On 12th March, 2020 BCAS made an announcement
deferring my talk scheduled a week hence. The previous
day, WHO had labelled the novel coronavirus disease
or Covid-19 as a pandemic. As a consequence, several
precautions snowballed into locking down half the world’s
population as the deadly virus quickly infected over four
million people in 210 countries and claimed tens of
thousands of lives. Our Prime Minister asked for 22nd
March to be observed as Janata Bandh following which
we are into Lockdown 3.0 (and now 4.0 till 31st May,
2020). Some have termed this outbreak as a Black Swan
event and the biggest challenge humanity has faced
since World War II, seriously impacting lives, earnings,
economies and businesses with a whopping toll on the
markets. We still have to see a flattening of the curve
and estimates are that this will trigger a global recession
for an extended period. The trillion-dollar question…
who could have anticipated this and, more importantly,
prepared for it?
Over the last few decades we have been witness to
quite some events of tremendous gravity such as Ebola,
SARS, Bird Flu, the 2008 meltdown, the 2011 Earthquake
and Tsunami, Brexit… With these abnormal occurrences
occurring with discomforting regularity, is this the new
normal?
But what have all these got to do with internal controls (IC)?
Sound internal controls which encompass identifying and
managing risks both internal and external, are a sine qua
non for running a sustainable business. Conventionally
though, internal controls were more of the order of internal
checks and internal audit (IA). Segregation of duties,
maker-checker procedures, vouching transactions,
physical verification of cash, stocks and so on received
a lot of prominence. And internal audit was seen as a
routine albeit necessary activity, coasting alongside the
main operations in business. Within corporations, too, this
function was never the sought-after role for accounting
and finance professionals. Not so any longer. The ever-changing
world in which things are turning more complex
by the day, is only making this entire process difficult and
tricky as we reflect on the Covid-19 pandemic.
INTERNAL CONTROLS
Controls function to keep things on course and internal
controls in any business or enterprise provide the
assurance that there would be no rude surprises. The
Committee of Sponsoring Organisations [1] (COSO) has
defined IC as ‘a process, effected by an entity’s board of
directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement
of objectives relating to operations, reporting and
compliance’. As per SIA 120 issued by the Institute of
Chartered Accountants of India [2], ICs are essentially risk
mitigation steps taken to strengthen the organisation’s
systems and processes, as well as help to prevent and
detect errors and irregularities. In SA 315 [3] it is defined
as ‘the process designed, implemented and maintained
by those charged with governance, management and
other personnel to provide reasonable assurance about
the achievement of an entity’s objectives with regard
to reliability of financial reporting, effectiveness and
efficiency of operations, safeguarding of assets and
compliance with applicable laws and regulations’. IC
therefore encompasses entity level, financial as well as
operational controls (Figure 1).
[1] COSO Committee of Sponsoring Organisations of the Treadway Commission: Internal Control – Integrated Framework, May, 2013
[2] Standard on Internal Audit (SIA) 120 issued by the Institute of Chartered Accountants of India
[3] Standard on Auditing (SA) 315 ‘Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment’, issued by ICAI effective 1st April, 2008
A number of regulatory requirements are in place in the
realm of IC. The Companies Act, 2013 [4] requires the
statutory auditor to report on ‘whether the company has
adequate internal financial controls system in place and
the operating effectiveness of such controls’. It requires
the Board to develop and implement a risk management
policy and identify risks that may threaten the existence
of the company. It imposes overall responsibility on
the Board of Directors with regard to Internal Financial
Controls. The Directors’ Responsibility Statement has to
state that ‘the Directors, in the case of a listed company,
had laid down internal financial controls to be followed by
the company and that such internal financial controls are
adequate and were operating effectively.’ And they have
also devised a proper system to ensure compliance with
the applicable laws and that such systems are operating
effectively. SEBI [5] Regulations stipulate the preparation of
a compliance report of all laws applicable to a company
and the review of the same by the Board of Directors
periodically, as well as to take steps (by the company) to
rectify instances of non-compliance and to send reports
on compliance to the stock exchanges quarterly.
Furthermore, listed companies have additional
responsibilities on Internal Controls for Financial Reporting.
A Compliance Certificate is mandated to be signed by the
CEO and CFO to indicate that ‘they accept responsibility for
establishing and maintaining internal controls for financial
reporting and that they have evaluated the effectiveness of
the internal control systems of the listed entity pertaining to
financial reporting and they have disclosed to the auditors
and the audit committee, deficiencies in the design or
operation of such internal controls, if any, of which they are
aware and the steps they have taken or propose to take
to rectify these deficiencies’. The Institute of Chartered
Accountants of India has formulated Standards on Internal
Audit which are a set of minimum requirements that need
to be complied with. Hence, the overall responsibility
for designing, assessing adequacy and maintaining the
operating effectiveness of Internal Financial Controls rests
with the Board and the management (Figure 2).
