Internal Financial Control Over Financial Reporting
Under Section 143(3)(i) of the Companies Act, 2013 (2013 Act), an auditor of a company is required to state in his/her audit report whether the company has an adequate internal financial controls (IFC) system in place and the operating effectiveness of such controls. Explanation to Section 134(5)(e) of the 2013 Act defines IFC to include policies and procedures adopted by the company for ensuring orderly and efficient conduct of its business, accuracy and completeness of the accounting records, and timely preparation of reliable financial information.
The Institute of Chartered Accountants of India (ICAI) had issued a Guidance Note in November 2014. This Guidance Note has been revised subsequently and the ICAI issued a revised ‘Guidance Note on Audit of Internal Financial Controls Over Financial Reporting’ (Guidance Note) on 14 September 2015.
What is Internal Financial Control Over Financial Reporting?
Internal Controls are to be an integral part of any organization’s financial and business policies and procedures. Internal controls consist of all the measures taken by the organization for the purpose of:
- Protecting its resources against waste, fraud, and inefficiency
- Ensuring accuracy and reliability in accounting and operating data
- Securing compliance with the policies of the organization
- Evaluating the level of performance in all organizational units of the organization.
Responsibilities of Monitoring Internal Financial Control
The Responsibility for monitoring the Internal Financial Control rests with the whole organization and not with any one individual. Of course, each individual within a unit should be aware of proper Internal control procedures associated with their specific job responsibilities. Internal control procedures operate at different levels of effectiveness. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.
Elements of Internal Control
For any Internal Control procedure to be effective, it is essential that the “Internal” as well as “External” risks are adequately managed. Following are some of the Internal and External Risks to be taken care of:
- Process weakness (eg. access Control systems)
- People weakness (eg.no proper training)
- Technology weakness (eg. Operating system controls)
- Environmental weakness (eg. Fire control systems)
- Compliance requirements (eg. Various statutory laws)
- Customer requirements (eg. Protection of customer identity)
- Service Providers ( eg. Internet providers)
The above list is only indicative and there may be many more risks that need to be assessed depending on the type of item or service they provide.
Process weaknesses can be many since most of the transactions in an organization are automated. These weaknesses cannot come out unless we do an IT audit. To cite an example, recently we did an audit of the travel module of a company and we found out that some of the personal travels of senior people in the organization were paid by the company. On further analysis, we observed that the person is originating the request for travel in the system can also approve the same. Due to this loophole, the employee took advantage of the process weakness and the personal bills were paid by the company.
The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage them.
Managing change requires a constant assessment of risk and the impact on internal controls. Mechanisms are needed to identify and react to changing conditions.
Monitoring of Internal Controls
Internal controls can be monitored by having proper checks and balances in the workplace.
On the Personnel front, the organization has to ensure proper background verifications are made for all the employees (senior or junior) before being appointed. There should be clearly established lines of authority and responsibility documented in written job descriptions and procedure manuals. Organizational charts provide a visual presentation of lines of authority and periodic updates of job descriptions ensure that employees are aware of the duties they are expected to perform.
Authorization Procedures need to include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority is to be commensurate with the nature and significance of the transactions and in compliance with Organizational policies.
Segregation of Duties reduces the likelihood of errors and irregularities. An individual is not to have responsibility for more than one of the three transaction components: authorization, custody, and record keeping. When the work of one employee is checked by another, and when the responsibility for custody for assets is separate from the responsibility for maintaining the records relating to those assets, there is appropriate segregation of duties. This helps detect errors in a timely manner and deter improper activities; at the same time, it should ensure operational efficiency and allow for effective communications.
Documentation and Record Retention is another important element under Internal Control to ensure that all information and transactions of value are accurately recorded and retained. Records are to be maintained and controlled in accordance with the established retention period and properly disposed of in accordance with established procedures and documented.
SBS Global is an ISO 9001:2015 & ISO 27001:2013 certified company serving since 2007. SBS Global offers a comprehensive range of Outsourced Financial Accounting Services, CFO Services, Compliance (i.e., Company Secretary services) & HR Services catering to the needs of Small & Medium Organizations across industry sectors to meet their changing needs & expectations. Our team includes employees having industry & domain expertise who have insights drawn from years of professional experience.
For more details on outsourced financial accounting advisory services please visit or contact us