As we all know, the Companies Act, 2013 has brought about significant changes to the corporate governance landscape in India. One of the key areas where these changes are being felt is in internal audit and control. It is no longer enough for companies to simply tick the boxes when it comes to internal audit and control. They must go beyond that and ensure that their internal audit and control processes are effective and compliant with the Companies Act, 2013.
The Companies Act, 2013 (CA, 2013) has introduced a number of new requirements for companies in relation to internal audit and control. These requirements are designed to improve the accuracy and reliability of financial reporting, and to reduce the risk of fraud and error.
One of the key changes introduced by the CA, 2013 is the requirement for companies to have an internal audit function. The internal audit function is responsible for providing independent assurance to the board of directors on the effectiveness of the company's internal controls over financial reporting.
Beyond Box Ticking - Internal Audit & Controls - Companies Act, 2013 Perspective - CA Sana Baqai
1. Companies Act Perspective
Beyond Box Ticking: Internal Audit & Controls
CA Sana Baqai
Organised by: Board of Internal Audit & Management Accounting of ICAI
10th May, 2023, Wednesday
4. ERA OF CORPORATE GOVERNANCE IN INDIA
Years marked on the timeline: 1998, 1999, 2000, 2002, 2003, 2004, 2013
Initiatives shown on the timeline:
• CII
• Kumar Mangalam Birla Committee
• Clause 49
• DCA - Task Force on Corporate Excellence
• DCA Report
• Narayan Murthy Committee
• Naresh Chandra Committee
Maturity / Sustainability Initiatives:
• 2015: Amended Clause 49; IFC
• 2015: SEBI (LODR) Regulations
• 2017: GST
• 2021: SEBI (LODR) Regulations emphasizing the role of RMC
5. EVOLVING EXPECTATIONS FROM INTERNAL AUDIT FUNCTION OVER THE YEARS
• Verifier: focus on numbers and compliances
• Evaluator: focus on processes
• Problem Identifier: focus on systems and controls
• Solution Provider: focus on objectives and risk management
• Consultant and Assurance Provider: focus on value addition and corporate governance
6. DEFINITION OF INTERNAL AUDIT - ICAI
The Institute of Chartered Accountants of India (ICAI): “Internal audit provides independent assurance on the effectiveness of internal controls and risk management processes to enhance governance and achieve organisational objectives”.
7. PARADIGM SHIFT IN THE ROLE OF INTERNAL AUDITOR
From -> To
• Reactive -> Proactive
• Books -> Business
• Vouchers -> Systems
• Sales -> Value Addition
• Economic Value Addition -> Value Creation
• Quantity of Earnings -> Quality of Earnings
• Delayed Accuracy -> Quick Estimate
• Internal Control -> Internal Co-operation
8. PARADIGM SHIFT IN THE ROLE OF INTERNAL AUDITOR
From -> To
• Compliance with Standard Accounting -> Compliance with Accounting Standards
• Tax Planning -> Tax Compliance
• Checker -> Consultant
• Compliance -> Competency
• Foe -> Friend
• Fault Finder -> Facilitator
• Net Profits -> Cash Flow
• Large Cash as a source of “comfort” -> Cause of “Concern”
9. PARADIGM SHIFT IN THE ROLE OF INTERNAL AUDITOR
From -> To
• You vs. We -> All of us
• Stern Look -> Smile
• Internal Audit -> External Internal Audit
• Professional -> Partner
• Consultant -> Core Group Member
• Long Report -> Crisp Elevator Pitch
• Conceptualization -> Execution
11. SECTION 138 OF COMPANIES ACT, 2013
• As per Section 138 of the Companies Act, 2013 read with Rule 13(1) of the Companies (Accounts) Rules, 2014, certain classes of companies are required to appoint an Internal Auditor.
• The Board of a company may appoint a Chartered Accountant, cost accountant or any other professional to conduct internal audits.
• The internal auditor may or may not be an employee of the company.
12. APPLICABILITY OF INTERNAL AUDIT UNDER SECTION 138 OF COMPANIES ACT, 2013 READ WITH RULE 13 OF COMPANIES (ACCOUNTS) RULES, 2014
Conditions by type of company (Private Companies / Unlisted Public Companies / Listed Companies):
• Turnover: Private Companies - Rs. 200 Crore or more during the previous financial year; Unlisted Public Companies - Rs. 200 Crore or more during the previous financial year; Listed Companies - all listed companies are covered.
• Outstanding loans / borrowings from banks or public financial institutions: Private Companies - Rs. 100 Crore or more at any point of time during the previous financial year; Unlisted Public Companies - Rs. 100 Crore or more at any point of time during the previous financial year.
