
Internal Financial Controls WIRC 24062017


Internal Financial Control – Assessment and Reporting requirements, Case Studies, etc.

24th June, 2017

WIRC of ICAI

Table of Contents
Why Internal Financial Controls (IFC)?
Applying COSO 2013
Few Relevant Things
Scope and Coverage under IFC
Approach and Methodology under IFC
Project Planning under IFC
Key Outputs/Deliverables
Illustrative Work Papers
Status Reporting
Case Study

2 © 2017 Protiviti.
CONFIDENTIAL: This document is for your Company's internal use only and may not be copied nor distributed to another third party.
Why Internal Financial Controls (IFC)?

Internal Financial Controls (IFC) - Background
As a substantial step in making regulations more coherent, the Companies Act, 2013 introduced the concept of Internal Financial Controls (IFC) under section 134. Directors' responsibilities on IFC are laid down under section 134 (3) (c) read with section 134 (5) (e). The Auditor’s responsibilities towards IFC reporting are laid down in section 143 (3) (i). The Audit Committee’s terms of reference on IFC are laid down under section 177 (4) (vii).

IFCs have been defined under section 134 (5) (e) as follows:

‘The policies and procedures adopted by the company to ensure orderly and efficient conduct of its business, including adherence to company’s policies, safeguarding of its assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, and the timely preparation of reliable financial information.’

This initiative needs a complete mandate from the Board and should be led by the CEO/MD. There should be clear sponsorship and the 'tone at the top', which is the whole essence of IFC.

Statutory Requirements on IFC – Companies Act, 2013
Considering the overhaul required in the risk management function of Indian industry, the government introduced a few new compliance requirements that every organization needs to follow. The key compliance requirements, as envisaged in the Companies Act, 2013, are as follows:

• Section 134 – Directors of all listed companies have to report that the laid down IFCs of the company
have been followed and that such IFC are adequate and were operating effectively.
• Section 177 – Every audit committee shall act in accordance with the terms of reference specified in
writing by the board which shall, inter alia, include, evaluation of internal financial controls and risk
management systems.
• Section 143 – The auditor’s report should also state, for all companies except private limited companies which have been granted exemption as per amended notification No. G.S.R. 463(E), 464(E), 466(E) dated 5th June, 2015 (amended on 13th June, 2017), whether the company has an adequate IFC system in place and the operating effectiveness of such controls.
• Schedule IV – The independent directors shall satisfy themselves on the integrity of financial information
and that financial controls and the system of risk management are robust and defensible.

Clause 49 Listing requirement

• As per part II of clause 49 listing agreement, role of Audit Committee shall include evaluation of internal
control and risk management.
• As per part V of clause 49 listing agreement, the CEO / CFO of the company shall certify the effectiveness
and adequacy of internal controls over financial reporting.

Statutory Requirements on IFC – Board Report

The Companies (Accounts) Rules, 2014

As per Rule 8(4) of the Companies (Accounts) Rules, 2014: “Every listed company and every other
public company having a paid up share capital of twenty five crore rupees or more calculated at the end
of the preceding financial year shall include, in the report by its Board of directors, a statement
indicating the manner in which formal annual evaluation has been made by the Board of its own
performance and that of its committees and individual directors”.

As per Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014: In addition to the information and
details specified in sub-rule (4), the report of the Board shall also contain –

“The details in respect of adequacy of internal financial controls with reference to the Financial
Statements.”

Applicability of IFC

| Section | Responsibility | Listed Company | Unlisted Public Company | Private Company |
|---|---|---|---|---|
| 134(3)(c) read with 134(5)(e) | Directors’ Responsibility Statement | Yes | Yes*, Note 1 | No, Note 1 |
| 177(4)(vii) and 177(5) | Audit Committee | Yes | Yes**, Note 2 | No**, Note 2 |
| 143(3)(i) | Audit Report***, Note 3 | Yes | Yes | Yes, Note 4 |
| Section 149(8) read with Schedule IV | Independent Directors | Yes | Yes**, Note 2 | No**, Note 2 |

* Note 1: Whilst the Act specifies listed companies, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 read with Rule 8(4) talks about listed and unlisted public companies only with paid up capital of Rs 25 crore or more calculated at the end of the preceding financial year.
** Note 2: All Public Companies with paid up capital of INR 10 crore or more, Turnover of INR 100 crores or more and Loan, borrowing, debentures and deposits of INR 50 crores or more in aggregate. Private companies may need to adopt the same as well.
*** Note 3: Auditor Report comment upon IFC is limited to ICFR as per ICAI guidelines.
**** Note 4: Chapter X, clause (i) of sub-section (3) of section 143: One person company or Small company or Private Company which has a turnover of less than 50 Crore as per the latest Audited Financial Statements or which has an aggregate borrowing from Banks or FIs or any Body Corporate at any point of time during the financial year less than Rs. 25 Crore have been granted exemption from reporting on adequacy of internal financial controls system and operating effectiveness of such controls.

