Internal Financial Controls-IfCOR

Uploaded by

Govind Paliwal

Internal Controls Over Financial Reporting (ICOFR)

Talk to us!
www.anbglobal.com [email protected] [email protected]
Early History of Auditing : INDIA
• Vishnugupta Kautilya, better known as Chanakya, first introduced the concept of auditing in his book Arthaniti.
• Birbal, a great auditor for Emperor Akbar, gave him facts and solutions on several complex matters with desired evidence.

requirements
Companies Act 1956
• does not expressly state the requirement of internal audit
• but has parked it in the Companies (Auditor’s Report) Order, 2003 (CARO), which also has a specific requirement to comment on internal control.

Companies Act 2013
• under section 138 has an expressly stated appointment of internal auditor for better internal control and corporate governance.

Further, the Companies Act 2013 also requires the below mentioned stakeholders to comment on the adequacy of internal control of the organization:

Auditors
• Section 143(3): The auditor’s report shall state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

Directors
• Section 134(5)(e) of the 2013 Act requires the directors’ responsibility statement of listed companies to specifically assert on the adequacy and operating effectiveness of internal financial controls.

Audit Committee
• Section 177(4): Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls and risk management systems.

Independent Directors
• Section 149(8): Code for Independent Directors has as one of its Roles and Functions that the independent directors shall satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.

scope and responsibility
Scope:
• Listed companies – Adequacy and operating effectiveness of internal financial controls
• Unlisted companies – Adequacy of internal controls over financial reporting

Board
Responsibilities:
• Lay down adequate and effective internal financial control and include in Directors’ responsibility statement
• Independent Directors to satisfy themselves on the strength of financial controls

Audit Committee
Responsibilities:
• Evaluate internal financial control system
• Review Auditor’s comment / observation on internal financial controls before submission to Board
• Discuss issue with management or internal/statutory auditors
• Investigate and seek external professional advice

Auditor
Responsibilities:
• Report on adequacy and operating effectiveness of internal financial controls system over financial reporting

introduction
ICOFR means any control which helps in:
• Ensuring the orderly and efficient conduct of its business
• Including adherence to company’s policies
• Safeguarding of its assets
• Prevention and detection of frauds and errors
• Accuracy and completeness of the accounting records
• Timely preparation of reliable financial information

CARO v/s IFC
• The scope for reporting on internal financial controls is significantly larger and wider than the reporting on internal controls under the Companies (Auditor’s Report) Order, 2015 (“CARO”).

• Under CARO, the reporting on internal controls
– Is limited to the adequacy of controls over purchase of inventory and fixed assets and sale of goods and services.
– Does not require reporting on all controls relating to financial reporting and
– Does not require reporting on the “adequacy and operating effectiveness” of such controls.
• Ref: Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
© The Institute of Chartered Accountants of India Guidelines

Internal control v/s. Internal Financial Control
Columns: Definition components; Per Standards of Auditing 315 - Internal control by ICAI; Per explanation to Sec 134(5)(e) - Internal financial control in Companies Act 2013
1. Reliability of financial reporting X
1A. Accuracy and completeness of accounting records and timely preparation of reliable financial information X
2. Effectiveness and efficiency of operations X
2A. Orderly and efficient conduct of business including adherence to company’s policies X
3. Safeguarding of assets X X
4. Compliance with applicable laws and regulations X
5. Prevention and detection of frauds and errors X

reporting

• Reporting on internal financial controls over financial reporting will not be applicable with respect to interim financial statements, such as quarterly or half-yearly financial statements, unless such reporting is required under any other law or regulation.

Ref: Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
© The Institute of Chartered Accountants of India

reporting
• The auditor, while commenting on the clause, makes an assessment whether the major weakness noted by him has been corrected by the management as at the balance sheet date.

• If the auditor is of the opinion that the weakness has not been corrected, then the auditor should report the fact while commenting upon the clause.”

• Accordingly, the auditor should report if the company has adequate internal control systems in place and whether they were operating effectively as at the balance sheet date.
Ref: Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
© The Institute of Chartered Accountants of India Guidelines

reporting

• Section 129(4) of the 2013 Act states that the provisions of the 2013 Act applicable to the preparation, adoption and audit of the financial statements of a holding company shall, mutatis mutandis, apply to the consolidated financial statements.

