IFC 3rd Feb 16
CONTROL REPORTING
UNDERSTANDING AND IMPLEMENTATION STEPS
(4) The process may also be designed by, or under the supervision of a committee or group
of the aforesaid persons.
Considering the above, the auditor should obtain reasonable assurance to state whether an
adequate internal financial controls system was maintained and whether such internal
financial controls system operated effectively in the company in all material respects with
respect to financial reporting only.
|
Internal Financial control
• Policies and procedures adopted by company for ensuring orderly and efficient conduct of its
business, including adherence to company’s policies
• Safeguarding of its assets
• Prevention and detection of fraud and errors
• Accuracy and completeness of the accounting records, and
• Timely preparation of reliable financial information
This also includes a robust mechanism of well-defined authorities within the organization
for authorizing various business functions.
|
Related sections in Companies Act, 2013
Key compliances
Section 134(5)(e): The Directors’ Responsibility
Statement referred to in clause (c) of subsection (3) shall
state that:
The directors, in the case of a listed company, had laid
down internal financial controls to be followed by the
company and that such internal financial controls are
adequate and were operating effectively.
Section 143 (3) (i): The auditor’s report should also state
whether the company has adequate IFC system in place
and the operating effectiveness of such controls
|
Related sections in Companies Act, 2013
Key compliances
Section 177: Every Audit Committee
shall act in accordance with the terms of
reference specified in writing by the
Board which shall, inter alia, include:
- evaluation of internal financial
controls and risk management systems.
|
Related sections in Companies Act, 2013
Key compliances
Schedule IV (II) (4) of Companies Act 2013:
The independent directors shall satisfy
themselves on the integrity of financial
information and that financial
controls and the systems of risk
management are robust and defensible
|
|
What Companies Need to Do?
|
Implementation process road map
One time: Detailed scope; Document; Validate & design; Corrective action; Prepare test strategy & plan; Reporting
Ongoing: Change Management; Seek confirmation for changes; Corrective action; Control Testing; Reporting
|
Detailed Analysis (Implementation)
SCOPING
|
Detailed Analysis (Implementation)
DESIGN ASSESSMENT
|
Risk control matrix
The risk control matrix is a matrix which defines the various levels of risk, the harm
probability, and the associated controls designed by the organization to mitigate the risk.
The risk control matrix should ideally cover the following areas for effective analysis of
risk and the related controls:
• Risk category: High/Medium/Low
• Assertions
• Automated/Non-Automated
• Preventive/Detective
• Core/Non-core
|
|
Management and auditor responsibility
MANAGEMENT RESPONSIBILITY
Clause (e) of sub-section 5 of section 134 of the Companies Act 2013 requires the directors’
responsibility statement to state that the directors, in the case of a listed company, had laid down internal
financial controls to be followed by the company and that such internal financial controls are adequate and
were operating effectively.
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term, “internal financial controls” as
“the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its
business, including adherence to company’s policies, the safeguarding of its assets, the prevention and
detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information.”
AUDITOR RESPONSIBILITY
• Preliminary knowledge about the company’s IFC.
• Matters relating to the industry in which the company operates.
• Matters affecting the company’s business, including capital structure & operations.
• Recent changes in operation and IFC.
• Materiality, risk and other considerations.
• Control deficiencies previously communicated to the audit committee.
|
Refer Page 30 of ICAI guidance note
Scoping of audit
A Top Down
• Begins at the financial statement level and with the auditor's understanding of the
overall risks to internal financial controls over financial reporting.
• The auditor then focuses on entity-level controls and works down to significant accounts
and disclosures and their relevant assertions.
• The auditor then verifies his or her understanding of the risks in the company's
processes and selects for testing those controls.
(For illustrative list refer page 187 of ICAI Guidance Note, September 2015)
|
Understanding process of organization
|
Materiality selection
Para 86 of ICAI Guidance Note : In planning the audit of internal financial controls over
financial reporting, the auditor should use the same materiality considerations he or she
would use in planning the audit of the company's annual financial statements as provided
in SA 320 “Materiality in Planning and Performing an Audit”.
SA 320 Issued by ICAI : Materiality means the amount or amounts set by the
auditor at less than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements as a whole. If applicable,
performance materiality also refers to the amount or amounts set by the auditor at less
than the materiality level or levels for particular classes of transactions, account balances
or disclosures.
|
Test of controls
Para 107 of ICAI Guidance Note : The decision as to whether a control should be selected for testing
depends on which controls, individually or in combination, sufficiently address the assessed risk
of misstatement to a given relevant assertion rather than on how the control is labelled (e.g., entity-
level control, transaction-level control, control activity, monitoring control, preventive control, detective
control).
Para 109 of ICAI Guidance Note: Procedures the auditor performs to test design effectiveness include a
mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of
relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate
design effectiveness.
(Note : Materiality will be selected based on the Risk control Matrix)
Importance of controls
• The auditor should test those controls that are important to the
auditor's conclusion about whether the company's controls
sufficiently address the assessed risk of misstatement.
|
Design, implementation & operating effectiveness
The auditor should test design effectiveness of controls by determining whether company’s
controls, if they are operated as prescribed by persons possessing necessary
|
Deficiency / Gap report
Definition of Deficiency:
‘Deficiency’ in internal financial control over financial reporting exists when the design or
operation of a control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect misstatements on a timely basis.
|
|
IFC & Internal Audit
Para 152 of ICAI Guidance Note: Since the primary responsibility for establishing and
maintaining an adequate internal financial controls system over financial reporting is that of
the management and the board of directors of the company, the auditor should ensure that
the board of directors approving the financial statements of the company also approve the
management assertion and conclusion on the adequacy and operating effectiveness of
internal financial controls over financial reporting and also take on record the deficiencies,
significant deficiencies and material weaknesses identified by the management, internal
auditors and the auditor.
IG 18.9 of ICAI Guidance Note: The extent to which the auditor may use the work of others
in an audit of internal control also depends on the risk associated with the control being
tested. As the risk associated with a control increases, the need for the auditor to perform
his or her own work on the control increases.
|
|
Topic | Paragraph Reference (ICAI) | Page No.
Auditors’ responsibility for reporting on Internal financial controls over financial reporting in India | 4 – 5 | 11
Objective in an audit of internal financial controls over financial reporting and interpretation of the term ‘internal financial controls’ for auditor’s reporting under Section 143(3)(i) | 26 – 35 | 15
Auditors’ responsibility for reporting on internal financial controls over financial reporting in the case of unlisted companies | 43 – 45 | 18
Components of internal control | 48 – 60 | 21
Planning the audit | 75 | 30
Materiality | 86 | 33
Indicators of material weakness | 135 – 136 | 45
Audit Report | 158 – 160 | 50
Audit documentation | 165 | 51
Implementation Guidance (IG) | IG 1 – IG 21 | 52 – 157
|
Topic | Paragraph Reference (ICAI) | Page No.
Difference between Process and Control | | 65 – 66
Automated Controls | | 74 – 76
Information Produced by the Entity (IPE) | | 76 – 84
Internal Financial Controls – Testing of Design | | 88 – 91
Internal Financial Controls – Walk Through | | 91 – 93
Internal Financial Controls – Testing of Operative Effectiveness | | 93 – 104
Sampling | IG 14.1 – IG 14.10 | 105
Rotation Plan for Testing Internal Financial Controls | IG 16.1 – IG 16.3 | 116 – 117
Using the Work of Internal Auditors and an Auditor’s Expert | IG 18.1 – IG 18.9 | 117 – 118
|
Topic | Paragraph Reference (ICAI) | Page No.
IT-dependent controls | IG 19.32 | 132
Documentation of processes and controls | IG 19.44 | 139
Reporting Considerations | | 144 – 150
Scope limitations | IG 20.20 – IG 20.22 | 149
Understanding the process of recording journal entries | IG 21.10 – IG 21.12 | 155
Standard on Internal Audit (SIA) 5 – Sampling | | 192
|