Executive Summary
The Companies Act, 2013 has placed additional responsibility on the statutory auditor to report on the Internal Financial Control of the company as per clause (i) of sub-section 3 of section 134. Although the section was notified in 2014-15 the requirement for reporting on the Internal Financial control has been deferred by a year and has become mandatory from 2015-16. The Companies Act, 2013 has also introduced the concept of internal audit in section 138.
As a general practice prior to introduction of the internal financial control, the statutory auditor reported controls under Companies (Auditor’s Report) Order, 2015 / 2003 (CARO) which was restricted to the adequacy of controls over purchase of inventory and fixed assets and sale of goods and services. The internal auditors on the other hand generally reported on internal controls or carry risk based internal audit which primarily focus on the risk involved in the activities or system and provide assurance regarding management of risk of the functional or the operational areas of the company as per the scope decided by the management / audit committee.
With the introduction of internal financial control, the scope and responsibilities of the statutory auditor and the internal auditor with respect to reporting on the controls of the company has resulted in ambiguity.
This article is an attempt to bring out the distinction between the roles of statutory auditor and the internal auditor of the company and integration between the internal audit and internal financial control.
Definition
Guidance notes issues by Institute of Chartered Accountant of India on September 2015 states that Internal financial control over financial reporting shall mean a process designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
As per section 134 of Companies Act, 2013 the term internal financial control means policies and procedures adopted by company for ensuring orderly and efficient conduct of its business, including adherence to companies policies, safeguarding of its assets, prevention and detection of fraud and errors, accuracy and completeness of accounting records and timely preparation of reliable financial information.
Thus, internal financial control includes internal financial control over financial reporting, operational control and controls for prevention of fraud.
The Institute of Chartered Accountant of India defined internal audit as an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.
On analysis of the above definition, it is evident that the focus of internal audit on mostly on the functioning of the entity and improvement suggested thereto whereas the internal financial control includes the financial impact of lack of control and control for prevention of fraud. The approach of internal financial control considers all the areas which effects the financial statement of the company.
Requirement of Companies Act, 2013 and applicability
The scope of reporting of internal financial control is as per clause (i) of sub-section 3 of section 143 of Companies Act, 2013. The responsibility of reporting has been placed on the statutory auditor in addition to the reporting on the financial statement. Management responsibility and the auditor’s responsibility has been specifically defined for the purpose. The directors of listed companies are made responsible as per clause ( e ) of sub-section 5 of section 134 of the Companies Act, 2013.
As section 143 (3) applies to statutory auditors of all the companies. Hence it appears that auditors of all the companies are required to report on the internal financial control.
Section 138 of the Companies Act, 2013 makes it mandatory for certain companies listed below to appoint internal auditor who shall be chartered accountant, cost accountant or such other professional as decided by the Board of the company to conduct internal audit and other functions of the company. The companies which are required to conduct internal audit are:
· All the listed companies,
· Unlisted companies having paid up share capital of Rs. 50 crores or more during the preceding financial year or turnover of Rs.200 crore rupees or more during the preceding financial year or outstanding loans or borrowings from banks or financial institutions exceeding Rs. 100 crores or more at any point of time.
· Every private company having turnover of Rs.200 crores or more during the preceding financial year or having outstanding loans or borrowing from banks or public financial institution exceeding Rs.100 crore or more at any point of time during the preceding financial year.
From the above definition of ICAI and the applicability of Companies Act, 2013 for the internal audit and the internal financial control, it appears that the scope of internal financial control has wider implication than the internal audit. Further, in internal financial control, the auditor has to address various fraud risk and the impact on the financial statement of the company whereas in the internal audit assignment the focus is on the various activities and the functioning of the company. /span>
Scope
The scope of internal audit will be decided by the audit committee of the company or the board in consultation with the internal auditor along with the functioning, periodicity and methodology for conducting the internal audit.
The Companies Act, 2013 has significantly expanded the scope of internal controls to cover all aspects of operations of the company including the policies and procedures adopted by the company, safeguarding its assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records and timely preparation of reliable financial information.
The controls which are generally taken into consideration for evaluation of internal financial controls are:
· Controls at the entity level
· IT General controls
· Controls at process / transaction level
Role of Management
Companies Act, 2013 defines the director’s responsibility in clause (e ) of sub-section 5 of section 134. The act requires the directors of listed company to state that they have laid down the internal financial control which is required to be followed by the company. Directors are also required to state that the financial controls are adequate and they are operating effectively.
Further, as per Rule 8 (5) (vii) of Companies (Accounts) Rule, 2014 Board of Directors of all companies should state in details the adequacy of internal financial controls with reference to financial statement.
Companies Act, 2013 is however silent on the responsibilities of the management except for deciding the scope of internal audit in consultation with the internal auditor.
Reporting responsibility
The report for the internal financial controls would be issued as per auditing standard SA 700 “Forming an opinion and reporting on the financial statements”. The auditor addresses the shareholders / members of the company regarding the operating effectiveness of the internal financial control of the company. The report is issued as an annexure to the independent auditor’s report along with the financial statement of any company as per the requirement of clause (i) of sub-section 3 of section 143 of the Companies Act, 2013.
The internal audit report is generally presented to the Audit committee of the company or those charged with governance in the company. The internal audit report is considered to be internal document of the organization. The statutory auditor can however use the internal audit report as per auditing standard SA 610 “Using work of internal auditors” as per his / her discretion.
Thus, on interpretation of the Companies Act, 2013 the responsibility for the reporting of Internal financial controls has more importance as it would be used by the members and other external parties who has stake in the company.
Integration of Internal Financial Controls with Internal audit
· The Internal Financial Control includes all aspects of operation of the company including the policies and procedures. Thus, the internal financial control provides a holistic view of the company. It would help the internal auditor in scoping and planning the Audit calender.
· Since the emphasis of Internal Financial Control is on the policies and procedures of the company, it imparts process understanding of the company to the internal auditor and facilitates the risk assessment.
· The internal auditor can use the risk control template for control testing and the validation process.
· Internal auditor can provide assurance on the risk mitigation to the audit committee and to Those Charged with Governance prior to the financial closing process.
· The risk control matrix would help the internal auditor to focus on the risk involved in the activities or the system and provide remedial action / suggestion to the management regarding management of the risk identified.