Road to Self Governance


Transform internal controls; sustain business performance
8 January 2015

Contents
1. Setting the Context
2. What needs to be done
3. Perspectives on IFC coverage
4. Leveraging IFC effectively

1. Setting the Context

What do we mean by Controls with respect to IFC?
Internal Controls on Financial Reporting
- Financial Reporting Controls: controls to address financial assertions (includes fraud and IT risks)
- Operational Controls: fraud implications; efficiency / service implications
- Technical Controls: quality / maintenance / etc.

Companies Act: Raising the bar on governance
Clause 49, Listing Agreement (CEO/CFO Certification: listed companies)
- Establish and maintain internal controls
- Evaluate effectiveness of the internal controls system
- Deficiencies in design or operation of internal controls
- Steps taken to rectify the deficiencies
Companies Act 2013, Sec 134 (Listed/Unlisted*)
- Directors to lay down Internal Financial Controls (IFC) and ensure adequacy and operating effectiveness
- Audit Committee to evaluate IFC
- Independent Directors to satisfy themselves on robust and defensible financial controls
- Rule 8(5)(vii) requires the Board of Directors' report of all companies to state in detail the adequacy of internal financial controls with reference to the financial statements
IFC must be: Defined + Adequate + Operating Effectively

Internal Financial Control (IFC) requirements as per the Companies Act 2013
Section 134: Responsibility Statement
- As per Section 134(5)(e), the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
- As per Section 134(5)(c), the directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.
Schedule IV
- The roles and functions codified in Schedule IV of the Companies Act 2013 clearly state that independent directors shall satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
Section 177
- Under Section 177(4)(vii), the duties of the Audit Committee include evaluation of internal financial controls.

Internal Financial Control (IFC) requirements as per the Companies Act 2013 (continued)
Section 143
- Under Section 143(3)(i), Statutory Auditors are required to make a statement in their Auditors' Report on whether the company has an adequate IFC system in place and on the operating effectiveness of such controls.
- Section 143(12): If an auditor of a company, in the course of the performance of his duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, he shall immediately report the matter to the Central Government within the prescribed time and manner.

Companies Act 2013: Definition of Internal Financial Controls
Focus area: Policies and procedures
- Key requirements: Define process and control guidelines; assignment of responsibility, delegation of authority and segregation of duties to provide a basis for accountability and controls.
- What companies need to do: Define and disseminate policies and procedures; develop a Delegation of Authority; review policies and procedures.
Focus area: Safeguarding of assets
- Key requirements: Assets and ownership interests exist at a specific date.
- What companies need to do: Assess adequacy of insurance of assets; carry out periodic physical verification of assets.
Focus area: Prevention and detection of frauds and errors
- Key requirements: Enable proactive anti-fraud controls and a fraud risk management framework to mitigate fraud risks to the company.
- What companies need to do: Implement an anti-fraud program; carry out a fraud risk assessment.
Focus area: Accuracy and completeness of the accounting records
- Key requirements: All transactions that occurred during a specific period have been recorded; assets, liability, revenue and expense components are recorded at appropriate amounts.
- What companies need to do: Perform an assessment of Entity Level Controls, Process Level Controls, IT Controls and Fraud Controls.
Focus area: Timely preparation of reliable financial information
- Key requirements: Financial items are properly described, sorted and classified; financial information is provided as per the timelines defined by the relevant stakeholders.
- What companies need to do: Develop and disseminate an accounting policy manual; develop a robust financial close process with inbuilt controls for oversight and monitoring.
There should also be a robust mechanism to report the effectiveness of the above mechanisms to the board and the audit committee.

Internal Financial Control Framework: Approach Overview
IFC components: entity and process level elements
Key activities by phase:
- Plan and Scope: Define project approach, scope, milestones, timeline and resources; identify and agree pilot locations to implement IFC.
- Document Risk and Controls: Conduct discussions at pilot locations to understand process, risk and controls for in-scope business processes; develop risk control matrices (RCMs) and high-level process flows at pilot locations to finalise entity and process level controls over financial reporting, including fraud and IT controls; conduct workshops at other locations to identify key variances and finalise templates.
- Evaluate Controls: Evaluate design and operating effectiveness of the IFCs through management self-assessment/evaluation; remediate gaps and re-evaluate effectiveness; obtain key stakeholder (including external auditors) buy-in at key stages.
- Management Reporting: Provide a summary report on the internal financial control evaluation to the entity as well as group senior management; group senior management completes a governance checklist and summarises the results of their internal financial control evaluation to the board.
Deliverables:
- Plan, scope and materiality thresholds
- High-level process flows/narratives
- Risk Control Matrices for entity level and process level elements
- Management testing/re-testing documents including gap summary
- Final gap assessment and assessment by management including remediation plan
- Stakeholder reporting
Our approach will take into consideration the requirements of the Companies Act 2013 and relevant guidelines such as COSO 2013, and will also effectively leverage and rely on control mechanisms already in place.
Management training on IFC requirements is essential all through the implementation.

