Internal Controls DLTT
Controls
Take control. Add value
14 April 2016
Contents
1 Understanding regulations
4
IFC – Companies Act, 2013 Requirements
Section 134 (5)(e) – One of the requirements of the Directors’ Responsibility Statement (S. 134 (3)(c))
The report by the Board of Directors (BOD) shall include a statement ensuring implementation of adequate internal financial controls and adherence to the policies and procedures adopted by the company, with the objective of orderly and efficient conduct of its business, safeguarding of the company’s assets, prevention and detection of frauds, accuracy and completeness of the accounting records, and timely preparation of reliable financial information.
Auditor’s report to state the adequacy and effectiveness of internal financial controls.
All the requirements that apply to the Standalone Financial Statements apply mutatis mutandis to the Consolidated Financial Statements.
Comparison of regulatory requirements

Companies Act, 2013
• Responsibility of the Board
• Board Report to contain a statement on adequacy of internal financial controls
• Audit committee to evaluate internal financial controls
• Auditor’s report to comment on adequacy of internal financial controls system and operating effectiveness of controls.
• No framework mandated
• Effective from October 1, 2014
• Definition of IFC goes beyond financial reporting

Clause 49 of listing agreement
• Responsibility of the CEO/CFO to maintain internal controls for financial reporting
• Evaluate the effectiveness of internal control systems pertaining to financial reporting
• Indicate to the auditors and the audit committee significant changes to accounting policies and internal controls for financial reporting.
• Board and Audit Committee responsibility brought in line with Companies Act, 2013

Sarbanes Oxley Act
• Responsibility of the signing officer to the Annual report to establish and maintain internal controls
• Annual report to contain management report on ICFR
• Auditors to report on and attest to management’s assessment of ICFR
• Compliance program is required to be aligned to COSO framework
• Definition covers specifically ICFR

Diagram: Internal Financial Controls = ICFR + Policies; Auditors Reporting
As per section 134 (8), if a company contravenes the provisions of this section, the company shall be punishable with a fine which shall not be less than fifty thousand rupees but which may extend to twenty-five lakh rupees, and every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years, or with a fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.
Functional Involvement
Table: functions involved in each deliverable (check marks not recoverable from the slide). Rows: Planning/Scoping Document; Process documentation; Control Matrices; Training.
IFC Coverage
IT Controls
© 2015 Deloitte Touche Tohmatsu India Private Limited
Entity Level Control
CONTROL ENVIRONMENT: Overall control environment supported by adequate processes & controls, such as a Code of conduct for Directors and senior management
RISK ASSESSMENT: Existence of a Board level Risk Management Committee and Disciplinary Committee
CONTROL ACTIVITIES: Existence of automated and manual controls for various processes within the business; documented policies and process manuals
MONITORING ACTIVITIES: Internal Audit reports, Whistle blower policy
IT Controls
USER ACCESS: Policy definition; Access reviews
CHANGE MANAGEMENT: Change policy; Approvals
PASSWORD MANAGEMENT POLICY: For OS and ERP
Assertions and Particulars
Accuracy: Amounts and other data relating to recorded transactions and events have been recorded appropriately.
Completeness: All transactions and events, assets, liabilities, and equity interests that should have been recorded are recorded.
Validity: Transactions and events that have been recorded have occurred and pertain to the entity.
Cut Off: Transactions and events have been recorded in the correct accounting period.
Valuation and Allocation: Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.
Presentation and Disclosure: Recorded transactions and events are properly classified, described, and disclosed in the financial statements.
Overview of Controls
Levels of control: Entity level; Process level
Preventive controls: • Segregation of duties • Authorization • Application
Detective controls: • Review • Reconciliation • Physical Verification
Each control may be Manual or Automated
Key considerations in a Control
Understand & Document the Who, What, When, Where, Why & How…
Who … performs the control? Does this person have the requisite knowledge/authority?
When … is this control performed? Frequency (Daily, Weekly, Monthly, Quarterly, etc.)? Is it frequent enough to prevent/detect & correct the risk?
Where … is the evidence of control performance retained? For how long? Is it accessible for audit?
Why … is this control being performed? What types of errors should be prevented or detected?
How … is this control being performed? What activities are included? Can these activities be bypassed? Can the bypass be detected? How are issues resolved, once identified, and in what timeframe? Is this fast enough to mitigate the risk?
IFC Framework

PHASE 1: Scope and Plan the Project
Project Plan
• Objectives, scope, deliverables, approach and timeline.
Scoping and Risk Assessment
• Significant accounts and disclosures and their linkage to significant processes, and related technology.
• Adopt internal controls framework
Deliverable: Risk Assessment and Scoping Document

PHASE 2: Assess and Define
Entity Level Controls (ELC)
• Study of existing documentation and Interviews with the management.
Risk and Control Matrices (RCM)
• Evaluate RCM by leveraging on ELC and automated application controls.
• Consider IT GCs for scoped-in IT environments.
Process Walkthrough
• Significant processes using Narratives and/or Flowcharts, and also considering existing documentation.
Deliverable: Key Risks and related Control Matrix

PHASE 3: Test and Remediate
Evaluation of Design
• Evaluation of the design of the Control Activity to mitigate the identified risks.
Evaluation of control Implementation
• Test if the control has been appropriately implemented as per design
Remediation Plans
• Develop remediation plan for identified design and implementation deficiencies.
Deliverable: Design control gaps and remediation plan

PHASE 4: Perform Operating Effectiveness Tests and Document
Development of Test Plans
• Design test attributes
Performance of Testing
• Perform testing of control effectiveness and document with sufficient evidence to enable an independent verification of the work.
Additional Remediation Plan
• Identify control gaps, if any, and prioritize the same for remediation by development of additional Remediation Plans.
Deliverable: Control effectiveness gaps and remediation plan

PHASE 5: Monitor Controls and Assert
Support of Auditor Testing
• Advise and support testing performed by the auditor
Monitoring & Roll forward Testing
• Monitoring of controls and the performance of roll-forward testing.
Evaluation of Deficiencies
• Facilitate management’s evaluation of deficiencies.
Additional Remediation Plan
• Update deficiencies identified by auditors.
Deliverable: Deficiencies evaluation and management responses

Legend: Preventive, Detective, Manual, Automated
Internal Financial Controls Journey
Plan and scope; Perform risk; Identify significant Controls; Document Controls; Evaluate control design; Evaluate operating effectiveness; Document results; Build sustainability of control environment; Business value
Audit of Internal Financial Controls over Financial Reporting - Broad Steps
Planning & Scoping; Design & Implementation; Operating Effectiveness; Final Conclusion & Reporting
AUDITOR SHOULD
Evaluate both Qualitative and Quantitative risk factors of accounts and disclosures, which include:
Identify the relevant assertions that have a reasonable possibility of containing a misstatement
• The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure.
• In case of multiple locations/units, the auditor should identify significant accounts or disclosures as a whole.
1. Identify the relevant controls that address the relevant risks of material misstatement
3. Understand the IPE and determine which aspects (e.g., the specific data) of the IPE are important to the effectiveness of the relevant control
4. Determine whether the control (user) sufficiently addresses (“validates”) the accuracy and completeness of the IPE, or whether the control (user) is dependent upon other controls over the accuracy and completeness of the IPE
Validates / Dependent
The auditor identifies significant accounts and disclosures, further emphasizing that the relevant aspects of the IT environment are identified based on the effect they may have on the entity’s internal control, and ultimately on the financial statements.
• Appropriateness of the purpose of the control and its correlation to the risk/assertion
• Appropriateness of the control considering the nature and significance of the risk
• Competence and authority of the person(s) performing the control
• Frequency and consistency with which the control is performed
• Level of aggregation and predictability
• Criteria for investigation and process for follow-up
• Dependency on other controls or information
The auditor should consider the likelihood that the deficiency will result in a financial misstatement and the magnitude of the misstatement to evaluate the severity of the deficiency.

Severity of deficiency (Magnitude vs. Likelihood)
Material misstatement: Reasonable possibility of material misstatement | Remote possibility of material misstatement
Immaterial misstatement: Reasonable possibility of immaterial misstatement | Remote possibility of immaterial misstatement
• Unmodified Opinion
• Modified Opinion
  • Qualified Opinion: Significant deficiency - material but is not pervasive to the financial statements
  • Adverse Opinion: Due to existence of material weakness
  • Disclaimer of Opinion OR Withdraw from Audit: Due to limitation of scope of Audit
This material has been prepared by Deloitte Touche Tohmatsu India Private Limited (“DTTIPL”), a member of Deloitte Touche Tohmatsu Limited, on a specific request from you and contains confidential information. The information contained in this material is intended solely for you; thereby, any disclosure, copy or further distribution of this material or the contents thereof may be unlawful and is strictly prohibited.