• Paid up share capital: Private Companies - N.A.; Unlisted Public Companies - Rs. 50 Crore or more during the previous financial year.
• Outstanding deposits: Private Companies - N.A.; Unlisted Public Companies - Rs. 25 Crore or more at any point of time during the previous financial year.
Note: the statutory auditor has to mention the adequacy of internal controls in the audit report! Even the cost auditor has to confirm the adequacy of internal controls in the cost audit report!
13. ELIGIBILITY FOR APPOINTMENT OF INTERNAL AUDITOR
The internal auditor shall be either a Chartered Accountant or a Cost Accountant or such other professional as may be decided by the board.
The internal auditor may or may not be an employee of the company.
“Chartered Accountant” shall mean a Chartered Accountant whether engaged in practice or not; therefore, every registered member of the Institute of Chartered Accountants of India is eligible for appointment as internal auditor of a company.
Thus, the board of a company, via the Audit Committee, has been given the freedom to appoint any professional and competent person to be its internal auditor.
The statutory auditor appointed under section 139 of the Act is not eligible to provide the service of internal audit, whether rendered directly or indirectly, to the company or its holding company or subsidiary company.
14. COMPETENCIES THAT AN INTERNAL AUDITOR NEEDS TO POSSESS
• Independence: An Internal Auditor shall be free from any undue influences which force him to deviate from the truth. This independence shall be not only in mind, but also in appearance.
• Due Professional Care: “Due professional care” signifies that the Internal Auditor exercises reasonable care in carrying out the work to ensure the achievement of stated objectives.
• Integrity: The Internal Auditor shall be honest, truthful and be a person of high integrity. He shall operate in a highly professional manner and be seen to be fair in all his dealings.
• Confidentiality: The Internal Auditor shall keep information which he has gathered during the period under audit confidential and secured.
• Objectivity: The Internal Auditor shall conduct his work in a highly objective manner, especially in gathering and evaluation of facts and evidence. He shall not allow prejudice or bias to override his objectivity.
• Skill and Competence: The Internal Auditor shall have sound knowledge, strong interpersonal skills, practical experience and professional expertise in certain areas and other competencies required to conduct a quality audit.
15. SCOPE OF INTERNAL AUDIT
• Not prescribed under the Act or the Rules made thereunder.
• The Audit Committee or the Board shall, in consultation with the internal auditor, formulate the scope, functioning, periodicity and methodology for conducting the internal audit.
18. INTERNAL FINANCIAL CONTROLS: COMPANIES ACT, 2013
Director’s Responsibility Statement:
1. Section 134(5)(e) - The directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
2. Section 134(5)(f) - The directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.
3. Section 134(3)(q), sub-rule 8(5) - “In addition to the information and details specified in sub-rule (4), the report of the Board shall also contain: … the details in respect of adequacy of internal financial controls with reference to the financial statements.”
19. INTERNAL FINANCIAL CONTROLS: COMPANIES ACT, 2013
Audit Committee:
• Section 177(4)(vii) - Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall inter alia include ….., evaluation of internal financial controls and risk management systems ….
• Section 177(5) - The Audit Committee may call for the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company.
Auditor’s Report:
• Section 143(3)(i) - Whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.
20. CONSEQUENCES OF NON-COMPLIANCE
Section 134(8) – contravention is punishable with a fine which shall not be less than Rs. 50,000 but which may extend to Rs. 2,500,000, and every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to 3 years, or with a fine which shall not be less than Rs. 50,000 but which may extend to Rs. 500,000, or with both.
21. WHAT DOES THE LAW SAY?
Board of Directors (Section 134):
• Lay down adequate and effective IFCs and include it in the Directors' Responsibility Statement
• Independent directors to satisfy themselves on the strength of financial controls
Audit Committee (Section 177):
• Evaluate IFC systems
• Review Auditors' comments / observations with respect to controls before submission to the Board
• Discuss issues with Management or Internal / Statutory Auditors
Auditors (Section 143):
• Report on adequacy of IFC system
• Report on operating effectiveness of such controls
IFC to be included as part of the Directors' Responsibility Statement from March 31, 2015 onwards and as part of the Statutory Auditors' Report from March 31, 2016 onwards.
22. WHO ALL ARE RESPONSIBLE???
Column headings (company categories): Public Listed Company; Public Unlisted Company; Pvt. Company. Threshold conditions shown in the column headings: paid up share capital >= ₹20 Cr.; paid up share capital >= ₹10 Cr.; turnover >= ₹100 Cr.; loans / borrowings in aggregate >= ₹50 Cr.
