2. Accounting | Audit | Advisory
Contents
• Background to Internal Controls
• IFC – The Companies Act, 2013
• The Roadmap
• COSO Framework
• Controls landscape
• Case studies
• Key takeaways
Background to Internal Controls
• Strong Internal Controls
• Effective Reporting
• Ethics and Values
• Customer Satisfaction
• Profitable Growth
Profitable growth for a business is defined by the effective existence
of customer satisfaction, enviable ethics and values, effective
management reporting and a strong internal control system.
Global Regulatory Framework on Internal Controls
The SOX Act, 2002 is exhaustive legislation applicable to all
Securities and Exchange Commission (SEC) registrants, making it
mandatory to comply with the requirements on internal controls over
financial reporting. Sarbanes-Oxley was enacted as a reaction to a
number of major corporate and accounting scandals, including Enron
and WorldCom. For more than a decade now, SOX has fortified the
corporate walls of the US with a strong financial reporting framework.
Indian Scenario – The Companies Act 2013
The overall trend in the Indian legislative environment is that of aligning its laws and regulations to globally
acceptable standards. In this direction, the Companies Act of 2013 and the subsequent amendments enacted to
the Act usher in a new era of governance and transparency for the Indian corporate sector. The recently enacted
provisions on Internal Financial Controls have made the role of an internal auditor that of an enabler of good
corporate governance.
Currently, apart from the requirement for an Internal Audit for those companies exceeding certain defined
thresholds, there is no other significant responsibility and accountability that is set on those charged with
governance. The new provisions not only set the responsibility on the board but also on the Audit Committee and
the Independent Auditors.
IFC - The Companies Act, 2013
Board of Directors
• Section 134
• Applicable to public listed companies
• Directors’ report shall include a statement on IFCs and their operating effectiveness
Audit Committee
• Section 177
• Audit Committee may call on Auditors to get an understanding of the state of IFC before submitting their report to the Board
Independent Auditors
• Section 143
• To report whether the company has an adequate IFC system in place and the operating effectiveness of such controls.
The term ‘internal financial controls’ means the policies and procedures adopted by the company for
ensuring the orderly and efficient conduct of its business, including adherence to company’s policies,
the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.
The Act has set increased responsibility and accountability on the Board of Directors, Audit Committee,
Senior Management and Independent Auditors. The approach adopted by companies
should be that of a comprehensive risk management program – Enterprise Risk Management (ERM).
Applicability of Internal Financial Controls
• Public listed companies (Section 134)
• Private Limited Companies (Section 143)
The Companies Act, 2013 is silent on what comprises Internal Financial Control. Therefore most
companies look to an established framework such as COSO for guidelines.
The Roadmap
Assess, Develop, Implement, Monitor, Test
• Assess the current state of internal controls
• Embrace a widely acceptable framework or guidelines
• Set the right tone at the top, i.e. those charged with governance
• Ascertain organisational risks which have a financial impact
• Define the Control Objectives and Control Activities to mitigate the risk
• Ongoing continuous monitoring of the functioning of controls
• Obtain independent assurance on the effectiveness of the internal controls, i.e. Independent Auditors
What is the roadmap to implementing IFC? What should you be doing?
Segregation of Duties (SoD) requires more than one person to complete a task.
SoD is an internal control aimed at preventing fraud and errors.
Delegation of authority refers to the assignment of responsibility to another person.
The person who delegated, however, remains accountable for the outcome.
COSO Framework Principles
Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority and responsibility
• Demonstrates commitment to competence
• Enforces accountability
Risk Assessment
• Specifies suitable objectives
• Identifies and analyses risk
• Assesses fraud risk
• Identifies and analyses significant change
Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures
Information and Communication
• Uses relevant and quality information
• Communicates internally
• Communicates externally
Monitoring Activities
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies
COSO is the most widely accepted risk framework in the world. It embodies all the
requirements of organisational risk management principles.
Represents Entity Level Controls
Information Technology Controls
General IT Controls:
Controls designed to ensure that the financial information generated from a company's application systems can be relied upon, e.g.
physical access controls, software version controls, etc.
