Reporting on Internal Financial Controls

February 17, 2015

 Agenda
► Understanding Internal Financial Controls

► Who all are responsible

► Consequences of Non-Compliance

► Comparison of regulations

► Key matters for consideration

► Global scenario

► Way forward

► Reporting considerations

Page 2
Understanding Internal Financial Controls (IFC)

Page 3
Understanding Internal Financial Controls
“IFC” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of
its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and
detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information.

IFC means the policies and procedures adopted by the company for:

▬ ensuring the orderly and ▬ the prevention and ▬ the accuracy and
efficient conduct of its detection of frauds completeness of the
business, and errors accounting records, and
▬ including adherence to
company’s policies, ▬ the timely preparation of
▬ the safeguarding of its assets, reliable financial information
Operating controls Fraud Prevention Internal Financial Controls over
Financial Reporting (‘ICFR’)

Check if all documents (including Can we create an employee All salaries to the new employees
background checks) are available as record without relevant are processed
per checklist documents?

Internal financial controls system includes policies and procedures for ensuring efficiency and effectiveness of
business and ensuring accuracy of accounting records.

Definition of internal control as per SA- 315

Internal control is the process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding
of assets, and compliance with applicable laws and regulations.
Comparable definition – COSO : Internal Control

‘Internal control is a process, effected by an entity's board of directors,

management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives relating to
operations, reporting, and compliance’

Operational
ICFR Compliance
+ controls +
=
Internal Controls

5 Internal Financial Control

Internal Financial Controls over Financial Reporting

As per Guidance Note*, ICFR is a process designed to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles.

A company's ICFR includes those policies and procedures that:

► pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the
transactions and dispositions of the assets of the company;

► provide reasonable assurance that transactions are recorded as necessary to permit preparation
of financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in accordance with authorisations
of management and directors of the company; and

► provide reasonable assurance regarding prevention or timely detection of unauthorised

acquisition, use, or disposition of the company's assets that could have a material effect on the
financial statements.

* The Guidance Note on ICFR has been withdrawn by the ICAI. References made herein are based on the Guidance
Note as earlier issued by ICAI for discussion purposes only

The above definition is in line with definition given under SEC Rules in respect of ICFR.

6 Internal Financial Control

Who all are responsible?

7 Internal Financial Control

The Companies Act 2013 – Who All Are Responsible?

Section Director’s ► In the case of a listed company, the Directors’ Responsibility

134 Responsibility states that directors, have laid down IFC to be followed by
Statement the company and that such controls are adequate and
operating effectively.
Rule 8 Directors ► The Board of Directors of all companies to state the details in
respect of adequacy of IFC with reference to the financial
statements

Section Auditor Report ► The auditor’s report should also state whether the company
143 has adequate IFC system in place and the operating
effectiveness of such controls

Section Audit ► Audit committee may call for comments of auditors about
177 Committee internal control systems before their submission to the
Board and may also discuss any related issues with the
internal and statutory auditors and the management of the
company

Sch IV Independent ► The independent directors should satisfy themselves on the

Directors integrity of financial information and ensure that financial
controls and systems of risk management are robust and
defensible.

8 Internal Financial Control

The Companies Act 2013 – Who All Are Responsible? (contd.)

Requirement
Public Listed Public Limited Others
(as per previous slide)
Loans,
Paid-up share Turnover >= Borrowing in
capital>= INR INR 100 Cr aggregate >=
10 Cr
INR 50 Cr
1 Director’s Responsibility
Statement (134)

2 Auditor Report (143)

3 Audit Committee (177)

4 Independent Directors
(Schedule IV)

5 Rule 8(5)(viii) of the

Companies (Accounts)
Rules, 2014 – BOD report –
Financial Statements only

9 Internal Financial Control

Consequences of Non- Compliance

10 Internal Financial Control

The Companies Act 2013 – Consequence of Non-Compliance

Section 134 : Every officer of the company who is in default shall be punishable
with imprisonment for a term which may extend to three years or with fine
which shall not be less than fifty thousand rupees but which may extend to
five lakh rupees, or with both

2(59) “officer” includes any director, manager or key managerial personnel or

any person in accordance with whose directions or instructions the Board of
Directors or any one or more of the directors is or are accustomed to act

