ICFR Roundtable - The Future of International OTC Derivatives Regulation
Internal Control over Financial Reporting
Statutory Requirement
Auditors
• Section 143(3)
• Auditor’s Report to state whether the Company has adequate internal financial controls in place with reference to financial statements and the operating effectiveness of such controls.
Directors
• Section 134(5)(e)
• Listed Company – Directors’ Responsibility Statement to state whether the Company has laid down internal financial controls to be followed and that such internal financial controls are adequate and were operating effectively.
Audit Committee
• Section 177(4)
• Evaluate the internal financial controls and risk management systems
Independent Directors
• Section 149(8)
• Satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
M.K. Dandeker & Co.,
IFC under the Companies Act, 2013
The policies and procedures adopted by the Company for ensuring:
▪ Orderly and efficient conduct of its business, including adherence to company’s policies,
▪ Safeguarding of its assets,
▪ Prevention and detection of frauds and errors,
▪ Accuracy and completeness of the accounting records, and
▪ Timely preparation of reliable financial information;
What is ICFR
o A subset of IFC
o ICFR comprises:
▪ Controls on maintenance of financial books
▪ Controls on preparation of financial statements
▪ Controls over unauthorized or fraudulent access to or use of the company’s assets
▪ Authorization controls over financial flows of receipts and payments
o Concerned with those controls, the failure of which exposes the financial reporting to a risk of material misstatement, and not those controls that create a risk of business loss, non – financial fraud in terms of information leakage, or non – adherence to quality control checks.
Spectrum of IFC
IFC
o ICFR
o Anti – Fraud Controls
o Operational Controls
Why ICFR
o Fairly reflect all financial transactions
o All transactions are recorded in accordance with applicable policies, directives and standards
o Transactions are carried out in accordance with delegated authorities
o Financial resources are safeguarded against material loss due to waste, mismanagement, error, fraud, omission
Key Concepts / Definition
Process
Action of taking a transaction or event through an established and usually a routine set of procedures or steps
Control
An action or activity taken to prevent or detect misstatement within a process
Example
Process – Receipt of purchase order and entry as sales order in the system by sales staff
Control – Verification and approval of sales order by head of sales department
Key Concepts / Definition
Design Effectiveness
The right person, using the right information to make the right decision in a timely manner, to mitigate identified key risks
Operating Effectiveness
The consistent application, without exception, of an effectively designed control
Overview of Controls
Levels of control
• Entity level
• Process level
Controls
• Segregation of duties
• Authorization
• Application controls
• Review
• Reconciliation
• Physical Verification
Manual / Automated
Preventive / Detective
IFC & ICFR – Few Examples
o Expired Fire Extinguisher in the Warehouse - IFC
o Periodical physical verification of Stock - ICFR
o Compliance with AS 2 – Inventory Valuation - ICFR
o Annual Maintenance Contract for Fixed Asset - IFC
o Periodical physical verification of Fixed Asset - ICFR
o Code of Conduct – Entity Level Control
o Periodical internal meeting where Senior Management team insists on the importance of ethical behaviour and intolerance to unethical behaviour – Entity Level Control
o Rigor around performance measures, incentives and rewards to drive accountability for performance – Entity Level Control
o Whistle Blower policy – Entity Level Control
IFC & ICFR – Few Examples
o Segregation of duties – ICFR / Entity Level Control
o Validation of cash register of a shift by the next shift cashier - ICFR
o Authorisation of purchase by purchase manager and approval of payment by Finance Manager - ICFR
o Surprise physical verification of cash - ICFR
o Multiple level of approval for Bank payments - ICFR
o Joint custody of cash - ICFR
o CFO and Finance Director review the quarterly and financial statement and related disclosures. – Entity Level Control
Audit of ICFR – Broad Steps
Planning & Scoping
Design & Implementation
Operating Effectiveness
Final Conclusion & Reporting
Internal Control over Financial Reporting
Entity Level Controls
IT General Controls
Transaction Level Controls
ICFR – Approach
o Top – down, risk based approach to identify and understand the relevant controls.
