www.casdn.in/

Internal

Financial Controls Over

Financial Reporting (ICFR)

ICFR : Regulatory mandate under Companies Act 2013

Relevant clauses Requirement Applicability

Sections 143(3)(i) Auditor report

The auditor’s report should also state whether the company has adequateIFC system in places and operating effectively of such control.

Listed/unlisted companies

Section 134(5)(e) Director’s responsibilities statement

In the case of listed company, the director’s responsibility in the states thatdirectors, have laid down IFC to be follow by the company and that suchcontrol are adequate and operating effectively.

Listed companies

Rule 8(5)(Viii) of companies (Accounts) Rule 2014

Requires the Board of Director’s report of all the companies to state thedetails in respect of adequacy of internal financial controls with reference tothe “financial statements” only.

All companies

Sections 177 Audit committee

Audit committee call for comments of auditor about internal control systemsbefore their submission to board and may also discuss any related issue withinternal and statutory auditor and the management of the company

Listed/unlisted companies having audit committee

Section.149(8) and Schedule VI Independent director

The Independent director should satisfy themselves on their integrity offinancial information and ensure that financial control and the system of therisk management are robust and defensible.

Listed/unlisted companies having

Independent Director

About Internal Controls Over Financial Reporting (ICFR)

Applicability

Listed /unlisted companies

Sections 143(3)(i) of the companies Act 2013 -Auditor report.

“Internal control over financial reporting “‘A process design to provide reasonable assurance regarding the reliability of financial reporting and the preparation offinancial statements for external purpose in accordance with generally accepted accounting principles’

A company's internal financial control over financial reporting includes those policies and procedures that• pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and

dispositions of the assets of the company• provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial

statements in accordance with generally accepted accounting principles, and that receipts and expenditures of thecompany are being made only in accordance with authorisations of management and directors of the company; and

• Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, ordisposition of the company's assets that could have a material effect on the financial statements.”

ICFR

ComponentsMaintenance of

financial records(details

/Accuracy)

Authorizations of transactions (in

accordance with GAAP)

Safeguarding of the assets of the company

About Internal Controls Over Financial Reporting (ICFR) –Cont.

Sections 134(5)(e) of the companies Act 2013 -Director’s responsibilities statement

The term “Internal financial control “ means the polices and procedures adopt by the company for ensuring :-

Efficiency and effectiveness in Operations of its business• Defined Policies and procedures to ensure effective and efficient

operations.• Effective Delegation of Authority and Entity level controls

Safeguarding of assets• Adequate control over asset movement, storage, loss or theft.• Risk identification and mitigation plan to reduce loss of asset

Prevention and detection of fraud and error• Preventive controls to address Fraud risk• Mechanism for timely detection of fraud and errors

Accuracy and completeness of Accounting records • Controls over accurate and timely update of accounting records• Control over completeness of accounting records

Reliability of Financial reporting• Timely preparation of financial reports• Adequate controls over preparation of financial reports

Compliance with applicable laws and regulations• Adequate framework to ensure compliance to applicable laws and

regulations• Adequate framework to monitor the compliance

Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014

Requires the Board of Directors’ report of all companies to state the details in respect of adequacy of internal financial controls with reference to the financial statements.

Flow of Audit of Internal Financial Control

Planning and scoping

Base on COSO framework:1. Control Environment2. Risk assessment3. Control Activity4. Information and communication5. Monitoring

Base on Key work steps1.Map/ Identify significant accounts, processes and key locations2. Segregate scope between Business Process and IT3. Define materiality – Key/ non-key Risks4. Finalize templates, documentation standards, reporting packs

Design and Implementation

1. Perform walkthroughs2. Document process flows3. Segregate controls (Entity/

Process/ IT)4. Segregation of duties5. IT system overview6. Control benchmarking

1. Finalize Process Owners across each process/ location2. Perform & document walkthroughs (recommended)3. Document process maps with input, output, risk/ controls, IPE 4. Segregate controls into Entity/ Process/ IT 5. Identity controls into Manual, Automated, IT dependent, Preventive/

Detective 6. Segregate controls into Document Risk & Control matrix with control

description, owner, frequency, control evidence etc.

Gap remediation

1. Material weakness2. Test of Design (TOD)3. Remediation plans

1. Prioritize operational/ reputational gaps (if any) into H/M/L impact 2. Co-develop remediation plan with owners & implementation timelines 3. Periodic monitoring of remediation plans 4. Standardized/ centralize processes (wherever possible) 5. Enhance SOP/ MIS/ DOA etc. 6. Interim testing to confirm remediated gaps

Operating Effectiveness

1. Sampling methodology2. Prepare testing plan and templates3. Timing of testing4. Analysis of error in the sample,

tolerable error etc.

