We are in the middle of the Union Budget season where corporates are trying to understand the nuances of the budget just presented by the Finance Minister of India. However, another topic is as relevant as any other for the corporates this year. The concept of Internal Financial Control (IFC) has remained so relevant ever since (rather it gained in relevance) that I am forced to write on it again! The good part about this concept is that it has remained more or less constant since the time it came out as part of the Companies Act, 2013 (‘the Act’). I would love to start from where I left in my earlier blog, so I would try to pull up a bridge between the two and set it up in the right context.
The practical applicability both from the company’s point of view as well as from the auditors’ angle has created some flutter in the relevant circles, as a result of which, quite a few companies, and quite understandably so, are taking services of ‘consultants’ to assist them in getting prepared for the audit sign off for the year ending 31 March 2016.
Though, IFC as a concept was being included as part of Directors’ Report (DRS to be precise) under section 134 of the Act for the last 2 years, it was also well known that the auditors’ reporting responsibility on IFC was deferred by a year to year ended 31 March 2016.
The initial guidance note issued by the Institute of Chartered Accountants of India (ICAI) on auditors’ reporting responsibility in 2014 was withdrawn soon after. Thereafter, a revised GN was released sometime in September last year, which many thought was a bit delayed, but which clearly spelt out the requirements as far as reporting by the auditors is concerned. This Guidance Note (GN) though called ‘Audit of Internal Financial Controls Over Financial Reporting’, serves as a good parallel guide to the managements as well on what the auditors would exactly be looking for, for their reporting purposes.
Besides giving a very detailed guidance on how the auditors should approach the audit of internal financial controls, The GN also gives the circumstances and the formats of issuing either a Clean, Qualified etc. report on internal financial controls over financial reporting. This will ensure consistency between reporting by various auditors and also reduce the altercations between management and auditors as to what should be qualified and what shouldn’t.
It also gives instances where a ‘negative’ report on the IFC will become so pervasive that it will impact the opinion on the True and Fair nature of the Financial Statements. This is a very scary proposition, as most companies would want to avoid a qualified main audit report at any cost.
In our experience as IFC consultants to some and as statutory auditors to others has been that the management of many companies weren’t taking it very seriously till very recently. Not that they did not want their internal financial controls to be robust in terms of both design and operating effectiveness; they were not quite ready for this extent of scrutiny and reporting.
Additionally, a thought that was emerging and rightfully so was that there was supposed to be some kind of ‘phasing’ or ‘threshold’ for this to be applicable. In fact, the first few reactions before it sank in was in the nature of ‘ we are a cost-plus company, why should we be doing it’. ‘We are a Company with almost no operations, should it be applicable to us as well?
This thought was also emanating from the fact that even requirements such as reporting on Companies Auditors’ Report Order (CARO) is also not applicable to all companies and only to companies above a certain monetary threshold. Therefore, it was but obvious for the stakeholders to expect that some criteria will come out which will exclude some of the companies, which has however not happened yet.
However, with time, most of them came to realize that this is a reality now and there is no other way but to move in the desired direction.
We had a hard time convincing our statutory audit clients what additional work we will be doing while issuing a report on IFCFR. Thankfully for us, we were able to demonstrate the value they will be getting out of this exercise and also the additional work that it will entail for us.
Further, irrespective of the fact that it is a completely different report on a different topic altogether, it will be wise for the auditors to not de-alienate the audit of financial statements and the audit of internal financial controls. Rather, the latter should be integrated with the financial statements audit and to achieve that the auditor must plan and perform the work to achieve the objectives of both audits. As also very rightfully mentioned in the guidance note, this direction applies to all aspects of the audit, and it is particularly relevant to tests of controls (ToC).
Wherever we were engaged as consultants, we made sure that we had regular interactions with the company’s statutory auditors and the managements to make sure that they are also completely in sync with our progress. Last thing that we wanted was any disconnect between us and the other stakeholders, either in terms of ‘risks’ or the ‘processes’ identified.
The statutory auditors are usually the ones who know the most about company’s internal control systems, design deficiencies etc. and would have been the best bet to design the internal financial controls for companies, however, they were conflicted out as they can’t be playing this dual role or designing as well as reporting for the same organisation. This meant that the managements either went in-house or hired another firm to assist it with the same.
In larger organisations such as listed companies or even companies with bigger operations, these internal financial controls may already exist and there may be a system already running. However, in cases of very small companies and typical owner managed and less complex organisations, with pervasive control deficiencies, it may be a challenge for the auditors to issue an unqualified opinion.
The challenge from the auditors’ point of view is in these companies with numerous or pervasive deficiencies in internal financial controls. Smaller, less complex companies can be particularly affected by ineffective entity-level controls, as these companies typically have fewer employees and fewer process-level controls.
It has to be accepted that while auditing these smaller entities with pervasive deficiencies, the audit strategy will be influenced by the nature of the control deficiencies and factors such as the effect of the deficiencies on other controls and the availability of audit evidence. In these circumstances, the difficult part for both the auditors and the management would be that the auditor may not be able to find out a way to express an unqualified opinion on the effectiveness of internal financial controls in some of these typical situations.
Flowing from the above, it is important that sufficient time be allowed to evaluate and test controls. If deficiencies are discovered, management should have an opportunity to correct and address these deficiencies prior to the reporting date. The amount of time a remediation control should be in existence for placing reliance on the control by the auditor is a matter of professional judgement. Under ordinary circumstances, control remediation that occurs after year-end will not mitigate an identified deficiency for reporting purposes and the auditors may not be able to express an unqualified opinion on management’s disclosure about corrective actions taken by the company after the balance sheet date.
Now that we are in the last month of the financial year, and most of the companies have ensured compliance, it remains to be seen how the audit reports on IFCFR shape up. Some companies who still haven’t taken note of the situation will do well to do it now without further loss of time.
It will be interesting to look at the kind of reports that will be issued and how many of them are ‘other than clean reports’. Also, will there be implications on the businesses and operations in case an IFC report of a Company states that the Internal financial controls around say, sales and receivables and missing or weak is a big question at the moment.
Irrespective of the implications of this reporting and other nuances attached to it, it remains a step in the right direction and its a matter of time before the stakeholders stop looking at it as a ‘compliance‘ and realize its long term and sustained advantage for the business operations as well.
Puneet heads the Assurance and Risk Advisory practice at International Business Advisors. He is a Chartered Accountant with 13 years of post qualification experience. He has rich experience in the field of accounting and auditing, due diligences and risk advisory to various mid-sized and large companies (Indian as well as trans-nationals) across various sectors. For most of his professional career he has worked with Big4 consulting firms such as KPMG and Deloitte. He has also spent a few years with Mazars India, where he was looking at the risk management function for the organization, in addition to being a partner with the Assurance division. He regularly writes on various accounting and auditing matters. For any professional assistance, he can be reached on Puneet.firstname.lastname@example.org