ICAI Ahmedabad
Internal Financial Controls Effectiveness 28-12-2015
CA Kartik B. Radia
Table of Contents
1. IFC Basics
2. IFC Scope
3. Implementation Approach & Methodology
4. Key Questions
5. COSO Framework
6. Risk Assessment for IFC
7. Live Case Studies on Implementation
8. Professional Profile of the speaker

1. IFC Basics

2.
3.
4. Reinforce senior management focus and visibility on key risks and controls through Controls Self Assessment (2nd line of defense)
5. Establish independent testing by the 2nd line and 3rd line, and independent internal reporting with reporting to the Board
Applicability | Responsibility | Coverage

Coverage: the term "internal financial controls" is defined in the Act (the Companies Act, 2013) to mean controls ensuring:
- Safeguarding of its assets
- Prevention and detection of frauds and errors
- Accuracy and completeness of the accounting records
- Timely preparation of reliable financial information

Responsibility: responsibility for ensuring the adequacy of IFC, and the related reporting responsibility, has moved from the CEO/CFO to the Board of Directors.
Internal Financial Controls benchmarked to a globally recognized Internal Controls Framework
Clause 49 of the Listing Agreement (SEBI guidelines) already has internal control compliance requirements for listed entities.
ICAI Ahmedabad IFC: 28-12-2015
Non-compliance may lead to:
- Monetary penalty up to Rs. 25 lacs
- Imprisonment up to 3 years
- Auditors' qualification

- Auditors provide reasonable assurance only
- Attestation of controls is as at the balance sheet date; testing needs to be done during the financial year
- The IFC framework is different from an ERM framework
- A material weakness in IFC is not necessarily equal to a material misstatement in the financial statements
2. IFC Scope

CSA framework
1. Whistleblower Policy
2. Code of conduct
3. Risk Management policy
4. HR Policies
Entity Level vs. Functional/Process Level controls

Entity Level:
- Organizational Structure
- Statutory Compliance Mechanism
- Segregation of Duty
- Whistleblower Mechanism
- KPI/Compensation Policy*
- Disaster Recovery*
- Business Continuity*

IFC Set + Moderate Anti-fraud Controls + Moderate Operating Controls
C. Link Assertions

22 key data points, aligned to Control Self Assessment, preferably driven through a tool:
- Financial Statement Assertions: (E)xistence, (C)ompleteness, (R)ights & obligations, (V)aluation, (D)isclosure, (S)afeguarding
- COSO (Control Framework) Assertion
- Test Plan
- Control Type: (O)perating, (F)inancial, (C)ompliance
- Periodicity: (Y)early / (Q)uarterly / (M)onthly / (W)eekly / (D)aily / (O)ther
- Sample (as per the control methodology approved by the designated authority)
- Gaps Observed
- Control Criticality: (F)raud, (M)anagement, Both (FM)
- Responsibility (Process Owner)
- Responsibility (Reviewer)
- Mapping to GL Code
- Root Cause / Weakness
- Control Pass Status: Yes, No, Needs Remediation, Needs additional testing
- Document Source: Auditor, Audit Committee, Board
- Remediation Action Plan
- Concluding Comment
- Design Adequacy / Operating Effectiveness (Design, Operating)
- Evidence

Source Point:
- Global knowledge library for Insurance
- Standard Risk and Control Matrix
- Review SOPs
- Interviews and deliberations with process owners
- Circulation of draft RCMs
- Senior management deliberations
3. Implementation Approach & Methodology

Implementation Approach

Phase I

1. Scoping
- Review the financial statements / trial balance to identify significant accounts
- Identify the relevant processes to be covered
- Finalize scoping with respect to anti-fraud controls and IT General Controls

2. Controls Assessment
- Discuss with process owners and prepare the financial control documentation (RCMs) for in-scope processes
- Identify key controls
- Review and identify control gaps and recommendations with management, and agree on changes to controls

3. Documentation and roll out
- Update and finalize RCMs
- Develop control tests for key controls

Phase II

4. Testing
- Conduct operating effectiveness testing for key controls
- Prepare the draft control failure report, discuss it with management and finalize it
- Provide recommendations to address gaps

Phase III*

5. Automate
- Develop the questionnaire for control self assessment to be uploaded in the CSA tool
- Assign ownership of controls
- Deploy the CSA tool on your server
- Conduct user and admin training workshops
- Go-live of the CSA tool

Timelines shown: 3 Months; 1 Month
Project Management
4. Key Questions
5. COSO Framework

- Holistic approach to the risk and controls landscape of the entities and the group
- Recognition by Boards of Directors and professional bodies globally of the three lines of defence as per COSO, which should be a cornerstone for Indian companies driving IFC
- IFC emphasizes the governing body's focus on further strengthening the 1st and 2nd lines of defense through:
  - Entity level controls and process level controls: adequacy and operating effectiveness
  - Enhanced control awareness across the organization through Controls Self-Assessment
  - A greater role for the Board of Directors in ensuring timely disclosure of all risks and their mitigation
- External auditors to attest to an adequate and effective internal control framework run by the Company's governing body
- Regulators to ensure vigilance and penalties for non-compliance
Reporting lines:
- Board Report: 3rd line, Internal Audit independent testing report
- CEO/CFO: 2nd line, independent testing
- Statutory Auditors: independent opinion

2nd line of defense: Controller and Risk Management function; independent testing
3rd line of defense: independent Internal Audit testing
External Statutory Auditor
COSO (2013) components and principles:
- Control Environment: principles 1 to 5
- Risk Assessment: principles 6 to 9
- Control Activities: principles 10 to 12
- Information & Communication: principles 13 to 15
- Monitoring: principles 16 to 17

The 17 principles further drill down to 77 points of focus, which need to be mapped for IFC compliance.
6. Risk Assessment for IFC: Inherent and Residual Risk Assessment

Controls classification:
- Critical: key control, not operating
- High: key control, operating
- Moderate: non-key control, operating
- Low: non-key control, not operating
Operating and financial risks observed across 11 business cycles.

