Audit of Internal Financial Control over Financial Reporting (IFCR) A complete guide

714 views 12 slides Jun 30, 2020

About This Presentation

Introduction to the Presentation on internal financial control over financial reporting_a complete guide

The Companies Act, 2013 has introduced some new requirements relating to audits and reporting by the statutory auditors of companies.



One of these requirements is given under Section 143(3)(...


Slide Content

6/30/2020


Audit of Internal
Financial Control
over Financial
Reporting (IFCR)
A complete guide
CA TAUFIR ALAM
TRUEADVISERS

Contents
BRIEF BACKGROUND OF THE ENVIRONMENT
Internal Financial Control
Internal Financial Control over Financial Reporting-IFCR
IFC to IFCR for Auditors
Flow of Audit of Internal Financial Control over Financial Reporting-IFCR
Introduction
Planning the Audit
Combining the audits
Role of Risk Assessment
Addressing the Risk of Fraud
Using the Work of Others
Materiality
Using a Top-down Approach
Typical Flow of Audit of Internal Financial Controls over Financial Reporting
Audit Flow Diagram
Audit Execution - Testing of Controls:
The testing of controls
1. Testing design effectiveness of controls
2. Testing operating effectiveness of the controls
Optimizing the quantum of testing:
Risk Control Matrix
1. Control Environments
2. Entity’s Risk Assessment Process
3. Control Activities Information System and Communication
4. Monitoring of Controls
Making it easy-Ready to use drafts and formats for Risk and Control Matrix (RCM)
Entity level Control Matrix:- Areas of controls Testing ANNEXURE-I
IT General Control Matrix:- Areas of controls Testing ANNEXURE-II
Specimen-FS Closure Policy & Sample Check List;
Activity wise preplanning & closure-Annexure-III
Preparation of FS-Annexure-IV
Disclosures & NTA-Annexure-V
Illustrative List of Risks of Material Misstatement - Control Objectives - Control Activities
Appendix-IV to the SA-315
Table of contents for the Appendix
Illustrative Work-paper Template for Testing ROMM and Performing Walkthroughs

BRIEF BACKGROUND OF THE ENVIRONMENT

Internal Financial Control
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term “internal financial controls” as the policies and procedures adopted by the company for ensuring:
• the orderly and efficient conduct of its business,
• adherence to management policies,
• the safeguarding of assets,
• the prevention and detection of fraud and error,
• the accuracy and completeness of the accounting records, and
• the timely preparation of reliable financial information.

Internal Financial Control over Financial Reporting-IFCR
A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes + IGAAP.

ICAI Guidance note says (definition taken from AS-5 issued by PCAOB) that IFCR includes those policies & procedures that pertain to:
• Maintenance of records
-In reasonable detail
-Accurately
-Fairly reflects txn & disposition of company's assets
• Transactions are recorded
-With necessary details to permit preparation of FS + IGAAP
-Receipts & Payments are duly authorised
• Prevention and timely detection of unauthorised acquisition, use and disposition of company's assets
-that could have material effect on the financial statements

IFC
• Fraud prevention
• Operational controls
• IFCoFR

Applicability of IFCR Reporting by Auditors
Applicable to all Co. except those exempted by notification issued by MCA:
# Small Co/OPC - Clause 2 of the notification
# T/O < Rs.50 Cr or Borrowing < Rs.25 Cr as per LAFS
# Default in filing annual return for last 3 years u/s-137 or u/s-92 - Clause 2A of the notification

IFC to IFCR for Auditors
Section 143(3)(i) of the Companies Act, 2013 (“the 2013 Act” or “the Act”) requires the auditors’ report to state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.

Globally, the auditor’s reporting on internal controls is together with the reporting on the financial statements, and the internal controls reported upon relate only to internal controls over financial reporting. For example, in the USA, Section 404 of the Sarbanes Oxley Act of 2002 prescribes that the registered public accounting firm (auditor) of the specified class of issuers (companies) shall, in addition to the attestation of the financial statements, also attest the internal controls over financial reporting.

Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors’ report of all the companies to state the details in respect of adequacy of internal financial controls with reference to the “financial statements” only.