Application Controls:
Application controls are embedded within software programs to prevent or detect unauthorized transactions and allow the authorization and processing
of transactions.
What are Internal Controls
Entity Level Objectives / Controls:
Broad level objectives defined at an organisation level, which
may include the tone at the top, operating style and ethical
values. They are internal controls that help ensure that
management directives pertaining to the entire entity are
carried out. Entity-level controls have a pervasive influence
throughout an organization. If they are weak, inadequate, or
nonexistent, they can produce material weaknesses relating to
an audit of internal control and material misstatements in the
financial statements of the company.
Preventive Controls:
Preventive controls are designed to avert problems rather than identify them. Some examples
include the use of passwords to gain access to computer application systems, or required
approval for all purchase orders over a certain rupee threshold.
Detective Controls:
Detective controls are meant to identify errors or irregularities after the fact. These may take the
form of reviews, reconciliations, and analyses.
Manual Controls:
Manual controls are carried out by people, as opposed to automated controls (i.e.,
application controls) that take place without direct human intervention.
E.g. manually reconciling a bank statement or a manager reviewing sales based on
budgeted amounts are examples of manual controls.
Automated Controls:
Application controls are embedded within software programs to prevent or detect
unauthorized transactions and allow the authorization and processing of transactions.
E.g. automated controls help ensure a customer number is valid, all required data is entered
for a PO and debits equal credits.
Transaction Level Controls:
Represent more basic level objectives and controls which are
defined at a process or transaction level.
Case Studies
Xerox
• Overstated equipment revenues
• Accounting function was just another revenue source and profit opportunity
• KPMG, its auditors for 30 years, were also charged
• Fined $10 million by the SEC
Satyam
• Overstated cash balances
• Inflated sales by way of recording fictitious sales
• Internal auditors were hand-in-glove with the perpetrators
• PWC, the statutory auditors, were convicted of negligence
WorldCom
• Reported operating expenses as long-term capital investments
• Classified cash reserves as sales revenue
• Deficient controls; autocratic management; inadequate understanding of the functioning by BOD and AC
• Poor quality independent audits
Enron
• Revenue recognition
• Mark-to-market principles of accounting were exploited
• Off-balance-sheet items created to misguide investors
• Lack of auditor independence
• Unqualified audit committee
Key Takeaway
Thank You
1. Clearly defined authority, responsibility and accountability?
2. Periodical assessment of controls
3. Policies and procedures for all functions; easy to understand; updated
4. Up-skilling employees to meet evolving needs
5. Consider fraud risks; safeguarding of assets as part of the risk management
6. In sync with changes to the regulatory environment and SOX, Companies Act, 2013, JOBS Act; changes to COSO Framework.
7. To unlock value, risk management should be seen as a comprehensive evaluation and not driven by a checklist.
About Merican Consultants
• Diverse Offerings
• Client Oriented
• Efficient Team
• Cost Effective Solutions
Merican Consultants Private Limited is a firm of Chartered
Accountants based in Bangalore and provides financial,
accounting, tax and risk advisory services to small and
medium sized enterprises. With a consolidated work
experience of over 25 years, advising clients on diverse
issues, we act as an integrated service provider for all
finance, accounting, tax and audit related needs of the
clients.
Corporate Finance & Investment Banking – Fund Raise
Risk Advisory Services – Internal Audit
Business Establishment – Incorporation of Companies
CFO Assist Services – Outsourced Accounting
Assurance Services – Audit and Attestation
Taxation services
Team
Tarun Kumar Mallappa
Principal Consultant
Tel: +91 80 4174 0023
Mobile: +91 99169 24919
Rohan Arinaya
Principal Consultant
Tel: +91 80 4174 0023
Mobile: +91 99860 70783
Sandeep Arinaya
Principal Consultant
Tel: +91 80 4174 0023
Mobile: +91 98867 85439
Senthil Kumar
Principal Consultant
Tel: +91 80 4174 0023
Mobile: +91 88614 33999
Sunil Louis
Principal Consultant
Tel: +91 80 4174 0023
Mobile: +91 96633 94493
Merican Consultants Private Limited
12/62, Off Reservoir Street
Basavanagudi
Bangalore 560 004
Ph: 080-41740023