11 Internal Financial Control

Comparison of regulations
Role Companies Act, 1956 Companies Act, 2013 Clause 49
Board of Sec 217 – The Directors’ Additional requirement: As a part of directors’ report , the
Directors Responsibility statement to Management Discussion and
state that, the directors had Listed Companies: Sec 134 - The Analysis report (‘MDNA’) should
taken proper and sufficient Directors’ Responsibility statement include discussion on Internal
care: to state that, directors had laid control systems and their
- for the maintenance of down IFC to be followed by the adequacy.
adequate accounting company and that such IFC are
records in accordance with adequate and operating effectively. Though there is no change in the
the provisions of this Act structure of MDNA, the reporting
for safeguarding the assets Other Companies*: Rule 8(5)(viii) on this clause has to be made
of the company and of the Companies (Accounts) Rules, considering the new definition
- for preventing and 2014 requires the board report of under the Act.
detecting fraud and other all companies to state the details in
irregularities; respect of adequacy of IFC with
reference to the “financial
statements” only.

Sch IV - The independent directors

should satisfy themselves on the
integrity of financial information and
ensure that financial controls and
systems of risk management are
robust and defensible.

* (1) As a result of the above rules, Board of Directors of all Companies are responsible in respect of IFC.
(2) As per Guidance note, even though no specific responsibility statement is made in respect of Unlisted Companies for IFC (i.e.
from operating controls+ fraud prevention perspective), still the responsibility of ensuring adequacy and operating
effectiveness of the IFC remains with the management and the persons charged with governance in the company.

12 Internal Financial Control

Comparison of regulations
Role Companies Act, 1956 Companies Act, 2013 Clause 49
Audit Sec 292A(7) - The Audit Additional requirement: The Audit Committee to review matters
Committee Committee required to be included in the Director’s
- should have Sec 177(5) - Audit committee Responsibility Statement .
discussions with the may call for comments of
auditors periodically auditors about internal control Evaluate IFC and risk management
about internal control systems before their submission systems. (new under Revised Clause
systems, the scope of to the Board and may also 49)
audit including the discuss any related issues with
observations of the the internal and statutory Reviewing, with the management,
auditors and auditors and the management performance of statutory and internal
- review the half-yearly of the company. auditors, adequacy of the internal
and annual financial control systems.
statements before Sec 177(4)(vii) - evaluation of
submission to the IFC and risk management Review Management letters / letters of
Board and systems. internal control weaknesses issued by
- also ensure the statutory auditors.
compliance of internal
control systems. Review Internal audit reports relating to
internal control weaknesses.

Reviewing the findings of any internal

investigations by the internal auditors
into matters where there is suspected
fraud or irregularity or a failure of
internal control systems of a material
nature and reporting the matter to the
board.

13 Internal Financial Control

Comparison of regulations
Role Companies Act, 1956 Companies Act, 2013 Clause 49
Auditor’s Under CARO, the Section 143 - The auditor’s If appointed, issue a certificate
Responsibility reporting on internal report should also state whether regarding regarding
controls was limited to the the company has adequate IFC compliance of conditions of
adequacy of controls over system in place and the corporate governance as
purchase of inventory and operating effectiveness of such stipulated in this clause and
fixed assets and sale of controls. annex the certificate with the
goods and services. directors’ report, which is sent
As per the Guidance Note, a annually to all the shareholders
As such, CARO did not separate audit report is required of the company.
require reporting on all to be issued by the auditor as
controls relating to annexure to the main audit
financial reporting and report covering items such as:
also did not require - Management’s responsibility
reporting on the on IFC
“adequacy and operating - Identification of Framework
effectiveness” of such - Auditor’s responsibility on
controls. ICFR
- Inherent Limitations of ICFR
- Auditors opinion on ICFR, etc.

Further, in case of modified

opinion, the auditor should
determine the effect of modified
opinion on ICFR for providing
opinion on the financial
statements.

14 Internal Financial Control

Key matters for consideration

15 Internal Financial Control

Key matters for consideration

Whether directors are required to comment on Operating controls + Fraud Prevention + ICFR?

Listed Companies: Based on the reading of law, since the specific definition of IFC is prescribed under the
Act for Listed Companies, the directors are required to comment on all the 3 components of IFC.

Other Companies: Under Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014, the board report of all
companies to state the details in respect of adequacy of IFC with reference to the “financial statements”
only.

