ICFR: The New Kid on the Block

Nandita Parekh
CNK & Associates LLP
July 2016

Is he friendly?

Does he mean business?

Is he helpful?

Will he stay on or he is temporary in this area?

Well, let me tell you: this new kid is permanent, here to stay, means business, can be very useful to companies if handled well and may be dangerous to both companies and auditors if mishandled.

So… it is time we step out and greet this NEW KID ON THE BLOCK called ICFR.

Hi. My name is ICFR….

So who is this new kid on the block?

Session Objectives

• To understand ICFR requirements at a conceptual level.

• To learn practical and easy ways to comply with the requirements in a meaningful manner.

• To appreciate the intent of the law by going beyond the form.

All with a focus on not-so-large private companies, their advisors and their auditors.

Part I: Introduction to ICFR

• Origin – Regulatory Routes (where from?)

• Definition and Coverage (what?)

• Objective – Purpose (why?)

Most enhancements in governance laws owe their origin to frauds….

IFC/ICFR – Made in the West, Embraced by Indian Regulators

Frauds highlight the weaknesses in the governance structure. Small frauds result in investigations and punitive action on the fraudster; large, pervasive frauds lead to introspection on the adequacy of the governance structure.

The origin of the developments in the area of IFC and ICFR can be traced to large frauds like Enron, WorldCom and such others that shook investor confidence in corporate governance. The requirements in most countries extend only to listed and large public companies.

In India – we have gone a big step forward – the regulations have been adopted on the lines of the US law, but unlike the US, they have been made applicable to all companies, irrespective of their size and ownership structure.

Lines of Defence

The “Three lines of defence” provides a simple and effective way to enhance IFCs by clarifying roles and duties.

• The first line is responsible for setting up the controls, mitigation of risk and defining policies and procedures to be complied with;

• The second line monitors compliance with the laid down controls. It is not an independent assurance function, but a monitoring tool for the management;

• The third line provides the independent assurance on the activities of first and second lines of defence, and the Audit committee and board of directors provide overall direction and oversight.

(Diagram: Senior Management sits above the three lines.)
1st line of defence: Operational & Business units (design & operation of controls)
2nd line of defence: Management assurance (ongoing monitoring of controls)
3rd line of defence: Independent assurance – Internal audit
Also shown: External Auditors; Regulators

The Responsibility Allocation for IFC/ICFR

Companies Act, 2013 and Companies (Accounts) Rules, 2014 specify responsibilities of different stakeholders w.r.t. IFC & ICFR.

Auditors
• Section 143(3): Auditor’s report shall state whether the company has adequate internal financial controls system in place and operating effectiveness of such controls.

Directors
• Section 134(5)(e) of 2013 Act requires Directors’ Responsibility Statement of listed companies to specifically assert on adequacy and operating effectiveness of internal financial controls.
• Rule 8(5)(viii) of Companies (Accounts) Rules requires the directors’ report to give details w.r.t. ICFR.

Audit Committee
• Section 177(4): Every Audit Committee shall act in accordance with terms of reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls and risk management systems.

Independent Directors
• Section 149(8): Independent Directors shall satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible.

Scope and Responsibility

Directors

Scope:
• Listed companies – Adequacy and operating effectiveness of internal financial controls
• Unlisted companies – Adequacy of internal controls over financial reporting

Responsibilities:
• Board: To lay down adequate and effective internal financial controls and include in Directors’ responsibility statement
• Independent Directors: to satisfy themselves on the strength of financial controls
• Audit Committee: to evaluate Internal Financial Control System

Applicable from FY 2014-15. For private companies and other companies not required to have an audit committee or independent director, the entire responsibility is with the Board of Directors.

Auditor

Responsibilities:
Report on
• adequacy and
• operating effectiveness of internal financial controls system over financial reporting

Mandatory from FY 2015-16; voluntary adoption from FY 2014-15.

So, is ICFR really a new kid on the block?

Financial year | Company type     | Audit Committee and Directors | Statutory Auditors
2014-15        | Listed Companies | IFC and ICFR                  | Only for CARO
2014-15        | Other Companies  | ICFR                          | Only for CARO
2015-16        | Listed Companies | IFC and ICFR                  | ICFR
2015-16        | Other Companies  | ICFR                          | ICFR

For companies, reporting on IFC/ICFR became applicable from FY 2014-15. Hence, for companies, ICFR is not really a new kid on the block….

So what has really changed for companies?

The self-regulated traffic signal is now manned by a traffic cop, the auditor…… and suddenly, some companies are realizing that perhaps they were lax in observing the traffic rules earlier!!

(Illustration contrasting 2014-15 with 2015-16.)

Life after ICFR….

• Requirement: ICFR reporting by auditors w.e.f. 01/04/2015
• ICAI Guidance Note issued: September 2015
• FY 2015-16: Seminars, training sessions, documentation, outsourcing…..
• February – May 2016: Tireless working round the clock by listed/early closure companies and their auditors for ICFR completion.
• July – September 2016: ….Time for remaining companies and auditors to play catch up.

Along the way: outsourcing decisions, skill shortage, confusion, and the question “What about System Audit?”

What is IFC? [Explanation to Section 134(5)(e)]

IFC means policies and procedures adopted for:
• Ensuring the orderly and efficient conduct of its business, including adherence to company’s policies
• Safeguarding of its assets
• Prevention and detection of frauds and errors
• Accuracy and completeness of the accounting records
• Timely preparation of reliable financial information

Internal Financial Controls =
• Internal Controls over Financial Reporting
• Fraud Prevention and Fraud Monitoring controls
• Operational Controls
• Controls to ensure Regulatory Compliance

‘Internal Financial Controls’ has a broad connotation – however, from the perspective of assurance expected from Statutory Auditors, the focus is only on Internal Controls over Financial Reporting.

Practical Insights

The evolving Corporate Governance requirements have resulted in development of different management/governance tools and policies and processes.

IFC may be viewed as a consolidating exercise that connects all these pieces to make a whole that is larger than the sum of its parts.

The approach to establishing Internal Financial Controls and auditing them can only be top down, as it starts with the senior most management and drills down to the lowest operating level.

Pieces connected by IFC: Ethics and Governance Policy; Risk Management Policy; Code of Conduct; IT System Manuals; Standard Operating Procedures; Accounting Policies; Whistle Blower Policy; Anti Bribery Policy.

Practical Insights for Auditors/Advisors

ICFR review needs to be done keeping in view the size of the company and the complexity of its operations/accounting.

In small companies, with low complexity, a much simpler level of documentation may be insisted upon.

In large companies with external stakeholders and complex operations, insist on full documentation by early/mid March and ensure testing of controls.

In cases where the Company does not have competent employees who can draw up the financial statements/disclosures or where there is a history of material adjustments between the unaudited and the audited statements, the prima facie conclusion would be that ICFR are not adequate.

In the first year of review, the focus may be on intent and establishing a basic framework that addresses key risks – in subsequent years, this framework needs to be enhanced and improved for wider coverage.

Part II – Internal Control Components

The COSO Cube – this you need to know by heart…

5 Components of the COSO Cube – to be applied to Internal Controls on Financial Reporting:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring

To summarize: A framework for assessing ICFR…

Step by Step Approach

• Understand and document Entity Level Controls
• Assess the IT general controls or the IT environment (ITGC)
• Assess the risk of misstatements in financial statements and assign materiality
• Based on materiality assessment identify key processes that require detailed documentation of risks and controls
• Document RCMs for identified processes; cover remaining areas through macro-level processes
• Test the controls for design and operational effectiveness – address deficiencies found.

Internal Controls over Financial Reporting – three levels:
• Entity level (ELC)
• IT platform level (ITGC)
• Application/Account/Process level (ALC)

Control Environment

Output:
• Entity Level controls
• IT general Controls Assessment

Control Environment – with specific focus on Financial Reporting

1. Organization demonstrates commitment to integrity and ethical values
2. Board exercises oversight of the development and performance of internal control mechanism
3. Management establishes structure, authority, and responsibility
4. Organization demonstrates commitment to attract and retain competent individuals
5. Organization enforces accountability for internal control responsibilities

The Ground Reality

Does the organization have an Anti-Bribery Policy? Or an Ethics policy?

• Ethical code of conduct is neither documented, nor communicated.
• Board meetings are not actually held – the minutes are written to cover the required agenda matters. Managing director has unlimited powers.
• The Company with a turnover of Rs 300 crores does not have a single qualified CA in its Accounts department.
• Organization structure is not formalized; job responsibilities are either not documented, or not reviewed periodically.
• “Cost centers” like Accounts and compliance departments are perpetually understaffed.

Very few companies are able to demonstrate a control environment that creates confidence in entity level controls.

Assessing Relevance of ELCs for Financial Reporting

All ELCs may not have an impact on ICFR.

Identification of relevant ELCs and assessing their precision level based on (the greater the precision, the greater the reliance placed):
• Purpose of control – e.g. inventory verification
• Level of aggregation – e.g. review of consolidated statements
• Quality and consistency of performance – e.g. control exercised at random intervals when time permits
• Correlation to relevant assertions – e.g. selective confirmation of debtors
• Criteria for identifying exceptions/conducting investigations – e.g. too high a materiality threshold
• Comparison with expectations/budgets – e.g. budgets may be unrealistic, estimates may not have the desired level of precision.

ELC for Private Companies

In most private/SME companies, there may not be any documentation of the governance and management framework – companies should consider codifying the same.

Auditors, based on their past experience and interactions with the management, will need to prepare their own assessment of ELCs in a systematic manner. Most people use an Excel based format. However, a narrative style document to assess ELCs is also fine.

The purpose of the ELC assessment is primarily to determine the level of detail with which process level controls need to be reviewed – the stronger the ELC, the higher the reliance on overall controls and the lesser the need for detailing of process level controls.

ELC assessment ends with identification of areas that need strengthening, but generally does not directly result in a material deficiency or a qualification.

ELC Assessment Format

ELC assessment is normally documented in terms of an Excel spreadsheet – the Company should provide this to the auditors for review. At the minimum, the Company should document a detailed note on the ELCs that they believe lead to transparent, true and fair financial reporting.

For ICFR, one must focus only on those ELCs that have a bearing on financial reporting.

The greater the reliance on ELCs, the lesser the testing required at process/account level.

Emphasis should be placed on enhancing entity level controls and automated controls – this can help in reducing the quantum of testing and the need for detailed checking.

To Conclude

Effective Entity level Controls are fundamental to an effective IFC.

The quality of ELCs determines the quantum and nature of testing to be done at account line item, unit or process level.

Deficiencies observed at the ELC level need to be communicated to the management for remedial actions.

It is time for us, as auditors or controllers, to start working on helping organizations in setting up an effective framework of IFC – such a framework will go a long way in enhancing the reliability of the financial statements.

Assessment of IT General Controls

IT general controls are relevant when the Company has implemented one or more IT platforms for processing information that flows into financial statements.

The reliance placed on IT systems and automated controls may be out of place in case certain basic care is not taken in terms of access controls, modification and change management for software applications, generation and review of log reports, periodic systems audit for validation of controls and accurate processing, etc.

Unlike ELC, gaps in ITGC could result in a material deficiency unless the company has introduced parallel or compensating controls that do not rely on automated controls.

It is essential for the company management and the auditors to understand the IT infrastructure and ITGC to conclude on the adequacy and effectiveness of ICFR.

Action Points

Assess ELCs as far as they impact Financial Reporting.

Decide the level of reliance to be placed on ELCs and accordingly plan the review of process level controls.

Review ITGC and determine the level of reliance that can be placed on automated controls in general – if reliance cannot be placed, the company management and the auditors will have to rely on manual and alternate controls.

A full scope systems audit is not expected to be carried out by the auditors – however, in the absence of any systems audit or review by the company over 2-3 years, particularly in case of IT applications that are being regularly modified, it may be difficult to provide a positive assurance on ICFR.

ELCs – the Sentinel at the Gate

ELCs and ITGC are like the security guards placed at the entrance of a building.

Strong entrance security eliminates some risks by controlling who can go in – similarly, ELCs and ITGCs minimize the possibility of certain risks entering the company.

Strong entry point controls do not eliminate the need for additional controls at strategic points – hence, process/account level controls need to be in place for all key risks identified.

Documentation for ELC

Company:
• Prepare a list of overall controls established through mission, vision, code of conduct, policies, automation, audits, etc.
• Essentially put on paper, in a format of your choice, all that you feel contributes to transparency, efficiency and integrity in preparing financial statements.

Auditor:
• Examine the Company’s statement on ELC.
• Alternatively, meet with the management and ask relevant questions to compile a statement of ELCs – add your past client experience to this.
• Use a structured Excel format preferably.
• Conclude on the level of reliance that you want to place on ELCs and communicate to the management the areas that need to be strengthened.

Expected time, for an existing client: approximately 1-3 days of senior time, including validation of controls.

Risk Assessment

Output:
• Identification of key risks for ICFR – starting point of RCMs
• Materiality based identification of accounts and processes
• Determination of RCMs and policies to be documented

Risk Assessment – Risk that financial statements may contain material misstatements

6. Organization specifies objectives to enable the identification and assessment of related risks
7. Identifies and analyzes risk related to the objectives
8. Considers the potential for fraud
9. Identifies and analyzes significant changes that would impact the internal control system

Risk of Material Misstatements

The entire ICFR framework is designed with the primary objective of providing reasonable assurance to the Directors and the auditors that the internal financial controls are such that the annual financial statements prepared by the company would be free from material misstatements.

Note the emphasis on materiality – the formal framework of ICFR is required only with respect to RoMM and not any misstatement.

For a risk to be significant, the likelihood and the impact need to be examined. Strong ELCs reduce the likelihood and thus reduce the severity of the risk.

Analyzing RoMM

Analyze the sources of potential risks. Some potential risks could arise due to:
• Significant changes in the reporting requirements (IND-AS)
• Untested IT systems relied upon for generating financial reports
• Inability to retain competent staff – high attrition level, inadequate induction/training
• Business exigencies creating compulsions for misstatements – listing, borrowing requirements, pressure from investors/shareholders
• Incentive structures not backed by appropriate controls
• Inadequate time allotted for review and audit scrutiny
• Inadequate quality of audit staff for internal/external audits – sub-optimal partner review before finalization

Risks related to Financial Reporting

Risks:
• Management override or management fraud
• Employee initiated misreporting – due to targets or incentives/fear
• Errors, omissions and inefficiency resulting from people, processes or IT systems
• Misinterpretation of Regulatory provisions related to financial reporting

Controls shown alongside on the slide:
• Governance structure, independence of the Board
• Inbuilt controls through policies, segregation of duties, system based checks
• IT controls, authority matrix, maker-checker, audit processes
• Quality of personnel, quality of auditors & consultants

Establishing Materiality

• Consider financial statements and all other disclosures
• Apply quantitative criteria and qualitative criteria
• Use previous experience and assessment of RoMM to identify additional accounts/account groups that are vulnerable
• Finalize a list of accounts/account groups in respect of which detailed testing is required to be done.
• Map this list with the key activities/functions for which review of process level controls has been initiated/proposed.

Materiality Considerations

SA 320 provides guidance on “Materiality in Planning and Performing an Audit” – the same considerations need to be applied for determining materiality for ICFR audit.

Very often, a % based materiality is applied for obtaining a first set of covered items; e.g. for balance sheet items any item that is more than 1% of total Balance sheet size (i.e. 1% of total assets) or any P&L item that is more than 1% of Gross revenues or 5% of PBT – lower of the 2. The % is derived based on professional judgement.

Establishing Materiality Levels: Steps to follow

• Obtain last audited financial statements (March 2015) and also projected financial statements for March 2016 (if available)
• Determine, based on past experience and professional judgement, the % to be applied.
• Apply the % to each category of accounts at a FS level and then drill down to GL codes
• Identify additional items that qualify based on qualitative assessment of vulnerability
• Against each item map the broad business process (procurement, sales, administration, payroll etc) where the accounting item originates.
• Compile a list of those business processes for performing process analysis and preparation of RCMs
• Some residuary items may need to be individually dealt with e.g. dividend, taxation, etc. or will be dealt with in terms of “Financial Statement Closure Policy/Process”.

GL Code | Account Name                          | Balance | Process
FA001   | Land                                  | xxxxx   | • Fixed assets
CA200   | Account Receivables – Domestic        | xxxxx   | • Domestic Sales • Domestic Receivables
CA300   | Account Receivables – International   | xxxxx   | • International sales • International customer management
CA 400  | Account Receivables – related parties | xxxxx   | • Sales to related parties • Transfer pricing / related parties transactions process
OE711   | Salaries                              | xxxxx   | • Payroll process – Outsourced
OE400   | Purchase of consumables               | xxxxx   | • Procurement Process
OE500   | Purchases – R/M                       | xxxx    | • Procurement Process
AP100   | Dividend                              | xxxx    | • Fin Statement Closure Process
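The materiality steps above (percentage thresholds, drill-down to GL codes, qualitative additions, mapping to processes) can be mechanised as a screening pass over the trial balance. The following is an added illustration, not code from the deck or from CNK & Associates: it applies the percentages the slides quote (1% of total assets for balance sheet items; the lower of 1% of gross revenue and 5% of PBT for P&L items), while the GL codes, balances, company totals, process names and the qualitative flags are all constructed sample data.

```python
"""Materiality-based screening of a trial balance for ICFR scoping.

Added illustration (not from the original deck). Percentages follow the
slides; GL codes, balances, totals and process names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GLLine:
    code: str
    name: str
    statement: str   # "BS" (balance sheet) or "PL" (profit and loss)
    balance: int     # absolute balance in Rs
    process: str     # business process where the item originates


def materiality_thresholds(total_assets, gross_revenue, pbt,
                           bs_bp=100, rev_bp=100, pbt_bp=500):
    """Thresholds in Rs. Percentages are given in basis points
    (100 bp = 1%) so the arithmetic stays in integers."""
    bs = total_assets * bs_bp // 10_000
    pl = min(gross_revenue * rev_bp // 10_000, pbt * pbt_bp // 10_000)
    return {"BS": bs, "PL": pl}


def screen_trial_balance(lines, thresholds, qualitative_codes=()):
    """Select GL lines that cross the quantitative threshold for their
    statement or are flagged on qualitative grounds.
    Returns (selected, processes): selected is a list of (line, basis),
    processes is the sorted set of business processes needing an RCM."""
    selected = []
    for line in lines:
        quantitative = abs(line.balance) >= thresholds[line.statement]
        qualitative = line.code in qualitative_codes
        if quantitative or qualitative:
            basis = "quantitative" if quantitative else "qualitative"
            selected.append((line, basis))
    processes = sorted({line.process for line, _ in selected})
    return selected, processes


# Constructed trial balance (Rs). Company totals used below:
# total assets 500 cr, gross revenue 300 cr, PBT 30 cr.
SAMPLE_TB = [
    GLLine("FA001", "Land", "BS", 1_200_000_000, "Fixed assets"),
    GLLine("CA200", "Account Receivables - Domestic", "BS", 400_000_000, "Domestic Sales"),
    GLLine("CA300", "Account Receivables - International", "BS", 30_000_000, "International sales"),
    GLLine("CA400", "Account Receivables - related parties", "BS", 20_000_000,
           "Related parties transactions process"),
    GLLine("OE711", "Salaries", "PL", 250_000_000, "Payroll process"),
    GLLine("OE400", "Purchase of consumables", "PL", 10_000_000, "Procurement Process"),
    GLLine("OE500", "Purchases - R/M", "PL", 1_500_000_000, "Procurement Process"),
    GLLine("AP100", "Dividend", "BS", 12_000_000, "Fin Statement Closure Process"),
]
THRESHOLDS = materiality_thresholds(5_000_000_000, 3_000_000_000, 300_000_000)
# Items pulled in on qualitative grounds regardless of size (constructed):
# related-party balances and the dividend appropriation.
QUALITATIVE_CODES = ("CA400", "AP100")

if __name__ == "__main__":
    selected, processes = screen_trial_balance(SAMPLE_TB, THRESHOLDS, QUALITATIVE_CODES)
    print("Thresholds (Rs):", THRESHOLDS)
    for line, basis in selected:
        print(f"{line.code:6} {line.name:40} {line.balance:>14,} {basis:12} {line.process}")
    print("Processes requiring RCMs:", processes)
```

Items below the threshold (CA300, OE400 in the sample) drop out of detailed scoping unless a qualitative flag pulls them back in; the residuary items the slide mentions (dividend, taxation) are handled here by routing them to the Financial Statement Closure Process rather than by an RCM of their own.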

Risk and Controls – A Simple Model to Follow

Identify financial transactions into:
• Routine, repetitive transactions – purchase, sales, expense booking, payment processing, payroll, etc.
• Non-routine financial transactions – these are transactions that occur at uncertain intervals and are event based – e.g. issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, etc.
• Estimations – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation etc.
• Period Closure Entries – based on reconciliations, verifications, interest accounting, cut-off based accruals etc.

Routine Transactions

Examples – purchase, sales, expense booking, payment processing, payroll, etc.

These generally cover at least 60-70% of total transactions of the Company and equivalent man-hours of the accounting personnel.

These need to be covered by a process flow and narrative, and ideally well established IT platforms.

These may also be subjected to internal audit and periodic MIS review.

For each material category/significant process, ideally an RCM needs to be prepared, focusing on only material risks.

Non-routine Transactions

Examples – issue of fresh shares, borrowing, capitalization, insurance claim, arbitration settlements, declaration of dividends.

For these, it may be very difficult, especially for SME & private companies, to have a documented process.

For all such transactions, based on a pre-defined monetary limit, the company may establish a maker-checker-approver process and document the same under “Process for processing of material non-routine transactions”.

This will cover various categories of transactions and ensure that the review is of a quality that results in accurate accounting, with due scrutiny and authorization at an appropriately senior level.

Estimations

Examples – bad debt provisions, diminution in investment value, provision for employee benefits, tax provision, inventory valuation, deferred taxation.

Estimations require exercise of judgement and hence need to be based on proper working, rationale, policy and approval.

A due process for the basis of significant estimations and approval of the same needs to be documented.

This area poses the highest risk of error and management override – there is a need for increased attention to this area, both by the company and its auditors.

Period Closure Transactions

Examples – entries based on reconciliations, physical verifications, interest accounting, cut-off based accruals, outstanding liabilities, pre-paid expenses, etc.

These may be covered in the Financial Statement Closure Policy (FSCP):
• Trail to be maintained for establishing cut-offs may be specified.
• Authority matrix identifying the maker-checker-approver may be documented.
• Clear trail of year end processing may be established from the first trial balance to final financial statements.

For most SME & private companies, the FSCP and the related RCM may be the most relevant document in support of ICFR review and assurance.

Documentation

Company:
• Identify the risks of misstatements in financial statements w.r.t. the expected users and stakeholders.
• Categorize these risks as material, moderate and low based on likelihood and impact.
• Map the risks to controls instituted through ELC, ITGC and SOPs.
• The Company may be able to rely on a lot of informal controls or non-documented controls; the same may not be accepted by auditors in absence of documentation – hence, some of the controls may need to be evidenced.

Auditor:
• Ideally RoMM should have been documented as per SA 315; if not, this may be done in accordance with SA 315.
• The RoMM to be identified, giving due consideration to past experience, the nature of business, and the expected readership and stakeholders.
• The risks that need to be reviewed for mapping controls and testing the controls should be kept at an optimum – most RCMs make the mistake of detailing immaterial risks as well.

Expected time for a mid-sized company: 4-5 days in all to set the materiality limits, screen the TB to identify the accounts/processes, and add items based on qualitative consideration.

Final Output

Based on materiality assessment and identification of routine transactions, a list of processes and RCMs that need to be documented is prepared.

The RCMs that may be required for most entities would be: purchase cycle, income cycle, employee payments & benefits, expense, cash/bank payment processing, fixed assets, inventory.

In addition, the following will need to be documented:
• General Process for Non-routine Transactions and related RCM
• General process for estimation-based accounting with specific reference to key estimations made annually
• Financial Statement Closure Policy and related RCM – this may also include RCM for year end estimations.
• ELC and ITGC related RCMs.

Control Activities: Process/Account Level Controls

Output:
• Identification of key processes
• Review and document process flow diagrams and RCMs identifying financial reporting risks and controls
• Identifying process and design gaps and assessing materiality of weakness/gap observed
• Determining remedial plan

Control Activities

10. Organization selects and develops control activities for risk mitigation
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures

Controls? What Controls?

Likely Findings…..

• Risk Management Framework, RCMs and SOPs are all stand alone documents – and actual activities are conducted based on neither of these.
• ERP system is tweaked every now and then, but IT system audit has not been done for the last 5 years – there is no review of log reports, unauthorized access, vulnerability to external security breaches, change management processes.
• Policies and procedures remain undocumented for many of the key activities.

(Callouts on the slide: IT System Audit; SOP compilation; Risk Management Framework.)

The Need for Documentation

Assessing IFC in absence of well documented policies, procedures, Authority Matrices etc. becomes almost impossible.

Quality of documentation is a general concern area in many organizations.

Policies for period closure for financial statements also need to be documented, and a structured process for preparation of financial statements needs to be formally documented and adopted.

No job is complete unless the paperwork is done!!

Risk Control Matrix (RCM)

What is an RCM? It is a document linking key identified risks for a process or account balance with corresponding controls. The RCM provides description and categorization of the risk and also of the control.

Ideally risks must flow from the Risk Management Framework and controls identified should be mapped to SOPs – this provides for a common, consistent understanding of risks and controls.

The RCM should also provide the details about testing of controls and cross reference to working papers for control testing.

Process Flowchart and RCM

Process flow charts provide a pictorial view of the activity/process from origination to conclusion.

Controls can be marked on the process flowchart.

Those controls that directly or indirectly address “financial reporting risks” need to be noted – within this, only those controls that address the RoMM need to be considered for testing of controls at design level and at operational effectiveness level.

Some cases of RoMM may get addressed through entity level controls and may not need further detailed documentation or testing.

RCM Components

Account, sub-account, activity
• Account/sub-account, activity identified
• Assertions based on account type and risk/controls

Risk identified and details
• Significant risk
• Is there a fraud risk?

Controls
• Automated/manual
• Frequency
• Control description

Controls Testing details
• Test of design
• Test of operational effectiveness

RCM

RCMs form the most detailed documentation compiled to support the companies in evidencing and confirming the controls.

An RCM provides a one-spreadsheet view of all relevant details required for the assessment of controls and their operational effectiveness.

Preparation of RCMs requires training and a clear understanding of the company’s processes.

An RCM, when finalized, becomes the basis of testing of controls.

When the test results are incorporated in the RCM, it becomes the working paper to back the conclusions arrived at by the management and the auditor as to the adequacy and effectiveness of underlying controls pertaining to that RCM.

62
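The RCM components listed above (account/activity, assertions, risk details, control details, testing details) and the rule from the process flowchart slide (only controls addressing the RoMM are tested, and RoMM already covered by ELCs need no further testing) can be put into a small structure that also shows how the finalized RCM backs the conclusion once test results are filled in. This is an added example, not material from the session or from CNK & Associates; the field names, control ids, working paper references and sample rows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RcmRow:
    """One line of a Risk Control Matrix, following the RCM components on the
    slides: account/activity, assertions, risk details, control details and
    controls testing details. Field names are this example's own choice."""
    control_id: str
    account: str                    # account / sub-account
    activity: str
    assertions: List[str]           # e.g. existence, completeness, cut-off
    risk: str                       # risk identified
    addresses_romm: bool            # does the control address a risk of material misstatement?
    significant_risk: bool = False
    fraud_risk: bool = False
    automated: bool = False         # automated / manual
    frequency: str = "each transaction"
    control_description: str = ""
    covered_by_elc: bool = False    # RoMM already addressed by an entity level control
    test_of_design: Optional[bool] = None                   # None = not yet tested
    test_of_operating_effectiveness: Optional[bool] = None  # None = not yet tested
    working_paper_ref: str = ""     # cross reference to the control testing working paper


def controls_to_test(rcm: List[RcmRow]) -> List[RcmRow]:
    """Only controls that address the RoMM are tested at design and operating
    effectiveness level; an RoMM already covered by an ELC needs no further testing."""
    return [r for r in rcm if r.addresses_romm and not r.covered_by_elc]


def is_effective(r: RcmRow) -> bool:
    """A control is effective only when both tests have been performed and passed."""
    return bool(r.test_of_design) and bool(r.test_of_operating_effectiveness)


def evaluate(rcm: List[RcmRow]) -> Tuple[List[str], List[str], List[str]]:
    """Summarise test results once they are recorded in the RCM.
    Returns (effective control ids, deficient control ids, untested control ids)."""
    effective, deficient, untested = [], [], []
    for r in controls_to_test(rcm):
        if r.test_of_design is None or r.test_of_operating_effectiveness is None:
            untested.append(r.control_id)
        elif is_effective(r):
            effective.append(r.control_id)
        else:
            deficient.append(r.control_id)
    return effective, deficient, untested


def open_risks(rcm: List[RcmRow]) -> List[str]:
    """Risks of material misstatement for which no tested control is effective;
    these are what management and the auditor must still conclude on."""
    tested = controls_to_test(rcm)
    covered = {r.risk for r in tested if is_effective(r)}
    return sorted({r.risk for r in tested} - covered)


# Constructed sample RCM for a small company's revenue and expense processes
# (illustrative data, not taken from the slides).
SAMPLE_RCM = [
    RcmRow("C1", "Revenue", "Sales invoicing", ["occurrence"],
           "Invoices raised for goods not despatched", addresses_romm=True,
           fraud_risk=True, automated=True,
           control_description="System blocks invoicing without a delivery challan",
           test_of_design=True, test_of_operating_effectiveness=True,
           working_paper_ref="WP-REV-01"),
    RcmRow("C2", "Revenue", "Month-end cut-off", ["cut-off"],
           "Revenue recorded in wrong period", addresses_romm=True,
           significant_risk=True, frequency="monthly",
           control_description="Finance manager reviews last/first week despatches",
           test_of_design=True, test_of_operating_effectiveness=False,
           working_paper_ref="WP-REV-02"),
    RcmRow("C3", "Expenses", "Expense booking", ["occurrence"],
           "Expenses booked without approval", addresses_romm=True,
           control_description="Maker-checker approval of expense vouchers"),
    RcmRow("C4", "Cash", "Petty cash", ["existence"],
           "Petty cash shortage", addresses_romm=False,
           control_description="Weekly cash count"),
    RcmRow("C5", "Fixed assets", "Impairment", ["valuation"],
           "Impairment not assessed", addresses_romm=True, covered_by_elc=True,
           control_description="Board-level impairment review policy (ELC)"),
]

if __name__ == "__main__":
    print("to test:", [r.control_id for r in controls_to_test(SAMPLE_RCM)])
    print("effective/deficient/untested:", evaluate(SAMPLE_RCM))
    print("open risks:", open_risks(SAMPLE_RCM))
```

Running it on the sample rows selects C1, C2 and C3 for testing (C4 does not address an RoMM and C5 is covered by an ELC), reports C1 effective, C2 deficient and C3 untested, and leaves two risks open for management and the auditor to conclude on. Appending columns for test results and working paper references to the same rows is what turns the matrix into the working paper the slide describes.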

Analysis of Nature of Financial Transactions

Nature: Routine
  Example: • Sales invoicing • Expense booking • Monthly salary processing
  Noteworthy: • Automation • Internal audit coverage • Clarity of authority, processes

Nature: Non-routine transactions
  Example: • Transfer from Capital WIP to Fixed assets • Full and final settlement • Leave encashment payment • Expense provisioning
  Noteworthy: • Exceptional processing • Not always covered by Internal Audit • Fuzzy authority structure • Often not amenable to SOP • Risk of error, material fraud

Nature: Estimations
  Example: • Provision for ESOPs/employee benefits • Impairment • Ascertaining estimated claim amount in case of a legal dispute
  Noteworthy: • Limited automation – reliance on excel workings • Rarely covered by IA • Relevance of ELCs • Risk of management override

ICFR Revelations

Too much attention to routine transactions that are high volume, low value and low impact of risk of error.

Policy and processes not defined for non-routine transactions – need to address issues relating to identification, documentation, authorization, automation, escalation and reporting.

Absence of critical review internally for estimates, the ‘game changers’ in financial closing – the impairments, the provisions and the write-downs. The process may not be defined, the documentation may not be adequate and the closing time schedules do not permit an independent review. In fact, the Letter of Representation and Board Resolutions give these estimations an undeserved clout that makes them almost irrefutable.

Understanding controls in ICFR

At a process level, the controls exercised to overcome the risk of misstatement can be categorized under some broad categories. An illustrative list of typical controls is as follows:

Segregation of Duties (SoD)

Maker-checker controls

Authorization – pre-approval, post-authorization, shareholder sanction

Reconciliation – including 3-way reconciliation of physical assets

Confirmation – third party validation

Physical verification of fixed assets, investments, title deeds etc.

Independent review – internal auditor, any other independent person

Review and scrutiny of balances at periodic intervals

External opinion or review – for valuation, diminution

Automated controls – blocking, system based alerts, re-computation

Availability of documented policies

Escalation process
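Several of the control types in the list above (segregation of duties, maker-checker, authorization by pre-approval, confirmation, automated re-computation and blocking) can be shown working together on one payment voucher. This is an added example and not code from the session or from CNK & Associates; the roles, the pre-approval limit, the user names and the two sample vouchers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical parameters for this example (not from the slides).
PRE_APPROVAL_LIMIT = 100_000          # vouchers above this amount need pre-approval
CHECKER_ROLES = {"finance_manager", "cfo"}


@dataclass
class InvoiceLine:
    quantity: int
    unit_price: int


@dataclass
class PaymentVoucher:
    voucher_id: str
    maker: str                      # user who prepared the voucher
    checker: str                    # user who approved it
    amount_claimed: int             # total keyed in by the maker
    lines: List[InvoiceLine]        # supporting invoice lines
    pre_approved_by: str = ""       # pre-approval reference, if any
    vendor_confirmed: bool = False  # third party confirmation of the balance


def recompute_total(lines: List[InvoiceLine]) -> int:
    """Automated re-computation control: the system derives the total itself."""
    return sum(l.quantity * l.unit_price for l in lines)


def control_exceptions(v: PaymentVoucher, roles: Dict[str, str]) -> List[str]:
    """Run the process-level controls over one voucher and return every failure.
    An empty list means all controls passed."""
    exceptions = []
    # Segregation of duties / maker-checker: nobody approves their own work
    if v.checker == v.maker:
        exceptions.append("SoD: maker and checker are the same user")
    # Authorisation: the checker must hold an authorised role
    if roles.get(v.checker) not in CHECKER_ROLES:
        exceptions.append(f"Authorisation: {v.checker} is not an authorised checker")
    # Authorisation: pre-approval above the limit
    if v.amount_claimed > PRE_APPROVAL_LIMIT and not v.pre_approved_by:
        exceptions.append("Authorisation: amount above limit without pre-approval")
    # Re-computation: keyed total must agree with the system's own computation
    computed = recompute_total(v.lines)
    if computed != v.amount_claimed:
        exceptions.append(f"Re-computation: claimed {v.amount_claimed}, computed {computed}")
    # Confirmation: third party validation before release
    if not v.vendor_confirmed:
        exceptions.append("Confirmation: vendor balance not confirmed")
    return exceptions


def release(v: PaymentVoucher, roles: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Blocking control: the voucher is released only when no exception remains;
    otherwise the exceptions are returned for escalation."""
    exceptions = control_exceptions(v, roles)
    return (len(exceptions) == 0, exceptions)


# Constructed sample data: user roles and two vouchers.
ROLES = {"asha": "accounts_clerk", "ravi": "finance_manager", "meera": "cfo"}

GOOD_VOUCHER = PaymentVoucher("PV-001", maker="asha", checker="ravi",
                              amount_claimed=45_000,
                              lines=[InvoiceLine(3, 15_000)],
                              vendor_confirmed=True)

BAD_VOUCHER = PaymentVoucher("PV-002", maker="ravi", checker="ravi",
                             amount_claimed=250_000,
                             lines=[InvoiceLine(2, 120_000)],
                             vendor_confirmed=True)

if __name__ == "__main__":
    print(release(GOOD_VOUCHER, ROLES))
    print(release(BAD_VOUCHER, ROLES))
```

The first voucher clears every control and is released; the second is blocked with three exceptions (self-approval, no pre-approval above the limit, and a keyed total that does not agree with the recomputed one). In an RCM each `if` here would be one control line with its own test of design and test of operating effectiveness, and the returned exception list is what the escalation process on the slide would carry to management.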

Documentation

Company: Ideally, RCMs as decided by the analysis. However, the company may choose to document risks and controls in any other format that is appropriate.

SOPs for all routine processes that build up to material processes.

Policies for financial closure, estimations and non-routine transactions processing.

Auditor: RCMs for all identified processes. RCMs for the FSCP, estimations, non-routine transactions processing, etc.

Need to optimize the no. of RCMs so that material risks are addressed duly.

Expected time: this is the time consuming part of the ICFR process – if the company has good SOPs and auditors have well documented audit files as per SA-315 and other SAs, this would take less time. Else, the entire process could take 2-4 weeks to bring it to an acceptable shape.

Information and Communication

Output

• Identification of communication protocols within and outside the company to facilitate robust financial accounting

• Identification of channels and medium of communication – IT based, auto-alerts, emails, physical documents, etc.

• Identifying the sources of information and validating the integrity of dataflow.

Information & Communication

13. Organization obtains/generates/uses relevant information

14. Communicates internally to support the internal control functioning

15. Communicates externally matters affecting the functioning of internal control

Information and Communication Breakdown

The process of generating MIS is not robust – MIS is based on incomplete data.

Unusual events/transactions are not captured, escalated or appropriately approved.

Problems known at lower levels are not always escalated to senior management in absence of appropriate platforms.

Whistleblower Policy exists only on paper.

Open communication is not encouraged.

Exit interviews are not taken/recorded.

Flow of Information

Originating department to Accounts department for timely accounting

Accounts department to Executive Management for decision making and approvals where required

Management to BoD for analysis, discussion and directions

BoD to various departments – communication of policies and SOPs

Various departments to Auditors/Internal Auditors for review

Company to counterparties and counterparties to company – balance confirmation, account confirmation, proof of delivery, proof of acceptance of services etc.

It is important for the company to ensure unrestricted flow of accurate information relevant for making financial statements. It is equally important for the auditors to validate the flow of information and the integrity of the contents.

Documentation

Company: Document the flow of information that contributes to the financial reporting process, fixing responsibility and timelines.

Implement controls that ensure smooth flow of accurate and complete information on a timely basis.

Auditors: Review the communication and information flow.

Risks related to inappropriate communication or information flow will be embedded in relevant RCMs.

No significant separate documentation to be done by the auditors.

Monitoring

16. Organization conducts ongoing and/or separate evaluations of internal controls

17. Evaluates and communicates internal control deficiencies to those responsible for remedial actions including the board/senior management

Who is Monitoring?

Self assessment of controls (Control Self Assessment or CSA) is not an established practice as yet.

Review of Internal Controls is done by Internal Auditors – however, the scope of internal audit is at times limited and the internal auditors have limited access to the senior management.

Many small companies do not have any internal audit.

The SOP and the IT systems are designed primarily to ensure functionality – control thinking is not an integral part of these initiatives. Hence, identification and reporting of internal control failures is not automated or part of structured reporting to the management.

Review of Monitoring Activity

The Company must establish monitoring processes to confirm the robustness of its ICFR.

The monitoring activity may take the form of:

Periodic review of certain balances and performance

Internal audit – based on scope assigned. Ideally, scope may be assigned based on risk-based audit principles.

Management review of budgets, performance and exceptions, and

Testing of controls documented in the RCMs.

Documentation

Company:

Company’s monitoring philosophy is documented as part of ELC.

Monitoring activity at a process level is embedded in Policies and SOPs and will be reflected in controls in the RCMs.

Internal audit scope, if not formally defined, may be documented.

Verification and monitoring processes may also be documented.

Auditors:

Monitoring activity will be reflected as controls in the RCM.

The monitoring activity will be reviewed as part of controls testing and will be documented under ‘test of controls’.

No separate documentation for this component may be required.

Controls testing will take a fair amount of time – but this is integrated with the normal audit and hence, separate time is difficult to estimate.

Hope this session has been informative, empowering and exciting – Hope this encourages you to make friends with the new kid on the block!