Internal Financial Controls
Role & Responsibility of Auditors
CA V. Balaji
November 2015
Contents
1. ICFR – Global Scenario
2. Key Matters for Consideration by Companies and Auditors
3. Framework for ICFR
4. Implications and Benefits of ICFR
5. Key Considerations – Implementation of ICFR Framework in a Company
6. Guidance
7. Key Considerations in Year One
Internal Control over Financial Reporting – Global Scenario
Definition of ICFR
Those policies and procedures that pertain to an entity’s ability to initiate, record, process and
report financial data consistent with the assertions embodied in either annual or interim
financial statements
Requirements in USA
• In June 2003, US SEC adopted Rules for the implementation of Sarbanes – Oxley Act
(SOX) that required certification of the Internal Controls over Financial Reporting (ICFR) by
the management and by the auditors.
Requirements in Japan
• In June 2006, the Financial Instruments and Exchange Law (J-SOX) was passed by the
Diet, with requirements on ICFR similar to those of SOX.
Reporting by the auditors
Integrated Audit - The auditor expresses two opinions:
1. An opinion on internal control over financial reporting, which requires:
 Evaluating and opining on management's assessment of the effectiveness of internal
control over financial reporting (Japan).
 Evaluating and opining directly on the effectiveness of internal control over financial
reporting (USA only).
2. An opinion on the financial statements.
Internal Control Over Financial Reporting in India
• Clause 49 of the Equity Listing Agreement requires CEO / CFO sign-off on ICFR in the case of
equity listed entities.
• Companies Act 2013 requires the Directors' Responsibility Statement, in the case of listed
companies, to include a statement that they have laid down internal financial controls to be
followed by the company and that such internal financial controls are adequate and were
operating effectively.
• In the case of unlisted companies, the Board Report is to state the details in respect of
adequacy of internal financial controls with reference to the Financial Statements.
• The Audit Committee is required to evaluate the Company's internal financial control systems
(IFC).
• Auditors are required to report on whether the company has an adequate internal financial
controls system in place and the operating effectiveness of such controls.
‒ Such reporting is required for all companies whether listed or not.
• Standard on Auditing (SA) 700 "Forming an Opinion and Reporting on Financial
Statements" issued by the ICAI, at present, specifically requires the auditor to state that
the auditor's consideration of the internal controls in the entity is not for the purpose of
expressing an opinion on the effectiveness of the entity's internal control.
Key Matters for Consideration by Companies and Auditors
Internal Financial Controls under Companies Act, 2013

As per the Companies Act 2013, Internal Financial Controls means the policies and procedures
adopted by the Company for ensuring:
• orderly and efficient conduct of its business
• safeguarding of assets
• prevention and detection of frauds and errors
• accuracy and completeness of accounting records
• timely preparation of reliable financial information

The Internal Financial Controls in the Companies Act, 2013 go beyond Internal Financial Controls
over Financial Reporting (IFCoFR). The resultant IFC framework adopted by the company will have
to address a combination of internal controls on financial reporting and other controls in order
to align with the definition of IFC in the new Act.
Internal Financial Controls
IFC and IFCoFR – Coverage for Reporting
• Directors' responsibility for a listed company: Operations Controls + IFCoFR (adequacy and
operating effectiveness)
• Board report for an unlisted company: adequacy of IFC with reference to the Financial Statements
• Auditor: adequacy and operating effectiveness of IFCoFR
© 2015 Deloitte Haskins & Sells LLP
Internal Financial Control Framework

Components
1. Internal Controls over Financial Reporting – process level controls
2. Entity Level Controls
3. Existing monitoring frameworks for operational controls, leveraged rather than rebuilt:
ISO audits; operations-related accreditation (e.g. US FDA, etc.); internal audits; legal
compliance framework; Enterprise Risk Management; Standard Operating Procedures

Outcomes
1. Risk and control matrices for processes, demonstrating adequacy and effectiveness of
controls over Financial Reporting (ICFR)
2. Risk and control matrices for Entity Level Controls (IFC & ICFR)
3. Integrated framework leveraging existing monitoring practices, demonstrating adequacy and
effectiveness of operational controls (IFC)
Key Issues To Be Noted By Companies
• Companies Act, 2013 does not prescribe a framework that may be considered by
companies in establishing IFC.
‒ In the absence of a framework adopted by the company, the auditor cannot
benchmark and test the design and operating effectiveness of IFC against a framework.
‒ In India, Appendix 1 to SA 315 provides the components of an internal control system.
‒ Other international frameworks such as COSO, the Turnbull Report, etc. are available.
• The responsibility statement on the system of IFC is not applicable in the case of consolidated
financial statements.
• In large organisations, management is likely to engage Internal Auditors in testing the design
and operating effectiveness of IFC to facilitate reporting by the Directors.
‒ Existing Standards on Auditing do not permit the statutory auditor to use the work of the
Internal Auditor as deemed appropriate for reporting on IFC.
• Reporting by the auditor is specified for all companies.
‒ Reporting on IFC in the USA is only applicable to listed companies that are accelerated and
large accelerated filers.
‒ In Japan, reporting on IFC is applicable to listed companies and other companies as
may be required by the Government.
Key Issues To Be Noted By Auditors
• Internal financial controls include systems in the company for ensuring:
‒ the orderly and efficient conduct of its business
This matter is proprietary and auditors may not be able to comment on it. SA 200
specifically excludes this as an objective of the auditor.
‒ the accuracy of the accounting records, and the timely preparation of reliable financial
information
Auditors apply the concept of materiality in their audits. An audit is performed to obtain
reasonable assurance, and the opinion would state whether an effective internal
financial control system was maintained and operated in all material respects.
• Standard on Auditing 315 "Identifying and Assessing the Risk of Material Misstatement
Through Understanding the Entity and its Environment" defines Internal Control as follows:
"The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about
the achievement of an entity's objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, safeguarding of assets, and compliance with
applicable laws and regulations. The term "controls" refers to any aspects of one or more
of the components of internal control." (Emphasis added)
• The auditor's reporting u/s 143(3)(i) shall relate to Internal Financial Controls over Financial
Reporting.
• Sec 143(3)(i) requires the auditor to report whether the company has an adequate internal
financial controls system in place and the operating effectiveness of such controls.
‒ Reporting on the internal financial controls system is similar to reporting on the operations
of the company. Whilst the testing is carried out on the transactions recorded during the year,
the reporting is as at the balance sheet date. For example, if the company's revenue
recognition was erroneous through the year under audit but was corrected, including for
matters relating to internal control that caused the error, as at the balance sheet date,
the auditor is not required to report on the errors in revenue recognition during the year.
• IFCoFR is not applicable to interim financial statements unless such reporting
is required under law or regulation.
• Audit of IFCoFR is broader than the audit procedures carried out for reporting
under CARO clauses on adequacy of internal controls.
Applicability to consolidated financial statements
Section 129(4) of the 2013 Act states that the provisions of the 2013 Act applicable to
the preparation, adoption and audit of the financial statements of a holding company
shall, mutatis mutandis, apply to the consolidated financial statements.
Based on the above:
• Reporting on IFCoFR is applicable to consolidated financial statements
• The approach to be adopted is similar to reporting on CARO – i.e. on the basis of reports
as submitted by auditors of components which are Indian companies
• Concepts of materiality and professional judgement apply to matters reported
by component auditors
Financial Statement Audit with Control Reliance Strategy (FS-CRS) vs. Combined Audit (CA)

Audit Element | FS-CRS | CA
Requirement to test OE of Entity-Level Controls | Only when control activities we plan to rely on are dependent on those Entity-Level Controls | Yes
Extent of our understanding of the entity's flows of transactions and of our walkthroughs | Understanding and walkthrough to identify and understand controls we intend to rely on | Understanding and walkthrough to identify controls that address every risk of material misstatement
How does evaluation of information used in a relevant control ("IUC") vary? | May test accuracy and completeness of IUC either directly or through tests of controls | Test accuracy and completeness through tests of controls
For which controls would we test OE? | Those we intend to rely on in order to alter our planned substantive procedures | All relevant controls
Requirement to assess the "risk associated with the control" (RAWC) and to increase our sample size based on RAWC being assessed as higher | No | Yes
Framework for Internal Financial Control over Financial Reporting

Criteria / Framework by SA 315 - Components of Internal Control
• Control Environment
• Risk Assessment Process
• Information System and Communication
• Control Activities
• Monitoring of Controls
• Companies need to adopt a Criteria / Framework that has the components of internal
controls as stated in the Guidance Note on Audit of IFCoFR.
• The auditor's IFCoFR report is to identify the benchmark criteria used by the
management for establishing internal financial controls over financial reporting.
• Failure by the management to establish a system of IFCoFR considering the essential
components of internal controls stated in the Guidance Note on Audit of IFCoFR would
result in a disclaimer of opinion in the IFCoFR reporting by the auditor.
Implications and Benefits of ICFR

What Does ICFR mean to Entities?
Directors' responsibility on ICFR requires renewed emphasis and discipline regarding internal
controls over financial transactions, financial systems and financial statements.

Stakeholders and their requirements ("NEW" marks requirements introduced by the ICFR regime):

Audit Committee
• Strong working relationship between audit committee and auditor while maintaining independence
• NEW: A financial expert on the audit committee; heightened involvement and oversight expectations
• NEW: Establish a procedure for receipt, retention and treatment of complaints and anonymous tips

CEO/CFO
• NEW: Adopt a structured and generally accepted internal controls framework
• NEW: Establish processes to assess risk and monitor the on-going effectiveness of internal controls

Controllers
• Implement and maintain effective internal controls over financial transactions
• NEW: Document, test, remediate and monitor internal controls
• NEW: Represent to Management that internal controls are operating effectively

Internal Audit
• NEW: Implement a process to assess risk and monitor the on-going effectiveness of internal controls
• NEW: Provide and maintain supporting processes and infrastructure for on-going monitoring

External Auditors
• Audit financial statements and opine on management's representations about them
• NEW: Test internal control compliance and opine on the adequacy of the internal controls environment

This represents an opportunity for the Company to standardize and enhance business processes
and controls across the global financial operation based on company "best practice".
Benefits of ICFR
• Senior management accountability
• Improved controls over the financial reporting process
• Improved investor confidence in the entity's financial reporting process
• Promotes a culture of openness and transparency within the entity
• Trickling down of accountability to operational management
• Improvements in board, audit committee, and senior management engagement in financial
reporting and improvements in financial controls
• More accurate, reliable financial statements
• Making audits more independent

Additional value to companies
• Fresh independent look at key business processes
• Identification of potential operating process opportunities
• Updated formal, centralized, and managed financial internal controls documentation for the
Company
• Enhanced support to CEO/CFO certifications
• Should result in an enhanced control environment and thereby mitigate risk
• Better understanding of internal controls
Guidance on testing internal controls

Some Key Terminologies
CISSP – Certified Information Systems Security Professional
CoCo – Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants
COSO – Committee of Sponsoring Organisations of the Treadway Commission
D&P – Direct and Precise
ELC – Entity Level Controls
ERM – Enterprise Risk Management
GITC – General Information Technology Controls
ICFR – Internal Controls over Financial Reporting
IPE – Information Produced by the Entity
IT – Information Technology
PCAOB – Public Company Accounting Oversight Board
ROMM – Risk of Material Misstatement
SA – Standards on Auditing
SOX – Sarbanes – Oxley Act
Flowchart Illustrating Typical Flow of Audit of Internal Financial Controls Over Financial
Reporting (The Top-Down Approach) – flowchart not reproduced in this extract
Internal Financial Controls over Financial Reporting – Typical Coverage
(Each area is viewed through the lenses of Governance, Risk Management and Compliance.)

Entity Level Controls
 Corporate Governance
 Risk Assessment
 Policies & Procedures

Process Level Controls
 Procure to Pay
 Payroll & Hire to Retire
 Inventory Management
 Treasury
 Fixed Assets
 Record to Report
 Duties and Taxes
 Receivables

IT Controls
 Billing system
 ERP
 Other Applications
Entity Level Controls
• Tone at the top
• Board of Directors and Audit Committee charters
• Risk management
• Integrity and ethical values
• Assignment of authority and responsibility
• Organization structure
• Management's philosophy and operating style
• Human resource management
• Monitoring

ELCs are generally not direct and precise and accordingly may not be controls
addressing specific risks for our IFCoFR audit opinion.
Evaluation of ELCs can result in an increase / decrease in the testing that the auditor
otherwise would have performed on other controls.
Direct and Precise Controls – Design Criteria
Level of precision is whether the control is designed and operating to prevent or detect on a
timely basis misstatements that could cause the financial statements to be materially
misstated. Factors that can affect the level of precision of an entity-level control include the
following:
•
Objective of the review - A procedure that functions to prevent or detect misstatements
generally is more precise than a procedure that merely identifies and explains differences.
•
Level of aggregation - A control that is performed at a more granular level generally is
more precise than one performed at a higher level. For example, an analysis of revenue
by location or product line normally is more precise than an analysis of total company
revenue.
•
Competency of the person performing the control
•
Consistency of performance - A control that is performed routinely and consistently
generally is more precise than one performed sporadically.
•
Correlation to relevant assertions - A control that is indirectly related to an assertion
normally is less likely to prevent or detect misstatements in the assertion than a control
that is directly related to an assertion. For example, a control designed to detect errors in
the recorded amounts of accounts receivable might not operate with a sufficient level of
precision to detect errors in the valuation of doubtful receivables.
•
Predictability of expectations - Some entity-level controls are designed to detect
misstatements by using key performance indicators or other information to develop
expectations about reported amounts ("detective controls"). The precision of those
controls depends on the ability to develop sufficiently precise expectations to highlight
potentially material misstatements.
•
Criteria for investigation - For detective controls, the threshold for investigating
deviations or differences from expectations relative to materiality is an indication of a
control's precision. For example, a control that investigates items that are near the
threshold for financial statement materiality has less precision and a greater risk of failing
to prevent or detect misstatements that could be material than a control with a lower
threshold for investigation.
Evaluate the Design of Control
• Process level controls generally operate at a number of levels:
 At senior levels of management, the control activities are more likely to be high-level
procedures performed by management and are likely to involve greater aggregation of
data and less consideration of detail.
 At lower levels, the control activities are likely to be focused on distinct sets of data and
at a much greater level of detail.
 At the lowest level, detailed control activities are likely to relate to specific transactions.
• Commonly performed process controls :
 Reviews:
 Analytical
 Transactional
 Reconciliations & Comparisons
 Safeguarding of assets
• Controls relating to information technology:
 Data centre operations controls
 System software controls
 Access security controls
• Application controls:
Tolerances, Authorizations, edits and validations, data reasonableness tests, predefined
data listings, balancing control activities
Which Control to be Evaluated
• Any controls that fall under these categories may need to be evaluated:
 controls related to the initiation, recording, processing and reconciling of account
balances, classes of transactions,
 disclosures, and related assertions included in the financial statements
 controls related to the initiation and processing of non-routine and nonsystematic
transactions
 controls related to the selection and application of accounting policies
 controls related to the prevention, identification, and detection of fraud
• Controls, including information technology general controls, on which other controls are
dependent. General controls include:
 data center operation controls
 system software controls
 access security controls
 application system development and
 maintenance controls
Evaluate Design Effectiveness
• In evaluating design effectiveness we need to consider the following:
 Owner of control
 Description of process flow
 Properly designed i.e. is the control meeting the desired control objective
 Document control deficiencies, if any
 Classify deficiencies into:
 Material weakness
 Significant deficiency
 Internal control deficiency
• Prepare Remediation plan
Process vs. Control
• Process and controls are two very different aspects. Often they are used interchangeably;
hence it is important to understand the difference between them.
‒ A Process describes the action of taking a transaction or an event through an
established and usually a routine set of procedures or steps.
‒ A Control is an action or activity taken to prevent or detect misstatements within the
process.
• The following examples distinguish a process from a control:
Example 1:
Control description: Company engages an Actuary Firm to prepare the actuarial report.
Pitfall: Hiring a specialist may add competency to management’s control and is a process,
but it is not a control in itself.
Improved control description: Management reviews and discusses the Actuarial Report,
including key assumptions, with the specialist to assess the appropriateness of the
assumptions and conclusions reached.
Example 2:
Control description: The Financial Controller prepares a memo documenting the basis for
the entity’s conclusions regarding impairment.
Pitfall: Preparing an analysis is typically a process step and not a control; the control is the
activities performed to verify that the analysis is appropriate.
Improved control description: The CFO reviews the Impairment Analysis Memo and
supporting documentation prepared by the Controller to assess the appropriateness of the
conclusions reached.
Example 3:
Control description: The billed revenue file is summarised at the month end and the total
is recorded into revenue.
Pitfall: Recording an event or transaction is a process step; the control is the activity that is
performed to verify that the recording was appropriately performed.
Improved control description: The Accounting Manager verifies that the billed revenue
was properly recorded to revenue by comparing the billed revenue file to the revenue
recorded in the general ledger.
Example 4:
Control description: When new contracts are entered into or existing contracts are
modified, the accounting manager determines and documents in a memo, the applicable
revenue recognition model to be used for the contract.
Pitfall: Determining the revenue recognition model and documenting the same are process
steps. They do not have any preventive or detective action steps.
Improved control description: The controller reviews and approves the revenue
recognition memo prepared by the accounting manager. As part of the review process, the
controller reads all the relevant excerpts from the contract and applicable professional
standards as well as reviews and challenges, as appropriate, the conclusions documented
in the memo.
Test the Operating Effectiveness of Control
Tests of controls are usually performed using the following techniques, often in combination:
Corroborative enquiry: This procedure, consisting of detailed interviews to obtain evidence
about the effectiveness of controls, is performed in tandem with other procedures (e.g.,
examination of documentary evidence) to corroborate the information derived from the
inquiry.
Observation: Observing the performance of a control activity often provides substantial
evidence of its effectiveness. For example, the auditor may test controls over inventory by
observing that employees who perform and record the counts follow management's written
instructions. But observation of a control activity in action ordinarily does not, in itself, provide
sufficient evidence of the effectiveness of the control activity, mainly because observations
may not be representative of the usual performance of a control activity because
management and staff may perform their tasks more diligently if they know they are being
observed.
Examination of Documentation: If performance of a control activity is documented, the
auditor can obtain evidence of its performance by examining the documentation, both
electronic and written.
Re-performance: Re-performance may be effective for testing application controls, because
the computer processes transactions systematically.
Points to be kept in mind:
• Inquiry alone is not adequate; it must be combined with the other testing procedures above
• Management should not rely solely on self-assessment procedures; independent
monitoring is required
• If the company uses an outside service provider for certain business functions, request
from the provider a report on the effectiveness of internal control at the service provider
Frequency of Control Activity and Sample Size
The following guidance related to the frequency of the performance of a control may be
considered when planning the extent of tests of operating effectiveness of manual controls for
which control deviations are not expected to be found. The auditor may determine the
appropriate number of control occurrences to test based on the following minimum sample
size for the frequency of the control activity, dependent on whether the risk of failure of the
control has been assessed as lower or higher.

Frequency of control activity | Minimum sample size (lower risk of failure) | Minimum sample size (higher risk of failure)
Annual | 1 | 1
Quarterly (including period-end, i.e., +1) | 1+1 | 1+1
Monthly | 2 | 3
Weekly | 5 | 8
Daily | 15 | 25
Recurring manual control (multiple times per day) | 25 | 40
IT General Controls – Typical Coverage
General IT Controls over the ERP / other applications (each viewed through the lenses of
Governance, Risk Management and Compliance):
1. User access management (IFCoFR)
2. Change management (IFCoFR)
3. Data center – physical and environmental controls (IFC)
4. Information security – logical access to application, database and operating system (IFCoFR)
5. Backup and restoration (IFC)
6. Job scheduling (IFC)
GITCs and IPE
When identifying and understanding relevant controls, it is important to consider whether a
control is dependent upon other controls [e.g., General IT controls (GITC)] or information
produced by the entity (IPE), i.e. whether:
• the design of the control cannot be concluded upon without also considering the other
control or IPE, or
• the control cannot be concluded to be effective unless the other controls are also effective.
For example, the automated generation of invoices may be dependent upon the price look-up
table that is maintained by the invoicing clerk, in which case the controls related to that
look-up file (e.g., access controls) would be relevant in determining whether the automated
generation of invoices is effective.
Similarly, if the control is dependent on the accuracy and completeness of a report, then
either the controls related to the preparation and maintenance of the report need to be
evaluated or the report needs to be directly tested. However, if the accuracy and
completeness of the information is the objective of the control, then the control is operating on
that information and, therefore, is not dependent upon it.
Example of IPE that a control is dependent upon:
If a headcount report is used by the controller to perform a reasonableness test of payroll
expense, the effectiveness of the controller’s analysis/review is dependent upon the accuracy
and completeness of the headcount report. Accordingly, the headcount report is IPE and,
therefore, its accuracy and completeness are considered as part of the evaluation of the
design.
Example of IPE that a control is not dependent upon:
A bank reconciliation is reviewed by the controller to determine that it was prepared properly.
The purpose of the control is to determine that the bank reconciliation is accurate and
complete, so the bank reconciliation is the subject of the control and, therefore, is not
dependent on the IPE.
Testing IPE
IPE has 3 elements - Source Data, Report Logic and Report Parameters
Element
Source Data
Description
The information from which the IPE is created. This may include data maintained in
the IT system (e.g., within an application system or database) or external to the
system (e.g., data maintained in an Excel spreadsheet or manually maintained), which
may or may not be subject to general IT controls.
For example, for a report of all sales greater than Rs.10,000, the source data is the
database of all sales transactions.
Report Logic
The computer code, algorithms, or formulas for transforming, extracting or loading the
relevant source data and creating the report. Report logic may include standardised
report programs, user-operated tools (e.g., query tools and report writers) or Excel
spreadsheets, which may or may not be subject to the general IT controls.
For example, for the Debtors Aging report, the report logic is typically a program in
the Debtors application that contains the code and algorithms for creating the Debtors
Aging (report) from the Debtors sub-ledger detail (source data).
Report Parameters
Report parameters allow the user to look at only the information that is of interest to
them. Common uses of report parameters include defining the report structure,
specifying or filtering data used in a report or connecting related reports (data or
output) together. Depending on the report structure, report parameters may be created
manually by the user (user-entered parameters) or they may be pre-set (there is
significant flexibility in the configuration of parameters, depending on the application
system), and they may or may not be subject to the general IT controls.
For example, for a monthly report of slow moving inventory by warehouse location,
the user enters the month and location code parameters to generate the reports.
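The three IPE elements above (source data, report logic, report parameters) are what an auditor re-performs when a report is "directly tested" rather than relied on through controls. The following Python is an added example, not part of the original deck or of any audit firm's tooling: it rebuilds a Debtors Aging report from a constructed sub-ledger using stated parameters (as-of date, location filter), compares the result to a constructed system-produced report bucket by bucket, and runs a control-total completeness check. The aging buckets, the sub-ledger rows, the parameter values and the system report are all assumptions made for illustration.

```python
"""Direct test of information produced by the entity (IPE): re-perform the
report logic from source data and compare with the report the system produced.

Added example. The sub-ledger, bucket definitions, parameters and the
"system report" below are constructed for illustration, not real data.
"""
from collections import defaultdict
from datetime import date

# Source data (constructed): open Debtors sub-ledger items.
# (invoice_id, customer, location, invoice_date, open_amount)
SUB_LEDGER = [
    ("INV-001", "Acme", "MUM", date(2015, 9, 2), 12000.0),
    ("INV-002", "Acme", "MUM", date(2015, 10, 20), 8000.0),
    ("INV-003", "Bolt", "DEL", date(2015, 7, 15), 5000.0),   # out of scope for MUM
    ("INV-004", "Bolt", "MUM", date(2015, 11, 5), 3000.0),
    ("INV-005", "Cram", "MUM", date(2015, 6, 1), 9000.0),
]

# Report parameters (assumed): as-of date and the location the user entered.
AS_OF = date(2015, 11, 30)
LOCATION = "MUM"

# Report logic (assumed): aging buckets in days outstanding, inclusive bounds.
BUCKETS = ((0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90"), (91, None, ">90"))

# Report as produced by the system (constructed): INV-004 is missing from it,
# the kind of defect a direct test of IPE is meant to surface.
SYSTEM_REPORT = {
    "Acme": {"31-60": 8000.0, "61-90": 12000.0},
    "Cram": {">90": 9000.0},
}


def bucket_for(days_outstanding):
    """Map days outstanding to an aging bucket label."""
    for low, high, label in BUCKETS:
        if days_outstanding >= low and (high is None or days_outstanding <= high):
            return label
    raise ValueError(f"no bucket for {days_outstanding} days")


def build_aging(sub_ledger, as_of, location=None):
    """Re-perform the report logic: age every in-scope open item and total by customer and bucket."""
    report = defaultdict(lambda: defaultdict(float))
    for inv_id, customer, loc, inv_date, amount in sub_ledger:
        if location is not None and loc != location:
            continue  # apply the same parameter the user would have entered
        days = (as_of - inv_date).days
        if days < 0:
            raise ValueError(f"{inv_id} is dated after the as-of date")
        report[customer][bucket_for(days)] += amount
    return {customer: dict(buckets) for customer, buckets in report.items()}


def compare_reports(expected, system):
    """Return (customer, bucket, expected, reported) for every cell that differs."""
    diffs = []
    for customer in sorted(set(expected) | set(system)):
        exp_b = expected.get(customer, {})
        sys_b = system.get(customer, {})
        for bucket in sorted(set(exp_b) | set(sys_b)):
            e, s = exp_b.get(bucket, 0.0), sys_b.get(bucket, 0.0)
            if abs(e - s) > 0.005:
                diffs.append((customer, bucket, e, s))
    return diffs


def completeness_check(sub_ledger, report, location=None):
    """Control total: the report must sum to the in-scope source items."""
    src_total = sum(a for _, _, loc, _, a in sub_ledger if location is None or loc == location)
    rpt_total = sum(sum(b.values()) for b in report.values())
    return abs(src_total - rpt_total) < 0.005, src_total, rpt_total


def reperform_ipe(as_of=AS_OF, location=LOCATION, system_report=SYSTEM_REPORT):
    """Run the full direct test and return the evidence an auditor would document."""
    expected = build_aging(SUB_LEDGER, as_of, location)
    diffs = compare_reports(expected, system_report)
    complete, src_total, rpt_total = completeness_check(SUB_LEDGER, system_report, location)
    return {
        "expected": expected,
        "differences": diffs,
        "complete": complete,
        "source_total": src_total,
        "report_total": rpt_total,
    }


if __name__ == "__main__":
    result = reperform_ipe()
    print("Differences:", result["differences"])
    print("Complete:", result["complete"], result["source_total"], result["report_total"])
```

The comparison catches accuracy errors (wrong bucket or amount) while the control total catches completeness errors (dropped rows); running the re-performance with the same parameters the user entered is what makes the check meaningful, since a report run for all locations would reconcile to a different total.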
Test the Operating Effectiveness of Controls
Next steps:
• Document test results:
‒ tests performed and evidence obtained
‒ results of the tests
‒ conclusion as to the effectiveness of each control tested
• If the control is not operating effectively, document the internal control deficiency.
• Evaluate remediation plan
• Test outcome of remediation
Suggested approach for classifying deficiency:
Evaluation of Severity of Deficiencies
• Document considerations and basis for conclusions
• Where significant judgement is required to evaluate severity of a deficiency,
apply appropriate professional skepticism.
Report on internal financial
controls over financial
reporting
Report on Adequacy and Effectiveness of Control
• A ‘deficiency’ in internal financial control over financial reporting exists when the
design or operation of a control does not allow management or employees, in the
normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis.
• A ‘significant deficiency’ is a deficiency, or a combination of deficiencies, in
internal financial control over financial reporting that is important enough to merit
attention of those charged with governance since there is a reasonable
possibility that a misstatement of the company's annual or interim financial
statements will not be prevented or detected on a timely basis.
• A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal
financial control over financial reporting, such that there is a reasonable
possibility that a material misstatement of the company's annual or interim
financial statements will not be prevented or detected on a timely basis.
Report on Adequacy and Effectiveness of Control
• A deficiency in design exists when (a) a control necessary to meet the control
objective is missing or (b) an existing control is not properly designed so that,
even if the control operates as designed, the control objective would not be met.
• A deficiency in operation exists when a properly designed control does not
operate as designed, or when the person performing the control does not
possess the necessary authority or competence to perform the control
effectively.
• The severity of a deficiency does not depend on whether a misstatement
actually has occurred but depends on whether there is a reasonable
possibility that the company's controls will fail to prevent or detect a
misstatement.
• The auditor shall express a qualified opinion on Internal Financial Controls
Over Financial Reporting when the auditor, having obtained sufficient appropriate
audit evidence, concludes that such controls are designed, implemented or
operated in such a way that they are unable to prevent, or detect and correct,
material misstatements in the financial statements on a timely basis, or that a
control is missing, but the effects/possible effects of the material weakness in
such internal controls are material but not pervasive to the financial statements.
• The auditor shall express an adverse opinion on Internal Financial Controls
Over Financial Reporting when:
(a) the effects/possible effects of the material weakness in such internal controls
are both material and pervasive to the financial statements, even if the audit
opinion on the financial statements is unmodified;
(b) the internal control framework adopted by the Company does not consider /
adequately consider the essential components of internal control; or
(c) the audit opinion on the financial statements is required to be modified and
such modification is also consequent to the material weakness in the
company’s internal financial controls over financial reporting.
• The qualified or adverse opinion on internal financial controls over financial
reporting may relate only to the operating effectiveness of such controls or may
relate to both the adequacy and operating effectiveness of such controls, based
on the audit evidence obtained.
• The auditor shall disclaim an opinion on the company’s internal financial
controls over financial reporting:
(a) if the company has not established its internal financial control over financial
reporting on criteria based on any of the recognised internal control
frameworks / considering the essential components of internal control; or
(b) if the auditor is unable to obtain sufficient appropriate audit evidence to express
an opinion on the internal financial controls over financial reporting but is able
to perform appropriate substantive procedures to express an opinion on the
financial statements; or
(c) if the auditor is unable to obtain sufficient appropriate audit evidence on
which to base the opinion on the company’s internal financial controls over
financial reporting, and / or the auditor concludes that, consequent to the
material weakness in such internal controls, the possible effects on the
financial statements of undetected misstatements, if any, could be both
material and pervasive.
Effect of a modified report on IFCoFR on the audit of the financial statements
• A modified report on IFCoFR does not imply that the audit report on the financial statements should also be qualified. The assurance obtained by the auditor comes from both internal controls and substantive procedures.
• The auditor should determine the effect of the deficiency in internal financial controls on the substantive procedures to be performed, so as to reduce audit risk to an appropriately low level.
• Regardless of the assessed level of control risk or of material misstatement, substantive procedures are to be performed for all assertions.
• If, as a result of the substantive procedures, sufficient reliable audit evidence is obtained to address the identified risk, do not qualify the audit opinion on the financial statements.
Key Considerations in Year One
ICFR - Common Myths of Companies
Implementation phases: Scope and plan → Assess and define → Identify and document → Test and remediate → Monitor, certify and assert
Common myths:
• We have a good SLA with service providers. We don’t need to evaluate their controls.
• Materiality is for financials. It doesn't really impact control considerations.
• Meeting the CARO requirement is sufficient.
• There is no need to document processes and controls.
• We don’t need to revisit processes and controls.
• We don’t need to link risks with controls.
• Why do we need to look at cost / benefit for controls? Everything is essential.
• Automation through ERP – controls are automatically in place.
• Testing of controls and remediation of deficiencies is the responsibility of the auditors.
• We don’t need a process for ICFR certification to the Board / AC. We know people are doing it and no exceptions are identified by the auditors.
• We don’t need an oversight body to oversee all changes in processes / controls.
• We understand controls. There is no need for training and development of our people.
Points of Focus – Mindset of Auditors
Shift from ‘only substantive’ procedures
Mindset change from obtaining assurance from ‘only substantive’ procedures
to control reliance, which should lead to cost benefits on the audit.
Timing of procedures
 Should give adequate time to management for remediating the deficiencies identified,
and to the audit team to test the remediated controls
 Consultation should be early, to permit remediation before the reporting date
Key Considerations
• Implementation of enterprise-wide, executive-driven internal control management
program
• Implementation of enterprise risk management program
• Controls associated with the recording of non-routine, complex, and unusual
transactions
• Formalization of processes, standard operating procedures, workflows, authority
matrix
• Redeployment of work routines to enable audit trails, evidencing the reviews, etc.
• Maker-checker control / four-eyes principle
• Segregation of duties and access controls
Key Challenges
• Lack of an enterprise-wide, executive-driven internal control management
program
• Lack of a formal enterprise risk management program
• Inadequate controls associated with the recording of non-routine, complex, and
unusual transactions
• Lack of effective controls over the IT environment
• Ineffective financial reporting and disclosure preparation processes
• Lack of formal controls over the financial closing process
• Lack of current, consistent, complete, and documented accounting policies and
procedures
• Inability to evaluate and test controls over outsourced processes
• Inadequate board and audit committee understanding of risk and control
Questions?