Definitions:

• Section 2(62) of the Companies Act, 2013 defines “one person company” as a company which has only one person as member.

Only a natural person who is an Indian citizen and resident in India:
(a) shall be eligible to incorporate a One Person Company;
(b) shall be a nominee for the sole member of a One Person Company.

• Section 2(85) defines a Small Company as –

‘‘small company’’ means a company, other than a public company,—

(i) paid-up share capital of which does not exceed fifty lakh rupees or such higher amount as may be prescribed which shall not be more than five crore rupees; or
(ii) turnover of which as per its last profit and loss account does not exceed two crore rupees or such higher amount as may be prescribed which shall not be more than twenty crore rupees:

Provided that nothing in this Section shall apply to—

(A) a holding company or a subsidiary company;
(B) a company registered under Section 8; or
(C) a company or body corporate governed by any special Act

IFCs’ Equivalents Abroad

• Globally, auditor’s reporting on internal controls is together with the reporting on the financial
statements and such internal controls reported upon relate to only internal controls over financial
reporting. For example, in USA, Section 404 of the Sarbanes Oxley Act of 2002, prescribes that the
registered public accounting firm (auditor) of the specified class of issuers (companies) shall, in
addition to the attestation of the financial statements, also attest the internal controls over financial
reporting.

IFCs – Scope for Reporting
IFCs vs. Internal Controls (CARO)

• The scope for reporting on IFCs is significantly larger and wider than the reporting on internal
controls under the Companies (Auditor’s Report) Order, 2016 (“CARO”).

• Under CARO, the reporting on internal controls is limited to the adequacy of controls over
purchase of inventory and fixed assets and sale of goods and services.

• CARO does not require reporting on all controls relating to financial reporting and also does not
require reporting on the “adequacy and operating effectiveness” of such controls.

Reporting on IFCs in Financial Statements not covered under The Act

• Auditor’s reporting on IFCs is a requirement specified in the Companies Act, 2013 and therefore
will apply only in case of reporting on financial statements prepared under the Act and reported
under Section 143.

• Accordingly, reporting on IFCs shall not be applicable with respect to interim financial
statements, such as quarterly or half-yearly financial statements (unless such reporting is required
under any other law or regulation).

IFCs – Scope for Reporting (continued)
Context of Reporting

• The Companies Act, 2013 (The Act) specifies the auditor’s reporting on internal financial controls only
in the context of audit of financial statements.

• The term ‘Internal financial controls’ stated in The Act relates to ‘internal financial controls over
financial reporting’ in accordance with the objectives of an audit stated in SA 200 “Overall Objectives
of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing”.

• Further, Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors’ report
of all the companies to state the details in respect of adequacy of internal financial controls with
reference to the “financial statements” only.

• In light of the above, the auditor needs to obtain reasonable assurance about the adequacy of the
existing IFC system and whether such system operated effectively in the company in all material
respects with respect to financial reporting only.

Requirements of IFC Under Companies Act 2013
IFC is an important tool to augment effective Corporate Governance:

Applying COSO 2013

COSO 2013
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2013 Framework should be utilized to design and review an IFC Framework.

The COSO 2013 Internal Control: Integrated Framework consists of 5 components.

The Components have to be effective across the Entities, Divisions, Operating Units and Functions.

The new framework includes 17 COSO Principles to be addressed and also includes 77 Points of Focus to provide helpful guidance to assist management in designing, implementing and operating an effective internal control environment, as well as in assessing whether relevant principles are present and functioning.

