Corporate accountability has been gaining momentum in the Indian scenario. The Companies Act 2013 has now benchmarked itself to regulations like the Sarbanes-Oxley Act and stresses that the auditor has to give an opinion on whether the internal controls that handle financial data are operating effectively. Section 134 and Section 143 of the Companies Act 2013 highlight the requirements for documenting, implementing, enforcing and auditing those internal controls which handle financial data.
This article provides an introduction to Internal Controls over Financial Reporting from the Indian perspective.
Compliance of Internal Financial Controls
over Financial Reporting
Bharath Rao |
mailme@bharathraob.com
Towards regaining public confidence
In the year 2009, we saw investor confidence in the Indian scenario falling from Rs. 300 to Rs. 10 per share. The money so invested was systematically wiped off and withdrawn over a number of years by the management of Satyam, which falsified its accounts. Satyam had betrayed the trust and belief of its investors. This led to a big blow to the accountability and transparency of accounts and internal controls in India.
Incidentally, this problem was highlighted when the Enron, WorldCom and other such scams surfaced to the public world-wide.
It is evident that there is a growing need for the protection of the interest of the public in companies. The money invested by the shareholders needs to be well protected from ill use and must be used for the sole purpose of the objectives levied down by the company. Apart from investors, various other parties rely on the efficient performance of the companies. They include regulators, bankers, vendors, customers, suppliers etc.
Government as a regulator has an implied responsibility to protect the interest of the public. It has come up with stringent regulations for all those types of business entities that run on public money. To quote a few examples, we have the Companies Act 2013, SEBI Act, Clause 49, Multi State Co-operative Society Act etc. Time and again, the Government continues to update the regulations and enforces compliance by virtue of its regulators. Regulators include SEBI, MCA, RBI etc.
In the USA, which is known for its benchmark regulations, the Sarbanes-Oxley Act of 2002 was enacted as a reaction to scandals due to Enron and WorldCom and other notable scams. The following major sections are enforced on the companies of US origin –
1. Section 302 – Disclosure of Controls
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared."
2. Section 404 – Assessment of Internal Controls
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This includes documenting and testing important financial manual and automated controls deployed in the company.
Under the Indian scenario, we have the Companies Act revised in the year 2013. This act was revised as a response to the Satyam scam and to prevent further financial losses. Under the new Companies Act 2013, the following sections pertain to ICFR –
1. Section 134 – Directors' Statement of Internal Controls being adequate and operating effectively
Clause (e) of Sub-section 5 of Section 134 to the Act requires the directors’ responsibility statement to state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.”
2. Section 143 – Auditor’s assessment on the operating effectiveness of Internal Controls
The Companies Act, 2013 specifies the auditor’s reporting on internal financial controls only in the context of audit of financial statements. Consistent with the practice prevailing internationally, the term ‘internal financial controls’ stated in Clause (i) of Sub-section 3 of Section 143 would relate to ‘internal financial controls over financial reporting’.
Considering the above, the auditor needs to obtain reasonable assurance to state whether an adequate internal controls system was maintained and whether such internal financial controls system operated effectively in the company in all material respects with respect to financial reporting only.
A company's internal financial control over financial reporting includes those policies and procedures that –
i. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
ii. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and
iii. Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”
Thus the Companies Act has created a new challenge for the management to design and implement internal controls over the business processes of the company, and an even more difficult task for the auditor of testing the design and operating effectiveness of the implemented controls and checking if the deployed controls are sufficient and adequate against the risk that is present in the company’s business environment.
The Management thus has the following responsibilities –
1. Identify and evaluate the risk present in the business environment
2. Design a control
3. Implement the control
4. Monitor the control
5. Design compensating controls in case a preventive control cannot be implemented.
The management would refer to internal control frameworks such as COSO (Company of Sponsoring Organisations) Internal Control Framework, COBIT 5 (Control Objectives in Information and Related Technology), ISO Standards etc. for guidance on implementing the control.
