India: Internal Financial Control (IFC) – A gambit for overall risk mitigation

published on 27 April 2022 | reading time approx. 4 minutes

The business plan and operations inherent the risks associated with it in all corners of internal departments and external business partners. Such risks can only be mitigated via strong internal control framework in an organization.

The global acceptable framework in this regard are The COSO, (The Committee of Sponsoring Organizations of the Treadway Commission) 2013 and internationally regulated under Sarbanes-Oxley Act (SOX). In Germany, it is regulated under The Control and Transparency in Business Act.
  

• Definition of Internal Financial Control (IFC) in India »

• Applicability to private companies »

• The gambit of IFC framework »

• Finding the gap »

• Key documentation in IFC »

• Conclusion »

Definition of Internal Financial Control (IFC) in India

Explanation to Section 135 (5) (e) of the Companies Act, 2013 defines the internal control as:
 

Applicability to private companies

Section 143(3)(i) of Companies Act, 2013 requires statutory auditor to comment on adequacy of internal financial controls system in place and the operating effectiveness of such framework of controls. Hence, it is applicable to all Companies except for the Companies specifically exempted vide exemption notification dated 13 June 2017 by Ministry of Corporate Affairs (MCA):

• Which is one person Company (OPC) or a Small Company; or
• Which has turnover less than Rs. 50 Crores as per latest audited financial statement or which has aggregate borrowings from banks or financial institutions or any body corporate at any point of time during the financial year less then Rs. 25 Crore.

Additionally, the above exemption is not applicable to private companies who have defaulted in filing annual financial statements to Registrar of Companies (ROC).
 
As per the guidance note issued by Institute of Chartered Accountant of India (ICAI), the definition of Internal financial controls under section 143(3) is restricted to only financial reporting. Therefore, it is  also referred as ICFR (Internal Controls on Financial Reporting). Further, the Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 also requires the Board of Directors’ report of all companies to state the details in respect of adequacy of internal financial controls with reference to the “financial statements” only.

 
The gambit of IFC framework

The whole framework of IFC is to mitigate the strategic risk, operations risk, compliance risk and financial risk. In order to ensure the proper control framework, companies have to first identify the entity level controls with respect to;

• Control environment: How is the current control environment ?
• Risk assessment: How are the current risks are assessed and mitigated ?
• Control activities: What are current policies and procedures ?
• Information and communication: How are the internal and external communication set-up?
• Monitoring: What are the method and frequency to monitor control?

The first phase of implementation of IFC for a Company starts with discussing in detail with each and every department, process owner and other stakeholders about the general processes, sub-processes, activities, controls, policies and procedures currently followed by each team, how these processes are interlinked with each other and what are the significant types of transactions for the particular company. Generally, the areas which are covered in IFC are as follows:

• Revenue from sale of goods & services (order to collection),
• Expenditure – purchase of goods and services (procurement to payment),
• Payroll (Hire to Retire),
• Inventory,
• Fixed assets,
• Regulatory including taxes (compliances with all applicable laws),
• Treasury and
• Financial reporting/book closure processes

 
Additionally, controls related to the general information technology structure of the organization is as well covered.
 

Finding the gap 

During the process of understanding current framework; the crucial task it to identify the gaps in the processes/controls and detailed discussion on possible alternatives which can be practically implemented in the Company considering several factors into considerations such as size, materiality, no. of employees, dependency and business model.
 
Generally, the timeline for the new process or mitigation plan should also be clearly defined and implemented by the management and all stakeholder of the said process.
 

Key documentation in IFC

From audit perspective, the most vital part would be the documentation/evidences maintained by the Company on IFC. Further, it will additionally serve dual purpose and help the company to monitor the internal control framework as a whole. Below are the list of key documents/evidences to be maintained:

• Complete process narrative
• Flowchart of all processes
• Risk Control Matrix for all areas
• Testing templates and Gap Analysis Report
   

Conclusion

Internal financial control implementation is an extensive internal task for a company, which would take considerable time and resources. It requires technical know-how on risk management and internal control framework. The new processes and plans to mitigate existing identified risk from gap analysis will require a lot of changes in an organization from strategy and operations perspective. The whole process generally takes from 3-6 months depending on the size of the company and it is advisable to initiate the process at least 1 year before of the applicability based on projection to avoid any qualification in audit report.