COSO 2013 – Control Environment

COSO 2013 – Risk Assessment

COSO 2013 – Control Activities

COSO 2013 – Information and Communication

COSO 2013 – Monitoring Activities

Control Environment & Risk Assessment
Principles relating to the Control Environment component include:
• The organization demonstrates a commitment to integrity and ethical values
• The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control
• Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
• The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with the objectives
• The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives

Principles relating to the Risk Assessment component include:
• The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
• The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
• The organization considers the potential for fraud in assessing risks to the achievement of objectives
• The organization identifies and assesses changes that could significantly impact the system of internal control

Control Activities, Information Communication & Monitoring
Principles relating to the Control Activities component include:
• The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
• The organization selects and develops general control activities over technology to support the achievement of objectives
• The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action

Principles relating to the Information & Communication component include:
• The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
• The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
• The organization communicates with external parties regarding matters affecting the functioning of internal control

Principles relating to the Monitoring Activities component include:
• The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate

Few Relevant Things

What is covered in understanding business environment?

Environment
• What factors lead to dramatic change?
• What global economic events affect the company?
• How do political, ecological and demographic factors affect the business?

Owners
• What is the ownership structure and culture of the organization?
• Any information on the promoters or management in terms of their pedigrees, management styles, etc.?

Regulation
• What is the effect of non-compliance with regulations, i.e. change to regulation, notification, and standard set by national, local or industry regulators?
• What is the legal framework set up in the organization?

Customers
• What is the overall customer base and growth rates for the company and the industry?
• Classification of major customer segments and their preferences?

Suppliers
• Which are the broad groups of suppliers for the client by product type or region, etc.?
• What is the nature of suppliers (fragmented and small, large and monopolistic, etc.)?

Competitors
• Who are the major players in the market and their market share?
• What are the strengths and weaknesses of the competitors vis-à-vis the company?

Processes Listing
Sr. No. Process Name Name of the Process and Sub-process
Section 1 Customer Management
Section 1.1 Marketing
1 CM.01.01.01 Capture Customer Insights and Develop Marketing Strategies
2 CM.01.01.02 Manage Brand, Advertising, and Sponsorship Agreements
3 CM.01.01.03 Manage Subsidies/Upgrades and Promotions
4 CM.01.01.04 Manage Customer Loyalty and Churn Prevention
Section 1.2 Customer Relations Management
5 CM.01.02.01 Vet Credit and Accept Customers
6 CM.01.02.02 Provision Services and process Customer Orders
7 CM.01.02.03 Implement and Update Customer Master Data including Customer Privacy
8 CM.01.02.04 Adjustments and Issue Credits
9 CM.01.02.05 Customer Complaint Management
Section 1.3 Sales Management
10 CM.01.03.01 Manage Individual Customer Contracts and Conditions
11 CM.01.03.02 Manage Distributors and Other Channels
12 CM.01.03.03 Manage Retail Outlets including Sales
13 CM.01.03.04 Manage Enterprise Sales
14 CM.01.03.05 Commission and Incentive
Section 2 Supply Chain Management
15 SC.02.01 Procurement - Planning, Demand Management and Sourcing
16 SC.02.02 Supplier Management
17 SC.02.03 Inventory, Warehousing and Logistics
Section 3 Product Management
18 PM.03.01 New Product Development, Product Portfolio and Product Life Cycle
19 PM.03.02 Manage Tariff Information
20 Section 4 Human Resource Management

Section 5 Technology Management
Section 5.1 Change Technology
21 TM.05.01.01 Manage System Development
22 TM.05.01.02 Manage Technology Change
Section 5.2 Optimize Technology
23 TM.05.02.01 Network Capacity and Availability Management
24 TM.05.02.02 Operations and Maintenance
25 TM.05.02.03 IT Capacity and Availability Management
26 TM.05.02.04 Manage Software Assets
27 TM.05.02.05 Network Implementation
28 TM.05.02.06 IT Strategic Planning
29 TM.05.02.07 IT Project Management
Section 5.3 Operate and Support Technology
30 TM.05.03.01 Problem & Incident Management
31 TM.05.03.02 Manage Logical Security
32 TM.05.03.03 Manage Physical Security
33 TM.05.03.04 Manage Data Back-up
34 TM.05.03.05 Manage System Jobs
35 TM.05.03.06 ERP Review
36 TM.05.03.07 System Integration
Section 6 Corporate Governance
Section 6.1 Risk, Assurance and Compliance
37 CG.06.01.01 Prevent and Manage Non-revenue Fraud
38 CG.06.01.02 Manage Insurance
39 CG.06.01.03 Revenue Assurance & Fraud Management
Section 6.2 Business Continuity Management
40 CG.06.02.01 Business Continuity Management

