November 9, 2015
In the aftermath of major global financial frauds, several countries enacted legislation around financial reporting controls that mandates that the board of directors, senior management and the auditors of the financial statements assess and report on the adequacy and effectiveness of an organization’s internal control over financial reporting, with an objective of enhancing the robustness of the corporate governance structure in place. The enactment of The Companies Act, 2013 (“Act”) was a major step towards this objective in India.[1] More recently, the Institute of Chartered Accountants of India (ICAI) issued an updated “Guidance Note on Audit of Internal Financial Controls Over Financial Reporting” (“Guidance Note”) in September 2015 that toughens the requirements in The Companies Act by involving the external auditor in the compliance process in a substantive way.[2]
This Flash Report provides an overview of the requirements, which apply to all companies listing their stock on an Indian stock exchange, public companies not listed on an Indian stock exchange (unlisted public companies), and private companies, irrespective of where the companies are domiciled.
Definition of the Scope of Internal Control
The Companies Act introduces the term, internal financial controls (IFC), and defines it as “the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to [the] company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.” For companies listed on an Indian stock exchange, the Act states that the board of directors is responsible for issuing a Directors’ Responsibility Statement (DRS) that must assert, among other things, that the directors have established IFC that are adequate and operating effectively. This requirement effectively stipulates that the board is responsible for the overall control environment that ensures reliable financial reporting.
The Guidance Note engages external auditors of listed companies, unlisted public companies and private companies using the term, internal controls over financial reporting (ICFR). It defines ICFR as “a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.”
[2] See www.moneycontrol.com/news_html_files/news_attachment/2015/Internal%20Fin... %20ICAI%20Guidance%20Note%20-%20September%202015.pdf for the ICAI standard.
Individuals familiar with compliance with Sarbanes-Oxley Section 404 in the United States will recognize that the above definition is similar to the one adopted by the regulators (Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board) in that country. While IFC is addressed by the board of directors in its DRS for listed public companies, Rule 8 requires private companies to report only on IFC for financial reporting. ICFR defines the scope of the audit by the statutory auditors in expressing an opinion on the effectiveness of internal control relating to the financial statements. As in the United States, this opinion encompasses both design effectiveness and operating effectiveness of ICFR. Readers will note there is considerable overlap between IFC and ICFR.
Applicability of the Requirements
Reporting with respect to IFC and ICFR is applicable to all Indian subsidiaries, associates and joint venture companies (on a standalone basis) of global multinationals registered under The Companies Act, 2013, irrespective of where the holding or group company is located. This requirement is specific to Indian law and is in addition to reporting required in other countries, including compliance with Sarbanes-Oxley requirements in the United States where the global/group company is an SEC registrant.
In determining whether the Act and Guidance Note apply, a threshold is provided for listed and unlisted public companies by Rule 8(4) of Companies (Accounts) Rules, 2014[3] of Rs 25 crs (250 million rupees, or US$3.7 million using current exchange rates) of paid up share capital, which is calculated as of the end of the preceding financial year. “Paid up share capital” is defined as the “aggregate amount of money credited as paid up as is equivalent to the amount received as paid up in respect of shares issued and also includes any amount credited as paid up in respect of shares of the company, but does not include any other amount received in respect of such shares.” However legal counsel advises companies to apply this provision in view of their specific circumstances, the threshold is relatively low, i.e., most companies will likely be required to comply. Surprisingly, the Act does not mention any threshold for private companies.
Pursuant to Sections 134(3)(c) and 134(5)(e) of The Companies Act, the directors of all listed Indian companies must issue a DRS addressing the adequacy and effectiveness of IFC. With respect to ICFR, Section 143(3)(i) of the Act stipulates that the statutory auditors must issue an opinion in the auditors’ report on the adequacy and operating effectiveness of ICFR for all companies including consolidated financial statements. In accordance with the Guidance Note and Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014, the directors and the statutory auditors of all other companies (within the class of companies as mentioned above and including unlisted public and private companies) are also required to report on the adequacy and operating effectiveness of IFC and ICFR within the DRS and auditors’ report, respectively.
[3] See the rules at www.mca.gov.in/Ministry/pdf/NCARules_Chapter9.pdf. Note that the English version begins on page 30.
For Indian listed companies, the board’s assertion regarding the adequacy and effectiveness of IFC in the DRS is required for fiscal years ending on or after March 31, 2015. Therefore, this reporting is already effective. The auditor’s opinion on the effectiveness of ICFR, however, is not effective until fiscal years ending on or after March 31, 2016. With respect to the remaining classes of companies beyond listed companies, the requirements relating to both the DRS and auditors’ report are effective for fiscal years ending on or after March 31, 2016.
