internal financial controls [opportunity to redefine ... workshop... · huzeifa unwala founder...
TRANSCRIPT
Huzeifa Unwala Founder
Verita Management Advisors Pvt. Ltd.
Internal Financial Controls [Opportunity to redefine control environment]
August 04 2016
• Fraudulent Financial Reporting
• Global IFC Scenario
• IFC Regulatory requirements in India
• ICOFR implementation guidance by ICAI
• Globally reported material weaknesses
• NBFC Case Study
TOPICS
• Increasing trend of Financial reporting frauds
• Higher number of CEO/ CFO convictions on account of financial reporting frauds
• Most abused accounts Revenue, Capex and employee benefits
• Auditor characteristics don’t really matter
FRAUDULANT FINANCIAL REPORTING
Source - COSO Study on Fraudulent Financial Reporting
• A forensic report prepared for the Serious Fraud Investigation Office (SFIO) shows over a third of India’s top 500 companies, including those in the top 100, are “managing” their accounts.
• It finds that companies where promoters hold more than 50% of total shareholding are more likely to take such steps to impress markets with their performance. Both domestic companies and subsidiaries of multinationals listed in India show similar trends when their shareholding is concentrated in a few hands.
• The report notes that almost all companies whose financial numbers are questionable underreport tax liabilities. Also, all such efforts have been approved by the board of directors of these companies, raising questions about the effectiveness of corporate governance norms in some boardrooms.
FRAUDULANT FINANCIAL REPORTING (India) Cont..
Source - SFIO
.
Background - Global Scenario
• In June 2003, the Securities and Exchange Commission (SEC) of the United States of America adopted Rules for the implementation of Sarbanes – Oxley Act, 2002 (SOX) that required certification of the Internal Controls over Financial Reporting (ICFR) by the management and by the auditors.
• The Public Company Accounting Oversight Board (PCAOB) has issued Auditing Standard (AS) 5 on “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements”.
• In June 2006, the Financial Instruments and Exchange Act (J-SOX) was passed by the Diet, the National legislature of Japan. The requirements of this legislation are similar to the requirements of internal controls over financial reporting under SOX.
• Entities listed in UK main market (i.e LSE) has to voluntarily comply or explain non compliance under the Turnbull Guidance. This is a smart departure from mandatory control attestation over financial reporting.
• Globally also, auditor’s reporting on internal controls is together with the reporting on the financial statements and such internal controls reported upon relate only to internal controls over financial reporting. For example, in USA, Section 404 of the Sarbanes Oxley Act of 2002, prescribes that the registered public accounting firm (auditor) of the specified class of issuers (companies) shall, in addition to the attestation of the financial statements, attest the internal controls over financial reporting.
Internal Financial Controls – Concept, etc.
Definition as per Section 134(5) of the Companies Act, 2013
• Explanation.--For the purposes of this clause, the term "internal financial controls" means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information
Definition as per
SA 315
• Internal control – The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term "controls" refers to any aspects of one or more of the components of internal control.
Internal Financial Controls over Financial Reporting as
per Sec 143
• This guidance provides direction that applies when an auditor is required to report under Clause (i) of Sub-section 3 of Section 143 of the 2013 Act on whether the company has in place adequate internal financial controls over financial reporting and the operating effectiveness of such controls.
• Effective internal financial controls over financial reporting provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal financial controls cannot be considered effective.
Comparison of IFC/ IC definitions
Components
ICFR Operational
Controls Fraud
Prevention IFC
As per section 134 of the companies Act 2013, the term ‘Internal Financial Controls’ means the policies and procedures adopted by the company for ensuring:
• Orderly and efficient conduct of its business, including adherence to company’s policies,
• Safeguarding of its assets,
• Prevention and detections of fraud and errors,
• Accuracy and completeness of the accounting records, and
• Timely preparation of reliable financial information.
Internal Financial Control
Internal Controls minimize the RISKS
to your Organization!!!
Management has a fundamental responsibility to develop and maintain effective internal control.