Penalties for non-compliance with IFC requirements
Certain personnel defined as "Officer in default" include:
- Whole-time Directors
- Key Managerial Personnel (CEO/CFO/Company Secretary)
- Any person in accordance with whose advice the board acts
- Every director, in respect of a contravention of any of the provisions of this Act, who is aware of or participated in such contraventions
Penal provisions under the Companies Act:
- Imprisonment up to 5 years or fine up to INR 5 lakh, or both.
- Penal provisions for not complying with Section 134: failure to give this disclosure will lead to a penalty of up to INR 25 lakh on the company, and 3 years and/or up to INR 5 lakh on the Officers in default.

2. What needs to be done?

What constitutes Internal Financial Controls?
Internal Financial Controls means the policies and procedures adopted by the company for ensuring:
- the orderly and efficient conduct of its business, including adherence to the company's policies
- the safeguarding of its assets
- the prevention and detection of frauds and errors
- accuracy and completeness of the accounting records
- timely preparation of reliable financial information

COSO 2013 Framework and Principles

COSO 2013 Framework and Principles
Controls related to the COSO components can be found at the entity level and transaction level.
COSO components: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring Activities.
- Entity-Level Controls (ELCs): controls that do not specifically relate to an assertion (indirect)
- Transaction-Level Controls (TLCs): controls that specifically relate to an assertion (direct)
- GITCs (General IT Controls)

What do we mean by IFC framework?
- IT: IT entity level; IT general controls; application controls; key spreadsheets
- Fraud: entity fraud risk; process level fraud risk
Deliverables: process flows/narratives; Risk Control Matrices; testing documentation

Approach for implementing the IFC framework
1. Plan and Scope the Evaluation: defining materiality and scope; discuss and agree with statutory auditors; phase-wise testing of controls
2. Design the IFC Framework: focus on key risks; include all elements (process, IT and fraud); develop documentation
3. Evaluate the Design Effectiveness
4. Identify and Correct Deficiencies: assess materiality and prioritize areas for improvement; focus on compensating controls
5. Evaluate Operating Effectiveness (including remediation and re-testing)
6. Independent Audit and reporting of IFC Controls
Project Management runs across all phases.

Key activities in a typical end-to-end IFC implementation
Phase I: Plan and Scope the Evaluation
Phase II: Document Risk and Controls
Phase III: Evaluate the Design Effectiveness
Phase IV: Identify and Correct Deficiencies
Phase V: Evaluate Operating Effectiveness (half-yearly self-assessment by management)
Phase VI: Evaluate Operating Effectiveness (IA testing as part of the IA plan; remediation and re-testing of failed controls)
Phase VII: Independent Audit and reporting of IFC Controls

Internal Financial Controls: Key Sub-elements
Processes:
- Strategic: Budgetary Controls and MIS, Capital Expenditure, etc.
- Operational: Order to Cash, Procure to Pay, Inventory Management, Production, etc.
- Support: Finance and Accounts, Human Resources, Information Technology, etc.
Risk classification:
- Entity Level Controls: Code of conduct, whistle blower policy, transparent organization structure, HR policies, etc. This will also include IT entity controls.
- IT General Controls: General IT Controls (GITC), Application Controls, Entity Level Controls (ELC) around the IT environment
- Process Level Controls (ICOFR, OFC including safeguarding of assets and IT controls): process-driven manual controls like BRS preparation, PO creation, etc.; automated IT controls like restricted user rights, invoice validation, etc.
- Fraud Risk: controls mitigating inherent fraud risks within business processes
Controls rating: Financial Reporting; Preventive/Detective; Frequency
Control categorization: material / significant / control deficiencies on the basis of discussed and agreed criteria

Entity Level Controls: Key Sub-elements
Board and Audit Committee (AC):
- Composition and functional experience
- Roles and responsibilities including agenda
- Independent Directors
- Communication to the Board/AC, including information provided to the Board/AC
- Board/AC oversight and monitoring
- Effectiveness evaluation
Operations; Integrity and Ethical Values; Assignment of Authority and Responsibility; Organization Structure:
- Code of Conduct
- Whistle Blower Mechanism
- Vendor Relations
- Customer Relations
- Delegation of Authority
- Policies and Procedures
- Segregation of Duties
- Organisational Structure
- Third party relationships: Legal; Investor relations; External Auditors
- Subsidiary Management
Management's Philosophy and Operating Style
Financial Reporting and Disclosures: Contingent Liabilities; Accounting estimates; Disclosure controls; Notes to Accounts
Oversight and Monitoring: Internal Audit; Control Self Assessment; Continuous control monitoring and assurance through data analytics / control dashboards; Financial review and oversight
IT Entity Controls: IT Strategy and Infrastructure; IT Risk Management; Disaster Recovery Planning
Enterprise Risk Management
Budgeting and MIS