Ref: Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
© The Institute of Chartered Accountants of India Guidelines

reporting

• The auditor’s opinion does not assure the future viability of the entity nor the efficiency or effectiveness with which the Management conducted the affairs of the entity

Ref: Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
© The Institute of Chartered Accountants of India Guidelines

benefits
ICOFR can provide the reader of financial statements with:

• Assurance that financial statements fairly reflect all financial transactions;
• Assurance that all transactions are recorded in accordance with applicable policies, directives and standards;
• Assurance that transactions are carried out in accordance with delegated authorities;
• Assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities;

adoption of frameworks
The Companies Act 2013 does not specify or recommend any framework that may be considered by companies when they establish their internal financial control.

To state whether a set of financial statements presents a true and fair view, it is essential to check and benchmark the financial statements for compliance with a framework and the generally accepted accounting principles such as IFRS, US GAAP etc.

Similarly, to assess and report on adequacy and compliance of the system of internal control, it is essential that the management adopts one or a combination of frameworks of internal controls.
The following are a few commonly applied frameworks:

• COSO (USA) – 98% of US listed companies use this
• COCO (CANADA) (Criteria of Control) – 20 controls in four areas: purpose, commitment, capability, monitoring and learning.
• TURNBULL REPORT (UK) – have good internal controls/audits to ensure quality of financial reporting and catch frauds

essential components of internal controls
A company may adopt any of the commonly applied frameworks or establish a framework of its own. Pending issuance or recommendation of a framework by the Ministry of Corporate Affairs (MCA), in case a company chooses to establish an internal control framework of its own, it should ensure that the framework addresses the following essential components of internal controls:

• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring activities

control environment
• Ethical Value
• Management Style & Philosophy
• Mission
• Competence
• Structure
• Morale

risk assessment
• Assess and Manage risks
– Assess Type of Risk
Internal and External Risks

– Manage Risks
Prevent risk
Accept risk
Reduce risks to acceptable risk
Avoid risk

Guide for evaluating risk
Risks are placed in four quadrants by likelihood (low to high) and impact (low to high):
• I – Area of Least Concern: low likelihood, low impact
• II – Area of Minimal Concern: high likelihood, low impact
• III – Area of Moderate Concern: low likelihood, high impact
• IV – Area of Most Concern: high likelihood, high impact

control activities
• Automated
• Manual
• Preventive
• Detective

examples of control activities

• Documentation
• Approval and authorization
• Verification
• Supervision
• Separation of duties
• Safeguarding of assets
• Reporting
• Information System Controls
– General IT controls
– Application Controls
– Backup and disaster recovery

monitoring

• Monitoring is review of an organization’s activities and transactions to assess the quality of performance over time and to determine whether controls are effective.

• Major areas:
– Control activities
– Mission
– Control Environment
– Risks & Opportunities
– Communication
– Results

communication

• Elements of communication
– Clear and open horizontal and vertical
– Sufficient but not excessive detail
– Appropriate to user
– Timeliness

overview
Activities
• Establishment of Entity level controls
• Establishment of Process level controls
• Establishment of IT controls
• Establishment of Fraud Mitigation controls
• Testing and validation of controls

Value to be derived
• Formal and Periodic monitoring system around Internal Financial Controls
• List of Inadequate and less efficient controls
• Analysis of high risk process areas
• Analysis of Red flag areas
• Assurance on adequacy and operational efficiency of Internal Financial Controls

Users
• Process owners and HODs
• Internal Audit
• Directors/Audit Committee

planning

• Auditor is required to:
– Establish an overall strategy that sets scope, timing and direction of audit.
• It involves:
– Identification of significant account balances
– Identification of risk of material misstatements
– Identification and understanding of significant flow of transactions
– Identification of controls

design and implementation
Testing of Design effectiveness of controls by determining whether:
• the company’s controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively,
• satisfy the company’s control objectives and
• can effectively prevent or detect errors or fraud that could result in material misstatements in financial statements

reporting

Where there are deficiencies that individually or in combination result in one or more material weaknesses:

The auditor should evaluate the need to express a modified opinion, i.e. qualified or adverse, on the company’s IFC – FR, unless there is a restriction on the scope of the engagement.

limitations
• Internal controls are driven by cost benefit analysis
• Frauds and collusions cannot be ruled out however strong the controls
• Internal controls are designed for standard transactions. But innovative products are designed and launched even before systems and processes are put in place
• Management overrules processes while dealing with a crisis, which then sometimes becomes a practice. Exceptions become a rule.