OBJECTIVES
Objectives of Internal Financial Controls
To develop & implement a framework of Internal Financial
Controls Assessment
Document the process flow, risk and controls for material
processes/significant accounting captions
To identify material weaknesses, significant deficiencies,
deficiencies (if any)
To facilitate Board certification
and ensure full compliance with the provisions of the Companies
Act, 2013
Reporting requirements on Deficiencies
Nature of Deficiencies Reporting Requirement
Deficiency **
Material weakness ^^
Significant Deficiency ##
Management Audit
Committee Board Report / Auditors Report
Yes
Yes
Yes
** A ‘deficiency’ in internal financial control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
## A ‘significant deficiency’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting that is important enough to merit attention of those charged with governance since there is a reasonable possibility that a misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
^^ A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
No
Yes
Yes
No
Yes
No
REGULATORY REQUIREMENT
In case of listed companies, Director’s Responsibility Statement should,
among the other matters, state that director’s has laid down internal
financial controls and such controls are adequate and were operating
effectively.
Director’ s Responsibility
Statement
SEC 134(5)(e) of Companies Act, 2013
The auditors of the companies to report as whether the company has
adequate internal financial controls system in place and the operating
effectiveness of such controls. Auditors reporting on internal financial
controls is effective from FY 2015-16.
Auditor SEC 143(3)(i) of Companies Act, 2013
Background - Indian Scenario
Every Audit Committee shall act in accordance with the terms of
reference specified in writing by the Board which shall inter alia, include,
evaluation of internal financial controls and risk management systems.
Audit Committee
SEC 177(4)(vii) of Companies Act, 2013
Matters to be included in the Board report states that companies should
provide the details in respect of adequacy of internal financial controls
with reference to the Financial Statements..
Board Report
Companies (Accounts) Rules, 2014 Clause 8
Independent directors should satisfy themselves on the integrity of financial information and ensure that IFCs & systems of risk management are robust and defensible
Integrity of Financial
Information
Schedule IV
May call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company
Should act in accordance with the terms of reference specified in writing by the board, which should, inter alia, include evaluation of IFC and risk management systems.
IFC and Risk Management
Section 177 (4) (iv) & (5)
Clause 49 required and continues to require the certification by the CEO
/ CFO stating that on establishing and maintaining IFCs for financial
reporting & evaluation of the effectiveness of internal control systems
pertaining to financial reporting, in addition to disclosures to the
auditors and the audit committee and steps to address rectify the
deficiencies.
Board of Director
Clause 49
The Directors’ report of all companies should state the details in
respect of adequacy of IFCs with reference to the financial statements
only.
Adequacy of IFC’s
Companies (Accounts) Rules, 2014
The CEO i.e. Managing Director or Manager appointed as per Companies Act, and CFO i.e. whole time Finance Director or any other person heading the finance function shall certify to the Board that they accept responsibility for establishing & maintaining internal controls for financial reporting and that they have evaluated the effectiveness of internal control systems of the company pertaining to financial reporting & they have disclosed to the auditors & the Audit Committee, deficiencies in the design or operation of such internal controls, if any, of which they are aware and the steps they have taken or propose to take to rectify these deficiencies.
Apart from the CEO/ CFO certification the Clause 49 prescribes several principles and features of clause 49 that have a significant bearing on the concept and effectiveness of internal financial controls.
Clause 49 CLAUSE 49
Applicability & Conclusion
• On collective reading of Sec – 134 (5) (e), Sec – 143 (3) (i) of Companies Act, 2013, and Rule 8 (5) (viii) of Companies (Accounts) Rules, 2014 it appears that the Auditors of even unlisted companies are required to report on the adequacy and operating effectiveness of the internal financial controls over financial reporting.
• IFC is applicable to Consolidated Financial Statements and not only to Standalone Financial Statements
• Adequacy and effectiveness of IFC to be reported as on Balance Sheet date.
