
“Internal Audit – Role in Governance
Practical Case Study: Internal Financial Control”

Speakers
CA S Bhaskar, Chief Internal Auditor, Tata Capital Ltd.
CA Nirav Shah, Head – Internal Audit, Tata Capital Housing Finance Ltd.
Context for IFC
• Major corporate and accounting scandals – Satyam, Financial Technologies (India) Limited
• Decline of public trust in accounting and reporting practices
• Indian regulations modified to reflect the regulatory developments in the western world
• SOX Act 2002, HIPAA, J-SOX and PCI-DSS are a few examples of regulatory changes introduced in the western world (SOX and J-SOX address controls over financial reporting; HIPAA and PCI-DSS address protection of health and cardholder data, and PCI-DSS is an industry standard rather than a statute)
• Introduction of Internal Financial Controls (IFC) in the Companies Act 2013 reflects the continuation of this trend
Then
Board – Section 217 (2AA): Directors of a company to specifically state in the Directors' Responsibility Statement that they have taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of the Act, for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.
Management – Clause 49 of the listing agreement: CEO / CFO certification – responsibility for the control system and for significant changes in internal control.
Auditors – CARO: CARO required statutory auditors to report on internal control matters relating to inventory, fixed assets and sale of goods and services.

Now
Board – Sec 134 (5) (e): Directors' Responsibility Statement to state that they have laid down IFC to be followed by the company and that such controls are adequate and operating effectively (listed company).
Audit Committee – Sec 177 (4) (vii) & Clause 49 (III) (D): Audit committee to evaluate internal financial controls and risk management systems.
Management – CEO & CFO, Clause 49 of the listing agreement: Accept responsibility for establishing and maintaining IC for FR, and state that they have evaluated the effectiveness of the ICS of the company.
Auditors – Sec 143 (3) (i) & Sec 143 (12): The auditor's report shall also state whether the company has an adequate internal financial control system in place and the operating effectiveness of such controls.
IFC definition as per Companies Act
Internal financial controls means the policies and procedures adopted by the company for ensuring orderly and efficient conduct of its business, including
– adherence to the company's policies
– the safeguarding of its assets
– the prevention and detection of frauds and errors
– the accuracy and completeness of the accounting records, and
– the timely preparation of reliable financial information


What is required?
• A demonstrable, documented framework for internal financial controls
• Documentation of controls that actually mitigate the risk of significant misstatements
• Requisite accountability for the financial reporting structure
• Fraud risks and controls at the process level to be understood and demonstrable
• Testing of operating effectiveness of controls

Roles in IFC – Three Lines of Defense
Oversight: Board of Directors and Audit Committee
1st Line of Defense – to design and operate controls: Operational and Business Units
2nd Line of Defense – to exercise on-going control monitoring: Finance Controller, Compliance, Risk Management, IS, Quality / Process
3rd Line of Defense – to advise / consult and to provide independent testing & assurance: Internal Audit
Outside the three lines: Regulators, External Auditor
To whom / when is IFC applicable?
Advisory role of internal audit
How to design / build IFC?
How to test?
Are the IFC adequate?
Are they operating effectively?


Whom & When?
Whom? | Board of Directors (from April 1, 2014) | Auditors (mandatory from April 1, 2015)
Public Limited (Listed) | Internal Financial Controls – Sec 134 (5) (e) & Rule 8 (5) (viii) | ICFR – Sec 143 (3) (i)
Public Limited (Unlisted) | ICFR – Rule 8 (5) (viii) | ICFR – Sec 143 (3) (i)
Private Limited | ICFR – Rule 8 (5) (viii) | ICFR – Sec 143 (3) (i)
Approach – Ownership – IA Role
Steps | Who is responsible? | IA Role
Framework & Scope | Management | IA may help Management
Assess current documentation | Management | IA may help Management
Risk Assessment | Management | Option to additionally use assessment done by IA
Define Controls | Management | Option to additionally use assessment done by IA
Testing | Management / IA | Testing can be done by IA
Remediation | Management | IA may guide Management


Road map for designing
Phase 1
• Plan the project
• Adopt / implement framework
• Assess the control environment
• Define the scope – identify and assess risk
Phase 2
• Build a controls repository
• Document control objectives
• Document control activities and map to control objectives
• Identify and remediate gaps
• Perform initial tests of operating effectiveness
Phase 3
• Perform ongoing testing
• Monitor
• Prepare assertion
• Prepare internal control report

Board Review
Ongoing Dialogue with Independent Auditor


Control Frameworks
● COSO Framework – Internal Control: Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission
● Guide to internal controls over financial reporting issued by the Committee on Internal Audit of the ICAI (standard is now withdrawn)
● Guidance on assessing controls published by the Canadian Institute of Chartered Accountants
● Report published by the Institute of Chartered Accountants in England and Wales, “Internal Control: Guidance for directors on the combined code” (known as the Turnbull report)

Companies may either choose and adapt a globally accepted controls framework or choose to create one of their own.
Understanding COSO: Objectives; Elements of Internal Control; Applicability to Business
Why COSO?
• Applies internal control to any type of entity, regardless of industry or legal structure, at the levels of entity, operating unit, or function
• Expands the application of internal control beyond financial reporting to other forms of reporting, operations, and compliance objectives
• A principles-based approach that provides flexibility and allows for judgment in designing, implementing, and conducting internal control – principles that can be applied at the entity, operating, and functional levels
• Dominant and most widely recognized internal control framework, recommended by major accounting and auditing organizations
Internal Control - Definition
Internal control is a process,
- effected by an entity’s board of directors, management, and other personnel,
- designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and
compliance

 A process consisting of ongoing tasks and activities

 Effected by people

 Able to provide reasonable assurance

 Geared to the achievement of objectives

 Adaptable to the entity structure


Objectives of internal control
Operations (includes financial performance and safeguarding of assets): pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss. Examples of such objectives:
- Reduction of cost
- Improving satisfaction
- Reduction in number of complaints / defects
- Reducing down time
- Improving quality of output
- Reducing TAT for generation of invoices
- Eliminating duplicate claims
Financial Reporting (includes internal and external reporting): reliability, timeliness and transparency of
- External financial reporting
- Internal financial reporting
- External non-financial reporting (CSR, energy)
- Internal non-financial reporting (production, accidents, customer satisfaction)
Compliance:
- Identification of applicable laws and regulations
- People and process to ensure compliance with applicable laws and regulations
Components of Internal Control
Internal control consists of five interrelated components,
derived from the way management runs a business, and
are integrated with the management process:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
Components of Internal Control
Control Environment: the overall attitude, awareness, and actions of the directors and management concerning the importance of internal control in the entity.
Principles: 1. Demonstrates commitment to integrity and ethical values; 2. Exercises oversight responsibility; 3. Establishes structure, authority, and responsibility; 4. Demonstrates commitment to competence; 5. Enforces accountability.
Risk Assessment: the process used to identify, analyze, and manage the risks faced by the entity. Management's consideration and documentation of materiality levels for planning the scope.
Principles: 6. Specifies suitable objectives; 7. Identifies and analyzes risk; 8. Assesses fraud risk; 9. Identifies and analyzes significant change.
Control Activities: policies and procedures designed to help ensure that management directives are carried out.
Principles: 10. Selects and develops control activities; 11. Selects and develops general controls over technology; 12. Deploys through policies and procedures.
Information Systems and Communication: IS and communication used to capture and exchange the information needed to conduct, manage, and control operations.
Principles: 13. Uses relevant information; 14. Communicates internally; 15. Communicates externally.
Monitoring: the process of assessing the quality of internal control performance over time.
Principles: 16. Conducts ongoing and/or separate evaluations; 17. Evaluates and communicates deficiencies.
Entity Level vs. Process Level
COSO Component | Entity Level | Process / Account Level
Control Environment | Generally at the entity level | –
Risk Assessment | High-level business risk assessment | Account balance and assertions
Monitoring | Internal audit and other shared services functions, self-assessment | Monitoring embedded in process-level controls
Information and Communication | IT systems, communication of roles and responsibilities throughout the entity | Within a process as part of the control
Control Activities | – | Exists mostly at the process level
Entity and Process level controls
Classify the control activities below as either an entity level control or a process / account level control (answer shown after each item):
1 Detailed Financial Delegation of Authority Matrix – Entity
2 Procurement policy – Entity
3 Payment authorization control in SAP – Process
4 Risk Management Policy – Entity
5 Existence of disciplinary action grid / policy – Entity
6 Process of communication of policies and procedures – Entity
7 Monthly Operational Committee Meeting – Entity
8 Existence of an internal audit plan that considers organizational risk in allocation of resources – Entity
9 Departmental budgets for revenue and expenditure – Entity
10 Review of open POs, unaccounted invoices and payables during month-end – Process
11 Physical controls over vulnerable assets – Process
12 Access restrictions to and accountability for resources and records – Process
Planning & Scoping
Steps: Identify ELCs; Define materiality level; Identify processes / business cycles; Identify significant ALCs; Documentation

Materiality
Quantitative measures:
• Overall materiality – involves the risk of material misstatement of the consolidated FS
• Planning materiality – to determine the significance of individual accounts (a higher-risk entity would have a lower planning materiality, and a lower-risk entity would have a higher planning materiality)
Qualitative measures:
• Volume of activity, complexity, and homogeneity of the transactions
• Nature of the account (for example, suspense accounts generally warrant greater attention)
• Accounting and reporting complexities associated with the account
• Existence of related-party transactions in the account
• Changes in account characteristics since the previous
Identification of Significant Accounts and
Processes
• What is a significant account?
– An account for which there is more than a remote
likelihood that the account or disclosure could
contain misstatements that, individually, or when
aggregated with others, could have a material
effect on the financial statements.
Financial Statement Assertions
 Existence & Occurrence
 – Existence: assets, liabilities and ownership interests exist at a particular point in time
 – Occurrence: recorded transactions represent economic events that actually occurred during the period. The corollary of occurrence is recording: all transactions that occurred during the specific period have been recorded.
 Rights and Obligations: assets and liabilities shown on the balance sheet are rights and obligations of the enterprise at a certain point in time
 Completeness & Accuracy: all transactions and economic events that occurred during the financial year have been recorded in the financial statements. There are no unrecorded assets, liabilities, revenue or expenses and no omitted disclosures.
 Presentation and Disclosure: items in the financial statements are properly described and fairly represented
 Valuation: assets, liabilities, revenue and expenses are recorded in the financial statements at appropriate amounts in accordance with accounting principles
Financial Statement Assertions – exercise
Map financial statement assertions against each of the control objectives below (answer shown after each item):
1 Loan book represents loans disbursed as on the cut-off date – Rights & Obligations and Completeness
2 The loan system is accurately calculating and recording interest income on loans on accrual – Completeness & Accuracy
3 All non-performing assets are classified as non-performing assets – Presentation and Disclosure
4 Collaterals against loans as stated actually exist – Existence & Valuation
5 Policies and procedures relating to loan underwriting are reviewed and are being adhered to – Occurrence
6 Collection of penal charges is recorded in the appropriate account – Completeness
7 Clearing of items in suspense accounts – Presentation & Disclosure
8 Amounts posted to payables represent goods or services received – Completeness and Rights and Obligations
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives, and forms a basis for how risks should be managed in an organization, including what controls should be implemented to mitigate the risk to an acceptable level.
Steps in the cycle: Identify Risk; Classify Risk; Identify Controls; Perform Walkthrough; Assess Control
RA – Factors to be considered
The following factors are to be considered while performing risk assessments:
• Complexity or magnitude of the programs, operations, and transactions
• Decentralized versus centralized operations or accounting and reporting functions
• Extent of manual processes or applications
• New or amended laws, regulations, or accounting standards
• Changes in the operating environment
• Significantly new or changed programs or operations
• New personnel or significant personnel changes
• New or revamped information systems
• New technology
• Existence of related-party transactions
• Need for accounting estimates
Assess Controls
Identify controls, then evaluate the design of the controls:
• Design effective: identify the control for testing
• Design not effective: classify the design deficiencies and remediate
Example – Documentation of Process
Documentation of Risk & Control Matrix
Process: Branch collections activity
Sub-Process: Empanelment of field agency
Risk: CIBIL and internal dedupe report not considered for vendor recommendation
Risk Rating: Medium
Financial Risk (Cost Impact): N
Financial Risk – Reporting: N
Legal Risk: Y
Regulatory Risk: N
Operational Risk: Y
Reputational Risk: N
Fraud Risk: Y
Financial Statement Linkage – GL: N.A.
Financial Statement Linkage – Sub GL: N.A.
Control Reference No: CR:BCA:1
Control: 1. As per the standard checklist for vendor empanelment, the CIBIL and internal dedupe report is compulsory. 2. The collection agency obtains the CIBIL and internal dedupe report from the operations team and sends it to the RCM / NCM and collection head for approval of the vendor via mail.
Key Control (Y/N): Y
IFC Component: Policies & Procedures
Control owner: Collection Manager
Control Type: Manual
System used: N.A.
Frequency: Event based
Preventive / Detective: Preventive
Financial statement assertion 1: N.A.
Financial statement assertion 2: N.A.
Testing procedure: 1. Verify the standard checklist. 2. Check the vendor file on a sample basis. 3. Inspect the approval mail.
Evidence Documentation: Standard checklist, vendor file and approval mail
Walkthrough details: Evidenced by observing the checklist, reports and approval mails
Process clarifications: N.A.
Gap / improvement opportunity:
Business Impact:
Recommendation:
Responsible Person:
Management Response:
Target Implementation Date:
Testing
Elements of the testing cycle: Testing plan (who, when, time estimate); Extent of testing; Test population / sample size; Document results; Exceptions and failures
Testing – Test of Design vs Test of Operating Effectiveness
Test of Design: internal control is designed effectively when the controls in place would meet the control objectives and be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements.
Test of Operating Effectiveness: internal control is operating effectively when a properly designed control is operating as designed and the individual performing the control possesses the necessary authority and qualifications to perform the control effectively.
Test Plan – factors to be considered
Who
• Testing by internal audit
• Testing by others under the direction of management
• Self-assessment process with procedures to verify
• Use of service organization reports for outsourced processes
When
• Year-end / on-going
Time estimate
• No. of processes, risks, controls and tests
• No. of key controls, manual / automated
• Results of test of design
• Nature of documentation templates
• Deficiencies
How
• Nature of tests to be used
• Extent of testing
Test Operating Effectiveness
1. Identify controls to be evaluated
2. Plan test of controls
3. Perform test of controls
4. If controls are effective, document the successful control test; if controls are not effective, document the control deficiency
5. Prioritize control deficiencies based on risk and cost / benefit
6. Develop remediation plan
7. Implement remediation plan and retest
Testing
Test procedures are developed to test controls. These procedures may be in the nature of:
• Inquiries of appropriate personnel
• Inspection of documents, reports, or electronic files indicating performance of the control
• Observation of the application of a specific control
• Re-performance of the application of the control

Inquiry and observation are less persuasive forms of evidence than inspection and re-performance.
Testing of Manual Controls
“Audit sampling” means the application of audit procedures to less than 100% of the items within an account balance or class of transactions to enable the auditor to obtain and evaluate audit evidence about some characteristic of the items selected in order to form or assist in forming a conclusion concerning the population.

Factors to be considered while selecting the sample size:
• Materiality
• Complexity
• Judgment involved
• Competence required
• Impact of changes in volume or personnel involved in the process
• Significance of the control (multiple assertions, only control, etc.)

Source: SA 530 (AAS 15) issued by ICAI


Sampling Process
1. Define the test objective
2. Define a failure
3. Determine the population
4. Select the sampling approach
5. Calculate the sample size
6. Select the sample
7. Perform the test and evaluate the results
Sample testing plan (manual controls)
Nature of control | Frequency of performance of the control | Number of selections – risk of failure is lower | Number of selections – risk of failure is higher
Manual | Many times per day | 25 | 40
Manual | Daily | 15 | 25
Manual | Weekly | 5 | 8
Manual | Monthly | 2 | 3
Manual | Quarterly (including period end) | 1 | 1
Manual | Annually | 1 | 1
Source: As per SIA 5

Sample testing plan (planned deviations)
Nature of control | Frequency of performance of the control | Number of selections – no deviations planned | one deviation planned | two deviations planned
Manual | Many times per day | 25 | 50 | 100
Manual | Daily | 15 | – | –
Manual | Weekly | 5 | – | –
Manual | Monthly | 2 | – | –
Manual | Quarterly | 1 | – | –
Manual | Annually | 1 | – | –
Programmed controls: test one instance of each programmed control.
General computer controls: follow the guidance above for the manual and programmed aspects of general computer controls.
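As an added example, not code from the presentation, the following Python script puts the sampling process and the two sample-size tables above into one runnable test of operating effectiveness: it looks up the number of selections for a control's frequency and risk of failure, draws a reproducible random sample from a population, and applies the decision rule that the control is concluded effective only when the deviations found do not exceed the deviations planned. The frequency and risk labels, the voucher population, the set of vouchers lacking approval and the seed are all constructed for the example. The page gives planned-deviation sample sizes only for controls performed many times per day, so the script refuses other combinations instead of guessing a number.

```python
"""Attribute sampling for a test of operating effectiveness (added example)."""
import random

# Selections by frequency of performance and risk of failure (first table above).
SAMPLE_SIZES = {
    ("many_per_day", "lower"): 25, ("many_per_day", "higher"): 40,
    ("daily", "lower"): 15,        ("daily", "higher"): 25,
    ("weekly", "lower"): 5,        ("weekly", "higher"): 8,
    ("monthly", "lower"): 2,       ("monthly", "higher"): 3,
    ("quarterly", "lower"): 1,     ("quarterly", "higher"): 1,
    ("annually", "lower"): 1,      ("annually", "higher"): 1,
}
# Selections when deviations are planned (second table gives only this row).
PLANNED_DEVIATION_SIZES = {
    ("many_per_day", 0): 25, ("many_per_day", 1): 50, ("many_per_day", 2): 100,
}


def sample_size(frequency, risk="lower", planned_deviations=0):
    """Number of selections for the control; refuse what the plan does not cover."""
    if planned_deviations:
        key, table = (frequency, planned_deviations), PLANNED_DEVIATION_SIZES
    else:
        key, table = (frequency, risk), SAMPLE_SIZES
    if key not in table:
        raise ValueError(f"sampling plan has no entry for {key}")
    return table[key]


def select_sample(population, size, seed):
    """Random selection without replacement. The seed goes into the work paper
    so a reviewer can regenerate exactly the same selection."""
    if size > len(population):
        raise ValueError("sample larger than population")
    return sorted(random.Random(seed).sample(list(population), size))


def evaluate(test_results, planned_deviations=0):
    """test_results maps item id -> True if the control was evidenced.
    Returns ('effective' | 'deficiency', sorted list of deviating items)."""
    deviations = sorted(item for item, ok in test_results.items() if not ok)
    conclusion = "effective" if len(deviations) <= planned_deviations else "deficiency"
    return conclusion, deviations


# Constructed population: 400 vendor payment vouchers, 6 of which lack an approval.
POPULATION = [f"PV-{n:04d}" for n in range(1, 401)]
MISSING_APPROVAL = {"PV-0017", "PV-0088", "PV-0154", "PV-0219", "PV-0301", "PV-0377"}


def approval_present(voucher_id):
    """Stand-in for inspecting the approval mail or signature on the voucher."""
    return voucher_id not in MISSING_APPROVAL


def run_test(frequency="many_per_day", risk="higher", planned_deviations=0, seed=2024):
    """Steps 5 to 7 of the sampling process for the payment approval control."""
    size = sample_size(frequency, risk, planned_deviations)
    sample = select_sample(POPULATION, size, seed)
    results = {v: approval_present(v) for v in sample}
    conclusion, deviations = evaluate(results, planned_deviations)
    return {"sample_size": size, "sample": sample,
            "conclusion": conclusion, "deviations": deviations}


if __name__ == "__main__":
    outcome = run_test()
    print(outcome["sample_size"], outcome["conclusion"], outcome["deviations"])
```

Recording the seed alongside the population definition is what makes the selection defensible: the same inputs reproduce the same sample, so a deviation cannot be explained away as a different draw. A failed sample (conclusion "deficiency") feeds the deficiency evaluation later in the deck rather than a re-draw.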
Test of Design – Template
Prepared By / Date:
Reviewed By / Date:
Location:
Mega Process / Sub Process:
Inquiry with (name, title and date):
Corroborated with (name, title and date):
1 RCM Ref. No.:
2 Control Objective:
3 Control Description:
4 Performer of control:
5 Performer of activity:
6 Control Profile:
7 Test Procedures Performed:
8 Documents collected:
9 Activities observed / traced in the system:
10 Activities re-performed:
11 TOD Conclusion:
Test of Design – Inquiry Sheet (columns: Sr. No., Inquiry Question, Reply obtained, Comments)
1 Is there any change in the nature of the control? (e.g. manual to automated, change in frequency, change in personnel performing the control)
2.1 Are there any other types of transactions that are not covered by this control?
2.2 How do you ensure that all the transactions are subjected to this control?
3.1 How do you ensure correctness? (e.g. all / sample transactions are checked, reliance on alternate procedures, what reports and other information are used and how)
3.2 How would you know if an error has occurred? (what would you look for to determine that an error has occurred, and what types of errors are identified)
3.3 In case of your absence, who performs the control?
4.1 Are there any alternate controls that would prevent / detect errors if this control is not performed?
5.1 How are the exceptions reported and acted upon?
5.2 Have you experienced situations where the control does not function as intended? (e.g. past history where reports did not run, processing errors, need for corrective actions, reviews that did not take place, etc.)
5.3 Can this control be bypassed? (e.g. consider estimates, non-routine transactions, exceptional situations)
6.1 Are authorization, recording and/or custody with the same individual?
6.2 If the answer to the above is yes, what is the mechanism to ensure that objectivity is not hampered?
7.1 Stress test for the control:
a) What is the volume of transactions?
b) What is the time required to perform the control?
c) What other job responsibilities does the person have?
d) Is the time available sufficient to perform the control?
7.2 How does data from this sub-system flow into the next sub-system / SAP? (e.g. are interfaces between processes manual or automatic? What controls are in place to manage these?)
7.3 Any other question that you may ask
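Inquiry 6.1 asks whether authorization, recording and/or custody sit with the same individual. The Python script below is an added example, not part of the presentation, that answers that question from a user-to-role access extract rather than from interview. The role names, the duty each role confers, the conflict pairs and the CSV extract are all constructed for the example; a real test would read the user-to-role assignment report from the ERP and apply the company's own conflict matrix. It also handles the two traps that make such reports misleading: assignments that have already expired on the test date, and roles the conflict matrix does not know, which are reported as gaps rather than silently treated as clean.

```python
"""Segregation-of-duties check over a user-to-role access extract (added example).

Role names, duty mapping, conflict matrix and the CSV extract below are
constructed for illustration; they are not the presenter's data.
"""
import csv
import io
from collections import defaultdict

# Constructed: the duty each ERP role confers in the procure-to-pay process.
# None marks display-only access that confers no duty.
ROLE_DUTIES = {
    "PO_APPROVE": "authorize_purchase",
    "VENDOR_MASTER_MAINT": "authorize_vendor",
    "AP_INVOICE_POST": "record_invoice",
    "PAYMENT_RELEASE": "custody_payment",
    "AP_INQUIRY": None,
}

# Constructed conflict matrix: duties that must not sit with one person.
CONFLICTS = {
    frozenset({"authorize_vendor", "record_invoice"}):
        "can create a vendor and post invoices against it",
    frozenset({"record_invoice", "custody_payment"}):
        "can post an invoice and release its payment",
    frozenset({"authorize_purchase", "record_invoice"}):
        "can approve a purchase and record the resulting liability",
}

# Constructed access extract: user, role, validity end date (ISO format).
EXTRACT = """user,role,valid_to
rkumar,VENDOR_MASTER_MAINT,9999-12-31
rkumar,AP_INVOICE_POST,9999-12-31
ameh,AP_INVOICE_POST,9999-12-31
ameh,PAYMENT_RELEASE,2023-03-31
ameh,AP_INQUIRY,9999-12-31
psingh,PO_APPROVE,9999-12-31
psingh,ZZ_CUSTOM_ROLE,9999-12-31
"""


def load_extract(text):
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unmapped_roles(rows):
    """Roles the duty mapping does not know. Each one is a gap in the test,
    not a clean result, so they are reported separately from conflicts."""
    return sorted({r["role"] for r in rows if r["role"] not in ROLE_DUTIES})


def duties_by_user(rows, as_of):
    """Active duties per user as of the test date. ISO dates compare correctly
    as strings, so an assignment whose valid_to is before as_of is dropped."""
    duties = defaultdict(set)
    for r in rows:
        if r["valid_to"] < as_of:
            continue
        duty = ROLE_DUTIES.get(r["role"])
        if duty:
            duties[r["user"]].add(duty)
    return duties


def find_conflicts(rows, as_of):
    """Return (user, conflicting duties, explanation) for every user holding
    both duties of a conflict pair as of the test date."""
    findings = []
    for user, duties in sorted(duties_by_user(rows, as_of).items()):
        for pair, why in CONFLICTS.items():
            if pair <= duties:
                findings.append((user, tuple(sorted(pair)), why))
    return findings


if __name__ == "__main__":
    rows = load_extract(EXTRACT)
    print("unmapped roles:", unmapped_roles(rows))
    for user, pair, why in find_conflicts(rows, "2024-01-01"):
        print(f"{user}: {' + '.join(pair)} -> {why}")
```

Run as of 2024-01-01 the script reports only rkumar (vendor creation plus invoice posting, the same combination listed as deficiency 6 in the classification exercise later in the deck); run as of 2023-01-01 it also reports ameh, whose payment-release role was still valid then. The unmapped ZZ_CUSTOM_ROLE is flagged so the tester resolves what it grants instead of concluding on an incomplete matrix.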
Test of Operating Effectiveness – Template
1 Person performing the test:
2 Date of test:
3 Location:
4 Mega Process:
5 Key Control ID:
6 Key Control Description:
7 Control Owner:
8 Test Objective:
9 Control Frequency:
10 Sample Period:
11 Sample Size:
12 Basis of sample selection:
13 Test Steps selected:
14 Test Procedures:
15 Conclusion:
16 Retest required?
17 Retest result:
Deficiency and Material Weakness
Internal Control Deficiency: exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Significant Deficiency: an internal control deficiency or combination of control deficiencies that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably, such that there is a more-than-remote likelihood that a misstatement that is more than inconsequential will not be prevented or detected.
Material Weakness: a significant deficiency or combination of significant deficiencies that results in a more-than-remote likelihood that a material misstatement will not be prevented or detected.
Steps to assess deficiencies
Assessing the deficiencies – factors:
• The nature of the financial statement accounts, disclosures, and assertions involved
• Values involved
• The susceptibility of the related asset or liability to loss or fraud
• Complexity in determining the amount involved
• History of errors
• Complexity of the control
• The interaction of the deficiencies
• The possible future consequences of the deficiency

Evaluation of deficiencies
Type of deficiency | Likelihood of occurrence | | Magnitude of misstatement
Internal control deficiency | Remote | and | Inconsequential
Significant deficiency | More than remote | and/or | More than inconsequential
Material weakness | More than remote | and/or | Material
Classification of Deficiencies
Classify the following deficiencies (answer shown after each item):
1 Understatement of NPA by accounting for cheques collected on cut-off dates as demand drafts (understatement by 12%) – Material weakness
2 12% of procurement is from blacklisted vendors – Deficiency
3 Ineffective internal audit function – Can be either
4 No action taken on more than 50% of critical internal audit observations for more than 1 year – Can be either
5 2 instances of double payment in a sample of 100 (0.1% excess payment) – Deficiency
6 Vendor creation and invoice processing done by the same person – Deficiency
7 Non-disclosure of a legal case filed by a customer for damaged product supplied (value of damage is 1% of total sales) – Significant deficiency
8 Points 2, 6 and 7 taken together – Significant deficiency
9 35% of payments processed without appropriate authorization – Deficiency
Remediation & Reporting
Cycle: Identify deviations; Root cause analysis; Remediation plan; Re-test; Reporting

Reporting on Internal Controls
• Unqualified opinion
• Qualified opinion
To sum up… Placing more accountability and responsibility on the Board and AC with respect to IFC, the 2013 Act is attempting to align corporate governance and financial reporting standards with global best practices.
Benefits of IFC:
• Enhanced control environment
• Senior management accountability
• Improved compliance with laws
• Accountability of operational management
• Improved control over FR processes
• Support to CEO / CFO certification
• Improved investor confidence
• Audits more comprehensive
• More accurate and reliable FS
• Promotes a culture of transparency
Thank You

DISCLAIMER
This presentation has certain references obtained from published sources and there is no separate claim of an IPR on these. The information used herein is for educational purposes and not in any way for commercial use. This presentation cannot be copied and/or disseminated in any manner. This communication is for general information purposes only, without regard to specific objectives, financial situations and needs of any particular person. The information contained in this presentation is only current as of its date. Any reliance placed by a reader/viewer on the information contained in this presentation is wholly at their risk. Copyright of the presentation solely and exclusively belongs to Tata Capital Ltd, and regardless of the purpose, any reproduction and/or use of this presentation in any shape or form without the prior written consent of Tata Capital Ltd is strictly prohibited.
