These days IFC has become the new buzz word in professional circles and represents a very promising practice area for Chartered Accountants.
When my firm first took up an IFC assignment for reviewing and suggesting improvements in the Internal Financial Controls (IFC) of two reputed listed companies, I had searched through many resources online but did not get a simplified step by step guidance on what needs to be done.
So my team had to spend many long days piecing together an action plan and methodology which could help make the process smoother and more understandable.
So i thought of penning down this article to serve as a guidance and a starting point for any one looking to undertake any work in the Internal Financial Reporting space, whether it be designing of IFC, Independent review or whether you are reporting on IFC in the capacity as an auditor I hope this article adds value to you.
What are IFC?:
Before I delve into formal definitions, let me take an example of a small shopkeeper who:-
- Has a lock on his shutter.
- Puts cash received during the day in a locked safe box.
- Next day deposit all the cash in the bank.
- Ensures that names and amounts of all those who have taken goods on credit are properly recorded and regularly follows up with his customers to ensure timely recovery.
- Ensures that the stock godown is locked and only select few persons have access.
- Ensures that all inwards and outwards movement of goods from the godown are recorded.
- Gets the stocks counted regularly to ensure there is no mischief or error in recording stock movements etc.
All the common checks & balances that i mentioned above, which you would ordinarily expect any prudent business owner to have in place are nothing but Internal Financial Controls.
The scale, complexity and nature of these checks & balances change according to the nature and size of the business but at the heart of it the core concept remains the same, which is :-
- To ensure business operations run smoothly
- Wastages and losses are minimized
- Records and information derived from such records are accurate and reliable
- Assets are safeguarded
Put in a more formal way, Explanation to Section 134(5)(e) of the Companies Act 2013 defines “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
Ministry of Corporate Affairs (MCA) has notified that Section 143(3)(i) of the Companies Act 2013 shall not be applicable for those audit reports of private limited companies /One-person companies (OPC) which has Annual turnover of less than Rs 50 Crores or has aggregate borrowings of less than 25 Crores from banks, Financial institutions or body corporate at any time during the financial year issued after 13th June 2017.
Professional Opportunities around IFC:
Chartered Accountants can add immense value by:-
1. Helping design IFC
2. Conducting independent reviews to ascertain whether such IFC are adequate and are working effectively.
3. Helping in meet compliance requirements around IFC
Typical steps in an IFC design / review exercise:
For any such exercise to be effective it is of paramount importance that top management takes lead and communicates the need to all internal stakeholders.
Such exercises are multi-functional and will require the involvement of suitable representatives from across functions to form a “Task Force” for the same.
The typical steps involved are as under:-
1. Get top management buy in, in both word and spirit
2. Conduct a detail study of the business of the entity.
3. Study all the key SOPs and process flow charts (for smaller companies the same may not be available, so you may have to first document or help them document the same, depending on your scope of engagement)
4. For each process list down everything that you can imagine to go wrong and note all these down as risks. This step requires some degree of experience, imagination and knowledge of the process being reviewed.
5. Quantify the likely hood of such risk actually materialising as either Low, Medium or High.
6. For each risk mention the controls in place to either prevent or mitigate the impact of the risk on the business. In case of design engagements for new entities you will need to mention all those controls which in your opinion should be in place. This is by far the most important step.
7. For review engagements, check whether such controls are working effectively by performing substantive and analytical review procedures for each control.
8. Once you follow the steps till here, you will get a Rick-Control Matrix which looks something like the image given below.
9. Summarise findings and suggestions for each risk-control into a Risk – Control Report and present to management.
Types of controls:
While mapping out the controls in the Risk-Control Matrix as detailed above it is a prudent practice to classify these controls as under:-
1. Preventive Controls -> Those controls which are aimed at preventing the corresponding risk from materialising.
2. Corrective controls -> The controls aimed at correcting mistakes or misstatements before they are used by the users.
3. Compensating controls -> Those controls which address certain risks when such risks are not addressed explicitly with any other control
Often when it comes to new assignments, we get bogged down by fancy words and lengthy definitions but when we go beyond these to the core purpose behind the concept, things start becoming clearer and easier to grasp.
If you are currently working on IFC and have something to share, do leave a comment or write in to me, I would love to hear your insights on the same.
Hoping this will add value.