o Check for the “tone at the top” of the organization
o i.e. Start with Entity – level Controls
Why Entity level Controls:
o Efficiency and effectiveness of the internal control and risk identification strategy is equally important
o Benefits from leveraging effective ELC:
▪ Reduce the extent of reliance on transaction level controls
▪ Increase the effectiveness of internal controls through leveraging senior and experienced personnel
▪ Better define and communicate the expectations of management across the organisation (i.e. tone at the top)
▪ Reduce redundancy in controls performed across the organisation at different levels
Entity Level Controls
Entity level control is based on COSO Framework guidelines
5 Components of COSO Framework:
o Control related to control environment
o Risk Assessment
o Control Activities
o Information & Communication
o Monitoring Activities
Entity Level Controls – Control Environment
o Integrity and Ethical Values
o Commitment to Competence
o Board of Directors and Audit Committee
o Management’s philosophy and Operating Style
o Organisational Structure
o Assignment of Authority and Responsibility
o Human Resource Policies and Procedures
Entity Level Controls – Risk Assessment
o Specifies relevant objectives with sufficient clarity to enable identification of risks
o Identifies and assesses risk
o Considers the potential for fraud in assessing risk
o Identifies and assesses significant change that could impact system of internal control
Entity Level Controls – Control Activities
o Selects and develops control activities
o Selects and develops general control over technology
o Deploys through policies and procedures
Entity Level Controls – Information & Communication, Monitoring
Information and Communication:
o Quality of Information
o Effectiveness of Communication
Monitoring:
o Ongoing Monitoring
o Separate Evaluations
o Reporting Deficiencies
Transaction Level Controls
o Work backward from the end objective, which in this case is the financial statement
o Step 1 – Identify the significant accounts
o Step 2 – Associate the significant business processes
o Step 3 – Perform a detailed risk assessment
o Significant accounts balance is a matter of judgement of Auditors
o Assess the materiality of the underlying account results, and assess the inherent risks related to each account
o Follow risk based approach
Example: Risk of completeness is greater for liabilities based accounts than for asset accounts
Key consideration in Controls
Who – performs the control? Does this person have the requisite knowledge / authority?
What – is generated to prove that this control was performed?
When – is this control performed? Is it frequent enough to prevent / detect and correct the risk?
Where – is the evidence of control performed retained? For how long? Is it accessible for audit?
Why – is this control being performed? What type of errors should be prevented or detected?
How – is this control being performed? What activities are included? Can these activities be bypassed? Can the bypass be detected? How are issues resolved, once identified, and in what timeframe? Is this fast enough to mitigate the risk?
Accounts Balance Assertions
• Presentation & Disclosure – An item is disclosed, classified and described in accordance with the applicable financial reporting framework
• Existence – An asset or liability exists at a given date
• Rights and Obligations – An asset or a liability pertains to the entity at a given date
• Completeness – There are no unrecorded assets, liabilities, transactions or events or undisclosed items
• Valuation – An asset or liability is recorded at an appropriate carrying value
Accounts Balance Assertions – Inventory Balance
• Existence – Inventory recognized in the balance sheet exists at the period end.
• Completeness – Inventory units that should have been recorded have been recognized in the financial statement. Any inventory held by a third party on behalf of the entity has been included in the inventory balance.
• Rights & Obligations – Entity owns or controls the inventory recognized in the financial statement. Inventory held on behalf of another entity has not been recognized as part of inventory of the entity.
• Valuation – Inventory has been recognized at the lower of cost or net realizable value in accordance with AS 2. Any abnormal wastage has been excluded from the cost of inventory. An acceptable valuation basis, such as FIFO or weighted average, has been used to value cost.
