Control Overview and Risk Assessment Document

WP Ref.:

Prepared by: Namuna Joshi

Date: 12 February 2018

Client: VF Services (Mauritius) Pte. Limited

Period: 1 January 2017 to 31 December 2017

The purpose of this document is to:

 obtain an understanding of client and its environment

 document the assessment of risk of material misstatement

Documentation may be included in this working paper, or other working papers (with cross-reference to
the Control Overview and Risk Assessment Document).

Summary of our understanding of internal control

YES 
Does the control environment appear to be satisfactory?

Does the entity's risk assessment process appear to be satisfactory? YES 

Does the information system, and business processes for financial

YES 
reporting, and communication appear to be satisfactory?

Does control activities appear to be satisfactory YES 

Does monitoring of controls appear to be satisfactory YES 

Control risk is the risk that a misstatement, which could occur in an account balance or class of
transactions and that could be material individually or when aggregated with misstatements in other
balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting
and internal control systems.

Internal control system means all the policies and procedures adopted by the management of an entity to
assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient
conduct of its business, including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and completeness of the accounting records,
and the timely preparation of reliable financial information.

Control procedures mean those policies and procedures in addition to the control environment which
management has established to achieve the entity's specific objectives.
 Control Environment

The control environment includes the attitudes, awareness, and actions of management and those
charged with governance concerning the entity’s internal control and its importance in the entity. The
control environment also includes the governance and management functions and sets the tone of an
organization, influencing the control consciousness of its people. It is the foundation for effective internal
control, providing discipline and structure.

Communication and enforcement of integrity and ethical values

Consider

n What are entity’s ethical and behavioral standards

n How they are communicated

n How they are reinforced in practice.

The entity follows the Code of Ethical Conduct which encompasses anti-corruption,
confidentiality, social media, prohibition against work performed for outside parties during
normal hours, prohibition against false statements, stealing project property and supplies,
falsely reporting time work, punctuality, no political involvement, diligence and respect to
others.

They are communicated by conducting training programs from VFS Global India

They are reinforced upon constant monitoring, supervision, review process and timely
reporting.

Commitment to competence

Consider

n Management’s consideration of the competence levels for particular jobs

n How those levels translate into requisite skills and knowledge

The competence levels for the particular jobs depend upon the post. The management
provides the details of job description, makes analysis of what sort of personnel is required for
a particular job. Different jobs require different qualification, experience and training.

ThThe The competence levels translate into requisite skills and knowledge through on the job training
and cycle evaluation.

Management’s philosophy and operating style

Consider

n Management’s approach to taking and monitoring business risks

n Management’s attitudes and actions toward financial reporting (conservative or aggressive selection
from available alternative accounting principles, and conscientiousness and conservatism with which
accounting estimates are developed)

n Management’s attitudes toward information processing and accounting functions and personnel

The management is conservative and extremely risk averse so they do not undertake any sort
of risks.

Management has positive and supportive attitude towards information processing and
accounting functions.

Organizational structure

Consider

n Key areas of authority and responsibility

n Appropriate lines of reporting

The organization has well defined organizational structure. The key areas of authority include
Manager for corporate security, Operation, Finance, Administration.

The record of operating activities is maintained on Daily report of operation department for
various mission (eg Australia, British council etc) kept by different employee, later shared to
senior officer-operation. Once the Report is reviewed by Manager- Operation (Anil Shrestha),
final reporting is done to Operation department VFS Global Mumbai.

The record of finance activities is kept by Madhukar Karki and he directly reports it to Finance
Department head of VFS Global.

Assignment of authority and responsibility

Consider

n How authority and responsibility for operating activities are assigned

n How reporting relationships and authorization hierarchies are established.

The authority and responsibility for operational activities are assigned on the basis the job
position and hierarchy of the employees and clearly mentioned under organizational chart .

Human resource policies and practices

Consider

n Standards for recruiting the most qualified individuals

n Training policies that communicate prospective roles and responsibilities

n Promotions driven by periodic performance appraisals

There is Centralized Human Resources management as it is outsourced; the entire document

such as personal files, preparation of full and final settlement is done by HR department at
VFS Global Mumbai. Preparation of salary Sheet is done by the outsourced company in India.

Entity’s Risk Assessment Process

An entity’s risk assessment process is its process for identifying and responding to business risks and the
results thereof. For financial reporting purposes, the entity’s risk assessment process includes how
management
n identifies risks relevant to the preparation of Financial Statements

n estimates their significance,

n assesses the likelihood of their occurrence, and

n decides upon actions to manage them.

Once risks are identified, management considers their significance, the likelihood of their occurrence, and
how they should be managed. Management may initiate plans, programs, or actions to address specific
risks or it may decide to accept a risk because of cost or other considerations.
When documenting the entity’s risk assessment process risks can arise or change due to circumstances
such as the following
n Changes in operating environment

n New personnel

n New or revamped information systems

n Rapid growth

n New technology

n New business models, products, or activities

n Corporate restructurings

n Expanded foreign operations

n New accounting pronouncements

The entity’s risks can arise or change due to the circumstances such as changes in operating
environment, new personnel, new or revamped information systems, rapid growth, new
 technology, new business models, products or activities, corporate restructurings, expanded
foreign operations and new accounting policies.

