Companies Act 2013:

Gearing up to be incontrol of Internal

Financial Controls

Gearing up for implementing

Section 134
Preamble
Indian regulations have been modified to reflect the developments in the Western world. Introduction of Internal Financial
Controls (IFC) in the Companies Act 2013, reflect the continuation of this trend. According to the Companies Act 2013, the
term IFC has been defined as the policies and procedures adopted by the company to ensure orderly and efficient conduct of
its business, including adherence to companys policies, safeguarding of its assets, prevention and detection of frauds and
errors, accuracy and completeness of accounting records, and the timely preparation of reliable financial information.

Requirements as per the New Companies Act 2013

Section 134: In the case of a listed company, the Directors Responsibility states that directors, have laid down IFC to be
followed by the company and that such controls are adequate and operating effectively.
Section 177:
Audit committee may call for comments of auditors about internal control systems before their submission to the Board
and may also discuss any related issues with the internal and statutory auditors and the management of the company
Audit committee should act in accordance with the terms of reference specified in writing by the board, which should,
inter alia, include evaluation of IFC and risk management systems
Section 143: The auditors report should also state whether the company has adequate IFC system in place and the operating
effectiveness of such controls.
Schedule IV: The independent directors should satisfy themselves on the integrity of financial information and ensure that
financial controls and systems of risk management are robust and defensible.

Call to action
Familiarize the Board of Directors (especially the Audit Committee and Independent Directors) and Senior Management Personnel
with respect to their enhanced responsibilities regarding IFC.
Assess the controls set-up in your organization using the following grid:
Policies/Guidelines

Operating Procedures

Key policies are defined, understood and enforced

Clearly defined, detailed and harmonized procedures are

available across the organization

Technology
Several controls are preventive in nature and
automated. Detective controls and monitoring
processes are technology enabled with one
version of truth

Assess the
current state of
IFC

Roles and Responsibilities

All stakeholders are aware of their roles and
responsibilities with respect to processes and
controls

Behaviour

Management Information System

The culture of compliance with laid down guidelines and

procedures is evident through the actions and behavior of
individuals and teams

This should ensure that adequate and accurate information is

available for reporting and decision making

| Companies Act

Decoding IFC - What are its components?

The expanded coverage and focus goes way beyond the Financial Reporting Controls and the focus is on all the elements
of a Controls Framework including tone at the top, policies and procedures, operating controls, controls design, controls
monitoring etc.
The figure shows a Controls Framework, which attempts to highlight all the different building blocks of an Internal Financial
Controls Framework

Entity
Controls

Ethics & Values strategy

Culture
Communication

Control Governance
& Standards

Policies & Procedures

Oranisational Structures
Performance Objectives
Roles & Responsibilities

Control Design

Risk Identication
Capacity to Deliver Objectives

Control Operation

Control Compliance Monitoring

Control Systems
Continuous Improvement
Compliance Monitoring
Control Monitoring

How to implement IFC and who all need to be involved?

The Three Lines of Defense model provides a simple and effective way to enhance communications on Internal Financial Controls by
clarifying roles and duties.
The first line is responsible for setting up the controls, mitigation of risk and defining policies and procedures to be complied with
The second line monitors compliance with the laid down controls. It is not an independent assurance function, but a monitoring
tool for the management
The third line provides the independent assurance on the activities of first and second lines of defence
Audit Committee and board of directors provide overall direction and oversight

Board of Directors/Audit Committee

Senior Management

1st Operational and

Business Units
(design and
operation of controls)

Management
Assurance (Ongoing
Controls Monitoring)

| Companies Act

3rd Line of Defense

Independent
Assurance
Internal Audit

Regulators

2nd Line of Defense

External Audit

1st Line of Defense

Questions to be considered
by a CXO
Structure/Framework
Do we have a structure/program to train our employees on their role in the overall internal
controls process?
Do we have relevant skills (skills around fraud risks, IT controls, analytics for continuous
controls monitoring etc.), focused teams and bandwidth to the support the IFC agenda?
Do we have entity level controls w.r.t policies and procedures, risk assessment, whistle
blowing, ethics etc. that are clearly established, communicated and monitored?
Do we periodically review, assess and refresh our controls framework in line with emerging
guidance around applicable standards like COSO?

Implementation
Are authority, responsibility and accountability clearly (delegation of authority and segregation of
duties) defined such that decisions are made and actions taken at an appropriate level?
Do we periodically assess and optimize controls to improve effectiveness, reduce costs and
support business performance?
Do we have policies and procedures covering all domains such as Finance and Accounts, Business
Operations and Compliance?
Are our policies and procedures easy to access and comprehend? Are these maintained and
updated on the technology platform on a regular basis?
Do we regularly up-skill our employees to address the emerging needs of your organisation in
areas such as GRC, IT controls, fraud risks etc.?
Do we have common understanding on the Risk that Matter among relevant stakeholders?
Do we consider fraud risks as part of the risk management exercise and address them with clear
action, accountability and ownership?
Do we pay adequate focus on safeguarding of assets, fraud indicators and perform periodic
independent verification in this area?
Do we effectively track and proactively monitor our compliance agenda around domestic/
international footprint, covenants, compliance with guidelines etc.?

Monitoring & Reporting

Do we periodically update the key stakeholders on Controls and Risk management effectiveness
of our organization? Is there a technology platform to enable proactive and timely monitoring of
controls effectiveness?
Do we have adequate and reliable information to certify compliance with IFC requirements
according to the Act?
Have we considered self-assessments and automation of control monitoring?
What kind of assurance is provided to the Management and Board on IFC by internal audit and
external audit?