Considering the above, the auditor needs to report on internal financial controls over financial reporting only.

Flow of Audit of Internal Financial Control over Financial Reporting-IFCR

Introduction
Effective internal financial controls over financial reporting provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal financial controls cannot be considered effective.

Because of the above, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the balance sheet date.

A significant deficiency or material weakness in internal financial controls over financial reporting may exist even when financial statements are not materially misstated.

The auditor should use the same system of internal financial controls over financial reporting to perform his or her audit of internal financial controls over financial reporting as management uses for its annual evaluation of the adequacy and effectiveness of the company's internal financial controls.

Obtaining sufficient evidence to support control risk assessments for purposes of the financial statement audit ordinarily allows the auditor to reduce the amount of audit work that otherwise would have been necessary to opine on the financial statements.

Planning the Audit
The activities will include pre-engagement activities such as agreeing the terms of the engagement.

When planning a combined audit, the auditor should evaluate how various important factors will affect the audit procedures, such as:
• Previous experience in other engagements
• Change in the industry of operation
• Organisation structure, capital structure and operating characteristics
• Materiality, risk and other factors for determination of material weakness
• Legal and regulatory matters etc.

Factors that might indicate less complex operations include: fewer business lines; less complex business processes and financial reporting systems; more centralised accounting functions; extensive involvement by senior management in the day-to-day activities of the business; and fewer levels of management, each with a wide span of control.

Combining the audits
The audit of internal financial controls over
financial reporting should be combined with the
audit of the financial statements. The objectives
of the audits are not identical, however, and the
auditor must plan and perform the work to
achieve the objectives of both audits.

In a combined audit of internal financial controls over financial reporting and financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously:

• To obtain sufficient evidence to support the auditor's opinion on internal financial controls over financial reporting as of year-end, and

• To obtain sufficient evidence to support the auditor's control risk assessments for purposes of the audit of financial statements.

Role of Risk Assessment
There is a direct relationship between the degree of risk of significant deficiency and the audit attention required in that area.

Risk assessment helps in determining the significant account balances and disclosures and the relevant assertions, in order to select the controls to test and obtain the necessary evidence for those controls.

The complexity of the organisation, business unit, or process will play an important role in the auditor's risk assessment and the determination of the necessary procedures.

The auditor needs to consider SA 315 for detailed procedures in connection with risk assessment.

Addressing the Risk of Fraud
Controls that might address these risks include:
• Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries;
• Controls over journal entries and adjustments made in the period-end financial reporting process;
• Controls over related party transactions;
• Controls related to significant management estimates; and
• Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.

If the auditor identifies deficiencies, the auditor should consider the directions provided in SA 240 “The Auditor’s Responsibilities Relating to Fraud in An Audit of Financial Statements”.

Using the Work of Others
While using the work of others in performing the audit, the auditor should act according to SA 610 “Using the Work of Internal Auditors” and SA 620 “Using the Work of an Auditor’s Expert”, which apply in a combined audit of internal financial controls over financial reporting and financial statements.

Responsibility for the use of others' work still lies with the auditor.

The auditor should assess the competence and objectivity of the persons before using their work. The person's degree of objectivity and degree of competence should point in the same direction for the work to be fit for use.

Materiality
In planning the audit of internal financial
controls over financial reporting, the auditor
should use the same materiality considerations
he or she would use in planning the audit of the
company's annual financial statements as
provided in SA 320 “Materiality in Planning
and Performing an Audit”.

Using a Top-down Approach
The auditor should use a top-down approach to the audit of internal financial controls over
financial reporting to select the controls to test.

The top-down approach describes the auditor's sequential thought process in identifying risks
and the controls to test, not necessarily the order in which the auditor will perform the auditing
procedures.