ANB @ ICOFR
COSO’s framework
According to COSO, “Internal control is the process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance”.

approach
Using financial statement and COSO’s framework as base

Testing the “As Is” Control Environment
• Discussion with Management
• Auditors report
• Regulatory Bodies if any

Risk Assessment
• Mapping of Financials to the business & its operation
• Conducting process walkthroughs
• Assessing type of risk and its impact.

What are the organization controls?
Mapping of existing controls against risk identified, i.e. Entity level controls, process level controls and technology controls

Information & Communication systems
Identifying, classifying and disseminating information in the form & timeframe that makes it relevant, sufficient to enable effective decision making and mitigating possible losses

Monitoring
Ascertaining whether components of internal control are present and functioning

methodology

internal control over financial reporting

risk assessment
Review of Control environment to assess “tone at the top”: Board, Senior Management

ELC
• commitment to integrity and ethical values
• oversight
• Structure, authority and responsibility
• commitment to competence
• Enforces accountability

PLC: Four Primary Factors
1. Materiality of the amounts
• Large Amount transactions
• High volume of transactions
• Significant impact on key ratios or disclosures
2. Complexity of the process
• Limited internal skills
• Multiple data handoffs
• Highly technical in nature
3. History of accounting adjustments
• Accounting errors
• Valuation adjustments, etc.
4. Propensity for change in
• Business processes or controls
• Related accounting

Process-level Risk Assessment: High, Medium, Low

control activities
Using the COSO framework as a guide, the control environment plays a significant role in the overall internal control system.

Entity Level Controls (ELC)
ELC provide the “tone at the top” of the organization, and as a result directly or indirectly impact all underlying controls.
Effective ELCs can provide excellent leverage to reduce testing at lower levels.

Process Level Controls (PLC)
The starting point for assessing the effectiveness of the transaction level controls is defining what business processes are in scope.
Step 1 – identify the significant accounts
Step 2 – associate the significant business processes
Step 3 – perform a detailed risk assessment

IT General Controls
IT controls protect data integrity and are a significant component of an organization’s ICOFR.
Information systems support the flow of information from initiation to recording and are one of the most important and pervasive pieces of an organization’s financial reporting system.

monitoring
• The goal is to evaluate the consistency of control operation.
• Controls are tested based on the frequency of performance (daily, weekly, monthly, quarterly, annually)
• Test samples are not selected based on materiality

automation

ELC
Columns: SR. No; COSO Principles; COSO - Point of Focus; Control Objective; Control Activity; Documents / Evidence

1.
COSO Principle: The organization demonstrates a commitment to integrity and ethical values
COSO - Point of Focus: Sets the tone at top
Control Objective: Management maintains an approved code of conduct ("CoC") and other policies regarding acceptable business practices, conflicts of interest and expected standards of ethical behavior.
Control Activity:
• The Company has in place the following approved Codes of Conduct, which are posted on Company's intranet:
– Code of Conduct (for employees and the Executive Director); and
– Code of Conduct for Non-Executive Directors
• CoC gives a reference to ethical standards expected from employees
Documents / Evidence:
• Code of Conduct
• Code of Conduct for Non Executive Directors
• Minutes of meeting

2.a
COSO - Point of Focus: Establishes standards of conduct
Control Objective: Management maintains an approved code of conduct ("CoC") and other policies regarding acceptable business practices, conflicts of interest and expected standards of ethical behavior.
Control Activity:
• The Company has in place the following approved Codes of Conduct, which are posted on Company's intranet:
– Code of Conduct (for employees and the Executive Director); and
– Code of Conduct for Non-Executive Directors
• CoC gives a reference to ethical standards expected from employees
Documents / Evidence:
• Code of Conduct
• Code of Conduct for Non Executive Directors
• Minutes of meeting

ELC – contd.
Columns: SR. No; COSO Principles; COSO - Point of Focus; Control Objective; Control Activity; Documents / Evidence

2.b
COSO - Point of Focus: Establishes standards of conduct
Control Objective: There is a means for employees to communicate upstream, anonymously if so desired, other than through a direct supervisor.
Control Activity:
• Whistle Blower Policy, which defines the mechanism for directors and employees of the Company to report any actual or potential violation of the CoC, is approved by Board of Directors
Documents / Evidence:
• Whistle Blower Policy

3.a
COSO - Point of Focus: Evaluates adherence to standards of conduct
Control Objective: Employees are aware of and understand the policies regarding acceptable behavior and what to do when they encounter improper behavior.
Control Activity:
• Code of Conduct is made available on the Intranet of the Company at all times and is accessible to all employees of the Company.
• The Whistle Blower Policy is also posted on the Intranet.
• All the directors and employees are required to complete a web-based learning on ethics, and compliance with this learning module is monitored by the Chief Ethics Counsellor
Documents / Evidence:
• Code of Conduct
• Whistle Blower Policy