Section 7 Process Service Transactions and Billing
41 PT.07.01 Process Post-paid Service Transactions and Retail Billing
42 PT.07.02 Process Pre-paid Service Transactions and Top-Ups
43 PT.07.03 Process & Bill Other Revenues
44 PT.07.04 Share Content Service Transactions
45 PT.07.05 Share & Bill Interconnection Revenue & Charges
46 PT.07.06 Share & Bill Wholesale Revenue & Charges
47 PT.07.07 Share & Bill Roaming Revenue & Charges
48 PT.07.08 Prevent & Manage 3rd Party Fraud
49 PT.07.09 Mediation & Billing
50 PT.07.10 Bill Print and Dispatch
Section 8 Financial Management
51 FM.08.01 Receivables Management
52 FM.08.02 Collections Management
53 FM.08.03 Purchase to Pay including Payment Security
54 FM.08.04 Expense Review
55 FM.08.05 Project and Asset Accounting
56 FM.08.06 Treasury and Cash Management
57 FM.08.07 Budgeting & MIS
58 FM.08.08 General Accounting (including Financial Statements review)
Section 9 Legal, Tax and Property Management
59 LT.09.01 Legal and Regulatory Compliance

What are the Risks?

Strategic risk: “Doing the wrong thing”

Operations risk: “Doing the right thing wrongly”

Compliance risk: “Not doing what should be done”

Financial risk: “Doing it in a way that loses money or incurs unnecessary liabilities”

Examples of Risks

Financial Risk
• Accounting and reporting (e.g., accounting, reporting, internal controls)
• Market (e.g., interest rate, currency)
• Liquidity and credit (e.g., cash management, hedging)
• Tax (e.g., tax strategy and planning, indirect taxes, transfer pricing)
• Capital structure (e.g., debt, equity, options)

Strategic Risk
• Planning and resource allocation (e.g., organization structure, strategy, budgeting)
• Communications and investor relations (e.g., media, investor and employee communications)
• Major initiatives and capital programs (e.g., vision, planning, execution, monitoring)
• Competitive market dynamics (e.g., competitive pricing)
• Mergers, acquisitions and divestitures (e.g., valuation, due diligence, integration)
• Macro-market dynamics (e.g., economic, social, political)

Compliance Risk
• Governance (e.g., board, tone at the top)
• Regulatory (e.g., labor, safety, trade/customs)
• Legal (e.g., contracts, intellectual property)
• Code of conduct (e.g., ethics, fraud)

Operational Risk
• Information technology (e.g., IT management, security, availability)
• Physical assets (e.g., real estate; property, plant and equipment)
• Sales and marketing (e.g., advertising, pricing, customer support)
• People (e.g., recruiting, retention, development)
• Research and development (e.g., market research, product design and development, product testing)
• Supply chain (e.g., planning, inventory, distribution)
• Hazards (e.g., natural events, terrorist acts)

To counter the risks there are controls…

So what are controls?

The steps which we put in place to address risks are known as controls.

A control is defined as any action taken by management, the board and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved.
Source: COSO

Let's look at a few examples…

• Approval of engineering drawings by competent authority as per quality plan
• Automatic serial numbering of purchase orders
• Periodic site inspection by project manager
• Signing contracts with customers

Controls need to be put in place for each root cause to effectively mitigate a risk.

Nature of Control

Preventive
Definition: Controls we perform PRIOR TO processing transactions, implementing systems, or recording data to AVOID risks in our operating process.
Examples:
• Authorization
• Segregation of duties

Detective
Definition: Controls performed AFTER processing transactions, implementing systems or recording data to determine if any error or irregularities HAVE occurred.
Examples:
• Reconciliations
• Edit reports
• Security violation reports

Types of Control

Manual
Definition: Controls that require human intervention
Examples:
• Management review
• Account reconciliations
• Reviewing exception reports

Automated
Definition: Controls automated through the IT System
Examples:
• Segregation of duties
• Authorization matrices
• Back-up and recovery controls

Categories of Controls

Typically, companies try to categorize the controls identified into different categories in order to have a better balance of the types of controls. A suggested list of such control categories is discussed below:

• Authorization
• System Configuration
• Exception and Edit Reports
• Key Performance Indicators
• Management review
• Segregation of duties
• Reconciliation
• System Access

Controls Classification - ICAI
As determined by ICAI, consider the following while drafting controls in RCM – appropriateness of
the purpose of the controls and its correlation to risk, nature and significance of risk, competence and
authority of the person performing the control, frequency & consistency, level of aggregation &
predictability, criteria for investigation & follow up and dependency on other controls. Some of these
have been explained below:

