the financial statement
closure process, i.e. after the year end when the finalization is
underway. In this case, can it be said that the controls were
effective as at the year-end?

The author is of the view that controls envisaged and designed
before the year-end, to be exercised at the time of finalization
of accounts, may be considered adequate if they were indeed
exercised and could be evidenced by the auditors. As many of
these controls could not have been exercised earlier, as the
underlying activity is performed only at or after the year-end
(e.g. inventory verification and valuation, assessment of
impairment, provision for doubtful debts, provision for
taxation, etc.), the question of testing whether these were
operating prior to the year-end does not arise, especially in the
first year of review.

3.4.3 Optimizing the quantum of testing:

A company, in its design of controls, will need to implement
controls at various stages in a transaction cycle. E.g. for
procurement cycle, there may be controls on PO placement, on
receipt of materials, on bill approval and on payment release.
The company may also monitor and test all these controls as
and when the activity is taking place.

The auditors need not test each of the controls individually, if
they can get an assurance that all the controls are existing and
operational by checking the documentation of the last stage
(payment release) with all related approvals and
documentation for PO, GRN and invoice booking. Such
composite controls testing can reduce the time and efforts of
the auditors.

Similarly, for a company that normally gives 30 days’ credit to
its customers, one of the risks identified is the ‘risk of raising
sales invoices without rendering services’. The corresponding
control is ‘obtaining an email confirmation from the customer
at the time of billing’. Now, in this case, at the year-end, the
control needs to be tested only for invoices that have not been
paid – the fact that a customer has paid for the services billed
automatically implies that the services were rendered during
the year. Thus, for effective testing of this control, a sample
may be drawn from outstanding invoices.

It is thus important for the auditors to perform controls testing
in a manner that it optimizes efforts and gives greater
assurance or identifies weaknesses effectively. Selection of
controls, timing of testing and method of testing are important
considerations for the auditors.

3.5 Audit Conclusions and Audit Reporting:

3.5.1 Based on testing of controls, and evaluation of ELC and ITGC,
the auditor is required to arrive at a conclusion about the
adequacy and effectiveness of internal controls.

The ICAI Guidance Note provides that only in case of a material
weakness do the auditors need to qualify their opinion. Further,
the qualification or disclaimer, as the case may be, needs to
specify the specific area of weakness rather than provide a
blanket qualification.

Whether a weakness identified is material or not is a matter of
professional judgement, and needs to be exercised by the
auditor considering the financial statements as a whole. The
identified control weakness needs to be evaluated based on the
likelihood of occurrence of the underlying risk and the
potential impact on the financial statements.

The ICFR audit is concluded as follows:

Material Weakness                  -> Qualify the ICFR report
Significant deficiency or weakness -> Inform those charged with governance
Other weaknesses and deficiencies  -> Inform the CFO/CEO so that corrective action may be taken

3.5.2 The Audit Report on ICFR may be issued as a separate report or
may be combined with the Audit Report on financial
statements. The ICAI Guidance Note provides detailed guidance
on the contents of the Audit Report and also several illustrative
reports covering different scenarios.

The auditor may also be able to issue a combined report based
on audit of financial statements and ICFR, particularly for small
companies. The following paragraph may be included for giving
an unqualified report on ICFR in such cases:

“In our opinion, the Company has, in all material respects,
an adequate internal financial control system over financial
reporting and such internal financial controls over financial
reporting were operating effectively as at 31 March 2016,
considering the essential components of internal control stated
in the Guidance Note on Audit of Internal Financial Controls over
financial reporting issued by the Institute of Chartered
Accountants of India”

3.5.3 An issue that often comes up for discussion is whether there is
a case for increase in audit fees as a result of increased
reporting responsibility.

The move to require audit reporting on ICFR is a move to align
the audit requirements with global practices, as a means of
improving investor confidence in not only the financial
statements, but also in the process adopted and controls
established for preparing financial statements.

Reporting on ICFR requires additional work to be done by the
auditors in terms of assessing the controls, testing their
effectiveness and documenting the basis for their conclusion.
The ICFR audit requires interactions with the senior
management of the company, ability to understand the
organizational culture and control systems in a holistic manner
and thus requires the auditors to deploy persons with sufficient
seniority. The ICFR report requires auditors to give additional
assurance, assume additional professional responsibility and
thus needs to be compensated accordingly.

In case of companies where the audit appointment and the fees
for the year have been fixed at the Annual General Meeting, the
fee increase on account of ICFR reporting may be ratified by the
general body at a subsequent meeting. This practice has been
observed in some large listed entities.

3.5.4 The responsibility of reporting on ICFR is an onerous
responsibility and exposes auditors to professional risk in case
they fail to discharge the same judiciously. The auditors of
private companies need to exercise balance and judgement
whereby, they take a practical and fair approach to the audit –
ensuring that on one hand, they do not compromise in their
professional duty, and on the other hand, they do not
overwhelm their private company client by expecting systems
and documentation generally found only in large listed
companies. A fine distinction needs to be maintained between
‘the need to have’ and ‘the nice to have’ – the ‘need to have’
must be insisted upon and the ‘nice to have’ must be
encouraged without reporting consequences.

The business community normally responds to anything in which it
sees a value, or fears consequences of non-compliance. Many of
them obtained an ISO certification when their customers
insisted on the same. They got their environmental clearances
when they faced factory shutdowns. They documented an
Anti-Bribery Policy when their vendors and customers refused to do
business with them otherwise. So, if the auditors refuse to give
an unqualified opinion where controls are inadequate, the
community will respond by ensuring an adequate internal
controls system. Even better, if the auditors are able to drive
home the value proposition that ICFR holds for a company, they
may be able to encourage the company to embrace the ICFR
regulations as a business improvement tool. Creating such a
win-win situation will require some auditors with
extraordinary convincing skills and some companies with
extraordinary openness to change.

3.6 Call to Action:

The audit profession is undergoing a sea change: the
professional risk is increasing, the rotation of auditors is here
to stay, the reporting requirements are ever-changing and the
expectations from auditors are sky-high. In this scenario, it is
up to the audit profession to decide the approach that it wants
to take towards ICFR. The questions that each auditor needs to
answer:

• Am I willing to give an unqualified opinion on ICFR
where there are material weaknesses in ICFR?
• Am I feeling compelled to give an unqualified opinion in
spite of material weaknesses, due to a fear of losing my
client otherwise?
• Am I using the regulatory change to gain personal
benefit by forcing my client to appoint my firm or an
associate to undertake the documentation for ICFR, and
earn handsome fees for the same?
• Am I willing to work with my client to enhance the ICFR
framework, so that it benefits my client and also reduces
the audit risk in the medium-to-long term?
• Am I going beyond the formats and templates to
understand the intent of the regulations and work
towards complying with the regulations in form and in
spirit?

The approach that the auditing profession adopts will decide
the way Corporate India and the regulators respect and value
the auditors in times to come. For some auditors, ICFR is one
more box to tick, for some other auditors, this is an earning
opportunity, and for a handful of auditors, it is a stepping stone
to playing a catalyst’s role in shaping the way Corporate India
considers its financial reporting responsibility.

The members of the auditing fraternity need to decide their
approach with responsibility, knowing that their individual
choice may impact the collective future of the auditing
profession.

4. Making it easy – ready-to-use drafts and formats

4.1 Entity Level Controls – Specimen (refer paragraph 2.5.5)

ABC Private Limited
ICFR for the year ending 31st March, 2016
Entity Level Controls (ELC)

LIST OF CONTROL GROUPS

Control Ref   Control Group
C01   Roles and responsibilities of Board of Directors
C02   Formal SOPs for various crucial processes
C03   Admin Manual covers various policies
C04   Risk Management policy
C05   Background Verification process in place
C06   Manpower planning and recruitment policy/process to ensure right crew for the right job
C07   Board Review of business plans, budgets, budget vs. actual, periodic performance and Internal Audit reports
C08   Monthly MIS reporting
C09   Staff hired through a management approved placement agency
C10   Promotions based on well-defined Performance Evaluation system
C11   Talent growth through need-based and compliance related training
C12   Attrition management
C13   Independent Review and periodic updates by External Professional Consultant
C14   Access rights restrictions
C15   Independent Review by Internal Auditor
C16   Validation controls - confirmation, verifications of assets/bank balances, valuations
C17   Compliance framework, tracker and reporting - controls on compliances and regulatory reporting
C18   Sexual Harassment Policy
C19   Appointment letter covers ethical standards and other required terms and conditions which is signed-off by employees at the time of joining
C20   Board/Management Approval
C21   Formal roll out of ICFR policy and testing
C22   Data Back-up strategy
C23   Defined BCP/DRP process
C24   Periodic department reviews
C25   Defined Financial Closure Policy
C26   Compliance with related-party transactions and disclosures
C27   Periodic updation and communication of ISO manual
C28   Formal KRA definition and communication of the same
C29   Information and Communication
ABC Private Limited
ICFR for the year ending 31st March, 2016
Entity Level Controls (ELC)

Sr No | Attribute | Principle | Process Activity | Risk | Control Ref No. | Control Description | Audit Step

1. Attribute: Control Environment
   Principle: Management establishes structure, authority and responsibility in pursuit of objectives
   Process Activity: Board Oversight
   Risk: Board does not clearly define authority to be exercised at Board level and authority delegated to other Directors
   Control Ref No.: C01
   Control Description: Board powers are clearly defined
   Audit Step: 1. Confirm the documentation of Board powers and delegation of authority done by the Board. 2. Verify Board minutes and meeting frequency. Verify attendance records to ensure participation and insights.

2. Attribute: Control Environment
   Principle: Board of Directors exercises oversight of the development and performance of internal controls
   Process Activity: Board Oversight
   Risk: Board does not acknowledge its responsibility towards oversight for establishing and performance of internal controls. Board does not formally delegate the responsibility for establishment of internal financial controls and for ensuring effective performance thereof.
   Control Ref No.: C02
   Control Description: 1. Board minutes include a statement acknowledging its responsibility for ICFR. 2. Board provides broad guidelines for internal controls and records formal delegation of authority for establishment of controls.
   Audit Step: 1. Verify that formal guidelines have been provided by the Board. 2. Verify that specific responsibility has been allocated for establishing internal financial controls.

3. Attribute: Control Environment
   Principle: Board of Directors exercises oversight of the development and performance of internal controls
   Process Activity: Board Oversight
   Risk: Board does not have a mechanism to review ICFR adequacy and performance
   Control Ref No.: C07, C08
   Control Description: Board of Directors review the performance of the company and adequacy of internal controls through regular interactions with the Finance Manager. Budgets are established on a yearly basis. Monthly reporting is done by the Finance Manager to the Group CFO who in turn reports to the BOD.
   Audit Step: 1. Verify Board meeting minutes where adequacy and effectiveness of internal controls have been reviewed. 2. Confirm that there are regular interactions between Board members and Finance Manager through CFO, and other key management personnel to assess quality of controls and review business performance. 3. Review budget variances, exceptional items to assess internal control gaps, if any.

4. Attribute: Control Environment
   Principle: Demonstrates commitment to integrity and ethical values
   Process Activity: Board Oversight
   Risk: Board of Directors does not set the right tone at the top to encourage ethics and integrity.
   Control Ref No.: C03
   Control Description: Policies are framed by the Board w.r.t. ethical conduct, anti-bribery and corruption, anti-fraud.
   Audit Step: 1. Verify minutes of Board meeting and Admin Manual/directions issued by the Board of Directors from time to time. 2. Review Appointment letter of an employee.

5. Attribute: Control Environment
   Principle: Holds individuals accountable for their internal control responsibilities
   Process Activity: Board Oversight
   Risk: Board of Directors does not set the right tone at the top to encourage institution of controls and systems and ensure accountability for lapse of controls
   Control Ref No.: C02
   Control Description: Directions are given by the Board to encourage process-driven conduct, automation and effective monitoring across the organization.
   Audit Step: Verify minutes of Board meeting and policies/directions issued by the Board of Directors from time to time.

6. Attribute: Control Environment
   Principle: Management establishes structure, authority and responsibility in pursuit of objectives
   Process Activity: Delegation of Authority
   Risk: Ambiguity in delegation of financial powers reduces the control over financial transactions and increases the risk of financial losses
   Control Ref No.: C01
   Control Description: 1. Financial powers in terms of signing/effecting banking transactions are with the Director. 2. Also, all the major contracts, agreements, Purchase Orders are signed/approved by the Directors. 3. All the major decisions are closely reviewed by the respective HODs at Group level before approval by the Director.
   Audit Step: Confirm that authorization/approvals of Directors are in place; review Board resolution to define powers of Director.

7. Attribute: Control Environment
   Principle: Demonstrates commitment to integrity and ethical values
   Process Activity: Ethics & Integrity
   Risk: Flawed performance incentive/compensation policy not in line with ethical tone and standards may increase the risk of compromise/non-compliance to ethical standards of conduct
   Control Ref No.: C03, C19
   Control Description: 1. Admin Manual gives a reference to ethical standards expected from employees. 2. Appointment Letter includes relevant clauses.
   Audit Step: 1. Verify Admin Manual to ensure all updations are included. 2. Verify Appointment Letter of employee.

8. Attribute: Control Environment
   Principle: Demonstrates commitment to integrity and ethical values
   Process Activity: Ethics & Integrity
   Risk: If management does not take timely and appropriate disciplinary action, it would encourage non-adherence to established policies and procedures
   Control Ref No.: C03
   Control Description: Management takes disciplinary action for violations/non-adherence, in a timely and appropriate manner.
   Audit Step: 1. Verify the mechanism for recording non-adherences/violations. 2. Verify the evidence of action being taken.

9. Attribute: Control Environment
   Principle: Demonstrates commitment to integrity and ethical values
   Process Activity: Ethics & Integrity
   Risk: Applicant screening procedures do not adequately consider integrity and ethical values
   Control Ref No.: C05, C09
   Control Description: 1. Adequate background verification is done for employees (Police Clearance, Experience letter, etc.). 2. Majority of office staff is hired through a placement agency which is selected by the management to ensure right person for the right job. 3. Declarations are obtained from employees for non-disclosure and code of conduct adherence as a part of joining formalities.
   Audit Step: (not specified in the specimen)

10. Attribute: Control Environment
    Principle: Demonstrates commitment to attract, retain and develop competent individuals
    Process Activity: Recruitment & Selection
    Risk: Lack of adequate talent or mismatches in requirements and skill sets may severely impact achievement of objectives
    Control Ref No.: C05, C06, C09
    Control Description: 1. A rigorous recruitment and selection process is adopted to ensure selection of right employees for the right job. 2. Majority of office staff is hired through a placement agency which is selected by the management.
    Audit Step: 1. Confirm the no. of exits and the principal underlying reason/s. 2. Confirm that key positions are not left vacant for a long time.

11. Attribute: Control Environment
    Principle: Demonstrates commitment to attract, retain and develop competent individuals
    Process Activity: Incentive
    Risk: In absence of a proper work environment the company may have to deal with high attrition levels
    Control Ref No.: C10, C12
    Control Description: 1. Promotions are based on a well-defined Performance Evaluation system. 2. Management ensures a very low attrition rate.
    Audit Step: 1. Review the appraisal process for appropriateness and confirm that there is due process for redressal of appraisal related grievances. 2. Review attrition rate and related analysis.

12. Attribute: Control Environment
    Principle: Board of Directors exercises oversight of the development and performance of internal controls
    Process Activity: Internal Audit
    Risk: A robust system of monitoring through periodic internal audits or control Self Assessments has not been established
    Control Ref No.: C07, C15
    Control Description: 1. Internal audits are done quarterly as per pre-defined scope which is approved by the management. 2. Board meetings discuss internal audit reports - key findings.
    Audit Step: 1. Verify Internal audit scope and reports. 2. Review Board Minutes.

13. Attribute: Control Environment
    Principle: Demonstrates commitment to attract, retain and develop competent individuals
    Process Activity: Training
    Risk: Inadequate attention to training may result in skill dilution, lack of awareness about policies and regulatory requirements and inability to discharge assigned responsibilities.
    Control Ref No.: C11
    Control Description: 1. Training for regulatory and process changes is imparted on a timely basis as per either client's requirement or regulatory requirement. 2. Training is identified and imparted as needed.
    Audit Step: Verify training process.

14. Attribute: Risk Assessment
    Principle: Specifies objectives with clarity to identify and assess the risks
    Process Activity: Risk Management Framework
    Risk: Absence of enterprise-wide risk assessment and absence of documented risk management policy
    Control Ref No.: C04
    Control Description: Formal risk management policy is presented to the Board and approved by the Board of Directors.
    Audit Step: Review the risk management policy adopted by the Company.

15. Attribute: Risk Assessment
    Principle: Identifies and analyzes significant changes that could impact internal controls
    Process Activity: Business Continuity Plan, Disaster Recovery Plan
    Risk: Absence of BCP/DRP may lead to business interruptions and may jeopardize business continuity
    Control Ref No.: C22, C23
    Control Description: 1. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are in place. 2. Data recovery plan is established and operational.
    Audit Step: 1. Review the BCP and DRP. 2. Review the data recovery plan.

16. Attribute: Risk Assessment
    Principle: Identifies and analyzes significant changes that could impact internal controls
    Process Activity: Financial reporting
    Risk: Regulatory changes impacting business, financial conduct or reporting requirements are not understood, analyzed or internalized.
    Control Ref No.: C17
    Control Description: 1. Regulatory changes are understood and assessed for their impact on business. 2. Compliance tracker is filled in at defined frequency and updated periodically for amendments.
    Audit Step: Verify formal assessment of key regulatory changes.

17. Attribute: Risk Assessment
    Principle: Identifies and analyzes significant changes that could impact internal controls
    Process Activity: Financial reporting
    Risk: Improper channels to communicate the changes in business practices to the accounting department may affect the method or the process of recording transactions in financial statements
    Control Ref No.: C24
    Control Description: Periodic departmental reviews are done wherein the Finance team is also present; the review covers discussions on changes in business practices affecting financial statements.
    Audit Step: Review modification in processes, if any, by the accounts team.

18. Attribute: Risk Assessment
    Principle: Identifies and analyzes significant changes that could impact internal controls
    Process Activity: Financial reporting
    Risk: Risk of regulatory non-compliance and financial misstatements if suitable accounting principles, policies or rules are not followed
    Control Ref No.: C13, C15, C25
    Control Description: 1. Management specifies financial reporting rules and standards which are consistent with accounting principles suitable and appropriate for the entity. 2. Reviews by/consultations with the Statutory Auditors as required by the regulation (annual review) or as considered necessary by the management, are done. 3. Internal audit coverage extends to compliance review and financial reporting review.
    Audit Step: 1. Verify financial statements with adequate disclosures. 2. Verify statutory auditor's report. 3. Verify internal audit reports.

19. Attribute: Risk Assessment
    Principle: Identifies and analyzes significant changes that could impact internal controls
    Process Activity: Financial reporting
    Risk: Non-identification of changes in accounting principles or financial reporting requirements may lead to non-compliance and the financial statements will not show true and fair figures or may not include disclosures as required.
    Control Ref No.: C13, C25
    Control Description: 1. Defined and documented Financial Statement Closure Process is in place. 2. Periodic updates are received from professional consultants.
    Audit Step: Review financial statements and all other relevant information.

20. Attribute: Risk Assessment
    Principle: Identifies risks to the achievement of objectives and analyzes risks to manage them
    Process Activity: Financial reporting
    Risk: Absence of an appropriate mechanism of related party transactions identification can lead to regulatory non-compliance and/or financial misstatements
    Control Ref No.: C20, C26
    Control Description: 1. Various compliances under different statutes in relation to transactions with related parties (transfer pricing related compliance and return filing) are verified. 2. Board approval is taken for related party transactions.
    Audit Step: Verify Board noting and approval of related party transactions.

21. Attribute: Risk Assessment
    Principle: Assesses fraud risk to the achievement of objectives
    Process Activity: IT Security
    Risk: Company infrastructure and IT systems being used for fraudulent activities, thereby affecting the reputation and increasing the legal risks attached
    Control Ref No.: C14
    Control Description: 1. Access is restricted to users who are either employees or authorized personnel. 2. Password and user id protected systems exist. 3. Deactivation of external storage devices on company PCs has been done. 4. Access to all public sites and domains is restricted.
    Audit Step: 1. Review list of user-ids with access rights. 2. Verify protocol for access to systems and policy highlighting security of user id and passwords.

22. Attribute: Risk Assessment
    Principle: Identifies risks to the achievement of objectives and analyzes risks to manage them
    Process Activity: Training
    Risk: Changes in the procedure manual of a particular department without the knowledge of its employees lead to dilution of the impact of the changes implemented
    Control Ref No.: C27
    Control Description: Periodic review of process manual is done and updates are communicated to all employees concerned.
    Audit Step: 1. Verify that the manuals are periodically reviewed. 2. Verify evidence of communication of changes to employees.

23. Attribute: Control Activities
    Principle: Selects and develops control activities to mitigate risks
    Process Activity: Evaluation
    Risk: Risk of recurrence of issues if not evaluated and policies/procedures not modified accordingly
    Control Ref No.: C15
    Control Description: Periodic internal audit is done by an external agency and changes made on the basis of agreed actions.
    Audit Step: Verify internal audit reports available, and record of resolution of agreed actions.

24. Attribute: Control Activities
    Principle: Selects and develops control activities to mitigate risks
    Process Activity: Financial reporting
    Risk: Risk of financial loss and/or financial misstatement in the absence of an established mechanism for physical verification of assets
    Control Ref No.: C16, C20
    Control Description: 1. Physical verification of fixed assets, cash is done. 2. Third party and bank balance confirmation statements are taken. 3. Board discusses findings of physical verification of assets/discrepancy resolution.
    Audit Step: 1. Verify fixed asset verification report and check for periodicity (CARO, 2015). 2. Verify third party confirmations. 3. Verify records showing full particulars - quantitative details and situation of fixed assets (CARO, 2015). 4. Verify Board meeting minutes.

25. Attribute: Control Activities
    Principle: Deploys control activities through policies and procedures
    Process Activity: Payments and reimbursements
    Risk: Absence of policies will lead to reimbursement/allowance of non-agreed expenses to the employees or reimbursement of expenses over and above the set limit to the employees.
    Control Ref No.: C03
    Control Description: All financial policies relating to employees are in place along with defined levels of approval.
    Audit Step: Verify remuneration structure for financial policies relating to employees.

26. Attribute: Information & Communication
    Principle: Communicates externally regarding matters affecting internal controls
    Process Activity: External Communication
    Risk: May result in reputational/financial/reporting risk due to erroneous communications to external parties/external reporting
    Control Ref No.: C03
    Control Description: 1. Clear identification of persons authorized to communicate with external parties on relevant company matters. 2. A formal social media policy is in place.
    Audit Step: Verify the Admin Manual for communicating with external parties.

27. Attribute: Information & Communication
    Principle: Communicates externally regarding matters affecting internal controls
    Process Activity: External Communication
    Risk: In the absence of clear communication channels for external parties, employee/management malpractices may not come to light, and there may be a reputation risk with respect to third parties
    Control Ref No.: C03, C18
    Control Description: There are properly identified communication channels (email ids) for third parties under the grievance mechanism and the sexual harassment policy.
    Audit Step: Review grievance mechanism and sexual harassment policy.

28. Attribute: Information & Communication
    Principle: Communicates internally information including objectives and responsibilities of internal control
    Process Activity: Internal Communication
    Risk: Absence of clear communication on performance measures may lead to ambiguities and increase in attrition levels
    Control Ref No.: C28
    Control Description: Clear communication of the Key Result Areas in the evaluation process.
    Audit Step: Verify the communication for the KRAs.

29. Attribute: Information & Communication
    Principle: Communicates internally information including objectives and responsibilities of internal control
    Process Activity: Management Oversight
    Risk: Risk events, exceptional and unusual events remain unreported to the management and hence the risk management framework is not duly enhanced.
    Control Ref No.: C07, C08, C29
    Control Description: 1. Formal communication process established for escalating disruption to operations, occurrence of risk events and any material exceptional event. 2. Periodic MIS/dashboards, highlighting all exceptions. 3. Board meeting, management review meeting discuss unusual events.
    Audit Step: 1. Verify periodic MIS on sample basis. 2. Verify management and Board meeting minutes.

30. Attribute: Monitoring
    Principle: Evaluates and communicates deficiencies, to enable corrective actions being taken
    Process Activity: Financial reporting
    Risk: Inadequate process for obtaining third party confirmations to validate financial figures and to detect financial frauds.
    Control Ref No.: C16
    Control Description: 1. Third party confirmations obtained from banks, debtors, related parties. 2. Web based review done to assess tax status, TDS status, regulatory compliance related numbers.
    Audit Step: Verify confirmations obtained from counter parties and Government websites (such as Income Tax) for reconciling statutory figures and other balances.

31. Attribute: Monitoring
    Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
    Process Activity: Financial reporting
    Risk: Absence of review of the financials by management
    Control Ref No.: C07, C08
    Control Description: Monthly MIS consisting of financial statements and other operations, reconciliations prepared by the Finance Manager are reviewed and analyzed by the Group CFO.
    Audit Step: Verify financial reports, periodic MIS and reconciliations.

32. Attribute: Monitoring
    Principle: Evaluates and communicates deficiencies, to enable corrective actions being taken
    Process Activity: Grievance and dispute resolution mechanism
    Risk: Inappropriate grievance processes may lead to delay in detection of frauds, misreporting of financial figures, need for provisioning due to disputes
    Control Ref No.: C03
    Control Description: Employee grievance policy (to resolve complaints and grievances) forms part of the Admin Manual.
    Audit Step: Verify policy to resolve complaints and grievances, as stated in the Admin Manual.

33. Attribute: Monitoring
    Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
    Process Activity: Management Oversight
    Risk: Process gaps, errors and misstatements may not be identified by the management, which may also lead to fraud or non-compliance due to absence of a well-established risk and internal audit review system
    Control Ref No.: C03, C07, C15
    Control Description: 1. Internal audit function reports to the Board of Directors and highlights deficiencies observed. 2. Policies and processes are introduced and revised from time to time to plug identified gaps and control lapses.
    Audit Step: 1. Verify Internal Audit reports. 2. Verify meeting minutes. 3. Verify sample policies and process notes.

34. Attribute: Monitoring
    Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
    Process Activity: Management Oversight
    Risk: Absence of communication of deficiencies and monitoring of corrective action may lead to un-remediated deficiencies and resultant control gaps w.r.t. ICFR
    Control Ref No.: C21
    Control Description: Formal roll out of ICFR policy and testing process for control design and effectiveness.
    Audit Step: 1. Check ICFR framework and documented RCMs. 2. Check the process adopted for testing control design and operational effectiveness.

Note:
The above work-sheet can be enhanced with columns such as department, details with respect to
controls (whether key or non-key, whether control exists – yes or no, type of control – manual or
automated, nature of control – preventive, detective or both preventive and detective, control
frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and
when), document/evidence, deficiencies, remedial plan, reference to document and remarks.

77
4.2 IT General Controls – Specimen (refer paragraph 2.5.6)

ABC Private Limited


ICFR for the year ending 31st March, 2016
RCM - IT General Controls

LIST OF CONTROL GROUPS


Control Ref Control Group/ Attribute
ITGC 01 Comprehensive IT Policy
ITGC 02 Access Rights Restrictions
ITGC 03 User account management - User id and password security
ITGC 04 Data management - back up and restoration of data and system
ITGC 05 Connectivity management - LAN, internet, firewall, anti-virus,
ITGC 06 Sign-off of stakeholders/management for changes made to key applications
relevant to financial reporting
ITGC 07 Restriction to share data
ITGC 08 Controls or authorization for acquisition / development of new system / migration /
subsequent changes
ITGC 09 Incident handling – In-house IT Personnel
ITGC 10 Approval/periodic review of user access rights
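
The ITGC 03 rows of the specimen RCM that follows (rows 4 and 6 to 9) state concrete parameters: pre-expired initial passwords, 30-day expiry, at least 7 mixed characters, lockout after 5 wrong attempts within 30 minutes, and automatic lock on inactivity. As an added illustration, not part of the handbook, the script below turns those rows into two auditor tests: a comparison of an application's exported password settings against the rows, and a replay of an authentication log to confirm that the lockout actually operated. The policy keys, user ids and log format are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds stated in the specimen RCM rows for ITGC 03 (rows 6 to 8).
MIN_LENGTH = 7
MAX_PASSWORD_AGE_DAYS = 30
LOCKOUT_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(minutes=30)


def password_meets_policy(password):
    """Row 7: at least 7 characters mixing letters, digits and special characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def policy_gaps(policy):
    """Compare an application's exported password settings with rows 4 and 6 to 9.
    The dictionary keys are constructed for this example, not a real product's."""
    gaps = []
    if not policy.get("force_change_on_first_login", False):
        gaps.append("row 4: pre-expired initial password not enforced")
    if not 0 < policy.get("max_age_days", 0) <= MAX_PASSWORD_AGE_DAYS:
        gaps.append("row 6: password expiry longer than 30 days or disabled")
    if policy.get("min_length", 0) < MIN_LENGTH:
        gaps.append("row 7: minimum length below 7 characters")
    if not policy.get("require_alnum_and_special", False):
        gaps.append("row 7: letters, digits and special characters not required")
    if not 0 < policy.get("lockout_threshold", 0) <= LOCKOUT_ATTEMPTS:
        gaps.append("row 8: lockout after 5 wrong attempts not configured")
    if policy.get("lockout_window_minutes", 0) < 30:
        gaps.append("row 8: failed attempts are forgotten in less than 30 minutes")
    if policy.get("idle_timeout_minutes", 0) <= 0:
        gaps.append("row 9: automatic lock on inactivity disabled")
    return gaps


# Constructed sample export of an accounting application's settings.
SAMPLE_POLICY = {
    "force_change_on_first_login": True, "max_age_days": 90, "min_length": 6,
    "require_alnum_and_special": True, "lockout_threshold": 5,
    "lockout_window_minutes": 30, "idle_timeout_minutes": 15,
}

# Constructed authentication log, one event per line:
# "<date> <time> <user id> <FAIL|OK|LOCKED>" (LOCKED = the application locked the id).
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (FAIL|OK|LOCKED)$")
AUTH_LOG = """\
2016-03-14 09:00:05 rpatel FAIL
2016-03-14 09:01:10 rpatel FAIL
2016-03-14 09:02:30 rpatel FAIL
2016-03-14 09:03:00 rpatel FAIL
2016-03-14 09:04:15 rpatel FAIL
2016-03-14 09:04:16 rpatel LOCKED
2016-03-14 10:00:00 skumar FAIL
2016-03-14 10:05:00 skumar FAIL
2016-03-14 10:10:00 skumar FAIL
2016-03-14 10:15:00 skumar FAIL
2016-03-14 10:20:00 skumar FAIL
2016-03-14 10:21:00 skumar OK
2016-03-14 11:00:00 amehta FAIL
2016-03-14 11:00:30 amehta FAIL
2016-03-14 11:40:00 amehta FAIL
2016-03-14 11:41:00 amehta FAIL
2016-03-14 11:42:00 amehta FAIL
2016-03-14 11:43:00 amehta OK
""".splitlines()


def lockout_violations(lines):
    """Row 8: replay the log and report user ids that reached 5 failures within
    30 minutes but were not locked before their next authentication event."""
    recent = defaultdict(deque)  # user id -> failure timestamps inside the window
    due_for_lock = set()         # user ids whose next event must be LOCKED
    violations = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue             # skip lines outside the constructed format
        stamp, user, result = match.groups()
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if user in due_for_lock:
            due_for_lock.discard(user)
            recent[user].clear()
            if result == "LOCKED":
                continue         # the control operated as described in row 8
            violations.append((user, when.isoformat()))
        if result == "FAIL":
            window = recent[user]
            window.append(when)
            while when - window[0] > LOCKOUT_WINDOW:
                window.popleft()  # failures older than 30 minutes no longer count
            if len(window) >= LOCKOUT_ATTEMPTS:
                due_for_lock.add(user)
        else:
            recent[user].clear()  # OK or LOCKED starts a fresh window
    return violations
```

In the constructed log, rpatel is locked as required, amehta never accumulates 5 failures inside one 30-minute window, and skumar logs in successfully after 5 consecutive failures, which is the exception an auditor would raise.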

78
ABC Private Limited
ICFR for the year ending 31st March, 2016
IT General Controls (ITGC)

Sr. No. | Attribute | Activity Description | Identification of Risk of Material Misstatement ("What Could Go Wrong") — Risk Description | Control Ref Number | Control That Addresses Risk of Material Misstatement — Control Name

1. Attribute: Risk Assessment
   Activity Description: IT Policy
   Risk Description: Intended IT related processes not followed due to absence of defined comprehensive IT policy document
   Control Ref Number: ITGC 01
   Control: A defined comprehensive IT policy document to provide various guidelines to work in the IT environment is in place.

2. Attribute: Control Environment
   Activity Description: Access Rights
   Risk Description: Editable access of Financial System (Accounting Software) provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.)
   Control Ref Number: ITGC 02
   Control: View-only access of Accounting Software provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) who are not required to modify the financial transactions.

3. Attribute: Control Environment
   Activity Description: Closing of Accounting period/year in the Accounting Software
   Risk Description: Erroneous/intentional posting of Accounting entry in the earlier closed period/year
   Control Ref Number: ITGC 02
   Control: Closing of previous period/year to restrict back-dating of transactions.

4. Attribute: Control Environment
   Activity Description: Selects and develops general controls over technology
   Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
   Control Ref Number: ITGC 03
   Control:
   1. For CMS System - all new users are given a pre-expired password and the system prompts the user to set a new password at the time of first login.
   2. For Tally - all new users are given a pre-expired password and the system prompts the user to set a new password at the time of first login.

5. Attribute: Control Environment
   Activity Description: Selects and develops general controls over technology
   Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
   Control Ref Number: ITGC 02
   Control:
   1. For CMS - Users' access rights are granted by IT only upon specific approval by the concerned functional head.
   2. For Tally - Users' access rights are granted by IT only upon specific approval by the concerned functional head.

6. Attribute: Control Environment
   Activity Description: Selects and develops general controls over technology
   Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
   Control Ref Number: ITGC 03
   Control: System prompts the user to change the password after the expiration of 30 days.

7. Attribute: Control Environment
   Activity Description: Selects and develops general controls over technology
   Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
   Control Ref Number: ITGC 03
   Control: Password must contain at least 7 characters, alpha numeric (alphabets, numbers and special characters).
8. Attribute: Control Environment
   Activity Description: Selects and develops general controls over technology
   Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
   Control Ref Number: ITGC 03
   Control: If the password is wrongly entered continuously 5 times within 30 minutes, the respective login id gets locked.

9. Attribute: Control Environment
   Activity Description: Selects and develops general controls over technology
   Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
   Control Ref Number: ITGC 03
   Control: If a user is not accessing the system for more than the specified time, the system gets automatically locked.

10. Attribute: Control Environment
    Activity Description: Identifies and analyses significant changes that could impact internal controls
    Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
    Control Ref Number: ITGC 10
    Control: There exists a periodic review of the user profiles for systems access, to confirm appropriateness.

11. Attribute: Information & Communication
    Activity Description: Selects and develops general controls over technology
    Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
    Control Ref Number: ITGC 03
    Control: Requests for creation of new user ids are received by the IT Executive on a standardized form, duly signed by the respective HOD.

12. Attribute: Information & Communication
    Activity Description: Selects and develops control activities to mitigate risks
    Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
    Control Ref Number: ITGC 03
    Control:
    1. User termination or resignation is informed to the IT Executive through email by HR.
    2. User account is disabled immediately after receiving the email request. Before processing this request, IT archives the mail box of the user.
    3. Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system.

13. Attribute: Control Environment
    Activity Description: Selects and develops general controls over technology
    Risk Description: Absence of regular back-up, which may lead to loss of crucial data
    Control Ref Number: ITGC 04
    Control:
    1. Regular back-up strategy defined for server and auto-back up is taken at defined frequency.
    2. Retrieval is tested at reasonable frequency.

14. Attribute: Control Environment
    Activity Description: Selects and develops general controls over technology
    Risk Description: Absence of regular back-up, which may lead to loss of crucial data
    Control Ref Number: ITGC 04
    Control: Off-site storage of back-up to tackle any unforeseen event at the office premises.
15. Attribute: Control Environment
    Activity Description: Identifies risks to the achievement of objectives and analyses risks to manage them
    Risk Description: Servers and end users' PCs are infected with virus
    Control Ref Number: ITGC 05
    Control:
    1. Desktops: All the user desktops are installed with anti virus scanner, which scans the new files on an ongoing basis.
    2. Servers: All servers are installed with anti virus scanner.
    3. Gateway: Mail server is managed and all the Emails are scanned by threat management gateway.
    4. The anti virus gets automatically updated with the latest version through the process of auto updates.

16. Attribute: Control Environment
    Activity Description: Assesses fraud risk to the achievement of objectives
    Risk Description: Unauthorized access to the IT systems, applications and data by external parties
    Control Ref Number: ITGC 05
    Control:
    1. Firewalls have been installed.
    2. The logs are regularly reviewed by the IT Executive.

17. Attribute: Control Environment
    Activity Description: Selects and develops control activities to mitigate risks
    Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
    Control Ref Number: ITGC 06
    Control: Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel.

18. Attribute: Control Environment
    Activity Description: Selects and develops control activities to mitigate risks
    Risk Description: Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting.
    Control Ref Number: ITGC 06
    Control: Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with the Finance Manager and after approval of the BOD.

19. Attribute: Control Environment
    Activity Description: Identifies and analyses significant changes that could impact internal controls
    Risk Description: Errors in changes made to key applications relevant to financial reporting.
    Control Ref Number: ITGC 06
    Control: Specific changes are made to key applications relevant to financial reporting only after sign off from the relevant stakeholders.

20. Attribute: Control Environment
    Activity Description: Selects and develops general controls over technology
    Risk Description: Problems and incidents are not effectively managed.
    Control Ref Number: ITGC 09
    Control: In-house IT personnel resolve issues faced by users as required.

21. Attribute: Control Environment
    Activity Description: Selects and develops general controls over technology
    Risk Description: Intentional sharing of crucial and confidential data of the company by staff to outsiders (e.g. competitors)
    Control Ref Number: ITGC 07
    Control:
    1. Deactivation of external storage devices on company PCs.
    2. Restricting access to all public sites and domains.

Note:
The above work-sheet can be enhanced with columns such as department, details with respect to controls (whether key or non-key, whether control exists – yes or no, type of control – manual or automated, nature of control – preventive, detective or both preventive and detective, control frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and when), document/evidence, deficiencies, remedial plan, reference to document and remarks.
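As an added illustration, not part of the handbook or of any company's system: a Python model of the ITGC 03 access controls in rows 4, 6, 7 and 8 above (pre-expired initial password, 30-day expiry, 7-character alphanumeric-plus-special complexity, lockout after 5 wrong attempts within 30 minutes), walked through a constructed scenario of the kind an auditor's test of the control would exercise. The login ids, passwords and timestamps are constructed, and the salted SHA-256 storage is this example's choice, not something the matrix specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_PASSWORD_LENGTH = 7                 # row 7
PASSWORD_MAX_AGE = timedelta(days=30)   # row 6
MAX_FAILED_ATTEMPTS = 5                 # row 8
FAILURE_WINDOW = timedelta(minutes=30)  # row 8


def password_meets_policy(password: str) -> bool:
    """Row 7: at least 7 characters, with alphabets, numbers and special characters."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return len(password) >= MIN_PASSWORD_LENGTH and has_alpha and has_digit and has_special


def _digest(salt: str, password: str) -> str:
    # Salted SHA-256 keeps plaintext out of the model; a real system would use a slow KDF.
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    salt: str
    digest: str
    password_set_at: Optional[datetime]  # None = pre-expired, must be changed at first login
    failed_attempts: List[datetime] = field(default_factory=list)
    locked: bool = False


class AccessControl:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def create_user(self, login_id: str, initial_password: str) -> None:
        """Row 4: every new user id starts with a pre-expired password."""
        salt = secrets.token_hex(8)
        self.accounts[login_id] = Account(salt, _digest(salt, initial_password), None)

    def authenticate(self, login_id: str, password: str, now: datetime) -> str:
        acct = self.accounts[login_id]
        if acct.locked:
            return "LOCKED"
        if not hmac.compare_digest(acct.digest, _digest(acct.salt, password)):
            # Row 8: count only failures inside the last 30 minutes; the 5th locks the id.
            acct.failed_attempts = [t for t in acct.failed_attempts if now - t < FAILURE_WINDOW]
            acct.failed_attempts.append(now)
            if len(acct.failed_attempts) >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "LOCKED"
            return "BAD_PASSWORD"
        acct.failed_attempts.clear()
        if acct.password_set_at is None:
            return "MUST_CHANGE_PASSWORD"  # first login on the pre-expired password
        if now - acct.password_set_at >= PASSWORD_MAX_AGE:
            return "PASSWORD_EXPIRED"  # row 6: change forced after 30 days
        return "OK"

    def set_password(self, login_id: str, current: str, new_password: str, now: datetime) -> bool:
        acct = self.accounts[login_id]
        ok = not acct.locked and hmac.compare_digest(acct.digest, _digest(acct.salt, current))
        if not ok or not password_meets_policy(new_password):
            return False
        acct.digest = _digest(acct.salt, new_password)
        acct.password_set_at = now
        acct.failed_attempts.clear()
        return True


def demo() -> dict:
    """Constructed scenario exercising each control; returns the outcomes for review."""
    ac, t0, r = AccessControl(), datetime(2016, 4, 1, 9, 0), {}
    ac.create_user("tally01", "Welcome@1")
    r["first_login"] = ac.authenticate("tally01", "Welcome@1", t0)
    r["weak_rejected"] = ac.set_password("tally01", "Welcome@1", "abc1234", t0)
    r["strong_accepted"] = ac.set_password("tally01", "Welcome@1", "Abc!2345", t0)
    r["login_ok"] = ac.authenticate("tally01", "Abc!2345", t0 + timedelta(minutes=1))
    r["expired"] = ac.authenticate("tally01", "Abc!2345", t0 + timedelta(days=30))
    for m in range(2, 7):  # five wrong passwords within 30 minutes
        r["fifth_failure"] = ac.authenticate("tally01", "wrong", t0 + timedelta(minutes=m))
    r["locked_even_if_correct"] = ac.authenticate("tally01", "Abc!2345", t0 + timedelta(minutes=7))
    ac.create_user("cms02", "Welcome@2")
    ac.set_password("cms02", "Welcome@2", "Xyz#9876", t0)
    for m in (0, 1, 2, 3, 31):  # fifth failure falls outside the 30-minute window
        r["spread_failures"] = ac.authenticate("cms02", "wrong", t0 + timedelta(minutes=m))
    return r
```

The second user shows the part of row 8 that is easy to get wrong in a test of the control: five failures only lock the id when all five fall inside the same 30-minute window.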

4.3 Specimen - Financial Statement Closure Policy and sample checklists (refer paragraph 2.7.3)

ABC Pvt. Ltd.

Financial Statements Closure Policy (FSCP)

1. OBJECTIVES:

This policy is prepared to achieve the following broad objectives:

- Provide guidance for the financial closure process leading to preparation of financial statements.
- Ensure adherence to applicable laws, regulations and disclosure requirements relevant to the financial reporting.
- Ensure completion of the financial closure efficiently and in a timely manner.
- Ensure adherence to the approval matrix laid out for the closure process.
- Retain and protect related documents, evidences and approval trails.

2. SCOPE:

This policy covers the following:

- Financial reporting framework applicable to the entity.
- IT application (system), if any, used for financial closure.
- Checklist to be used to ensure completeness of financial statements.
- Approval matrix related to financial closure activities.
- Document Management Policy, including retention policy for documents related to financial closure.
3. STAGES OF FINANCIAL CLOSURE:

Columns: # | Particulars | Review Responsibility | Approval/Authorization | Suggested Timeline

1. Financial Reporting Framework
   Review Responsibility: Senior Person of A & F Dept
   Approval/Authorization: CFO or equivalent position
   Suggested Timeline: By end December/January
   - The financial closure process shall be carried out in adherence to the following:
     - The Companies Act, 2013 and allied Rules
     - Applicable accounting standards
     - Pronouncements of the ICAI applicable to preparation of financial statements and financial reporting
   - Adequate care shall be taken to incorporate the effects of modifications to existing regulations and pronouncements.
   - Any new pronouncements impacting the financial accounting, closure process or reporting requirements will be reviewed internally, approved as per Authority matrix and incorporated in the appropriate checklist, SOP or templates.
   - Knowledge update provided by the statutory auditors or other accounting/law firms from time to time may be reviewed and, where appropriate, considered for updating the respective checklist.
   - The CFO is required to hold a formal meeting with the statutory auditors to confirm that all additional reporting requirements for the financial year have been duly identified by the company – if there has been a miss out, the same may be incorporated after review.

2. System Environment
   Review Responsibility: Senior Person of A & F Dept.
   Approval/Authorization: CFO or equivalent position
   Suggested Timeline: By end December/January
   - List all the systems from which data will flow into financial statements either directly or indirectly.
   - Proposed changes/enhancements to the IT applications which have a bearing on the financial closure process or the financial statements need to be pre-approved by the Finance Department as per authority matrix.
   - For any changes in the financial reporting requirements, Finance Department to review if the required information is available from the IT system and, if not, initiate a request for configuring the IT system to ensure the availability of the requisite information.

3. Pre-planning for Closure & Closure Activity for Operational Areas
   Review Responsibility: As per Checklist
   Approval/Authorization: As per Checklist
   Suggested Timeline: For Pre-planning, by end December/January; for Closure, at year end date and subsequent month
   Activity wise pre-planning checklist to be prepared as per Company's defined SOPs, Policies and Business Requirements. A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – I.

4. Process for Preparation of Financial Statements
   Review Responsibility: As per Checklist
   Approval/Authorization: As per Checklist
   Suggested Timeline: As per defined timeline by the management for finalizing audited Financials
   A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – II.

5. Process for Disclosure requirements
   Review Responsibility: As per Checklist
   Approval/Authorization: As per Checklist
   Suggested Timeline: As per defined timeline by the management for finalizing audited Financials
   A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – III.

6. Approval Matrix for closure process
   Review Responsibility: Senior Person of A & F Dept.
   Approval/Authorization: CFO or equivalent position
   Suggested Timeline: Approval Matrix to be defined as part of SOP of A & F dept. or at the beginning of the year
   The closure process will follow the approval matrix defined as per the SOP of Accounts & Finance department. If it is not defined, then define the same for maker-checker control at various stages and documentation trail.

7. Retention of Documents
   Review Responsibility: Senior Person of A & F Dept.
   Approval/Authorization: CFO or equivalent position
   Suggested Timeline: N.A.
   - All documents related to the financial closure process shall be retained in a safe manner.
   - Clear naming protocols will be followed to ensure version control on financial statement drafts.
   - Soft copies of the financial statements need to be stored in a folder, access rights to which have been approved by the Chief Financial Officer.
   - Documents to be retained at least until the time required to comply with related regulations.

8. Post Closure Process
   Review Responsibility: Senior Person of A & F Dept.
   Approval/Authorization: CFO or equivalent position
   Suggested Timeline: Within 15 days of completion of Annual Accounts closure
   - Take printout of Final Trial balance.
   - Keep printed copies of audited Financial Statements.
   - Close the books of account for the Financial Year.
   - Block the IT system for amendment in that financial year.
   - Review opening balance in the subsequent period with audited financial statement.

Annexure – I
ABC Pvt. Ltd.
Sample and Specimen Checklist for Activity wise Pre-planning & Closure

Columns: # | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status
(The Process Owner, Reviewer, Proposed Start Date, Proposed End Date and Status columns are blank in the specimen.)

1. Cash
   - Circular to be sent to various branches to send cash expenses statement with closing balance as on Year end
   - Co-ordination with the statutory auditors if they want to conduct year end physical verification of cash; conduct physical verification on the last working day of the Financial year
   - Document the Physical verification papers with sign of maker and checker

2. Bank
   - Bank Reconciliation statements to be called from all branches for all bank accounts
   - BRS to be prepared for all the HO Accounts as per the BRS process defined by the company
   - Un-reconciled items in BRS to be investigated and necessary adjustments to be carried out with proper approvals
   - Cheques pending to be deposited to be presented to bank for clearance
   - Online transfers from customers, kept in suspense / unexplained accounts, to be knocked off from customer balances
   - Print out of Final Copies of BRS to be taken and signed by the maker and checker
   - Balance confirmations to be called from banks to assert bank balances

3. Inventory
   - Circular to be sent to branches to inform them to carry out year end stock verifications
   - Factory / Warehouse / Operations of any other inventory holding location to be suspended during the period of verification, if required
   - Necessary co-ordinations to be made with Internal / Statutory auditors in case they are to attend inventory verification
   - Year-end transactions for sales and purchases to be meticulously recorded keeping in mind cut off procedures affecting inventory position
   - Plan for Inventory verification to be decided basis certain methods suitable for Company's inventory such as:
     1. ABC analysis
     2. Analysis based on fast / slow moving items
     3. Critical and non-critical items
     4. Form of inventory i.e. size, weight, state of matter etc.
   - Confirmations to be called from third party holding company's inventory (on consignment basis, for job work purposes etc.)
   - Value of inventory as per books to be compared with actual value
   - Adjustments, if required, to be made to inventory value with proper approvals

4. Fixed Assets / Capitalization
   - FA register to be updated, finalized
   - FA register to be compared with books of account
   - Scrutinize the major repairs account to find out if any item of capital nature has been debited
   - Capitalisation of expenses to the point of installation such as transportation, octroi, testing charges, training for operation of FA
   - Review CWIP Account to review completion stage and capitalization if required
   - Physical verification of Fixed Assets with proper internal controls such as verification by independent verifier, maker checker control on verification process, reporting of discrepancy, if any, and appropriate accounting of the same
   - Review of sale / scrap of assets, profits / loss on disposal of Assets
   - Depreciation workings based on applicable accounting standards

5. Investment
   - Accounting of accrued income based on year end investment
   - Accounting of gains / losses on sale of investments
   - Validation of investment balance with counter party statements
   - Physical verification of investment instruments to ensure ownership of the same
   - Revaluation of investments as per applicable accounting standards

6. Income Booking
   - Circular to be sent to various branches / depots from where sales are effected to send information / data for dispatches made till cut-off date
   - Ensure invoice booking for materials where ownership has been transferred to customers
   - Ensure invoice booking / billing for services where provision of service is completed as per defined terms and conditions
   - Accounting of pending Debit and credit notes (rejections / sales returns / disputed provision of services)

7. Expense Booking
   - Circular to be sent to various branches / depots calling for all relevant details of expenses incurred within defined timeline after year end
   - Advances paid for expenses to employees to be settled against reimbursable expenses
   - Provision of expenses based on nature of expense, i.e. time based or otherwise, backed by actual supporting documents to be accounted
   - Provision of expenses basis estimation - Company policy for estimation to be reviewed and adhered to
   - Review accounting of prepaid expenses
   - Review provisions / prepaid expenses of previous periods / years for their existence and continuity

8. Debtors / Receivables
   - Debtors balances to be knocked off against money received but accounted in suspense / unexplained accounts
   - Initiate communication for debtors confirmation
   - Prepare reconciliation of differences in debtors balances and post adjustments with appropriate approvals
   - Scrutinize debtors accounts and follow up with the sales / marketing team for status of long standing debtors
   - Provide for doubtful debts / disputed debtors in consultation with marketing / legal dept. / Management

9. Creditors / Payables
   - Initiate communication for creditors confirmation
   - Prepare reconciliation of differences in creditors balances and post adjustments with appropriate approvals
   - Scrutinize advance to creditors accounts and follow up with the procurement team for status of long standing advances
   - Write back creditors balances which are not payable in consultation with procurement / legal dept. / Management

10. Related Party Reconciliation
    - Obtaining account confirmation from all the related parties
    - Prepare reconciliation of differences in balances and post adjustments with appropriate approvals

Annexure – II
ABC Pvt. Ltd.
Sample and Specimen Checklist for Preparation of Financial Statements

Columns: # | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status
(The Process Owner, Reviewer, Proposed Start Date, Proposed End Date and Status columns are blank in the specimen.)

1. Opening balances validation
   - Validation of opening balances at the time of audit of subsequent year with closing balances of previous year

2. General Ledger Scrutiny
   - Allocate responsibility within the accounts team to scrutinize specific accounts
   - All accounts with non-moving balances, intermediary accounts, suspense accounts to be scrutinized thoroughly to ensure genuineness of transactions recorded in these accounts
   - Based on this scrutiny pass appropriate entries with approval of senior personnel in the accounts team, ideally the CFO

3. Review of accounts related to statutory compliance
   - Allocate responsibility within the accounts team to scrutinize specific accounts
   - Reconcile company's data with the data available on the website of respective regulator (such as 26 AS reconciliation)
   - Review all the assessment orders, refund / demand orders issued by various regulatory authorities during the year
   - Compare all statutory returns filed with the books of account
   - Record all the necessary entries required based on above scrutiny

4. Independent Review
   - Get independent review done by professional retainer, if any, engaged by the company

5. IT Systems blocking
   - Blocking of various IT Systems for data entry of transactions posting by respective employees for basic transaction posting such as cash, bank, petty cash, purchase, sales etc.
   - Rights to pass entries to be granted to only a few personnel in the accounts department

6. Provision for Gratuity & Employee benefits
   - Provide necessary data / information after validation to the appointed actuary
   - Actuarial valuation report to be referred for estimations provided by the auditee
   - Workings for provisions to be computed and validated by senior personnel
   - Provisions for employee benefit to be recorded with appropriate approvals

7. Inventory Valuation
   - Inventory verification reports to be referred to ascertain inventory figures
   - Inventory as ascertained to be valued adopting suitable methodology and adhering to applicable accounting standards and company policy
   - Necessary adjustment entries to reflect appropriate value of inventory to be recorded with due approvals

8. Revaluation of Assets & Liabilities in Foreign Currency
   - Ascertain the balances of foreign assets and liabilities
   - Depending on the class of asset / liability and guidelines laid down in applicable accounting standards, appropriate foreign exchange rate to be selected
   - The selected rate(s) to be validated by senior authority and applied to closing balance of such class(es) of assets / liabilities
   - Appropriate effect of revaluation to be recorded in books of account

9. Year-end adjustment of Exchange rate difference for trade payables and receivables
   - Refer to closing balance of debtors / creditors
   - Revalue debtors and creditors basis closing exchange rate

10. Income Tax working
    - Based on profits / losses as computed, prepare Income Tax working
    - Co-ordinate with tax consultant for validation of the same
    - Incorporate changes suggested by consultant
    - Record necessary provision for income tax

11. Deferred Tax Assets / Liabilities working
    - Prepare working for deferred tax assets / liabilities
    - Co-ordinate with tax consultant and Statutory Auditors for validation of the same
    - Incorporate changes suggested by consultant
    - Record necessary entries for deferred tax assets / liabilities

12. Preparation of Financial Statements as per prescribed formats
    - Extract trial balance from accounting system
    - Save the same with date and time in soft copy
    - Prepare appropriate groupings
    - Validate all the excel formulas and linkages if financials are prepared in excel
    - As per prescribed format classify respective assets and liabilities as current, non-current, short term, long term
    - Take print out of financials prepared and revalidate again with base trial balance for accuracy
    - Provide audit trail of revalidation on hard copy of financials

13. Co-ordination with statutory auditors and get the audit done
    - Arrange for Stat audit, prepare information as per their prescribed format
    - During Stat audit liaison with their team for smooth conduct of audit
    - Formal meetings for discussion of queries / clarifications
    - Passing of rectification JVs, if required, in system

14. Prepare revised Financial Statements
    - Repeat process given in step 12
    - Maintain version control and modification trail

15. Grouping and regrouping of previous year's figures
    - Detailed review of previous year's grouping with current grouping and make necessary changes in the grouping of previous year

16. Freeze the numbers after review of Statutory Auditors
    - Get the revised financials validated from Statutory Auditors

17. Present the Provisional Financial statements to Management / Audit committee
    - To facilitate management to take certain decisions about managerial remuneration, proposed dividend

18. Calculate Managerial remuneration if it is on % basis of profit / surplus
    - Prepare workings for managerial remuneration as per applicable rules and regulations and company policy

19. Prepare Proposed dividend working
    - Proposed dividend working to be prepared based on the dividend proposed by Board of Directors
    - Workings to be validated by senior personnel
    - Entries to record proposed dividend to be passed in books of account

20. Make necessary changes in the Financial Statements
    - Necessary changes to be validated by Statutory Auditors

Annexure – III
ABC Pvt. Ltd.
Sample and Specimen Checklist for Disclosure & Notes to Accounts

Columns: # | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status
(The Process Owner, Reviewer, Proposed Start Date, Proposed End Date and Status columns are blank in the specimen.)

1. Review of Notes to Accounts of Previous year and evaluate it for necessary changes
   - Take notes to account of previous year as a base
   - If there are any changes in the accounting policies adopted by the company during the year, incorporate the same in notes to account
   - If there are any regulatory changes which require change in company policy, incorporate the same in Notes to account

2. Prepare Disclosures
   - As per disclosure checklist provided by Stat auditors, prepare disclosures
   - Validate all the numbers given in the disclosures with the financial statements
   - Also ensure disclosure for contingent liability after consultation with various operational dept. HODs and HOD of legal dept.

3. Get it reviewed by Statutory Auditors
   - Notes to accounts and disclosures to be sent to Statutory Auditors for review and validation

4. Revise Notes to Accounts & Disclosures after review by Statutory auditors
   - As per suggestion by Statutory Auditors, revise notes to accounts and disclosures

5. Review entire set of Financial statements & disclosures all together
   - Take print out of entire set of Financial statements, notes to account and disclosures
   - Revalidate again with base trial balance for accuracy
   - Provide audit trail of revalidation on hard copy of financials

6. Arrange for Signatures
   - Arrange for signature on the Financial Statements by the appropriate authority of the Company
   - Arrange for signature on the Financial Statements by the Statutory Auditors

5. Glossary of abbreviations used:

Sr. No. | Abbreviation | Full Form
1. BoD Board of Directors
2. BCP/ DRP Business Continuity Plan/ Disaster Recovery Plan
3. CARO Companies (Auditor’s Report) Order
4. CD Compact Disc
5. CEO/CFO Chief Executive Officer / Chief Financial Officer
6. CSA Control Self-Assessment
7. DoA Delegation of Authority
8. ECG Electrocardiogram
9. ELC Entity Level Controls
10. FSCP Financial Statement Closure Policy
11. GRN Goods Received Note
12. ICAI Institute of Chartered Accountants of India
13. ICFR Internal Controls over Financial Reporting
14. IFC Internal Financial Controls
15. ISO International Organization for Standardization
16. IT Information Technology
17. ITGC Information Technology General Controls
18. KYC Know Your Customer
19. MIS Management Information Systems
20. PCAOB Public Company Accounting Oversight Board
21. PLC Process Level Controls
22. PO Purchase Order
23. RCM Risk Control Matrix
24. RoMM Risk of Material Misstatements
25. SA Standard on Auditing
26. SME Small and Medium-sized Enterprises
27. SOP Standard Operating Procedures

6. Useful links and recommended reading:

1. Guidance Note on Audit of Internal Financial Control Over Financial Reporting by the Institute of Chartered Accountants of India
   http://icai.org/new_post.html?post_id=11919&c_id=219

2. Guide to Internal Control Over Financial Reporting published by Center for Audit Quality
   http://www.thecaq.org/reports-and-publications/guidetoicfr

3. A Layperson's Guide to Internal Control Over Financial Reporting by the Public Company Accounting Oversight Board
   https://pcaobus.org/News/Speech/Pages/03312006_GillanCouncilInstitutionalInvestors.aspx

4. BCAJ May 2016 issue – From Published Accounts
   http://bcajonline.org/artcile.aspx?Id=16405&Cid=52

5. Lecture Meeting on 28th June, 2016 at The Chamber of Tax Consultants on "Internal Financial Control - Way Forward for Private Companies and Their Auditor"
   http://www.ctconline.org/index.php/downloads1/corporate