THE CONTROLS HIERARCHY
Internal Controls is a vast topic in its own right. What we
will examine in this article are the following aspects:
(i) IC in action,
(ii) Managing Risks, and
(iii) Excellence in Business
[4] The Companies Act, 2013: Sections 134, 143, 149
[5] Securities and Exchange Board of India (SEBI) (Listing Obligations and Disclosure Requirements) Regulations, 2015
Given the enlightened readers’ expert knowledge on the
above, I will dwell on anecdotes from my experience having
been on both sides of the table (auditor as well as auditee)
which could provide perspectives for due consideration.
Internal Controls in action
First, some ground realities:
* IC is commonly perceived as a specialist domain of
auditors whereas fundamentally it is the lookout of every
person in the workforce. Every manager must realise that
s/he has the core responsibility of running operations
consciously abiding by the control parameters. As the
primary owner, every person in charge must provide
assurance that their work domain is under control through
a control self-assessment mechanism;
* IA is perceived as a statutory duty and often deprived
of the credit it deserves. The irony is that this function is
not appreciated when all is well and the first issue to be
frowned upon when something goes amiss!
* Operations get priority and IA, instead of being seen
as a guide and ally to business, is perceived to be an
adversary.
In well-run enterprises there is realisation and
understanding of the importance of IC in running and
growing a sustainable business. Here are some good
practices I have experienced which build and nurture a
healthy control culture in the enterprise.
(i) In Hindustan Unilever (HLL then) there was an
unwritten practice that accountants had to go through a stint in IA. Speaking for myself, I can candidly state that my
appreciation of enterprise-wide business processes grew
during my tenure in Unilever Corporate Audit. I bagged
my first business role to run the Seeds Business in HLL
on the strength of the exposure to various businesses and
functions while in IA. A stint in IA is invaluable in opening
up the mind to the various facets of business;
(ii) Unilever Corporate Audit always reported to the
Board of Unilever and this chain of command percolated
down. In India, we were a resource for the region. IA,
therefore, had the desired independence. Not only did it
give us working exposure in several geographies, we often
worked in teams with members from different countries.
Apart from learning best practices from different parts of
the world, I found the attitude to audit and culture quite
varied. When we came up with issues, in many countries
it would be accepted and debated purely at a professional
level, whereas in some it would be taken as a personal
assault by the auditee! Managing such conflicts by open
communication and objective fieldwork / analytics is a
valuable experience in honing leadership skills;
(iii) IA used to take on deputation team members from
other functions such as Manufacturing, Sales, QA, etc.
This provided a two-pronged advantage. As a primary
owner of controls, such functional members became the
spokespersons for demystifying IA within the organisation.
Equally, these members brought in their domain expertise
to raise the quality within IA, in particular on operational
controls. Involving and engaging team members in
different ways helps in building the control culture;
(iv) Audit always began with a meeting with the Chairman
/ MD / Business Head as the case may be. Not only
did this give a perspective to the business but it also
highlighted for the IA team the priorities and areas where
the business looked for support from IA. This would also
demonstrate the senior leadership’s commitment to IA.
Soon thereafter, we would convert this into a Letter of
Audit Scope outlining the focus areas of the particular
audit. In a sense, it was like giving out the question paper
before the exam! Open communication with the auditee
and a constructive attitude is the core of a productive
outcome.
Managing Risks
At the core of Board functioning in a company is the task
of managing risks. With change and uncertainty being
the order of the day, regulations require listed companies
to have a separate Risk Management Committee at the Board level which is often chaired by an Independent
Director. While identifying and managing financial and
operational risks can be delegated to the management,
the Board focuses on strategic or environmental risks.
A major risk which we find emerging is that of disruptions.
While the other risks which are identified or anticipated can
be reasonably managed, businesses today feel challenged
due to disruptions coming from various quarters. These
could be in the form of Regulatory disruption (e.g. FDI in
multi-brand retail), Market disruption (e- and m-commerce
congruence), Competitive disruption (Jio in the telecom
space), Change in consumer buying behaviour (leasing
or renting vs. buying) or Disruptors in the service space
(Airbnb or Uber). What businesses need to be planning
for is not just combating competition from traditional
competitors, but that coming from the outside as well.
The purport of these external risks becomes clear, as
pointed out by the World Economic Forum [6], as global risks
– an unsettled world, risks to economic stability and social
cohesion, climate threats and accelerated biodiversity
loss, consequences of digital fragmentation, health
systems under new pressures. As for Covid-19, there
were research papers published post the SARS event
warning about such an eventuality. Stretching it further,
even films such as Contagion portrayed this. It is feared
that a number of MSMEs and startups may get seriously
throttled due to this disruption. How seriously do Boards
and managements take the cue from such pointers going
forward and, more important, prepare for such disruptions
is going to be the key in sustaining businesses.
As we learn to work differently during lockdowns, there is
a growing reliance on remote working and heightened use
of technology. Webinars, video chats, video conferences,
e-platforms and Apps have become daily routines and
add another dimension to cyber security, data protection
and data privacy.
