Understanding Internal Financial Controls

Understanding legal background, requirements and benefits of IFC; difference between IFC and ICFR; components of internal control; IFC implementation steps

Uploaded by

CODOMAIN

IFC INTERNAL FINANCIAL CONTROL

India :- Age of Corporate Governance

• CII, 1998
• KM Birla Committee, 1999
• SEBI Clause 49, 2000
• DCA Task Force on Corporate Excellence, 2000
• Naresh Chandra Committee, 2002
• Narayan Murthy Committee, 2003
• DCA Report, 2003
• Amended Clause 49, 2004
• IFC, 2013

IFC :- Global Scenario

In June 2003, the Securities and Exchange Commission (SEC) of the United States of America adopted Rules for the implementation of Sarbanes-Oxley Act, 2002 (SOX) that required certification of the Internal Controls over Financial Reporting (ICFR) by the management and by the auditors.

The Public Company Accounting Oversight Board (PCAOB) has issued its Auditing Standard (AS) 5 on “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements”.

In June 2006, the Financial Instruments and Exchange Act (J-SOX) was passed by the Diet, the National Legislature of Japan. The requirements of this legislation are similar to the requirements of internal controls over financial reporting under SOX.

Context of IFC

• Major corporate and accounting scandals: Satyam, Financial Technologies (India) Limited
• Decline of public trust in accounting and reporting practices
• Indian regulations modified to reflect the regulatory developments in the western world
• SOX Act 2002, HIPAA, J-SOX and PCI-DSS are a few examples of regulatory changes introduced by the western world.
• Introduction of Internal Financial Controls (IFC) in the Companies Act 2013 reflects the continuation of this trend

Rules and Regulations as per Companies Act, 2013

• Sec 134 (5) (e) (IFC): In the case of listed companies, Sec 134 (5) (e) requires Directors to make an assertion in the Director Responsibility Statement that they have laid down internal financial controls to be followed and that such IFCs are adequate and operating effectively.
• Sec 143 (3) (i) (ICFR): In the case of a company (whether listed or not), Statutory Auditors are required to make a statement in their auditor's report on whether the company has an adequate IFC system in place and on the operating effectiveness of the same.
• Sec 177 (4) (vii) (ICFR): Under Sec 177 (4) (vii), the duties of the Audit Committee include evaluation of internal financial controls and making a report to the Board.
• Schedule (iv) (ICFR): The independent directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible.
• Rule 8 (5) (vii) (ICFR): Rule 8 (5) (vii) requires the Board of Directors’ Report of all companies to state in detail the adequacy of internal financial controls with reference to the financial statements.

Benefits of IFC

• Helps in business process re-designing to plug revenue leakages & cost containment opportunities.
• Helps in rationalizing the number of controls across the organization, moving to smart and automated controls
• Provides more accurate and reliable financial statements
• Promotes a culture of transparency
• Improved control over financial reporting processes
• Improved compliance with law
• Provides assurance to CEO/CFO and supports them in certification
• Fixed accountability of Operational Management and Senior Management
• Helps in standardizing policies and procedures for multi-location / multi-business companies.

Sec 134 :- Definition and Components of IFC

Sec 134 of the Companies Act 2013 defines ‘Internal Financial Control (IFC)’ to mean policies and procedures adopted by the company for:

• Orderly and efficient conduct of its business, including adherence to company policies,
• Safeguarding of its assets
• Prevention and detection of frauds and errors
• Accuracy and completeness of accounting records, and
• Timely preparation of reliable financial information

(Section 134 of Companies Act 2013)

Components of IFC:
• Internal Financial Controls over Financial Reporting (ICFR)
• Operational Controls
• Fraud prevention

Sec 143 :- Definition and Components of ICFR

The ‘Internal Financial Controls Over Financial Reporting (ICFR)’ shall mean “A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies and procedures that-
• pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
• provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
• provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”

Components of ICFR:
• Maintenance of Financial Record (Detail / Accuracy)
• Authorization of transaction (In accordance with GAAP)
• Safeguarding of the assets of the Company

Example covering both IFC & ICFR

• ICFR: Salary and wages correctly recorded in the financial statement
• Operational Effectiveness: Overtime given to staff as per Company Policy, and adherence to policy is monitored
• Fraud Prevention: Unauthorized changes in salary sheet (Access Control)

Responsibility of various stakeholders

• Directors: Ensure adequacy and operating effectiveness of IFC
• Audit Committee: Evaluation of internal financial controls
• Auditors: To comment on adequacy and operating effectiveness of IFC
• Independent Directors: Satisfy themselves on the robustness of internal financial controls framework

What are Companies Expected to Do?

Assess the Governance tone at the top
• Define entity level governance policies like whistle blower, code of conduct etc.
• Define process level policies and procedures
• Develop a delegation of authority

Perform an assessment of:
• Entity Level Controls
• Process Level Controls
• IT Controls
• Anti Fraud Controls
Identify key and non-key mitigating controls

Document all existing financial and operating controls
• Develop a robust financial close process and document controls around the process
• Document controls in form of RCMs
• Controls on accuracy of judgment and estimates
• Define and document user responsibilities

Consider implementing an ongoing framework for monitoring and evaluation of defined controls and internal certifications
• Monitor effectiveness of existing controls
• Perform periodic assessments to review the operating effectiveness of the controls

Consider preventive and detective anti fraud controls
• Carry out Fraud Risk Assessment and identify fraud risks and existing controls in the processes.
• Define mitigating controls for any gaps identified

Review the existing technology set up and use of IT modules/software.
• Ensure adequacy of ITGCs and ITACs
• Consider automation of routine activities to reduce incidence of manual errors
• Review technology support

