Internal Financial Controls (IFC) - An Overview

Transcription

1 Internal Financial Controls (IFC) - An Overview

2 Increased responsibilities of the Board: Companies Act 2013 Board s responsibility extended to ensure Legal compliances to all applicable statutes. The increasingly onerous requirements mean that the role of Legal assurance function will need to be redefined. Expanded the applicability beyond financial reporting controls covers operational aspects. Companies will now need to embed internal control monitoring into their operations, reporting and compliance processes. Significant responsibilities on the board and audit committee members to assess the robustness of company s risk management policies, processes and systems. 2

3 Regulatory focus on Internal Financial Controls Sec 134 As per Section 134(5)(e) requires, directors to make an assertion in Directors Responsibility Statement that they have laid down internal financial controls to be followed and that such IFCs are adequate and operating effectively Sec. 143 Under Section 143(3)(i), Statutory Auditors are required to make a statement in their Auditors Report, whether the company has adequate IFC system in place and the operating effectiveness of such controls Sec. 177 Under Section 177(4)(vii), the duties of the Audit Committee include evaluation of internal financial controls & to make a report to the board Sch. IV The roles and functions codified in Schedule IV of The Companies Act 2013 clearly state that independent directors shall satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible Companies Act 2013 casts responsibility to ensure existence and operating effectiveness of Internal Financial Controls for various stakeholders Ensure adequacy and operating effectiveness of IFC Evaluation of internal financial controls Directors Internal Financial Audit Committee To comment on adequacy and operating effectiveness of IFC Control Satisfy themselves on the robustness of internal financial controls framework Auditors Independent Directors 3

4 IFC as defined and the areas of focus Definition of Internal Financial Controls as per Companies Act, 2013 policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information Building block (Component) Policies and procedures Safeguarding of assets Prevention and detection of frauds and errors Accuracy and completeness of the accounting records Timely preparation of reliable financial information Key objectives of coverage Assignment of responsibility, delegation of authority, segregation of duties and establishment of related policies and procedures to provide a basis for accountability and controls Assets and ownership interests exist at a specific date Assets are the rights of the entity at a specified date Enable proactive anti-fraud controls and a fraud risk management framework to mitigate fraud risks to the company All transactions occurred during a specific period have been recorded Assets, liability, revenue and expense components are recorded at appropriate amounts Financial items are properly described, sorted and classified Financial information is provided as per the timelines defined by the relevant stakeholders 4

5 The IFC equation ICOFR + Operations Controls + Anti Fraud Controls = IFC ICOFR Operational Controls Anti Fraud Controls 1 Is quantity recorded in invoice less than the actual dispatched quantity Are dispatch of goods to the customers delayed Can goods be dispatched to customer without a valid invoice EXAMPLES Is monthly reconciliation between headcount and payroll run performed and approved Inputs and cut off (period end) controls for recording raw material consumption Are Purchase Orders authorized as per the delegation of authority matrix Is attendance, for all employees, tracked through biometric or manual attendance sheets Monitoring standard consumption v/s actual consumption for variations Is the lead time in raising the PO against a PR monitored to avoid delays in procurement Can salary be disbursed to dummy/ ghost employees or absconding employees Reporting incorrect yield to mask inventory pilferage Can vendors be shortlisted without inviting multiple quotations 5 Material receipts are accurately accounted for in books of accounts Can physical verification of material be done through technology instead of manual certification Can we record a receipt without a physical receipt (access control) 5

6 A typical IFC Framework Assignment [ ] of Authority and Responsibility Key activities Integrity and ethics framework Controls on outsourced processes Financial Reporting Controls Asset Controls Oversight over Financial Reporting and Disclosures IT Controls Operationa l Financial Controls Fraud Risk Controls Organization Structure, Policies and Procedures Board and Audit Committee Oversight over Internal Financial Controls (Financial Risk Assessment) Enterprise Risk Management Identification of key business / financial processes Entity level controls Process flow charts Process level controls IT general controls Anti fraud controls Test of design Test of effectiveness Reporting Entity Level Elements Process Level Elements 6

7 What companies need to do Assess control environment by identifying and documenting entity level controls. 7

8 Entity Level Controls The following 5 components and 17 principles are considered for Entity Level Assessment of controls, it is required to be ensured that each of these principles are present and working within the company: Control Environment 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability Risk Assessment 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Control Activities 10.Selects and develops control activities 11.Selects and develops general controls over technology 12.Deploys through policies and procedures Information and Communication 13.Uses relevant information 14.Communicates internally 15.Communicates externally Monitoring Activities 16.Conducts ongoing and/or separate evaluations 17.Evaluates and communicates deficiencies 8

