What is IFC
IFC stands for internal financial control, a new scenario in Indian financial reporting system which has evolved from Companies Act 2013. With massive increase in the size of the companies having gigantic transactions size, verification of each and every transaction has become impossible. Audit sampling has and always had an inherent risk of non finding of error or fraud. Therefore, establishing trust on Internal Controls implemented by the Companies has become the ultimate recourse to Auditors to take hold on the Entity’s financial environment and thus on reporting of the same. Internal Financial Controls does not only give comfort to Auditors but to other stake holders like Independent Directors, Shareholders, Banks and Government Bodies. Indian Authority has introduce reporting requirement on Internal Financial Controls making Statutory Auditors responsible to comment on implementation and operating efficiency of IFC through Companies Act 2013. The similar concept was introduced by USA in 2002 through SOX i.e. Sarbanes – Oxley Act.
Below is the summary of the requirement of Companies Act related to IFC:
Going through the requirement of Companies Act as presented above, it is clear that all three main pillers of an Entity’s Management are required not only to ensure proper implementation of IFC but also to ensure it’s efficiency. Also, it is to be noted that while Directors, Audit Committee, Independent Directors are responsible for IFC, Statutory Auditors are responsible for ICOFR i.e. Internal Controls Over Financial Reporting.
Though the Companies Act has defined the compliance requirement related to IFC/ICOFR, it has no where prescribed any framework or guidelines for the same. The Institute of Chartered Accountants of India has announced a guidance note on ICOFR which is based on COSO framework. The COSO framework is being used worldwide for establishing Internal Controls. There are 5 elements and 17 principals prescribed in COSO framework. An Entity is required to draft it’s Internal Controls Framework based on these 5 elements and 17 principals and auditors are required to evaluate the internal controls based on the same. The 5 elements and 17 principals are as follows:
Auditors’ Roles and Responsibilities towards IFC
Since now Auditors have to comment on implementation and of IFC and it’s operating efficiency, it’s became their duty to ensure proper internal controls mitigating key risks the entity is expose to considering the environment they are oprating in. The recent few financial frauds has made IFC implementation far more important as it is evident that those frauds would not have occurred or atleast would have identified much earlier, had those entities has strong internal controls in place with good control environment.
The below is an analysis of How and Why, Auditors are at Risk when they comment on IFC of any entity:
Auditors’ Action Points
Auditors needs to be vigilant first on Entity’s control environment then on their Risk Identification Process.
The biggest risk an Entity is exposed to is the Risk of non-identification of Risks it is exposed to.
While the control environment represent attitude of the top management towards the Risk and Controls, risk identification is the first step towards establishing controls within the entity.
Auditors then map the various controls to identified Risks and is also required to evaluate the design of controls.
However, how does it is practically being done?
World wide, Auditors are relying on management testing of IFC by evaluating the testing methodology and effectiveness. As it is the prime responsibility of the management to implement and operate IFC within the Entity, Auditors take thier comfort based on Management Testing of IFC with regards to Test of Design as well as Test of Controls. Having said that, now comes the biggest challenge or risk in such management testing. The two biggest challenge/risk involve in management testing of IFC are :
- Availabilty of required skill-set with the management for the purpose of such testing.
- Unbiasedness and effectiveness of such testing.
To deal with above two risks, Auditors has started asking for an external report i.e. management testing performed by an external agencies having required skill-set and experience. This is a known fact that external evidences are more reliable then internal evidence, therefore Auditors are more inclined towards external evidences hence ask for external report for IFC review purpose.