1. Prepare testing plan & templates 2. Finalize resources – competency & independence/ objectivity 3. Prioritize testing gaps into Material/ non-material 4. Identify mitigation/ compensating controls for material gaps 5. Co-develop remediation plans for testing gaps including owners and

implementation timelines

Assessments and Reporting

1. Opinion on IFC2. Martial weakness

1. Finalize material weakness and update Executive management 2. Report to Audit Committee (AC) and Board

Internal Control As per guidelines note ICAI

As per guidelines ICAI

1. Control Environment

1. Communication and enforcement of integrity and ethical values2. Commitment to competence3. Participation by those charged with governance4. Management’s philosophy and operating style5. Organisational structure6. Assignment of authority and responsibility7. Human resource policies and practices

2. Risk Assessment

1. Specific suitable objectives2. Identifies & analyses of risk3. Identifies & analyses of significant changes4. Assessment of risk fraud5. Change in Technology6. New accounting pronouncements

3.Control Activities

1. Performance review2.Information Processing3.Physical Controls4.Segregastion of duties

4.Information & communication

1. User relevant information2. Communication from inside to outside3. Communication from outside to inside4. Communication within the organization

5.MonitoringActivities

1. Conduct ongoing and/or separate evaluation2. Evaluate and communicate deficiencies

Risk Control Matrix (RCM)

Key Elements under ICFR

Under entity level control, the following elements will be examined

Delegation of authority (DOA)

Organisations structure, job descriptions & succession plan

Corporate policies and standard operating procedures (SOP)

Risk assessments and mitigations

Compliances framework

Ethics and fraud managements

Managements information systems

Internal audits and control self-assessments

Budgeting systems

Area of RCM cycles under Internal Financial Control

1. Procure to pay process (P2P)

2. Inventory Managements

3. Manufacturing process (M2D)

4. HR and Payroll process (H2R)

5. Accounts and treasury process(R2R)

6. Order to cash process (O2C)

7. Plant maintenances process

8. Statutory compliances

9. Fixed assets

10.Investments

11.Loan and advances review process

12.Contract labour charges review

13. Other area relevant to company

Risk and control process under IFC

Payment process

“What can go wrong”

• Advances to vendors not being adjusted against the bills

• Payment made in excess of invoice amount

• Duplicate payment made to the vendors

• Payment made to wrong vendor

Control Activities to mitigate the Risk:

• Periodical process of review of open/long pending advances

• Payments are made only after reconciling it with appropriate invoice. System based control payment only as per the invoice amount

• Process for periodical review of list of pending invoices.

• Purchase requisitions are reviewed and approved by an individual with the appropriate signatory authority approval limits

• Obtain balance confirmations from vendors

Control - An overview

Operational Control

• Performance evaluation of vendors is conducted on an annual basis.• Physical counting and checking of material/goods received at the warehouse to ensure that

the correct quantity and quality of material/goods have been received.• Setting of credit limit for customers.• The SCM team takes comparative quotes from a minimum of 3 vendors prior to selection of

the final vendor.

Financial Control

• Accounting of vendor related invoices• Creation of GRN on receipt of goods at the warehouse.• Recording of invoices on dispatch and monitoring of accounts receivables• Creation of vendor master with all the requisite fields

Key Controls (Operational and Financial)

• Physical verification of fixed assets/stock on a periodic basis and reconciling them withrecords maintained

• Segregation of duties at various stages of financial reporting• IT General controls are kept in place• Proper authorization as per the authorization matrix for all the transactions entered into the

system• Employees and 'covered persons‘ must sign an Insider Trading Certification as per the

corporate policy prior to trading in the company stock.

Non Key Control• Review of the existence of non-key fields with in master data stored in the system• Review of inactive accounts with low and immaterial balances• Physical verification of “C” category inventory(low value items)

Fraud Controls• Presence of multiple authorization at various stages of high value transactions• Periodic review of debtors ageing• Proper vendor evaluation process to avoid collusion with third parties

Financial Controls –Preparing and testing of Risk control matrix (RCM)

• Following template will be used for preparing of RCM

SerialNo.

Sub process Risk category -High, medium and low

Control Objective

Control Description

Key /not Key Nature of Control(Preventive/ Detective/Corrective)

Type of Control(Automated or Manual)

Whether Fraud Risk

Frequency

• Following template will be used for Testing of RCM

Process Actions owner Documents and date of verification

Relevant/Process RCM control

Observation Recordation ManagementsComments/Actions

Time line of implications date

L-10, D.G. Point,Near Hanuman Temple, Parvat patiya,Surat-365 010

O:- +91 261 264 3264E:- info@casdn.in W:- www.casdn.in

Mr. Nitin PrajapatiPartner

M:- +91 85117 83117E:- nitin.prajapati@casdn.in