Companies Act 2013:Gearing up to be in-control of Internal Financial Controls

Gearing up for implementing Section 134

Preamble

Indian regulations have been modified to reflect the developments in the Western world. Introduction of Internal Financial Controls (IFC) in the Companies Act 2013, reflect the continuation of this trend. According to the Companies Act 2013, the term IFC has been defined as the policies and procedures adopted by the company to ensure orderly and efficient conduct of its business, including adherence to company’s policies, safeguarding of its assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, and the timely preparation of reliable financial information.

Requirements as per the New Companies Act 2013

Section 134: In the case of a listed company, the Directors’ Responsibility states that directors, have laid down IFC to be followed by the company and that such controls are adequate and operating effectively.

Section 177:

► Audit committee may call for comments of auditors about internal control systems before their submission to the Board and may also discuss any related issues with the internal and statutory auditors and the management of the company

► Audit committee should act in accordance with the terms of reference specified in writing by the board, which should, inter alia, include evaluation of IFC and risk management systems

Section 143: The auditor’s report should also state whether the company has adequate IFC system in place and the operating effectiveness of such controls.

Schedule IV: The independent directors should satisfy themselves on the integrity of financial information and ensure that financial controls and systems of risk management are robust and defensible.

Call to action

Familiarize the Board of Directors (especially the Audit Committee and Independent Directors) and Senior Management Personnel with respect to their enhanced responsibilities regarding IFC.

Assess the controls set-up in your organization using the following grid:

Policies/Guidelines Operating Procedures

Key policies are defined, understood and enforced Clearly defined, detailed and harmonized procedures are available across the organization

Technology Roles and Responsibilities Several controls are preventive in nature and Assess the

All stakeholders are aware of their roles and automated. Detective controls and monitoring current state of responsibilities with respect to processes and processes are technology enabled with one IFC controlsversion of truth

Behaviour Management Information System

The culture of compliance with laid down guidelines and This should ensure that adequate and accurate information is procedures is evident through the actions and behavior of available for reporting and decision makingindividuals and teams

| Companies Act 2

Decoding IFC - What are its components?

► The expanded coverage and focus goes way beyond the “Financial Reporting Controls” and the focus is on “all the elements” of a Controls Framework including tone at the top, policies and procedures, operating controls, controls design, controls monitoring etc.

The figure shows a Controls Framework, which attempts to highlight all the different building blocks of an Internal Financial Controls Framework

► Ethics & Values strategy Entity ► Culture Controls ► Communication

Control Governance & Standards

Control Design

Control Operation

Control Compliance Monitoring

► Policies & Procedures ► Oranisational Structures ► Performance Objectives

► Roles & Responsibilities ► Risk Identification ► Capacity to Deliver Objectives

► Control Systems ► Continuous Improvement

► Compliance Monitoring ► Control Monitoring

How to implement IFC and who all need to be involved?

The “Three Lines of Defense” model provides a simple and effective way to enhance communications on Internal Financial Controls by clarifying roles and duties.

► The first line is responsible for setting up the controls, mitigation of risk and defining policies and procedures to be complied with

► The second line monitors compliance with the laid down controls. It is not an independent assurance function, but a monitoring tool for the management

► The third line provides the independent assurance on the activities of first and second lines of defence

► Audit Committee and board of directors provide overall direction and oversight

Board of Directors/Audit Committee

Senior Management

1st Line of Defense 2nd Line of Defense 3rd Line of Defense

Independent 1st Operational and Management Assurance Business Units Assurance (Ongoing (design and Controls Monitoring) Internal Audit

operation of controls)

External Audit

Regulators

| Companies Act 4

Questions to be considered by a CXO

Well Requires prepared consideration

Structure/Framework ► Do we have a structure/program to train our employees on their role in the overall internal

controls process?

► Do we have relevant skills (skills around fraud risks, IT controls, analytics for continuous controls monitoring etc.), focused teams and bandwidth to the support the IFC agenda?

► Do we have entity level controls w.r.t policies and procedures, risk assessment, whistle blowing, ethics etc. that are clearly established, communicated and monitored?

► Do we periodically review, assess and refresh our controls framework in line with emerging guidance around applicable standards like COSO?

Implementation ► Are authority, responsibility and accountability clearly (delegation of authority and segregation of

duties) defined such that decisions are made and actions taken at an appropriate level?

► Do we periodically assess and optimize controls to improve effectiveness, reduce costs and support business performance?

► Do we have policies and procedures covering all domains such as Finance and Accounts, Business Operations and Compliance?

► Are our policies and procedures easy to access and comprehend? Are these maintained and updated on the technology platform on a regular basis?

► Do we regularly up-skill our employees to address the emerging needs of your organisation in areas such as GRC, IT controls, fraud risks etc.?

► Do we have common understanding on the “Risk that Matter” among relevant stakeholders?

► Do we consider fraud risks as part of the risk management exercise and address them with clear action, accountability and ownership?

► Do we pay adequate focus on safeguarding of assets, fraud indicators and perform periodic independent verification in this area?

► Do we effectively track and proactively monitor our compliance agenda around domestic/ international footprint, covenants, compliance with guidelines etc.?