Nature of Control

Preventive: Controls to be performed PRIOR TO processing transactions, implementing systems, or recording data to AVOID risks in operating process.
• Authorization
• Segregation of duties

Detective: Controls performed AFTER processing transactions, implementing systems or recording data to determine if any error or irregularities HAVE occurred.
• Reconciliations
• Edit reports
• Security violation reports

Type of Control

Manual: Controls that require human intervention
• Management review
• Account reconciliations
• Reviewing exception reports

Automated: Controls automated through the IT System
• Segregation of duties
• Authorization matrices
• Back-up and recovery controls

Sampling – Test of Controls (TOC)
The following are some factors which the internal auditor shall consider when determining the sample size required for tests of controls (TOC). These factors need to be considered together, assuming the internal auditor does not modify the nature or timing of TOC or otherwise modify the approach to substantive procedures in response to assessed risks.

| Factors to be considered by an Internal Auditor | Effect on Sample Size |
|---|---|
| An increase in the extent to which the risk of material misstatement is reduced by the operating effectiveness of controls | Increase |
| An increase in the rate of deviation from the prescribed control activity that the internal auditor is willing to accept | Decrease |
| An increase in the rate of deviation from the prescribed control activity that the internal auditor expects to find in the population | Increase |
| An increase in the internal auditor’s required confidence level | Increase |
| An increase in the number of sampling units in the population | Negligible effect |

Note:
1. Other things being equal, the more the internal auditor relies on the operating effectiveness of controls in risk assessment, the greater is the extent of the internal auditor’s tests of controls, and hence the sample size is increased.
2. The lower the rate of deviation that the internal auditor is willing to accept, the larger the sample size needs to be.

Frequency of Control Activity and Sample Size
The following guidance related to the frequency of the performance of control may be considered when planning the extent of tests of operating effectiveness of manual controls for which control deviations are not expected to be found. The internal auditor may determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity, dependent on whether assessment has been made on a lower or higher risk of failure of the control.

| Factors to be considered by an Internal Auditor | Minimum Sample Size (Lower Risk of Failure) | Minimum Sample Size (Higher Risk of Failure) |
|---|---|---|
| Annual | 1 | 1 |
| Quarterly (including period-end, i.e. +1) | 1+1 | 1+1 |
| Monthly | 2 | 3 |
| Weekly | 5 | 8 |
| Daily | 15 | 25 |
| Recurring manual control | 25 | 40 |

Note: Although +1 is used to indicate that the period-end control is tested, this does not mean that for more frequent control operations the year-end operation cannot be tested.

Each business process has a number of associated risks…

Identifying risks in a process – Challenging every activity

[Figure: purchase process flowchart with swimlanes for Marketing Executive, Procurement Executive, Vendors and Manager Purchase]

Activities shown in the flowchart, by swimlane:
• Marketing Executive: Purchase requisition is prepared for the required material; Material is obtained from stores department
• Procurement Executive: Verifies current availability of stock from warehouse department; Is there enough stock available? (Yes / No); Identifies vendor from vendor database for the material; Sends requests for quotations; Selects vendor on the basis of comparative analysis of price; Prepares and sends Purchase Orders for approval; Issues Purchase order to vendor
• Vendors: Send price quotations to the buyer
• Manager Purchase: Approves and signs the Purchase order

Questions raised (Why? Why?? Why??? Why????):
• Why is the Purchase Requisition prepared by Marketing Executive?
• Is he authorized to prepare the Purchase Requisition?
• Has the management defined maximum value of material which the Marketing Executive can requisition for?
• Why is he not taking any approval before sending the requisition to Purchase department?

Gaps
1. Policy (schedule of authority) for raising purchase requisition not defined.
2. No mechanism to review and approve purchase requisition before procuring material.

Identifying risks in a process – Challenging every activity

[Flowchart: the purchase process across the Marketing Executive, Procurement Executive, Vendors and Manager Purchase
lanes, from purchase requisition and stock check through quotations, vendor selection and Purchase Order approval to
issue of the Purchase order to vendor.]

Challenging the activity (Why? Why?? Why??? Why????):
- If items are available in warehouse then why does not the Marketing Executive check with warehouse department
  before raising purchase requisition?
- What if the Procurement Executive did not check with warehouse before procuring material?