Gross Risk = Impact x Likelihood (risk probability)

Impact scale: Low, Moderate, High, Critical
Likelihood scale: Expected, Highly Likely, Likely, Not Likely

Inherent Risk Rating Red or Amber = Key Control
Inherent Risk Rating Yellow or Green = Non-Key Control

Inherent Risk Rating (IR) by Impact and Inherent Likelihood/Probability Rating (P):

Impact     Expected   Highly Likely   Likely   Not Likely
Critical   Red        Red             Red      Amber
High       Red        Amber           Amber    Yellow
Moderate   Amber      Amber           Yellow   Green
Low        Yellow     Yellow          Green    Green

Residual risk after Existing Mitigation Effectiveness (M), for each combination of Impact and Likelihood:

Impact     Likelihood      IR       Needs Improvement   Reasonably Adequate   Effective
Critical   Expected        Red      Critical            High                  Moderate
Critical   Highly Likely   Red      Critical            High                  Moderate
Critical   Likely          Red      Critical            High                  Moderate
Critical   Not Likely      Amber    High                Moderate              Low
High       Expected        Red      Critical            High                  Moderate
High       Highly Likely   Amber    High                Moderate              Low
High       Likely          Amber    High                Moderate              Low
High       Not Likely      Yellow   Moderate            Moderate              Low
Moderate   Expected        Amber    High                Moderate              Low
Moderate   Highly Likely   Amber    High                Moderate              Low
Moderate   Likely          Yellow   Moderate            Moderate              Low
Moderate   Not Likely      Green    Low                 Low                   Low
Low        Expected        Yellow   Moderate            Moderate              Low
Low        Highly Likely   Yellow   Moderate            Moderate              Low
Low        Likely          Green    Low                 Low                   Low
Low        Not Likely      Green    Low                 Low                   Low

Read as a rule, the residual rating depends only on the inherent colour and the mitigation effectiveness: Red gives Critical / High / Moderate, Amber gives High / Moderate / Low, Yellow gives Moderate / Moderate / Low and Green gives Low / Low / Low as mitigation moves from Needs Improvement to Reasonably Adequate to Effective.
Impact rating guidance (financial impact and qualitative description):

Critical: Inability to achieve business objectives, e.g.:
- Loss of significant business capacity
- Loss of high value customers, customer loyalty and sales opportunities due to process failure

High:

Moderate (1% to 3% of PAT): Moderate impact on the achievement of business objectives, e.g.:
- Less than material gaps in the books of account
- Process failure leading to loss of transactions of moderate value, restricted to a small number of transactions
- Moderate errors in the books of account or financial statements which were fixed before closing
- Delay or inability to reconcile key vendor or partner accounts, impacting short-term transactions
- Moderate-rated audit findings on process gaps
- Non-compliance with internal policies and procedures which carry a penalty

Low (less than 1% of PAT)
Risk Probability: probability rating guidance

Inherent probability of the risk event occurring and leading to the assessed consequences (occurrence in future, % chance):
- Expected: over 80%
- Highly Likely:
- Likely: 10% to 49%
1. The inherent risk assessment will be done for risks with critical and high impact; no such assessment will be done for moderate and low impact risks.
2. The likelihood assessment will be based on a proposed number that we suggest from our understanding (on the basis of interviews and explanations with the process owners and our understanding of the process), and it will have to be validated by management.
3. From year 2 onwards the inherent likelihood assessment will be based on data actually collected and analysed (without consideration of mitigating controls). The inherent risk assessment will have to be done annually, after considering changes in the internal control environment, exceptions noted during the internal audit process and the root causes identified.
Existing mitigation effectiveness (M), description:
- Needs Improvement: Mitigation plans are in place but do not ensure any control over risk occurrence and impact.
- Reasonably Adequate: Mitigation plans involve duly laid down approval and reporting norms, though they do not ensure complete control over the risk.
- Effective:
7. Live Case Studies on Implementation

8. Professional Profile of the speaker
Background: Kartik is currently working at Price Waterhouse as a Partner in Risk Assurance Services and helps clients implement Internal Financial Controls, Risk Management Frameworks and Internal Audit co-sourcing models. Kartik specializes in risk management solutions such as Enterprise Risk Management, Internal Financial Controls and Internal Audit Effectiveness. After working for nearly 15 years in the profession, Kartik firmly believes that there should be visible and transparent business value addition from any Risk Management or Internal Controls solution, and that the delivery model should be based on the business context.

Consulting activities and services:
1. Kartik has worked on complex risk modeling assignments such as Capital Adequacy Reviews, stress testing financial reviews, Internal Audit Effectiveness and Governance Effectiveness Reviews for banks, financial institutions and large MNCs.
2. Kartik has worked on Capital Adequacy Reviews, stress testing financial reviews, Internal Audit Effectiveness and Corporate Governance Policy Frameworks.
3. Kartik has in the past worked with Ernst & Young and WPP Group (implementing SOX in the North American and European regions for 3 years).
4. He has worked on international assignments across geographies including the United States, UK, Canada, France, Germany, Netherlands, Africa, Japan, Singapore, Hong Kong, Greece and Spain.
Thank you

The views expressed in the presentation and webcast are the views of the authors in their individual capacity and should not be taken as the views of ICAI or of any other organization.