The reporting requirements are modelled on the lines of the SOX requirements for US listed entities, which were notified by the Securities and Exchange Commission of the USA in June 2003. The trigger for the introduction of the same were various corporate scandals like Enron, Worldcom, Parmalat etc. Similarly in June 2006, the Financial Instruments and Exchange Act (J-SOX) was passed by Diet, which is the Japanese Parliament/ National Legislature. In the United Kingdom, the UK Corporate Governance Code specified the matters which the Boards of listed companies have to comply with, which inter alia includes matters relating to oversight and review of internal controls in the Company. Just as the various corporate scandals like Enron prompted the introduction of the SOX requirements, the Satyam saga which unfolded in January 2009 has been the prime driver for the introduction of the reporting requirements on Internal Controls over Financial Reporting in India.
The reporting by auditors on internal controls is not entirely new for auditors in India. As all of you would be aware, the auditors in the course of their reporting under CARO 2003 and CARO 2015 were required to report on whether the Company has an adequate internal control system which is commensurate with the size of the Company and the nature of its activities in respect of purchase of inventory and fixed assets and sale of goods and services and whether there is a continuing failure to correct major weaknesses in respect thereof. Thus, the scope of reporting which is envisaged under the Act ,is substantially larger than what was required under CARO 2003 and 2015, which is limited to reporting on the adequacy of internal controls on specific matters. Further, Clause 49 of the Equity Listing Agreement, which has now been substituted by the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 requires an evaluation by listed companies of the internal financial controls and risk management systems by the Board and also a specific assertion by the CEO and CFO that they accept responsibility for establishing and maintaining internal controls for financial reporting and the operating effectiveness thereof. Accordingly, the scope and objectives of Internal Financial Control and the reporting thereof has increased substantially for all classes of companies, which brings along with it various misconceptions and myths in the minds of both the management and the auditors.
Before discussing certain common misconceptions with regard to the reporting on Internal Financial Controls, both from the point of view of both the Management and the Auditors, it would be pertinent to examine the statutory provisions dealing with Internal Financial Controls and Internal Financial Control System from the point of view of the management and the auditors.
Statutory Provisions
The statutory provisions emanate from the Act, and place separate responsibilities on the Management and Statutory Auditors, which are discussed hereunder.
Management’s Responsibility
The Management’s responsibility towards Internal Financial Controls can be examined separately with respect to the following stakeholders:
• Board of Directors
• Audit Committee
• Independent Directors
The statutory provisions in the context of each of the above are analysed hereunder:
Board of Directors
Section 134(5)(e) of the Act requires the Director’s Responsibility Statement in case of a Listed Company, to state whether the Company has laid down internal financial controls[IFC] and whether the same are adequate and operating effectively. It may be noted that listed companies would also cover those where only the debt securities are listed.
Further, explanation to Section134(5)(e) defines IFC as the policies and procedures adopted by the Company for ensuring orderly and efficient conduct of its business including adherence to company’s policies, the safeguarding of assets, the prevention and detection of frauds and errors, accuracy and completeness of the accounting records and timely preparation of reliable financial information.The aforesaid definition encompasses both operational and financial reporting controls, and is much broader in scope than internal financial control systems.
Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board Report of all companies to state the details in respect of the adequacy of internal financial controls with reference to the financial statements.This requirement is much more restricted as compared to that for listed companies since it covers only the controls impacting financial statements and also does not cover the operating adequacy thereof.
Audit Committee
Section177(4) requires that the terms of reference of every Audit Committee shall include an evaluation of the Internal Financial Controls and Risk Management Systems.
Independent Directors
The Code of Independent Directors under Schedule IV emphasises that Independent Directors have to satisfy themselves about the integrity of the financial reporting system and on the strength of financial controls and risk management systems
Misconceptions on the part of Management
There is a common misconception on the part of the Management in many cases, as to whether there is anything new which has cropped up as a result of the aforesaid reporting responsibilities which are specified under the Act and whether anything has really changed?
In this context, two common questions are normally asked, as under:
a) The first question which top managements including CEOs ask is, whether anything has changed and are we saying that the entity did not have controls earlier?
b) Further, as an off shoot of the above, the second question which is asked is, were not the auditors checking and reporting on controls earlier?
More often than not, these questions need to be answered by the auditors (both internal and external) and/or other external consultants.
