March 2016
Contents
Current Status
Way Forward
2016 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Sec. 177
Sec. 143
Sch. IV
Implications for Non Compliance: <INR 25 Lacs on Company; <INR 5 Lacs on Officers; <3 years imprisonment
Companies Act 2013 casts responsibility to ensure existence and operating effectiveness of Internal Financial Controls for various stakeholders
Ensure adequacy and operating effectiveness of IFC
Evaluation of internal financial controls
Directors
To comment on adequacy and operating effectiveness of IFC
Auditors
Internal Financial Control
Audit Committee
Satisfy themselves on the robustness of internal financial controls framework
Independent Directors
1
2
Safeguarding of assets
Phase I: Plan and Scope evaluation
Phase II: Document the IFC framework
Phase III: Evaluate Design and Controls
Phase IV: Identify and Correct Deficiencies
Current Status
Activity
Identify the business processes to be covered during the IFC documentation
Document Process flows/narratives for in-scope processes for pilot locations
Develop Risk Control Matrices covering Entity Level Controls, Process Level Controls
Report deficiencies and provide suggestion on remediation measures
Remediation of gaps by process owners
Status
Completed
In progress
Planned
Current Status
Milestone
Status
Completed
Completed
Completed
Completed
Completed*
Completed*
Completed
Management Reporting
Closure meeting with Management and Statutory Auditors
Initiated
To be initiated
TOE
Total Controls
Automated/Semi Automated Controls
Pass
Fail
43
37
Capex
23
10
21
21
Admin
14
13
13
Scheduling
Royalty
Process
Digital
Pass
Fail
Not applicable
Secretarial
10
10
10
98
45
98
98
Legal
12
12
10
Sponsorship
12
11
11
Human Resource
22
20
20
Marketing
18
11
11
IT General Control
18
13
13
Creative Services
Station*
HR & Payroll
Admin
Programming
Activation
Ad Sales
Total
15
15
15
13
12
12
12
346
300
29
261
ELC
Remediation
Post conduct of HR Internal Audit, it was agreed by management that HR policies will be reviewed once in every 2 years.
SC.05
SC.06
HR.04
HR.21
MM.14
MM.17
Timelines
Sept 2016
Type
Operational
ELC
Operational
June 2016
Operational
Sept 2016
Operational
Operational
ICOFR
Summary of key control improvement areas Design exists but not adhered
Documentation Level
Control no.
Process
FA.8
Fixed Assets
Remediation
Timelines
Type
Process
SC.03
SP.01
AC.01
MM.01
Remediation
All the TOs for Radio business are routed through SEAM (SM). After the TO gets approved by station finance, an email gets triggered and goes to the scheduler whose email id is mapped in SM. On creating the contract in Airwaves, the scheduler updates the SM TO # in the AW contract. In case the TO cannot be generated in SM for some reason, a manual TO is given to the scheduler for booking (with approvals). Such TOs are later passed on to the scheduler, who tags the same in AW. MIS on the missing TOs is circulated by the scheduling team to all concerned that gives status of the TOs which have not been booked into SM
Timelines
Type
Operational
Operational
Operational
Process
Remediation
Timelines
Type
Operational
Operational
Operational
Process
Remediation
Legal
Timelines
Type
Operational
Remediation
The IT plan for every year is at an operational level, and a broad strategic plan, though it exists, is not formally concluded and documented. We will start that process from this financial year
Timelines
Type
Operational
ELC
ELC1.5
1. A documented SOD matrix does not exist for SAP.
2. Segregation of duties is not maintained between IT support and functional access. It was noted that IT team members have complete functional access. E.g. Aashish Mankad has following rights like
   Create Internal Order
   Purchase Manager Role 01
   Purchase Manager Role 04
   Primary Buyer Material / Service
3. It was noted that some users have conflicting roles assigned. E.g.
   a. A C Srinivasan has conflicting roles of Collection Creator - Processor and Journal Creator - Approval for TIML and ABSL.
   b. Anant Sawant has conflicting roles for Collection Creator - Processor for ABSL and ENIL.
   c. Arijit Ghosh has conflicting roles Journal Creator - Approval for TIML and ABSL.
   d. Ganapathy Iyer has conflicting roles of Collection Creator - Processor and Journal Creator - Approval for TIML, ABSL and ENIL.
Remediation
1. Will review the policy document and update the same accordingly during the first quarter of 2016-17
2. Access allowed to Aashish Mankad, Rajeshwari Bhattacharyya for all functional transactions in order to facilitate troubleshooting. However, we could have an audit trail of all transactions executed using these ids requested for by Finance team / finance controller on monthly / random audit to make sure that there are no unauthorized transactions happening through these ids
3. Finance Management Response:
   a. A S Srinivasan is handling tax compliance & assessments for TIML & ABSL. Since ABSL does not have any employees separately doing accounting, he has been assigned these rights. But, for payment, there is clear maker / checker consent followed where any payment is approved by two independent approvers before processing.
Timelines
1. Policy document review and updation by first quarter 2016-17
2. Will be initiated by 31st March 2016
3. Part of point 1 above
Type
Operational
ELC
* Refer Abbreviations
Abbreviations
**ICOFR: Internal control over financial reporting
Remediation
b. Anant Sawant is given selective right of creator for ABSL & ENIL due to requirement of AR / AP, advances processing / refund from creditors etc. For payment, there is clear maker / checker consent followed where any payment is approved by two independent approvers before processing.
c. Since ABSL and TIML do not have any employees separately doing accounting, Arijit has been assigned these rights to do the accounting. But, for payment, there is clear maker / checker consent followed where any payment is approved by two independent approvers before processing.
d. Ganapathy is part of financial accounting & reporting team & hence carries rights to create & post collection entries and JV. This is required mainly in case any rectification entries need to be posted which are identified at the time of financial review. Ganapathy reports to Financial controller who in turn reviews all the workings & JVs. Further, there is period JV analysis which is done on periodic basis. Same is also shared with IT team.
e. Janardan was part of CPU team before moving to station finance role. This should have been deactivated at the time of movement. We have already asked IT team to make necessary changes in his role.
Timelines
Type
Part of point 1 above
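An added example, not part of the original report: a minimal check that evaluates a role extract against an SoD matrix of the kind finding 1 says is missing for SAP, covering the conflicting-role pairs in finding 3 and the IT support versus functional access overlap in finding 2. The user ids, the `IT Support` role name, the tuple format and the per-company evaluation of role pairs are assumptions of this example.

```python
from collections import defaultdict

# SoD matrix: pairs of roles one user must not hold in the same company.
# Role names follow the findings above; treating each pair as two separate
# roles is an assumption of this example.
SOD_MATRIX = {
    frozenset({"Collection Creator", "Collection Processor"}),
    frozenset({"Journal Creator", "Journal Approval"}),
}
# Assumption: every role outside this set is a functional (business) role.
IT_ROLES = {"IT Support"}

def find_violations(assignments):
    """assignments: iterable of (user, company, role) tuples.
    Returns a sorted list of (user, company, finding) tuples."""
    by_user_company = defaultdict(set)
    by_user = defaultdict(set)
    for user, company, role in assignments:
        by_user_company[(user, company)].add(role)
        by_user[user].add(role)

    findings = []
    # Conflicting role pairs, evaluated per user per company.
    for (user, company), roles in by_user_company.items():
        for pair in SOD_MATRIX:
            if pair <= roles:
                findings.append((user, company, " + ".join(sorted(pair))))
    # IT support staff holding any functional role, in any company.
    for user, roles in by_user.items():
        functional = roles - IT_ROLES
        if roles & IT_ROLES and functional:
            detail = "IT Support + functional: " + ", ".join(sorted(functional))
            findings.append((user, "*", detail))
    return sorted(findings)

# Constructed sample extract; user ids are placeholders, not real accounts.
SAMPLE = [
    ("U1001", "TIML", "Collection Creator"),
    ("U1001", "TIML", "Collection Processor"),
    ("U1001", "ABSL", "Journal Creator"),
    ("U1001", "ABSL", "Journal Approval"),
    ("U1002", "ABSL", "Collection Creator"),    # creator in one company,
    ("U1002", "ENIL", "Collection Processor"),  # processor in another: no hit
    ("U1003", "ENIL", "IT Support"),
    ("U1003", "ENIL", "Purchase Manager Role 01"),
    ("U1004", "TIML", "Journal Creator"),
]

if __name__ == "__main__":
    for user, company, finding in find_violations(SAMPLE):
        print(f"{user:6} {company:5} {finding}")
```

Running the same check on each periodic role extract also surfaces roles left behind after a transfer, the situation described in response e.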
* Refer Abbreviations
Remediation
ELC1.6
Operational
Operational
ELC1.7
CO1.6
Timelines
Type
Operational
* Refer Abbreviations
Remediation
Timelines
Type
Operational
APD1.3
5. It was noted that system does not have the functionality to log the activities of the users accessing the RCS application.
6. For SAP user creation, the access should be granted only after the process owner has approved it. However it was noted that access to SAP ID:15203262 and Consultant - Jayesh Dicholkar was given before the approval.
According to user access management policy (namely User Access Policy) for RCS the minimum password standards are:
1. At least eight characters.
2. Contain a mix of alpha and numeric.
However, it was noted that there are no password parameters such as minimum length, alphanumeric in place.
Remediation
5. Yes this is a known limitation and we are aware of it. The next version has that in its design. The point has already been discussed with software developers. There is a debug log being written but that's computer specific and more meant for technical troubleshooting.
6. The policy requires process owner's approval for role assignment. In this case, since royalty payment process would have been hindered, the IT team took a practical view and went ahead with the immediate reporting boss of the Employee for role assignment. However there was a follow-up for the approval of the process owner in the interim 3 days
The RCS access is limited to only the RCS studio network at each market. Considering that this is limited to the studio network and the users are limited with limited functionality to RJs, this is not a big risk. As regards implementing the password policy on RCS, the software does not mandate the password requirement and hence we are unable to ensure the recommended password strength.
Timelines
Type
Operational
* Refer Abbreviations
Abbreviations