9 What companies need to do Assess control environment by identifying and documenting entity level controls. Identify key financial and non- financial processes at the company, based on the materiality of account balances 9

10 Planning & Scoping Business cycles / Process universe is required to be decided based on a top-down approach; Financial Statement s Risks to Financial Controls Business Cycles Subprocesses Objectives Activities Typical Process Universe Order to cash Procurement to pay Legal & Secretarial compliance Research & Development Fixed Assets Financial Processes HR and Payroll Non-financial Processes Inventory management Treasury Book Closure, Finance & Accounts Manufacturing, Quality & Operations 10

11 What companies need to do Assess control environment by identifying and documenting entity level controls. Identify key financial and non- financial processes at the company, based on the materiality of account balances Document process flows and narratives to document the key financial processes 11

12 Process flows Process flows are documented to depict the process to initiate, authorize, process, record and report transactions. Process flows are also helpful in identification of the potential red flags where misstatements could occur and the control activities that are defined to detect or prevent the same. Key elements to be included in a process flow diagram Process Objective Various applications involved IPE involvement Sequence of activities & document flow Frequency of activity People involved Makers & Checkers Controls in the process Segregation of duties Overview Information & Activities Control Environment Supported by Process Narratives comprising of: - Detailed description of all activities enumerated in the flow chart - Background / information on aspects that cannot be described in a flow chart 12

13 Process flows: Sample Buyer PROCESS Adds the vendors to the bidder list Buyer Yes Authorized personnel Buyer Buyer PR Approval PROCESS Prepares a bidder list and sends to authorized personnel (user, Manager, Supply Chain) as per policy for approval PP.1.01.A Changes recommended? No AUTHORISE Approve the bidder list via hard copy / (with a copy to the Manager, Supply Chain) PROCESS Floats the RFP to the potential vendors (via Smart Source ) PROCESS Follows-up with vendors for responses, and answers relevant queries, where applicable Authorized personnel Buyer Buyer & User Price approvals AUTHORISE Approve the bid extension (via hard copy / ) PROCESS Prepares request for extension in pre-defined format and sends to authorised personnel as per policy for approval Yes Are bid timelines to be extended? PROCESS Receive bids before bid closure date No Buyer Buyer & User Buyer & User Buyer & User PROCESS Prepares a price comparison sheet and submits it for the approval as per the Schedule of Authority PP.1.01.A PROCESS Prepare queries / clarifications and discuss the same with the bidders PROCESS Conduct commercial and technical evaluation as per predefined commercial and technical criterion PROCESS Receive bids till last date via hard copy; sign off the unpriced bid opening form and open techno commercial bids 13

14 What companies need to do Assess control environment by identifying and documenting entity level controls. Identify key financial and non- financial processes at the company, based on the materiality of account balances Document process flows and narratives to document the key financial processes Document Fraud Risk Controls, Process level controls and IT General Controls for the above processes in Risk Control matrices (RCMs) 14

15 Controls Risks Objective setting is a precondition to risk assessment; enables the management to identify the risks Control Objective The function of What Can Go Wrong with regards to the objectives defined Controls in place with the company to ensure that the risks identified are duly mitigated Existing Controls Types of controls Preventive Detective Automated Manual Process vs. controls Process Procedures defined to depict the data flow (origin, transfer or change) and can introduce errors Example: Employees complete their timesheets Controls Procedures designed to prevent and detect inconsistencies in the processes and cannot generate errors Example: Project manager approves timesheets 15

16 Sample Process RCM Risk Sub process Control Objective Control # Completeness Existence/ Occurrence Accuracy Valuation Rights & Obligations Presentation & Disclosure Entity Actual Control Key / Non Key Unique / Referred Preven tive / Detecti ve Type of Control (Automate d or Manual) Freque ncy Purchase orders are created for inaccurat e rate / quantity. P2P - Indent to Orderin g All purchase orders are authorized for rate and quantity. PP A X X X Spend up to INR 4-20 Lacs (Inclusive of taxes and overheads) As per policy, procurement is initiated by the user; coordinated, executed and negotiated by the Supply Chain. Vendor is selected on the basis of a comparative statement prepared by the buyers and approved by Supply Chain DOA holder via post reviewing all the supporting. If a preferred vendor is recommended by the user then only one bid is sought. The vendor is finalized based on approval of user and Supply Chain DOA holder via post reviewing all the supporting. Supporting documents and the approvals are attached in SAP by the buyer at the time of creation of PO / SO to provide a reference for approval. Key Unique Preve ntive Manual Transa ctional 16

