Internal Financial Control Over Financial Reporting
According to Section 143(3)(i) of the Companies Act, 2013, auditors are required to report in their audit whether a company has an adequate internal financial controls (IFC) system in place, and its operating effectiveness. IFC includes policies and procedures adopted by the company for ensuring efficient conduct of its business, accuracy and completeness of accounting records, and timely preparation of reliable financial information, as defined in the Explanation to Section 134(5)(e) of the Act.
In November 2014, the Institute of Chartered Accountants of India (ICAI) issued a Guidance Note on the audit of the IFC. The ICAI subsequently revised this note, issuing a revised ‘Guidance Note on Audit of Internal Financial Controls Over Financial Reporting’ on 14 September 2015.
What is Internal Financial Control Over Financial Reporting?
Internal controls are essential components of an organization’s financial and business policies and procedures. They encompass all the measures implemented by the organization to achieve the following objectives:
- Protect resources from waste, fraud, and inefficiency
- Ensure accuracy and reliability in accounting and operating data
- Secure compliance with organizational policies
- Evaluate performance levels in all organizational units
Responsibilities of Monitoring Internal Financial Control
The responsibility for monitoring internal financial controls lies with the entire organization, not just one person. Each person in a unit should know the appropriate internal control procedures for their specific job.
Controls operate at various levels of effectiveness, with effective controls offering reasonable assurance of meeting objectives.
Elements of Internal Control
Effective Internal Control procedures require managing both Internal and External risks. Internal risks are those that arise from within the organization, while External risks are those that come from outside the organization such as:
- Process weakness
- Lack of access control systems
- Inefficient monitoring of access and authorization
- Inadequate documentation of access controls
- People weakness
- Insufficient training and awareness about security measures
- Lack of understanding of security risks and vulnerabilities
- Human error due to fatigue, carelessness, or lack of attention to detail
- Technology weakness
- Weak or outdated operating system controls
- Lack of security patches and updates
- Poor configuration of security settings
- Environmental weakness
- Inadequate fire control systems and procedures
- Lack of backup power and data storage systems
- Failure to regularly test and maintain environmental controls
- Compliance requirements
- Statutory laws need to be followed by the company
- The company must stay up-to-date with any changes to these laws
- The company must ensure that its policies and procedures are compliant with these laws
- Customer requirements
- The protection of customer identity is a key concern for the company
- The company must ensure that customer data is kept confidential and secure
- The company must comply with any data protection laws that are in place
- Service Providers
- The company must work with service providers, such as internet providers, to ensure that compliance requirements are met
- The company must ensure that any third-party providers it works with are also compliant with relevant laws and regulations
- The company must have processes in place to manage the relationship with its service providers and ensure that they meet their obligations
There may be more risks to assess depending on the item or service provided. Process weaknesses can be numerous due to automation and may require an IT audit to identify them.
For instance, during a recent travel module audit, it was discovered that senior employees had personal travels paid for by the company due to a loophole in the system where the requestor could also approve the request.
Risk identification and analysis are crucial for an effective internal control system. It’s an ongoing process that should focus on risks at all levels, and necessary actions must be taken to manage them.
Managing change requires continuous risk assessment and adjusting internal controls accordingly. Adequate mechanisms are needed to identify and react to changing conditions.
Monitoring of Internal Controls
Effective internal controls are crucial for organizations to ensure compliance with policies and regulations, prevent errors and fraud, and protect their assets. Here are some key points to consider:
- Personnel: conduct background verifications for all employees and establish clear lines of authority and responsibility with written job descriptions and organizational charts.
- Authorization Procedures: verify the propriety and validity of transactions with a thorough review of supporting information and ensure approval authority is appropriate.
- Segregation of Duties: separate authorization, custody, and record-keeping responsibilities to reduce errors and irregularities, detect errors promptly, and deter improper activities while ensuring operational efficiency and effective communications.
- Documentation and Record Retention: accurately record and retain all valuable information and transactions, maintain records by established retention periods, and properly dispose of them according to established procedures.
SBS Global is a certified company providing Outsourced Financial Accounting Services, CFO Services, Compliance, and Staffing Services to small, medium and large organizations since 2007. With expertise in various industries and years of experience we bring you the deep insights that help your company to sustain, grow and expand in a rapidly changing legal landscape.