Well
prepared

Requires
consideration

Structure/Framework

Implementation

Monitoring & Reporting

Notes

| Companies Act

How can EY assist you in your IFC

journey?
Areas of intervention

Do I need support?

Train Board members (including Audit Committee and Independent Directors) on IFCrelated requirements of the Act
Establish internal controls framework covering both Entity Level Controls and Process
Controls (covering finance and accounts, business processes, compliance and IT) in line
with leading industry/controls practices
Benchmark controls against leading practices; IT controls, prevent v. detect, manual v.
automated
Establish a comprehensive Risk Management Framework and/or targeted intervention in
areas such as:
Identifying and prioritizing risks that matter
Automating the risk monitoring process
Defining value at risk and/or risk impact
Monitoring and management of fraud risks
Continuous controls monitoring and fraud risk analytics through Data Analytics lab
Design and implement controls self-assessment
Design and assist in implementation of delegation of authority, segregation of duties etc.
Implementation support for GRC rollout
Develop standard operating procedures including relevant policies and guidelines
Rationalize and automate current controls portfolio to reduce overall cost of control while
improving effectiveness
Design MIS and board reporting pack to facilitate evaluation of IFCs
Train employees on their role in the overall internal controls process and on leading
practices for managing emerging risks in areas such as IT, fraud, contract compliance etc.

Related EY service offerings

Enterprise Risk Management

Compliance Management

Business Performance Management

Controls Transformation

To measure the gap that you need to bridge to comply with the Act and understand more about how we are assisting our clients
with IFCs, please contact us at ifcsolutions@in.ey.com
7

EY offices

Ahmedabad
2nd floor, Shivalik Ishaan
Near C.N. Vidhyalaya
Ambawadi
Ahmedabad - 380 015
Tel: + 91 79 6608 3800
Fax: + 91 79 6608 3900
Bengaluru
12th & 13th floor
UB City, Canberra Block
No.24 Vittal Mallya Road
Bengaluru - 560 001
Tel: + 91 80 4027 5000
+ 91 80 6727 5000
Fax: + 91 80 2210 6000 (12th floor)
Fax: + 91 80 2224 0695 (13th floor)
1st Floor, Prestige Emerald
No. 4, Madras Bank Road
Lavelle Road Junction
Bengaluru - 560 001
Tel: + 91 80 6727 5000
Fax: + 91 80 2222 4112
Chandigarh
1st Floor, SCO: 166-167
Sector 9-C, Madhya Marg
Chandigarh - 160 009
Tel: + 91 172 671 7800
Fax: + 91 172 671 7888
Chennai
Tidel Park, 6th & 7th Floor
A Block (Module 601,701-702)
No.4, Rajiv Gandhi Salai, Taramani Chennai 600113
Tel: + 91 44 6654 8100
Fax: + 91 44 2254 0120
Hyderabad
Oval Office, 18, iLabs Centre
Hitech City, Madhapur
Hyderabad - 500081
Tel: + 91 40 6736 2000
Fax: + 91 40 6736 2200
Kochi
9th Floor, ABAD Nucleus
NH-49, Maradu PO
Kochi - 682304
Tel: + 91 484 304 4000
Fax: + 91 484 270 5393
Kolkata
22 Camac Street
3rd floor, Block C
Kolkata - 700 016
Tel: + 91 33 6615 3400
Fax: + 91 33 2281 7750

| Companies Act

Ernst & Young LLP

Mumbai
14th Floor, The Ruby
29 Senapati Bapat Marg
Dadar (W), Mumbai - 400028
Tel: + 91 022 6192 0000
Fax: + 91 022 6192 1000

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we
deliver help build trust and confidence in the capital
markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises
to all of our stakeholders. In so doing, we play a critical
role in building a better working world for our people, for
our clients and for our communities.

5th Floor, Block B-2

Nirlon Knowledge Park
Off. Western Express Highway
Goregaon (E)
Mumbai - 400 063
Tel: + 91 22 6192 0000
Fax: + 91 22 6192 3000

EY refers to the global organization and may refer to

one or more of the member firms of Ernst & Young
Global Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.

NCR
Golf View Corporate Tower B
Near DLF Golf Course
Sector 42
Gurgaon - 122002
Tel: + 91 124 464 4000
Fax: + 91 124 464 4050

Ernst & Young LLP is one of the Indian client serving member firms of
EYGM Limited. For more information about our organization, please visit
www.ey.com/in.
Ernst & Young LLP is a Limited Liability Partnership, registered under the
Limited Liability Partnership Act, 2008 in India, having its registered office
at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016
2014 Ernst & Young LLP. Published in India.
All Rights Reserved.

6th floor, HT House

18-20 Kasturba Gandhi Marg
New Delhi - 110 001
Tel: + 91 11 4363 3000
Fax: + 91 11 4363 3200

EYIN1402-012
ED None

4th & 5th Floor, Plot No 2B, Tower 2, Sector

126,
NOIDA 201 304
Gautam Budh Nagar, U.P. India
Tel: + 91 120 671 7000
Fax: + 91 120 671 7171

This publication contains information in summary form and is therefore

intended for general guidance only. It is not intended to be a substitute
for detailed research or the exercise of professional judgment. Neither
Ernst & Young LLP nor any other member of the global Ernst & Young
organization can accept any responsibility for loss occasioned to any
person acting or refraining from action as a result of any material in this
publication. On any specific matter, reference should be made to the
appropriate advisor.

Pune
C-401, 4th floor
Panchshil Tech Park
Yerwada
(Near Don Bosco School)
Pune - 411 006
Tel: + 91 20 6603 6000
Fax: + 91 20 6601 5900

For any queries on how

EY can assist you please
contact us at:

ifcsolutions@in.ey.com