The new Companies Act; Are your internal financial controls in control
The new Companies Act, 2013, now requires auditors to also opine on whether a company has an adequate internal financial controls (IFC) system in place and the operating effectiveness of such controls. This is in addition to the existing audit opinion on financial statements. While this requirement was originally applicable to financial statements ending 31st March 2015, considering the lack of guidance, this applicability was deferred and is now effective for the year ending 31st March 2016. Due to the deferral of this reporting requirement, the Ministry of Corporate Affairs (MCA) retained the reporting requirement relating to internal controls in certain specific areas under the Companies (Auditor’s Report) Order, 2016 (CARO).
Reporting on IFC is undoubtedly a paradigm shift from the reporting required under CARO. The ICAI has now reissued the long awaited ‘Guidance Note on Audit of Internal Financial Controls over Financial Reporting’ (guidance note), which provides detailed guidance on this topic.
Section 134(5) (e) explains internal financial controls as the policies and procedures adopted by the Company for ensuring the orderly and efficient conduct of its business, including adherence to Company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records and the timely preparation of reliable financial information. Section 143(11) of 2013 Act requires that the auditor’s report of specified class of companies should include a statement on prescribed matters.
The guidance note provides the necessary criteria for maintaining effective IFC for companies. It draws upon the ‘Internal Control Components’ of Standard on Auditing (SA) 315, ‘Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment’, which includes the following five required components control environment, entity’s risk assessment process, control activities, information system and communication and monitoring of controls.
The guidance note explains that for auditor reporting, the term ‘IFC’ is restricted within the context of the audit of financial statements and relates to internal control over financial reporting only (ICFR). This is also consistent with the practice adopted internationally, e.g. Sarbanes-Oxley (SOX) reporting in the US.
This is a relief as it removes unnecessary ambiguity by excluding from the scope operational controls, i.e. those facilitating the effectiveness and efficiency of company’s operations, and also differentiates ICFR from enterprise risk management and risk management policies which boards of companies have to maintain.
Role of Various Authorities
Management: In case of listed companies, section 134(5)(e) of the Companies Act, 2013 requires Directors Responsibility Statement to state that the Directors had laid down internal financial controls and the same were adequate and operating effectively. In case of ALL companies, Rule 8(5)(viii) of Companies (Accounts) Rules, 2014 requires the Board of Directors’ Report to state the details in respect of adequacy of internal financial controls with reference to the financial statements. Clause 49 IX(C) of Equity Listing Agreement requires CEO’s of listed entities to certify effectiveness of internal control systems pertaining to financial reporting. In all cases, it is the management responsibility to establish Internal Control over Business Operations.
Auditor: Section 143(3) (i) of the Companies Act, 2013 requires the auditors of ALL companies to state in their report whether the company has adequate internal financial control system in place and the operating effectiveness of such controls. The auditor will have to modify its audit methodology to obtain reasonable assurance on the adequacy of internal financial controls over financial reporting and its operating effectiveness. It should be noted that when forming the opinion on internal financial controls, the auditor should test the same during the financial year under audit and not just as at the balance sheet date, though the extent of testing at or near the balance sheet date may be higher.
Independent Director: Schedule IV of the Companies Act, 2013 requires the Independent Directors of the Company to satisfy themselves on the integrity of financial information and financial controls and also to ensure that the systems of risk management are robust and defensible.
Audit Committee: Section 177(4) (vii) requires Audit Committee to evaluate internal financial controls and risk management systems. Also, section 177(5) gives power to the Audit Committee to call for comments of the auditors on internal control systems, scope of audit, their observations on internal control systems and financial statements before submission of the same to the board. They may also discuss any related issues with the internal auditors and the management of the company.
Both corporate and auditors in India will need to come to terms with the concept of a combined or an integrated audit, which includes an audit of ICFR over financial reporting and financial statements. The guidance note acknowledges that while the objectives of the audit of ICFR and audit of financial statements are not identical, the auditor now needs to plan and perform work in such a way that it achieves the objectives of both the audits in an integrated manner.