Internal Financial Controls – Role & Responsibility of Auditors
CA V. Balaji
November 2015
Contents
1. ICFR – Global Scenario
2. Key Matters for Consideration by Companies and Auditors
3. Framework for ICFR
4. Implications and Benefits of ICFR
5. Key Considerations – Implementation of ICFR Framework in a Company
6. Guidance
7. Key Considerations in Year One
Internal Control over Financial Reporting – Global Scenario
Definition of ICFR
Those policies and procedures that pertain to an entity’s ability to initiate, record, process and report financial data consistent with the assertions embodied in either annual or interim financial statements
Requirements in USA
• In June 2003, US SEC adopted Rules for the implementation of Sarbanes – Oxley Act (SOX) that required certification of the Internal Controls over Financial Reporting (ICFR) by the management and by the auditors.
Requirements in Japan
• In June 2006, the Financial Institution and Exchange Laws (J-SOX) was passed by the Diet. Requirements similar to SOX on ICFR.
Reporting by the auditors
Integrated Audit – the auditor expresses two opinions:
1. Opinion on internal control over financial reporting, which requires:
   ‒ Evaluating and opining on management’s assessment of the effectiveness of internal control over financial reporting (Japan).
   ‒ Evaluating and opining on the effectiveness of internal control over financial reporting (only in the USA).
2. Opinion on the financial statements.
Internal Control Over Financial Reporting in India
• Clause 49 of the Equity Listing Agreement requires CEO / CFO sign off on ICFR in case of equity listed entities
• Companies Act 2013 requires Directors’ Responsibility Statement, in the case of listed companies, to include a statement that they have laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
• In case of unlisted companies, the Board Report to state the details in respect of adequacy of internal financial controls with reference to the Financial Statements.
• Audit Committee is required to evaluate the Company’s internal financial control systems (IFC).
• Auditors required to report on whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.
‒ Such reporting required for all companies whether listed or not
• Standards on Auditing (SA) 700 “Forming an Opinion and Reporting on Financial Statements” issued by the ICAI, at present, specifically requires the auditor to state that the auditor’s consideration of the internal controls in the entity are not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.
Key Matters for Consideration by Companies and Auditors
Internal Financial Controls under Companies Act, 2013
The Internal Financial Controls in Companies Act, 2013 goes beyond Internal Financial Controls Over Financial Reporting (IFCoFR)
The resultant IFC framework adopted by the company will have to address a combination of internal controls over financial reporting and other controls in order to align with the definition of IFC in the new Act.
As per the Companies Act 2013, Internal Financial Controls means:
• Policies and procedures adopted by the Company for ensuring orderly and efficient conduct of its business
• Safeguarding of assets
• Prevention and detection of frauds and errors
• Accuracy and completeness of accounting records
• Timely preparation of reliable financial information
© 2015 Deloitte Haskins & Sells LLP
IFC and IFCoFR – Coverage for Reporting
[Diagram: Internal Financial Controls = IFCoFR + Operations Controls. Reporting labels shown: Board report for an unlisted company; Director Responsibility for a listed company; Auditor; Adequacy + Effectiveness]
Internal Financial Control Framework
[Diagram] Outcomes:
1. Risk and control matrices for processes – demonstrating adequacy and effectiveness of controls over financial reporting (ICFR)
2. Risk and control matrices for entity level controls (IFC & ICFR)
3. Integrated framework leveraging existing monitoring practices – demonstrating adequacy and effectiveness of operational controls (IFC)
Building blocks:
1. Internal Controls over Financial Reporting – process level controls
2. Entity Level Controls
3. Leverage existing monitoring framework for operational controls: Enterprise Risk Management; operations related accreditation (e.g. US FDA, etc.); ISO audits; Standard Operating Procedures; Internal Audits; legal compliance framework
Key Issues To Be Noted By Companies
• Companies Act, 2013 does not prescribe a framework that may be considered by companies in establishing IFC
  ‒ In the absence of a framework adopted by the company, the auditor cannot benchmark and test the design and operating effectiveness of IFC against the framework.
  ‒ In India, Appendix 1 to SA 315 provides the components of an internal control system.
  ‒ Other international frameworks such as COSO, the Turnbull Report, etc. are available.
• Responsibility statement on the system of IFC is not applicable in the case of consolidated financial statements.
• In large organisations, management is likely to engage Internal Auditors in testing the design and operating effectiveness of IFC to facilitate reporting by the Directors.
  ‒ Existing Standards on Auditing do not permit the statutory auditor to use the work of the Internal Auditor as deemed appropriate for reporting on IFC.
• Reporting by the auditor is specified for all companies.
  ‒ Reporting on IFC in the USA is only applicable for listed companies – accelerated and large filers
  ‒ In Japan, reporting on IFC is applicable for listed companies and other companies as may be required by the Government
Key Issues To Be Noted By Auditors
• Internal financial controls include systems in the company for ensuring:
  ‒ the orderly and efficient conduct of its business: this matter is proprietary and auditors may not be able to comment on the same. SA 200 specifically excludes this as an objective of the auditor.
  ‒ the accuracy of the accounting records, and the timely preparation of reliable financial information: auditors apply the concept of materiality in their audits. The audit is performed to obtain reasonable assurance, and the opinion would state whether an effective internal financial control system was maintained and operated in all material respects.
• Standards on Auditing 315 “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment” defines Internal Control as follows:
  “The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.” (Emphasis added)
• Auditor’s reporting u/s 143(3)(i) shall relate to Internal Financial Controls over Financial Reporting
• Sec 143(3)(i) requires the auditor to report whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.
  ‒ Reporting on the internal financial controls system is similar to reporting on operations of the company. Whilst the testing is carried out on the transactions recorded during the year, the reporting is as at the balance sheet date. For example, if the company’s revenue recognition was erroneous through the year under audit but was corrected, including for matters relating to internal control that caused the error, as at the balance sheet date, the auditor is not required to report on the errors in revenue recognition during the year.
Key Issues To Be Noted By Auditors
IFCoFR is not applicable to interim financial statements unless such reporting is required under law or regulation
Audit of IFCoFR is broader than the audit procedures carried out for reporting under CARO clauses on adequacy of internal controls
Key Issues To Be Noted By Auditors
Applicability to consolidated financial statements
Section 129(4) of the 2013 Act states that the provisions of the 2013 Act applicable to the preparation, adoption and audit of the financial statements of a holding company shall, mutatis mutandis, apply to the consolidated financial statements.
Based on the above:
• Reporting on IFCoFR is applicable to consolidated financial statements
• Approach to be adopted similar to reporting on CARO – i.e. on the basis of reports as submitted by auditors of components which are Indian companies
• Concepts of materiality and professional judgment to apply to matters reported by component auditors
Financial Statement Audit with Control Reliance Strategy (FS-CRS) vs. Combined Audit (CA)

Audit element: Requirement to test OE of Entity-Level Controls
  FS-CRS: Only when control activities we plan to rely on are dependent on those Entity-Level Controls
  CA: Yes

Audit element: Extent of our understanding of the entity's flows of transactions and of our walkthroughs
  FS-CRS: Understanding and walkthrough to identify and understand controls we intend to rely on
  CA: Understanding and walkthrough to identify controls that address every risk of material misstatement

Audit element: How does the evaluation of information used in a relevant control ("IUC") vary?
  FS-CRS: May test accuracy and completeness of IUC either directly or through tests of controls
  CA: Test accuracy and completeness through tests of controls

Audit element: For which controls would we test OE?
  FS-CRS: Those we intend to rely on in order to alter our planned substantive procedures
  CA: All relevant controls

Audit element: Requirement to assess the “risk associated with the control” (“RAWC”) and to increase our sample size based on RAWC being assessed as higher
  FS-CRS: No
  CA: Yes
Framework for Internal Financial Control over Financial Reporting
Criteria / Framework by SA 315 – Components of Internal Control
[Diagram] The five components:
• Control Environment
• Risk Assessment Process
• Information System and Communication
• Control Activities
• Monitoring Controls
Criteria / Framework by SA 315 - Components of Internal Control
• Companies need to adopt a Criteria / Framework that has the components of internal controls as stated in the Guidance Note on Audit of IFCoFR
• Auditor’s IFCoFR report to specify identification of the benchmark criteria used by the management for establishing internal financial controls over financial reporting
• Failure by the management to establish a system of IFCoFR considering the essential components of internal controls stated in the Guidance Note on Audit of IFCoFR would result in a disclaimer of opinion in the IFCoFR reporting by the auditor
Implications and Benefits of ICFR
What Does ICFR Mean to Entities?
Directors' Responsibility on ICFR requires renewed emphasis and discipline regarding internal controls over financial transactions, financial systems and financial statements.
Stakeholder requirements:
CEO/CFO
• NEW: Adopt a structured and generally accepted internal controls framework
• NEW: Establish processes to assess risk and monitor the on-going effectiveness of internal controls
Audit Committee
• Strong working relationship between audit committee and auditor while maintaining independence
• NEW: A financial expert on the audit committee; heightened involvement and oversight expectations
• NEW: Establish a procedure for receipt, retention and treatment of complaints and anonymous tips
Controllers
• Implement and maintain effective internal controls over financial transactions
• NEW: Document, test, remediate and monitor internal controls
• NEW: Represent to Management that internal controls are operating effectively
Internal Audit
• NEW: Implement process to assess risk and monitor the on-going effectiveness of internal controls
• NEW: Provide and maintain supporting processes and infrastructure for on-going monitoring
External Auditors
• Audit financial statements and opine on management’s representations about them
• NEW: Test internal control compliance and opine on the adequacy of the internal controls environment
Represents an opportunity for the Company to standardize and enhance business processes and controls across the global financial operation based on company “best practice”.
Benefits of ICFR
• Senior Management accountability
• Improved controls over the financial reporting process
• Improved investor confidence in the entity’s financial reporting process
• Promotes a culture of openness and transparency within the entity
• Trickling down of accountability to operational management
• Improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls
• More accurate, reliable financial statements
• Making audits more independent
Additional value to companies
• Fresh independent look at key business processes
• Identification of potential operating process opportunities
• Updated formal, centralized, and managed financial internal controls documentation for the Company
• Enhanced support to CEO/CFO certifications
• Should result in an enhanced control environment and thereby mitigate risk
• Better understanding of internal controls
Guidance on testing internal controls
Some Key Terminologies
Abbreviation – Description
CISSP – Certified Information Systems Security Professional
CoCo – Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants
COSO – Committee of Sponsoring Organisations of the Treadway Commission
D&P – Direct and Precise
ELC – Entity Level Controls
ERM – Enterprise Risk Management
GITC – General Information Technology Controls
ICFR – Internal Controls over Financial Reporting
IPE – Information Produced by the Entity
IT – Information Technology
PCAOB – Public Company Accounting Oversight Board
ROMM – Risk of Material Misstatements
SA – Standards on Auditing
SOX – Sarbanes – Oxley Act
Flowchart Illustrating Typical Flow of Audit of Internal Financial Controls Over Financial Reporting
[Flowchart: The Top-Down Approach – not reproduced in the transcript]
Internal Financial Controls over Financial Reporting – Typical Coverage
[Diagram: three layers, each overlaid with Governance, Risk Mgmt. and Compliance –
Entity Level Control: Corporate Governance, Risk Assessment, Policies & Procedures;
Process Level Control: Billing system, Receivable, Procure to Pay, Payroll & Hire to Retire, Fixed Assets, Inventory Management, Treasury, Record to Report, Duties and Taxes;
IT Controls: ERP, Other Applications]
Entity Level Controls
• Tone at the top
• Board of Directors and Audit Committee charters
• Risk management
• Integrity and ethical values
• Assignment of authority and responsibility
• Organization structure
• Management’s philosophy and operating style
• Human Resource management
• Monitoring
ELCs are generally not direct and precise and accordingly may not be controls addressing specific risks for our IFCoFR audit opinion.
Evaluation of ELCs can result in an increase / decrease in the testing that the auditor otherwise would have performed on other controls.
Direct and Precise Controls – Design Criteria
Level of precision is whether the control is designed and operating to prevent or detect, on a timely basis, misstatements that could cause the financial statements to be materially misstated. Factors that can affect the level of precision of an entity-level control include the following:
• Objective of the review – A procedure that functions to prevent or detect misstatements generally is more precise than a procedure that merely identifies and explains differences.
• Level of aggregation – A control that is performed at a more granular level generally is more precise than one performed at a higher level. For example, an analysis of revenue by location or product line normally is more precise than an analysis of total company revenue.
• Competency of the person performing the control
• Consistency of performance – A control that is performed routinely and consistently generally is more precise than one performed sporadically.
• Correlation to relevant assertions – A control that is indirectly related to an assertion normally is less likely to prevent or detect misstatements in the assertion than a control that is directly related to an assertion. For example, a control designed to detect errors in the recorded amounts of accounts receivable might not operate with a sufficient level of precision to detect errors in the valuation of doubtful receivables.
• Predictability of expectations – Some entity-level controls are designed to detect misstatements by using key performance indicators or other information to develop expectations about reported amounts ("detective controls"). The precision of those controls depends on the ability to develop sufficiently precise expectations to highlight potentially material misstatements.
• Criteria for investigation – For detective controls, the threshold for investigating deviations or differences from expectations relative to materiality is an indication of a control's precision. For example, a control that investigates items that are near the threshold for financial statement materiality has less precision and a greater risk of failing to prevent or detect misstatements that could be material than a control with a lower threshold for investigation.
Evaluate the Design of Control
• Process level controls generally operate at a number of levels:
  - At senior levels of management, the control activities are more likely to be high-level procedures performed by management and are likely to involve greater aggregation of data and less consideration of detail.
  - At lower levels, the control activities are likely to be focused on distinct sets of data and at a much greater level of detail.
  - At the lowest level, detailed control activities are likely to relate to specific transactions.
• Commonly performed process controls:
  - Reviews: analytical, transactional
  - Reconciliations & comparisons
  - Safeguarding of assets
• Controls relating to information technology:
  - Data centre operations controls
  - System software controls
  - Access security controls
• Application controls: tolerances, authorizations, edits and validations, data reasonableness tests, predefined data listings, balancing control activities
Which Control to be Evaluated
• Any controls that fall under these categories may need to be evaluated:
  - controls related to the initiation, recording, processing and reconciling of account balances, classes of transactions, disclosures, and related assertions included in the financial statements
  - controls related to the initiation and processing of non-routine and nonsystematic transactions
  - controls related to the selection and application of accounting policies
  - controls related to the prevention, identification, and detection of fraud
• Controls, including information technology general controls, on which other controls are dependent. General controls include:
  - data center operation controls
  - system software controls
  - access security controls
  - application system development and maintenance controls
Evaluate Design Effectiveness
• In performing the design effectiveness evaluation we need to evaluate the following:
  - Owner of control
  - Description of process flow
  - Properly designed, i.e. is the control meeting the desired control objective
  - Document control deficiencies, if any
  - Classify deficiencies into: material weakness, significant deficiency, internal control deficiency
• Prepare remediation plan
Process vs. Control
• Process and controls are two very different aspects. Often they are used interchangeably; hence it is important to understand the difference between them.
‒ A Process describes the action of taking a transaction or an event through an established and usually a routine set of procedures or steps.
‒ A Control is an action or activity taken to prevent or detect misstatements within the process.
• The following examples distinguish a process from a control:
Example 1:
Control description: Company engages an Actuary Firm to prepare the actuarial report.
Pitfall: Hiring a specialist may add competency to management’s control and is a process, but it is not a control in itself.
Improved control description: Management reviews and discusses the Actuarial Report, including key assumptions, with the specialist to assess the appropriateness of the assumptions and conclusions reached.
Example 2: Control description: The Financial Controller prepares a memo documenting the basis for the entity’s conclusions regarding impairment.
Pitfall: Preparing an analysis is typically a process step and not a control; the control is the activities performed to verify that the analysis is appropriate.
Improved control description: The CFO reviews the Impairment Analysis Memo and supporting documentation prepared by the Controller to assess the appropriateness of the conclusions reached.
Example 3: Control description: The billed revenue file is summarised at the month end and the total is recorded into revenue.
Pitfall: Recording an event or transaction is a process step; the control is the activity that is performed to verify that the recording was appropriately performed.
Improved control description: The Accounting Manager verifies that the billed revenue was properly recorded to revenue by comparing the billed revenue file to the revenue recorded in the general ledger.
Example 4: Control description: When new contracts are entered into or existing contracts are modified, the accounting manager determines and documents in a memo, the applicable revenue recognition model to be used for the contract.
Pitfall: Determining the revenue recognition model and documenting the same are process steps. They do not have any preventive or detective action steps.
Improved control description: The controller reviews and approves the revenue recognition memo prepared by the accounting manager. As part of the review process, the controller reads all the relevant excerpts from the contract and applicable professional standards as well as reviews and challenges, as appropriate, the conclusions documented in the memo.
Test the Operating Effectiveness of Control
Tests of controls are usually performed using the following techniques, often in combination:
Corroborative enquiry: This procedure, consisting of detailed interviews to obtain evidence about the effectiveness of controls, is performed in tandem with other procedures (e.g., examination of documentary evidence) to corroborate the information derived from the inquiry.
Observation: Observing the performance of a control activity often provides substantial evidence of its effectiveness. For example, the auditor may test controls over inventory by observing that employees who perform and record the counts follow management's written instructions. But observation of a control activity in action ordinarily does not, in itself, provide sufficient evidence of the effectiveness of the control activity, mainly because observations may not be representative of its usual performance: management and staff may perform their tasks more diligently if they know they are being observed.
Examination of Documentation: If performance of a control activity is documented, the auditor can obtain evidence of its performance by examining the documentation, both electronic and written.
Re-performance: Re-performance may be effective for testing application controls, because the computer processes transactions systematically.
Points to be kept in mind:
• Inquiry alone is not adequate; extensive testing procedures should be carried out
• Management should not rely solely on self-assessment procedures; independent monitoring is required
• If the company uses an outside service provider for certain business functions, you should request from the provider a report on the effectiveness of internal control at the outside company.
The following guidance related to the frequency of the performance of control may be considered when planning the extent of tests of operating effectiveness of manual controls for which control deviations are not expected to be found. The auditor may determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity dependent on whether assessment has been made on a lower or higher risk of failure of the control.
Frequency of Control Activity and Sample Size

Frequency of control activity                       Minimum sample size
                                                    Lower risk of failure   Higher risk of failure
Annual                                              1                       1
Quarterly (including period-end, i.e., +1)          1+1                     1+1
Monthly                                             2                       3
Weekly                                              5                       8
Daily                                               15                      25
Recurring manual control (multiple times per day)   25                      40
IT General Controls – Typical Coverage
[Diagram: ERP / Other Applications, overlaid with Governance, Risk Mgmt. and Compliance, covered by the following general IT controls:]
1. User access management (IFCoFR)
2. Change management (IFCoFR)
3. Data center – physical and environmental controls (IFC)
4. Information security – logical access to application, database and operating system (IFCoFR)
5. Backup and restoration (IFC)
6. Job scheduling (IFC)
General IT Controls
When identifying and understanding relevant controls, it is important to consider whether a control is dependent upon other controls [e.g., General IT controls (GITC)] or information produced by the entity (IPE), such that:
• The design of the control cannot be concluded upon without also considering the other control or IPE, or
• The effectiveness of the control cannot be concluded to be effective unless the other controls are also effective.
For example, the automated generation of invoices may be dependent upon the price look-up table that is maintained by the invoicing clerk, in which case, the controls related to that look-up file (e.g., access controls) would be relevant in determining whether the automated generation of invoices is effective.
GITCs and IPE
Similarly, if the control is dependent on the accuracy and completeness of a report, then either the controls related to the preparation and maintenance of the report need to be evaluated or the report needs to be directly tested. However, if the accuracy and completeness of the information is the objective of the control, then the control is operating on that information and, therefore, is not dependent upon it.
Example of IPE that a control is dependent upon: If a headcount report is used by the controller to perform a reasonableness test of payroll expense, the effectiveness of the controller’s analysis/review is dependent upon the accuracy and completeness of the headcount report. Accordingly, the headcount report is IPE and, therefore, its accuracy and completeness are considered as part of the evaluation of the design.
Example of IPE that a control is not dependent upon: A bank reconciliation is reviewed by the controller to determine that it was prepared properly. The purpose of the control is to determine that the bank reconciliation is accurate and complete, so the bank reconciliation is the subject of the control and, therefore, is not dependent on the IPE.
IPE has 3 elements - Source Data, Report Logic and Report Parameters
Testing IPE
Source Data – The information from which the IPE is created. This may include data maintained in the IT system (e.g., within an application system or database) or external to the system (e.g., data maintained in an Excel spreadsheet or manually maintained), which may or may not be subject to general IT controls. For example, for a report of all sales greater than Rs.10,000, the source data is the database of all sales transactions.
Report Logic – The computer code, algorithms, or formulas for transforming, extracting or loading the relevant source data and creating the report. Report logic may include standardised report programs, user-operated tools (e.g., query tools and report writers) or Excel spreadsheets, which may or may not be subject to the general IT controls. For example, for the Debtors Aging report, the report logic is typically a program in the Debtors application that contains the code and algorithms for creating the Debtors Aging (report) from the Debtors sub-ledger detail (source data).
Report Parameters – Report parameters allow the user to look at only the information that is of interest to them. Common uses of report parameters include defining the report structure, specifying or filtering data used in a report, or connecting related reports (data or output) together. Depending on the report structure, report parameters may be created manually by the user (user-entered parameters) or they may be pre-set (there is significant flexibility in the configuration of parameters, depending on the application system), and they may or may not be subject to the general IT controls. For example, for a monthly report of slow moving inventory by warehouse location, the user enters the month and location code parameters to generate the reports.
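To make the three IPE elements concrete, here is an added example that is not part of the original deck or the firm's methodology. It applies the re-performance technique from "Test the Operating Effectiveness of Control" to the Debtors Aging report named above: the auditor independently re-derives the aging from the sub-ledger detail (source data), checks the report's as-at date and scope (report parameters), and compares the result against the system-generated report (report logic). The sub-ledger rows, the system report, the customer codes, amounts and aging bucket boundaries are all constructed, hypothetical values; the constructed system report deliberately omits one invoice so the completeness exception can be seen.

```python
from datetime import date
from typing import Dict, List

# Constructed sample source data: debtors sub-ledger detail (hypothetical values).
SUB_LEDGER = [
    {"customer": "C001", "invoice": "INV-1", "invoice_date": date(2015, 11, 20), "amount": 12000.00},
    {"customer": "C001", "invoice": "INV-2", "invoice_date": date(2015, 10, 5), "amount": 5000.00},
    {"customer": "C002", "invoice": "INV-3", "invoice_date": date(2015, 8, 15), "amount": 8000.00},
    {"customer": "C002", "invoice": "INV-4", "invoice_date": date(2015, 9, 20), "amount": 3000.00},
    # Dated after the as-at date: the report's cut-off parameter must exclude it.
    {"customer": "C003", "invoice": "INV-5", "invoice_date": date(2015, 12, 3), "amount": 2000.00},
]

# Report parameter the auditor expects (constructed).
AS_AT = date(2015, 11, 30)

# Constructed system-generated Debtors Aging report as the auditor receives it.
# It omits INV-3, so the ">90" bucket for C002 is understated.
SYSTEM_REPORT = {
    "parameters": {"as_at": AS_AT, "scope": "ALL"},
    "rows": {
        "C001": {"0-30": 12000.00, "31-60": 5000.00},
        "C002": {"61-90": 3000.00},
    },
}

# Hypothetical aging buckets: (label, inclusive lower bound, inclusive upper bound or None).
AGING_BUCKETS = (("0-30", 0, 30), ("31-60", 31, 60), ("61-90", 61, 90), (">90", 91, None))


def age_bucket(days_outstanding: int) -> str:
    """Map days outstanding to an aging bucket label."""
    for label, low, high in AGING_BUCKETS:
        if days_outstanding >= low and (high is None or days_outstanding <= high):
            return label
    raise ValueError(f"negative days outstanding: {days_outstanding}")


def reperform_aging(sub_ledger, as_at: date) -> Dict[str, Dict[str, float]]:
    """Re-perform the report logic: customer -> bucket -> amount, from source data."""
    aging: Dict[str, Dict[str, float]] = {}
    for row in sub_ledger:
        days = (as_at - row["invoice_date"]).days
        if days < 0:  # invoice raised after the as-at date: outside the report cut-off
            continue
        bucket = age_bucket(days)
        customer = aging.setdefault(row["customer"], {})
        customer[bucket] = customer.get(bucket, 0.0) + row["amount"]
    return aging


def check_parameters(report_parameters, expected_as_at: date, expected_scope: str) -> List[str]:
    """Report parameters element: the report must have been run with the expected settings."""
    exceptions = []
    if report_parameters.get("as_at") != expected_as_at:
        exceptions.append(f"parameter as_at: expected {expected_as_at}, report {report_parameters.get('as_at')}")
    if report_parameters.get("scope") != expected_scope:
        exceptions.append(f"parameter scope: expected {expected_scope}, report {report_parameters.get('scope')}")
    return exceptions


def compare_aging(reperformed, reported, tolerance: float = 0.005) -> List[str]:
    """Report logic element: every customer/bucket cell must agree within tolerance."""
    exceptions = []
    for customer in sorted(set(reperformed) | set(reported)):
        expected_row = reperformed.get(customer, {})
        reported_row = reported.get(customer, {})
        for label, _, _ in AGING_BUCKETS:
            expected = expected_row.get(label, 0.0)
            actual = reported_row.get(label, 0.0)
            if abs(expected - actual) > tolerance:
                exceptions.append(f"{customer} {label}: re-performed {expected:.2f}, report {actual:.2f}")
    return exceptions


def evaluate_ipe(sub_ledger, report, expected_as_at: date, expected_scope: str) -> List[str]:
    """Run all three IPE checks and return the list of exceptions (empty means clean)."""
    exceptions = check_parameters(report["parameters"], expected_as_at, expected_scope)
    reperformed = reperform_aging(sub_ledger, expected_as_at)
    exceptions += compare_aging(reperformed, report["rows"])
    # Completeness at total level: source data within the cut-off vs. report grand total.
    source_total = sum(r["amount"] for r in sub_ledger if r["invoice_date"] <= expected_as_at)
    report_total = sum(sum(row.values()) for row in report["rows"].values())
    if abs(source_total - report_total) > 0.005:
        exceptions.append(f"total: source {source_total:.2f}, report {report_total:.2f}")
    return exceptions


if __name__ == "__main__":
    for exc in evaluate_ipe(SUB_LEDGER, SYSTEM_REPORT, AS_AT, "ALL"):
        print("EXCEPTION:", exc)
```

Run as is, the script reports two exceptions: the missing INV-3 in C002's ">90" bucket and the resulting difference in grand totals. A run with no exceptions is the evidence that the report logic and parameters turn the source data into a complete and accurate report, which is what is needed before relying on a control (such as the controller's review in the headcount example above) that consumes that report.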
Next steps:
• Document test results:
  ‒ tests performed and evidence obtained
  ‒ results of the tests
  ‒ conclusion as to the effectiveness of each control tested
• If the control is not operating effectively, document the internal control deficiency.
• Evaluate remediation plan
• Test outcome of remediation
Test the Operating Effectiveness of Controls
Suggested approach for classifying deficiency:
Evaluation of Severity of Deficiencies
• Document considerations and basis for conclusions
• Where significant judgement is required to evaluate severity of a deficiency, apply appropriate professional skepticism.
Report on internal financial controls over financial reporting
• A ‘deficiency’ in internal financial control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A ‘significant deficiency’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting that is important enough to merit attention of those charged with governance since there is a reasonable possibility that a misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
• A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
Report on Adequacy and Effectiveness of Control
• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
• The severity of a deficiency does not depend on whether a misstatement actually has occurred but depends on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement.
• The auditor shall express a qualified opinion on Internal Financial Controls Over Financial Reporting when the auditor, having obtained sufficient appropriate audit evidence, concludes that such controls are designed, implemented or operated in such a way that they are unable to prevent, or detect and correct, material misstatements in the financial statements on a timely basis, or that a control is missing, but the effects/possible effects of the material weakness in such internal controls are material but not pervasive to the financial statements.
• The auditor shall express an adverse opinion on Internal Financial Controls Over Financial Reporting when:
(a) the effects/possible effects of the material weakness in such internal controls are both material and pervasive to the financial statements, even if the audit opinion on the financial statements is unmodified;
(b) the internal control framework adopted by the Company does not consider / adequately consider the essential components of internal control; or
(c) the audit opinion on the financial statements is required to be modified and such modification is also consequent to the material weakness in the company’s internal financial controls over financial reporting.
• The qualified or adverse opinion on internal financial controls over financial reporting may relate only to the operating effectiveness of such controls or may relate to both the adequacy and operating effectiveness of such controls, based on the audit evidence obtained.
• The auditor shall disclaim an opinion on the company’s internal financial controls over financial reporting:
(a) if the company has not established its internal financial control over financial reporting on criteria based on any of the recognised internal control frameworks / considering the essential components of internal control; or
(b) the auditor is unable to obtain sufficient appropriate audit evidence to express an opinion on the internal financial controls over financial reporting but is able to perform appropriate substantive procedures to express an opinion on the financial statements; or
(c) when the auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion on the company’s internal financial controls over financial reporting, and / or the auditor concludes that consequent to the material weakness in such internal controls the possible effects on the financial statements of undetected misstatements, if any, could be both material and pervasive.
Effect of modified report over IFCoFR on the audit of financial statements
• Does not imply that the audit report on the financial statements should also be qualified. Assurance obtained by the auditor is through both internal controls and substantive procedures.
• The auditor should determine the effect of a deficiency in internal financial controls on the substantive procedures to be performed to reduce audit risk to an appropriately low level.
• Regardless of the assessed level of control risk or material misstatement, substantive procedures are to be performed for all assertions.
• As a result of substantive procedures, if sufficient reliable audit evidence is obtained to address the identified risk, do not qualify the audit opinion on the financial statements.
Key Considerations in Year - One
ICFR - Common Myths of Companies
(Implementation phases shown: Scope and plan; Assess and define; Identify and document; Test and remediate; Monitor, certify and assert)
• Meeting CARO requirement is sufficient
• There is no need to document processes and controls
• Testing of controls and remediation of deficiencies is the responsibility of auditors
• We don’t need a process for ICFR certification to Board / AC. We know people are doing it and no exceptions are identified by the auditors
• We don’t need to revisit processes and controls.
• Why do we need to look at cost / benefit for controls? Everything is essential
• Materiality is for financials. It doesn't really impact control considerations
• We have a good SLA with service providers. We don’t need to evaluate their controls
• We understand controls. There is no need for training and development of our people
• Automation through ERP – Controls are automatically in place
• We don’t need an oversight body to oversee all changes in processes / controls
• We don’t need to link risks with controls.
Points of Focus – Mindset of Auditors
Shift from ‘only substantive’ procedures
Timing of procedures
Should give adequate time to management for remediating the deficiencies identified, and to the audit team to test the remediated controls
Consultation to be early – to permit remediation before reporting date
Mindset change from obtaining assurance from ‘only substantive’ procedures to control reliance; which should lead to cost benefits on the audit.
Key Considerations
• Implementation of enterprise-wide, executive-driven internal control management program
• Implementation of enterprise risk management program
• Controls associated with the recording of non-routine, complex, and unusual transactions
• Formalization of processes, standard operating procedures, workflows, authority matrix
• Redeployment of work routines to enable audit trails, evidencing the reviews, etc.
• Maker – checker control / 4 eye principle
• Segregation of duties and access controls
Key Challenges
• Lack of an enterprise-wide, executive-driven internal control management program
• Lack of a formal enterprise risk management program
• Inadequate controls associated with the recording of non-routine, complex, and unusual transactions
• Lack of effective controls over the IT environment
• Ineffective financial reporting and disclosure preparation processes
• Lack of formal controls over the financial closing process
• Lack of current, consistent, complete, and documented accounting policies and procedures
• Inability to evaluate and test controls over outsourced processes
• Inadequate board and audit committee understanding of risk and control
Questions?