As per Companies Act 2013, the term IFC (Internal Finance Controls) has been defined as:
The policies and procedures adopted by the company to ensure orderly and efficient conduct of its business, including adherence to company’s policies, safeguarding of its assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, and the timely preparation of reliable financial information.
- The Details of Sections:
Section 143(3)(i) [Auditor’s Responsibility]
Auditors’ Report to state whether
– the company has in place an adequate system of internal financial controls and
– the implemented controls are effective during the period of reporting
- Section 134(5)(e) [Management’s Responsibility]
In case of a Listed company the “Directors’ Responsibility Statement” to state that:
– the directors have established a set of internal financial controls to be followed by the company and
– that such internal financial controls are adequate and were operating effectively.
- Rule 8(5)(viii) of Companies (Accounts) Rules, 2014 [BoD’s Responsibility]
In case of All companies, the “Board of Directors’ report” to state
– the details in respect of adequacy of internal financial controls with reference to the financial statements
- The Companies Act 2013 mandates that ALL Companies implement Internal Financial Controls.
- Management, Audit Committee, Auditors and Board of Directors have been made responsible to review the Controls and report on them.
- These provisions were recommendatory in FY 2014-15 and are MANDATORY from FY 2015-16.
- Hence, Management is responsible for implementing the Internal Financial Controls.
- Audit Committee, Auditors and Board of Directors are supposed to review and express their opinion.
Section 134 (8) states that … Non-Compliance by a Company to the Sections 143 and 134 (5) related to establishing Internal Financial Controls would have following Penalties:
- The Company shall be punishable with fine of up to Rs. 25 Lakhs
- Every officer of the company who is in default shall be punishable with imprisonment up to 3 years or a fine of up to Rs. 5 Lakhs, or with both.
- Establish and maintain a set of Internal Controls on Financial Reporting with a special focus on Fraud Risks
- Evaluate the effectiveness of the controls established
- Identify the deficiencies in the controls thus established
- Identify the steps to rectify the deficiencies
- Report the deficiencies and the steps to Audit Committee and the auditors.
- Detailed Process Narratives
- Risk and Control Matrix
- Test of Design / Adequacy of Controls (TOD)
- Test of Operating Effectiveness (TOE)
- Identify key processes (A few examples could be Purchase, Sales, HR, Inventory, Compliance, Book Closure . . . )
- Document and map the processes (Create Narrations)
- Identify the risks in the processes (Create Risk and Control Matrix)
- Identify the applications and the IT controls (including General Computer Controls)
- Identify the controls that have been put in place– both manual and automated
- Identify the key controls out of these
- Document the Controls – Design, process and end result
- Test the controls for their design – whether the control is performing as designed
- Check for the frequency of the transactions
- Check the number of times each of the control functions
- Decide the sample size for data collection
- Collect random samples as per the sample size
- Test the controls for their effectiveness
- Entity Level Controls
- Book Close
- Order to Cash (O2C)
- Procure to Pay (P2P)
- Hire to Retire (H2R)
- Regulatory/ Compliance
- IT General Controls
- Inventory management
- Fixed Assets
- Treasury Operations
- Guide in identifying the scope of the work by indicating the Processes to be documented
- Identify the controls that need to be established and test the Design of these controls .
- Check the frequency of the occurrence and define the no. of samples to be selected. Test the samples selected for effectiveness of the controls.
- Based on the testing results express their opinion on the effectiveness of the controls and the processes and the Complete Financial reporting, such opinion is in addition to and distinct from the opinion expressed by the auditor on the financial statements.
- Provide an assurance to Management as well as helps to improve business performance
- Assists in Development of Standard Operating Procedures
- Lays foundation for process re-engineering through identification & elimination of non value added processes
- Helps to plug revenue leakages & explore cost reduction opportunities
- Improves control environment thru migration/ up-gradation to semi-automated/ automated controls
- Increases the risk awareness in the organization