Internal Financial Controls: Testing Times!!

Blogger: Jyotin Mehta & Purvi Malani

It is that time of the year when the organization is buzzing with IFC TESTING!

How does it work in your organization – is this activity the most mundane or significantly meaningful?

Our guess is that, for most, it would be the ‘most mundane’.

Ever since the confirmation of internal financial controls became an explicit part of the Directors’ Responsibility Statement, we have come across interesting views on the role of Internal Audit in this context, some of which, in our opinion, need a review.

It is the responsibility of Management to ensure that controls exist and are effective, and the ownership of these controls lies with the process owners.

Despite this, we have come across internal auditors being questioned by management, the audit committee, and the statutory auditors when the controls fail.

Hence, we felt it may be interesting to clear the air by attempting to spell out some basic principles and to explain the context.

We are all aware of the speed and urgency with which IFC was rolled out by companies when the Companies Act, 2013 came into force. Many companies availed themselves of the services of external consultants to draft the framework. The brief was clear – ensure compliance with the requirements of the Companies Act by the target date and keep it simple so as to avoid complications (read: embarrassment), with the intent of improving in the coming year. (We do, however, know that more often than not, intents do not get translated into action!)

Given these boundaries, the framework was completed in record time and many companies passed the test with flying colors. Statutory auditors were advised by ICAI to restrict their review to controls that impacted financial reporting.

So, it was a ‘tick on the box’ approach used by most companies to ensure compliance in its first year.

By and large, a vast majority ended up paying lip service to the new requirement – paying attention to the form, in the most minimal way possible; with the good intentions of catching up with the spirit of the enactment at a later date.

The spirit versus the letter.

The spirit in which these requirements were mandated has perhaps been overshadowed by the thrust on compliance with the letter.

Some corporate boards view IFC as a necessary technical compliance that is logically delegated to the Audit Committee; boards, as a whole, may be spending not more than 30 minutes annually on the subject.

And herein lie both the problem and the opportunity!!

Just as features of a new ERP package often are grossly underutilized, we believe that the power of IFC remains largely untapped. Even though we have been living with SOX requirements for over a decade, many companies have not matured or optimized their IFC programs.

Leveraging IFC for enhancing assurance and improving quality of internal audit.

We came across a survey which mentioned that a majority of Indian companies are not treating compliance as an end-game. For all of them, this is a journey well begun. But why stop here?

While the intent is right, companies must now move up the curve and leverage IFC to enhance the control environment. We don’t think it’s possible to lock internal controls into a static framework. The controls are good for a period of time, but then these have to change.

Whilst the continuous re-evaluation and documentation may appear to be a burden, if institutionalised well, it will yield benefits beyond expectations. Changes in organization structure or processes, or the addition of new lines of business, should trigger re-evaluation and revised documentation.

And, in addition, review cycles should ensure that all Risk Control Matrices (RCMs) get attention at least once in two years. Internal audit can play a decisively constructive role in this journey – for example, recommendations to auditees must be comprehensive enough to encompass required changes in RCMs.

In fact, a one-page annexure to each audit report on how the internal audit findings align with the effectiveness of IFCs reflected in RCMs could be an easy way to facilitate this exercise.

Auditing at the Speed of Risk in the Digital Age.

IA needs to keep up to date with the latest market developments and update its risk assessments more frequently. Technology is the biggest game changer. Some of the threats that will surface during a threat assessment could be malicious software, hacking attempts, unencrypted information and data theft.

As internal auditors, check if RCMs have been amended to provide for Work from Home (WFH) controls. The digital space is exciting and scary at the same time – social media is like the genie that can no longer go back in the lamp… hence, controls need to dynamically adjust.

It is important to thoroughly test the disaster recovery plans (DRPs) and Business Continuity Plans (BCPs) when reviewing IT General Controls (ITGC).

“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” - Theodore Roosevelt

Entity Level Controls (ELC): Auditing the Culture.

The approach to establishing Internal Financial Controls and auditing them can only be top-down, as it starts with the senior-most management and drills down to the lowest operating level.

Based on our practical experience, we know that not all companies are able to demonstrate a control environment that creates confidence in entity level controls.

Frauds highlight the weaknesses in the governance structure. Culture audits can help gain insight into the causes of poor organizational behaviour. Not enough firms are auditing culture. It can be challenging because it is subjective and complex.

Culture is shaped by values that influence everyday behaviour within the organization. Managements create sub-cultures among their teams. Different departments have different cultures, risk tolerances, etc. Building an ELC would foster a control-conscious work culture for people entrusted with controls.

The stronger the culture, the stronger will be the ELC, and thus the higher will be the reliance on overall controls.

The way forward

We recommend that internal auditors assume the role of evangelists for IFC – they are best positioned and they will do great service to the management and the board by doing this.

How is this possible? Here are some suggestions:

• RCMs were initially drafted to ensure tests of IFC would not fail, and hence a minimal approach to documented controls was adopted. Thereafter, the IFC check has become more of a routine compliance issue, and hence the spirit of IFC is either lost or not completely upheld. As internal auditors, we can make a case for a more purposeful IFC framework and thereby nudge the management to leverage the power of IFC.
• ELC and ITGC – it is futile to spend energy in locking every closet if you have left the main door wide open. Strong ‘main-door’ security eliminates major risks by controlling who can go in – similarly, ELCs and ITGCs minimize the possibility of certain risks entering the company’s systems.
• Make RCMs comprehensive and include all processes – accounting and operating. Capture all controls and document the intent. Business operations have evolved continuously and there may be changes in the policies and processes. Documentation of a new process or sub-process must include a supporting RCM and flowchart. An effective change management process needs to be defined and incorporated in these RCMs. Adequate training is to be imparted to process owners on documentation and change management.
• Have an annual presentation to the Audit Committee on the review of RCMs.
• Make the IFC check an integral part of internal audit execution without worrying about comprehensive documentation. And reinforce your audit observations dealing with process issues by referencing the applicable RCM. The result will be surprising – process owners will retrieve the RCMs.

The above presupposes strong support from management and the audit committee; if not, when initiating these, buy stakeholder support. A progressive improvement will result in raising the bar of the control environment, and hence governance.

To conclude, IFC is not just a matter of compliance; it is, in fact, a mine of opportunities to be tapped by organisations to ensure a stress-free business environment. And IA has the role of a catalyst in this…