Internal Financial Controls Under Companies Act, 2013
Internal Financial Controls Under Companies Act, 2013In India, regulations relating to companies have been modified to highlight the developments in the modern world. As per Companies Act, 2013, internal financial control has been defined as the policies and procedures adopted by the company to ensure orderly and efficient conduct of its business which includes adherence to company policies, safeguarding the assets, prevention and detection of frauds and timely preparation of reliable financial information.
The Companies Act, 2013, under section 134 (5) (e), requires preparation of the Directors responsibility statement for listed companies including public companies having paid up share capital of 25 crores or more as given under clause 40A of the listing agreement and auditor’s report for all companies to comment on whether the company has adequate internal financial controls system in place and operating effectiveness for such control.
In the USA, the concept of reporting on Internal Financial Control Reporting started after the enactment of the Sarbanes Oxley Act 2002. Under section 404 of the Sarbanes Oxley Act, the management is required to issue a report on internal control as a part of its annual report. This report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The external auditor is also required to report the adequacy of the company’s Internal Financial Control Reporting.
Until now, reporting on the internal controls by auditors was restricted to a few selected areas mandated under the Companies (Auditor Report) Order, 2003. However, the new Companies Act, 2013 significantly expanded this requirement, which is now not restricted to the reporting by auditors of only the listed companies but applies to all companies.
The auditor should form an opinion on the adequacy and operating effectiveness of internal control financial reporting by evaluating evidence obtained from all sources including the report from the auditor testing the controls, misstatements detected during the financial statement audit and any other identified control deficiencies. The auditor should evaluate the disclosures made by the management and board of directors in the annual report.
The management is required to implement adequate internal financial controls across all significant processes whether performed in house or outsourced to a third party service provider. Thus, while outsourcing business or IT process the management needs to ensure that the key controls shall operate for the third party service provider in the same manner or better than how they perform at the company’s own locations. IPR INDIA
The user organisation needs to evaluate whether the control objectives and the key controls identified to achieve the control objectives are appropriate and review that the tests performed by the service auditor are sufficient to evaluate the effectiveness of the controls. In determining the ability and appropriateness of the tests performed by the service auditor the user organisation needs to assess the service auditor’s professional competence and independence from the service organisation. Independent tests of controls by the service auditor provide more independence and objectivity than tests performed by the internal auditor on which the service auditor would rely.
The guidance note further provides detailed implementation guidance on the procedures to be performed including reporting considerations. Further, it provides an illustrative engagement letter management representation letters and reports on internal control financial reporting. There may be certain controls and objectives that may be relevant to internal control as it relates to operations or compliance with established laws and corresponding regulations.
A deficiency in internal financial control over financial reporting exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect misstatements on a timely basis. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. Section 134(5)(e) of the Companies Act puts the onus clearly on the Board of Directors to state in their Directors’ Responsibility Statement that they have laid down internal financial controls to be followed by the company and that such controls are adequate and were operating effectively.
Although section 134(5) (e) is applicable to listed companies, section 143(3) (i) requires the auditor to state that whether the company has an adequate internal financial control system in place and operating effectiveness of such controls. While the changes in the Companies Act 2013 are significant and will influence user’s organisation, it is important that user organisation proactively look at their obligations as per section 134(5) (e) and take effective steps to address the same-
- Engaging the user organisation’s auditor to discuss and align with their expectations of the requirements of the Companies Act on internal financial reporting.
- Engaging the service organisation and their auditor to understand the impact of this requirement of the Companies Act 2013.
- Understanding the requirements and service provider’s obligations by reviewing service provider contracts by modifying the service contracts/agreements as necessary.
- Communicating the impact on the stakeholders in the organisations.
The scope, responsibilities of the Board and auditors can be summarised below-
- For Listed Companies– Adequacy and operating effectiveness of internal financial controls.
- For Unlisted Companies– Adequacy of internal financial reporting over financial reporting.
- To lay down adequate and effective internal financial controls and include it in the Director Responsibility Statement.
- The independent directors should satisfy themselves on the strength of financial controls.
Indeed, the companies act, 2013 has taken a major step towards raising the bar on corporate governance in India. It has re-emphasised the importance of having a robust internal controls environment by introducing the phrase ‘internal financial controls’ and casting specific responsibilities on the audit committee, board, management as well as the auditors of the company.