However, Guidance Note states that, even though no specific responsibility statement is made in respect of
Unlisted Companies for IFC (i.e. from operating controls+ fraud prevention perspective), still the
responsibility of ensuring adequacy and operating effectiveness of the IFC remains with the management
and the persons charged with governance in the company.

Clause 49 requires certification by the CEO/CFO stating that they accept responsibility for establishing and
maintaining internal controls for financial reporting and that they have evaluated the effectiveness of intern
control systems of the company pertaining to financial reporting and they have disclosed to the auditors
and the audit committee, deficiencies in the design or operations of such internal controls, if any, of which
they are aware and the steps they have taken or propose to take to rectify those deficiencies.

16 Internal Financial Control

Key matters for consideration

As per section 143 , the auditor’s report should also state whether the company has adequate IFC system
in place and the operating effectiveness of such controls. In this regard, whether auditors are responsible
for reporting on operating controls?

As per Guidance note, the auditor needs to obtain reasonable assurance to state whether an adequate
internal controls system was maintained and whether such IFC system operated effectively in the company
in all material respects with respect to financial reporting only.

Accordingly, the term ‘Internal Financial Control – IFC’ wherever used in this Guidance Note in the context
of the responsibility of the auditor for reporting on such controls under Section 143(3)(i) of the Act, per se
implies and relates to internal financial controls over financial reporting i.e. ICFR.(applicable to both listed
and unlisted entities).

In India, auditors are not required to report on the management’s assertion of effectiveness on internal
financial controls. Reporting under the Act will be an independent assessment and assertion by the auditor
on the adequacy and effectiveness of the entity’s system of internal financial controls.

17 Internal Financial Control

Key matters for consideration
What is the specific date for reporting on the adequacy and operating effectiveness of IFC systems
over financial reporting in case of Auditors and Directors?

Auditors: As per Guidance Note, the auditor should report if the company has adequate internal
control systems in place and whether they were operating effectively as at the balance sheet date.
Hence, if any weakness noted by him has been corrected by the management as at the balance
sheet date, then reporting is not required.

Directors: Directors are responsible for ensuring adequacy and operating effectiveness of controls,
hence reporting may be required even in cases where the weakness noted by them have been
corrected as at the balance sheet date. As there is no clarity in law, MCA could clarify on this
matter.

Whether IFC reporting is required in case of interim financial statements?

The reporting on IFC will not be applicable with respect to interim financial statements, such as
quarterly or half-yearly financial statements, unless such reporting is required under any other law
or regulation.
Reporting on internal control systems is similar to reporting on the commercial operations of the
company. Whilst, the testing is carried out on the transactions recorded during the year, the
reporting is at the balance sheet date.

18 Internal Financial Control

Key matters for consideration
What is the auditor’s responsibility for reporting on IFC in case of Consolidated Financial
Statements?
As per the Guidance Note, the requirements relating to reporting on IFC are not intended to apply in
the case of the consolidated financial statements.

Further, Rule 8 of Companies (Accounts) Rules, 2014 states that the Board’s Report, which includes
the Directors’ Responsibility on IFC, is required to be prepared only based on the standalone
financial statements and, thus, the responsibility for establishing such controls on the subsidiaries,
joint ventures and associates, in any case, may not rest with the Board of the parent company but
with the management of the respective component.

However, in case of branch operations, the same is considered as integral part of the standalone
financial statements and accordingly reporting on IFC would be required.

In determining the adequacy of ICFR, whether materiality needs to be considered or not?

In planning the audit of ICFR, the auditor should use the same materiality considerations as he or
she would use in planning the audit of the company's annual financial statements as provided in SA
320 “Materiality in Planning and Performing an Audit”.

19 Internal Financial Control

Key matters for consideration
Internal Control Vs. Enterprise Risk Management (‘ERM’)?
Internal control is an integral part of enterprise risk management.

The following are some of the key differences between internal controls over financial reporting and ERM:

► ERM is applied in strategy setting while IFC operate more at the process level.
► ERM is applied across the enterprise, at every level and unit, and includes taking an entity level
portfolio view of risk while IFCs are applied for the processes which contribute to financial reporting.

Section 134(3)(n) - Board report to include a statement indicating development and implementation of a
risk management policy for the company including identification therein of elements of risk, if any, which in
the opinion of the board may threaten the existence of the company.