In Rallis India Limited, it had been the practice for many
years to have an off-site meeting of the Board devoted
to discussing strategy and long-term plans. It is now
imperative that companies use such fora at a Board and
senior leadership level not only to debate annual and
long-term plans, but also scenario planning simulating
various major risks. These are necessary to strengthen
IC by crafting exhaustive disaster recovery plans not
only for operations or digital disruptions, but also for force majeure events occurring in different magnitudes
across the extended supply chain both within and
externally.
[6] World Economic Forum: The Global Risks Report, 2020
Excellence in Business
In the Tata Group, in addition to instilling the Tata Code
of Conduct, all companies adopt the Tata Business
Excellence Model [7] (TBEM). Based on the Malcolm
Baldrige model of the USA, TBEM encourages Tata
Companies to strive for excellence in every possible
manner. Instituted by Chairman Emeritus Mr. Ratan Tata
in honour of Bharat Ratna Late J.R.D. Tata who embodied
excellence, TBEM is the glue amongst Tata Companies
to share best practices and provide a potent platform
for leadership development. Last year marked the 25th
year of its highest award called the JRD-Quality Value
Award, which was bestowed on companies that reached
a high threshold of business excellence. Rallis won the
JRD-QV Award in 2011 and I benefited hugely having
been an integral part of the TBEM process. This gave
me tremendous perspectives on managing businesses,
especially in the following areas:
(a) TBEM is a wall-to-wall model touching every aspect
of business from leadership to strategy to customer
to results. A trained team comprising members from
different backgrounds and businesses comes together
for an assessment over many man-months. While
assessment is done against a framework, this is not
in the nature of an audit. Evidence and records do not
get as much importance as interactions with people. It
is not uncommon for a team to interact with a thousand
persons connected with the company being assessed,
both workforce as well as other stakeholders. Therefore,
the smell of the company would give a perspective on
governance matters as well. Excellence assessments
are a great discipline for organisations to get an external
assurance on both governance and internal controls;
(b) Unique to TBEM is the practice of having Mentors for
every assessment. I have been privileged to be a longstanding
Mentor. The Mentor essentially assesses the
strategy of the company and also plays the crucial role of
being a bridge between the company and the assessing
team. The Mentor finally presents the assessment finding
to the Chairmen both at the company and at the Group
level. Over the years this has given me exposure to various
industries ranging from steel to battery to insurance to
coffee and retail, not to speak of connecting with scores of people within the Group and beyond. A great tool for
leadership development;
(c) TBEM uses the lens of continuous improvement
to assess businesses. Deep within lies the twin benefit
of this not only sharpening controls but also constantly
improving the effectiveness and efficiency of business
processes. The DNA of excellence in an organisation
leads every individual to keep questioning and enriching
jobs. Excellence is a journey, not a destination and a way
of doing business.
[7] www.tatabex.com – About us – Tata Business Excellence Model
Bringing these together
All the three components, viz., risk management, internal
audit and business excellence acting in unison are
crucial to building and nurturing a sustainable business.
In many organisations, however, the degree of maturity
and the level of execution of each of these vary and are
rarely found to be harmoniously in motion. Embedded in
this lies the fact that each of these is driven by different
frameworks, parameters, regulations, formats, reporting systems, teams and so on. A softer aspect is that most
of this is perceived as a theoretical exercise and the
operating management having to fill in tedious forms
while running the business!
Here is an approach (Figure 3) which integrates all
of these driving similar goals and therefore avoiding
repeated exercises involving the operating teams.
The Enterprise Risk Management exercise carried out
across the organisation involving internal and external
stakeholders culminates in the identification of the
environmental, strategic, operational and financial risks
of the business. The Enterprise Process Management
model crafts all the business processes into three
levels which can be aligned and integrated with the
mitigation plans for the risks. These L1, L2 and L3
processes keep getting updated and improved annually
to drive continuous improvement as well as to enhance
controls.
The internal audit self-control checklists as well as audit
plans would be dovetailed with these mitigation plans and
processes. Such an approach will not only ensure that operations are run within the defined control framework
keeping risks within the appetite of the business, but
also strive continuously for excellence as processes
keep improving their efficiencies and effectiveness. This
integrated framework will then flow through populating the
various formats required and help the operating teams
to also address different reviews in a cohesive manner.
Above all, this brings in the desired objective of the entire
workforce viewing and putting into action the entire gamut
of the internal control framework enabling them to register
a superior performance in business.
The Late J.R.D. Tata’s quote sums this up well: ‘One
must forever strive for excellence, or even perfection, in
any task however small, and never be satisfied with the
second best.’
Driving excellence, all businesses will necessarily need
to uphold the highest standards of governance and
internal controls for long-term sustainable value creation,
committed to all stakeholders.
(This article is a sequel to Part 1 published on Page 15 in
BCAJ, March, 2020)