Rows (requirement, with the ticks as shown across the columns):
• Director’s Responsibility Statement (134) - IFR: ✓
• Statutory Auditor (143) - ICFR: ✓ ✓ ✓ ✓ ✓
• Audit Committee (177) - ICFR: ✓ ✓ ✓ ✓
• Independent Director (Schedule IV) - ICFR: ✓ ✓ ✓ ✓
• Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 – BOD Report – Financial Statements only - ICFR: ✓ ✓ ✓ ✓
23. RESPONSIBILITY OF STAKEHOLDERS
Company Management:
• Create & test the framework of internal controls
• IFC (including operational & compliance)
• Controls documentation
Auditors:
• Focus on internal controls, to the extent these relate to the financial reporting
• Auditors' responsibility limited to evaluation of ‘financial reporting controls’
Audit committee / Independent Director:
• Would like to see a robust framework that is aligned to acceptable standards
• Review & question the basis of your controls design & ongoing assessments
Board of Directors:
• Would rely on the assessment & view of the audit committee
• They may ask for additional information
24. CLAUSE 49 OF THE LISTING AGREEMENT
The CEO and the CFO shall certify to the board the following matters:
• They have accepted the responsibility for the establishment and maintenance of internal controls for financial reporting.
• The effectiveness of the internal control systems that pertain to financial reporting has been evaluated by them.
• The deficiencies in the design and operation of such internal controls of which the CEO / CFO is aware have been communicated to the audit committee and auditors, and necessary steps have been taken or proposed to be taken to rectify such deficiencies.
• Necessary changes during the year pertaining to the internal control over financial reporting have been indicated to the audit committee and the auditor.
• Significant frauds involving an employee or management having a significant role in the internal control system over the financial reporting of the company have also been indicated to the audit committee and the auditors.
25. INTERNAL FINANCIAL CONTROLS – COMPANIES ACT, 2013
As per Section 134 of the Companies Act 2013, Internal Financial Controls means:
• Policies and procedures adopted by the company for ensuring orderly & efficient conduct of its business
• Accuracy and completeness of accounting records
Internal Financial Control (IFC) comprises:
• Internal Controls over Financial Reporting (ICFR)
• Operational Controls
• Fraud Prevention Controls
26. INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING (ICFR)
A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal financial control over financial reporting includes those policies and procedures that:
• Pertain to the maintenance of the records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material impact on the financial statements
The three pillars of Internal Controls over Financial Reporting (ICFR):
• Maintenance of financial records (detail / accuracy)
• Authorisation of transactions (in accordance with GAAP)
• Safeguarding of the assets
27. WHY IS ICFR IMPORTANT?
• Regulatory Compliance
• Process Efficiencies
• Value Enhancement
• Framework Development
• Operations Assessment
• Control Design Review
• Upgrading Internal Practices
• Sampling Techniques
• Effectiveness Testing
• Documentation and Representation
Gain a level of assurance that allows the board, management and other stakeholders to be satisfied that the organization maintains a strong system of internal control.
28. COMMON MYTHS
• Meeting the CARO requirement is sufficient
• The company has SOPs in place
• Controls are automatically in place & hence there is no need to revisit them
• There is no need to document the processes & controls
• There is no need to link the risks with controls
• The process for IFCoFR certification is not required since no exceptions are noted by the auditors
• Testing of controls & remediation of deficiencies is the responsibility of the auditors and not of the management
• There is no need to provide training & development to the employees
29. INTERNAL FINANCIAL CONTROLS – WHAT TO DO?
IFC Objectives:
• Operations Objectives: efficiency and effectiveness in operations; prevention and detection of fraud and error; safeguarding of assets
• Reporting Objectives: reliability of financial reporting; accuracy and completeness of accounting records
• Compliance Objectives: compliance with applicable laws and regulations
IFC Requirements:
• Defined policies and procedures to ensure effective and efficient operations
• Effective Delegation of Authority and entity level controls
• Preventive controls to address fraud risk
• Mechanism for timely detection of fraud and errors
• Adequate control over asset movement, storage, loss or theft
• Risk identification and mitigation plan to reduce loss of assets
• Controls over accurate and timely update of accounting records
• Control over completeness of accounting records
• Timely preparation of financial reports
• Adequate controls over preparation of financial reports
• Adequate framework to ensure compliance with applicable laws and regulations
• Adequate framework to monitor the compliance
What to do?