The existence of an appropriate system of IFC does not in itself provide an assurance to the board of
directors that the company has developed and implemented an appropriate risk management policy or vice
versa.

IFC in case of Joint audits?

The professional responsibilities which the auditors undertake in case of Joint Audit for reporting on IFCs
to be considered in line with present guidance available under SA 299 “Responsibility of Joint Auditors”.

20 Internal Financial Control

Global Scenario

21 Internal Financial Control

IFC - SOX Vs. Companies Act, 2013
Particulars Section 404 – SOX Companies Act, 2013
Applicability All companies, including Indian Companies, which are Applies to all Indian Companies.
listed on US stock exchanges are required to comply.
Coverage ICFR IFC=Operating controls+ Fraud Prevention+ICFR
Issued on* Consolidated Financial Statements – Requires Annual Standalone Financial Statements – Annual basis
assessment and Quarterly review for change
Report** Sec 404 requires management to file “Internal Directors’ Responsibility Statement to state that directors,
Controls Report". This report must contain : have laid down IFC to be followed by the company and that
such controls are adequate and operating effectively.
► statement of management’s responsibility for
establishing and maintaining adequate ICFR. Further, a Separate Audit report is issued by the auditor as
► A statement identifying the framework used by annexure to the main audit report covering items such as:
management to evaluate the effectiveness of the - Management’s responsibility on IFC
company’s ICFR. - Identification of Framework
► Management’s assessment of the effectiveness - Auditor’s responsibility on ICFR
of the ICFR. - Inherent Limitations of ICFR
► A statement that its auditor has issued an - Auditors opinion on ICFR, etc.
attestation report on management’s evaluation of
the company’s ICFR. Further, in case of modified opinion, the auditor should
determine the effect of modified opinion on ICFR for
providing opinion on the financial statements.

* Under SOX, ICFR is assessed at group level for adequacy i.e. the processes are spread across entities, where as under the Act,
the adequacy of the processes are required at entity level.

** (a) Under SOX, Management is responsible for ICFR whereas under the Act, Directors are responsible for IFC.
(b) Since SOX is applicable on consolidated financial statements, the sample can be selected from the entire population of the
group, whereas IFC is applicable only on standalone financial statements, accordingly the population would be restricted to the
entity.

22 Internal Financial Control

IFC provisions - India and Global comparison
India USA UK
Scope Operating Controls+Fraud ICFR All material controls, including
Prevention+ financial, operational and
ICFR compliance controls

Framework Not defined COSO The UK Corporate Governance

Code

Guidance ICAI Guidance issued in AS-5 UK Combined Code/Turnbull

November 2014* guidance

Control Yes – CEO/CFO, Yes Yes

assessment Board

Auditor attestation Yes – ICFR Yes – ICFR Yes

Rigour of Past precedent – Low High High

implementation Now expected to be High

* The Guidance Note on ICFR has been withdrawn by the ICAI. References made herein are based on the Guidance Note as earlier issued
by ICAI for discussion purposes only

23 Internal Financial Control

Way Forward

24 Internal Financial Control

Framework to be adopted for ensuring compliance with IFC
In India, which framework has to be adopted for compliance with IFC?
Under the Act, no framework has been prescribed. As per the Guidance Note, any of the following
frameworks can be used in India:

► Internal Control - Integrated Framework issued by Committee of the Sponsoring Organisations of the
Treadway Commission (COSO Framework).

► Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants (CoCo).

► “Internal Control: Guidance for Directors on the Combined Code”, published by the Institute of
Chartered Accountants in England & Wales (known as the Turnbull Report)

► SA 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity
and its Environment”, could also provide the necessary framework for companies. (currently under
revision by the ICAI).

COSO framework has become the most widely used internal control framework in the U.S. and has been
adopted by numerous countries and businesses around the world.

Considering the fact that the control environment may vary from one framework to another, the auditor
would need to consider the framework selected by the Company for the purpose of reporting on ICFR.

25 Internal Financial Control

Components of Internal Control as per SA 315

Control
environment

Entity’s risk
Monitoring of
assessment
controls
process

Information Control
system and activities
communication

26 Internal Financial Control

Principles embedded in the framework
Principles-based approach: Principles represent the fundamental concepts associated with the components of internal
control. It is generally expected that all principles will, to some extent, be present and functioning for a organization to
have effective internal control. When a principle is not being met, some form of internal control deficiency exists.