Internal Financial Control Framework (diagram)

Financial Reporting
• Business Cycle (E.g. Production, Working capital, Output)
• Sub-Processes (E.g. Capital expenditures recording)
• Objectives (E.g. Accuracy)
• Activities (E.g. Transaction recording)

Financial Statements Assertion
-Completeness
-Existence & Occurrence
-Rights and Obligation
-Valuation
-Presentation & Disclosure

Controls
-Authorization
-Safeguarding of Assets
-Maintenance of Records

Typical Flow of Audit of Internal Financial Controls over Financial
Reporting
Audit Flow Diagram


A. PLANNING
• START
• 1. Identify significant account balance and disclosure items
• 2. Identify and understand significant flow of transaction
• 3. Identify risk of material misstatements
• 4. Identify controls which address risk of material misstatements
• 5. Identify applications, associated IT environment, ITGC

B. DESIGN & IMPLEMENTATION
• 6. Assess the design of controls
• 7. Assess the implementation of controls
• Appropriate design & implementation of controls?
• 8. YES-Plan operative effectiveness testing
• 9. NO-Assess audit impact and plan other suitable procedures

C. OPERATING EFFECTIVENESS
• 10. Plan nature, timing and extent of testing operative effectiveness
• 11. Perform operative effectiveness testing
• 12. Assess findings and conclude on operative effectiveness
• 13. Form opinion on IFC

D. REPORTING
• 14. Assess impact on audit opinion
• 15. Form audit opinion on financial statements
• END

Order of the audit process across the phases, i.e., A, B, C and D above.

Audit Execution - Testing of
Controls:

The auditor’s report is required to state whether the
company has adequate internal financial controls system
in place and the operating effectiveness of such controls.

Essentially, this requires the auditors to identify the
financial reporting risks or the risk of material
misstatements and review the controls to confirm:

The audit of ICFR is expected to be integrated with audit
of financial statements. The auditors need to maintain
adequate documentation to support their conclusion on
ICFR – this requires effective design and use of smart
templates for work paper documentation.

The testing of controls is done at 2 levels:
1. Testing design effectiveness of controls
2. Testing operating effectiveness of the
controls

Testing design effectiveness of controls is essentially confirming that the controls, as indicated by the company, are in existence and designed properly. E.g. one of the stated controls is that a purchase invoice cannot be entered into the IT system without entering a purchase order, duly approved by the Head-Procurement. Here, the design effectiveness testing would require a walkthrough of the IT system to check that the system does not permit entering a purchase invoice without a PO and that the IT system-based approval rights are available only with the Head-Procurement. Testing design effectiveness is best done at the time of review/documenting of controls by means of process walkthrough and live testing of 1-2 sample transactions.

Testing operational effectiveness comprises the substantive testing done to confirm that a control is operating consistently and as intended. For manual controls, this entails checking a sample of transactions against the control parameters. For automated controls, this entails testing the system configuration and logic and then testing a very small sample for validation of the automated control.

It is expected that most of the controls identified as key controls in the ICFR exercise would get tested as part of normal audit of financial statements. The controls that may not have been tested adequately are:
• IT system related controls
• Financial statement closure process and related controls, specifically with reference to estimates and year-end provisions (the working and the accounting entries would be tested in normal course, but the underlying controls and evidence of controls may not have been tested).

Hence, the auditor needs to ensure that the testing of
controls is done in a manner that there is no duplication
of efforts, and that the documentation of testing is
sufficient for both - the financial statements audit and
ICFR audit.

Optimizing the quantum of testing:
A company, in its design of controls, will need to
implement controls at various stages in a transaction
cycle. E.g. for procurement cycle, there may be controls
on PO placement, on receipt of materials, on bill
approval and on payment release. The company may also
monitor and test all these controls as and when the
activity is taking place.

The auditors need not test each of the controls
individually, if they can get an assurance that all the
controls are existing and operational by checking the
documentation of the last stage (payment release) with
all related approvals and documentation for PO, GRN
and invoice booking. Such composite controls testing
can reduce the time and efforts of the auditors.

Similarly, for a company that normally gives 30 days’
credit to its customers, one of the risks identified is the
‘risk of raising sales invoices without rendering
services’. The corresponding control is ‘obtaining an
email confirmation from the customer at the time of
billing’. Now, in this case, at the year-end, the control
needs to be tested only for invoices that have not been
paid – the fact that a customer has paid for the services
billed automatically implies that the services were
rendered during the year. Thus, for effective testing of
this control, a sample may be drawn from outstanding
invoices.

