Role in Governance
Practical Case Study
“Internal Financial Control”
Speakers
CA S Bhaskar- Chief Internal Auditor- Tata Capital Ltd.
CA Nirav Shah - Head-Internal Audit- Tata Capital Housing Finance Ltd.
Context for IFC?
• SOX Act 2002, HIPAA, J-SOX and PCI-DSS are a few examples of
regulatory changes introduced by the western world.
Now
• Sec 134 (5) (e) – Directors’ Responsibility to state that they have laid down IFC to be followed by the company and such controls are adequate and operating effectively (Listed Company)
• Sec 177 (4) (vii) & Clause 49 (III) (D) – Audit committee to evaluate internal financial control and risk management systems
• CEO & CFO – Clause 49 of listing agreement – Accept responsibility for establishing and maintaining IC for FR and that they have evaluated the effectiveness of ICS of the company
• Sec 143 (3) (i) & Sec 143 (12) – The auditor’s report shall also state whether the company has adequate internal financial control system in place and the operating effectiveness of such control
IFC definition as per Companies Act
Policies and procedures adopted by the company for ensuring orderly and
efficient conduct of its business
Including
– Adherence to company’s policies
• Fraud risks and controls at the process level to be understood and are
demonstrable
Regulator’s
External Auditor
Finance controller
Operational and
Compliance
Business Units
Risk Management Internal Audit
IS
Quality / process
To Whom / When IFC is applicable?
How to Test?
Framework &
Management IA may help Management
Scope
Board Review
Control Frameworks
● COSO Framework
● Guidance on assessing controls published by Canadian Institute of Chartered Accountants
● Report published by Institute of Chartered Accountants in England and Wales, “Internal Control: Guidance for directors on combined code” (known as Turnbull report)
Elements of Applicability to
Internal Control Business
Why COSO?
Applies internal control to any type of entity, regardless of industry or legal structure, at the
levels of entity, operating unit, or function
Expands the application of internal control beyond financial reporting to other forms of
reporting, operations, and compliance objectives
A principles-based approach that provides flexibility and allows for judgment in designing,
implementing, and conducting internal control—principles that can be applied at the entity,
operating, and functional levels
Dominant and most widely recognized Internal Control framework and Recommended by
major accounting and auditing organizations and
Internal Control - Definition
Internal control is a process,
- effected by an entity’s board of directors, management, and other personnel,
- designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and
compliance
Effected by people
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Entity Level Vs. Process Level
assessment assertions
assessment
level
Entity and Process level controls
Classify below mentioned control activities between an entity level control and process /
account level control
Documentations
Define Materiality level
Identify ELCs
Identify Processes / Business cycles
Identify significant ALC
Materiality
Existence - Assets, liabilities and ownership interests exist at a particular point in time
Occurrence - Recorded transactions represent economic events that actually occurred during the period.
Corollary of occurrence is recording – All transactions that occurred during the specific period have been
recorded.
Rights and Obligations - Assets and liabilities shown on the balance sheet are rights and obligations of the
enterprise at a certain point in time
Completeness & Accuracy - All transactions and economic events that occurred during the financial year have
been recorded in the financial statements. There are no unrecorded assets, liabilities, unrecorded revenue and
expenses and no omitted disclosures.
Presentation and Disclosure - Items in financial statements are properly described and fairly represented
Valuation - Assets, liabilities, revenue and expenses are recorded in the financial statements at appropriate
amounts in accordance with accounting principles
Financial Statement Assertions
Map financial statement assertions against each of below mentioned control objective
- including what controls should be implemented to mitigate the risk to an acceptable level.
Classify Risk
Identify Controls
RA – Factors to be considered
Identify controls
Classify Design
Identify for testing
Deficiencies
Remediate
Example – Documentation of Process
Documentation of Risk & Control Matrix
Process Branch collections activity
Sub-Process empanelment of field agency
Risk CIBIL, internal dedupe report not considered for vendor
recommendation
Business Impact
Recommendation
Responsible Person
Management Response
Target Implementation Date
Testing
Testing Plan
(Who, When,
time Estimate)
Who
• Testing by internal audit
• Testing by others under the direction of management
• Self-assessment process with procedures to verify
• Use of service organization reports for outsourced processes
When
• Year-end / On-going
Factors to be considered
Time Estimate
• No. of Process, Risk, Controls and tests
• No of Key controls, Manual / Automated
• Results of Test of Design
• Nature of documentation templates
• Deficiencies
How
• Nature of tests to be used
• Extent of testing
Test Operating Effectiveness
Identify controls to be evaluated
Inquiry and observation are less persuasive forms of evidence than inspection and
re-performance.