SA-315 :- Definition and Components of Internal Control

As per SA ‘315’, internal control is a process,
• Effected by an entity’s board of directors, management, and other personnel,
• Designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Components of Internal Control:
• Control Environment
• Entity’s risk assessment process
• Control activities
• Information system and communication
• Monitoring of controls

COSO 2013 :- 17 Principles for Internal Control

Components of Internal Controls as per COSO

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. BOD demonstrates independence from management and exercises oversight responsibility
3. Management, with Board oversight, establishes structure, authority and responsibility.
4. The organization demonstrates commitment to competence
5. The organization establishes accountability

Entity’s Risk Assessment Process
6. Specifies relevant objectives with sufficient clarity to enable identification of risk
7. Identifies and assesses risk
8. Considers the potential for fraud in assessing risk
9. Identifies and assesses significant change that could impact system of Internal Control

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information system and communication
13. Obtains or generates relevant, quality information
14. Communicates internally
15. Communicates externally

Monitoring of controls
16. Selects, develops and performs ongoing and separate evaluations
17. Evaluates and communicates deficiencies

Controls Environment

Entity Level Controls
The tone at the top is articulated and communicated through clear and easily understandable policies, procedures and practices. The sub-components of Entity Level Controls include:
• Overall Board Governance
• Organization Structure
• Policies & procedures
• Risk Management
• Integrity & Ethics
• Monitoring & Reporting

Process Level Controls
Controls have been defined in the processes to ensure accuracy, completeness and authorization of the transactions entered. The processes covered under the same are:
• Order to Cash
• Procurement to Pay
• Financial Statement Close Process
• Hire to Retire
• Fixed Assets
• Distribution
• Marketing Expense

IT Environment
• Information Technology General Control
• User Access Controls

Key next steps & Actionable :-

Entity Level Controls
• Documentation / Updating of SOPs for key business processes, in line with the current practices and controls requirement. Identification of critical classes of transactions across all areas and documentation of a value based DOA.
• Formalization of critical entity level policies including Board approvals where required and creating awareness
• Define reporting channels as part of Vigil Mechanism
• Alignment of Entity Level Controls with the guidance on IFC framework to be issued by MCA / ICAI

Process Level Controls
• Implementation of the remediation plans against the Design Deficiencies noted on walkthrough of process & controls and documented in the process level RCMs
• Alignment of the Process Level Controls with the guidance on IFC framework to be issued by MCA / ICAI
• Testing of Operating Effectiveness of the controls on an ongoing basis

IT Environment
• Enhance user access controls in systems like ….., ……., ……etc. ensuring adequate Segregation of Duties controls
• Periodic review of the existing access rights in Sun and Champ Systems to remove rights for unauthorized accesses. Document and archive the evidence of review
• Document IT Policy, Data back up policy, BCP and DR Plan

Our Approach

Control framework - COSO:
• Control Environment
• Risk Assessment
• Information & Communication
• Monitoring
• Control Activity
• Fraud

• Financial Statements & related Disclosures
• Identification of consolidated materiality
• Significant Accounts / relevant assertions
• Significant Processes: Corporate, Regions, Institutions, FSS
• Individual Controls at the Entity, Process, Transaction or Application Level
• Determine Nature, Timing & Extent of Key Control Testing

Steps :- Express an opinion on internal control

• STEP 1: Scoping
• STEP 2: Design Assessment
• STEP 3: Design Gap Remediation
• STEP 4: Operating Effectiveness
• STEP 5: Overall Assessment and Reporting

Key work-steps/considerations for Scoping :-

• Map/identify Significant Accounts, Processes and Key Locations
• Segregate scope between Business Process and IT
• Discuss the scope with Statutory Auditor
• Define materiality: Key / Non-key Risk.
• Finalize scope exclusions and validate with auditors
• Define scope of process/activities performed by third parties
• Nominate IFC Champion across process/location
• Set up Steering Committee to review progress / remediation plans
• Align Audit Committee and Board
• Finalize templates, documentation standard, reporting packs.
• Conduct training/workshop with process owners

Key work-steps/considerations for Design Assessment :-

• Finalize process owners across each process/location
• Perform & document walkthrough (recommended)
• Document process maps with input, output, risk/control, IPE
• Segregate controls into Entity/Process/IT
• Identify controls as Manual, Automated, IT Department, Preventive/Detective
• Segregate controls and document a risk and control matrix with control description, owner, frequency, control evidence etc.
• Document IT General Controls (GITCs)
• Perform Segregation of Duties analysis
• Identify design gaps based on walkthrough, interview, discussion etc.
• Benchmarking of IFC controls: consolidate, remove redundancy

Key work-steps/considerations for Design Gap Remediation :-

• Prioritize financial gaps into material / non-material
• Prioritize operational/reputation gaps (if any) into H/M/L impact
• Co-develop remediation plan with owners & implementation timelines
• Periodic monitoring of remediation plan
• Enhance/optimize IT controls
• Standardize/centralize processes (wherever possible)
• Enhance SOP/MIS/DOA etc.
• Interim testing to confirm remediated gaps

Key work-steps/considerations for Operating Effectiveness :-

• Align sampling strategy with external Auditors
• Prepare testing plan & templates
• Timing of testing: mid-year and roll-forward testing
• Finalize resources: competency & independence/objectivity
• Document testing results
• Prioritize testing gaps into material / non-material
• Identify mitigating/compensating controls for material gaps
• Co-develop remediation plans for testing gaps including owners and implementation timelines

Key work-steps/considerations for Assessment and Reporting :-

• Finalize material weakness and update Executive management
• Report to Audit Committee and Board
• Opinion on IFC

CONTACT US!

011 4228 0431

www.codomain.co.in

Thank You!