It is thus important for the auditors to perform controls
testing in a manner that it optimizes efforts and gives
greater assurance or identifies weaknesses effectively.
Selection of controls, timing of testing and method of
testing are important considerations for the auditors.

Risk Control Matrix

The risk control matrix (RCM) is a matrix of the risks existing in the process and the controls that mitigate those risks.
The RCM populates the risks and the controls sub-process wise. The RCMs, as we understand it, are being given separately
to the management.

The risks are identified based on the “as is process” which is mapped in the process flow. The risks are populated based
on “What can go wrong in the process”. Since our examination focuses on internal financial control over financial
reporting (IFC-FR), the risks which are in the nature of regulatory and/or financial, and can potentially affect financial
reporting, have been identified and evaluated.

According to the risks identified, the controls required for mitigating the same were informed by the respective process
owners. In case there was no suitable control for the risk identified or the controls seemed to us to be inadequate, the
same was considered as design deficiency.

The RCM outlines the control mechanism based on the description of the control. The control frequency is one of the
items based on which the controls are tested. According to the walkthrough carried out, the control is either effective or
ineffective based on the availability / unavailability of evidence in the sample tested by our team.

A Risk Control Matrix (RCM) refers to a tool used for documentation of risks and controls in a structured manner, on a
standard template. An RCM prepared for ICFR documentation generally provides the following details:
1. Process and sub-process name
2. Risk description
3. Characteristics of risk in terms of fraud risk, risk level, etc.
4. Control description
5. Nature of control – preventive/ detective, manual/ automated, frequency of control, etc.
6. Evidence of control
7. Result of design testing
8. Result of testing operational effectiveness.

The Risk matrix is prepared based on the benchmark set under SA-315 for Components of Internal Controls:
1. Control Environments
2. Entity’s Risk Assessment Process
3. Control Activities Information System and Communication
4. Monitoring of Controls

Making it easy-Ready to use drafts and formats for Risk and Control Matrix
(RCM)

Entity level Control Matrix:- Areas of controls Testing ANNEXURE-I

IT General Control Matrix:- Areas of controls Testing ANNEXURE-II

Specimen-FS Closure Policy & Sample Check List;
Activity wise preplanning & closure-Annexure-III
Preparation of FS-Annexure-IV
Disclosures & NTA-Annexure-V


Illustrative List of Risks of Material Misstatement - Control Objectives -
Control Activities
Appendix-IV to the SA-315 (file: Appendix IV - RoMM Control Objectives and Control Activities.doc)

This appendix has been developed to provide guidance and examples to assist in identifying risks of material misstatement at the assertion level and relevant controls that may address the applicable risks of material misstatement.

For each class of transactions and account balance, risks of material misstatement and relevant controls are divided into two categories: “Core Risks and Controls,” which may be applicable for normal risks of material misstatement on most entities, and “Other Possible Risks and Controls,” which may or may not be applicable.

This appendix will assist in the identification of relevant controls that may address the applicable risks of material misstatement. This includes specific application or general IT controls.

This appendix also illustrates the risk of material misstatement and the control related to the risk that is likely to be reflected in the Other Affected Accounts.

Table of contents for the Appendix
Cash/Bank Balances
Prepaid Expenses
Trade receivables
Inventory
Goodwill and Intangible Assets
Trade payables
Provision for expenses
Loans/Borrowings
Employee Benefits
Income Taxes
Deferred Taxes
Provision for Income taxes/ Advance Income taxes
Share Capital and Reserves and Surplus
Revenue from Operations
Cost of Sales
Depreciation/Amortisation and Other Expenses
Finance Cost

Illustrative Work-paper Template for Testing ROMM and Performing
Walkthroughs
This template has been developed to provide illustrative examples to assist the auditors in addressing the Risks of
Material Misstatement (ROMM) for material classes of transactions and account balances. The pre-populated risks of
material misstatement (i.e., "what could go wrong") and relevant control activities included within this template are
derived from Appendix IV "Illustrative Risks of Material Misstatement, Related Control Objectives and Control
Activities" of the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting. The substantive
procedures responsive to the risks identified are also illustrative.