    Internal Financial Controls - A Paradigm Shift In The Reporting Requirements Under CARO


    High-profile corporate disasters in the US made governments, regulators and corporations grasp afresh the significance of internal controls. These disasters were largely attributed to the failure to implement internal controls. Numerous terms are used by globally recognised control frameworks and market regulators - "Internal Control for Financial Reporting" (ICFR) mostly in the US after the Sarbanes Oxley (SOX) Act and "Internal Control" (IC) mostly outside the US.

    IC is defined in the three globally recognised frameworks: the Internal Control - Integrated Framework (COSO Framework) developed in the US in 1992 by the Committee of Sponsoring Organisations ("COSO") of the Treadway Commission; the Turnbull Guidance for Directors on the UK's Combined Code on Corporate Governance, issued in 1999 by the Institute of Chartered Accountants of England and Wales; and the Board Guidance on Criteria of Control (CoCo) issued in 1995 by the Canadian Institute of Chartered Accountants (CICA). These frameworks not only define internal controls but also break down the controls into components and objectives and elucidate the basis of monitoring, testing, assessment and evaluation of controls. These frameworks serve only as guidance for boards, managements and auditors and have gained global prominence; they advocate a wide approach to internal control, covering objectives such as improving business effectiveness, consideration of significant risks in operations, safeguarding of assets, compliance and financial reporting. The Companies Act 2013 (the Act) created a new term - "Internal Financial Control" (IFC).

    Section 143(3)(i) of the Companies Act 2013 now requires statutory auditors to state in their report whether a company has adequate internal financial controls systems in place and the operating effectiveness of such controls. This requirement is in addition to the existing audit opinion on financial statements. Originally this requirement was applicable to the financial year ending 31 March 2015; due to lack of guidance, it was postponed to the year ending 31 March 2016 by virtue of the insertion of Rule 10A of the Companies (Audit and Auditors) Rules, 2014. The auditor can report such ICFR for the year ending 31 March 2015 on a voluntary basis. This requirement is applicable to all companies, including One Person Company and Small Company. Consequently, the reporting requirement pertaining to internal control under the Companies (Auditor’s Report) Order, 2015 (CARO) was retained by the Ministry of Corporate Affairs (MCA) for certain areas.

    Under clause (e) of sub-section (5) of Section 134 of the Act, IFC includes policies and procedures adopted by the company for ensuring orderly and efficient conduct of its business, accuracy and completeness of the accounting records and timely preparation of reliable financial information.

    The absence of standards will make certification of the adequacy and operational effectiveness of a company's IFC by the auditors difficult. Even the Companies (Auditor's Report) Order (CARO), 2003, which statutory auditors have been following, required auditors to comment upon the adequacy of the internal control system, only with reference to the purchase of inventory and fixed assets and for the sale of goods and services and not specifically on the operating effectiveness of such controls. It is precisely for this reason that the US Securities Exchange Commission (SEC) used the term ICFR in its Rules for Section 404 of the SOX Act. ICFR is specific. It addresses only a subset of internal controls of the COSO Framework pertaining to financial reporting objectives and deliberately leaves out elements that relate to the effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations except financial reporting.

    The criteria necessary for companies to maintain effective IFC have been provided in the ICAI “Guidance Note on Audit of Internal Financial Controls over Financial Reporting” (guidance note). The definition of the term ICFR has been reproduced in the guidance note from the US Auditing Standard (AS) 5 – An audit of Internal Control Over Financial Reporting and it is integrated with an Audit of Financial Statements issued by PCAOB – A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal financial control over financial reporting includes those policies and procedures that (i) pertain to the maintenance of records that, in detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorisations of management and directors of the company; and (iii) provide reasonable assurance regarding the prevention or timely detection of unauthorised acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

    Criteria to be considered for developing, establishing and reporting on IFC

    The guidance note does not provide any particular framework for IFC; instead it states that a benchmark system of internal control, based on suitable criteria, is essential to enable the management and auditors to assess and state the adequacy and compliance of the system of internal controls. The guidance note explains that for auditor’s reporting, the term IFC is restricted within the context of the audit of financial statements and relates to internal control over financial reporting (ICFR), and this is in line with the international practice.

    The necessary criteria for IFC over financial reporting for companies have been provided in “Internal Control Components” of Standards on Auditing (SA) 315 “Identifying and Assessing the Risks of Material Misstatement through Understanding the entity and environment” issued by ICAI. SA 315 explains the five components of any internal control as they relate to a financial statement audit. The five components are:

    Control environment

    Entity risk assessment process

    Control activities

    Information system and communication

    Monitoring of controls


    Management’s responsibility

    The 2013 Act has radically expanded the scope of internal controls to be considered by the management of companies to cover all aspects of the operations of the company.

    Boards of directors of the listed companies are required to affirm in the Directors' Responsibility Statements in Annual Reports that IFC systems in the companies are adequate and operationally effective as required under Section 134(5)(e) of the 2013 Act.

    Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors' report of all companies to state the details in respect of adequacy of internal financial controls with reference to the financial statements.

    The inclusion of the matters relating to internal financial controls in the directors’ responsibility statement is in addition to the requirement for the directors to state that they have taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of the 2013 Act, for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.

    Auditor’s responsibility

    The auditor's objective in an audit of internal financial controls over financial reporting is to express an opinion on the effectiveness of the company's internal financial controls over financial reporting and the procedures in respect thereof are carried out along with an audit of the financial statements.

    The auditor must plan and perform the audit to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weakness exists as of the date specified in management's assessment. A company's internal controls cannot be considered effective if one or more material weaknesses exist. A material weakness in internal financial controls may exist even when the financial statements are not materially misstated. SA 200 - Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing, issued by ICAI, states that the auditor’s opinion on the financial statements does not assure the future viability of the entity nor the efficiency or effectiveness with which the management conducted the affairs of the entity.

    Globally, auditor’s reporting on internal controls is together with the reporting on the financial statements and such internal controls reported upon relate to only internal controls over financial reporting. For example, in USA, Section 404 of the Sarbanes Oxley Act of 2002, prescribes that the registered public accounting firm (auditor) of the specified class of issuers (companies) shall, in addition to the attestation of the financial statements, also attest the internal controls over financial reporting. The Companies Act, 2013 specifies the auditor’s reporting on internal financial controls only in the context of audit of financial statements. Consistent with the practice prevailing internationally, the term ‘internal financial controls’ stated in Clause (i) of Sub-section 3 of Section 143 would relate to ‘internal financial controls over financial reporting’ in accordance with the objectives of an audit stated in SA 200 “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”, issued by ICAI. Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors’ report of all the companies to state the details in respect of adequacy of internal financial controls with reference to the “financial statements” only.

    Audit of IFC

    The guidance note provides procedures that would need to be considered by the auditor for planning, performing and reporting in an audit of IFC under section 143(3)(i) of 2013 Act. The guidance note specifically states that since the audit of IFC is in connection with financial reporting, the concept of materiality will be applicable even in such audits. In planning the audit of internal financial controls over financial reporting, the auditor should use the same materiality considerations he or she would use in planning the audit of the company's annual financial statements as provided in SA 320 “Materiality in Planning and Performing an Audit”, issued by ICAI.

    Audit procedures mentioned in the guidance note have been framed for an auditor; these procedures could also be used by the companies to perform a self-evaluation. The following steps are included in the audit procedures.

    Step 1: Planning

    Step 2: Design and Implementation

    Step 3: Operating effectiveness

    Step 4: Reporting

    Planning - The planning stage involves identification of significant account balances and disclosure items, identification and understanding of significant flows of transactions, identification of Risk of Material Misstatement, and identification of controls. The auditor is required to establish an overall audit strategy which sets the scope, timing and direction of the audit, and that guides the development of the audit plan.

    Design and Implementation - The auditor should test the design effectiveness of controls by determining whether the company’s controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the controls effectively, satisfy the company’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements. The auditors should obtain an understanding of the entity’s flow of transactions, identify controls that are relevant to the audit and gain an understanding of those controls.

    Operating effectiveness - Testing operating effectiveness involves planning the nature, timing and extent of procedures to be performed, assessing findings and concluding on operating effectiveness. Operating effectiveness of a control is tested by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. In some instances, when the auditor is testing controls, the walkthrough procedures may be used to obtain evidence about the operating effectiveness of a control. In performing a walkthrough, the auditor generally follows a single transaction from its origination through the procedures or steps in the process to the transaction’s ultimate recording in the general ledger or its sub-ledgers.


    Reporting - Where there are deficiencies that, individually or in combination, result in one or more material weakness, the auditor should evaluate the need to express a modified opinion (qualified or adverse on the company’s IFC) unless there is a restriction on the scope of the engagement in which case the auditors should either disclaim the opinion or withdraw from the engagement. As per the guidance note, auditors will have to issue a qualified or an adverse opinion on ICFR if ‘material weaknesses’ in the company’s ICFR are identified as part of their audit.

    The auditor shall modify the opinion in the auditor’s report on internal financial controls over financial reporting when: (i) The auditor concludes that, based on the audit evidence obtained, the internal financial controls over financial reporting is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct material misstatements in the financial statements on a timely basis; or the control is missing; or (ii) The auditor is unable to obtain sufficient appropriate audit evidence to conclude that the internal financial controls over financial reporting is adequate and / or operating effectively to provide reasonable assurance that it is designed, implemented or operated in such a way that it is able to prevent, or detect and correct material misstatements in the financial statements on a timely basis.