6 Steps of Identifying and Evaluating Internal Control Deficiencies
Identifying the Internal Control Deficiency:
1. Determine whether a control deficiency exists.
2. Identify the deficient control by performing a root cause analysis.
3. Determine whether the control deficiency is indicative of other deficiencies.
Evaluating the Internal Control Deficiency:
4. Evaluate the severity of the deficiency by considering the magnitude and likelihood of the potential misstatement.
5. Identify relevant compensating controls and conclude on the severity.
6. Aggregate similar deficiencies and evaluate the aggregated deficiencies for severity.

How can a Control Deficiency be Identified?
- During our walkthroughs and/or Test of Design and Implementation, and/or Test of Operating Effectiveness
- While performing substantive audit test work (even in the absence of an actual misstatement)
- Through management review
- Internal audit or other internal sources
- While reviewing external sources (e.g. regulatory reports, SEC comment letters, service organization auditor's reports, etc.)
- As a result of non-GAAP policies and procedures
This list is not all-inclusive; deficiencies can be found in many different ways!

Identify Relevant Compensating Controls and Conclude on Severity
What are compensating controls?
- Controls which limit the severity of the deficiency, but do not eliminate the deficiency.
- Controls which compensate for deficiencies, including deficiencies in GITC, and are designed and operating effectively at a level of precision that would prevent/detect a potentially material misstatement.
Key considerations:
- Compensating controls do not need to operate at the same level of precision as the original control.
- High-level analytical procedures generally do not constitute effective compensating controls.

Document Final Assessment of Control Deficiencies
- If we identify deficiencies in controls designed to prevent or detect fraud during the audit of ICOFR, the auditor should take into account those deficiencies when developing his or her response to risks of material misstatement during the financial statement audit.
- Determine the impact of the deficiencies on the audit approach, procedures and our evaluation of ELCs.
- Document the consideration of the impact of deficiencies in GITC on the company's application controls, as well as the impact on the nature, timing and extent of the substantive audit procedures performed (GITC Control Deficiencies Document) as required.
- Risk and audit quality assessment (RAQA) completion meeting.
- Timely review by and communication with management.

Fraud Risk Procedure
Fraud Risk Assessment:
- Understand the organization's business environment
- Review documentation of previous/suspected frauds, frauds at similar organizations, root cause analysis
- Include potential fraud indicators in the Risk Control Matrix / Audit Program
Fraud Detection:
- Identify red flags and the techniques used to commit fraud
- Leverage data mining / data analytics to find unusual items
- Perform detailed analyses of high-risk accounts and transactions
Fraud Prevention:
- Define robust control activities
- Appropriate authority limits
- Segregation of incompatible duties
- Employee training; ethics training sessions
- Monitoring of whistleblower hotline
Anti-fraud controls, process level:
- Controls over significant, unusual transactions
- Controls over adjustments in the period-end financial reporting process
- Controls over related party transactions
- Controls related to significant management estimates
- Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results
Anti-fraud controls, entity level:
- Whistleblower hotline / whistleblower protection policy
- Board oversight
- Results of continuous monitoring
- Code of conduct

Three elements of a comprehensive legal compliance framework (compliance with provisions of all applicable laws)
Governance level:
- Compliance organization structure, policies and procedures documents, well-defined roles and responsibilities, a well-defined reporting structure
Operating level:
- Business practices aligned with all applicable laws
- An automated tool to ensure compliance monitoring is effective
- Document retention and training will be key to ensuring proper compliance
Monitoring level:
- Ensure proper monitoring systems are in place, which include MIS and reporting, audits, inspections and site visits if required, self-certification, third party compliance programs, and remediation plans and processes for non-compliances

IFC Charter: to be launched anchored on 4 themes (New Internal Audit Charter)
Robust Internal Financial Controls:
- Assess and evaluate tone at the top
- Develop internal control framework aligned to COSO 2013
- Develop combined risk and controls assurance plan
- Test operating effectiveness of internal controls
Strengthening ERM practices:
- Continuous, top-down risk assessment
- Expand risk assessment to include strategic risks
- Facilitate portfolio view of risks
- Educate stakeholders on risk management practices
- Adopt dynamic audit plans
Comprehensive Legal Compliance Framework:
- Detailed legislation mapping
- Identify compliance gaps; additional controls
- Implement integrated internal audit and compliance model
Assessing Fraud Risk vulnerabilities:
- Review entity level anti-fraud controls
- Identify relevant fraud risk factors
- Include potential fraud indicators in the audit plan
- Leverage data analytics to look through unusual transactions

