As per Sec 143 (3) (i) of The Companies Act, 2013, the Statutory Auditor has to certify whether the company has adequate internal financial controls systems in place and also comment on the operating effectiveness of such controls.
Hitherto, the auditor was commenting that his audit procedures were based on risk assessments made including his assessment of internal control relevant to Company's preparation and fair presentation of Financial Statements. But he does not give any opinion on the same and this disclaimer is expressly stated so in the audit report. No longer is such a disclaimer possible!!
Even in CARO, the auditor was commenting on the internal control systems for purchase of inventory, fixed assets and sale of goods and services alone.
It was restricted to specific areas and not generic / related to financial reporting process as a whole.
The Directors' Responsibility Statement also, u/s 134 (5) (e), requires the Directors to give their assurance on the adequacy of internal financial controls. But then, this stipulation is only for listed companies whereas the auditor has to give his opinion on listed, unlisted public and also private companies! Audit Committee is also required to review this aspect but then, again, audit committee is not mandatory for every class of company.
What is meant by “Internal Financial Controls”?
These are controls that give comfort on the following aspects:
- policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business
- adherence to company's policies
- the safeguarding of its assets
- accuracy and completeness of the accounting records
- timely preparation of reliable financial information
The Internal Controls over Financial Reporting may be classified as controls at the
- Entity Level;
- Transaction Level and also
- IT General Controls.
Entity level controls generally are “top” controls which can impact all related operational controls under it. On a positive side, even if the transaction level control does not operate effectively, an entity level control can still 'cap' the risk from affecting the financial reporting. In the same way, ineffective entity level controls can spell disaster for the operating controls that underlie such entity level controls.
For documenting the transaction level controls, it would be good to approach from identification of important accounts in the trial balance and then identifying the processes that affect the recording of transaction in these accounts. Thereafter a risk assessment with control mapping needs to be done. Once this effort is done, then the controls can be tested, say in internal audit, and effectiveness concluded upon.
IT Controls refer to security of data (confidentiality, integrity and availability) and help in efficient processing and reporting requirement. IT Controls reduce manual level controls and thereby eliminate the vicissitudes of human error.
The auditor has to evaluate the design effectiveness as well as the operational effectiveness of controls. In the design effectiveness stage, the focus is on risk identification and also controls that exist to mitigate such risks.
Operational effectiveness stage focuses on the testing of the above controls to ensure they are operating effectively throughout the period under audit.
The issue on hand: The above is very similar to the SOX Framework etc that exists in the USA nowadays and applicable to US based companies wherever they operate. These companies have a separate team for SOX Testing (either in-house or outsourced) apart from regular internal audit teams. Will this situation lend itself in Indian scenario?
Conclusion: The challenges are primarily to educate the management on the requirements of not only having proper internal control frameworks but also a mechanism to properly demonstrate the documentation (2) regular update of processes (3) regular design effectiveness testing (4) making internal audit risk-based and focused on testing operating effectiveness of controls apart from traditional objectives.
The downside of not having visibility on the above requirements may force the statutory auditors into not giving a clean chit. The Institute of Chartered Accountants of India should also devise suitable guidance and approach for various practical scenarios and organise awareness programmes for the Members in Industry in particular.
CA. Mahesh Krishnan