Companies Act 2013: Gearing up to be in-control of Internal Financial Controls
2 | Companies Act
Gearing up for implementing Section 134
Components of IFC
Requirements as per the New Companies Act 2013
Preamble
Key considerations | Listed | Unlisted public | Private | All
Auditor’s report: Company has adequate IFC system in place and such controls are operating effectively (Section 143)
Audit Committee: Evaluate IFC and risk management systems (Section 177)
Independent directors
…and efforts for companies (minimum regulatory requirement under the new Act)
Financial reporting controls
Operational controls
Fraud prevention controls
IFC = Financial reporting controls + Operational controls + Fraud prevention controls
Example: All material receipts are accurately accounted for at month end
Material procurement plan is validated to prevent excess / short procurement
is robust to eliminate bias
* Paid up capital >= INR 10 Cr; Turnover >= INR 100 Cr; Outstanding loans, borrowings, debentures or deposits in aggregate >= INR 50 Cr
Board report (Section 134)
• Director’s Responsibility Statement: Directors have laid down IFC and such controls are adequate and operating effectively [Section 134(5)(e)]
• Other matters: Board of Director’s report will contain details in respect
statements [Section 134(3)(q) read with Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014]
Requirements under revised Clause 49 - SEBI
Call to action
Familiarize the Board of Directors (especially the Audit Committee and Independent Directors) and Senior Management personnel with respect to their enhanced responsibilities regarding IFC.
Assess the controls set-up in your organization using the following grid:
Assess the current state of
IFC
Policies/Guidelines Operating Procedures
available across the organization
Roles and Responsibilities
All stakeholders are aware of their roles and responsibilities with respect to processes and controls
Management Information System
Ensure adequate and accurate information is available for reporting and decision making
Behaviour
The culture of compliance with laid down guidelines and procedures is evident through the actions and behaviour of individuals and teams
Technology
Several controls are preventive in nature and automated. Detective controls and monitoring processes are technology enabled with one version of truth
Revised Clause 49 of the listing agreement issued by SEBI on 17 April 2014, amended in line with the requirements in the Companies Act 2013:
Board of Directors
CEO and CFO
Audit Committee
Annual Report
Audit Committee
Management Discussion & Analysis should include discussion on internal control systems and their adequacy
The expanded coverage goes well beyond “Financial Reporting Controls”: the focus is on “all the elements” of a Controls Framework, including tone at the top, policies and procedures, operating controls, controls design, controls monitoring etc.
Decoding IFC - What are its components?
Control Compliance Monitoring
Control Operation
Control Design
Control Governance & Standards
Entity Controls
Ethics & Values strategy
Culture
Communication
Policies & Procedures
Organisational Structures
Performance Objectives
Roles & Responsibilities
Capacity to Deliver Objectives
Control Systems
Continuous Improvement
Compliance Monitoring
Control Monitoring
The “Three Lines of Defense” model provides a simple and effective way to enhance communications on Internal Financial Controls by clarifying roles and duties.
The second line monitors compliance with the laid down controls. It is not an independent assurance function, but a monitoring tool for the management.
Audit committee and board of directors provide overall direction and oversight
How to implement IFC and who all need to be involved?
Board of Directors/Audit Committee
Senior Management
1st Line of Defense 2nd Line of Defense
Internal Audit
Independent Assurance
3rd Line of Defense
External Audit
Regulators
Operational and Business Units
(design and operation of controls)
Management Assurance (ongoing controls monitoring)
Board of Directors
FY 2014-15 FY 2015-16
Auditor ! !!
!!
Recommended
Mandatory
What are IFC requirements in addition to IA?
What is the suggested documentation for IFC?
maintenance of records and ongoing monitoring. The following steps are recommended:
First time documentation of controls to be performed to meet IFC requirements
Ongoing IFC testing integrated with IA reviews
Internal control – Integrated framework issued by COSO (Committee of the Sponsoring organisations of Treadway Commission)
Guidance on assessing control published by Canadian Institute of Chartered Accountants (COCO)
Turnbull report (published by Institute of Chartered Accountants of England & Wales)*
* Guidance note has been withdrawn and is currently under revision
Walkthrough documentation
Risk and Control Matrices (RACM)
Requirements | Listed | Private
Financial reporting controls (Based on materiality threshold of group entity)
Operational controls
Fraud prevention controls
SOX
Do we have a structure/program to train our employees on their role in the overall internal controls process?
Do we have relevant skills (skills around fraud risks, IT controls, analytics for continuous controls monitoring etc.), focused teams and bandwidth to support the IFC agenda?
Do we have entity level controls w.r.t policies and procedures, risk assessment, whistle blowing, ethics etc. that are clearly established, communicated and monitored?
Do we periodically review, assess and refresh our controls framework in line with emerging guidance around applicable standards like COSO?
Monitoring & Reporting
Do we periodically update the key stakeholders on Controls and Risk management effectiveness of our organization?
Is there a technology platform to enable proactive and timely monitoring of controls effectiveness?
Do we have adequate and reliable information to certify compliance with IFC requirements according to the Act?
What kind of assurance is provided to the Management and Board on IFC by internal audit and external audit?
Implementation
Are authority, responsibility and accountability clearly (delegation of authority and segregation of
Do we periodically assess and optimize controls to improve effectiveness, reduce costs and support business performance?
Do we have policies and procedures covering all domains such as Finance and Accounts, Business Operations and Compliance?
Are our policies and procedures easy to access and comprehend? Are these maintained and updated on the technology platform on a regular basis?
Do we regularly up-skill our employees to address the emerging needs of our organisation in areas such as GRC, IT controls, fraud risks etc.?
Do we have a common understanding of the “Risks that Matter” among relevant stakeholders?
Do we consider fraud risks as part of the risk management exercise and address them with clear action, accountability and ownership?
Do we pay adequate focus on safeguarding of assets, fraud indicators and perform periodic
Do we effectively track and proactively monitor our compliance agenda around domestic/ international footprint, covenants, compliance with guidelines etc.?
by a CXO
Well prepared
Requires consideration
Implementation
Monitoring & Reporting
How can EY assist you in your IFC journey?
Train Board members (including Audit Committee and Independent Directors) on IFC- related requirements of the Act
Establish internal controls framework covering both Entity Level Controls and Process
with leading industry/controls practices
Benchmark controls against leading practices; IT controls, prevent v. detect, manual v. automated
Design and implement controls self-assessment
Dipstick/ongoing sample testing to assess operating effectiveness of controls
Design and assist in implementation of delegation of authority, segregation of duties etc.
Establish a comprehensive Risk Management Framework and/or targeted intervention in areas such as:
Identifying and prioritizing risks that matter
Automating the risk monitoring process
Monitoring and management of fraud risks
Fraud risk analytics through Data Analytics lab
Implementation of control self-assessment tool
Develop standard operating procedures including relevant policies and guidelines
Rationalize and automate current controls portfolio to reduce overall cost of control while improving effectiveness
Design MIS and board reporting pack to facilitate evaluation of IFCs
Train employees on their role in the overall internal controls process and on leading practices for managing emerging risks in areas such as IT, fraud, contract compliance etc.
Do I need support?
Areas of intervention
To measure the gap that you need to bridge to comply with the Act and understand more about how we are assisting our clients with IFCs, please contact us at
Related EY service offerings
Enterprise Risk Management
Business Performance Management
Compliance Management
Controls Transformation
For any queries on how EY can assist you please contact us at:
Ernst & Young LLP
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity.
guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.
Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016
© 2015 Ernst & Young LLP. Published in India. All Rights Reserved.
EYIN1402-012 ED None
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.