§ Demonstrates commitment to integrity and ethical values

§ BOD demonstrates independence from management & exercises
1. Control oversight of the development & performance of internal control
Environment § Management, with board oversight, establishes structure,
authority and responsibility
§ The organization demonstrates commitment to competence
§ The organization establishes accountability

§ Specifies relevant objectives with sufficient clarity to enable

identification of risks
2. Risk Assessment § Identifies and assesses risk
§ Considers the potential for fraud in assessing risk
§ Identifies and assesses significant change that could impact
system of internal control
§ Selects and develops control activities to mitigate risks
3. Control Activities § Selects and develops general controls over technology
§ Deploys controls activities through policies and procedures
§ Obtains or generates relevant, quality information
4. Information & § Communicates internally w.r.t functioning of internal controls
Communication
§ Communicates externally w.r.t functioning of internal controls
§ Selects, develops and performs ongoing and separate
5. Monitoring evaluations
§ Evaluation of deficiencies and taking corrective actions

27 Internal Financial Control

Points to focus - Examples
Environment Principle Points to focus
Control The organization demonstrates a ► Establishes Policies and Practices
Environment commitment to attract, develop and ► Segregation of Duties
retain competent individuals in ► Evaluates Competence and Addresses Shortcomings
alignment with objectives.
► Attracts, Develops, and Retains Individuals Takes Corrective Action
► Plans and Prepares for Succession
Risk Assessment The organization considers the ► Considers Various Types of Fraud Identification of business risk relevant to the
preparation of Financial Statements in
potential for fraud in assessing risks to ► Assesses Incentive and Pressures accordance with the entity’s applicable financial
the achievement of objectives. ► Assesses Opportunities reporting framework, assess the likelihood of their
occurrence, and decide upon actions to respond
► Assesses Attitudes and Rationalizationsto and manage them and the results thereof.
Control Activity The organization deploys control ► Establishes Policies and Procedures to Support Deployment of
activities through policies that establish Management’s Directives
what is expected and procedures that ► Establishes Responsibility and Accountability for Executing Policies and
put policies into action. Procedures Performance Reviews
► Performs in a Timely Manner Information Processing
► Takes Corrective Action
Physical Controls
► Performs Using Competent Personnel
► Reassesses Policies and Procedures
Information & The organization communicates with ► Communicates to External Parties
Communication external parties regarding matters ► Enables Inbound Communications
affecting the functioning of internal ► Communicates with the Board of Directors
control.
► Provides Separate Communication Lines
► Selects Relevant Method of Communication
Monitoring Evaluation of deficiencies and taking ► Perform ongoing and/or separate evaluations to ascertain whether the
corrective actions components of internal control are present and functioning
► Communicate internal control deficiencies in a timely manner and take
corrective actions

28 Internal Financial Control

 IFC – How Should You Proceed : Key Components

Culture & enabling Business and Organisation

Delegation of Compensation
structure long range structure and
authority and rewards
Define ‘Tone at the Top’ - Ensures planning SOD
alignment with objectives

Policies
Policies and
and Budgeting
Budgeting and
and IT/ERP controls
IT controls Risk management
Internal control system procedures
procedures reporting
reporting
facilitates oversight and supporting
of the Board’s agenda Code of conduct & FCPA/ Anti bribery Transaction
Fraud program
vigil mechanism controls controls

Monitoring & assurance Management

Internal Audit/ Control Self
Direct and indirect monitoring and Information External Audit
Special reviews Assessment (CSA)
control activities Systems

UK (FRC) COSO Framework Companies Act

29 Internal Financial Control

Top-down approach
u The Guidance note recommends the use of a top-down approach to the audit of IFC over
FR
u A top-down approach begins at the financial statement level with the auditor’s
understanding of the overall risks to IFC over FR. The auditor then focusses on entity-
level controls and works down to significant accounts and disclosures and their relevant
assertions

30 Internal Financial Control

Entity Level Controls
Entity Level Controls include:
u Controls related to the Control Environment
u Controls over management override
u The company’s risk assessment process
u Centralized processing and controls, including Shared Service environments
u Controls to monitor results of operations
u Controls to monitor other controls, including activities of the internal audit function,
the audit committee and self-assessment programs
u Controls over the period-end financial reporting process
u Controls over the recording of unusual transactions; and
u Policies that address significant business control and risk management practices.

