Monday, February 29, 2016

Internal Controls over Financial Reporting – Mandate under Companies Act 2013 and ICAI Guidance

The new Companies Act, 2013 now requires auditors to also opine on whether a company has an adequate internal financial controls (IFC) system in place and the operating effectiveness of such controls. This is in addition to the existing audit opinion on financial statements. While this requirement was originally applicable to financial statements ending 31 March 2015, considering the lack of guidance, this applicability was deferred and is now effective for the year ending 31 March 2016. Due to the deferral of this reporting requirement, the Ministry of Corporate Affairs (MCA) retained the reporting requirement relating to internal controls in certain specific areas under the Companies (Auditor’s Report) Order, 2013 (CARO). The ICAI has now reissued the long-awaited ‘Guidance Note on Audit of Internal Financial Controls over Financial Reporting’, which provides detailed guidance on this topic.

Internal Controls over Financial Reporting (ICFR): Regulatory Mandate under Companies Act 2013

Relevant Clause
Directors’ Responsibility Statement: Sec. 134(5)(e)

Board to confirm that ICFR’s are adequate and operating effectively
Listed companies
Board Report: Rule 8(5) of Companies (Accounts) Rules
Board report to state the details in respect of the adequacy of ICFR with reference to the financial statements

All companies
Code for Independent Directors: Section 149(8) and Schedule IV
Independent Directors to satisfy themselves on the integrity of financial information and that financial controls are robust and defensible

All companies having Independent Directors
Audit Committee Terms of Reference: Section 177

Evaluation of ICFR
All companies having an Audit Committee
Auditor’s report: Sec. 143(3)(i)
Auditors to report if the company has adequate ICFR systems and that they are operating effectively (from 2015-16)
All companies

The guidance note clarifies that reporting on ICFR by auditors will be applicable to both listed and unlisted companies, including small and one person companies. This is in line with the requirements of section 143(3)(i) of the Companies Act, 2013. The guidance note also clarifies that auditors will have to report whether a company has an adequate ICFR system in place and whether the same was operating effectively as at the balance sheet date of 31 March 2016. In practice, this will mean that when forming its audit opinion on ICFR, the auditor will surely test transactions during the financial year ending 31 March 2016 and not just as at the balance sheet date, though the extent of testing at or near the balance sheet date may be higher.

Standards on Auditing issued by the ICAI, which now also need to be complied with under the Companies Act, 2013, do not fully address the auditing requirements for reporting on the system of ICFR. The guidance note suggests that the relevant portions of the Standards on Auditing will need to be considered by the auditor when performing an audit of ICFR (e.g. the requirements of SA 230, ‘Audit Documentation’, when documenting the work performed on ICFR; of SA 315, when understating internal controls).

The guidance note provides the necessary criteria for maintaining effective ICFR for companies. It draws upon the ‘Internal Control Components’ of Standard on Auditing (SA) 315, ‘Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment’, which includes the following five required components:
  • Control environment
  • Entity’s risk assessment process
  • Control activities
  • Information system and communication
  • Monitoring of controls

As per the guidance note, auditors will have to issue a qualified opinion on ICFR if material weaknesses in the company’s ICFR are identified as part of their audit. A material weakness in ICFR may exist even when the financial statements are not materially misstated.

In the light of the above requirement, it is recommended that an ICFR Manual be developed in writing, recording:
  1. All the processes in various departments of the company
  2. Authorizations
  3. Internal checks involved based on risks
  4. Internal Controls on all processes, transactions and IT levels relating to Financial Reporting
  5. Specify how the processes address the various types of risks of financial misstatement at entry level in the organization
  6. Identify areas of improvement
  7. Synchronization of all existing guidelines, training manuals, instructions, internal controls as laid down by the top management
  8. It is further recommended that this manual be then approved by the Board, to establish reassurance on effectiveness of the controls. It is recommended that this exercise be performed at the earliest, preferably before the conclusion of the Auditors Report on financial statements for the financial year 2015-16.