Testing of Manual Controls
“Audit sampling” means the application of audit procedures to less than 100%
of the items within an account balance or class of transactions to enable the
auditor to obtain and evaluate audit evidence about some characteristic of the
items selected in order to form or assist in forming a conclusion concerning
the population.
Manual Daily 15 25
Manual Weekly 5 8
Manual Monthly 2 3
Manual Annually 1 1
Manual Daily 15
Manual Weekly 5
Manual Monthly 2
Manual Quarterly 1
Manual Annually 1
General Computer Controls Follow the guidance above for manual and
programmed aspects of general computer
controls.
Test of Design – Template
Prepared By: Date:
Reviewed By: Date:
Location
Mega Process Sub Process
Inquiry with (Name, title and date) Corroborated with (Name, title and date)
Sr. No. Particulars Details
1 RCM Ref. No.
2 Control Objective
3 Control Description
4 Performer of control
5 Performer of activity
6 Control Profile
7 Test Procedures Performed
8 Documents collected
9 Activities observed/traced in the system
10 Activities re-performed
11 TOD Conclusion
Test of Design – Inquiry Sheet
Sr. No. Inquiry Question Reply obtained Comments
1 Is there any change in the nature of the control?
(e.g. manual to automated, change in frequency, change in personnel
performing the control)
2
2.1 Are there any other types of transactions that are not covered by this
control?
2.2 How do you ensure that all the transactions are subjected to this
control?
3
3.1 How do you ensure correctness?
(e.g. all / sample transaction are checked, reliance on alternate
procedures, what reports and other information is used and how)
3.2 How would you know if error has occurred?
(what would you look for to determine that error has occurred and what
types of errors are identified)
3.3 In case of your absence who performs the control?
4
4.1 Are there any alternate controls that would prevent / detect errors if this
control is not performed?
5
Test of Design – Inquiry Sheet
Sr. No. Inquiry Question Reply obtained Comments
5
5.1 How are the exceptions reported and acted upon?
5.2 Have you experienced situations where control does not function as intended?
(e.g. past history where reports did not run, processing errors, need for corrective
actions, reviews do not take place, etc.)
5.2 Whether this control can be bypassed?
(e.g. consider estimates, non routine transactions, exceptional situations)
6
6.1 Whether authorization, recording and/or custody is with the same individual?
6.2 If answer to the above is yes, what is the mechanism to ensure that objectivity is not
hampered?
7
7.1 Stress Test for the control
a) What is the volume of transactions?
b) What is the time required to perform the control?
c) What are the other job responsibilities with the person?
d) Whether the time available is sufficient to perform the control?
7.2 How does data from this sub-system flow into next sub-system/SAP?
(e.g. are interfaces between processes manual or automatic? What controls are in
place to manage these?)
7.3 Any other question that you may ask
Test of Operative Effectiveness - Template
Sr No Particulars Details
1 Person performing the test:
2 Date of Test
3 Location
4 Mega Process
5 Key Control ID
6 Key Control Description
7 Control Owner
8 Test Objective
9 Control Frequency
10 Sample Period
11 Sample Size
12 Basis of sample selection:
13 Test Steps selected
14 Test Procedures
15 Conclusion
16 Retest required ?
17 Retest result
Deficiency and Material Weakness
• Values involved
• History of errors
Classification of Deficiencies
Identify Deviations
Root cause analysis
Reporting
Remediation plan
Re-test
Reporting on Internal Controls
Qualified Opinion
Unqualified Opinion
To Sum up… By placing more accountability and responsibility on the Board and AC with
respect to IFC, the 2013 Act is attempting to align the corporate governance and financial reporting
standards with global best practices
Benefits of IFC
• Enhanced control environment
• Senior Management Accountability
• Improved compliance to laws
• Accountability of operational Mgt
• Improved Control over FR processes
• Support to CEO / CFO Certification
• Improved investors confidence
DISCLAIMER
This presentation has certain references obtained from published sources and there is no separate claim of an IPR on these. The information used herein, is for
educational purposes and not in any way for commercial use. This presentation cannot be copied and/or disseminated in any manner. This communication is for
general information purpose only, without regard to specific objectives, financial situations and needs of any particular person. The information contained in this
presentation is only current as of its date. Any reliance placed by a reader/viewers on the information contained in this presentation is wholly at their risk.
Copyright of presentation solely and exclusively belongs to Tata Capital Ltd, and regardless of the purpose, any reproduction and/or use of this presentation in any
shape or form without the prior written consent of Tata Capital Ltd is strictly prohibited.