The answer to the first question is not very direct or simple, and depends upon a variety of factors including the size and complexity of the entity, the nature and extent of existing documentation which is available, the management philosophy and operating style etc., since the fundamental foundation of an Internal Financial Control system is the existence of a documented framework. For the purpose of explaining to the top management including the CEO, an assessment needs to be done in respect of the following matters or should we say ground realities!), amongst others, as deemed necessary:
Is the Code of Conduct documented and even if so, whether the same is communicated.
Are Board meetings actually held or are minutes written just to cover the required agenda matters.
Is quality time spent by the Board on important/critical matters having a material impact on the risk.
The Audit Committee does not allot sufficient time to discuss the interim results or Internal Audit Reports.
The Company has a turnover of over Rs. 500 crore, but does not have a qualified CA in its Accounts/Finance Department.
The Organisational structure is not formalised even though the Company has 500 employees and the job profiles are not documented/reviewed periodically.
Though there is a documented Risk Management Framework and SOPs, the same operate on a standalone basis and the actual activities are conducted based on neither of them. Further, the control points/ activities may not be specifically documented therein. Also, policies and procedures and/or authority levels/ matrices remain undocumented for many key areas/ operations/processes.
The ERP/IT system is changed/modified regularly without proper justification/UATs and no IT system audit has been undertaken for the past several years. Also, the Company uses a Tally package, even though it has multi-locational activities which involve processing of numerous transactions at various points of data entry, which are also modified/changed without proper oversight.
The process of generating MIS is not robust and is based on incomplete data.
Policies and procedures for period end closure of financial statements are not adequately documented, especially in case of multi-location/multiple activity entities and for preparation of consolidated financial statements. Also, unusual events/transactions are not captured, escalated or approved appropriately.
The information/communication system is not adequate /deficient resulting in non-escalation of problems from the lower levels to the middle/top management, lack of open communication, ineffective whistle blower mechanism etc.
Lack of documented controls over preparation and generation of spreadsheets.
An adverse answer to any one or more of the above matters, based on either a Self-Assessment / introspection by the top management or by an external party, would prima-facie indicate lack of or absence of internal controls depending upon the nature, severity, criticality and materiality of the deficiency/deviation which in turn would need to be factored in whilst discharging the statutory reporting responsibilities in the Board Report under the Act as discussed earlier, and could also result in an adverse opinion on ICFR by the statutory auditors under the Act. Accordingly, there should be a comprehensive introspection on the part of the Management with regard to the existence and documentation of Internal Financial controls.
With regard to the second question regarding the change in the responsibility of the statutory auditors vis-à-vis controls, as discussed earlier, the reporting responsibility has broadened/widened. Further, upto last year, the auditors could adopt a non-reliance on controls strategy, by performing more extensive and focussed substantive testing and accordingly opine on the truth and fairness of the financial statements, even if adequate internal controls were not prevelant or documented.
To conclude in one sentence, what the top Management requires is a cultural change rather than a compliance change!
Auditors’ Responsibilities
As discussed above, the auditors responsibility to report in terms of section 143(3)(i) covers all companies. Further, consistent with global practices and based on the Guidance Note issued by the ICAI, internal financial controls as referred to above only relates to Internal Financial Controls over Financial Reporting (‘ICFR’) and thus auditors reporting on Internal Financial Controls is only in the context of the audit of the financial statements.
The following are certain matters which are relevant in this regard:
The definition IFC as per explanation to section 134(5)(e) above is relevant only on the context of the reporting under the same and is not relevant for the reporting u/s. 143(3(i) by the auditor.
Unlisted companies are not required to affirm the operating effectiveness of controls, whereas the auditor is required to report on the adequacy and operating effectiveness of all companies. This would present greater challenges to the auditor in respect of unlisted companies.
Misconceptions/Myths in the Minds of auditors
Whilst discharging their attest responsibilities with regard to reporting on ICFR, the auditors should be aware of certain common and practical misconceptions, which are discussed hereunder.
Concept of Control and Process
Wikipedia defines Control, or controlling, “is one of the managerial functions like planning, organizing, staffing and directing. It is an important function because it helps to check the errors and to take the corrective action so that deviation from standards are minimized and stated goals of the organisation are achieved in a desired manner.
According to modern concepts, control is a foreseeing action whereas earlier concept of control was used only when errors were detected. Control in management means setting standards, measuring actual performance and taking corrective actions.”