Monitoring & Reporting ► Do we periodically update the key stakeholders on Controls and Risk management effectiveness

of our organization? Is there a technology platform to enable proactive and timely monitoring of controls effectiveness?

► Do we have adequate and reliable information to certify compliance with IFC requirements according to the Act?

► Have we considered self-assessments and automation of control monitoring?

► What kind of assurance is provided to the Management and Board on IFC by internal audit and external audit?

6 | Companies Act

Structure/Framework

Implementation

Monitoring & Reporting

Notes

7

How can EY assist you in your IFC journey?

Areas of intervention Do I need support?

► Train Board members (including Audit Committee and Independent Directors) on IFC-related requirements of the Act

► Establish internal controls framework covering both Entity Level Controls and Process Controls (covering finance and accounts, business processes, compliance and IT) in line with leading industry/controls practices

► Benchmark controls against leading practices; IT controls, prevent v. detect, manual v. automated

► Establish a comprehensive Risk Management Framework and/or targeted intervention in areas such as:

► Identifying and prioritizing risks that matter

► Automating the risk monitoring process

► Defining “value at risk” and/or “risk impact”

► Monitoring and management of fraud risks

► Continuous controls monitoring and fraud risk analytics through Data Analytics lab

► Design and implement controls self-assessment

► Design and assist in implementation of delegation of authority, segregation of duties etc.

► Implementation support for GRC rollout

► Develop standard operating procedures including relevant policies and guidelines

► Rationalize and automate current controls portfolio to reduce overall cost of control while improving effectiveness

► Design MIS and board reporting pack to facilitate evaluation of IFCs

► Train employees on their role in the overall internal controls process and on leading practices for managing emerging risks in areas such as IT, fraud, contract compliance etc.

Related EY service offerings ► Enterprise Risk Management ► Compliance Management

► Business Performance Management ► Controls Transformation

To measure the gap that you need to bridge to comply with the Act and understand more about how we are assisting our clients with IFCs, please contact us at ifcsolutions@in.ey.com

8 | Companies Act

EY officesAhmedabad 2nd floor, Shivalik Ishaan Near C.N. Vidhyalaya Ambawadi Ahmedabad - 380 015 Tel: + 91 79 6608 3800 Fax: + 91 79 6608 3900

Bengaluru 12th & 13th floor “UB City”, Canberra Block No.24 Vittal Mallya Road Bengaluru - 560 001 Tel: + 91 80 4027 5000

+ 91 80 6727 5000 Fax: + 91 80 2210 6000 (12th floor) Fax: + 91 80 2224 0695 (13th floor)

1st Floor, Prestige Emerald No. 4, Madras Bank Road Lavelle Road Junction Bengaluru - 560 001 Tel: + 91 80 6727 5000 Fax: + 91 80 2222 4112

Chandigarh 1st Floor, SCO: 166-167 Sector 9-C, Madhya Marg Chandigarh - 160 009 Tel: + 91 172 671 7800 Fax: + 91 172 671 7888

Chennai Tidel Park, 6th & 7th Floor A Block (Module 601,701-702) No.4, Rajiv Gandhi Salai, Taramani Chennai -600113 Tel: + 91 44 6654 8100 Fax: + 91 44 2254 0120

Hyderabad Oval Office, 18, iLabs Centre Hitech City, Madhapur Hyderabad - 500081 Tel: + 91 40 6736 2000 Fax: + 91 40 6736 2200

Kochi 9th Floor, ABAD Nucleus NH-49, Maradu PO Kochi - 682304 Tel: + 91 484 304 4000 Fax: + 91 484 270 5393

Kolkata 22 Camac Street 3rd floor, Block ‘C’ Kolkata - 700 016 Tel: + 91 33 6615 3400 Fax: + 91 33 2281 7750

Mumbai 14th Floor, The Ruby 29 Senapati Bapat Marg Dadar (W), Mumbai - 400028 Tel: + 91 022 6192 0000 Fax: + 91 022 6192 1000

5th Floor, Block B-2 Nirlon Knowledge Park Off. Western Express Highway Goregaon (E) Mumbai - 400 063 Tel: + 91 22 6192 0000 Fax: + 91 22 6192 3000

NCR Golf View Corporate Tower B Near DLF Golf Course Sector 42 Gurgaon - 122002 Tel: + 91 124 464 4000 Fax: + 91 124 464 4050

6th floor, HT House 18-20 Kasturba Gandhi Marg New Delhi - 110 001 Tel: + 91 11 4363 3000 Fax: + 91 11 4363 3200

4th & 5th Floor, Plot No 2B, Tower 2, Sector 126, NOIDA 201 304 Gautam Budh Nagar, U.P. India Tel: + 91 120 671 7000 Fax: + 91 120 671 7171

Pune C-401, 4th floor Panchshil Tech Park Yerwada (Near Don Bosco School) Pune - 411 006 Tel: + 91 20 6603 6000 Fax: + 91 20 6601 5900

Ernst & Young LLP EY | Assurance | Tax | Transactions | Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2014 Ernst & Young LLP. Published in India. All Rights Reserved.

EYIN1402-012 ED None

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

For any queries on howEY can assist you please contact us at:

ifcsolutions@in.ey.com