Assurance Role for AC/BoD
1. Assess and Evaluate Tone at the Top
- Review management's philosophy and operating style
- Review Board/Audit Committee's oversight responsibility over financial reporting and internal control
- Ensure presence of defined policies and procedures
2. Develop an Internal Control Framework
- Ensure holistic coverage of operational, financial and fraud risks
- Design in accordance with the COSO / COBIT frameworks
3. Develop a Combined Assurance Plan
- Develop a combined assurance plan for risk management and continuous monitoring
- Evaluate, document and prioritize risks across the organization / business segments
4. Test the Operating Effectiveness of Internal Financial Controls
- Assist management's assessment of the design of controls over business operations
- Enable evaluation of operating effectiveness and deviation identification

3. Perspectives on IFC coverage

Perspectives on scope and coverage (Listed Entities)
Focus areas, governance / stakeholder responsibility:
- Board responsibility
- Reporting
- Auditor responsibility
Focus areas, controls:
- Operational controls, efficiency-related controls
- Safeguarding of assets
- Internal Controls over Financial Reporting
- Control framework at overseas subsidiaries
Governance and policy related; procedures / controls: IFC framework related

Key challenges and potential solutions
Challenges:
- Developing a robust framework
- Quality of controls
- Increase in compliance costs
- Efficiency
Solutions:
- Leverage existing programs
- Adopt COSO
- Focus on key risks
- Integrate with IA
- Automate controls
- Automated testing
- Control self assessment

Integration with Internal Audit
Internal Audit scope, and how IFC work fits into each step:
- Planning: key audit areas can be covered in the second half of the year; the audit process can include validation of control self assessments
- Process Understanding and Risk Assessment: leverage process understanding to document/update process flows/narratives and to document key risk control RCMs
- Controls Validation: control tests to be documented in Risk Control Matrices (RCM); separate control tests towards year end; separate file documentation for testing
- Reporting: linkage between gaps identified in the audit procedures
- Follow-up Reviews: provide assurance on closure of deficiencies, especially prior to year end
Increase in IA efforts, however lower than reinventing the process.

Effective use of Data Analytics for Assurance
1. Planning and Risk Assessment: Defining Key Risk Indicators (KRIs) and automating the data feeds for computing the KRI is a critical starting point.
2. Materiality: Identifying the quantum of error / inconsistency in transactions / balances.
3. Testing and Control Monitoring: Automating the Key Control Indicators (KCIs) for the IFC, such as SOD conflicts, etc.; real-time assessment of control failures through automating critical input information from multiple systems / through the ERPs for monitoring risks.
4. Fraud Risk Analytics: Analyzing enterprise and entity level data for identifying unusual transactions that result in late or unusual journal entries, and analyzing journal entries and adjustments made in the period-end financial reporting process.

4. Leveraging IFC effectively

Benefits of IFC
- Enhancing governance framework
- Defines clear accountability and transparency
- Controls automation
- Reduction in number of surprises
- Streamlining / standardizing controls
- Opportunity to plug leakages / potential frauds

Current state: increasing regulatory requirements; complex business and risk management processes
Business and risk management information flows to stakeholders:
- Internal: Board/Committees; Executive / Senior Management
- External: Shareholder; Auditor; Regulator; Rating Agencies
Reporting and disclosure process
Oversight functions: Risk Management; Compliance; Internal Audit; Finance and Treasury Department; Human Resources; Legal Department
Data capture and analysis
Business Units (BU, BU, BU, BU, BU, BU)
Inefficiencies arise at each hand-off between these layers.

Case for integrated assurance: aggregate, align, and formulate a complete and consistent message for stakeholders
Benefits include a common risk vocabulary, consistent reporting, and cost savings.
Business and risk management information flows to stakeholders:
- Internal: Board/Committees; Executive / Senior Management
- External: Shareholder; Auditor; Regulator; Rating Agencies
Reporting and disclosure process
Oversight functions: Finance and Treasury; Risk Management; Internal Audit; Human Resources; Legal Department; Compliance Department
Data capture and analysis
Business Units (BU, BU, BU, BU, BU, BU)
Simplification of business and risk management processes; executive management is likely to task the CAE with the Integrated Assurance Initiative to address the inefficiencies.

Thank you
Rajesh Guraria