Henri Fayol, a French Mining Engineer who had developed a general theory of business administration which was popularly referred to as Fayolism, formulated one of the first definitions of control as it pertains to management as under:
“Control of an undertaking consists of seeing that everything is being carried out in accordance with the plan which has been adopted, the orders which have been given, and the principles which have been laid down. Its object is to point out mistakes in order that they may be rectified and prevented from recurring”.
According to E. F. L. Brech, who was a British Management consultant and an author of several management books, “control is checking current performance against predetermined standards contained in the plans, with a view to ensure adequate progress and satisfactory performance”.
According to Harold Koontz, an American organisational theorist, professor of business management at the University of California, Los Angeles and a consultant for many of America’s largest business organisations, “Controlling is the measurement and correction of performance in order to make sure that enterprise objectives and the plans devised to attain them are accomplished”.
Some of the common characteristics which emerge from the above definitions are summarised hereunder:
Control is a continuous process
Control is a management process
Control is embedded in each level of organisational hierarchy
Control is closely linked with planning
Control is a tool for achieving organisational activities
Control is an end process
Control compares actual performance with planned performance
Control points out errors in the execution process
Control helps in achieving standards of performance.
From the point of view of ICFR, the term control is often used synonymously with the term process, which is a misconception. Both these terms are different even though they may be inter-connected, since one of the characteristics of controls is evaluating the adequacy of or monitoring of the processes within an entity. Process describes the action of taking a transaction or event through an established and usually routine set of procedures, whereas a control is an action or an activity taken to prevent or detect misstatements within the process.
It would be relevant at this stage to understand the difference between process and control, with the help of a few examples.
Some of the important points which are relevant based on the above examples, are discussed hereunder:
a) The distinction between a process or a control is more important in case of predominantly manual activities.
b) In case of activities/processes performed in a predominantly IT environment, a lot of the controls are automated and may not always be visible but get evidenced by exception reports/logs/audit trails. Whilst in such cases the review of IT general and application controls by an IT specialist would give an assurance on the operating effectiveness, these by itself may not always be adequate and may need to be supplemented by high level review controls.
c) In many entities, the control activities indicated above may be actually performed but not specifically documented in the SOPS, flow charts, policy manuals, authority matrix etc. This could be one of the common misconceptions on the part of the top management, who already assume that controls are prevalent and nothing has changed. In such cases, it is important for the auditors and/or other external consultants to advise the Management to document the existing controls as well identify controls for processes or activities where none
Key Factors for Identifying Controls (5WH analysis)
The key factors to assist in identifying controls and differentiating the same from a process can be summarised as the 5WH analysis, which can be explained by considering the following questions, all of which should normally be present for an activity/process to be considered as a control.
Information Produced by the Entity (IPE)
Though the term IPE is referred to in the auditing standards (primarily SA-315 dealing with Risk Assessment and SA- 500 dealing with Audit Evidence), there is no precise definition given therein.
IPE is primarily used by auditors as a source of evidence both for control testing, which includes ICFR as well as substantive testing. Hence, it is important to understand the nature thereof.
IPE is basically in the form of various reports which are generated either through the system or manually or in combination. They may take different forms as under:
Used by the entity – These are used by the entity in performing the relevant controls. These normally take one or more of the following forms:
– Standard “out of the box” or default reports or templates with or without configuration e.g. debtors ageing report
– Custom developed reports which are not a part of the standard application but which are defined and generated by user operated tools like scripts, report writers, query tools etc. e.g. sales by region
– Outputs from end user applications
– Analysis, schedules, spreadsheets etc. which are manually prepared from system generated information or from other internal or external sources.
A lot of information/IPEs may be generated by the Management for its own use all of which may not be relevant and used as audit evidence.
Used by/relevant for the auditor – The IPE which can be used by/relevant for the auditors can be in either of the following forms:
– used by the entity when performing relevant controls
– used by the auditor when testing operating effectiveness of ICFR and substantive testing
It is of utmost importance to test of the accuracy and completeness of the data generated through the IPE. This is a common short coming which needs to be remedied.
The elements of IPE which are relevant from the auditor’s point of view are as follows:
– Source Data which represents information from which the IPE is generated and which can be system generated or manual.
– Report Logic which represents the computer code, algorithms, formulae, query parameters etc.
– Report Parameters which define the report structure, filtering of data, connecting of related reports.