Potential penal consequences
• Imprisonment upto 3 years
• Monetary consequences upto 25 Lacs
ICAI GUIDANCE NOTE
ICAI GUIDANCE NOTE
• Specified date for reporting on the adequacy and operating effectiveness of internal financial controls over financial reporting and applicability in case of interim financial statements
• Auditors’ responsibility for reporting on internal financial controls over financial reporting in case of consolidated financial statements
• Flowchart illustrating typical flow of audit of internal financial controls over financial reporting
• Components of internal control
• Combining the audits
• Addressing the risk of fraud
• Using the work of others
• Identifying entity-level controls
• Identifying significant accounts and disclosures and their relevant assertions
• Understanding likely sources of misstatement
• Testing controls - testing design effectiveness
• Testing controls - testing operating effectiveness
• Relationship of risk to the evidence to be obtained
• Evaluating identified deficiencies
• Indicators of material weakness
• Forming an opinion
ICAI GUIDANCE NOTE
• Reporting on internal financial controls over financial reporting
• Illustrative example of process flow documentation for revenue business cycle
• Entity-level controls
• Direct and precise entity-level controls
• Application controls defined
• IPE in the context of internal financial controls testing
• Testing accuracy and completeness of IPE that the entity’s controls are
dependent upon
ICAI GUIDANCE NOTE
• Service organizations
• Internal financial controls – testing of operative effectiveness
• Remediation Testing
• Using the Work of Internal Auditors and an Auditor’s Expert
• Assessing the risk of management override and evaluating mitigating action
• Illustrative Risks of Material Misstatement, Related Control Objectives and Control
Activities
• Examples of Control Deficiencies
ICAI GUIDANCE NOTE
SCOPE OF INTERNAL FINANCIAL CONTROL
Stages in IFC Implementation
Materiality Assessment
Assessment of Entity Level Controls
Assessment of Process Controls & Remediation of Deficiencies
Control Effectiveness Reporting
Board Certification
Materiality Assessment
Factors affecting identification of significant accounts – Quantitative and Qualitative Quantitative: • Size and Composition of Account (e.g. percentage of profit / networth / turnover) • Volume of activity (e.g. Higher volume of transactions but lesser net financial impact –
derivatives transactions) • Changes from the prior period in account or disclosure characteristics (e.g. turnaround in any
business segment) Qualitative: • Nature of the account or disclosure (e.g. deferred tax) • Susceptibility to misstatement due to errors or fraud (e.g. rebates/ discounts/ claims) • Complexity of transactions (e.g. customized derivative products transacted) • Exposure to losses in the account • Possibility of significant contingent liabilities (e.g. warranty claims) • Existence of related party transactions in the account • Changes from prior period
Identification of Significant Accounts
Entity Level Controls Assessment
Characteristics of Entity Level Controls
• Influences overall control environment – Management Philosophy, Operating Style, Integrity &
Ethical Values
• Controls over management override – Audit Committee and Board Reporting and Oversight
• Risk Assessment Process – Enterprise Risk Management, Business Strategy
• Centralized Processing and Controls – Compliance, Information Technology, H.R.
• Monitoring Controls – Internal Audit, Compliance Monitoring, Audit Committee
• Period-end Financial Processing
• Controls over recording unusual/ exceptional transactions
Key Functions Influencing and responding to Entity Level Controls assessment:
• Human Resource
• Information Technology
• Compliance
• CEO – Management Philosophy, Ethical Values, Enterprise Risk Management
Assessment of Entity Level Controls
• Standard review techniques of inquiry, verification, observation are to be applied for assessing
the effectiveness of Entity Level Controls.
• As these controls generally remain constant during the span of one year, review need to be
conducted once in a year.
• Evidences need to be validated and any control deficiency identified to be promptly reported.
• IFC Steering Committee need to monitor Compliance Tracker for control deficiencies reported
and devised plan of action.