3.b
Control Objective: The importance of high ethics and controls is discussed with newly hired employees through orientations or interviews.
Control Activity:
• All new employees are assigned to the 'Code of Conduct' online tool and all the ethics policies are shared with them.
Documents / Evidence:
• Ethics Update

ELC – contd.
Columns: SR. No; COSO Principles; COSO - Point of Focus; Control Objective; Control Activity; Documents / Evidence

4.a
COSO - Point of Focus: Addresses deviations in a timely manner
Control Objective: Management has laid down oversight responsibility to address reported deviations
Control Activity:
• The Whistle Blower Policy defines the oversight responsibility of Ethics Counsellor / Chairman of the Audit Committee to present the report to the Audit Committee on a periodic basis.
Documents / Evidence:
• Whistle Blower Policy

4.b
Control Objective: The audit committee (or other committee) specifically addresses management's adherence to the company's established code of conduct.
Control Activity:
• Chief Ethics Counsellor reports to the Ethics and Compliance Committee for all the cases reported, status of these cases and outcome from investigation. Ethics and Compliance Committee on a periodic basis presents to the Audit Committee a summary on cases reported, status of these cases and outcome from investigation
Documents / Evidence:
• Minutes of the meeting

ELC – contd.
Columns: SR. No; COSO Principles; COSO - Point of Focus; Control Objective; Control Activity; Documents / Evidence

1.
COSO Principle: The organization communicates with external parties regarding matters affecting the functioning of internal control.
COSO - Point of Focus:
• Communicates to external parties
• Enables inbound communications
• Provides separate communication lines
Control Objective: There is a means for third parties to be informed and to communicate financial reporting issues, anonymously if so desired.
Control Activity:
• The Company on a periodic basis conducts classroom trainings for Vendors, Channel Partners, Associates on ethical standards to be observed in dealing with or on behalf of the Company and also on the reporting mechanism if any unethical behavior is noted.
Documents / Evidence:
• Code of Conduct
• status of Ethics and trainings
• Sample training deck

2.
COSO - Point of Focus: Communicates with the board of directors
Control Objective: The audit committee (or other committee) specifically addresses management's adherence to the company's established code of conduct.
Control Activity:
• Chief Ethics Counsellor reports to the Ethics and Compliance Committee for all the cases reported, status of these cases and outcome from investigation. Ethics and Compliance Committee on a periodic basis presents to the Audit Committee a summary on cases reported, status of these cases and outcome from investigation
Documents / Evidence:
• Minutes of the meeting

PLC
Identification of significant accounts
Accounts affecting payroll – 74% of total expenses

PLC
Processes Impacting Payroll accounting

Employee Master Register
• Entry in Payroll master after completion of Probation Period.
• Other Benefits to employee as per eligibility

Appointment letter
• Process of recruitment
• Issue of appointment letter
• Maker-Checker methodology

Statutory Deduction
• Checking of Process of Calculation of Tax of employee after considering Investment declaration/ Proofs.
• Deduction of PT, PF, ESIC etc.

Resignation of employee
• Process of relieving employee
• Serving of notice period
• Settlement of account

Increment/ Bonus
• Process of Increments i.e. performance appraisal, Self appraisal.

PLC
Columns: SR. No; Sub Process; Risk Description; Control Description; COSO component & Principles; Documents / Evidence required

1.
Sub Process: Inputs for Payroll Processing
Risk Description:
• Salary not processed for eligible employees
• Incorrect salary paid to transferred / promoted employees
• Advances not recovered / incorrectly recovered from employees
Control Description:
• All inputs from circle are updated in employee master by HR Team via tickets.
• All transfers and promotions are effected in system by HR itself
• Respective departments give inputs to payroll team for updation of recovery amount in SAP, which is subsequently validated in salary register.
COSO component & Principles: Control activities: Deploys through policies and procedures
Documents / Evidence required:
• Employee master maintained by HR team
• Evidence from the payroll input file validating the computation of salary of an employee
• Evidence of amount recovered from employee where it was recoverable basis inputs given by respective dept. with payroll team.

2.
Sub Process: Inputs for Payroll Processing
Risk Description:
• Unauthorized changes in inputs provided by circle for payroll processing
• Inadequate bifurcation of departments
• No mapping of departments to employee budgets
Control Description:
• All changes are updated based on tickets raised by circle and same is confirmed by HR SSC by closing tickets with relevant remarks.
• Mapping of departments to employee budgets is handled by business finance using cost center data.
• The CC data is updated on an annual basis, based on which employee mapping is done.
COSO component & Principles: Control activities: Deploys through policies and procedures
Documents / Evidence required:
• Sample tickets raised for change of payroll data along with details on ticket closure, remarks etc.
• CC data to validate department and employee budgets mapping

PLC
Columns: SR. No; Sub Process; Risk Description; Control Description; COSO component & Principles; Documents / Evidence required

3.
Sub Process: Accounting entries for salary
Risk Description:
• Incorrect accounting entries for booking payroll cost, advance payments, advance recoveries and other elements of payroll payouts
Control Description:
• Accounting entries posted are automated basis the payroll data uploaded by HR
COSO component & Principles: Control activities: Selects and develops control activities
Documents / Evidence required:
• Summary of Payroll cost for a sample month
• Evidence of posting of same in SAP (Screenshot from SAP)

4.
Sub Process: FNF Settlement
Risk Description:
• Incorrect FNF payout
• Non-recovery of dues/ loan from terminating employees
Control Description:
• The process of providing No-Due Certificate (NDC) is now completely automated. Once all the process owners approve the NDC for an employee, the final payout file is uploaded in the system for confirmation of the relevant employee.
• Once employee confirms the payout computation, the F&F payment is sent for processing as per agreed timelines.
COSO component & Principles: Monitoring: Selects, develops and performs ongoing and separate evaluations
Documents / Evidence required:
• Sample NDC for a resigned employee.
• Evidence of verification of FNF calculation by HR SSC team & confirmation sent to payroll team.
• Evidence of payments / recoveries made based on HR SSC inputs

PLC
Columns: SR. No; Sub Process; Risk Description; Control Description; COSO component & Principles; Documents / Evidence required

5.
Sub Process: Validation of the salary data (to be uploaded) v/s Salary register & upload of the file.
Risk Description:
• Inaccurate salary processed / inaccurate salary payout to employees
Control Description:
• Payroll team performs reconciliation of salary as per salary register v/s bank transfer file prior to seeking approval for payment.
• Bank details are updated in SAP as part of employee master by HR SSC.
• Any changes / modifications are done based on employee confirmation. Further, employees themselves can also change bank details of their own account.
COSO component & Principles: Control activities: Selects and develops control activities
Documents / Evidence required:
• Reconciliation of Salary as per register with salary payable as per bank register file.
• Bank master file updated in SAP by HR SSC.
• Evidence of any changes made to bank master duly authorized & approved by employee & HR head.
• Evidence of any change to bank master by employee using his login credentials

6.
Sub Process: Increment
Risk Description:
• What ensures that any change in annual salary increments is correctly updated in the payroll system?
• What ensures that any change in Salary Increment is appropriately approved?
Control Description:
• All the increments are now managed through a completely automated system (OIA). Once the business approves increments, HR updates individual wise increment details in the OIA system. The access to OIA is with 2 designated individuals only. OIA is then linked to SAP, through which the final payout file is generated
COSO component & Principles: Control activities: Selects and develops control activities
Documents / Evidence required:
• Details of increment computed and paid for one sample employee.

PLC
Columns: SR. No; Sub Process; Risk Description; Control Description; COSO component & Principles; Documents / Evidence required

7.
Sub Process: Payroll payment
Risk Description:
• What ensures that fictitious or duplicate employee records are not created?
Control Description:
• Adequate controls are built into the recruitment system (Insta HR) and duplication check is done by the system in the PAN number, name, mobile number, email id etc.
COSO component & Principles: Control activities: Selects and develops control activities
Documents / Evidence required:
• List of duplicate employee alarms raised by the system

8.
Sub Process: Employee Master
Risk Description:
• What ensures that invalid changes to the Employee Master don’t go undetected?
Control Description:
• Employee master will need a change whenever there is an organizational announcement (realignment), separation or transfer.
• Separation process is handled through the automated NDC process that links with HR system
• Organization realignment related cases are highlighted to HR by the business and upon relevant business approvals, a mass update is done in the HR system to reflect the correct mapping between employee & the reporting manager
• Transfer cases are handled through the e-Transfer application. Here, details are auto updated as part of the transfer process in the HR system.
COSO component & Principles: Control activities: Selects and develops control activities
Documents / Evidence required:
• Details of increment computed and paid for one sample employee.

Thank you