It is crucial to note that the controls need to be deployed uniformly at all business units of the company. Each control has to be documented and reviewed periodically by the management. The Internal control component can be broken into the following –
a. Control Environment – It refers to the company’s entire business environment.
b. Risk Assessment – It refers to identification and assessment of the risks present in the environment. This is performed to decide the design of the control.
c. Control Activities – A control objective is a statement which emphasises the extent to which the control is to be achieved. A control objective is set after assessing the level of risk that is present in the control environment. These refer to the activities that may be in the form of policies, procedures, organisation structure that would be developed and implemented in the company. A set of control activities are mapped to one control objective.
d. Information System and Communication – It refers to the IT Controls that have to be implemented in the system. IT Controls can be broadly classified into IT Application Controls and IT General Controls.
IT Application Controls vary depending on the applications that have been installed by the enterprise for its revenue generation. Application software is the software that processes business transactions. The application software could be a retail banking system, an inventory system or possibly an integrated ERP. Controls which relate to business applications leading to judicial use of the application and enforced through the application itself to the end user are called IT Application Controls.
IT General Controls are those controls other than IT Application Controls, which relate to the environment within which computer-based application systems are developed, maintained and operated and are therefore applicable to all applications. These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
e. Monitoring Activities – These refer to the controls that are deployed by the management which would monitor the regular activities that are performed using the controls. Usually this is performed by conducting periodic reviews initiated by the Compliance team and audited by the internal audit team.
Management would be able to comply with Section 134 if they are successful in designing, implementing and monitoring the internal controls against the identified risks.
The Auditor would have the following responsibilities –
Financial reporting is like singing a success for any organisation. Just as we see a transition from complex classical music to modern music, there has been a steady change from Historical Reporting to Responsible Reporting. The need for effective presentation of the results makes a difference in decision making to diverse groups of end users who are spread across geographical bodies. Thus financial reporting is a very challenging and complex exercise.
Because of Section 143, Responsible Reporting now includes the auditor providing an opinion on the financial statements and additionally providing an opinion on the operating effectiveness of the internal controls that are in place in the company. Operating Effectiveness refers to the effectiveness of actual performance of the control in the business environment.
Thus the auditor has now become accountable regarding the financial statements and the internal controls. Penalties would be levied on the auditor by the regulators in case he has not fulfilled his responsibility of gaining assurance on the effectiveness of the controls.
The Institute of Chartered Accountants of India has come out with a Guidance Note for auditors which provides guidance towards their responsibility for Internal Financial Controls over Financial Reporting. This guidance note suggests the following methodology that can be followed by the auditor.
Picture adopted from the ICAI Guidance Note for compliance for ICFR released in 2014. Courtesy: ICAI
In addition to the above mentioned approach, the auditor will have to ensure that he performs the following tasks –
a. Perform Design Effectiveness of every control that is being deployed in every business process, business applications and general applications.
b. He would have to obtain sufficient and adequate evidences that would help him substantiate his report in accordance with SA 500. Evidences would include raw system logs, screenshots, tickets, raw files, policy documents, organisation chart etc.
c. He would have to test the controls and document the results as part of his work-papers in accordance with SA 230 (Audit Documentation).
d. His documentation should include testing lead sheets which would provide the following details –
   a. Test Date
   b. Risk, Control Objective and Control Activities and Control Number
   c. Details of the entity which is being audited.
   d. Details of evidence provided and the person who provided the evidence
   e. Completeness check details
   f. Evaluation of design effectiveness. Design simply refers to a documented blueprint of a control. The documentation includes the control objective and the risks being addressed, the control activities, control owner etc.
   g. Evaluation of Operating effectiveness.
   h. Population details and Sampling Methodology.
   i. Testing Summary of the chosen samples and references to the supporting work-papers created as evidence.
   j. In case the auditor would rely on the work of the internal auditor/another auditor in accordance with SA 610/600, he would have to provide his opinion on the quality of testing performed by the Internal Auditor/another auditor.
Thus the ultimate test of Internal Controls is performed here. Based on the inquiries, findings and observations, an Auditor would be able to provide sufficient assurance on whether the incorporated controls are adequate and ensure that there is no harmful effect on the figures presented in the financial statements.
A good chartered accountant loves good challenges and it also means good money, and the big bonus has come out in the form of the Companies Act 2013. It’s only the number which sounds unlucky, but it is nothing but a baggage of new riverside opportunities. One such opportunity for the Chartered Accountant is the services that he can render to ensure that the company would stay compliant with the Internal Controls over Financial Reporting regulatory requirements, and thus he will be able to restore, cultivate and protect the confidence of the investors and other stakeholders of the company.