31 Internal Financial Control

Identifying significant accounts and disclosures
The auditor should identify significant accounts and disclosures and their relevant
assertions. Relevant assertions are those financial statement assertions that have a
reasonable possibility of containing a misstatement that would cause the financial
statements to be materially misstated. The financial statement assertions include:

u Existence or occurrence
u Completeness
u Valuation or allocation
u Rights and obligations
u Assertions relating to presentation and disclosure

32 Internal Financial Control

Identifying significant accounts - example

Accounts Amount Significant account

Cash & cash equivalents

Cash in hand 600,000 4 Susceptibility to fraud/error
Cash at bank 980,123,000 4 Materiality
Accounts Receivable
4 Materiality
Accounts receivable 502,405,110
Accrued revenue 4 Susceptibility to fraud/error
55,550,400
Allowance for bad debt (1,940,305) 4 Subjectivity in estimation
Inventories
Raw-materials 59,204,240 4 Materiality
Work-in-progress 49,042,040 4 Materiality + Subjectivity
Finished goods 189,204,000 4 Materiality
Goods-in-transit 45,603,000 4 Susceptibility to fraud &
Provision for obsolescence (34,104,049) 4 error
Other current assets Subjectivity in estimation
Current portion of deferred taxes 78,802,840 4
Prepaid expenses 5,607,000 6 Subjectivity in estimation
Employee receivables 43,789,900 4 Not a significant account
Advances to vendors 8,794,000 4 Susceptibility to fraud/error
Susceptibility to fraud/error

33 Internal Financial Control

Mapping accounts and processes - example

Accounts PTP Production Sales Payroll Accounting Taxation Treasury

Cash & cash equivalents 4

4 4 4 4
Cash in hand
4 4 4 4 4
Cash at bank 4
Accounts Receivable
4 4
Accounts receivable
Accrued revenue 4 4
Allowance for bad debt 4 4
Inventories
Raw-materials
4 4 4
Work-in-progress 4 4
Finished goods 4 4
Goods-in-transit 4 4 4
Provision for obsolescence 4
Other current assets
Current portion of deferred taxes 4 4
Prepaid expenses 4 4
Employee receivables 4 4
Advances to vendors 4 4

34 Internal Financial Control

For each process identify activities that impact financial reporting
u Break down a process into all sub-activities
u For each sub-activity, assess its impact on financial reporting

Purchase to Payment

Purchase Invoice Payables

Update masters Buying Receiving
planning processing management

Advances
Goods Vendor master Goods Goods

At warehouse Payment
Manufacturing Item master Manufacturing

Cheque
Non- Non- printing
manufacturing manufacturing Services
Manual
cheques
Services Services System based
receipt
Vendor
reconciliation
Manual receipt

35 Internal Financial Control

Reporting considerations

Page 36
Reporting - Control Exception Vs. Control Deficiency
► Address control exceptions
Conclude that the
exception is a
Is the Yes
control
exception deficiency.
systematic?

No

Consider expanding our • Discuss with management; and

sample size for testing. • Challenge management’s decision
to rely on the control.

Is rate of No A ‘Deficiency’ exists when the

occurrence design or operation of a control does
acceptable? not allow management or employees,
in the normal course of performing
their assigned functions, to prevent or
Yes detect misstatements on a timely
basis.
Conclude not a
Deficiency

37 Internal Financial Control 37

Reporting – Evaluating Control Deficiency (Contd.)
► The severity of a deficiency depends on:
▬ Whether there is a reasonable possibility that the entity's controls will fail to prevent or detect
a misstatement of an account balance or disclosure; and
▬ The magnitude of the potential misstatement resulting from the deficiency or deficiencies.

► Evaluate the severity of each control deficiency that comes to attention to determine whether the
deficiencies, individually or in combination, as of the balance sheet date are,
▬ significant deficiencies; or
▬ material weaknesses.
► A ‘significant deficiency’ is a deficiency, or a combination of deficiencies, in ICFR that is important
enough to merit attention of those charged with governance since there is a reasonable possibility
that a misstatement of the company's annual or interim financial statements will not be prevented
or detected on a timely basis.
► A ‘material weakness’ is a deficiency, or a combination of deficiencies, in ICFR, such that there is a
reasonable possibility that a material misstatement of the company's annual or interim financial
statements will not be prevented or detected on a timely basis.

