Internal Controls DLTT


Internal Financial Controls
Take control. Add value

14 April 2016
Contents

1 Understanding regulations
2 Focusing on business value, not compliance
3 Getting audit ready

© 2015 Deloitte Touche Tohmatsu India Private Limited


Understanding regulations



Key questions

• What does the regulation say?
• What are the global benchmarks?
• What are the timelines? Whose job is it anyway?
• What is the difference between Internal Control (IC), Internal Control over Financial Reporting (ICFR) and Internal Financial Controls (IFC)?
• Is it for all companies? My group includes listed, unlisted, Indian subsidiaries and foreign subsidiaries.
• What are the consequences of non-compliance?
IFC – Companies Act, 2013 Requirements

Integrity of financial statements to be validated by independent directors

Para II (4) of Schedule IV: Code for Independent Directors
Independent Directors shall satisfy themselves on the integrity of financial information and that financial controls.

Board to ensure implementation of adequate internal financial controls

Section 134 (5)(e) – one of the requirements of the Directors' Responsibility Statement (S. 134 (3)(c))
The report by the Board of Directors (BOD) shall include a statement ensuring implementation of adequate internal financial controls and adherence to the policies and procedures adopted by the company, with the objective of orderly and efficient conduct of its business, safeguarding of the company's assets, prevention and detection of frauds and errors, accuracy and completeness of the accounting records, and timely preparation of reliable financial information.

Auditor's report to state adequacy and effectiveness of internal financial controls

Section 143 (3)(i)
The auditor's report for all companies (listed or not) shall state the adequacy and operating effectiveness of the company's internal financial controls.

Audit Committee to evaluate internal financial controls

Section 177 (4)(vii)
Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board, which shall inter alia include evaluation of internal financial controls and risk management systems.


IFC – Companies Act, 2013 Requirements (continued)

Internal Controls for Unlisted Companies

Rule 8 (5) (viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors to report on the adequacy of internal financial controls with reference to the financial statements.


IFC – Companies Act, 2013 Requirements (continued)

Reporting on Internal Financial Controls on Consolidated Financial Statements

All the requirements applicable to the Standalone Financial Statements apply mutatis mutandis to the Consolidated Financial Statements.


Ambit of Internal Financial Controls – Companies Act, 2013

The ambit of Internal Financial Controls in the Companies Act, 2013 goes beyond ICFR. The resultant IFC framework adopted by the company will have to address a combination of internal controls over financial reporting and other controls in order to align with the definition of IFC in the new Act.

As per the Companies Act, 2013, Internal Financial Controls means the policies and procedures adopted by the company for:
• ensuring orderly and efficient conduct of its business
• safeguarding of assets
• prevention and detection of frauds and errors
• accuracy and completeness of accounting records
• timely preparation of reliable financial information


Comparison between Companies Act, Clause 49 and SoX

Companies Act, 2013
• Responsibility of the Board
• Board Report to contain a statement on adequacy of internal financial controls
• Audit committee to evaluate internal financial controls
• Auditor's report to comment on adequacy of the internal financial controls system and operating effectiveness of controls
• No framework mandated
• Definition of IFC goes beyond financial reporting

Clause 49 of listing agreement
• Responsibility of the CEO/CFO to maintain internal controls for financial reporting
• Evaluate the effectiveness of internal control systems pertaining to financial reporting
• Indicate to the auditors and the audit committee significant changes to accounting policies and internal controls for financial reporting
• Effective from October 1, 2014
• Board and Audit Committee responsibility brought in line with Companies Act, 2013

Sarbanes-Oxley Act
• Responsibility of the signing officer of the Annual report to establish and maintain internal controls
• Annual report to contain management report on ICFR
• Auditors to report on and attest to management's assessment of ICFR
• Compliance program is required to be aligned to the COSO framework
• Definition covers specifically ICFR


Applicability chart

The chart maps each reporting obligation to the scope of controls it covers (ICFR alone, or the wider Internal Financial Controls, i.e. ICFR plus policies and procedures); adequacy and operating effectiveness are the two attributes reported on.

• Directors' Responsibility Statement for a listed company: Internal Financial Controls (ICFR + policies and procedures)
• Board report for an unlisted company: ICFR
• Auditors' reporting: ICFR, adequacy + operating effectiveness


Consequences of non-compliance

As per section 134 (8), if a company contravenes the provisions of this section, the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty-five lakh rupees, and every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.


Focus on business value, not compliance


Key questions

• How can I leverage compliance to drive business value?
• Who should drive it? Whose involvement is needed?
• There is no guidance on implementation; where do we start?
• What is the approach and methodology to be followed?
• How do I roll out across the group?
• Is it a one-time effort? What is needed to sustain and improve?
Functional Involvement

Stage                       Finance   IT    Business
Planning/Scoping Document   ✓✓        ✓     ✓
Process documentation       ✓         ✓     ✓
Control Matrices            ✓         ✓     ✓✓
Training                    ✓         ✓     ✓

(✓ = function involved; ✓✓ = the function given a double tick for that stage in the original.)
IFC Coverage

Entity Level Controls
• Anti Fraud Program
• Whistleblowing
• Internal Audit
• Budgeting Process
• Ethics & Code of Conduct
• Enterprise Risk Management

Processes across business cycles
• Retail & Stores Management
• Distribution
• Procedure
• Service Income
• Contracting & Compliance
• Project Management
• Policies & Procedures
• Customer Acquisition & Order Management
• Supplier Selection & Supply Chain
• Quality Management Control
• Employee Management
• Acquiring & Safeguarding Fixed Assets

Financial Reporting Controls
• Processing Depreciation
• FS Preparation
• Direct Taxes
• Disbursements
• Provision on doubtful debts
• Manage cash & investments
• Payroll Master

Technology Controls
• IT Security
• Application Systems
• Disaster Recovery
COSO Framework



COSO Framework – Components and Principles

Components and summarised principles:

Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability

Risk Assessment
• Specifies relevant objectives
• Identifies and analyses risk
• Assesses fraud risk
• Identifies and analyses significant change

Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys policies and procedures throughout

Information and Communication
• Uses relevant information
• Communicates internally
• Communicates externally

Monitoring Activities
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies


Illustrative Controls – Control environment

Large Organizations
• Publishing the integrity and ethics policy on the Company's website
• Sharing it with employees and taking periodic confirmations of adherence
• Including it in contracts with service providers and taking their concurrence, etc.

Smaller Organizations
• Displaying the integrity and ethics policy in the premises
• Including a reference to it in the Appointment Letter
• Sharing it with service providers and taking their concurrence


Illustrative Controls – Risk assessment

Large Organizations
• Mandatory Leave policy
• Periodic job rotation
• Vendor assessment and registration
• Audit of vendors, pricing / discount controls
• Controls over banking transactions
• Identification, approval and authorization of related party transactions, etc.

Smaller Organizations
• Periodic physical verification of assets to address theft, loss, defalcation, etc.
• Signed contracts to formalize oral arrangements / understandings


Illustrative Controls – Control Activities

Large Organizations
• Stronger segregation of duties
• Formal SOPs
• ERP including GRC solutions, etc.

Smaller Organizations
• Periodic management reviews
• Manual controls
• Higher and direct supervision by senior management executives


Illustrative Controls – Information & Communication

Large Organizations
• Internal communications through various channels, like emails, webcasts, town-halls, technical trainings, etc., and also across various departments
• Specific cells to take charge of external communications, including with regulators, media, stock exchanges, etc.
• Reliable systems, information security controls using standards such as ISO 27001, etc.

Smaller Organizations
• Weekly / monthly management meetings, periodic physical visits by the MD / CEO to plants, operations, marketing channels, meeting employees, etc.
• Physical controls over data, e.g. minutes of meetings, etc.


Illustrative Controls – Monitoring

Large Organizations
• Ongoing evaluations are automated and exceptions are reported and evaluated for appropriate approvals
• Separate evaluations are conducted by experts, either internal or external
• Monitoring of operations at third party processing centers

Smaller Organizations
• Higher emphasis on ongoing evaluations
• Separate evaluations are carried out by independent personnel or internal auditors
• Higher and direct supervision by senior management


Internal Control Environment

• Entity Level Controls
• Process Level Controls
• IT Controls
Entity Level Control

CONTROL ENVIRONMENT
Overall control environment supported by adequate processes & controls, such as a Code of conduct for Directors and senior management

RISK ASSESSMENT
Existence of a Board level Risk Management Committee and a Disciplinary Committee

CONTROL ACTIVITIES
Existence of automated and manual controls for various processes within the business. Documented policies and process manuals

INFORMATION & COMMUNICATION
Internal and external reporting of financial and non-financial information

MONITORING ACTIVITIES
Internal Audit reports, Whistle blower policy
IT Controls

USER ACCESS
Policy definition; access reviews

ACCESS LOGS
Monitoring for PIMS

CUSTOM PROGRAMS
Access reviews

CHANGE MANAGEMENT
Change policy; approvals

PASSWORD POLICY
For OS and ERP
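The "access reviews" item above is usually performed by reconciling the application's user list against the HR roster and a segregation-of-duties (SoD) matrix. The script below is an added example written for this page, not code from the deck or from Deloitte; every input in it is constructed (a hypothetical HR roster, a hypothetical ERP user export and a hypothetical SoD conflict list), and the 90-day dormancy threshold and review date are assumptions.

```python
"""Periodic ERP user access review with a segregation-of-duties (SoD) check.

Added example written for this page; it is not from the original deck. All
inputs are constructed: a hypothetical HR roster, a hypothetical ERP user
export and a hypothetical SoD conflict list. Three checks are run:
  1. leavers whose ERP account is still active,
  2. dormant accounts (no login within DORMANT_DAYS),
  3. users holding two roles the SoD matrix says must not be combined.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

REVIEW_DATE = date(2016, 4, 14)  # assumed review date
DORMANT_DAYS = 90                # assumed policy threshold


@dataclass(frozen=True)
class ErpUser:
    user_id: str
    employee_id: str          # "" for accounts with no HR link (service accounts)
    roles: FrozenSet[str]
    active: bool
    last_login: Optional[date]


# Constructed HR roster: employee_id -> (name, employment status)
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "E100": ("A. Rao", "active"),
    "E101": ("B. Singh", "active"),
    "E102": ("C. Mehta", "terminated"),
    "E103": ("D. Iyer", "active"),
}

# Constructed ERP user export
ERP_USERS: List[ErpUser] = [
    ErpUser("arao", "E100", frozenset({"VENDOR_MASTER", "AP_INVOICE_ENTRY"}), True, date(2016, 4, 12)),
    ErpUser("bsingh", "E101", frozenset({"VENDOR_MASTER", "PAYMENT_RELEASE"}), True, date(2016, 4, 13)),
    ErpUser("cmehta", "E102", frozenset({"GL_POSTING"}), True, date(2016, 1, 5)),
    ErpUser("diyer", "E103", frozenset({"REPORT_VIEWER"}), True, date(2015, 12, 1)),
    ErpUser("svc_batch", "", frozenset({"GL_POSTING"}), True, date(2016, 4, 14)),
    ErpUser("old_admin", "E103", frozenset({"SYS_ADMIN"}), False, None),
]

# Constructed SoD matrix: pairs of roles that must not be held by one user.
# Someone who can create a vendor and release payment to it can pay a fictitious supplier.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"VENDOR_MASTER", "PAYMENT_RELEASE"}),
    frozenset({"AP_INVOICE_ENTRY", "PAYMENT_RELEASE"}),
}

Finding = Tuple[str, str, str]  # (finding type, user_id, detail)


def review_access(hr_roster, erp_users, sod_conflicts,
                  review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS) -> List[Finding]:
    """Return the exceptions a reviewer must disposition. Inactive accounts are skipped."""
    findings: List[Finding] = []
    for u in erp_users:
        if not u.active:
            continue
        hr = hr_roster.get(u.employee_id)
        if hr is None:
            findings.append(("NO_HR_RECORD", u.user_id, "active account not linked to a current employee"))
        elif hr[1] == "terminated":
            findings.append(("LEAVER_ACTIVE", u.user_id, f"{hr[0]} has left but the account is still active"))
        if u.last_login is None or (review_date - u.last_login).days > dormant_days:
            findings.append(("DORMANT", u.user_id, f"no login in the last {dormant_days} days"))
        for pair in sod_conflicts:
            if pair <= u.roles:  # the user holds both conflicting roles
                findings.append(("SOD_CONFLICT", u.user_id, " + ".join(sorted(pair))))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by type; this is the evidence the reviewer signs off on."""
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, user, detail in review_access(HR_ROSTER, ERP_USERS, SOD_CONFLICTS):
        print(f"{kind:14} {user:10} {detail}")
```

The review output (the findings list and the reviewer's disposition of each) is the "what is generated to prove the control was performed" evidence; service accounts with no HR owner are reported rather than silently skipped, since they are the accounts most often left unreviewed.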


Illustration: Process Level Controls

Identify business cycles, the business processes within them, and the related account balances.

Revenue
− Business processes: Sales order processing; Invoicing
− Related account balances: Sales; Receivables

Inventory Management
− Business processes: Materials receipt and storage; Inventory master maintenance
− Related account balances: Inventory; Cost of sales

Expenditure
− Business processes: Procurement; Processing accounts payable; Vendor master maintenance
− Related account balances: Accounts payable; Expenses; Accruals

Payroll
− Business processes: Employee master maintenance; Salary processing; Recruitment, separation
− Related account balances: Salaries and Wages; Accruals and provisions

Fixed Assets
− Business processes: Asset acquisition; Capitalization; Depreciation; Disposal; Impairment
− Related account balances: Capital Work in progress; Property; Gain / Loss on sale

Treasury
− Business processes: Managing surplus cash; Short term investments and borrowings
− Related account balances: Investments; Borrowings; Interest expense and accruals; Interest income and accrual

FCRP (financial close and reporting process)
− Business processes: Grouping of accounts; Cut off activities; Approvals for specific provisions
− Related account balances: Provisions; Taxation (Current and Deferred); Contingent Liabilities
Accounting Assertions

Accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately.
Completeness: All transactions and events, assets, liabilities, and equity interests that should have been recorded are recorded.
Validity: Transactions and events that have been recorded have occurred and pertain to the entity.
Cut Off: Transactions and events have been recorded in the correct accounting period.
Valuation and Allocation: Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
Presentation and Disclosure: Recorded transactions and events are properly classified, described, and disclosed in the financial statements.
Overview of Controls

Levels of control: Entity level; Process level

Preventive controls: Segregation of duties; Authorization; Application controls
Detective controls: Review; Reconciliation; Physical verification

Nature of control: Manual; Automated
Key considerations in a Control
Understand & document the Who, What, When, Where, Why & How…

Who … performs the control? Does this person have the requisite knowledge / authority?

What … is generated to prove that this control was performed?

When … is this control performed? Frequency (daily, weekly, monthly, quarterly, etc.)? Is it frequent enough to prevent / detect & correct the risk?

Where … is the evidence of control performance retained? For how long? Is it accessible for audit?

Why … is this control being performed? What types of errors should be prevented or detected?

How … is this control being performed? What activities are included? Can these activities be bypassed? Can the bypass be detected? How are issues resolved, once identified, and in what timeframe? Is this fast enough to mitigate the risk?

Focus your questions on the assertions the control is making.
Getting ready – project steps

PHASE 1: Scope and Plan the Project
Project Plan
• Objectives, scope, deliverables, approach and timeline.
Scoping and Risk Assessment
• Significant accounts and disclosures and their linkage to significant processes, and related technology.
IFC Framework
• Adopt an internal controls framework.
Deliverable: Risk Assessment and Scoping Document

PHASE 2: Assess and Define
Entity Level Controls (ELC)
• Study of existing documentation and interviews with the management.
Risk and Control Matrices (RCM)
• Evaluate RCM by leveraging on ELC and automated application controls.
• Consider IT GCs for scoped-in IT environments.
Process Walkthrough
• Significant processes using narratives and / or flowcharts, and also considering existing documentation.
Deliverable: Key Risks and related Control Matrix

PHASE 3: Test and Remediate
Evaluation of Design
• Evaluation of the design of the Control Activity to mitigate the identified risks.
Evaluation of Implementation
• Test if the control has been appropriately implemented as per design.
Remediation Plans
• Develop remediation plan for identified design and implementation deficiencies.
Deliverable: Design Control gaps and remediation plan

PHASE 4: Perform Operating Effectiveness Tests and Document
Development of Test Plans
• Design test attributes.
Performance of Testing
• Perform testing of control effectiveness and document with sufficient evidence to enable an independent verification of the work.
Additional Remediation Plan
• Identify control gaps, if any, and prioritize the same for remediation by development of additional Remediation Plans.
Deliverable: Control effectiveness gaps and remediation plan

PHASE 5: Monitor Controls and Assert
Support of Auditor Testing
• Advise on and support the testing performed by the auditor.
Monitoring & Roll-forward Testing
• Monitoring of controls and the performance of roll-forward testing.
Evaluation of Deficiencies
• Facilitate management's evaluation of deficiencies.
Additional Remediation Plan
• Update deficiencies identified by auditors.
Deliverable: Deficiencies evaluation and management responses


Control Effectiveness - Strategic shift to get business value

(Chart: controls plotted on two axes, Preventive vs Detective and Manual vs Automated.)
Internal Financial Controls Journey

Internal Control implementation and sustenance, in the order the chart lays the steps out:
1. Plan and scope
2. Perform risk assessment
3. Identify significant controls
4. Document controls
5. Evaluate control design
6. Evaluate operating effectiveness
7. Identify and remediate deficiencies
8. Document results
9. Build sustainability of control environment
10. Business value


Getting Audit ready



Key questions

• What is the basis for Audit of IFC?

• What would be key considerations in the Audit process?

• What are the likely opinions?

• What should be the timing of the Audit?

Audit of Internal Financial Controls over financial reporting - Broad Steps

Planning & Scoping → Design & Implementation → Operating Effectiveness → Final Conclusion & Reporting


Identifying significant accounts and disclosures (SAD) and their relevant assertions

AUDITOR SHOULD

Evaluate both qualitative and quantitative risk factors of accounts and disclosures, which include:
• Size and composition of the account;
• Susceptibility to misstatement due to errors or fraud;
• Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure;
• Nature of the account or disclosure;
• Accounting and reporting complexities associated with the account or disclosure;
• Exposure to losses in the account;
• Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure;
• Related party transactions;
• Changes from the prior period in account or disclosure characteristics.

Identify the relevant assertions that have a reasonable possibility of containing a misstatement:
• Existence or occurrence;
• Completeness;
• Valuation or allocation;
• Rights and obligations;
• Assertions relating to presentation and disclosure.

• The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure.
• In case of multiple locations/units, the auditor should identify significant accounts or disclosures as a whole.


Identify and understand significant flows of transactions
Identifying Relevant Controls over IPE (information produced by the entity)

1. Identify the relevant controls that address the relevant risks of material misstatement.
2. Determine if the relevant control uses IPE.
3. Understand the IPE and determine which aspects (e.g., the specific data) of the IPE are important to the effectiveness of the relevant control.
4. Determine whether the control (user) sufficiently addresses ("validates") the accuracy and completeness of the IPE, or whether the control (user) is dependent upon other controls over the accuracy and completeness of the IPE.

Validates: Our evaluation of the design and operating effectiveness of the relevant control that uses the IPE supports why the precision of the control is sufficient to validate the IPE. No need to identify additional controls to address the accuracy and completeness of the IPE.

Dependent: Identify and test other controls that address the accuracy and completeness of the IPE. Consider:
• The source data
• The report logic (extraction & calculations)
• User-entered parameters
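The three aspects listed under "Dependent" (source data, report logic, user-entered parameters) are what a control owner actually checks before relying on a system-generated report. The script below is an added example written for this page, not code from the deck or from Deloitte. Its data is constructed: a hypothetical list of open customer invoices as the source, and an aged receivables report claimed to be extracted from it, into which two defects have been planted (one invoice aged into the wrong bucket, one invoice missing). The aging buckets and the period end are assumptions.

```python
"""Validating information produced by the entity (IPE) before relying on it.

Added example written for this page; it is not from the original deck. The
data is constructed: a hypothetical list of open invoices (source data) and
an aged receivables report said to be extracted from it. The checks follow
the three aspects the slide names: source data (completeness and control
totals), report logic (amounts and buckets recomputed from source) and
user-entered parameters (the as-of date the report was run for).
"""
from datetime import date
from decimal import Decimal
from typing import Dict, List, Tuple

PERIOD_END = date(2016, 3, 31)  # assumed period end

# Constructed source data: invoice -> (customer, due date, open amount)
SOURCE_INVOICES: Dict[str, Tuple[str, date, Decimal]] = {
    "INV-1001": ("Acme Ltd", date(2016, 3, 20), Decimal("12000.00")),
    "INV-1002": ("Acme Ltd", date(2016, 1, 15), Decimal("8500.00")),
    "INV-1003": ("Beta Pvt", date(2015, 11, 30), Decimal("30000.00")),
    "INV-1004": ("Gamma Inc", date(2016, 2, 28), Decimal("4250.50")),
}

# Constructed report as extracted from the ERP. Two defects are planted:
# INV-1002 sits in the wrong bucket and INV-1004 is missing altogether.
REPORT = {
    "parameters": {"as_of": date(2016, 3, 31)},
    "rows": [
        {"invoice": "INV-1001", "amount": Decimal("12000.00"), "bucket": "0-30"},
        {"invoice": "INV-1002", "amount": Decimal("8500.00"), "bucket": "31-60"},
        {"invoice": "INV-1003", "amount": Decimal("30000.00"), "bucket": "91+"},
    ],
    "control_total": Decimal("50500.00"),
}


def aging_bucket(due: date, as_of: date) -> str:
    """Aging logic re-implemented independently so the report's own logic can be checked."""
    days = (as_of - due).days
    if days <= 0:
        return "current"
    if days <= 30:
        return "0-30"
    if days <= 60:
        return "31-60"
    if days <= 90:
        return "61-90"
    return "91+"


def build_report(source, as_of: date) -> dict:
    """Produce a correct report from source; shows what a clean validation looks like."""
    rows = [{"invoice": inv, "amount": amt, "bucket": aging_bucket(due, as_of)}
            for inv, (_, due, amt) in sorted(source.items())]
    return {"parameters": {"as_of": as_of}, "rows": rows,
            "control_total": sum((r["amount"] for r in rows), Decimal("0"))}


def validate_ipe(source, report, period_end: date) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs; an empty list means the IPE can be relied on."""
    findings: List[Tuple[str, str]] = []
    as_of = report["parameters"]["as_of"]
    # User-entered parameters: a wrong as-of date silently shifts every bucket.
    if as_of != period_end:
        findings.append(("PARAMETER", f"report run as of {as_of}, period end is {period_end}"))
    # Completeness: one row per source invoice, nothing extra, nothing duplicated.
    seen: Dict[str, int] = {}
    for row in report["rows"]:
        seen[row["invoice"]] = seen.get(row["invoice"], 0) + 1
    for inv, n in seen.items():
        if n > 1:
            findings.append(("DUPLICATE_ROW", inv))
        if inv not in source:
            findings.append(("NOT_IN_SOURCE", inv))
    for inv in source:
        if inv not in seen:
            findings.append(("MISSING_IN_REPORT", inv))
    # Control totals: the report must foot, and must agree with the source.
    rows_total = sum((r["amount"] for r in report["rows"]), Decimal("0"))
    source_total = sum((v[2] for v in source.values()), Decimal("0"))
    if rows_total != report["control_total"]:
        findings.append(("FOOTING", f"rows sum to {rows_total}, printed total is {report['control_total']}"))
    if source_total != report["control_total"]:
        findings.append(("TOTAL_MISMATCH", f"source total {source_total}, report total {report['control_total']}"))
    # Accuracy (report logic): recompute each row from source.
    for row in report["rows"]:
        src = source.get(row["invoice"])
        if src is None:
            continue
        _, due, amount = src
        if row["amount"] != amount:
            findings.append(("AMOUNT_MISMATCH", row["invoice"]))
        expected = aging_bucket(due, as_of)
        if row["bucket"] != expected:
            findings.append(("BUCKET_MISMATCH", f"{row['invoice']}: report says {row['bucket']}, recomputed {expected}"))
    return findings


if __name__ == "__main__":
    for code, detail in validate_ipe(SOURCE_INVOICES, REPORT, PERIOD_END):
        print(f"{code:18} {detail}")
```

Recomputing the buckets with a second, independent implementation is what turns the control from "the report looks reasonable" into evidence about the report logic; the total-to-source comparison catches the missing row that an eyeball review of three plausible lines would not.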
Identify Applications, Associated IT Environment, ITGC

Having identified the significant accounts and disclosures, the auditor identifies the relevant aspects of the IT environment based on the effect they may have on the entity's internal control, and ultimately on the financial statements.


Assess the Design of Controls

The auditor should assess the design of controls to determine if a deficiency in design exists, considering:

• Appropriateness of the purpose of the control and its correlation to the risk/assertion
• Appropriateness of the control considering the nature and significance of the risk
• Competence and authority of the person(s) performing the control
• Frequency and consistency with which the control is performed
• Level of aggregation and predictability
• Criteria for investigation and process for follow-up
• Dependency on other controls or information

• Professional judgment is necessary to evaluate the design of relevant controls.
• A deficiency in design exists when a control that mitigates the risk of material misstatement is missing, OR an existing control is not properly designed, so that the risk of material misstatement would not be mitigated.


Perform operating effectiveness testing



Assess findings and conclude on operating effectiveness

The auditor should consider the likelihood that the deficiency will result in a financial misstatement and the magnitude of the misstatement to evaluate the severity of the deficiency.

(Matrix: likelihood on one axis, magnitude on the other.)
• Reasonable possibility of material misstatement
• Remote possibility of material misstatement
• Reasonable possibility of immaterial misstatement
• Remote possibility of immaterial misstatement


Form opinion on Internal Financial Controls over financial reporting

The Auditor should form an opinion on:
- the adequacy, and
- the operating effectiveness of IFC over financial reporting.

Evaluate evidence obtained from all sources:
• Auditor's testing of controls
• Misstatements detected
• Any other identified control deficiencies
• Review of the Internal Audit Report
• Evaluate the disclosures that the management and board of directors are required to make

The Auditor can form either of the below opinions:
• Unmodified Opinion
• Modified Opinion
  – Qualified Opinion: significant deficiency that is material but not pervasive to the financial statements
  – Adverse Opinion: due to existence of a material weakness
  – Disclaimer of Opinion, or withdraw from the audit: due to limitation of scope of the audit

Determine the effect his or her modified opinion on internal financial controls over financial reporting has on his or her opinion on the financial statements.


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and
independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

This material has been prepared by Deloitte Touche Tohmatsu India Private Limited (“DTTIPL”), a member of Deloitte Touche Tohmatsu Limited, on a specific request from you and
contains confidential information. The information contained in this material is intended solely for you thereby, any disclosure, copy or further distribution of this material or the contents
thereof may be unlawful and is strictly prohibited.
