Worldwide there has been a growing realization among various government and regulatory authorities to have regulations that ensure strong internal controls are implemented in organizations to protect the interests of various stakeholders, particularly the shareholders. For instance, in India the new Companies Act, 2013 lays very strong emphasis on Internal Financial Controls (IFC) and holds the board to be directly responsible for overseeing its implementation and enforcement in the organization. The responsibility of the directors of a company with respect to internal financial controls is mentioned in Clause (e), sub-section (5) of Section 134 of the Act which states that "the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively". Another additional requirement mentioned in 143(3)(i) of the Act which is applicable from the current financial year is the need for statutory auditors to report on the adequacy and effectiveness of IFC. These requirements are similar to the U.S Sarbanes-Oxley Act (SOX) requirements and some experts are already referring to IFC as Indian version of SOX.
Expectations from Information Technology
The list of legal, statutory and regulatory requirements for organizations to comply with keeps increasing with every passing year. With the growing dependence of business on Information systems, the role of IT function over the years has evolved from a purely operational role to that of a being an enabler for achieving an organization’s strategic objectives. In such a scenario, the organization’s IT function needs to be prepared for any change in the regulatory requirements that may come up. Implementing the necessary internal controls into its operational processes would enable the IT function to meet the objectives set by the management and ensure adequate compliance.
Scope of IFC assessment
The Internal Financial Controls can be explained as the policies, processes and procedures adopted by the company to ensure the smooth and efficient functioning of the business, safeguarding the assets, preventing frauds and errors and ensuring the integrity ,accuracy and timely publication of the organisation’s financial reports. All the organisational processes which relate to financial reporting are considered to be in scope of an IFC assessment. Additionally, other operational processes covering nonfinance related activities could be included in scope depending on the role they play in effectively running the business and the impact that any deviation in the normal working of such processes could have on the organization’s reputation or revenue. From a purely IT perspective, any IT policy, procedure or process which directly or indirectly supports IFC would also fall under the purview of an IFC assessment. So all financially critical applications and the systems and platforms supporting them would be considered in the scope of an IFC assessment.
Approach for control selection for IT
A top-down approach is followed to identify the risks and the internal controls to be tested. The internal financial controls are classified into the following broad areas
Entity level controls (ELC): ELC are controls that are strategic in nature having organization-wide scope such as organizational policies and procedures where direct management oversight is required e.g. Business continuity Plan, Entity Level IT Usage Policy. The controls are finalized based on the understanding gained from discussion with the relevant stakeholders. For ELC, an entity level questionnaire is prepared by the assessors and management interviews are conducted for better understanding the organization. Post the discussions and interviews a signoff is obtained on the selected controls by the relevant management personnel which becomes the basis for preparing the ELC document. ELC are usually mapped to a globally recognized framework such as COSO 2013 as shown in the sample below (Refer Table 1).
Process Level Controls (PLC): The PLC controls are more operational in nature covering the IT processes and procedures such as Change management process, Backup procedure etc. Here the process owners are interviewed to identify the risks of material misstatements and the controls in place to address those risks. Post the discussions and interviews a signoff is obtained on the controls by the process owners which becomes the basis for preparing the risk and control matrix (RCM).The RCM maps the risks against the controls and the evidences are sought to verify the effectiveness of the implemented controls. The IT General Controls (ITGC) are included as part of the unified RCM and usually mapped to a globally recognized framework such as COSO 2013. A sample entry from a typical RCM document is shown below in table 2
Some of the other IT processes that could commonly be covered are Incident Management, Problem Management, Information Security Management, Access management, Software outsourcing and Vendor management etc. as applicable to the organization.
Control testing methodology
The overall objective of the testing teams is to validate the effectiveness of the controls identified in the RCM and verify whether they are operating as stated in the RCM document. The controls should be able to meet the control objectives set by the management such as deterring fraud or detecting possible errors which can result in misstatements in the financial statements. Based on the test results and assurance provided by the controls, the controls are categorized as either “effective” or “ineffective” and the results shared with management for review.
With the ever-growing alphabet soup of regulations, it is necessary that the IT function stay updated with the changing regulatory landscape. For this, it is imperative for the various IT teams to understand the purpose behind the various regulations applicable to their organization, the IT specific scope and the role of IT teams in ensuring compliance.
Taxmann, 2015. Companies Act 2013 with Rules. Edition. Taxmann Publications Private Limited.
Guidance Note. 2015. Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by Auditing and Assurance Standards Board. - (14-09-2015). [ONLINE] Available at: http://icai.org/new_post.html?post_id=11919&c_id=219.
Authored by Suhas Bhat