RSM India - The New Axis of Corporate Governance
1. The New Axis of Corporate Governance
- Changes Introduced by the New Companies Act
2. RSM Astute Consulting Group
Indian member of RSM International
Personnel strength of over 1,000
Consistently ranked amongst India's top 6 Accounting and Consulting groups
(Source : International Accounting Bulletin - 2010, 2011 & 2012)
Nationwide presence
RSM International
Annual combined fee income of US$ 4 billion
718 offices across 111 countries
Personnel strength of over 35,000
International delivery capabilities
www.astuteconsulting.com
What is this New Axis of Corporate Governance? Is it applicable to me and what are the actions required?

The new Companies Act, 2013 has introduced far reaching changes from April 1, 2014 onwards to enhance the transparency in financial reporting, which have resulted in greater and unprecedented accountability on the part of the Board of Directors, Audit Committee, Independent Auditors and Management (including CEOs/CFOs/CCOs/Company Secretaries). In this booklet, we have endeavoured to discuss the changes introduced in the new Companies Act, 2013 and revised Clause 49 of the SEBI Listing Agreement:
- Internal Audit
- Internal Financial Controls Framework
- Enterprise Risk Management
- Fraud Risk Management
- Legal Compliance Framework
Internal Audit

The Companies Act, 2013 has given statutory recognition to the function of Internal Audit by making internal audit mandatory for certain classes of companies, as follows:

Applicability & Effective Date

Section 138(1) of the Companies Act, 2013: “Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company.”

Section 138(2): “The Central Government may, by rules, prescribe the manner and the intervals in which the internal audit shall be conducted and reported to the Board.”

Rule 13 of the Companies (Accounts) Rules, 2014: as per Rule 13(1), companies fulfilling the criteria are required to appoint an internal auditor or a firm of internal auditors.

Applicability:
- Listed company: Yes
- Unlisted public company: all public companies with
  - paid-up share capital of Rs. 50 crores or more during the preceding financial year; or
  - turnover of Rs. 200 crores or more during the preceding financial year; or
  - outstanding loans or borrowings from banks or public financial institutions of Rs. 100 crores or more at any point of time during the preceding financial year; or
  - outstanding deposits of Rs. 25 crores or more at any point of time during the preceding financial year.
- Private company: all private companies with
  - turnover of Rs. 200 crores or more during the preceding financial year; or
  - outstanding loans or borrowings from banks or public financial institutions of Rs. 100 crores or more at any point of time during the preceding financial year.

Effective date: 1st April, 2014 for listed companies; 30th September, 2014 for all other companies meeting the criteria, which need to comply with the provisions of the Companies Act, 2013 and related rules.
Implementation of Internal Financial Control Framework, ERM, Fraud Risk Management and Legal Compliance Framework:

The new Companies Act, 2013 and Revised Clause 49 of the SEBI Listing Agreement cast responsibility on the Board of Directors and Audit Committee for implementation and monitoring of the following frameworks with effect from 1st April, 2014 (in certain cases from 1st October, 2014 or 1st April, 2015).

Internal Financial Controls (IFC)
- Policies and procedures to ensure efficient conduct of business:
  - Safeguarding of assets
  - Prevention and detection of frauds and errors
  - Accuracy and completeness of accounting records
  - Timely preparation of reliable financial information

Enterprise Risk Management System (ERM)
- Approving and monitoring the ERM
- ERM includes:
  - Identification of significant risk exposures
  - Assessing the impact of significant risk exposures
  - Action plan for risk mitigation
  - Monitoring progress

Fraud Risk Management (FRM)
- Preventing and detecting frauds
- FRM includes:
  - Creating control environment
  - Conduct of fraud risk assessment
  - Establishing prevention techniques to avoid key risk
  - Promoting tools for reporting suspicious activities
  - Response to fraud allegation

Legal Compliance Framework (LCF)
- Devised proper systems to ensure compliance to applicable laws
- LCF includes:
  - Identification of all applicable laws and their requirements
  - Development of system to ensure compliance
  - Ensuring training and awareness among employees
  - Monitoring compliance status
Key Actions Required

We have listed the Key Actions required for each of the areas listed above with the timelines in this publication. We have also summarized the outline of contents for the above Frameworks, the revised COSO framework and related latest developments. This will assist you in timely and effective implementation of the new requirements as well as in benefiting from the improved governance. Happy reading!
Section I: Preface

1. The Business Imperative and Focus on Corporate Governance

We are living in a highly complex and uncertain business world. There is a growing inter-dependence between economies due to globalization and increase in cross border activities, as evident from recent instances of the Eurozone crisis, political uncertainty in the Gulf region and US quantitative easing. The technological revolution and emergence of the digital world has added new dimensions to this complexity with developments such as on-line sales, mobile applications, ERPs and cloud computing. The regulations and intolerant attitude of the regulators have heightened the need for compliance to the fullest extent, which is evident from instances of recent penalties imposed on banks by US regulators and transfer pricing/tax disputes in India.

The risk of fraud has increased manifold with growing aspirations, cyber-crimes and volatility of business. In the last decade, the world has witnessed high level corporate and financial frauds at companies such as Enron, Tyco and WorldCom which shook investors’ and stakeholders’ confidence. The expectations of investors, lenders and other stakeholders in terms of governance have reached unprecedented levels. This necessitated strong legislation to improve financial disclosures from corporations, prevent accounting frauds, and regulate financial practices and corporate governance.

Figure (diagram labels): Global Uncertainty; Business Complexity; Growth; Employee Aspirations (Frauds); Information Security; Intense Competition; Highly Regulated Environment; Technological Advancement; Increased Volatility.
2. Background of Corporate Governance in India

In the past few years, India too has witnessed some high profile corporate frauds such as Reebok India, National Spot Exchange Limited, Lilliput Kidswear, Satyam, Subhiksha, etc. The SEBI Listing Agreement introduced Clause 49 in 2005, which requires the CEO and CFO of every listed company to certify on the effectiveness of the systems of Internal Controls.

The new Companies Act, 2013 has been introduced, which replaces the old Act of 1956. The new Act has introduced provisions to enhance the transparency in financial reporting, which have resulted in greater and unprecedented accountability on the part of the Board of Directors, Audit Committee, Independent Auditors and Management (including CEOs/CFOs).

In this booklet, we have endeavoured to discuss the changes introduced in the new Companies Act, 2013 and revised Clause 49 of the SEBI Listing Agreement:
- Internal Audit
- Internal Financial Controls Framework
- Enterprise Risk Management
- Fraud Risk Management
- Legal Compliance Framework
The Audit Committee & Board’s responsibility introduced by the Act, in brief, has been depicted below:

Board of Directors & Audit Committee (diagram labels):
- Formalise Internal Audit Function
- Monitoring
- Strong Focus on Internal Finance Controls
- Fraud Risk Assessment & Mitigation
- Effective Legal Compliance Framework
- Strengthen ERM processes
Section II: Executive Summary

Mandatory Internal Audit:

The new Companies Act, 2013 has given statutory recognition to the function of Internal Audit by making Internal Audit mandatory for certain classes of companies. The eligibility criteria for the internal auditor have also been defined.

Responsibility on Board of Directors and Audit Committee:

The new Companies Act, 2013 and Revised Clause 49 of the SEBI Listing Agreement cast responsibility on the Board of Directors and Audit Committee for implementation and monitoring of the following frameworks:

Internal Financial Controls (IFC)
- Policies and procedures to ensure efficient conduct of business:
  - Safeguarding of assets
  - Prevention and detection of frauds and errors
  - Accuracy and completeness of accounting records
  - Timely preparation of reliable financial information

Enterprise Risk Management System (ERM)
- Approving and monitoring the ERM
- ERM includes:
  - Identification of significant risk exposures
  - Assessing the impact of significant risk exposures
  - Action plan for risk mitigation
  - Monitoring progress

Fraud Risk Management (FRM)
- Preventing and detecting frauds
- FRM includes:
  - Creating control environment
  - Conduct of fraud risk assessment
  - Establishing prevention techniques to avoid key risk
  - Promoting tools for reporting suspicious activities
  - Response to fraud allegation

Legal Compliance Framework (LCF)
- Devised proper systems to ensure compliance to applicable laws
- LCF includes:
  - Identification of all applicable laws and their requirements
  - Development of system to ensure compliance
  - Ensuring training and awareness among employees

Other Important Regulatory Aspects:

Serious Fraud Investigation Office:

The Companies Act, 2013 accords statutory status to the Serious Fraud Investigation Office (SFIO). SFIO has been set up under section 211 of the New Act.

Establishment of Vigil Mechanism:

Every listed company or such class or classes of companies, as may be prescribed, are also required to establish a vigil mechanism for directors and employees to report genuine concerns in such manner as may be prescribed. The details of establishment of such mechanism shall be disclosed by the company on its website, if any, and in the Board’s report. The vigil mechanism should also provide for adequate safeguards against victimisation of persons who use such mechanism and make provision for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases.

Introduction of penal provisions for wrongdoings:

The New Act has specifically provided stringent punishment with respect to fraud. Under section 447 of the new Companies Act, 2013, any person who is found to be guilty of fraud shall be punishable with imprisonment for a term which shall not be less than six months but which may extend to ten years, and shall also be liable to a fine which shall not be less than the amount involved in the fraud but which may extend to three times the amount involved in the fraud.

Class Action suits:

Apart from the penal provisions, the New Act has introduced the concept of Class Action, wherein a specified number of shareholders and depositors can take legal action against the company by filing an application with the National Company Law Tribunal if the affairs or certain acts of the company are in a manner prejudicial to the interest of the company or its members or depositors.

The members or the depositors can seek damages or demand suitable action against a director, auditor, expert, advisor or consultant of the company. The section on Class Action Suits is not yet notified.
Internal Audit’s Role:

While the role and responsibility of internal audit may vary in scope and authority between organizations, there is a clear trend that internal audit is taking on a more strategic and central role. With these changes, the increased interaction between the evolving internal audit function and its major stakeholders is an important area for organizations to focus on and develop. For many organizations, executive management will request more advisory involvement of internal audit, including performing reality checks on key management decisions.

It has become increasingly clear that IFC, ERM and FRM activities are by nature interconnected and rely on common information, methodology, processes and technology. By establishing a universal, integrated approach to legal, compliance, risk, audit and control processes, organizations can better leverage information, gain operational efficiency and provide greater transparency into overall business risks.
Expectation of various stakeholders from Internal Audit (diagram labels):

Operating Management and Process Owners:
- Must support business objectives
- Be a Business Partner
- Cost Control and Cost Efficiency
- Participate in Risk Management
- Process Improvement
- Ensuring Knowledge management

Board of Directors and Audit Committee:
- Assurance on Risk Management
- Existence & Effectiveness of Internal Control Framework
- Provide a plan to address key governance issues
- Reporting Statutory Compliances
- Mechanism for business process improvement
- Focus on preventive actions rather than problems
- Accurate, timely & open communication

External Auditors and Regulator:
- Assurance on Internal Control Framework existence and efficiency
- SEBI Regulations, Companies Act, other regulations
- Coverage of material audit functions / areas affecting financial statements
New Axis - Internal Audit’s Role:

The Act places a stronger emphasis than before on the role of the Board and the Audit Committee on the new axis of corporate governance.

The following actions are required by either the Chief Internal Audit Executive or the outsourced firm carrying out Internal Audit for the Company:
- Position the Internal Audit function as a business function
- Usage of Technology for continuous and integrated auditing
- Leverage Data Analytics for fraud detection
- Focus on Risk Assessment and Regulatory Landscape
- Investment in cross-function and domain experts
- Aligning to requirements of different stakeholders
- Benchmarking industry / business practices
- Promoting quality improvements and innovations
Chapter 1: Internal Audit

1. Regulatory Aspects

The Companies Act, 2013 has given statutory recognition to the function of Internal Audit by making internal audit mandatory for certain classes of companies. The relevant provisions are reproduced below:

Section 138(1) of the Companies Act, 2013: “Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company.”

Section 138(2): “The Central Government may, by rules, prescribe the manner and the intervals in which the internal audit shall be conducted and reported to the Board.”

Rule 13 of the Companies (Accounts) Rules, 2014: as per Rule 13(1), companies fulfilling the criteria are required to appoint an internal auditor or a firm of internal auditors.

Applicability:
- Listed company: Yes
- Unlisted public company: all public companies with
  - paid-up share capital of Rs. 50 crores or more during the preceding financial year; or
  - turnover of Rs. 200 crores or more during the preceding financial year; or
  - outstanding loans or borrowings from banks or public financial institutions of Rs. 100 crores or more at any point of time during the preceding financial year; or
  - outstanding deposits of Rs. 25 crores or more at any point of time during the preceding financial year.
- Private company: all private companies with
  - turnover of Rs. 200 crores or more during the preceding financial year; or
  - outstanding loans or borrowings from banks or public financial institutions of Rs. 100 crores or more at any point of time during the preceding financial year.

Effective date: 1st April, 2014 for listed companies; 30th September, 2014 for all other companies meeting the criteria, which need to comply with the provisions of the Companies Act, 2013 and related rules.

Further, Section 138 of the Companies Act, 2013 provides that the internal auditor shall either be a Chartered Accountant or a Cost Accountant, or such other professional as may be decided by the Board. The explanation to Rule 13 of the Companies (Accounts) Rules, 2014 provides for the eligibility of the internal auditor, which states as below:

“For the purposes of this rule –
(i) the internal auditor may or may not be an employee of the company;
(ii) the term “Chartered Accountant” shall mean a Chartered Accountant whether engaged in practice or not”

The scope or function of the Internal Auditor has not been defined in the Companies Act, 2013 or in the Companies (Accounts) Rules. However, Rule 13(2) of the Companies (Accounts) Rules provides as below:

“The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity and methodology for conducting the internal audit”

Moreover, section 144 of the Companies Act, 2013 provides that the Statutory Auditor of the Company shall not render the services of Internal Auditor to the Company.
A cornerstone of strong governance, internal auditing bridges the gap between management and the board, assesses the ethical climate and the effectiveness and efficiency of operations, and serves as an organization’s safety net for compliance with rules, regulations and overall best business practices (adopted from the Institute of Internal Auditors).

2. The Business Aspects

Figure (diagram labels): Safeguards Assets; Process Improvement Opportunities; Benchmark against Best Practices; Aid in Decision Making; Detection of Frauds and Errors; Effective Corporate Governance; Value Addition; Compliance; Risk Management.

The Board of Directors and Senior Management have responsibilities for risk management, establishing the internal control system and compliance framework, etc. Internal audit as an independent function evaluates the adequacy and effectiveness of governance, risk management and controls and provides feedback to the Board and Senior Management, which helps them fulfil their duties to the organisation and its stakeholders.

Internal Audit is an important tool since it reviews and reports whether the Company has carried out the compliances required under various statutes, which can minimize the impact of penal consequences and reputational risk.

Internal audit is also an important component of a company’s risk management, as it helps companies identify issues before they become substantial problems. Internal Auditors work within businesses and organisations to monitor and evaluate how well risks are being managed, the business is being governed and internal processes are working.
Moreover, the Internal Audit function is independent of the operations and reports to the apex authority of the Company, i.e. the Board of Directors, either directly or through the Audit Committee. The element of independence helps the Internal Auditor to provide an unbiased and objective view of the Company’s operations.

3. Meaning of Internal Audit

Internal audit is not defined in the Companies Act, 2013; however, it is defined as under in the preface to the Standards on Internal Audit issued by ICAI:

“Internal Audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control systems.”

Internal Audit is also defined by the Institute of Internal Auditors (USA) as under:

“Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process”

This definition has been adopted by the Institute of Internal Auditors (India), which is affiliated to the US Institute.
The Internal Audit process is explained in the following diagrams:

1. Audit Planning

Understanding:
- Business, industry and environment of the Company
- Needs and expectations of the senior management, Audit Committee and Board of Directors
- Audit objectives
- Policies and procedures of the Company
- Risk profile

Preparing:
- The annual audit plan
- The scope covering key aspects such as processes, locations, audit universe, sampling basis and periodicity
- The right team profile and work allocation

2. Audit Execution
- Mapping of major processes and operations
- Evaluation of risks and design gaps in the operational controls for the processes and operations
- Testing of effectiveness of controls – compliance testing, substantive testing, analytical review and data analysis, walk-through etc.
- Verifying adherence to Statutory Compliances
- Assistance of Domain and Functional Experts
- Usage of CAAT tools

3. Audit Reporting
- Executive summary of the salient audit observations reported in respect of areas covered in the audit, for the senior management
- Detailed report along with exhibits, for the operating management
- Presentation to the Audit Committee
- Follow-up reports and status of implementation of action plans

4. Quality Assurance
- Supervision of the internal audit team conducting the work
- Monitoring of audit assignments and review of reports by Managers and Partners
- Ongoing industry and legislation training of the audit team
- Quality Assurance Reviews
Meaning of Governance

The role of internal audit as noted in the definitions above includes responsibility to evaluate and improve governance processes.

The term “governance” has a range of definitions depending on a variety of environmental, structural, and cultural circumstances, as well as legal frameworks. The Glossary to the International Standards for the Professional Practice of Internal Auditing (Standards) defines governance as: “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”

Globally, there are a variety of governance models that have been published by other organisations and legal and regulatory bodies. For example, the Organisation for Economic Co-operation and Development (OECD) defines governance as: “...a set of relationships between a company’s management, its board, its shareholders, and other stakeholders. Corporate governance provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined.”

Governance is not defined in the Companies Act, 2013.

Meaning of Risk

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (as defined by the Institute of Internal Auditors, USA).

Meaning of Internal Control

“Internal financial controls” is defined in the Companies Act, 2013 as under:

The term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records and the timely preparation of reliable financial information.
Internal Audit Role – Governance, Risk and Control

Governance does not exist as a set of distinct and separate processes and structures. Rather, there are relationships among governance, risk management and internal controls.

Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance. Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.

Internal auditors provide the Board, Audit Committee and senior management with assurance based on the highest level of independence and objectivity within the organisation. An audit should address those controls in governance processes that are designed to prevent or detect events that could have a negative impact on the achievement of organisational strategies, goals, and objectives; operational efficiency and effectiveness; financial reporting; or compliance with applicable laws and regulations. Controls within governance processes are often significant in managing multiple risks across the organisation.

Standards on Internal Audit

The Internal Audit Standards Board of the Institute of Chartered Accountants of India has, till date, issued 18 Standards on Internal Audit (SIAs). The list is given below. The SIAs aim to codify the best practices in the area of internal audit and also serve to provide a benchmark of the performance of internal audit services.

- SIA 1 - Planning an Internal Audit
- SIA 2 - Basic Principles Governing Internal Audit
- SIA 3 - Documentation
- SIA 4 - Reporting
- SIA 5 - Sampling
- SIA 6 - Analytical Procedures
- SIA 7 - Quality Assurance in Internal Audit
- SIA 8 - Terms of Internal Audit Engagement
- SIA 9 - Communication with Management
- SIA 10 - Internal Audit Evidence
- SIA 11 - Consideration of Fraud in an Internal Audit
- SIA 12 - Internal Control Evaluation
- SIA 13 - Enterprise Risk Management
- SIA 14 - Internal Audit in an Information Technology Environment
- SIA 15 - Knowledge of the Entity and its Environment
- SIA 16 - Using the Work of an Expert
- SIA 17 - Consideration of Laws and Regulations in an Internal Audit
- SIA 18 - Related Parties

Role - As defined by ICAI in Internal Audit Standards

The role and responsibility of the Internal Auditor is explained in various SIAs as stated above. The extracts from SIAs related to the internal auditor’s role for Internal Financial Controls, Enterprise Risk Management, Fraud Risk Management and Legal Compliance framework are reproduced below, explaining Internal Audit’s role in each section.

SIA 12 - Internal Control system (the role of the Internal Auditor is described in relation to evaluation of the internal control system):

The internal auditor should examine the continued effectiveness of the internal control system through evaluation and make recommendations, if any, for improving that effectiveness. The internal auditor should focus towards improving the internal control structure and promoting better corporate governance.

The role of the internal auditor encompasses:
- Evaluation of the efficiency and effectiveness of controls.
- Recommending new controls where needed – or discontinuing unnecessary controls.
- Developing control self-assessment.

The internal auditor’s evaluation of internal control involves:
- Determining the significance and the sensitivity of the risk for which controls are being assessed;
- Assessing the susceptibility to misuse of resources, failure to attain objectives regarding ethics, economy, efficiency and effectiveness, or failure to fulfil accountability obligations and non-compliance with laws and regulations;
- Identifying and understanding the design and operation of relevant controls;
- Determining the degree of control effectiveness through testing of controls;
- Assessing the adequacy of the control design; and
- Reporting on the internal control evaluation and discussing the necessary corrective actions.

The broad areas of review by the internal auditor in evaluating the internal control system, inter alia, are:
- Mission, vision, ethical and organizational value-system of the entity. Personnel allocation, appraisal system and development policies.
- Accounting and financial reporting policies and compliance with applicable legal and regulatory standards.
- Objective of measurement and key performance indicators.
- Documentation standards.
- Risk management structure.
- Operational framework.
- Processes and procedures followed.
- Degree of management supervision.
- Information systems, communication channels.
- Business Continuity and Disaster Recovery Procedures.
- Using control frameworks.

SIA 13 - Enterprise Risk Management:

The internal auditor is to provide assurance to management on the effectiveness of risk management. The scope of the internal auditor’s work in assessing the effectiveness of the enterprise risk management would, normally, include:
- assessing the risk maturity level both at the entity level as well as the auditable unit level;
- assessing the adequacy of and compliance with the risk management policy and framework; and
- for the risks covered by the internal audit plan:
  - assessing the efficiency and effectiveness of the risk response;
  - assessing whether the score of the residual risk is within the risk appetite.

SIA 11 - Fraud prevention and detection:

The primary responsibility for prevention and detection of frauds is that of the management of the entity. The internal auditor should, however, help the management fulfil its responsibilities relating to fraud prevention and detection.

SIA 17 - Legal Compliance framework:

The objectives of the internal auditor are:
a) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements;
b) To perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a significant impact on the functioning of the entity; and
c) To respond appropriately to non-compliance or suspected non-compliance with laws and regulations identified during the internal audit.

4. The New Axis (What has changed?)

The requirement of internal audit was not expressly provided under the Companies Act, 1956. The Companies (Auditor’s Report) Order, 2003 required the statutory auditor to report the following in Clause 4(viii):

“in the case of listed companies and/or other companies having a paid-up capital and reserves exceeding Rs.50 lakhs as at the commencement of the financial year concerned, or having an average annual turnover exceeding five crore rupees for a period of three consecutive financial years immediately preceding the financial year concerned, whether the company has an internal audit system commensurate with its size and nature of its business.”

Now, the new Companies Act has an express provision recognising the legal requirement of internal audit. The eligibility criteria for the internal auditor have also been defined. Please refer to the Regulatory Aspects section above.
5. Role of Information Technology (IT) in Internal Audit
IT Audit as a pre-requisite to Internal Audit
Businesses today are driven by IT systems in terms of Enterprise Resource Planning (ERP) or legacy IT applications running on diverse technology platforms. For a meaningful internal audit in an IT dominated environment, it becomes imperative to review IT controls.
The IT Audit should review IT policies, design controls and IT organizational structures, including third party service providers, to ascertain their performance, roles, responsibilities and accountability. The IT Audit also needs to cover review of IT infrastructure to test its robustness and ability to prevent / detect possibilities of system compromises. As most of the applications involve on-line transaction processing, it becomes necessary to check application controls covering input, output and data processing controls. Enhanced IT Audits can go to the extent of auditing the programs, source codes, scripts and configurations.
Transactions processed through technology systems need special attention from the Internal Audit perspective. These include tests to ensure that the transactions are processed completely, follow the business rules and that the integrity of the data is maintained.
Concurrent Audit of Information Technology (IT) Systems
Since IT systems typically are rolled out with long term objectives and high impact on the organization eco-system, concurrent IT Audit becomes a very critical need for the management to ensure that the controls are built at the design stage itself, especially for core functionality of the business. System specifications, design documents, project management, planned upgrades, disaster recovery drills and system outputs are some of the areas where concurrent IT Audit brings powerful value additions to the organization.
One of the objectives of IT Audit is also to test effectiveness and efficiency of IT systems. Effectiveness of IT systems depends on their ability to meet specified goals. Efficiency of IT Audit depends on optimum utilization of IT Resources. Such IT Audits are extended requirements of Internal Audits going beyond the IT environmental and transaction audits.
Test of IT controls helps Internal Auditors to ascertain the extent to which Internal Audit can rely on IT systems. Internal audit can be further enhanced using in-house developed / off the shelf IT Tools. Organisations need to define business / transaction objectives, map the same on the internal system design, and configure rules / alerts to track exceptions.
IT Audits help the internal auditors to perform substantive checks more effectively. This helps Auditors to identify which areas require substantive testing and to what extent.
[Figure: Internal Audit Goal → Evaluate IT Controls → Calibrate Internal Audit process. Steps: Establish IA Objectives; Finalize IA Scope; Map IT Processes; Evaluate IT Control Effectiveness; Calibrate IA Strategy; Perform IA.]
6. Actions Required
For complying with the requirements of the Companies Act, 2013 and the Companies (Accounts) Rules, the Board / Audit Committee should undertake the following actions:
Determine the Applicability
• Identify whether the Company fulfils the criteria specified in Rule 13 of the Companies (Accounts) Rules, 2014 which makes it mandatory to appoint Internal Auditor.
Appointment of Internal Auditor
• Companies falling in criteria shall appoint the internal Auditor as per requirements of Section 138 and Section 144 of the Companies Act, 2013 read with explanation to Rule 13 of the Companies (Accounts) Rules, 2014.
Internal Audit Charter
• The Audit Committee or Board of Directors should prepare the Internal Audit Charter in consultation with the Internal Auditor. The Internal Audit Charter shall contain the scope and periodicity of Internal Audit. Such scope shall be formulated considering the business operations, business risks, internal financial controls, regulatory requirements, etc.
Chapter 2: Internal Financial Controls
1. Regulatory Aspects
Explanation to Section 134 (5) (e) of the Companies Act, 2013 defines internal financial controls as below:
The term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
The other provisions relating to Internal Financial Controls are mentioned below:
(Table columns: Section Ref. | Provisions of the Companies Act, 2013 & Relevant Rules | Effective Date | Applicability: Listed Company / Unlisted Public Company / Private Company)

Section Ref.: 134(5), 134(5)(e)
Provisions: Reporting / Disclosure Requirements. The Directors’ Responsibility Statement shall state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Effective Date: 1st April, 2014. To be reported in the Annual Report from the FY 2014-15 onwards.
Applicability: Listed Company: Yes; Unlisted Public Company: No; Private Company: No
Section Ref.: 143(3), 143(3)(i)
Provisions: Independent Auditors’ Responsibility. The auditor’s report shall also state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.
Effective Date: 1st April, 2014. To be reported in the Annual Report from the FY 2014-15 onwards.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes

Section Ref.: 177(1)
Provisions: Audit Committee Constitution. The Board of Directors of every listed company and such other class or classes of companies, as may be prescribed, shall constitute an Audit Committee.
Effective Date: 1st April, 2014. To be constituted within one year from 1st April, 2014 or from the appointment of independent directors, whichever is earlier.
Applicability: Listed Company: Yes; Unlisted Public Company:
• All public companies with a paid up capital of Rs. 10 crores or more
• All public companies having a turnover of Rs. 100 crores or more
• All public companies having in aggregate, outstanding loans, or borrowings or debentures or deposits exceeding Rs. 50 crores or more;
Private Company: No
Section Ref.: 177(4), 177(4)(vii), 177(5)
Provisions: Role of Audit Committee. Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls and risk management systems. The Audit Committee may call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.
Effective Date: 1st April, 2014
Applicability: Listed Company: Yes; Unlisted Public Company: Yes, as above; Private Company: No
Section Ref.: Schedule IV
Provisions: Appointment of Independent Directors. Every listed and other companies as may be prescribed should appoint independent directors.
Effective Date: 1st October, 2014 (for listed companies); 1st April, 2015 (other companies)
Applicability: Listed Company: Yes; Unlisted Public Company: Public Companies having:
• Paid up Share Capital: Rs. 10 crores or more; or
• Turnover: Rs. 100 crores or more; or
• Outstanding loans, debentures and deposits: Rs. 50 crores.
(A company fulfilling the above criteria shall have at least 2 independent directors); Private Company: No
Section Ref.: Schedule IV Clause II (4)
Provisions: Code of Independent Directors. The independent directors shall satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
Effective Date: 1st October, 2014 (for listed companies); 1st April, 2015 (other companies)
Applicability: Listed Company: Yes; Unlisted Public Company: Yes, as above; Private Company: No

Note: The provisions of section 134 (5) (e) are applicable only to listed companies, by which the Board is responsible to lay down internal financial controls to be followed by the company as well as ensure that such internal financial controls are adequate and were operating effectively. However, provisions of section 143(3) are applicable to all companies, which cast responsibilities on the Independent Auditors to report on adequacy and effectiveness of internal financial control system. As a matter of proper compliance and reporting by the independent auditors, all companies may have to lay down internal financial control system to demonstrate the existence and effectiveness of internal financial controls within the organization. Each company, depending upon its size of operations, activities, complexities of businesses, governing regulations, etc. will have to lay down appropriate level and depth of internal financial control system and monitor and report on its effectiveness.
Related Provisions of the SEBI Listing Agreement Requirements – At a Glance
The Companies Act, 2013 has introduced provisions relating to Internal Financial Controls for the first time. Whereas, the SEBI Listing Agreement required the CEO and CFO of every listed company to certify various aspects relating to Internal Controls.
It is however pertinent to note that while the Companies Act, 2013 refers to “Internal Financial Controls”, the SEBI Listing Agreement refers to “Internal Controls”. Though the words and phrases referred above are slightly different, both, the Companies Act, 2013 and the SEBI Listing Agreement aim at enhancing transparency in financial reporting and increasing accountability on the company management with respect to financial reporting.
2. Business Aspects
3. What is Internal Control Framework – A Global Perspective
Internal control framework is one such tool which helps an organization in managing its operations and activities, which can lead to improved efficiencies, greater reliability, compliance, etc. and prepares it to face the challenges of the external environment successfully. The external environment includes the social, political, economic, regulatory, tax, cultural, legal and technological environments. An organisation’s ability to design and adjust its internal variables to take advantage of opportunities offered by the external environment and its ability to control threats posed by the same environment determines its success. Thus, seizing the opportunities and managing challenges internal to its own environment is the key to growth.
The Internal Control Framework (ICF) is an integrated framework for designing and implementing internal controls and assessing the effectiveness and efficiency of internal controls. It is a set of policies and procedures, designed to assist the company management to achieve its objectives of operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies.
The Institute of Chartered Accountants of India has defined the ‘Internal Control System’ as under:
"Internal Control System" means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
Model ICF Framework
There are various ICFs in place worldwide such as:
1. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework
2. Canadian Institute of Chartered Accountants’ (CICA’s) Criteria of Control Framework (CoCo)
3. The standards for Internal control in U.S. Federal Government.
4. International Organization for Standardization (ISO) focuses on quality management systems, including ensuring controls are in place to comply with applicable regulatory requirements.
5. The Basel Committee on Banking Supervision’s Framework for Internal Control Systems
6. Control Objective for Information and Related Technology (COBIT) – framework for IT Management and IT Governance
The most widely used framework worldwide for Internal Controls is developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO Internal Control Framework
In 1992, COSO issued Internal Control – Integrated Framework to help businesses assess and enhance their internal control systems. Since then, this framework has been recognized by board members, regulators, professional organisations and others as an appropriate comprehensive framework for internal controls. The Framework has been updated in 2013 by COSO and is applicable from 15th December, 2014.
5 components of COSO Framework
In order to achieve its objectives of operational efficiency, reporting and compliance, the COSO framework has laid down the following 5 components and principles, which travel through the layers of the entire organization:
[Figure: COSO cube. Objectives: Operations, Reporting, Compliance. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Organisational levels: Entity Level, Division, Operating Unit, Function.]
5 Components of COSO and Related Principles
Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability
Risk Assessment
• Specifies suitable objectives
• Identifies and analyses risk
• Assesses fraud risk
• Identifies and analyses significant change
Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys controls through policies and procedures
Information and communication
• Uses relevant information
• Communicates internally
• Communicates externally
Monitoring Activities
• Conducts on-going and/or separate evaluations
• Evaluates and communicates deficiencies
4. The New Axis (What has changed)
There was no requirement related to implementation of internal financial controls in the earlier Act (The Companies Act, 1956). Earlier the Clause 49 of SEBI listing agreement required the CEO and CFO of every listed company to certify various aspects relating to Internal Controls. Also the Companies (Auditor’s Report) Order, 2003 required the independent auditors to comment on the adequacy of internal control system for purchase of inventory and fixed assets and sale of goods under clause 4(iv).
Now the Companies Act, 2013 stipulates specific requirements with respect to internal financial controls framework to be laid down by the board of directors in case of a listed company. The new Act has also now defined internal financial controls. Also provisions of section 143(3) are applicable to all companies which cast responsibilities on the Independent Auditors to report on adequacy and effectiveness of internal financial control system.
5. Role of Information Technology (IT) in Internal Financial Controls
IT systems participate in Internal Financial Controls in several ways. The effectiveness of financial controls of the organization depends on how business rules have been configured on the applications designed to process the same. For example, inventory controls, credit limits, approval processes, interest computations and process flow validations are built into the application and hence, the functional and security testing of such applications becomes critical to build internal financial controls.
A specific requirement of Internal IT controls is to verify that segregation of duties (SoD) is built into the applications deployed in the production environment and as per the internal control framework. All system elements, components, infrastructure and information assets require access control matrices to be defined and mapped taking into account SoD requirements. Not only do business and operational users need to be defined with respect to their roles and privileges, there needs to be internal segregation of duties for administrators as well. The user administration, role administration and system administration should preferably be separated. Complex systems further define the access requirements at transaction and object levels. In case of large applications involving hundreds of users, access control reviews need to be automated. An illustration of the same is mentioned below:
[Figure: layers of access administration. User administration → Role Administration → Profile Administration → Authorization levels → Authorization Object levels.]
Access to systems and transactions forms the core part of the internal control framework. Hence, granting of user access is the crucial activity. All activities related to user life cycle management, including access requests and approvals, need to be logged by the system. These have evidential value as well and accordingly these logs should be preserved in a secure manner. Organisations sometimes need to permit exceptions as per exigencies of the business and operational requirements. The exception management systems need to be well defined for effective corporate governance.
Monitoring tools are available at various levels to log, analyse and track activities pertaining to sensitive and administrative activities. Such tools need to be deployed effectively.
Effective internal control systems need to monitor all activities pertaining to system / application administration, and transactions processed through all applications.
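As an added example (not code from this booklet or from RSM), the automated access control review described above in Python: role-level SoD conflicts with the administrative duties kept separate, an exceptions register whose entries lapse on expiry, and transaction-level maker/checker and authorization-limit checks. All duty names, conflict pairs, the approval limit and the sample records are constructed for illustration.

```python
"""Automated access control review for segregation of duties (SoD).

Added example; not code from the RSM booklet. Duty names, conflict pairs,
the authorization limit and the sample records are constructed for
illustration. A real review would load them from the application's user and
role administration modules and from its transaction log.
"""
from dataclasses import dataclass
from datetime import date

# Pairs of duties one user should not hold at the same time. Administrative
# duties are kept apart, as the booklet recommends: user administration,
# role administration and system administration go to different people.
SOD_CONFLICTS = {
    frozenset({"USER_ADMIN", "ROLE_ADMIN"}),
    frozenset({"USER_ADMIN", "SYSTEM_ADMIN"}),
    frozenset({"ROLE_ADMIN", "SYSTEM_ADMIN"}),
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"INVOICE_POST", "PAYMENT_RELEASE"}),
}

# Authorization level: the largest amount a duty may approve (constructed).
APPROVAL_LIMIT = {"PAYMENT_RELEASE": 500_000}


@dataclass(frozen=True)
class SodException:
    """An approved SoD exception; it lapses after its expiry date."""
    user: str
    duties: frozenset
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def review_roles(user_duties, exceptions, today):
    """Flag users holding a conflicting pair of duties, unless a live exception covers it."""
    live = {(e.user, e.duties) for e in exceptions if e.expires >= today}
    findings = []
    for user, duties in user_duties.items():
        for pair in SOD_CONFLICTS:
            if pair <= duties and (user, pair) not in live:
                findings.append(Finding(user, "ROLE_CONFLICT", "+".join(sorted(pair))))
    return findings


def review_transactions(transactions, user_duties):
    """Transaction-level checks: maker and checker differ, checker is authorised, amount within limit."""
    findings = []
    for t in transactions:
        approver = t["approved_by"]
        if t["created_by"] == approver:
            findings.append(Finding(approver, "SELF_APPROVAL", t["id"]))
        if "PAYMENT_RELEASE" not in user_duties.get(approver, frozenset()):
            findings.append(Finding(approver, "NO_AUTHORITY", t["id"]))
        elif t["amount"] > APPROVAL_LIMIT["PAYMENT_RELEASE"]:
            findings.append(Finding(approver, "OVER_LIMIT", t["id"]))
    return findings


# Constructed sample data: an access control matrix, an exceptions register
# and a few payment transactions from a (fictional) log.
USER_DUTIES = {
    "asha": frozenset({"INVOICE_POST"}),
    "ravi": frozenset({"PAYMENT_RELEASE"}),
    "meera": frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),  # undocumented conflict
    "admin1": frozenset({"USER_ADMIN", "ROLE_ADMIN"}),  # conflict covered by an exception
}
EXCEPTIONS = [
    SodException("admin1", frozenset({"USER_ADMIN", "ROLE_ADMIN"}), "CFO", date(2015, 3, 31)),
]
TRANSACTIONS = [
    {"id": "PAY-001", "created_by": "asha", "approved_by": "ravi", "amount": 120_000},
    {"id": "PAY-002", "created_by": "ravi", "approved_by": "ravi", "amount": 80_000},
    {"id": "PAY-003", "created_by": "asha", "approved_by": "ravi", "amount": 900_000},
    {"id": "PAY-004", "created_by": "asha", "approved_by": "asha", "amount": 10_000},
]


def run_review(today="2015-01-15"):
    """Run both reviews as at the given date (ISO string) and return all findings."""
    as_at = date.fromisoformat(today)
    return (review_roles(USER_DUTIES, EXCEPTIONS, as_at)
            + review_transactions(TRANSACTIONS, USER_DUTIES))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:<14} user={f.user:<7} {f.detail}")
```

Running the review after the exception's expiry date (for example `run_review("2015-06-01")`) surfaces admin1's conflict again, which is the behaviour a well-defined exception management process needs.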
Nowadays, organizations process a large volume of transactions through data processing systems. Further, with increased automation levels, organisations deploy multiple applications for a variety of purposes and these systems operate from diverse locations, sometimes crossing national boundaries. The system tends to become more complex and periodic audit processes tend to become less effective. Like business process automation, an audit process needs to move to a near real time basis through automation. Such technique is called continuous Audit.
Continuous auditing process examines accounting practices continuously throughout the year. Continuous audits are usually technology-driven and designed to automate error checking and data verification in real time. A continuous audit driven system generates alarm triggers that provide advance notice about anomalies and errors detected by the system.
[Figure: Continuous monitoring cycle. Control Design → Control Testing → Control Effectiveness → Control Monitoring.]
Continuous Audits help to test internal control framework in many ways:
• Audits go deeper and broader
• Audits take less time
• Auditors provide value-added services
• Increased transparency with auditors and auditees
• Improved communication with external auditors
• Improved utilization of specialized audit skills
6. Actions Required
In view of the foregoing regulations, the following broad initiatives are required to be taken by every listed company relating to Internal Financial Controls:
a) Laying down Internal Financial Control framework
b) Continuous evaluation of internal controls over financial reporting
c) Ensuring adequacy and effectiveness of such controls and reporting
d) Rectifying deficiencies in the design or operation of internal controls, if any
e) Reporting about any incidents of frauds and failure of internal controls
Since the related provisions under the Companies Act, 2013 are already effective from 1st April, 2014, every listed company needs to ensure that the above initiatives are implemented and monitored regularly for the purpose of compliance and appropriate reporting.
The company management needs to design a strong Internal Control Framework and the process of development and implementation of the Internal Control Framework. The scope of this exercise involves the following major steps:
• Assessment of Gaps - Evaluation of Current Process Documentation vis-à-vis Existing Processes
• Development of SOPs Considering Best Processes and Practices
• Development of Risk & Control Matrices (RCM) for Internal Financial Control
• Evaluation of Operating Effectiveness
• Laying Down Process for Change in Internal Financial Controls framework
Further, each step requires the following activities:
Assessment of Gaps - Evaluation of Current Process Documentation vis-à-vis Existing Processes
• Identifying critical processes and material Accounts
• Understanding various processes, sub processes & activities
• Understanding and qualitative assessment of existing documents (SOPs, flowcharts, RCMs, MIS, Narrative, etc.)
• Walk through of existing processes (As-is process) including process owners interviews, discussions, etc.
• Mapping of process documents to practices (Existing documents vis-a-vis As-is processes)
• Assessment of Gaps in adequacy and comprehensiveness of existing documentation
• Reporting the Gap analysis and internal discussions with top management to draw a road map for Internal Control Framework.
Development of SOPs Considering Best Processes and Practices
• Identification of risks and its likely impact on achievement of process objectives
• Identify steps to manage / mitigate the risks through effective control framework
• Assess the design effectiveness of controls
• Devise remediation plan.
• Update the process documentations based on remediation plan
• Sign off from the top management
• Roll out and implementation of SOPs by the management
Development of Risk & Control Matrices (RCM) for Internal Financial Control
• Document the risks in the processes (Operating, Compliance, Reporting, Fraud, etc.)
• Identify the controls and document the nature of risk (preventive or detective) and manner of deployment (Manual / Automated / IT Dependent)
• Identify responsibilities for documented controls
• Identify key and non-key controls based on various parameters (segregations, mitigations of fraud risks, mitigating multiple risks, etc.)
• Develop Risk and Control Matrix (RCM)
• Sign off by the management.
Evaluation of Operating Effectiveness
• Prepare test Plan for controls as per RCMs
• Evaluation of the operating effectiveness of controls on sample basis as per test plan
• Identify gaps at operating effectiveness
• Developing the remediation plan as agreed by the process owner to remove the operational deficiencies, if required
• Updating the process documentation or RCMs if required based on operating effectiveness evaluation
Laying Down Process for Change in Internal Financial Controls framework
• Developing periodic review plan to assess the effectiveness of existing controls
• Developing the review plan to assess the changes in the accounting systems, regulatory environment, change in management, etc. requiring process changes
• Creating reporting, monitoring and escalation framework to provide the desired level of assurance to the senior management
• Developing the self assessment programs to provide assurance to management and Board.
• Sign off from the management for agreed process change documents, monitoring & escalation framework
7. Responsibilities:
Summary of Responsibilities under the Companies Act, 2013:
Board of Directors
• To lay down internal financial controls to be followed by the company
• To ensure that such internal financial controls are adequate and were operating effectively
Audit Committee
• Evaluation of internal financial controls and risk management systems
• Call for the comments of the auditors about internal control systems
Independent Directors
• To satisfy themselves on the integrity of financial information
• The financial controls and the systems of risk management are robust and defensible
Independent Auditors
• To report whether the company has adequate internal financial controls system in place and
• Such controls system is operating effectively
With respect to Internal Controls, the Clause 49 of The SEBI Listing Agreement (as revised w.e.f. 1st October 2014) prescribes the following responsibilities of the Board, Audit Committee and CEO and CFO:
Responsibility of the Board
• Ensuring integrity of the company’s accounting and financial reporting systems including independent audit
• Ensuring that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control
• Compliance with the law and relevant standards
Responsibility of the Audit Committee
• Reviewing with the management, external and internal auditors, the adequacy of internal control systems
• Reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature and reporting the matter to the board
• Reviewing Management letters / letters of internal control weaknesses issued by statutory / internal auditors
• Evaluation of internal financial controls and risk management systems
• Internal audit reports relating to internal control weaknesses
Responsibility of the CEO and CFO
• Establishing and maintaining internal controls for financial reporting
• Evaluation of the effectiveness of the internal control systems of the company pertaining to financial reporting
• Disclosing to the auditors and the Audit Committee, deficiencies in the design or operation of internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies
• Disclosing to the auditors and the Audit Committee and in the notes on accounts about significant changes in internal control and / or of accounting policies during the year
• Disclosing to the auditors as well as the Audit Committee, instances of significant fraud, if any, that involves management or employees having a significant role in the company’s internal control systems
• Reporting through the Management Discussion & Analysis in the Annual Report on:
  a) Risks and concerns
  b) Internal control systems and their adequacy
Chapter 3: Enterprise Risk Management
1. Regulatory Aspects
The Companies Act, 2013 stipulates specific requirements for compliance by every company with respect to risk management. Relevant provisions are reproduced below:
(Table columns: Section Ref. | Provisions of the Companies Act, 2013 & Relevant Rules | Effective Date | Applicability: Listed Company / Unlisted Public Company / Private Company)

Section Ref.: 134(3)
Provisions: “The board of directors’ report must include a statement indicating development and implementation of a risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board may threaten existence of the company”.
Effective Date: 1st April, 2014
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Section Ref.: 177(1)
Provisions: Audit Committee Constitution. The Board of Directors of every listed company and such other class or classes of companies, as may be prescribed, shall constitute an Audit Committee.
Effective Date: 1st April, 2014. To be constituted within one year from 1st April, 2014 or from the appointment of independent directors, whichever is earlier.
Applicability: Listed Company: Yes; Unlisted Public Company:
• All public companies with a paid up capital of Rs. 10 crores or more
• All public companies having a turnover of Rs. 100 crores or more
• All public companies having in aggregate, outstanding loans, or borrowings or debentures or deposits exceeding Rs. 50 crores or more;
Private Company: No
Section Ref.: 177(4)
Provisions: Role of Audit Committee. “The Audit Committee shall act in accordance with the terms of reference specified in writing by the board, which shall, inter alia, include evaluation of risk management systems”
Effective Date: 1st April, 2014
Applicability: Listed Company: Yes; Unlisted Public Company: Yes, as above; Private Company: No
Section Ref.: Schedule IV
Provisions: Appointment of Independent Directors. Every listed and other companies as may be prescribed should appoint independent directors.
Effective Date: 1st October, 2014 (for listed companies); 1st April, 2015 (other companies)
Applicability: Listed Company: Yes; Unlisted Public Company: Public Companies having:
• Paid up Share Capital: Rs. 10 crores or more; or
• Turnover: Rs. 100 crores or more; or
• Outstanding loans, debentures and deposits: Rs. 50 crores.
(A company fulfilling the above criteria shall have at least 2 independent directors); Private Company: No

Section Ref.: Schedule IV Clause II (4)
Provisions: Code of Independent Directors. The independent directors shall satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
Effective Date: 1st October, 2014 (for listed companies); 1st April, 2015 (other companies)
Applicability: Listed Company: Yes; Unlisted Public Company: Yes, as above; Private Company: No

Note:
As per circular 08/2014 issued by the Ministry of Corporate Affairs dated 4th April, 2014, the Financial Statements, Auditor’s Report and Board’s report in respect of the financial years that commenced earlier than 1st April, 2014 shall be governed by the provisions of the Companies Act, 1956.
Section 134 has thus already come into operation with effect from 1st April, 2014 and the Board’s report for the financial year ending 31st March 2015 will have to contain a statement as required under Section 134(5)(f).
Related Provisions of Revised Clause 49 of the SEBI Listing Agreement Requirements – At a Glance:
Revised “Clause 49” of the Listing Agreement by the Securities & Exchange Board of India (SEBI) has under Para VI on “Risk Management” stipulated as follows (Effective from 1st October 2014):
a) The company shall lay down procedures to inform Board members about the risk assessment and minimization procedures.
b) The Board shall be responsible for framing, implementing and monitoring the risk management plan for the company.
c) The company shall also constitute a Risk Management Committee. The Board shall define the roles and responsibilities of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the committee and such other functions as it may deem fit. The majority of the Committee shall consist of members of the Board of Directors. Senior Executives of the company may be members of the said Committee but the Chairman of the Committee shall be a member of the Board of Directors.
The Compliance with the provisions of Clause 49 shall not be mandatory, for the time being, in respect of the following class of companies:
a. Companies having paid up equity share capital not exceeding Rs. 10 Crore and Net worth not exceeding Rs. 25 crore, as on the last day of the previous financial year: Provided that where the provisions of Clause 49 become applicable to a company at a later date, such company shall comply with the requirements of Clause 49 within 6 months from the date on which the provisions became applicable to the company.
b. Companies whose equity share capital is listed exclusively on the SME and SME-ITP Platforms.
2. Business Aspects
In the dynamic business environment of today, managing risks is a constant challenge for the board of directors and senior management of the company. Business risks are of a diverse nature and arise due to innumerable factors. These risks may be broadly classified into two types, depending upon their place of origin.
Internal risks are those risks which arise from the events taking place within the business enterprise. Such risks arise during the ordinary course of a business. These risks can be forecasted and the probability of their occurrence can be determined. Hence, they can be controlled by the entrepreneur to an appreciable extent.
The various internal factors giving rise to such risks are:
• Human factors are an important cause of internal risks. They may result from negligence and dishonesty of an employee, accidents in the industry, incompetence of the manager or other important people in the organisation, etc. Also, failure of suppliers to supply the materials or goods on time or default in payment by debtors may adversely affect the business enterprise.
• Technological factors are the unforeseen changes in the techniques of production or distribution or delivery of services. They may result in technological obsolescence and other business risks. For example, if there is some technological advancement which results in products of higher quality, then a firm which is using the traditional technique of production might face the risk of losing the market for its inferior quality product. Similarly, services can be made redundant by improved or superior quality of service delivery to customers or clients.
• Physical factors are the factors which result in loss or damage to the property of the firm. They include the failure of machinery and equipment used in business, fire or theft in the industry, damages in transit of goods, etc. It also includes losses to the firm arising from the compensation paid by the firm to third parties on account of intentional or unintentional damages caused to them.
External risks are those risks which arise due to events occurring outside the business organisation. Such events are generally beyond the control of an entrepreneur. Hence, the resulting risks cannot be forecasted and the probability of their occurrence cannot be determined with accuracy. The various external factors which may give rise to such risks are:
- Economic factors are the most important causes of external risks. They result from changes in the prevailing market conditions. They may be in the form of changes in demand for the product, price fluctuations, changes in tastes and preferences of the consumers and changes in income, output or trade cycles. Conditions like increased competition for the product, inflationary tendency in the economy, currency volatility as well as fluctuations in the world economy may also adversely affect the business enterprise.
- Natural factors are the unforeseen natural calamities over which an entrepreneur has very little or no control. They result from events like earthquake, flood, famine, cyclone, lightning, etc. Such events may cause loss of life and property to the firm or they may spoil its goods.
- Political factors have an important influence on the functioning of a business, both in the long and short term. They result from political changes in a country like the fall of or change in the Government, communal violence or riots in the country, civil war as well as hostilities with neighbouring countries. Besides, changes in Government policies and regulations may also affect the profitability and position of an enterprise.
Benefits of Enterprise Risk Management
ERM, when implemented in the right manner, can yield substantial benefits to an organization. Some primary benefits include:
- Ability to meet strategic goals
- Increased management accountability
- Better informed decisions
- Greater management consensus
- Better communication to the Board
- Usage of risk as a competitive tool
3. What is Enterprise Risk Management (ERM)?
Meaning of Risk:
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (As defined by the Institute of Internal Auditors, USA)
An illustrative listing of the areas in an organisation where risk arises is given below (arranged by the columns of the original table):
Governance: Authority; Leadership; Performance; Corporate direction and strategy; Incentives
Finance: Funding; Financial instruments; Financial reporting; Foreign exchange; Cash flow; Investment evaluation; Payroll; Debtor / Creditor management; Treasury
Operational: Quality; Customer service; Pricing; Obsolescence; Sourcing; Product development; Product failure; Business interruption; Contingency planning
Technology: Reliability; Management information systems; Access / availability; IT security
Reputation: Brand; Intellectual property; Stakeholder perception
Compliance: Health and Safety; Environment; Copyright and trademarks
Environment: Seasonality; Globalization; Competition
Human Resources: Competencies; Recruitment; Retention
Integrity: Management fraud; Employee fraud; Illegal acts
Preparedness: Confidentiality; Communication flow; Change acceptance
(Source: Guide to Implementing Enterprise Risk Management from the Institute of Chartered Accountants of India)
Meaning of ERM
Enterprise Risk Management is the identification and assessment of the collective risks affecting the value of an organisation and the implementation of an organisation-wide strategy to manage them.
ERM is the logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process for identifying opportunities and avoiding or minimizing losses.
There are various Risk Management standards in place worldwide such as:
1. ISO 31000:2009 on Enterprise Risk Management issued by the International Organization for Standardization (ISO)
2. IRM-UK Standard on Risk Management issued by the Institute of Risk Management, UK.
3. ERM COSO framework issued by the Committee of Sponsoring Organizations.
(Illustrative listing of risk areas, continued from the previous page, by the same columns:)
Compliance: Contractual liability; Data Protection; E-Commerce
Environment: Strategic uncertainty
Human Resources: Performance measurement; Leadership development; Succession planning; Morale; Workplace environment
Integrity: Unauthorised use; Ethics
Preparedness: Change readiness; Communication infrastructure
COSO ERM
Organisations are becoming more and more aware of the need and importance of implementing an enterprise risk management framework. The COSO framework is the most widely accepted framework for ERM. (Source: Guide to Implementing Enterprise Risk Management issued by the Internal Audit Standards Board of ICAI).
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows by the Committee of Sponsoring Organizations (COSO):
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
The definition reflects the fundamental concepts of ERM:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity’s management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories
Generic Model of Risk Management Process:
The Risk Assessment process can be conceptualized in the following diagram (flowchart; the steps as labelled in the original are): Establish the context; Identify risks; Analyse risks; Evaluate risks; Assess risks; Accept risks? (Yes / No); Treat risks; with “Communicate and consult” and “Monitor and review” running alongside every step.
Components of Enterprise Risk Management
Enterprise Risk Management consists of eight interrelated components. These components as described in COSO ERM (please also see the COSO Cube below) are:
ERM Component: Internal Environment
Description: The internal environment encompasses the tone of an organisation and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values and the environment in which they operate.
ERM Component: Objective Setting
Description: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
ERM Component: Event Identification
Description: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective setting processes.
ERM Component: Risk Assessment
Description: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
ERM Component: Risk Response
Description: Management selects risk responses – avoiding, accepting, reducing or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
ERM Component: Control Activities
Description: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
ERM Component: Information and Communication
Description: Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
ERM Component: Monitoring
Description: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
COSO Cube (diagram): the eight components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring) form the rows; the four objective categories (Strategic, Operations, Reporting, Compliance) form the columns; and the entity levels (Entity-Level, Division, Business Unit, Subsidiary) form the third dimension.
Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.
Achievement of Objectives
Within the context of an entity’s established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
- Strategic – high level goals, aligned with and supporting its mission
- Operations – effective and efficient use of its resources
- Reporting – reliability of reporting
- Compliance – compliance with applicable laws and regulations
4. The New Axis (What has changed?)
Enterprise Risk Management (ERM) was not mandatory under the earlier Act (The Companies Act, 1956). However, the Companies Act, 2013 stipulates specific requirements with respect to risk management by companies. Further, SEBI has revised Clause 49 under Para VI on risk management (please refer to paragraph 1 above for the elaborated provisions).
5. How Information Technology Risk Management impacts ERM
With the percolation of IT systems into the working life of any organization, IT risks form a critical component of Enterprise Risk Management. IT systems are now heterogeneous, dynamic and evolving, interface with multiple systems and use open platforms. Further, they are accessed by external users through multiple channels. Organizations also outsource various activities to third parties who provide different services. These include data centre services, cloud computing services, infrastructure management services, systems / log monitoring services, operational outsourcing, etc. All these entities use their own infrastructure and platforms. A diverse number of the business risks mentioned earlier become associated with such a highly intense technology environment. An Enterprise Risk Management framework is incomplete without factoring in IT risks.
An illustrative chart is tabulated below:
External Risks
- Ability of an external entity to intrude into organization systems by exploiting weaknesses of the organization network / design
- Unauthorized access
- Sniffing of data flowing out of the organizational network
- Performance bottlenecks, insufficient / improper utilization of the corporate network
- Intermediaries stealing organizational data
Internal Risks
- Possible misuse of organization resources due to systems / application configurations
- Weaknesses of accounting and auditing controls
- Inability of the organisation to respond to a situation
- Inability to enforce organizational policies
- Degradation of IT services, inability to meet operational needs
Third Party Risks
- Roles and responsibilities, obligations, liabilities not well defined
- Intermediaries / third parties unable to meet SLAs
- Third parties not following legal and compliance requirements
Due to the advancement of technology, all countries have put in place an IT legal framework. Organizations need to factor IT legal risks into their ERM framework. Typically this covers:
- Need to protect individual privacy
- Copyright requirements
- Controls built to prevent and detect abusive use of IT infrastructure
- Controls built to prevent and detect prohibited activities through the computer network, control of anti-virus, malware and crime-ware.
As the organization drills into individual activities, risk identification and management need a closer look. This is illustrated below through examples of usage of alternate channels and business continuity plans.
Mobile Commerce, E-commerce and Social Media interactions are virtually common. These channels operate across all regions and user segments. The on-line market is world-wide and unrestricted, and designing a business model around on-line transactions is relatively easier than the brick-and-mortar mode.
The cost of entry into the market is low, yet the risk of failure for E-commerce is very high.
Some of the risks related to E-commerce are tabulated below.
External Risks
- Data leakage and data compromise
Internal Risks
- Insider threats wherein trusted users can misuse the systems
- Fraudsters exploiting weaknesses of the organisation
Third Party Risks
- Third party dependencies on organisation processes
Information Risks
- Copyright infringement, patents, IPR, trade secret violations
- Identity theft / stealing of information
- Domain related disputes
- Boards containing defamatory statements resulting in liability or embarrassment
- Web site contents may be defamatory, offensive to certain audiences
Technology Risks
- Errors in software design
- Unauthorized access to a web site / hacking of web sites to gain control
- Infecting a web site with computer viruses / malware
- Insufficient capacity management on supporting infrastructure
- Security breach on payment transactions
- ISP services not up to the mark
- Response time of web site
- Improper back-end integration
Business Risk
- Unlawful promotion of products
- Exposure to global laws
- Fraudulent transactions
- Inability to manage cycle time for presenting web based products
- Change of relationship with customers, suppliers
- Integration of E-commerce process with supply chain / operational processes
- Liabilities and penalties
Business Continuity Risk
Business continuity from a technology point of view has assumed tremendous significance in the recent past. The major disruptions due to technology failures over the period of a decade, and the consequences felt due to them, are well known.
How the technology scenario is changing, what the consequences of disruptions are and how they correlate to stakeholder interests is tabulated below:
Technology Scenario
- Increase in size, scale and complexity of businesses enabled by technology platforms
- Heterogeneous systems processing volumes of transactions on a real time basis
- Speed and cross border nature of transactions
Consequences of Disruption
- Material damage
- Loss of productivity / increased cost of working
- Product release delay / customer complaints received
- Cancellation of sales orders
- Loss of revenue / service outcome impaired
Stakeholder Interests
- Customers demand service on a 24 x 7 basis
- Stakeholders concerned about damage to business obligations
- Business partners concerned about supply chain management
(Business continuity table, continued from the previous page:)
Technology Scenario
- Ability of the business to reach customers globally through multiple channels
- Highly interconnected global network of business partners, suppliers, customers, service providers, government and regulatory agencies
- 24 x 7 operations, competitive pricing, end point delivery focus and customized servicing
- Government, legal and administrative machinery moving to e-governance mode, further aiding the process of automation as well as controls
Consequences of Disruption
- Delayed cash flows
- Payment of service credits
- Fines by regulator for non-compliance
- Professional indemnities and liabilities
- Damage to brand reputation / image
- Loss of human life
- Long term disability of the business
Stakeholder Interests
- Insurance teams – on claims during disruptions
- Public – on overall impact on public life due to major disruptions
- Regulators – protecting larger interests
6. Actions Required
The changes now require that the Board of Directors’ report should contain a statement indicating development and implementation of the risk management policy and risks that may threaten the existence of the company.
In order to be able to make a statement as required under section 134(5)(f) of the Companies Act, 2013, companies will have to take the following steps (adapted from the Guide to Implementing Enterprise Risk Management issued by the Internal Audit Standards Board of ICAI):
a) Preparing the Internal Environment and Risk orientation
b) Objective Setting
c) Risk / Event Identification
d) Risk Assessment
e) Risk Mitigation / Response
f) Control Activities
g) Risk Monitoring
Further, each step requires the following activities:
Preparing the Internal Environment
- Assessing and developing a risk management policy.
- Developing a code of conduct within the organisation.
- Publicize the policy on the intranet.
- Develop guidelines on roles and responsibilities for risk management.
- Develop a risk orientation programme for new employees.
- Develop and formalise a detailed training programme / plan for all officials and audit committee members.
Objective Setting
- Define risk management process linkages with strategic objectives.
- Define the Risk appetite for the organisation related to the strategic objectives.
- Define the risk tolerance levels in business decisions within the overall risk appetite of the organisation.
Risk / Event Identification
- Identify events which may affect the objectives.
- Use various techniques for event identification.
- Prepare an inventory of risks / events and maintain risk registers.
- Categorize similar events in one category for a holistic assessment.
- Evaluate interdependencies in events.
Risk Assessment
- Evaluate each risk in terms of its likelihood of occurrence and impact.
- Use various qualitative and quantitative techniques for assessing risks.
- Prepare a risk map by plotting various risks in terms of their likelihood and impact.
- Prioritize risks to develop the response mechanism.
Risk Response / Mitigation
- Identify the response to the risks identified.
- Evaluate each response in terms of cost and benefit by identifying the cost and benefit of each option (i.e. Avoid, Reduce, Share / Transfer and Accept).
- Select the most efficient option and identify the net / residual risk portfolio after considering the responses to various risks.
- Ensure that the residual risk is within the risk tolerance limits of the organisation / business unit.
Control Activities
- Perform a root cause analysis for the failure of a risk response.
- Identify control activities for the various risk responses.
- Evaluate the control activities in terms of costs and benefits.
- Implement the control activities for risk responses.
Risk Monitoring
- Institute monitoring mechanisms internally, such as periodic performance monitoring against targets.
- Review the risk management process and methodologies independently, such as through Internal audit review, cross functional team review, etc.
- Embed controls which escalate deviations as triggers for adequate corrective actions.
- Maintain adequate documentation with respect to ERM framework implementation, such as the ERM organization structure, roles and responsibilities, risk registers, control framework, self assessment questionnaire, etc.
7. Responsibility
Companies will now need to develop and document adequately their risk management policies, and every Board of Directors’ report will discuss the design and documentation and status of implementation of the risk management policy.
The Board of Directors and employees entrusted with the task of implementation are responsible for the development and implementation of the Enterprise Risk Management framework for the company, including identification of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
Chapter 4: Fraud Risk Management
1. Regulatory Aspects
The new Act has covered vital changes in the context of fraud. It defines fraud, lays down severe penalties, fixes extensive responsibility for senior management, statutory auditors and independent directors, introduces the establishment of a whistle blowing mechanism and accords statutory status to the Serious Fraud Investigation Office (SFIO).
The brief provisions related to frauds are explained below:
Section Ref.: 134(5) – Financial statement, Board’s report, etc.
Provisions of the Companies Act, 2013 & Relevant Rules: Section 134(5) states that the Directors’ Responsibility Statement shall state that the directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities. Section 217 of the Old Companies Act 1956 corresponds with Section 134 of the New Act.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Effective Date: 1st April, 2014
Section Ref.: 447 – Punishment for fraud
Provisions of the Companies Act, 2013 & Relevant Rules: Without prejudice to any liability including repayment of any debt under this Act or any other law for the time being in force, any person who is found to be guilty of fraud, shall be punishable with imprisonment for a term which shall not be less than six months but which may extend to ten years and shall also be liable to fine which shall not be less than the amount involved in the fraud, but which may extend to three times the amount involved in the fraud.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Effective Date: 12th September, 2013
Section Ref.: 177(9) and (10) – Vigil Mechanism
Provisions of the Companies Act, 2013 & Relevant Rules: The vigil mechanism under sub-section (9) shall provide for adequate safeguards against victimisation of persons who use such mechanism and make provision for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases: Provided that the details of establishment of such mechanism shall be disclosed by the company on its website, if any, and in the Board’s report.
Applicability: Listed Company: Yes; Unlisted Public Company: Public Companies which accept deposits from the public, and the Companies which have borrowed money from banks and public financial institutions in excess of Rs. 50 Crore; Private Company: No
Effective Date: 1st April, 2014
Section Ref.: Schedule IV – Appointment of Independent Directors
Provisions of the Companies Act, 2013 & Relevant Rules: Every listed and other companies as may be prescribed should appoint independent directors.
Applicability: Listed Company: Yes; Unlisted Public Company: Public Companies having:
- Paid up Share Capital: Rs. 10 crores or more; or
- Turnover: Rs. 100 crores or more; or
- Outstanding loans, debentures and deposits: Rs. 50 crores.
(A company fulfilling the above criteria shall have at least 2 independent directors); Private Company: No
Effective Date: 1st October, 2014 (for listed companies); 1st April, 2015 (other companies)
Section Ref.: Schedule IV Clause II (4) – Code of Independent Directors
Provisions of the Companies Act, 2013 & Relevant Rules: The independent directors shall: Ascertain and ensure that the company has an adequate and functional vigil mechanism. Ensure that the interests of individuals who use the mechanism are not prejudicially affected.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes, as above; Private Company: No
Effective Date: 1st October, 2014 (for listed companies); 1st April, 2015 (other companies)
Section Ref.: 141 – Eligibility and Qualification of auditors
Provisions of the Companies Act, 2013 & Relevant Rules: As per Section 141(3)(h) a person who has been convicted by a court of an offence involving fraud and a period of ten years has not elapsed from the date of such conviction shall not be eligible for appointment as auditor of a company.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Effective Date: 1st April, 2014
Section Ref.: 140(5) – Removal, resignation of auditor and giving special notice
Provisions of the Companies Act, 2013 & Relevant Rules: As per Section 140(5) the Tribunal either suo motu or on an application made to it by the Central Government or by any person concerned, if it is satisfied that the auditor of a company has, whether directly or indirectly, acted in a fraudulent manner or abetted or colluded in any fraud by, or in relation to, the company or its directors or officers, it may, by order, direct the company to change its auditors. Section 225 of the Old Act corresponds with Section 140 of the New Act.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Effective Date: 1st April, 2014
Section Ref.: 143 – Powers and duties of an auditor and auditing standards
Provisions of the Companies Act, 2013 & Relevant Rules: Section 143(12) states that if an auditor of a company, in the course of the performance of his duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, he shall immediately report the matter to the Central Government within such time and in such manner as may be prescribed. Section 227 and Section 228 of the Old Act correspond with Section 143 of the New Act.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Effective Date: 1st April, 2014
Section Ref.: 147 – Punishment for contravention
Provisions of the Companies Act, 2013 & Relevant Rules: If an auditor of a company contravenes any of the provisions of section 139, section 143, section 144 or section 145, the auditor shall be punishable with fine which shall not be less than twenty-five thousand rupees but which may extend to five lakh rupees: Provided that if an auditor has contravened such provisions knowingly or wilfully with the intention to deceive the company or its shareholders or creditors or tax authorities, he shall be punishable with imprisonment for a term which may extend to one year and with fine which shall not be less than one lakh rupees but which may extend to twenty-five lakh. Where an auditor has been convicted as above he shall be liable to— (i) refund remuneration received by him to the company; and (ii) pay for damages to the company, statutory bodies or authorities or to any other persons for loss arising out of incorrect or misleading statements of particulars made in his audit report. Section 232 & 233 of the Old Act correspond with Section 147 of the New Act.
Applicability: Listed Company: Yes; Unlisted Public Company: Yes; Private Company: Yes
Effective Date: 1st April, 2014
Note:
Apart from the above, the Serious Fraud Investigation Office (SFIO) has been set up under Section 211 of the New Act.
Also the new Companies Act, 2013 allows class action suits to be initiated. Section 245 (not yet notified) prescribed under the new Act is as under:
“In the case of a company having a share capital, not less than one hundred members of the company or not less than such percentage of the total number of its members as may be prescribed, whichever is less, or any member or members holding not less than such percentage of the issued share capital of the company as may be prescribed, subject to the condition that the applicant or applicants has or have paid all calls and other sums due on his or their shares; and
in the case of a company not having a share capital, not less than one-fifth of the total number of its members can file an application before the Tribunal on behalf of the members or depositors for seeking damages or compensation or demand any other suitable action from or against the auditor including audit firm of the company for any improper or misleading statement of particulars made in his audit report or for any fraudulent, unlawful or wrongful act or conduct.”
Related Provisions of Revised Clause 49 of the SEBI Listing Agreement Requirements – At a Glance:
SEBI has made it mandatory for all listed companies to have a whistle-blower mechanism for their employees and directors with effect from 1st October 2014.
Compliance with the provisions of Clause 49 shall not be mandatory, for the time being, in respect of the following class of companies:
- Companies having paid up equity share capital not exceeding Rs. 10 Crore and Net worth not exceeding Rs. 25 crores, as on the last day of the previous financial year: Provided that where the provisions of Clause 49 become applicable to a company at a later date, such company shall comply with the requirements of Clause 49 within 6 months from the date on which the provisions became applicable to the company.
- Companies whose equity share capital is listed exclusively on the SME and SME-ITP Platforms.
2. What is “Fraud”?
Fraud is defined in the Companies Act, 2013 as under:
“Fraud” in relation to affairs of a company or any body corporate, includes any act, omission, concealment of any fact or abuse of position committed by any person or any other person with the connivance in any manner, with intent to deceive, to gain undue advantage from, or to injure the interests of, the company or its shareholders or its creditors or any other person, whether or not there is any wrongful gain or wrongful loss;
“Wrongful gain” means the gain by unlawful means of property to which the person gaining is not legally entitled;
“Wrongful loss” means the loss by unlawful means of property to which the person losing is legally entitled.
3. Business Aspects - Impact of “Fraud” on an Organisation
Fraud negatively impacts organisations in many ways including financial, reputational, psychological and social implications. Under the Companies Act 2013, liability and punishment for fraud is extended to every individual who has been a party to it deliberately, including the auditors of the company.
According to various surveys, monetary losses from frauds are significant. However, the full cost of fraud is immeasurable in terms of time, productivity and reputation, including organisational relationships with various stakeholders. Depending upon the severity of the loss, organisations can be irreparably harmed by the financial impact of fraud activity. Therefore it is important for organisations to have a strong fraud program that includes awareness, prevention and detection programs, as well as a fraud risk assessment process to identify fraud risks within the organisation.
4. New Axis (What has changed?)
The New Act has specifically provided a stringent punishment with respect to fraud. The word used in the section is ‘person’ and hence punishment under this section shall also extend to all classes of auditors, including internal auditors.
The new Companies Act, 2013 provides for certain classes of companies being required to establish a vigil mechanism for their directors and employees, which was not a requirement earlier.
No disqualification for conviction of an offence involving fraud was prescribed for auditors under the Old Act. This is an additional ground of disqualification which has been prescribed under the New Act. No such provisions in respect of internal auditors have been specified.
The Old Act did not contain a provision for removal of an auditor on the ground of fraud by the Tribunal, either suo motu or on an application by the Central Government or any person concerned. This is an additional power prescribed under the New Act.
No duty was cast upon the Independent Auditor under the Old Act to report fraud. The New Act and the rules made thereunder make specific provisions as to the manner in which a Statutory Auditor should report fraud. The provisions requiring reporting by an Independent Auditor shall also apply mutatis mutandis to a Cost Auditor and a Secretarial Auditor in the performance of their duties. However, no mention has been made here of the Internal Auditor. A penalty for contravention of the provisions of this section has also been specifically provided in the New Act.
The penalty with respect to contravention by auditors has been increased to a fine which shall not be less than twenty-five thousand rupees but which may extend to five lakh rupees. The Old Act provided for a penalty of up to ten thousand rupees.
Moreover, the New Act also requires an Independent Auditor to refund the remuneration received by him to the company and to pay for damages arising out of the contravention. This is specific to the Statutory Auditor only. No such provisions in respect of internal auditors have been specified.