Information system, and business processes for financial reporting, and communication

An information system consists of infrastructure (physical and hardware components), software, people,
procedures, and data. Infrastructure and software will be absent, or have less significance, in systems
that are exclusively or primarily manual.

An information system encompasses methods and records that:

 Identify and record all valid transactions.
 Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper monetary value
in the Financial Statement & Statement of Profit and loss
 Determine the time period in which transactions occurred to permit recording of transactions in
the proper accounting period.

The Organization uses Visa application software customized by different missions (Embassy)
for the purpose of Operation. Such source data is accessed by Finance and Administration
department via Share point software. The organization uses SAP for the purpose of recording
the financial data. Organization have timely System Audit and ISO Audit in order to assure the
Control & Security mechanism followed by it is free from risk.

Control Activities

Control activities are the policies and procedures that help ensure that management directives are carried
out. Control activities, whether within IT or manual systems, have various objectives and are applied at
various organizational and functional levels.

Certain control activities may depend on the existence of appropriate higher-level policies established by
management or those charged with governance. For example, authorization controls may be delegated
under established guidelines, such as investment criteria set by those charged with governance;
alternatively, non-routine transactions such as major acquisitions or divestments may require specific
high-level approval.
Control over Revenue generation process
Control are performed to ensure the accuracy, cutoff, occurrence and completeness
n Visa Application is entered on the visa application system (VISA Application software) of different
embassy by the operation department member of VFS Nepal.
n Daily Revenue data is pulled by SharePoint software through Visa application system
n Rates of Visa fees and Service charges are updated by respective Embassy on VFS website
n Daily Revenue data is uploaded to SAP through share point system, then such data can be accessed
by Finance Department, once the database is updated (entry) by VFS Global Mumbai.
n Daily Accounting Report (DAR) is prepared on daily basis, country wise by operation department
n Such DAR is sent to Finance department on daily basis from Operation department
n Based on DAR, Finance department deposit the draft (group of 25) to concerned authorized bank on
next working day
n This income mainly consist of income generated from the visa processing for countries like Australia,
Canada,Italy,Denmark, Netherland,Turkey , Greece etc.Visa processing charges mainly include the
service charge paid by applicants for services rendered by VF Services:

Information processing
Controls are performed to check accuracy, completeness, and authorization of transactions.
n Application controls apply to the processing of individual applications. These controls help ensure that
transactions occurred, are authorized, and are completely and accurately recorded and processed.
Examples of application controls include checking the arithmetical accuracy of records, maintaining
and reviewing accounts and Account balances, automated controls such as edit checks of input data
and numerical sequence checks, and manual follow-up of exception reports.
n General IT-controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation of
information systems. General IT-controls commonly include controls over data center and network
operations; system software acquisition, change and maintenance; access security; and application
system acquisition, development, and maintenance.
VFS Nepal uses SAP as the accounting software. SAP only allows the valid user having the
valid Username & Password for the data posting, extraction of reports.

Access of Data on SAP is provided to Senior Finance Officer Madhukar Karki, who has the
authority to post the transaction once they are entered from VFS Global Reversal entry is
coded separately by SAP and only Madhukar Karki has the Authority to do such actions. Data
maintained by operation department are accessed through Share point application software,
after using the valid Username and Password

Physical controls
These activities encompass the physical security of assets, including adequate safeguards such as
secured facilities over access to assets and records; authorization for access to computer programs and
data files; and periodic counting and comparison with amounts shown on control records (for example
comparing the results of cash, security and inventory counts with accounting records).
The organization maintains fixed assets register on SAP. The organization has maintained
proper record of date of purchase, value of purchased items, model number, asset type.The
organization have 24hrs camera surveillance, security guards and well as card Access
system.

Segregation of duties
Ensure that following three activities are separately assigned:
 authorizing transactions
 recording transactions, and
 maintaining custody of assets
This would reduce the opportunities to allow any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person’s duties.
VFS Nepal has the segregation of Duties among the different department. It mainly has
Operation, Administration, and Finance Department. Preparation of daily accounting report is
done by operation department and later it is verified along with the daily invoice by
Administrative Department. Database is maintained by VFS global Mumbai, after that it is
 posted on SAP by Senior Finance Manager on SAP of VFS Nepal

Monitoring of controls

It is management responsibility is to establish and maintain internal control on an ongoing basis.

Management’s monitoring of controls includes considering whether they are operating as intended and
that they are modified as appropriate for changes in conditions.

Examples are:
 management’s review of whether bank reconciliations are being prepared on a timely basis
 internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies
 legal department’s oversight of compliance with the entity’s ethical or business practice policies.

Consider:
 assessment and reassessment of design and operation of controls on a timely basis
 necessary corrective actions
 ongoing monitoring activities (activities are built into the normal recurring activities)
 separate evaluations
Bank reconciliations are prepared every month by Santosh Tandukar and reviewed by Madhukar
Karki. The management reviews the bank reconciliation, obtained the confirmation year ended.

The entity makes assessment and reassessment of design and operation of controls on a timely
basis.

VFS Nepal has the segregation of Duties among the different department. It mainly has Operation,
Administration, and Finance Department. The monitoring processes and policies of VFS Nepal comply
with VFS holding. Each Department of VFS Nepal directly report to the Department Head of VFS
Global (Mumbai). Hence VFS Nepal has independent unit wise reporting to VFS Global (Mumbai)