Transaction Assertions
• Occurrence – Recorded transactions and events have occurred and pertain to the entity
• Completeness – All transactions and events that should have been recorded have been recorded
• Accuracy – Amounts and other data have been recorded accurately
• Cutoff – Transactions and events have been recorded in the correct accounting period
• Classification – Transactions and events have been recorded in the proper accounts
Transaction Assertions – Payroll Cost
• Occurrence – Expenses have been incurred during the period in respect of the personnel employed by the entity and do not include the cost of any unauthorized personnel.
• Completeness – Payroll cost in respect of all personnel has been fully accounted for.
• Accuracy – Payroll cost has been calculated accurately. Any adjustments such as tax deduction at source have been correctly reconciled and accounted for.
• Cut - off – Payroll cost recognized during the period relates to the current accounting period. Any accrued and prepaid expenses have been accounted for correctly in the financial statements.
• Classification – Allocation between operating, general & administration expenses is fair.
Presentation & Disclosure Assertions
• Occurrence – Disclosed events, transactions have occurred and pertain to the entity
• Completeness – All disclosures that should have been included have been included
• Classification and Understandability – Financial information is appropriately presented and described and disclosures are clearly expressed
• Accuracy and Valuation – Financial and other information are disclosed fairly and at appropriate amounts
Presentation and Disclosures Assertion - RPT
• Occurrence – Transactions with related party disclosed in the Notes to Financial Statement have occurred during the period and relate to the entity.
• Completeness – All related parties, related party transactions have been identified and disclosed in the notes to financial statement.
• Classification and Understandability – Nature of related party transactions, balances and events has been clearly disclosed so that users can easily ascertain their financial effect.
• Accuracy & Valuation – Related party transactions, balances and events have been disclosed accurately at their appropriate amounts.
IT General Controls
o Protects data integrity and is a significant component of an organization’s ICFR.
o Improve the consistency of control operations
o Improve the security (confidentiality, integrity and availability) of corporate information
o Reduce the extent of testing and reliance on manual transaction – level controls
o Improve reliability of manual controls dependent on IT information
IT General Controls
IT General Controls broadly encompasses:
o User Management
o Logical Access Controls
o Change and Incident Management
o Database Management
o Software acquisition and maintenance
o Install and accredit system
o Network Security
Not all IT Controls impact financial statements directly. Absence of those controls affects timely availability of reliable financial information.
Execution Strategy
Testing Design Effectiveness
o Perform and document walkthroughs to understand the design of existing IFC System
o Document process and application controls
o Identify what could go wrong
o Focus on segregation of duties
o Review strength of IT General Controls
o Prepare Risk Control Matrix with control description, owner, frequency, control evidence
o Perform and document walkthroughs
o Identify controls into Manual, Automated, IT dependent, Preventive or Detective.
o Prioritize control gaps into Material and non – Material
Testing Operating Effectiveness
o Design testing methodology including the sample size
o Identify the Information produced by Entity (IPE) for the controls to be tested
o Test samples are selected not on the basis of materiality but on the basis of the frequency of appearance of the transaction (daily, weekly, monthly, quarterly, annually)
o Timing of testing
o Document testing results
o Prioritize testing gaps into Material and non – material
o Identify mitigation / compensating controls for material gaps
Assessment and Reporting
o Evaluate severity of each control deficiency
o Communicate to Management and those charged with Governance of all material weaknesses and significant deficiencies
o Inquire about subsequent events
o Form an Opinion on the Internal Control over Financial Reporting
Significant deficiency and Material weakness
o A deficiency (or combination of deficiencies) that is less severe than a material weakness, yet important enough to merit the attention of the Audit Committee or those charged with Governance – Significant deficiency
o A deficiency (or combination of deficiencies), such that there is a reasonable possibility that a material misstatement of the entity’s annual financial statements will not be prevented or detected on a timely basis – Material Weakness
o Evaluate the severity of each control deficiency to determine whether individually or in the aggregate it is a material weakness
o Severity of a deficiency does not depend on whether a material misstatement actually has occurred but rather on whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement
Thank You
M. K. Dandeker & Co., Chartered Accountants