Thus, for all Indian companies and subsidiaries, associates and joint venture companies of global multinationals that have yet to determine that effective IFC/ICFR is in place, it is imperative that they start planning their approach to making that determination very soon.
Comparison with U.S. Sarbanes-Oxley Requirements
The Sarbanes-Oxley Act of 2002 in the U.S. states that all SEC registrant companies must issue an internal controls report annually and companies meeting certain threshold requirements must engage the external auditor to express an opinion on ICFR. Thus, management must establish a framework for their financial reporting and must document, test and maintain the internal controls within that framework to support an assertion that such controls are effective in terms of both design and operation.
The reporting requirement under Section 302 of Sarbanes-Oxley requiring an executive certification as to the “corporate responsibility for financial reports” is very similar to the Indian IFC reporting requirement by the board. The executive certification requires reporting on the effectiveness of disclosure controls and procedures. The “management assessment of internal controls” under Section 404, which requires an annual internal control report by management and an attestation by statutory auditors on the effectiveness of ICFR, is also very similar to the requirements of ICFR reporting under Indian law.
The Reporting Date
The Guidance Note issued by the ICAI states that the auditor should report on the adequacy of the internal control system and its operating effectiveness as of the balance sheet date, similar to the point-in-time assessment practice in the United States. In addition, all listed companies have to conform to the quarterly reporting requirements of the Securities and Exchange Board of India (SEBI), which states that the CEO and CFO of all listed companies should report their acceptance of responsibility for establishing, maintaining and evaluating the effectiveness of ICFR. However, Section 134(5)(e) of the Act does not specify any reporting intervals and periods. Thus, internal control should be operating effectively throughout the period/year under audit.
An Implementation Roadmap
The Guidance Note provided a flowchart illustrating the typical flow of an audit of ICFR. An adaptation of this flowchart is provided on the following page depicting four phases – planning, design and implementation, operating effectiveness, and reporting. Again, this process flow is very similar to the process undertaken in the United States.
The planning phase is especially critical, as it entails awareness sessions for the board, audit committee and appropriate management on the significance of IFC and ICFR, as well as planning for implementation of the evaluation process. The planning phase must also address establishing an appropriate internal controls framework covering entity level controls, information technology general controls and process controls relevant to leading industry and internal controls practices related to significant financial reporting elements. In this respect, a framework such as the COSO Internal Control – Integrated Framework may be useful. Training of process owners and other relevant staff may be required to familiarize them with the process and the critical importance of IFC/ICFR.
With respect to the design and implementation phase, it is necessary to perform an “as-is” and a “to-be” review of key internal controls within the critical business processes, as well as the appropriate information technology general controls and entity level controls. The objective of this review is to support management’s assertion as to the effectiveness of the controls design. Any gaps identified by the review must be addressed through enhancements to existing controls to meet the underlying financial reporting objectives or implementation of new controls to address the risks emanating from the gaps. This phase requires the performance of detailed walkthroughs of financial reporting processes and controls to corroborate understanding of the controls as part of the design effectiveness review. It also entails preparation of process narratives, flowcharts, and risk and control matrices for all the critical processes.
The operating effectiveness phase requires development and execution of test plans, identification of controls requiring remediation, and performance of retesting of the remediated controls. This phase results in assessing the severity of control deficiencies and formulation of a conclusion on the effectiveness of the controls.
Management will need to perform the above process to enable the board to issue the DRS and the auditor to express an opinion on a cost-effective basis. Through the process, there will be reporting to the board, audit committee and senior management on the outcome of the implementation. In addition, the board and management may find that outside resources are needed to complete the compliance project, particularly in the first year, e.g., as a fully outsourced function or as a co-sourced function with the internal audit team.
In the United States, experience has shown that internal control evaluations can be time consuming, particularly when an external auditor is involved. Under The Companies Act and the more recent Guidance Note, an auditor of a company is required to state in the audit report whether the company’s IFC system is adequate and operating effectively. Without adequate planning and experienced “know how,” a lot of time and money can be wasted in supporting this audit process. Any company – whether domiciled in India or a multinational operating in India – that believes it could be subject to the Act’s requirements should consult with legal counsel to ascertain its responsibilities and proceed accordingly to prepare itself for compliance.