• Define and ensure compliance with appropriate policies and procedures and Delegation of Authority
• Define appropriate entity level controls
• Define and monitor operating effectiveness of appropriate controls over various activities
• Fraud Risk Management
• Define appropriate asset movement controls
• Effective asset verification program
• Define effective controls and ensure operating effectiveness (ELC, PLC, ITGC and Fraud Risk)
• Define appropriate controls over preparation of financial reports
• Adequate review mechanism
• Legal Compliance Framework
30. ACCOUNTING ASSERTIONS
Assertion: Particulars
• Accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately.
• Completeness: All transactions and events, assets, liabilities, and equity interests that should have been recorded are recorded.
• Validity: Transactions and events that have been recorded have occurred and pertain to the entity.
• Cut Off: Transactions and events have been recorded in the correct accounting period.
• Valuation and Allocation: Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
• Presentation and Disclosure: Recorded transactions and events are properly classified, described, and disclosed in the financial statements.
31. KEY CONSIDERATIONS IN A CONTROL
Understand & Document: focus your questions on the assertions the control is making.
• … is this control performed? Frequency (Daily, Weekly, Monthly, Qtrly, etc.)? Is it frequent enough to prevent / detect & correct the risk?
• … is generated to prove that this control was performed?
• … performs the control? Does this person have the requisite knowledge / authority?
• … is the evidence of control performance retained? For how long? Is it accessible for audit?
• … is this control being performed? What types of errors should be prevented or detected?
• … is this control being performed? What activities are included? Can these activities be bypassed? Can the bypass be detected? How are issues resolved, once identified, and in what timeframe? Is this fast enough to mitigate the risk?
32. HOW WILL IFC HELP BEYOND COMPLIANCE?
• Helps in business process redesign to plug revenue leakages & cost containment opportunities
• Helps in rationalizing the number of controls across the organization, moving to smart and automated controls
• Helps in standardizing policies and procedures for multi-location and multi-business companies
• Fosters a control-conscious work culture for the people behind controls
• Provides assurance to the CEO / CFO as well as improves business performance
• In some instances, also serves as a base for the blueprint of optimal procedures while thinking about ERP
• Aimed at strengthening the processes to further improve business, identify cost containment opportunities as well as drive business growth
Compliance, Ethics, Trust
33. RISK MANAGEMENT DEFINED
Risk Management: a structured, consistent and continuous process for identification and assessment of risks, undertaking control assessment and continuous monitoring of exposure to the risk.
Risk Management is critical to value creation, offering shareholders improved stability and predictability.
34. REGULATORY REQUIREMENT FOR ERM FRAMEWORK - COMPANIES ACT 2013 REQUIREMENT
1. Section 134 - Responsibility: Board of Directors; Applicability: Listed Companies. The board of directors' report must include a statement indicating development and implementation of a risk management policy for the Company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the Company.
2. Section 177 - Responsibility: Audit Committee; Applicability: Listed Entities, Entities with Public borrowing. The audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall, inter alia, include evaluation of risk management systems.
3. Section 149(7), Schedule IV - Responsibility: Independent Directors; Applicability: Listed Entities, Entities with Public borrowing. Independent directors should satisfy themselves that systems of risk management are robust and defensible.
35. RISK MANAGEMENT – AN OVERVIEW
• Organization's Vision & Mission: why the company / business unit exists
• Strategic Objectives: articulate what an organisation seeks to do to achieve its vision
• Organization Structure & Processes: the way the company operates to achieve its objectives
• Processes / Sub-processes: the sub-processes that are needed to achieve the objectives
• Risks: what could go wrong which would hamper achievement of the vision / mission / strategic objectives
36. WHO IS RESPONSIBLE FOR RISK MANAGEMENT
A shared responsibility:
• Process Owners
• Senior Management
• Business Unit Management
• Board of Directors
• Shareholders
• Audit Committee
• External Audit
• Internal Audit
37. RISK MANAGEMENT FRAMEWORK COMPRISES OF...
• Risk Structure
• Risk Portfolio
• Use of risk and control information to improve performance
38. RISK ASSESSMENT AND RECOMMENDATIONS
Risk matrix (Likelihood down the side; Impact across: Low / Moderate / Significant):
• Significant likelihood: Low impact - Medium Risk, Considerable Management Required; Moderate impact - Medium Risk, Must Manage and Monitor; Significant impact - High Risk, Extensive Management Essential
• Moderate likelihood: Low impact - Low Risk, Worth Accepting with Monitoring; Moderate impact - Medium Risk, Management Efforts Worthwhile; Significant impact - High Risk, Management Efforts Required
• Low likelihood: Low impact - Low Risk, Acceptable Risk; Moderate impact - Low Risk, Accept but Monitor; Significant impact - Medium Risk, Manage and Monitor
Risk Assessment:
• Quantify the impact to the extent possible
• Evaluate the possibility of recurrence
• The auditor needs to be objective in this analysis and must put forward his views along with reasons
• Ensure that the recommendations are discussed with the process owners and evaluated with regard to the implementation plan
39. PERFORM ERM BASED INTERNAL AUDITING FOR EFFECTIVE RISK MANAGEMENT
ERM and Internal Audit cyclical relationship (ERM, Internal Audit and Business Operations), with the following links shown on the cycle:
• Direction on audit planning & control environment
• Adequacy of risk management & control environment
• Review effectiveness of risk management
• Direction on risk management
40. SMART – DIA (DIGITAL, INTELLIGENT AND ANALYTICAL) INTERNAL AUDIT PROGRAM
360° Coverage: for sharper, efficient and greater coverage; focus on anti-fraud controls; to be able to do a deeper audit; to align business with regulatory compliance; to make business more resilient against the uncertainties.
• Internal Financial Controls (IFC) incl. IT & Cybersecurity: internal financial controls; IT & cybersecurity controls; ERP application controls; operating effectiveness of the identified controls
• Statutory Compliance: to cover the risk of legal and financial exposure to the Company due to legal and statutory non-compliances
• Operational Auditing: health & safety; volatility in prices; identification and recommending of process automation; sector insights & multidisciplinary and SME
• Risk & Resilience: to cover risks at an enterprise level, review the effectiveness of the mitigation plans and integrate the same with Internal Audit
• Eye of Forensic: applying knowledge and a repository of fraud risks to focus on anti-fraud controls
• Smart DIA, IT: advanced data analytics tool to provide exceptional reporting for effective internal auditing
41. THE BOX-TICKING SYNDROME
The corporate culture is the most powerful control in any organization.
In the corporate governance field, the box-ticking syndrome defines a formal approach to the implementation of corporate governance principles: doing something just because there is a rule that says that you must do it. Over the last few years, financial regulators (mainly in the banking and insurance sectors) have been requiring companies to implement processes for the development and management of risk culture as part of the corporate governance framework.
42. CAN RISK CULTURE FALL INTO THE BOX TICKING TRAP?
• Tone from the top: the management body should be responsible for setting and communicating the institution’s core values;
• Accountability: employees should know and understand the core values of the institution and must be held accountable for their actions;
• Effective communication and challenge: a sound risk culture promotes open communication; and
• Incentives: incentives should play a key role in aligning risk taking with the institution’s risk profile and long-term interest.
43. CHALLENGES AND EMERGING TRENDS IN INTERNAL AUDIT AND INTERNAL CONTROL
• Technological Advancements
• Globalization
• Regulatory Complexity
• Data Analytics
• Agile Audit Methodologies
• Focus on Culture and Behavior
• Sustainability
44. REFOCUS ON RISK ASSESSMENT
The starting point to evaluate the sufficiency of an ICFR program should be a financial statement risk assessment. The risk assessment, which includes specific financial reporting objectives and identification of risks to achieving those objectives, answers these fundamental questions:
• Which controls are necessary to address the company's risks?
• How many controls does the company need?
• What is "just enough" for the company's ICFR program?
45. WHAT CAN MANAGEMENT DO TO REFOCUS?
Management's focus on ICFR should start with determining whether the company's risk assessment process is sufficient to identify and assess the risks to reliable financial reporting, including changes in those risks. Proactive steps management can consider include:
• Refreshing the risk assessment program to incorporate the right people, processes, and technologies to unlock the hidden value.
• Integrating data analytics and visualization to improve the quality of the data analyzed, to support robust risk identification and to report results succinctly to key stakeholders. This, in turn, can rationalize risks of material misstatement to a level of granularity that focuses on what could truly be a material misstatement.
46. REFOCUS ON MANAGEMENT REVIEW CONTROL
Refocus on management review controls (MRCs) to address these issues:
• High compliance costs
• Outdated ICFR programs
• A continued focus on ICFR by regulators
47. REFOCUS ON ROBOTIC PROCESS AUTOMATION
When exploring the adoption of RPA technologies, it’s important to challenge areas where the governance construct may not adequately support these changes. Companies may consider controls in the following layers of the life cycle, from ideation and creation of a bot:
• Development
• Implementation
• Monitoring
48. PRACTICAL IMPLICATIONS FOR RISK PROFESSIONALS
To avoid a box-ticking approach and gain a deeper understanding of how culture works in our organization and how to manage it, we need to:
• Discover
• Design
• Deliver
Leaders play the most important role in this process: they are the main architects of culture, and if elements of the culture become dysfunctional, leadership can and must drive culture change.