38 Internal Financial Control 38

Reporting – Evaluating Control Deficiency (Contd.)

Reasonable possibility
Remote possibility of a
of a material
Magnitude
material misstatement
misstatement

Remote possibility of Reasonable possibility of

an immaterial an immaterial
misstatement misstatement

Likelihood (Possibility)
► If there are deficiencies that, individually or in combination, result in one or more material weaknesses, must
evaluate the need to express a modified opinion. -- Qualified or Adverse opinion.
► The PCAOB Auditing Standard No.5 “An Audit of Internal Control Over Financial Reporting” does not provide for
issuing a Qualified opinion.
Note: As per Guidance note, if a material weakness is identified with respect to customer acceptance, credit
evaluation and establishing credit limits for customers resulting in a risk of revenue recognition where potential
uncertainty exists for ultimate realisation of the sale proceeds, the auditor may modify the opinion on IFC in that
respect. However, in an audit of financial statements, the auditor when performing substantive procedures obtains
evidence of confirmation of customer balances and also observes that all debtors as at the balance sheet date have
been subsequently realised by the date of the audit, the audit opinion on the financial statements should not be
qualified, though the internal control deficiency exists.

39 Internal Financial Control 39

Indicators of Material Weakness
u Identification of fraud, whether or not material, on the part of the senior management.
u Errors observed in previously issued financial statements in the current financial year
u Identification by the auditor of a material misstatement of financial statements in the
current period in circumstances that indicate that the misstatement would not have been
detected by the company’s internal financial controls over financial reporting
u Ineffective oversight of the company’s external financial reporting and IFC by the company’s
audit committee.

Auditor should determine level of detail and degree of assurance that would satisfy prudent
officials in the conduct of their own affairs that they have reasonable assurance that transactions
are recorded as necessary to permit the preparation of financial statements in conformity with
GAAP. Materiality should be considered by auditor while treating severity of deficiency or a
combination of deficiencies.

40 Internal Financial Control

Subsequent Events
Changes in IFC over financial reporting or other factors that might significantly affect IFC over
financial reporting might occur subsequent to the date as of which internal financial controls
over financial reporting is being audited but before the date of Auditors report. Such events are
called Subsequent events.

Following reports can be examined to keep a check on subsequent events:

► Internal audit report issued during the subsequent period
► Regulatory agency reports on the Company’s IFC over Financial Reporting.
► Information on IFC on Financial Reporting through other engagements

41 Internal Financial Control

Obtaining Written Representations
Company's ICFR written representation should include management’s statement/acknowledgment of :

► responsibility for establishing and maintaining adequate ICFR effectively;

► performing an evaluation & assessment of the adequacy and effectiveness of ICFR and specifying
control criteria;

► accepting that auditor’s procedures performed during the audits of ICFR has not been used as a
basis for management’s assessment of adequacy and effectiveness of ICFR.

► describing about fraud resulting in material misstatement to the company’s financial statement
and any other fraud that doesn’t result in material misstatement but involves senior management
who has significant role in ICFR if any;

► concluding about the adequacy and effectiveness of the company’s ICFR based on the control
criteria as of the balance sheet date;

► stating whether control deficiencies identified and communicated to the audit committee during
previous engagements pursuant to paragraph 137 and 139 have been resolved and details of any
subsequent events identified.

42 Internal Financial Control

Forming an Opinion

u Auditor should form an opinion on the adequacy and operating effectiveness of ICFR by evaluating
evidence obtained from all sources, including the auditor’s TOC, misstatements detected or any
identified control deficiencies.

u Auditor should evaluate by reviewing reports issued during the year by internal audit or similar
functions.
u After forming an opinion auditor should evaluate the disclosures that the management and BOD is
required to make, under the Companies Act, 2013 on IFC.
u If auditor determines that any required elements are incomplete or improperly presented ,auditor
should perform procedures according to SA-720.
u Auditor may form an opinion on the adequacy and operating effectiveness of ICFR only when
there are no restrictions on the scope of auditor’s work. A scope limitation requires the auditor to
disclaim an opinion or withdraw from the engagement

43 Internal Financial Control

Let’s Discuss

44 Internal Financial Control