• Report on preliminary review, control deficiencies and compliance need to be submitted to Audit
Committee
Assessment of Entity Level Controls Effectiveness
Process Controls Assessment
Process Controls Assessment
Process Understanding
• Process Walkthrough
• Identification of Sub-Processes and flow of information
• Process Flowcharting
RCM
Preparation
• Identification of Risks
• Identification of Controls
Control Testing
• Design Effectiveness
• Operating Effectiveness
• Deficiency Remediation
Reporting
• Reporting of Control Effectiveness status to Audit Committee
Establishing effective internal control framework require considering following factors:
• Flow of activity/ transaction/ information
• COSO Principles
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
• Compliance Requirements
• Fraud Risk
• Accounting Treatment
• Presentation & Disclosure Requirements
Effective Internal Controls
Following are illustrative key controls, to be applied suitably for respective process being covered
under IFC Framework:
• Governance Controls and Organization Structure
• Segregation of Duties
• Authorizations / Delegation of Power
• Maker – Checker Controls
• Controls over Exceptional/ non-routine Transactions
• Controls over Management Overrides
• Exception Reporting & Escalations
• Application – Input-Processing-Output Controls
• Related Party Transactions
• Compliance Monitoring
• Period-end/ Year-end Provisioning & Accruals
• Outsourcing/ Vendor Servicing
• Turnaround Time & Service Deliveries
• Management Reporting
Illustrative Key Controls at Process Level
Following are illustrative IT General Controls to be applied suitably for respective organization:
• IT Governance – IT Strategy, IT Plan, IT Security Policy & Procedures
• Information Classification
• User Access Management
• Logical Access Controls & Password Security Parameters
• Change Management
• Incident Management
• Backup and Restoration
• Virus and Malware Protection
• End-point Security
• O.S., Database and Network Security Controls
• Data Centre Operations
• IT Assets Management
• Physical & Environmental Security Controls
• Business Continuity & Disaster Recovery Plan
Illustrative IT General Controls
• Standard review techniques of walkthrough, inquiry, verification, observation are to be applied
for assessing the effectiveness of all the controls for respective process.
• Test of design effectiveness will be based on verification of sample of one or two evidences to
check existence and appropriateness of the control (e.g. Recruitment policy and employee
interview assessment sheet, Accounting Policy and Goods Receipt Note, Debit Note)
• Test of operating effectiveness need to be based on samples – sample size depends on control
frequency, key/ non-key controls and auditor’s judgment
• Parameters for Sampling should ensure covering relevant period, geographical locations, branch –
head office, different levels of authorizations, manual and IT controls, key and non-key controls
• Evidences need to be validated and any control deficiencies identified to be promptly reported.
• IFC Steering Committee need to monitor Compliance Tracker for control deficiencies reported
and devised plan of action
• Report on preliminary review, control deficiencies and compliance need to be submitted to Audit
Committee
Assessment of Process Control Effectiveness
IMAGINING RISKS !!!
ERM & IFC
Enterprise Risk Management
• ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
Categories of ERM Objectives
• Strategic objectives
• Operations objectives
• Reporting objectives
• Compliance objectives
Components of ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
ERM and Internal Control
• ERM addresses the environment within which controls function.
• Internal control is encompassed within and an integral part of enterprise risk management.
Enterprise risk management is broader than internal control, expanding and elaborating on
internal control to form a more robust conceptualization focusing more fully on risk.
Some key differences between IFCs and EWRM
• EWRM is applied in strategy setting while internal financial controls operate more
at the process level.
• EWRM is applied across the enterprise, at every level and unit, and includes taking
an entity level portfolio view of risk while IFCs are for the processes which contribute to
financial reporting.
CASE STUDY ON NBFC
Way Ahead – IFC Impact….
• Change in drafting of Letter of Engagement (LOE) by Statutory Auditors.
• Scope of Statutory Audit among others include commenting on adequacy and operating effectiveness of Interim Financial Controls.
• Change in Audit planning and Audit methodology.
• Change in drafting of audit opinion report with specific emphasis on IFC (Sec – 143 (3)(i))
• Director’s report include a statement ensuring implementation of adequate internal financial control and adherence of policy and procedures adopted by the company (Sec -134 (5) (e)) • Board report of all companies to state the details in respect of adequacy of internal financial controls with reference to the “financial statements”
• Integrity of financial statements to be validated by Independent directors. (Schedule IV (II) (4))
• Evaluation of Interim Financial Controls by Audit Committee. Clause 177 (4) (vii)
• Responsibilities of those charged with governance include oversight of design and effective operation of Whistle blower procedures and process of reviewing internal controls.