17 Control documentation Journal Entries Common Practice Control objective Risk All manual journal entries are prepared in accordance with the company policy, are appropriately authorized and correctly recorded in the appropriate accounting period Inappropriate, unauthorized, and inaccurate calculation and recording of manual journal entries resulting in invalid transactions and financial misstatement Entity Actual Control All JVs are approved by HoD Finance Backup calculations are verified by HoD Finance Is the control documented adequate? How is it ensured that only authorized transactions are posted? What is the evidence of approval? How is review of backup calculation by HOD ensured? How is it ensured that the approval is provided by the right authority? How do you ensure that process was followed for all JVs? 17

18 Control documentation Journal Entries Suggested Practice Control objective Risk All manual journal entries are prepared in accordance with the company policy, are appropriately authorized and correctly recorded in the appropriate accounting period Inappropriate, unauthorized, and inaccurate calculation and recording of manual journal entries resulting in invalid transactions and financial misstatement Entity Actual Control Transactional All Journal Vouchers (JVs) are prepared by Finance team and manually approved (hard copy) by Finance Manager All approvals are provided as per defined Schedule of Authority Approvals are provided only based on review of backup calculations. All such backup calculations are attached to JV (hard copies) and also updated on the shared drive with limited access to team members Monthly HoD Finance downloads a log of all JVs recorded from ERP in a standard report Log of JVs is reconciled with back up and approval documents; the log is signed off 18

19 Control documentation GRN process Common Practice Control objective All material receipts are appropriately authorized and correctly recorded in the appropriate accounting period Risk Unauthorized receipt of materials / receipt in excess of purchase order quantities, resulting in inflation of vendor liabilities Entity Actual Control GR is recorded by stores based on sign-off provided by security for quantity verified and Manager QC for Quality of material received All GRs are recorded against purchase orders Is the control documented adequate? Who ensures no material enters the plant without PO? What is the control to ensure dummy GR are not recorded? How is accuracy of GR recorded ensured? What is the control on price and which liability is booked Are there any automated controls? 19

20 Control documentation Suggested Practice Entity Actual Control Automated Transactional Monthly GRs can be recorded only against an approved Purchase Order Material price / vendor code is automatically captured from the released PO; access for manual updates to the same is not available Access to record GR is restricted to Stores Details of consignment (PO number, invoice no., etc.) are stated in manual gate entry register and security stamp is affixed on the invoice Authorized person records GRN against PO for quantity physically received or DC quantity, whichever is lower based on quantity verified by Stores officer Quality clearance for material ensure checking of GRN is prepared for the right quantity Stores Manager conducts monthly reconciliation of all GRN in ERP vs. manual gate entry register maintained by security to ensure all transactions are posted and avoid dummy GRNs 20

21 Assertions Financial statement assertions have been defined in the Guidance Note on IFC to assist in identification of areas in which financials can be potentially misstated. Assertions laid down in the note are: Existence or occurrence Completeness Valuation or allocation Rights and obligations Assertions relating to presentation and disclosure 21

22 ITGC controls Process of testing ITGC (Information Technology General Controls): Identify IT environment Identify IT Risks impacting the significant accounts Identify the existing IT General controls to mitigate the IT Risks Test the controls and report results 22

23 ITGC controls Process of testing ITGC (Information Technology General Controls): Identify IT environment Identify IT Risks impacting the significant accounts Identify the existing IT General controls to mitigate the IT Risks Test the controls and report results IT environment IT applications Application system management IT General controls Access Security IT Infrastructure End user computing Program change System software change Data center and network operations 23

24 IPE: Information Produced by entity What is IPE: Any report (system generated, manually prepared or combination of both) that, in the IFC context, is referred by an auditor as an audit evidence to conduct test of operating effectiveness or conduct substantive testing Elements of IPE Source Report Logic Report Parameters Objective of testing IPE: All 3 elements generate complete and accurate IPEs Key considerations for testing 1 Completeness of data 2 Incorrect information input 3 Incorrect report logic 4 Manual changes to data / logic 5 Incorrect report parameters Modes of testing of IPEs auditor proposes to use: Direct tests Perform procedures to test completeness and accuracy Combination of the two 24

25 What companies need to do Assess control environment by identifying and documenting entity level controls. Identify key financial and non- financial processes at the company, based on the materiality of account balances Document process flows and narratives to document the key financial processes Document Fraud Risk Controls, Process level controls and IT General Controls for the above processes in Risk Control matrices (RCMs) Undertake Test of Design (TOD) for the controls listed in RCMs and report results. 25

26 Test of Design Test of design (TOD) is conducted to determine whether the controls, if operated as prescribed by authorized personnel, satisfy the company's control objectives and can effectively prevent or detect errors or fraud TOD is to be conducted for all controls documented in the RCMs Key considerations for TOD: Controls correlation to risk / assertion Controls correlation to significance of the risk Competence and Authority of personnel Level of of aggregation & predictability In Review controls - Criteria for investigation & follow up Dependency on other controls 26

