
Approach note on Internal Financial Controls

Internal Financial Controls and Internal Controls over Financial Reporting


Contents:
1. Introduction to ICOFR
2. Compliance Requirements for ICOFR
3. Introduction to Risks & Controls
4. Using Internal Control Framework for Evaluations
5. Managing ICOFR / ICFR – An Integrated Approach
6. Execution Approach for Assessment of ICOFR
7. Illustrative Project Plan for ICOFR
8. Illustrative Deliverables for ICOFR
9. Illustrative Policies & Procedure Documents
10. Annexures: Illustrative Reports & Documentation


1. Introduction to ICOFR / ICFR

Taking a look at the definitions of Internal Financial Controls (IFC) and Internal Controls Over Financial Reporting (ICOFR / ICFR), along with the definition of Fraud.
Before We Begin: A few words of caution...

One size does not fit all.

Note: The extent of documentation for Internal Financial Controls (IFC) depends on various factors, including but not limited to, the nature & size of the business & scale of operations, policies & procedures in existence, systems & delegations in place and people involved.


Introduction to IFC & ICOFR / ICFR – The Companies Act 2013 and ICAI Guidance Note on ICOFR / ICFR:

Reference: Relevant Provisions as per the Companies Act 2013

Defining Internal Financial Controls (IFC as per the Companies Act 2013):
“Internal Financial Controls” has been defined in the Companies Act 2013, Section 134(5), to mean the policies and procedures adopted by the company for ensuring:
▪ The orderly and efficient conduct of its business
▪ The safeguarding of assets
▪ The prevention and detection of frauds and errors
▪ The accuracy and completeness of the accounting records
▪ The timely preparation of reliable financial information

Key Requirements as per the Companies Act 2013:
▪ Auditor’s report to comment upon adequacy of the internal financial controls system (design as well as operating effectiveness)
▪ Directors’ Responsibility Statement to state that the directors have laid down adequate internal financial controls and that such controls are operating effectively (Section 134(5)(e))
▪ The Independent Directors shall satisfy themselves on the integrity of financial information, and that financial controls and the systems of risk management are robust and defensible
▪ Board Report to include a statement indicating development and implementation of a risk management policy, including identification of risk elements (Section 134(3)(n))
▪ Audit Committee’s terms of reference to include evaluation of internal financial controls and risk management systems

Definition of Fraud as per the Companies Act 2013:
“Fraud” as defined under the new Companies Act includes any act of omission, concealment of any fact, abuse of position, or connivance with intent to injure the interests of the company, shareholders, creditors or any other person (a broad and all-encompassing definition with severe penal consequences for frauds).


Introduction to IFC & ICOFR / ICFR – The Companies Act 2013 and ICAI Guidance Note on ICOFR / ICFR:

Reference: Relevant Provisions as per ICAI Guidance Note on ICFR & PCAOB Standard

Internal Controls Over Financial Reporting (ICOFR / ICFR):
“Internal Controls Over Financial Reporting” shall mean “A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.” A company's internal control over financial reporting includes those policies and procedures that:
▪ Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company
▪ Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
▪ Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements

This definition of the term “Internal Controls Over Financial Reporting” has been reproduced from the Auditing Standard (AS) 5, An Audit of Internal Control Over Financial Reporting that Is Integrated with An Audit of Financial Statements, issued by the Public Company Accounting Oversight Board (PCAOB), USA.

In the Indian context, “Internal Control Components” of SA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment”, provides the necessary criteria for internal financial controls over financial reporting for companies.

As per the ICAI Guidance Note on ICFR – “a benchmark internal control system, based on suitable criteria, is essential to enable the management and auditors to assess and state adequacy of and compliance with the system of internal control”.

Note: Excerpts from the ICAI Guidance Note on Internal Controls Over Financial Reporting
Introduction to ICOFR – Typical Questions Around IFC and ICFR / ICOFR:

On the definition of IFC and ICOFR / ICFR
❑ Whether IFC and ICOFR / ICFR is exactly the same thing? – No
❑ Is ICOFR / ICFR defined in the Companies Act 2013? – No
❑ Is there a framework for both IFC and ICOFR / ICFR? – Yes

On the applicability of IFC and ICOFR / ICFR
❑ Whether IFC is applicable for Private Companies? – No
❑ Whether ICOFR / ICFR is applicable for All Private Companies? – No
❑ Whether separate ICOFR / ICFR documentation is required for separate Business Units / Factories etc. within one Legal Entity? – No
❑ Whether ICOFR / ICFR becomes applicable on a Foreign Holding company by virtue of its Indian Subsidiary Company? – No

On Auditors’ and Management reporting responsibilities on IFC and ICFR / ICOFR
❑ Whether the Auditor has to give an IFC opinion with reference to Financial Statements only? – Yes
❑ Whether the Management can delegate evaluation of IFC and ICFR / ICOFR to Internal Auditors / External Consultant? – Yes
❑ Whether Directors of Private Companies have to comment on effectiveness of ICFR / ICOFR in their report? – No
❑ Whether Directors of Private Companies have to comment on the adequacy of Risk Management Systems in their report? – No
Points to Remember – Key Considerations for IFC / ICFR Project:

▪ Understand the difference between IFC and ICFR / ICOFR
▪ Evaluate the legal entity & operating structures and assess the applicability accordingly
▪ Understand the applicable provisions / compliances, framework, guidance notes etc.
▪ Evaluate the specific Governance, Risk and Compliance requirements for IFC and ICFR / ICOFR
▪ Determine the objectives of the documentation / evaluation and extent of coverage
▪ Evaluate Management responsibilities & Auditor’s responsibilities & reporting requirements for IFC / ICOFR / ICFR
▪ Review the existing policies, procedures & systems in place – to avoid duplication of efforts and cut down on redundant documents
▪ Plan to integrate IFC / ICFR / ICOFR and Internal Audits – so far as the policies, procedures & internal controls are concerned
▪ Work out a customized plan for assessment of IFC / ICFR / ICOFR and testing of controls to ensure compliance to the applicable provisions and for discharging Management & Auditors’ responsibilities for IFC / ICFR / ICOFR
▪ Agree on the approach & methodology with the Statutory Auditors / External Auditors and leverage the Internal Audit testing procedures
▪ Use standard templates to address multiple requirements viz. ICAI Guidance note on ICFR, Internal Audit Program / work steps, Management Assessment of Internal Financial Controls and External Auditors’ assessment of Internal Financial Controls
▪ Optimize the cost of compliance – for Internal Audit and IFC / ICFR / ICOFR

Note: All the above points will get covered during project planning & for execution approach and methodology
2. Compliance Requirements for ICOFR / ICFR

A brief on legal and regulatory requirements for evaluation of Internal Financial Controls (IFC) / Internal Controls Over Financial Reporting (ICOFR / ICFR).
Snapshot of Legal & regulatory requirements for IFC / ICFR / ICOFR in India:

▪ IFC – Section 134 – Public Listed: In case of a listed company, the Directors’ Responsibility Statement states that the Directors have laid down IFC and that such controls are adequate and operating effectively.
▪ ICFR – Section 143 – All Companies*** with exceptions: The Auditors’ report should also state that the Company has an adequate Internal Financial Controls system with reference to Financial Statements** and also comment on the operating effectiveness of such controls.
▪ IFC – Section 177 – Public (Listed & Unlisted): Audit Committee to evaluate IFC & Risk Management Systems. The Audit Committee may call for comments from Auditors about internal control systems before submission to the Board, and may also discuss any related issues with Statutory / Internal Auditors or Management.
▪ ICFR – Schedule IV – Public (Listed & Unlisted): The Independent Directors must satisfy themselves on the integrity of financial information and ensure that the financial controls and risk management systems are robust and defensible.

Note: Rule 8(5)(viii) of the Companies (Accounts) Rules 2014 requires the Board of Directors (of All Companies) to report on the adequacy of Internal Financial Controls with reference to Financial Statements only (ICFR / ICOFR) – except for One Person Company or Small Company, as per Rule 8(6) of the Companies (Accounts) Rules 2018.

** MCA Notification dated 7th May 2018 – Rule 10A of the Companies (Audit and Auditors) Rules 2014 – ICOFR / ICFR only
*** Except for One Person Company or Small Company as per Companies (Amendment) Act 2017

Note: Exact applicability and extent of applicability of IFC / ICFR related provisions will have to be assessed for the particular legal entity.
Snapshot of Legal & regulatory requirements for IFC / ICFR / ICOFR in India:

Applicability matrix for the requirements on the previous slide. Company categories (columns): Public Listed; Public Unlisted with paid-up share capital >= INR 10 Cr; Public Unlisted with turnover >= INR 100 Cr; Public Unlisted with loans / borrowings in aggregate >= INR 50 Cr; OTHERS*.

1. Director’s Responsibility Statement (Section 134) – IFC: Public Listed only
2. Auditor Report (Section 143) – ICOFR / ICFR: Public Listed; Public Unlisted (all three thresholds); OTHERS*
3. Audit Committee (Section 177) – IFC: Public Listed; Public Unlisted (all three thresholds)
4. Independent Directors (Schedule IV) – ICOFR / ICFR: Public Listed; Public Unlisted (all three thresholds)
5. Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 – BOD report – Financial Statements only (ICFR) – ALL*: all categories, subject to the exemptions noted below

* Refer new guidance note by ICAI on IFC for smaller Companies
* MCA Notification dated 7th May 2018 – Rule 10A of the Companies (Audit and Auditors) Rules 2014 – ICOFR / ICFR only
* Except for One Person Company or Small Company as per Companies (Amendment) Act 2017 and Rule 8(6) of the Companies (Accounts) Rules 2018.

Note: Exact applicability and extent of applicability of IFC / ICFR related provisions will have to be assessed for the particular legal entity.
Some key notifications and exemptions for Auditors for IFC reporting:

MCA vide its notification dated 13th June 2017 provided exemption from Internal Financial Controls to the below-mentioned class of private companies, wherein Chapter X, clause (i) of sub-section (3) of section 143 shall not apply to a Private Company:
▪ Which is a One Person Company (OPC) or a Small Company, or
▪ Which has turnover less than rupees fifty crores as per the latest audited financial statement, or which has aggregate borrowings from banks or financial institutions or any body corporate at any point of time during the financial year less than rupees twenty five crore

Small Company, as defined under the Companies Act, 2013, means a company:
▪ Paid-up share capital of which does not exceed fifty lakh rupees or such higher amount as may be prescribed, which shall not be more than ten crore rupees; or
▪ Turnover of which as per the profit and loss account for the immediately preceding financial year does not exceed two crore rupees or such higher amount as may be prescribed, which shall not be more than one hundred crore rupees

Note: A Small Company is a Private Company, not a holding or Subsidiary Company, not a section 8 Company, and is not regulated by a special Act. Also, the above exemptions shall be applicable to a private company which has not committed a default in filing its financial statements under section 137 of the Companies Act 2013 or annual return under section 92 of CA 2013 with the Registrar.

Note on CFS: It would be sufficient if the Auditor expressed a true and fair opinion on the Consolidated Financial Statements (CFS) and reported on the relevant and significant matters concerning subsidiaries / associates requiring attention of shareholders, rather than the entire reporting requirements of Section 143(3) of the Act.

Note on Foreign Company: A foreign Company in which not less than 50 percent of the paid-up share capital (whether equity or preference or partly equity or partly preference) is held by one or more citizens of India or one or more companies / bodies corporate incorporated in India, whether singly or in aggregate, is required to comply with the provisions of the 2013 Act prescribed for the business carried on by it in India, as if it were a company incorporated in India.

Note: Exact applicability and extent of applicability of IFC / ICFR related provisions will have to be assessed for the particular legal entity.
3. Introduction to Risks & Controls

Understanding Risks & Controls as per SA 315 and the COSO definition of Internal Control.
Introduction to Risks and Controls – ICAI Guidance note on ICFR & Standards on Auditing:

Standard on Auditing (SA) 315 “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its
Environment” defines Internal Control as follows:
“The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.” (ICAI Guidance Note on ICFR)
Appendix I to SA 315 explains the five components of any internal control as they relate to a financial statement audit. The five components are:
1. Control environment
2. Entity’s risk assessment process
3. Control activities
4. Information system and communication
5. Monitoring of controls

Note: These are the same as those given in the COSO Framework for Internal Controls (given in subsequent slides). With reference to these:

SA 315 requires the auditor to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement
and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement and help the auditor to reduce the risks of material
misstatement to an acceptably low level

Risks relevant to reliable financial reporting include external and internal events, transactions or circumstances that may occur and adversely
affect an entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial
statements.

Risk & Controls and Risk of Material Misstatement are not a NEW thing – the Companies Act 2013 has just made these more important.
Introduction to Risks & Controls - Frequently used terms:

• Entity level
– Highest level(s) within the organization that dictate controls, sometimes referred to as control units. It is at this level that the COSO
entity-level assessment is conducted
• Process or activity level
– The various business cycles through which procedures are performed to execute transactions that eventually impact the financial
statements
• Risk
– The “what could go wrong” within a process. The inverse of risk is commonly referred to as the “control objective”
• Assertions
– Financial reporting objectives
• Key Controls
– The controls in which the most reliance is placed with respect to mitigating risk. Not every control is a key control and requires testing

COSO Definition: Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

COSO – The Committee of Sponsoring Organizations


Introduction to Risks & Controls – Illustrative Risk & Control Evaluation Template:

Risk & Control Matrix – columns:
▪ Sr. No. / Sub-Process
▪ Risk (“What Could go Wrong”) / Risk due to Fraud (Yes / No) / ROMM or Risk Ref. / Risk Classification
▪ Financial / Non-Financial (F / NF) / Key / Non-Key
▪ Assertions: Existence (B/S), Completeness (B/S and P&L), Rights / Obligations (B/S), Valuation (B/S), Occurrence (P&L), Allocation (P&L), Presentation / Disclosure (B/S and P&L)
▪ Control Ref. / “As-Is” Process to mitigate the risk / Associated Control Attributes to be Tested / IFC Component / Nature of Control
▪ Control Design Gap / Improvement Opportunity / Control Design Conclusion

Illustrative rows – Sub-Process 1: Compliance Identification and Applicability

Risk R.1.1: All applicable compliances not being identified by the Management, leading to unidentified compliances for determining applicability / for including in the compliance checklist. Risk due to Fraud: No. Risk Classification: HIGH (ROMM: Higher). NF; Key control. Control C.1.1 – “As-Is” process: to be evaluated at the time of control testing. Attributes to be tested: • Completeness of the Compliance Checklist? • Actual Compliance status reported to the Board of Directors? IFC Component: Policies and Procedures. Nature of Control: Preventive. Design gap / improvement opportunity: to be evaluated at the time of control testing. Design conclusion: to be evaluated.

Risk R.1.2: Recent amendments not being identified for including in the compliance checklist or not being communicated to the concerned personnel, leading to delay in ensuring compliance / non-compliance to the legal / regulatory / statutory requirements. Risk due to Fraud: No. Risk Classification: HIGH (ROMM: Higher). NF; Key control. Control C.1.2 – “As-Is” process: to be evaluated at the time of control testing. Attributes to be tested: • Completeness of the Compliance Checklist? • Actual Compliance status reported to the Board of Directors? IFC Component: Accuracy and completeness of Records. Nature of Control: Preventive. Design gap / improvement opportunity: to be evaluated at the time of control testing. Design conclusion: to be evaluated.

Control Testing Sheet (illustrative):
Organization: Super Systems India Pvt. Ltd. | Process Name: Legal & Secretarial | Control Owner(s): Shrawan Kumar

Columns: Type of Control / Frequency of Control / Anti Fraud Controls / IPE (Information Produced by the Entity) / Application System / Application Used / Control Executor / Control Reviewer / Sample size / Test results / Conclusion / Residual Risk Rating

▪ C.1.1: Manual; Monthly; Anti Fraud Control: Not Applicable; IPE: List of applicable Compliances; Application: MS Excel; Control Executor: To be Identified; Control Reviewer: To be Identified; Sample size: TBD; Test results: to be evaluated at the time of control testing; Conclusion: Effective; Residual Risk Rating: LOW (Operating Failures)
▪ C.1.2: Manual; Event Driven; Anti Fraud Control: Not Applicable; IPE: List of applicable Compliances; Application: MS Excel; Control Executor: To be Identified; Control Reviewer: To be Identified; Sample size: TBD; Test results: to be evaluated at the time of control testing; Conclusion: Effective; Residual Risk Rating: LOW

Design Gaps in the Process: Any design gaps in the process (e.g. list of applicable compliances not maintained for regular compliance and monitoring etc.)

Operating Inefficiency Noted: Non-compliances noted to any legal / regulatory / statutory compliances, and interest, penalties and fines paid during the audit period

Details of Sample Testing (each sample marked Complied / Not Complied / Not Applicable): Sr. No. | Particulars | one column per control reference: C.1.1, C.1.2, C.2.1, C.3.1, C.4.1, C.5.1

The above is illustrative only – Templates are designed keeping in view the ICAI guidance note on ICFR.
4. Using Internal Control Framework for Evaluations

A brief on the COSO framework for Internal Controls and using the framework for ICFR / IFC evaluations.
Internal Control Process and Framework supported with parameters for evaluation:

Define Objectives → Assess Risks → Evaluate Controls

COSO Internal Control Framework – components and the 17 principles (both IFC and ICFR are evaluated against this framework):

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

ICFR + Fraud + Operational Controls = IFC

Source: COSO Outreach Deck – The Committee of Sponsoring Organizations (COSO)


Using the COSO framework for Internal Control Evaluations:

Define Objectives → Assess Risks → Evaluate Controls

▪ Operations Objectives
  – Growth: Inability to grow the revenues or increase the market share
  – Geography: Inability to enter into new geography or inability to expand to profitable geography / region
▪ Reporting Objectives
  – Accounting: New ERP application does not provide accurate financial reports
  – Financial Reporting: Non-compliance to applicable Accounting Standards for Reporting
▪ Compliance Objectives
  – Fraud & Compliance: Inadequate measures for data protection leading to frauds / loss of Intellectual Property

• Clearly defined set of business objectives viz. Operational, Reporting and Compliance
• Risk based approach for identification and evaluation of Financial, Operational and Compliance Risks
• Standard framework for evaluation of Controls and for assessing the design & operating effectiveness of Internal Financial Controls, using the principles and points of focus for each parameter of the Framework.
5. Managing ICFR / ICOFR – An Integrated Approach

Brief comparison between the typical approach and a customized / hybrid approach for saving cost of compliance for IA and ICFR.
Typical Activities in IFC / ICFR Assessment – Illustrative:

Phase I – Design
▪ Identify Key Processes
▪ Identify Financial & Compliance Risks
▪ Perform Design Assessment & identify design gaps
▪ Documentation of Risks & Controls
Deliverables: Risk & Control Matrices; Process Flowcharts; Design Evaluation Report

Phase II – Testing
▪ Control Testing Sheets
▪ Sampling & Control Attributes for testing
▪ Exception Reporting Templates
▪ Meeting with Process owners & remediation plans
Deliverables: Control Testing Sheets; Control Exceptions / Failures

Phase III – Operating Effectiveness
▪ Workshop & Training to process owners for RCSA
▪ Risk & Control Self-Assessment (RCSA) by process owners
▪ Test of Operating Effectiveness of RCSA
▪ Remediation Plans
Deliverables: Control Exceptions / Failures; Report on Operating Effectiveness; Summary report for Management
Illustrative Approach (cutting down the cost of compliance for Internal Audit & ICFR evaluations):

Phase I – Integrating Internal Audit & ICFR Evaluations
▪ Review the documented Policies & Procedures vis-à-vis the existing processes
▪ Gap analysis / Design Assessment for IA / ICFR
▪ Assist in updating policies / creation of new policies & procedures
▪ Training on new policies & procedures

Phase II – Business Process Policies & Procedures Review / Internal Audit
▪ Review the existing DOA and IT Application Controls
▪ Carry out pilot internal audit / ICFR evaluation and check adherence level of policies & procedures
▪ Process improvements through Internal Audits
▪ Documentation for the ICFR evaluations

Phase III – ICFR / ICOFR
▪ Testing the ICFR documentation with sample data for all Areas
▪ Management Testing of ICFR
▪ Refreshing policies & procedures wherever required
▪ Training on ICFR self-assessment
▪ Control Testing Reports
▪ Integrated IA & ICFR going forward

We can come up with a customized approach to save cost of compliance for Internal Audit & IFC / ICFR / ICOFR – the above is an illustrative approach.
6. Execution Approach

Illustrative steps involved in the execution of Internal Control Evaluations for ICFR.
Internal Control Evaluation Methodology – Broad Overview:

Using a top down, risk-based approach will address the requirements of ICFR while maintaining efficiency throughout the organization and meeting the objective of evaluating internal controls over financial reporting:

Understanding the Business
▪ Understanding business functions & Org Structure and business operations
▪ Define scope of coverage and assessment
▪ Define control parameters for evaluation (using frameworks)
▪ Understand regulatory aspects

Evaluate Control Objectives
▪ Understand the existing policies & procedures
▪ Identifying the existing design of controls, as documented in the policies
▪ Understand applicability of the policies and defining control objectives for risk evaluation

Evaluating “As Is” Controls
▪ Evaluating the financial & compliance risks
▪ Understand the “As-is” controls implemented to address the compliance & financial risks
▪ Review the compliances for applicability & adequacy

Data Analytics
▪ Identify control objectives and KPIs for evaluation
▪ Build Hypothesis for analytics
▪ Prepare data for analysis and perform the analysis against the objectives and Hypothesis
▪ Validate the Findings and plan for substantive testing of the controls

Test of Controls
▪ Identify gaps in the existing design of controls / improvement opportunities / non-compliances
▪ Substantive testing on the issues identified through data analytics to evaluate operating effectiveness of the controls & compliance to control objectives

Reporting Improvement Opportunities
▪ Root cause analysis for control exceptions
▪ Exception reporting and recommendations for improvement to the existing controls
▪ Agreeing action plan with the management to address the design & operating inefficiencies for the controls
▪ Executive Summary

Phase I – Design | Phase II – Testing | Phase III – Operating Effectiveness

There will be some overlap in the three phases; however, the work of each phase will be leveraged for the next phase to avoid any duplication of effort.
Evaluating Internal Controls – Procedural Overview:

Process Understanding
▪ Carrying out discussion on in-scope processes
▪ Understanding the KPIs of the business processes to evaluate risks
▪ Walkthrough of the processes to understand the process and design

Design Review
▪ Assessing the design for inadequacies (noted during walkthrough)
▪ Understanding the existing policies & delegations defined
▪ Evaluate policy / DOA non-compliance risks
▪ Evaluate DOA for comprehensiveness

Defining Objectives
▪ Identify control objectives and KPIs for evaluation
▪ Identify performance objectives to evaluate efficiency and effectiveness of the processes
▪ Define control objectives for data analytics and performance analytics

Data Review
▪ Gathering the population data & performing ledger scrutiny & analysis
▪ Build Hypothesis for analytics, prepare data for analysis and perform the analysis against the objectives and Hypothesis

Sample Testing
▪ Identifying the samples for test of controls and for checking compliance to the existing policies and procedures (also covering compliance to the law)
▪ Validate the findings, perform substantive testing, identify control failures and operating inefficiencies

Exception Reporting
▪ Reporting exceptions / control gaps and improvement opportunities, and gaps in the underlying documents for samples identified
▪ Preparing executive summary and report for the stakeholders for action plans and timelines for implementation of action plans

Risk coverage while executing the above-mentioned steps: Operational | Reporting | Compliance | Technology

The above-mentioned risk categories will be covered within the ambit of defined policies and procedures.

Using a standard framework and customized approach to meet the objectives.
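The Sample Testing and Exception Reporting steps above, worked through for one control as an added example that is not part of the approach note: the ERP access-provisioning control referred to in the annexure (access to users is provided by IT on the basis of approval). The user-rights export, approval register, dates, the conclusion rule and the self-approval attribute are all constructed or assumed here.

```python
"""Test of operating effectiveness for an ERP access-provisioning control.

Constructed illustration: every sampled access grant is attribute-tested
against the approval register and the outcome is summarised in the columns
of the Control Testing Sheet (sample size, test results, conclusion).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class AccessGrant:
    """One row of a (constructed) ERP user-rights export."""
    user: str
    department: str
    erp_role: str
    granted_on: date
    approval_ref: Optional[str]  # ticket cited by IT when granting access


@dataclass
class Approval:
    """One row of a (constructed) access-approval register."""
    ref: str
    user: str
    approved_role: str
    approver: str
    approved_on: date


@dataclass
class ControlTestResult:
    sample_size: int
    exceptions: list[str] = field(default_factory=list)

    @property
    def conclusion(self) -> str:
        # Assumed conclusion rule: any attribute failure in the sample means
        # the control is concluded as "Not Effective".
        return "Effective" if not self.exceptions else "Not Effective"


def evaluate_access_control(grants: list[AccessGrant],
                            approvals: list[Approval]) -> ControlTestResult:
    """Attribute-test each sampled grant against the approval register."""
    by_ref = {a.ref: a for a in approvals}
    result = ControlTestResult(sample_size=len(grants))
    for g in grants:
        approval = by_ref.get(g.approval_ref) if g.approval_ref else None
        # Attribute 1: an approval exists on record and names this user.
        if approval is None or approval.user != g.user:
            result.exceptions.append(
                f"{g.user}: no approval on record for access granted {g.granted_on}")
            continue
        # Attribute 2: the role granted is the role that was approved.
        if approval.approved_role != g.erp_role:
            result.exceptions.append(
                f"{g.user}: approved {approval.approved_role} but granted {g.erp_role}")
        # Attribute 3: approval was obtained before access was granted.
        if approval.approved_on > g.granted_on:
            result.exceptions.append(
                f"{g.user}: granted {g.granted_on} before approval on {approval.approved_on}")
        # Attribute 4 (assumed attribute): a user must not approve own access.
        if approval.approver == g.user:
            result.exceptions.append(f"{g.user}: self-approved request {approval.ref}")
    return result


def to_testing_sheet_row(result: ControlTestResult) -> dict[str, str]:
    """Render the outcome in the columns of the control testing sheet."""
    return {
        "Sample size": str(result.sample_size),
        "Test results": f"{len(result.exceptions)} exception(s) noted",
        "Conclusion": result.conclusion,
    }


# Constructed sample population: five grants, four approvals.
SAMPLE_GRANTS = [
    AccessGrant("user01", "Finance & Accounts", "AP_CLERK", date(2023, 4, 10), "REQ-101"),
    AccessGrant("user02", "Finance & Accounts", "GL_POSTING", date(2023, 5, 2), "REQ-102"),
    AccessGrant("user03", "Procurement", "PO_RELEASE", date(2023, 5, 15), None),
    AccessGrant("user04", "IT", "SYS_ADMIN", date(2023, 6, 1), "REQ-104"),
    AccessGrant("user05", "Sales", "SO_ENTRY", date(2023, 6, 3), "REQ-105"),
]
SAMPLE_APPROVALS = [
    Approval("REQ-101", "user01", "AP_CLERK", "cfo", date(2023, 4, 8)),
    Approval("REQ-102", "user02", "GL_VIEW", "cfo", date(2023, 4, 30)),        # role mismatch
    Approval("REQ-104", "user04", "SYS_ADMIN", "user04", date(2023, 5, 30)),   # self-approval
    Approval("REQ-105", "user05", "SO_ENTRY", "sales_head", date(2023, 6, 5)), # after grant
]


def run_example() -> ControlTestResult:
    return evaluate_access_control(SAMPLE_GRANTS, SAMPLE_APPROVALS)


if __name__ == "__main__":
    res = run_example()
    for line in res.exceptions:
        print("Exception:", line)
    print(to_testing_sheet_row(res))
```

Of the five sampled grants only user01 passes every attribute, so the sheet row reads four exceptions and "Not Effective"; a reviewer would then carry the four exceptions into the exception report with the residual risk rating.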


7. Illustrative Project Plan for ICFR / ICOFR

Illustrative project plan covering various stages involved in building the ICFR framework.

Illustrative Project plan for ICFR Development & Assessment:

Planning → Execution → Reporting

The plan is customized on the basis of specific expectations from the Client.


8. Illustrative Deliverables for ICOFR / ICFR

Illustrative Deliverables relating to ICFR evaluations / assessments.
Illustrative Deliverables for ICFR documentation:

Illustrative Deliverables:

Process Universe for ICFR evaluation – Business Process cycles for ICFR evaluation (Sr. No. / Area for ICFR Assessment):
1. Treasury, Finance & Accounts
2. Fixed Asset Management
3. Sales, Commercial & Revenue
4. Procurement and Inventory Management
5. HR, Labour and Payroll
6. Financial Statement Closure Process (FSCP)
7. Legal & Secretarial
8. Information Technology General Controls (ITGC) – linked to individual processes
9. Entity Level Controls – linked to individual processes

Trial Balance / Account Mapping (Account Particulars as per B/S and P/L | Reference to Trial Balance | GL Accounts Linked / Tagging | Corresponding Business Process):

Shareholder's Funds:
▪ Share Capital | Balance Sheet | Linked GL Accounts | Treasury, Finance & Accounts + Legal & Secretarial
▪ Share Application Money Pending Allotment | Balance Sheet | Linked GL Accounts | Treasury, Finance & Accounts + Legal & Secretarial

Loan Funds:
▪ Secured Loans | Balance Sheet | Linked GL Accounts | Treasury, Finance & Accounts + Legal & Secretarial
▪ Unsecured Loans | Balance Sheet | Linked GL Accounts | Treasury, Finance & Accounts + Legal & Secretarial

Application of Funds:
▪ Fixed Assets – Gross Block as per EL | Balance Sheet | Fixed Asset Management
▪ Less: Accumulated Depreciation | Balance Sheet | Fixed Asset Management
▪ Net Block | Balance Sheet | Fixed Asset Management
▪ Capital Work-in-Progress including Capital Advances | Balance Sheet | Fixed Asset Management + Treasury, Finance & Accounts
▪ Deferred Tax Asset | Balance Sheet | Treasury, Finance & Accounts
▪ Current Assets, Loans and Advances | Balance Sheet

Notes:
▪ The above coverage is done on the basis of the previous year Trial Balance and signed Financial Statements shared by the Burda Finance Team – for the purpose of creating templates
▪ The above coverage is for the purpose of management assessment & evaluation of Internal Controls Over Financial Reporting (ICFR) as per the guidance note issued by the ICAI in this regard
▪ It is the management responsibility to ensure compliance to the requirements of the Companies Act 2013

Illustrative Deliverables:
• COSO Control Objectives linked to Risks
• Flow Charts / Process Narratives
• Risk Registers / Control Testing Sheets
• Risk & Control Attributes for testing & control Evaluation
• ELC assessment template & deficiency / exception summary
• Templates

ELC assessment template (illustrative):

# | ELC Attribute | Area | Point of Focus / Control Objective | Test Procedures | Documentation Reference | Does this control exist? | COSO Principle
1 | Entity-Wide Objectives | Board Procedures & Governance | Board has established a Delegation of Authority for carrying out various transactions and such delegation is approved by the Board. The DOA also considers matters which explicitly require an approval by the BOD as per the requirements of the Companies Act 2013 | Obtain a copy of the org structure and Board minutes to review the thresholds and approvals required for key business activities and transactions. Discuss with the Management personnel if the documented delegations are followed for executing transactions | 1)- Copy of Organization Chart 2)- Copy of Board Minutes | Yes | Principle 3 (Management / Authorized Representatives establish, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives)
2 | Entity-Wide Objectives | Board Procedures & Governance | Composition of Board of Directors is as per the regulatory requirements | Obtain a copy of the org structure and Board minutes to review the thresholds and approvals required for key business activities and transactions. Discuss the Board minutes with the Company Secretary / Management Personnel and seek clarification if all key items appearing in the TB are mapped to approvals as per the regulatory requirements | 1)- Copy of Organization Chart 2)- Copy of Board Minutes 3)- List of matters requiring Board approval 4)- Copy of Final Trial Balance (TB) | Yes | Principle 3
3 | Entity-Wide Objectives | Board Procedures & Governance | The Board of directors of the company establishes the reporting lines and constitutes sub-committees (as per the requirements of the Companies Act 2013) for the board governance and oversight | Obtain a list of board sub-committees and details of the composition of those committees. Examine whether sub-committee composition and reporting was approved by the Board of Directors. Examine whether the Board maintains oversight on the sub-committees and oversight is also maintained on other committees | 1)- List of various sub-committees 2)- ICC (Internal Complaints Committee) 3)- Board committee charter / terms of reference (if applicable / if any) | Yes | Principle 2

ELC Areas / Activities for Coverage with sample improvement opportunities (illustrative):

ELC Area / Activity | # | Sample Improvement Opportunities
Board Procedures & Governance | 1 | There is no comprehensive Delegation of Authority matrix (DOA) for key business activities; covering various types of transactions and having documented board approval for all key delegations
Business Planning and Budgeting | 2 | Budgets are not reviewed and approved by the Board and there is no process to formalize and approve the CAPEX budgets. Also, there is no formalized process of communicating the Budget changes to the Board and seeking approvals for any deviations from the specific defined Budgets and no process for review / approval of un-budgeted expenditure by the Board of Directors
HR Policies & Procedures | 3 | There is no documented Code of Conduct and there are no policies formalized for HR (except for Leave policy & travel reimbursement policy) and no documented delegation of Authority for approval of expenses. General HR practices are adopted by the Company, without any formal communication regarding the same to the employees. Further, the travel policy is not formally approved by the Management
HR Policies & Procedures | 4 | No process defined for creating and maintaining awareness and educating employees about the code of conduct and related policies

Risk Register template (illustrative, ERP Administration sub-process):

Sr. No. | Sub-Process | Risk ("What Could go Wrong") | Risk Ref | Risk Classification | "As-Is" Process to mitigate the risk | Existing / New? | Control Owner | Controls operating effectively?
1 | ERP Administration | Absence of approval mechanism / procedures to provide access to ERP users, leading to unauthorized changes to the ERP configurations / set-ups etc. | R.1.1 | HIGH | As is process to mitigate the Risk: Currently there is no documented policy / procedure for providing access to ERP users. Configuration level changes in the ERP system are governed by the Functional Requirement Document (FRD). Controls: Access to ERP/system is controlled by the IT team and access to users is provided by AM - IT on the basis of approval from the respective HOD, IT Head and Financial Advisor. Any changes to the ERP configurations are done by the third party ERP support / implementation service provider / partner and same are reviewed by Financial Advisor and IT Head. User roles in ERP system are reviewed by the Group Team in Germany | Existing | CEO / CFO | Partially Effective
2 | ERP Administration | Incorrect global data / dimension settings may impact the integrity of the financial information or Unauthorized organizational data additions or changes can also result into inappropriate transaction processing and inaccurate financial statement data | R.1.2 | HIGH | As is process to mitigate the Risk: Currently there is no documented policy / procedure for making changes to the ERP systems. Configuration level changes in the ERP system are governed by the Functional Requirement Document (FRD). Process Controls: Configuration settings are done as per the blue print / Functional Requirement Document (FRD). Any changes to the ERP configurations are done by the third party ERP service provider and same are reviewed by Financial Advisor and IT Head. ERP level changes are monitored by the Group Team in Germany | Existing | CEO / CFO | Partially Effective

Control Testing Sheet (illustrative, ERP user access):

Sr. No. | User Name / Item | Department | ERP | Rights | Attributes for C.1.1 | Attributes for C.1.2
1 | Manish Singhal | Finance & Accounts | SAP / NAVISION | Assigned as per Role | Yes | Yes
2 | Sheelu Maurya | Stores & Inventory | SAP / NAVISION | | Yes |
3 | Configuration Changes for GST | | NAVISION | | Yes |
4 | Work Flow in ERP | | NAVISION | | Yes | Yes

Illustrative Deliverables (Reporting & Monitoring Related):
• Design Gap Assessment Report
• Control Testing Results & Exception Reports
• Summary Reports for Management
• Audit Committee / Board Presentation

29
Illustrative Policies &
Procedures
9
Illustrative policies & procedures for strengthening
Entity Level Controls and for standardizing the
business processes

30
Illustrative Policy & Procedure Documents:
• Risk & Control Self Assessment Manual
• Procurement
• Risk Management
Too Many or Too Few – Policies contribute to the Culture of an Organization

31


Annexure : Illustrative Reports
& Documentation
10
A quick glance at some of the key deliverables in a
simple Internal Audit solution and you can always
work on industry / client specific solutions

32
Illustrative Documents – “Fit to Order / Tailor Made” solutions and quality documentation

Illustrative Deliverables:
• Risk Classification schema
• Internal Control Environment
• Project Plan and Timelines
• List of Control Objectives for IA
• List of Business Objectives for IA

Business process universe (illustrative):
Core Process: Product Design; Manufacturing Resource Planning; Sourcing of Materials & Services; Production of Goods; Storage of Inventory; Sale of Goods; Transport of Goods
Business Planning (Corporate Plan / Head Office; Controlled at Plant / Business Unit): Plant / Production Plan; R&D Plan; Sales & Operations Planning; Material Requirement Planning; Capacity Planning
Support Processes: Human Resource Management & Administration; Information Technology; Financial Management and Asset Management; Environment Health and Safety Management programs; Legal Secretarial and Compliance; Change Management

Control Objectives for IA (illustrative):

S.No. | Control Objective | Analysis to be performed | Files to be used
1 | Population data provided should be valid, accurate and complete and relevant for the audit period | • Completeness, validity and accuracy of the population data received (for the audit period) • Testing the balances for validity and accuracy from the TB and Vendor Trial and establishing the completeness of the population data from SAP / received from the client • Scrutiny of the Trial balance, vendor trial and expense ledger dump | • Previous period Signed TB / Financial Statements • Vendor Trial for previous period and current period • Expense ledger dumps for the current audit period
2 | Payments should be authorized as per the SOA / DOA and there should be no fraudulent payments being routed through the expense GL Accounts | • DOA approved by the Board / Authority is mapped in the SAP system • Transactions are approved as per the DOA mapped in SAP and there are no transactions to bypass the approval process • Fraudulent payments are not routed through the expense ledgers • All expense entries are supported with valid narration and are posted using the correct document type in SAP | • DOA / SOA Matrix as approved by the Board / Auth. • DOA / SOA Matrix as mapped in the SAP System • Duplicate invoice report • AP Expense trackers from departments • GL Dumps for expenses / invoices • List of document types in SAP
3 | Similar services / goods should ideally be procured at similar / nearby rates and any spikes in the rates / cost should be exceptionally approved by the management and should have a valid business case scenario | • PO rate comparisons • PO vs. Non-PO rate comparisons • Approval of increase in the rates / cost • Ledger scrutiny to check on the narrations in the PO and non-PO cases (separately) | • Expense Ledger Dump • Purchase Order Dump
4 | Related party transactions should be approved as per the policy on RPT and employees having any financial interest in the transactions should disclose the same as per the Code of Conduct | • Employee master and vendor master comparison • Vendor master and employee master comparison • Ledger scrutiny to check employee names in the narration text • Checking the potential cases for company master data as per MCA • Approval as per DOA and as per policy on related party transactions | • Vendor Master dump • Employee master dump • MCA Check screenshot

Purchase Requisition analyses (illustrative):

S No | Module | Process | Sub-Process | Analysis | Control Objective
1 | MM | Purchase to Pay | Purchase Requisition (PR) | Splitting of PR's. | Circumvention of threshold limits
2 | MM | Purchase to Pay | Purchase Requisition (PR) | PR item wise quantity requisitioned covered by existing stock on hand quantity. | Wasteful indenting
3 | MM | Purchase to Pay | Purchase Requisition (PR) | Open PR Aging Report. Evaluation of the business need for the PR. | Red-flag testing of fictitious requisitioning.
4 | MM | Purchase to Pay | Purchase Requisition (PR) | Requisitioning of obsolete or prohibited items. | Wasteful indenting
5 | MM | Purchase to Pay | Purchase Requisition (PR) | Multiple amendments to PR by same user. | Red-flag testing of preferential requisitioning.
6 | MM | Purchase to Pay | Purchase Requisition (PR) | PR item wise value to user approval limit testing. | Unauthorized requisitioning

Illustrative Deliverables:
• Control Objectives linked to Risks
• Test Plans to check compliance to policies
• Test plans to evaluate efficiency of processes / operations
• Integration approach for various controls to be tested under IA, IFC / ICFR

HR control objectives linked to risks (illustrative):

S.No | Sub Area | Control Objective | Risk
1 | HR policies and controls | 1. Monthly payroll is appropriately authorized. 2. Manual payroll check is appropriately authorized. 3. Payroll-related payments are appropriately authorized. | Unauthorized/Un-approved policies may lead to unauthorized/excess payroll cost to the company; Unauthorized payments to the payroll vendor
2 | HR Policies and Procedures | HR related policies and procedures are duly authorized / approved and reviewed on periodic basis | Lack of strategic consent from the board (or Authority as per DOA) leading to inappropriate design of controls for executing transactions and weak policy governance mechanism
3 | Employee Entitlement Management information | Appropriate segregation of Duties to avoid conflict of interest. To ensure authorized changes in employee master | Absence of SOD for updating employee master and payroll processing may result into unauthorized/excess payments to employee

Key Business Risks (illustrative; slide columns: Stakeholder | Key Business Risk | Operational Risk Grouping | Sub Risk Group | Impact | Likelihood | Management's Planned Actions):

Stakeholder MW:
• Inadequate mitigation of exchange risk – limited hedging
• Aggressive market share related strategy from Amadeus (Bird Group) – impact from shift of a single large customer
• Outsourcing risk – primarily with respect to performance and training for the helpdesk
• Inadequate control over tracking of company’s assets with agents
• Staff not adequately trained to tap into sales especially through newer distribution channels
• Attrition, especially key personnel

Risk groupings: Risk Group 1 (Category 1); Risk Group 2 (Category 2); Category 3

Management's Planned Actions: Key Business Risk 1 Monitor; 2 Monitor; 3 Monitor; 4 Improve; 5 Monitor; 6 Monitor; 7 Improve; 8 Monitor; 9 Monitor; 10 Monitor

Purchase Order analyses with SAP input tables (illustrative):

S No | Module | Process | Sub-Process | Analysis | Control Objective | SAP Input Table/s | Project
11 | MM | Purchase to Pay | Purchase Order (PO) | Splitting of PO's. | Circumvention of threshold limits | EKKO - Purchase Order Header Detail; EKPO - Purchase Order Line Item Detail | ZME2N
13 | MM | Purchase to Pay | Purchase Order (PO) | Single vendor ordering Group wise | Low negotiation position and possible going concern threat if stock-out. | EKKO - Purchase Order Header Detail; EKPO - Purchase Order Line Item Detail | ZME2N
13 | MM | Purchase to Pay | Purchase Order (PO) | Single vendor ordering Value Wise | Low negotiation position and possible going concern threat if stock-out. | EKKO - Purchase Order Header Detail; EKPO - Purchase Order Line Item Detail | ZME2N
14 | MM | Purchase to Pay | Purchase Order (PO) | Multiple orders raised for 'C Class' items instead of standing orders. | Value-analysis of standing order costs vis-à-vis distributed orders. | EKKO - Purchase Order Header Detail; EKPO - Purchase Order Line Item Detail | ZME2N
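The purchase-order analyses above (splitting of PO's to circumvent threshold limits) and the vendor master vs employee master comparison from the control objectives can be run as simple scripts over ERP extracts. The following is an added example, not part of the original deck or of any client's tooling: the record layout mimics a few fields of the SAP EKKO / EKPO tables named on the slide, but the chosen field subset, the sample rows, the approval threshold and the three-day window are all assumptions for illustration.

```python
"""Audit analytics over constructed ERP extracts (added example, not from the deck).

Record layouts mimic a handful of fields from the SAP tables named on the slide
(EKKO = PO header, EKPO = PO line item); the field subset, sample values,
approval threshold and date window are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import date

# Constructed EKKO-like header rows: EBELN = PO number, LIFNR = vendor,
# ERNAM = user who created the PO, AEDAT = creation date.
EKKO = [
    {"EBELN": "4500000101", "LIFNR": "V001", "ERNAM": "USER_A", "AEDAT": date(2023, 4, 3)},
    {"EBELN": "4500000102", "LIFNR": "V001", "ERNAM": "USER_A", "AEDAT": date(2023, 4, 3)},
    {"EBELN": "4500000103", "LIFNR": "V001", "ERNAM": "USER_A", "AEDAT": date(2023, 4, 4)},
    {"EBELN": "4500000104", "LIFNR": "V002", "ERNAM": "USER_B", "AEDAT": date(2023, 4, 10)},
    {"EBELN": "4500000105", "LIFNR": "V003", "ERNAM": "USER_B", "AEDAT": date(2023, 5, 2)},
]
# Constructed EKPO-like line items: EBELP = item number, NETWR = net order value.
EKPO = [
    {"EBELN": "4500000101", "EBELP": "00010", "NETWR": 48000.0},
    {"EBELN": "4500000102", "EBELP": "00010", "NETWR": 45000.0},
    {"EBELN": "4500000103", "EBELP": "00010", "NETWR": 30000.0},
    {"EBELN": "4500000103", "EBELP": "00020", "NETWR": 17000.0},
    {"EBELN": "4500000104", "EBELP": "00010", "NETWR": 120000.0},
    {"EBELN": "4500000105", "EBELP": "00010", "NETWR": 9000.0},
]
# Constructed vendor and employee master extracts for the related-party check.
VENDOR_MASTER = [
    {"LIFNR": "V001", "NAME": "Acme Supplies", "BANK": "IBAN-AAA"},
    {"LIFNR": "V002", "NAME": "R Sharma", "BANK": "IBAN-BBB"},
    {"LIFNR": "V003", "NAME": "Delta Tools", "BANK": "IBAN-CCC"},
]
EMPLOYEE_MASTER = [
    {"PERNR": "E100", "NAME": "r sharma", "BANK": "IBAN-BBB"},
    {"PERNR": "E101", "NAME": "P Verma", "BANK": "IBAN-DDD"},
]

APPROVAL_THRESHOLD = 50000.0  # assumed DOA limit; above it a higher approver is required
SPLIT_WINDOW_DAYS = 3         # assumed window in which consecutive small POs look like a split


def po_values(ekpo):
    """Total net value per PO, summed over its EKPO line items."""
    totals = defaultdict(float)
    for row in ekpo:
        totals[row["EBELN"]] += row["NETWR"]
    return dict(totals)


def split_po_candidates(ekko, ekpo, threshold=APPROVAL_THRESHOLD, window_days=SPLIT_WINDOW_DAYS):
    """'Splitting of PO's / circumvention of threshold limits' analysis.

    Flags POs from the same vendor and the same creator, raised within
    window_days of each other, that each stay below the approval threshold
    but together reach it. One finding per vendor/creator pair is reported.
    """
    totals = po_values(ekpo)
    by_key = defaultdict(list)
    for header in ekko:
        by_key[(header["LIFNR"], header["ERNAM"])].append(header)
    findings = []
    for (vendor, creator), headers in by_key.items():
        headers.sort(key=lambda h: h["AEDAT"])
        for i, first in enumerate(headers):
            group = [first] + [h for h in headers[i + 1:]
                               if (h["AEDAT"] - first["AEDAT"]).days <= window_days]
            values = [totals.get(h["EBELN"], 0.0) for h in group]
            if len(group) >= 2 and all(v < threshold for v in values) and sum(values) >= threshold:
                findings.append({"vendor": vendor, "creator": creator,
                                 "pos": [h["EBELN"] for h in group], "total": sum(values)})
                break
    return findings


def vendor_employee_matches(vendors, employees):
    """Related-party check: vendors sharing a bank account or a name with an employee."""
    emp_by_bank = {e["BANK"]: e["PERNR"] for e in employees}
    emp_by_name = {e["NAME"].casefold(): e["PERNR"] for e in employees}
    matches = []
    for v in vendors:
        pernr = emp_by_bank.get(v["BANK"]) or emp_by_name.get(v["NAME"].casefold())
        if pernr:
            matches.append((v["LIFNR"], pernr))
    return matches


if __name__ == "__main__":
    for finding in split_po_candidates(EKKO, EKPO):
        print("possible split PO:", finding)
    for lifnr, pernr in vendor_employee_matches(VENDOR_MASTER, EMPLOYEE_MASTER):
        print("vendor/employee match:", lifnr, pernr)
```

Each hit is a review candidate, not a conclusion: the auditor still pulls the PO approval trail and the vendor onboarding file before classifying it as a threshold circumvention or an undisclosed related party, which is why the functions return the grouping evidence rather than a verdict.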

Illustrative Deliverables (Reporting & Monitoring Related):
• Risk Based Hypothesis for testing
• Scorecards / Trends for Business Performance
• Control Analytics Dashboards
• Presentation to Audit Committee
• Board Reporting Pack on Governance, Risk & Compliance

Note: The above documentation is for an Integrated solution for Risk Management, Internal Audit & ICOFR

33
Contact Details for Guidance,
Networking and Knowledge
Sharing
Feel free to write in through email or connect over
LinkedIn or reach out to us over the telephone – just in
case you need guidance or further details on the topic

34
Contact Us:

+91-98180-30666

https://www.youtube.com/c/derisk
https://www.linkedin.com/in/de-risk
THANK YOU