    IFC reporting on Consolidated Financial Statements (CFS)

    Section 129(4) of the 2013 Act states that the provisions of the 2013 Act applicable to the preparation, adoption and audit of the financial statements of a holding company shall, mutatis mutandis, apply to the CFS. With regard to the consolidated financial statements, the financial reporting process would include understanding the procedures for:

    a) Identification of subsidiaries, associates and joint ventures that would form part of the consolidation process;
    b) Identification of inter-company transactions for elimination and elimination of any unrealized profits on such transactions;
    c) Identification and quantification of minority interest;
    d) Ensuring consistency of accounting policies amongst the consolidating entities;
    e) Ensuring consistency of the classification of account balances amongst the consolidating entities;
    f) Recording recurring and non-recurring adjustments to the annual and quarterly consolidated financial statements; and
    g) Ensuring appropriate disclosures in the consolidated financial statements.

    IFC reporting on interim financial statements

    Auditor reporting on IFC is a requirement specified in the 2013 Act, and therefore will apply only in a case of reporting on financial statements prepared under the 2013 Act and reported under section 143 of the 2013 Act. Accordingly, reporting on IFC will not be applicable with respect to interim financial statements, such as quarterly or half yearly financial statements, unless such reporting is required under any other law or regulations.

    Integrated Audit - Combined audit of internal financial controls over financial reporting and financial statements

    (1) Corporates and auditors in India will need to come to terms with the concept of a combined or an integrated audit, which includes an audit of internal control over financial reporting and financial statements. In a combined audit of internal financial controls over financial reporting and financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously. In a combined audit of internal controls over financial reporting and financial statements, the auditor expresses opinion on the following aspects:

    (i) Opinion on internal control over financial reporting, which requires:

    Evaluating and opining on management’s assessment of the effectiveness of internal financial controls (In Japan based on the requirements of the Financial Instruments and Exchange Act). Evaluating and opining on the effectiveness of internal controls over financial reporting (In USA based on the requirements of Section 404 of the Sarbanes – Oxley Act).

    (ii) Opinion on the financial statements.

    (2) While the objectives of the audit of internal controls over financial reporting and audit of financial statements are not identical, the auditor plans and performs the work to achieve the objectives of both the audits in an integrated manner. Therefore, in a combined audit of internal financial controls over financial reporting and financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously.

    (3) In such an audit, the auditor plans and conducts the audit:

    • To obtain sufficient evidence to support the auditor's opinion on the internal financial controls as of the year-end, and

    • To obtain sufficient evidence to support the auditor's control risk assessments for purposes of the audit of the financial statements.

    Specified date for reporting on the adequacy and operating effectiveness of IFC

    Another aspect which required clarification was whether the comments in the auditor’s report should describe the existence and effective operation of ICFR during the period under reporting of the financial statements or as at the balance sheet date. Section 143(3)(i) of the 2013 Act does not specify whether the auditor’s report should state if IFC existed and operated effectively during the period under reporting of the financial statements or at the balance sheet date up to which the financial statements are prepared. The guidance note clarifies that auditors will have to report whether a company has an adequate ICFR system in place and whether the same was operating effectively as at the balance sheet date of 31 March 2016. In practice, this will mean that when forming its audit opinion on ICFR, the auditor will surely test transactions during the financial year ending 31 March 2016 and not just as at the balance sheet date, though the extent of testing at or near the balance sheet date may be higher. If control issues or deficiencies are identified during the interim period and are remediated before the balance sheet date, then the auditor may still be able to express an unqualified opinion on the ICFR. For example, if deficiencies are discovered, the management may have the opportunity to correct and address these deficiencies by implementing new controls before the reporting date. However, sufficient time will need to be allowed to evaluate and test controls, which will again depend on the nature of the control and how frequently it operates. This will be a matter of professional judgment.

    Comparison with International practice

    It is interesting to note that the guidance note has similarities with PCAOB Auditing Standard No. 5, which is applied by auditors in the context of SOX reporting in the US. For example, various paragraphs from the US auditing standard have been inserted within the guidance note, including definitions such as significant deficiency and material weakness related to internal controls. Also, in India, auditors are not required to report on the management’s assertion of effectiveness on IFC. Reporting under the act will be an independent assessment and assertion by the auditor on the adequacy and effectiveness of the entity’s ICFR.

    The guidance note is a fairly comprehensive document, with detailed guidance in several areas related to ICFR, such as the internal control components, entity-level controls, information technology controls, understanding and documentation of process flows, including flow charts, use of service organisations and sampling. Both the management and auditors will have to quickly familiarise themselves with and decipher the details of this guidance note in order to gear up for the year-end reporting on IFC.

    Flowchart Illustrating Typical Flow of Audit of Internal Financial Controls Over Financial Reporting

    [Flowchart not reproduced. Recoverable labels: Assess and Manage Risk; Manage Audit Engagement; Assess the design of controls; Assess audit impact and plan other suitable procedures; Plan operative effectiveness; Assess impact on audit; Form audit opinion on financial statements; Prepare and Control Audit Documentation; Continuous Focus on Audit Quality.]


    This article is contributed by Partners of SBS and Company LLP - Chartered Accountant Company.