The following considerations govern the testing of the accuracy and completeness of the data generated by IPEs:
– Not all data is captured
– Data is incorrectly input
– Report logic is incorrect
– Inappropriate or unauthorised change of the report logic or source data
– Use of incorrect parameters
The above may involve the help of IT specialists.
Testing of IPE
The testing of IPEs can be undertaken in one or more of the following ways:
Direct Testing – This method can be adopted only in respect of standard parameter driven reports, which are generated directly from the system. It primarily involves the testing of the completeness and logic of the reports and benchmarking may be adopted.
Testing of controls that address the accuracy and completeness of the IPE – This method involves performing the tests on certain specific aspects such as system setting like access, passwords etc. as well as on the parameter settings like interest rates, prices etc.
More often than not, the entity generates various spread sheets which represent IPE to be used by the auditors, which are normally not specifically tested for accuracy and completeness. Hence, it is important to understand the considerations governing the same.
Testing of Spreadsheets
As indicated above, spreadsheets are an important component of IPEs in many enterprises and hence, it is imperative to test the accuracy and completeness thereof. The following are certain controls which can be adopted in respect of spreadsheets:
Change Controls – These involve controls over tracking of version changes and testing and approval of updates prior to deployment.
Access Controls – The spreadsheets should be stored in files or directories whose access is restricted. Further, formula fields should use cell protection measures, to restrict the possibilities of making changes in formulae.
Input Controls – Inputs to the spreadsheets should be validated for accuracy and completeness, when manually entering the data or importing the same. Control totals should be reconciled during data extraction with the source data/system prior to uploading to the spreadsheet
Calculation Controls –Automated algorithms should be used with access and change controls discussed earlier. Important formulae should be periodically reviewed to evaluate their continued relevance.
Testing of controls over spreadsheets would be an important consideration in assessing the effectiveness of ICFR and would involve interaction with the management at an early stage, since there is generally a lack of awareness of assessing and documenting formalised controls in this area as discussed earlier, whilst identifying certain common myths on the part of the top management/CEOs.
Spreadsheets could be used either to generate information to enable monitoring by the Management of various activities/processes as well as for preparation of financial statements. Accordingly, the documentation of the controls therein should be done as a part of the RCM for the individual processes or the financial closing and reporting process as discussed subsequently.
Documentation of the Internal Control Framework
To enable the auditors to report on ICFR, it is necessary for them to base their report on a specific framework, which needs to be documented by the Management. A question which is often raised is, whether there is any standard format for documenting the framework and whether the same needs to be captured in a single document.
In this context, it may be noted that since companies are free to adopt any framework, it would be difficult to lay down a standard format for documenting the same nor is it possible to have the same in one document, since the individual components of the framework would be different for each entity and may involve various documents.
From a practical perspective, it would be advisable to have a Summarised Master Policy Framework document, especially for the smaller and less complex entities, which captures the essence of the framework proposed to be adopted together with the various components and get the same adopted by the Board and/or Those Charged with Governance, if the same is not already done.The Master document may in turn refer to the various other documents/policies at the appropriate place, which would then constitute the comprehensive framework on which the auditors can base their report. These documents can comprise of the following, amongst others depending upon the size of the entity and the nature of its activities:
a) Risk Management Policy
b) Vision and Mission Statement / Ethics Policy
c) Code of Conduct
d) Whistle Blower Policy
e) Internal Audit Charter
f) Audit Committee Charter
g) Anti-Fraud Programme/Policy
h) Budgeting Policy/Process
i) Legal Compliance Framework
j) IT Security Policy
k) Business Continuity Plan
l) Disaster Recovery Plan
m) Outsourcing Policy
n) Succession Policy
o) Authority Matrix
p) SOPs for various processes
q) Process Flow Diagrams
r) Risk Control Matrix (RCM) for each business cycle / process
The following are some of the points which need to be kept in mind:
a) Some of the documents indicated above have to be mandatorily prepared by companies in terms of the Act or the Listing Agreement with the Stock Exchanges e.g. code of conduct, risk management policy, succession policy etc.
b) Whilst the above is a comprehensive list which addresses Internal Financial Controls from the point of view of the Board Reporting responsibilities indicated earlier, the auditors need to consider the same only to the extent relevant for ICFR reporting.
Conclusion:
Whilst every attempt has been made to decode some of the common myths/misconceptions of this new kid on the block, like all kids, this kid would in time become a grown up and responsible adult and have many more of its own challenges!