27 What companies need to do Assess control environment by identifying and documenting entity level controls. Identify key financial and non- financial processes at the company, based on the materiality of account balances Document process flows and narratives to document the key financial processes Document Fraud Risk Controls, Process level controls and IT General Controls for the above processes in Risk Control matrices (RCMs) Undertake Test of Design (TOD) for the controls listed in RCMs and report results. Select samples from all transactions at the company and perform Test of Operating Effectiveness (TOE). 27

28 Test of Operating Effectiveness Test of operating Effectiveness (TOE) is conducted to determine whether the control is operating as designed and whether the personnel have the competency to perform the control effectively. Factors that determine if TOE is required Risk associated with a control Competency of personnel performing the control Risks associated with financial misstatement Dependency on manual operations History of errors Nature and frequency of the control Characteristics of control activity Dependency on other controls Effectiveness of entity level controls (monitoring mechanisms) Complexity of control, significance on judgment Based on the results of the testing, deviations and deficiencies in the controls need to be reported Impact Sample Size 28

29 Sampling methodology Control frequency Low Risk of Failure High Annual 1 1 Quarterly Monthly 2 3 Weekly 5 8 Daily Recurring / Manual control (Multiple times in a day) Note: +1 indicates that the year end control needs to be tested. 29

30 Deviations and Deficiencies What is a significant deficiency? What is a deficiency? Deficiencies important enough to merit attention of governing bodies since there is a reasonable possibility of material misstatement What is a deviation? Design & Operations controls that do not allow management, in normal course of performing their functions, to prevent misstatement or detect and correct Any exception noted during testing 30

31 Deviations and Deficiencies Deficiency in Design exist if Controls not designed Controls not adequate What is a deviation? Any exception noted during testing What is a deficiency? Design & Operations controls that do not allow management in normal course of performing their functions to prevent misstatement or detect and correct What is a significant deficiency? Deficiencies important enough to merit attention of governing bodies since there is a reasonable possibility of material misstatement Deficiency in Operation exist if: Controls not operating as designed Authorities not assigned to person responsible for control 31

32 What companies need to do Assess control environment by identifying and documenting entity level controls. Identify key financial and non- financial processes at the company, based on the materiality of account balances Document process flows and narratives to document the key financial processes Document Fraud Risk Controls, Process level controls and IT General Controls for the above processes in Risk Control matrices (RCMs) Undertake Test of Design (TOD) for the controls listed in RCMs and report results. Select samples from all transactions at the company and perform Test of Operating Effectiveness (TOE). Report on deficiencies noted during audit 32

33 Reporting Reporting on overall IFC by auditors Unmodified report : In case deficiencies noted in the documentation & testing of IFC do not result in material weakness Modified report: In case material weakness is noted. Reporting includes definition of material weakness and details of weakness identified *Modified Report as per standard template defined in the Guidance Note A material weakness is a deficiency, or a combination of deficiencies, in IFC, such that there is a reasonable possibility that a material misstatement of the company s annual or interim financial statement will not be prevented or detected on a timely basis. Additional periodic communication of deficiencies Management: All deficiencies Governing Bodies: All significant deficiencies Directors: If oversight of Audit Committee is Ineffective Auditor shall not issue a report stating that no deficiencies were noted 33

34 Our experience: Key takeaways from an IFC framework Standardization of controls across business locations Opportunity to benchmark leading practices into business processes Review manual controls and examine possibilities of control automation Optimization of the processes through identification and elimination of non value added activities in the process or duplicate controls being performed Development of risk aware culture in the organization Improved visibility of control environment in the organization for CEOs and CFOs 34

35 Our experience: Challenges in establishing an IFC framework Getting buy-in from process owners Document retention especially evidence of reviews Balancing Segregation Of Duty conflicts with Lean Management Continuous adherence to controls implemented Incorporating changes in the process flow charts and RCM to accommodate changes in processes or platforms Marrying process flowcharts with ISO documentation Willingness of organization for accepting the changes in the processes and adherence to it Managing the cost of compliance 35

36 Our experience: Key issues noted in IFC implementation across industries Absence of maker-checker controls over transactional recording Inadequate document retention especially in case of review evidences Balancing Segregation Of Duty conflicts with Lean Management Inadequate confirmations / approval notes in case on policy non-compliance / deviations Inconsistency in operations across locations / units Lack of clarity with regards to Policy / SOP among the users and relevant process owners leading to inconsistent practices Lack of consistency, since IFC is considered as an event and not as a process 36

37 Thank You Deep Jaggi Director, Risk Consulting KPMG, India Mob: