ICFR: The New Kid on the Block
Is he friendly?
Does he mean business?
Is he helpful?
Will he stay on, or is he temporary in this area?
Well, let me tell you:
This new kid is permanent, here to stay, means business, can be very useful to companies if handled well and may be dangerous to both companies and auditors if mishandled.
So… it is time we step out and greet this NEW KID ON THE BLOCK called ICFR.
Hi. My name is ICFR….
So who is this new kid on the block?
Nandita Parekh, CNK & Associates LLP
To understand ICFR requirements at a conceptual level.
To learn practical and easy ways to comply with the requirements in a meaningful manner.
To appreciate the intent of the law by going beyond the form.
All with a focus on not-so-large private companies, their advisors and their auditors.
Session Objectives
Part I: Introduction to ICFR
• Origin – Regulatory Routes (where from?)
• Definition and Coverage (what?)
• Objective – Purpose (why?)
Most enhancements in governance laws owe their origin to frauds….
Frauds highlight the weaknesses in the governance structure. Small frauds result in investigations and punitive action on the fraudster; large, pervasive frauds lead to introspection on the adequacy of the governance structure.
The origin of the developments in the area of IFC and ICFR can be traced to large frauds like Enron, WorldCom and such others that shook the investor confidence in corporate governance. The requirements in most countries extend only to listed and large public companies.
In India, we have gone a big step forward: the regulations have been adopted on lines with the US law but, unlike in the US, have been made applicable to all companies, irrespective of their size and ownership structure.
IFC/ICFR – Made in the West, Embraced by Indian Regulators
The “Three lines of defence” provides a simple and effective way to enhance IFCs by clarifying roles and duties.
• The first line is responsible for setting up the controls, mitigation of risk and defining policies and procedures to be complied with;
• The second line monitors compliance with the laid down controls. It is not an independent assurance function, but a monitoring tool for the management;
• The third line provides the independent assurance on the activities of first and second lines of defence, and the Audit committee and board of directors provide overall direction and oversight.
[Diagram: Senior Management]
• 1st line of defense: Operational & Business units (design & operation of controls)
• 2nd line of defense: Management assurance (ongoing monitoring of controls)
• 3rd line of defense: Independent assurance (Internal audit)
• External Auditors
• Regulators
Lines of Defence
Auditors
• Section 143(3): Auditor’s report shall state whether the company has adequate internal financial controls system in place and operating effectiveness of such controls.
Directors
• Section 134(5)(e) of 2013 Act requires Directors’ Responsibility Statement of listed companies to specifically assert on adequacy and operating effectiveness of internal financial controls.
• Rule 8(5)(viii) of Companies (Accounts) Rules requires the directors’ report to give details w.r.t. ICFR.
Audit Committee
• Section 177(4): Every Audit Committee shall act in accordance with terms of reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls and risk management systems.
Independent Directors
• Section 149(8): Independent Directors shall satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible.
Companies Act, 2013 and Companies (Accounts) Rules, 2014 specify responsibilities of different stakeholders w.r.t. IFC & ICFR.
The Responsibility Allocation for IFC/ICFR
Directors
Scope:
• Listed companies – Adequacy and operating effectiveness of internal financial controls
• Unlisted companies – Adequacy of internal controls over financial reporting
Responsibilities:
• Board: To lay down adequate and effective internal financial control and include in Directors’ responsibility statement
• Independent Directors: to satisfy themselves on the strength of financial controls
• Audit Committee: to evaluate Internal Financial Control System
Applicable from FY 2014-15.
For private companies and other companies not required to have audit committee or independent director, the entire responsibility is with the Board of Directors.
Auditor
Responsibilities:
Report on
• adequacy and
• operating effectiveness of
internal financial controls system over financial reporting
Mandatory from FY 2015-16; voluntary adoption from FY 2014-15.
Scope and Responsibility
2014-15 | Audit Committee and Directors | Statutory Auditors
Listed Companies | IFC and ICFR | Only for CARO
Other Companies | ICFR | Only for CARO

2015-16 | Audit Committee and Directors | Statutory Auditors
Listed Companies | IFC and ICFR | ICFR
Other Companies | ICFR | ICFR

For companies, reporting on IFC/ICFR became applicable from FY 2014-15. Hence, for companies, ICFR is not really a new kid on the block….
So, is ICFR really a new kid on the block?
The self-regulated traffic signal is now manned by a traffic cop, the auditor…… and suddenly, some companies are realizing that perhaps they were lax in observing the traffic rules earlier!!
2014-15 | 2015-16
So what has really changed for companies?
Requirement: ICFR reporting by auditors w.e.f. 01/04/2015
ICAI Guidance Note issued: September 2015
FY 2015-16: Seminars, training sessions, documentation, outsourcing…..
February – May 2016: Tireless working round the clock by listed/early closure companies and their auditors for ICFR completion.
July – September 2016: ….Time for remaining companies and auditors to play catch up.
• Outsourcing Decisions
• Skill shortage
• What about System Audit?
• Confusion
Life after ICFR….
IFC means policies and procedures adopted for:
• Ensuring the orderly and efficient conduct of its business, including adherence to company’s policies
• Safeguarding of its assets
• Prevention and detection of frauds and errors
• Accuracy and completeness of the accounting records
• Timely preparation of reliable financial information
What is IFC? [Explanation to Section 134(5)(e)]
Internal Financial Controls =
• Internal Controls over Financial Reporting
• Fraud Prevention and Fraud Monitoring controls
• Operational Controls
• Controls to ensure Regulatory Compliance
‘Internal Financial Controls’ has a broad connotation – however, from the perspective of assurance expected from Statutory Auditors, the focus is only on Internal Controls over Financial Reporting.
The evolving Corporate Governance requirements have resulted in development of different management/governance tools and policies and processes.
IFC may be viewed as a consolidating exercise that connects all these pieces to make a whole that is larger than the sum of its parts.
The approach to establishing Internal Financial Controls and auditing them can only be top down, as it starts with the senior most management and drills down to the lowest operating level.
• Ethics and Governance Policy
• Risk Management Policy
• Code of Conduct
• IT System Manuals
• Standard Operating Procedures
• Accounting Policies
• Whistle Blower Policy
• Anti Bribery Policy
Practical Insights
ICFR review needs to be done keeping in view the size of the company and the complexity of its operations/accounting.
In small companies, with low complexity, a much simpler level of documentation may be insisted upon.
In large companies with external stakeholders and complex operations, insist on full documentation by early/mid March and ensure testing of controls.
In cases where the Company does not have competent employees who can draw up the financial statements/disclosures or where there is a history of material adjustments between the unaudited and the audited statements, the prima facie conclusion would be that ICFR are not adequate.
In the first year of review, the focus may be on intent and establishing a basic framework that addresses key risks – in subsequent years, this framework needs to be enhanced and improved for wider coverage.
Practical Insights for Auditors/Advisors
Part II- Internal Control Components
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
5 Components of the COSO Cube – to be applied to Internal Controls on Financial Reporting
Understand and document Entity Level Controls
Assess the IT general controls or the IT environment (ITGC)
Assess the risk of misstatements in financial statements and assign materiality
Based on Materiality assessment identify key processes that require detailed documentation of risks and controls
Document RCMs for identified processes; cover remaining areas through macro-level processes
Test the controls for design and operational effectiveness – address deficiencies found.
Step by Step Approach
• Entity level (ELC)
• IT platform level (ITGC)
• Application/Account/Process level (ALC)
Internal Controls over Financial Reporting
Control Environment
Output:
• Entity Level controls
• IT general Controls Assessment
1. Organization demonstrates commitment to integrity and ethical values
2. Board exercises oversight of the development and performance of internal control mechanism
3. Management establishes structure, authority, and responsibility
4. Organization demonstrates commitment to attract and retain competent individuals
5. Organization enforces accountability for internal control responsibilities
Control Environment - with specific focus on Financial Reporting
Does the organization have an Anti-Bribery Policy? Or an Ethics policy?
Ethical code of conduct is neither documented, nor communicated.
Board meetings are not actually held – the minutes are written to cover the required agenda matters. Managing director has unlimited powers.
The Company with a turnover of Rs 300 crores does not have a single qualified CA in its Accounts department.
Organization structure is not formalized; job responsibilities are either not documented, or not reviewed periodically.
“Cost centers” like Accounts and compliance departments are perpetually understaffed.
Very few companies are able to demonstrate a control environment that creates confidence in entity level controls.
The Ground Reality
All ELCs may not have an impact on ICFR.
Identification of relevant ELCs and assessing their precision level (greater the precision, greater the reliance placed) based on:
• Purpose of control – e.g. inventory verification
• Level of aggregation – e.g. review of consolidated statements
• Quality and consistency of performance – e.g. control exercised at random intervals when time permits
• Correlation to relevant assertions – e.g. selective confirmation of debtors
• Criteria for identifying exceptions/conducting investigations – e.g. too high a materiality threshold
• Comparison with expectations/budgets – e.g. budgets may be unrealistic, estimates may not have the desired level of precision.
Assessing Relevance of ELCs for Financial Reporting
In most private/SME companies, there may not be any documentation of the governance and management framework – companies should consider codifying the same.
Auditors, based on their past experience and interactions with the management, will need to prepare their own assessment of ELCs in a systematic manner. Most people use an Excel based format. However, a narrative style document to assess ELCs is also fine.
The purpose of the ELC assessment is primarily to determine the level of detail with which process level controls need to be reviewed – stronger the ELC, higher the reliance on overall controls and lesser the need for detailing of process level controls.
ELC assessment ends with identification of areas that need strengthening, but generally does not directly result in a material deficiency or a qualification.
ELC for Private Companies
ELCs assessment is normally documented in terms of an Excel spreadsheet – the Company should provide this to the auditors for review. At the minimum, the Company should document a detailed note on the ELCs that they believe lead to transparent, true and fair financial reporting.
For ICFR, one must focus only on those ELCs that have a bearing on financial reporting.
The greater the reliance on ELCs, the lesser the testing required at process/account level.
Emphasis should be placed on enhancing entity level controls and automated controls – this can help in reducing the quantum of testing and the need for detailed checking.
ELC Assessment Format
Effective Entity level Controls are fundamental to an effective IFC.
The quality of ELCs determines the quantum and nature of testing to be done at account line item, unit or process level.
Deficiencies observed at the ELC level need to be communicated to the management for remedial actions.
It is time for us, as auditors or controllers, to start working on helping organizations in setting up an effective framework of IFC – such a framework will go a long way in enhancing the reliability of the financial statements.
To Conclude
IT general controls are relevant when the Company has implemented one or more IT platforms for processing information that flows into financial statements.
The reliance placed on IT systems and automated controls may be out of place in case certain basic care is not taken in terms of access controls, modification and change management for software applications, generation and review of log reports, periodic systems audit for validation of controls and accurate processing, etc.
Unlike ELC, in case there are gaps in ITGC it could result in a material deficiency unless the company has introduced parallel or compensating controls that do not rely on automated controls.
It is essential for the company management and the auditors to understand the IT infrastructure and ITGC to conclude on the adequacy and effectiveness of ICFR.
Assessment of IT General Controls
Assess ELCs as far as they impact Financial Reporting.
Decide the level of reliance to be placed on ELCs and accordingly plan the review of process level controls.
Review ITGC and determine the level of reliance that can be placed on automated controls in general – if reliance cannot be placed, the company management and the auditors will have to rely on manual and alternate controls.
A full scope systems audit is not expected to be carried out by the auditors – however, in the absence of any systems audit or review by the company over 2-3 years, particularly in case of IT applications that are being regularly modified, it may be difficult to provide a positive assurance on ICFR.
Action Points
ELCs and ITGC are like the security guards placed at the entrance of a building.
Strong entrance security eliminates some risks by controlling who can go in – similarly, ELCs and ITGCs minimize the possibility of certain risks entering the company.
Strong entry point controls do not eliminate the need for additional controls at strategic points – hence, process/account level controls need to be in place for all key risks identified.
ELCs – the Sentinel at the Gate
Company:
• Prepare a list of overall controls established through mission, vision, code of conduct, policies, automation, audits, etc.
• Essentially put on paper, in a format of your choice, all that you feel contributes to transparency, efficiency and integrity in preparing financial statements.
Auditor:
• Examine the Company’s statement on ELC.
• Alternatively, meet with the management and ask relevant questions to compile a statement of ELCs – add your past client experience to this.
• Use a structured Excel format preferably.
• Conclude on the level of reliance that you want to place on ELCs and communicate to the management the areas that need to be strengthened.
Expected time, for an existing client: approximately 1-3 days of senior time, including validation of controls.
Documentation for ELC
Risk Assessment
Output:
• Identification of key risks for ICFR – starting point of RCMs
• Materiality based identification of accounts and processes
• Determination of RCMs and policies to be documented
6. Organization specifies objectives to enable the identification and assessment of related risks
7. Identifies and analyzes risk related to the objectives
8. Considers the potential for fraud
9. Identifies and analyzes significant changes that would impact the internal control system
Risk Assessment – Risk that financial statements may contain material misstatements
The entire ICFR framework is designed with the primary objective of providing reasonable assurance to the Directors and the auditors that the internal financial controls are such that the annual financial statements prepared by the company would be free from material misstatements.
Note the emphasis on materiality – the formal framework of ICFR is required only with respect to RoMM and not any misstatement.
For a risk to be significant – the likelihood and the impact need to be examined. Strong ELCs reduce the likelihood and thus, reduce the severity of the risk.
Risk of Material Misstatements
Analyze the sources of potential risks. Some potential risks could arise due to:
• Significant changes in the reporting requirements (IND-AS)
• Untested IT systems relied upon for generating financial reports
• Inability to retain competent staff – high attrition level, inadequate induction/training
• Business exigencies creating compulsions for misstatements – listing, borrowing requirements, pressure from investors/shareholders
• Incentive structures not backed by appropriate controls
• Inadequate time allotted for review and audit scrutiny
• Inadequate quality of audit staff for internal/external audits – sub-optimal partner review before finalization
Analyzing RoMM
• Management override or management fraud
• Employee initiated misreporting – due to targets or incentives/fear
• Errors, omissions and inefficiency resulting from people, processes or IT systems
• Misinterpretation of Regulatory provisions related to financial reporting
• Governance structure, independence of the Board
• Inbuilt controls through policies, segregation of duties, system based checks
• IT controls, authority matrix, maker-checker, audit processes
• Quality of personnel, quality of auditors & consultants
Risks related to Financial Reporting
Consider financial statements and all other disclosures.
Apply quantitative criteria and qualitative criteria.
Use previous experience and assessment of RoMM to identify additional accounts/account groups that are vulnerable.
Finalize a list of accounts/account groups in respect of which detailed testing is required to be done.
Map this list with the key activities/functions for which review of process level controls has been initiated/proposed.
Establishing Materiality
SA 320 provides guidance on “Materiality in Planning and Performing an Audit” – the same considerations need to be applied for determining materiality for ICFR audit.
Very often, a % based materiality is applied for obtaining a first set of covered items; e.g. for balance sheet items any item that is more than 1% of total Balance sheet Size (i.e. 1% of total assets) or any P&L item that is more than 1% of Gross revenues or 5% of PBT – lower of the 2. The % is derived based on professional judgement.
Materiality Considerations
Obtain last audited financial statements (March 2015) and also projected financial statements for March 2016 (if available).
Determine, based on past experience and professional judgement, the % to be applied.
Apply the % to each category of accounts at a FS level and then drill down to GL codes.
Identify additional items that qualify based on qualitative assessment of vulnerability.
Against each item map the broad business process (procurement, sales, administration, payroll etc.) where the accounting item originates.
Compile a list of those business processes for performing process analysis and preparation of RCMs.
Some residuary items may need to be individually dealt with e.g. dividend, taxation, etc. or will be dealt with in terms of “Financial Statement Closure Policy/Process”.
Establishing Materiality Levels: Steps to follow
GL Code | Account Name | Balance | Process
FA001 | Land | xxxxx | Fixed assets
CA200 | Account Receivables - Domestic | xxxxx | Domestic Sales; Domestic Receivables
CA300 | Account receivables - international | xxxxx | International sales; International customer management
CA 400 | Account Receivables – related parties | xxxxx | Sales to related parties; Transfer pricing / related parties transactions process
OE711 | Salaries | xxxxx | Payroll process - Outsourced
OE400 | Purchase of consumables | xxxxx | Procurement Process
OE500 | Purchases – R/M | xxxx | Procurement Process
AP100 | Dividend | xxxx | Fin Statement Closure Process
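The screening steps and the GL-to-process mapping above can be run as a first-pass filter over a trial balance. The following is an added example, not part of the original presentation: the balances, statement totals, the `qualitative` flag, the BS/PL classification of each account and all function names are constructed for illustration, and the 1% / 5% defaults are the slide's illustrative percentages, which remain a matter of professional judgement.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Account:
    gl_code: str
    name: str
    statement: str             # "BS" = balance sheet item, "PL" = P&L item
    balance: Decimal
    processes: tuple           # business processes where the item originates
    qualitative: bool = False  # hypothetical flag: judged vulnerable despite size


def thresholds(total_assets, gross_revenue, pbt,
               bs_pct=Decimal("0.01"), rev_pct=Decimal("0.01"),
               pbt_pct=Decimal("0.05")):
    """First-cut materiality limits; the percentages are judgement calls.

    BS items: bs_pct of total assets.
    P&L items: lower of rev_pct of gross revenue and pbt_pct of PBT.
    Assumption: a loss is measured by its absolute size, and a zero PBT is
    ignored so the limit does not collapse to zero and sweep in every account.
    """
    pl_candidates = [gross_revenue * rev_pct]
    if pbt != 0:
        pl_candidates.append(abs(pbt) * pbt_pct)
    return {"BS": total_assets * bs_pct, "PL": min(pl_candidates)}


def screen(ledger, limits):
    """Return (account, reason) pairs for every GL account that is in scope."""
    in_scope = []
    for acct in ledger:
        if abs(acct.balance) > limits[acct.statement]:
            in_scope.append((acct, "quantitative"))
        elif acct.qualitative:
            in_scope.append((acct, "qualitative"))
    return in_scope


def processes_to_document(in_scope):
    """Map each business process to the GL codes that pull it into scope."""
    mapping = {}
    for acct, _reason in in_scope:
        for process in acct.processes:
            mapping.setdefault(process, []).append(acct.gl_code)
    return dict(sorted(mapping.items()))


# Constructed sample: GL codes and processes follow the slide's table; the
# balances and statement totals (Rs lakh) are invented for illustration.
D = Decimal
SAMPLE_TOTALS = {"total_assets": D("50000"), "gross_revenue": D("30000"),
                 "pbt": D("3000")}
SAMPLE_LEDGER = [
    Account("FA001", "Land", "BS", D("4000"), ("Fixed assets",)),
    Account("CA200", "Account Receivables - Domestic", "BS", D("2500"),
            ("Domestic Sales", "Domestic Receivables")),
    Account("CA300", "Account receivables - international", "BS", D("900"),
            ("International sales", "International customer management")),
    # Below the BS limit, but flagged on qualitative grounds (related parties).
    Account("CA 400", "Account Receivables - related parties", "BS", D("120"),
            ("Sales to related parties",
             "Transfer pricing / related parties transactions process"),
            qualitative=True),
    Account("OE711", "Salaries", "PL", D("1800"),
            ("Payroll process - Outsourced",)),
    Account("OE400", "Purchase of consumables", "PL", D("90"),
            ("Procurement Process",)),
    Account("OE500", "Purchases - R/M", "PL", D("12000"),
            ("Procurement Process",)),
    # Treated here as a balance sheet payable (assumption).
    Account("AP100", "Dividend", "BS", D("600"),
            ("Fin Statement Closure Process",)),
]


def run_sample():
    """Screen the constructed ledger and list the processes needing RCMs."""
    limits = thresholds(**SAMPLE_TOTALS)
    in_scope = screen(SAMPLE_LEDGER, limits)
    return limits, in_scope, processes_to_document(in_scope)


if __name__ == "__main__":
    limits, in_scope, processes = run_sample()
    print("Limits:", limits)
    for acct, reason in in_scope:
        print(f"{acct.gl_code:7} {acct.name:40} {acct.balance:>8} {reason}")
    for process, codes in processes.items():
        print(f"{process}: {', '.join(codes)}")
```
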
Classify financial transactions into:
• Routine, repetitive transactions – purchase, sales, expense booking, payment processing, payroll, etc.
• Non-routine financial transactions – these are transactions that occur at uncertain intervals and are event based – e.g. issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, etc.
• Estimations – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation etc.
• Period Closure Entries – based on reconciliations, verifications, interest accounting, cut-off based accruals etc.
Risk and Controls – A Simple Model to Follow
Examples – purchase, sales, expense booking, payment processing, payroll, etc.
These generally cover at least 60-70% of total transactions of the Company and equivalent man-hours of the accounting personnel.
These need to be covered by a process flow and narrative, and ideally well established IT platforms.
These may also be subjected to internal audit and periodic MIS review.
For each material category/significant process, ideally an RCM needs to be prepared, focusing on only material risks.
Routine Transactions
Examples – issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, declaration of dividends.
For these, it may be very difficult, especially for SME & private companies, to have a documented process.
For all such transactions, based on pre-defined monetary limit, the company may establish a maker-checker-approver process and document the same under “Process for processing of material non-routine transactions”.
This will cover various categories of transactions and ensure that the quality of review will ensure accurate accounting, with due scrutiny and authorization at an appropriately senior level.
Non-routine Transactions
Examples – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation.
Estimations require exercise of judgement and hence, need to be based on proper working, rationale, policy and approval.
A due process for basis of significant estimations and approval of the same needs to be documented.
This area poses the highest risk of error and management override – there is a need for increased attention to this area, both by the company and its auditors.
Estimations
Examples – entries based on reconciliations, physical verifications, interest accounting, cut-off based accruals, outstanding liabilities, pre-paid expenses, etc.
These may be covered in the Financial Statement Closure Policy (FSCP).
Trail to be maintained for establishing cut-offs may be specified.
Authority matrix identifying the maker-checker-approver may be documented.
Clear trail of year end processing may be established from the first trial balance to final financial statements.
For most SME & private companies, the FSCP and the related RCM may be the most relevant document in support of ICFR review and assurance.
Period Closure Transactions
Company:
• Identify the risks of misstatements in financial statements w.r.t. the expected users and stakeholders.
• Categorize these risks as material, moderate and low based on likelihood and impact.
• Map the risks to controls instituted through ELC, ITGC and SOPs.
• The Company may be able to rely on a lot of informal controls or non-documented controls; the same may not be accepted by auditors in absence of documentation – hence, some of the controls may need to be evidenced.
Auditor:
• Ideally RoMM should have been documented as per SA-315; if not this may be done in accordance with SA-315.
• The RoMM to be identified, giving due consideration to past experience, the nature of business, and the expected readership and stakeholders.
• The risks that need to be reviewed for mapping controls and testing the controls should be kept at an optimum – most RCMs make the mistake of detailing risks that are immaterial also in RCM.
Expected time for a mid-sized company: 4-5 days in all to set the materiality limits, screen the TB to identify the accounts/processes, adding items based on qualitative consideration.
Documentation
Based on materiality assessment and identification of routine transactions, a list of processes and RCMs that need to be documented is prepared.
The RCMs that may be required for most entities would be: purchase cycle, income cycle, employee payments & benefits, expense, cash/bank payment processing, fixed assets, inventory.
In addition, the following will need to be documented:
• General Process for Non-routine Transactions and related RCM
• General process for estimation-based accounting with specific reference to key estimations made annually
• Financial Statement Closure Policy and related RCM – this may also include RCM for year end estimations.
• ELC and ITGC related RCMs.
Final Output
Control Activities: Process/Account Level Controls
Output:
• Identification of key processes
• Review and document process flow diagrams and RCMs identifying financial reporting risks and controls
• Identifying process and design gaps and assessing materiality of weakness/gap observed
• Determining remedial plan
10. Organization selects and develops control activities for risk mitigation
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
Control Activities
Likely Findings…..
Risk Management Framework, RCMs and SOPs are all stand-alone documents – and actual activities are conducted based on none of these.
ERP system is tweaked every now and then, but IT system audit has not been done for the last 5 years – there is no review of log reports, unauthorized access, vulnerability to external security breaches, change management processes.
Policies and procedures remain undocumented for many of the key activities.
• IT System Audit
• SOP compilation
• Risk Management Framework
Controls? What Controls?
Assessing IFC in absence of well documented policies, procedures, Authority Matrices etc. becomes almost impossible.
Quality of documentation is a general concern area in many organizations.
Policies for period closure for financial statements also need to be documented and a structured process for preparation of financial statements needs to be formally documented and adopted.
No job is complete unless the paperwork is done!!
The Need for Documentation
What is an RCM? It is a document linking key identified risks for a process or account balance with corresponding controls. The RCM provides description and categorization of the risk and also of the control.
Ideally risks must flow from the Risk Management Framework and controls identified should be mapped to SOPs – this provides for a common, consistent understanding of risks and controls.
The RCM should also provide the details about testing of controls and cross reference to working papers for control testing.
Risk Control Matrix (RCM)
Process flow charts provide a pictorial view of the activity/process from origination to conclusion.
Controls can be marked on the process flowchart.
Those controls that directly or indirectly address “financial reporting risks” need to be noted – within this only those controls that address the RoMM need to be considered for testing of controls at design level and at operational effectiveness level.
Some cases of RoMM may get addressed through entity level controls and may not need further detailed documentation or testing.
Process Flowchart and RCM
Account, sub-account, activity:
• Account/sub-account, activity identified
• Assertions based on account type and risk/controls
Risk identified and details:
• Significant risk
• Is there a fraud risk?
Controls:
• Automated/manual
• Frequency
• Control description
Controls Testing details:
• Test of design
• Test of operational effectiveness
RCM Components
RCMs form the most detailed documentation compiled to support the companies in evidencing and confirming the controls.
It provides a one-spreadsheet view of all relevant details required for the assessment of controls and their operational effectiveness.
Preparation of RCMs requires training and a clear understanding of the company’s processes.
An RCM, when finalized, becomes the basis of testing of controls.
When the test results are incorporated in the RCM, it becomes the working paper to back the conclusions arrived at by the management and the auditor as to the adequacy and effectiveness of underlying controls pertaining to that RCM.
RCM
Nature | Example | Noteworthy
Routine | Sales invoicing; Expense booking; Monthly salary processing | Automation; Internal audit coverage; Clarity of authority, processes
Non-routine transactions | Transfer from Capital WIP to Fixed assets; Full and final settlement; Leave encashment payment; Expense provisioning | Exceptional processing; Not always covered by Internal Audit; Fuzzy authority structure; Often not amenable to SOP; Risk of error, material fraud
Estimations | Provision for ESOPs/employee benefits; Impairment; Ascertaining estimated claim amount in case of a legal dispute | Limited automation – reliance on Excel workings; Rarely covered by IA; Relevance of ELCs; Risk of management override
Analysis of Nature of Financial Transactions
63
Too much attention to routine transactions that are high volume, low value and low impact of risk of error.
Policy and processes not defined for non-routine transactions – need to address issues relating to identification, documentation, authorization, automation, escalation and reporting.
Absence of critical review internally for estimates, the ‘game changers’ in financial closing – the impairments, the provisions and the write-downs. The process may not be defined, the documentation may not be adequate and the closing time schedules do not permit an independent review. In fact, the Letter of Representation and Board Resolutions give these estimations an undeserved clout that makes them almost irrefutable.
ICFR Revelations
At a process level, the controls exercised to overcome the risk of misstatement can be categorized under some broad categories. An illustrative list of typical controls is as follows:
Segregation of Duties (SoD)
Maker-checker controls
Authorization – pre-approval, post-authorization, shareholder sanction
Reconciliation – including 3-way reconciliation of physical assets.
Confirmation – third party validation
Physical verification of fixed assets, investments, title deeds etc.
Independent review – internal auditor, any other independent person
Review and Scrutiny of balances at periodic intervals
External opinion or review – for valuation, diminution
Automated controls – blocking, system based alerts, re-computation.
Availability of documented policies
Escalation process
Understanding controls in ICFR
Company:
Ideally, RCMs as decided by the analysis. However, the company may choose to document risks and controls in any other format that is appropriate.
SOPs for all routine processes that build up to material processes
Policies for financial closure, estimations and non-routine transactions processing.
Auditor:
RCMs for all identified processes.
RCMs for the FSCP, estimations, non-routine transactions processing, etc.
Need to optimize the no. of RCMs so that material risks are addressed duly.
Expected time: this is the time consuming part of the ICFR process – if the company has good SOPs and auditors have well documented audit files as per SA-315 and other SAs, this would take less time. Else, the entire process could take 2-4 weeks, to bring it to an acceptable shape.
Documentation
Information and Communication
Output
• Identification of communication protocols within and outside the company to facilitate robust financial accounting
• Identification of channels and medium of communication – IT based, auto-alerts, emails, physical documents, etc.
• Identifying the sources of information and validating the integrity of dataflow.
13. Organization obtains/generates/uses relevant information
14. Communicates internally to support the internal control functioning
15. Communicates externally matters affecting the functioning of internal control
Information & Communication
The process of generating MIS is not robust – MIS is based on incomplete data.
Unusual events/transactions are not captured, escalated or appropriately approved.
Problems known at lower levels are not always escalated to senior management in absence of appropriate platforms
Whistleblower Policy exists only on paper
Open communication is not encouraged
Exit interviews are not taken/recorded.
Information and Communication Breakdown
Originating department to Accounts department for timely accounting
Accounts department to Executive Management for decision making and approvals where required
Management to BoD for analysis, discussion and directions
BoD to various departments – communication of policies and SOPs.
Various departments to Auditors/Internal Auditors for review
Company to counterparties and counterparties to company – balance confirmation, account confirmation, proof of delivery, proof of acceptance of services etc.
It is important for the company to ensure unrestricted flow of accurate information relevant for making financial statements. It is equally important for the auditors to validate the flow of information and the integrity of the contents.
Flow of Information
Company:
Document the flow of information that contributes to financial reporting process, fixing responsibility and timelines.
Implement controls that ensure smooth flow of accurate and complete information on a timely basis.
Auditors:
Review the communication and information flow.
Risks related to inappropriate communication or information flow will be embedded in relevant RCMs
No significant separate documentation to be done by the auditors.
Documentation
16. Organization conducts ongoing and/or separate evaluations of internal controls
17. Evaluates and communicates internal control deficiencies to those responsible for remedial actions including the board/senior management
Monitoring
Self assessment of controls (Control Self assessment or CSA) is not an established practice as yet.
Review of Internal Controls is done by internal Auditors – however, the scope of internal audit is at times limited and the internal auditors have limited access to the senior management.
Many small companies do not have any internal audit.
The SOP and the IT systems are designed primarily to ensure functionality – control thinking is not an integral part of these initiatives. Hence, identification and reporting of internal control failures is not automated or part of structured reporting to the management.
Who is Monitoring?
The Company must establish monitoring processes to confirm the robustness of its ICFR.
The monitoring activity may take the form of:
Periodic review of certain balances and performance
Internal audit – based on scope assigned. Ideally, scope may be assigned based on risk-based audit principles.
Management review of budgets, performance and exceptions and
Testing of controls documented in the RCMs.
Review of Monitoring Activity
Company:
Company’s monitoring philosophy is documented as part of ELC
Monitoring activity at a process level is embedded in Policies and SOPs and will be reflected in controls in the RCMs
Internal audit scope, if not formally defined, may be documented.
Verification and monitoring processes may also be documented.
Auditors:
Monitoring activity will be reflected as controls in the RCM
The monitoring activity will be reviewed as part of controls testing and will be documented under ‘test of controls’.
No separate documentation for this component may be required.
Controls testing will take a fair amount of time – but this is integrated with normal audit and hence, separate time is difficult to estimate.
Documentation