Gaps
1. Lack of MIS reports on stock status with Production department

Identifying risks in a process – Challenging every activity

[Flowchart: the purchase process across the Marketing Executive, Procurement Executive, Vendors and Manager Purchase
lanes, from purchase requisition and stock check with the stores department through quotations, vendor selection and
Purchase Order approval to issue of the Purchase order to vendor.]

Challenging the activity (Why? Why?? Why??? Why????):
- Does Marketing Executive continuously identify vendors for regular items?
- Why does Procurement Executive send request for quotation every time?
- Why don’t they enter into Long Term Rate contracts?
- Has the company defined minimum number of quotations to be invited?

Gaps
1. Absence of policy defining minimum number of quotations to be invited.
2. Possibility of entering into Long Term Rate contracts with vendors not explored.

Case Study 1: What Are the Risks Around these Revenue Processes?

Product & Offer Management
  Revenue Processes:
  - Management of the existing product portfolio
  - Development of new products and services
  - Offer management
  Primary Revenue Risks:
  - Unprofitable product launched
  - Product launched without sufficient processes to completely bill for all services

Order Entry & Provisioning
  Revenue Processes:
  - Order capture
  - Order provisioning
  - Disconnections
  - Order variations
  Primary Revenue Risks:
  - Customer details not captured correctly/fraudulent details given
  - Service provisioned but not set to bill
  - Disconnections not processed correctly

Network & Usage
  Revenue Processes:
  - Network data build
  - Event recording
  - Mediation
  - Usage management
  Primary Revenue Risks:
  - Call records not being generated on network
  - CDRs filtered incorrectly by mediation
  - Call records not being processed to correct billing system
  - Prepay billing system downtime

Case Study 1: What Are the Risks Around these Revenue Processes?

Rating & Billing
  Revenue Processes:
  - Reference data setup
  - Event record processing
  - Rating process
  - Bill calculation
  - Bill production
  Primary Revenue Risks:
  - Call records not rated correctly
  - Discounts/bundle allowance not applied correctly
  - Bills not calculated correctly
  - Bills not sent to customers

Receivables Management
  Revenue Processes:
  - Customer acquisition
  - Usage management
  - Billing
  - Debt path management
  - Dispute management
  - Bad debt management
  Primary Revenue Risks:
  - Bad debt write-offs
  - Overpayment of credits
  - Cash is tied up in disputes for too long with a consequent adverse impact on working capital

Finance & Accounting
  Revenue Processes:
  - Provisions in G/L
  - Unbilled and deferred revenue
  - Revenue recognition and policies
  - Revenue reporting and KPIs
  - Reconciliations
  Primary Revenue Risks:
  - Revenue not booked completely and accurately
  - Bad debt provision required is high

Case Study 1: What Are the Risks Around these Revenue Processes?

Customer Management
  Revenue Processes:
  - Care credits
  - Loyalty and discount schemes
  - Top-up of pre-pay accounts
  - Churn management
  - Query resolution
  Primary Revenue Risks:
  - Prepay top-ups not applied to accounts
  - Loyalty discounts are applied to a customer account without an end date

Partner Management
  Revenue Processes:
  - Settlement of interconnect and roaming inter-company payments
  - Management of channel partners
  - Settlement of content and revenue share payments
  - Wholesale management
  Primary Revenue Risks:
  - Overpayment of costs to roaming partner
  - TAP files not sent and received
  - Overpayment of interconnect costs
  - Overpayment of commissions
  - Overpayment of revenue share to content partner

Sample Risk & Controls

Scope and Coverage under IFC

Engagement Scope
Develop Internal Financial Controls (IFC) framework in accordance with the guidelines issued by ICAI to
identify gaps and provide recommendation:

Phase 1
- Walkthrough:
  • Meeting and walkthrough with the senior management, process owners and various stakeholders;
  • Gaining an understanding on the business and alignment to various business processes;
  • Develop the scoping document considering the significant account balances/classes of transactions and its
    mapping with business processes;
  • Identify the key controls in all the processes and document in RCM
  • Document Narratives & RCM (Risk Control Matrix) for business processes, ITGC (Information Technology General
    Controls) and RCM for ELCs (Entity Level Controls).
- Gap Remediation and Mitigation plan/controls:
  • Identify the design gaps in business process controls, ITGC and Entity Level Controls during the course of
    walkthrough;
  • Discuss gaps with the process/control owners and suggest remediation/recommendation;
  • Suggest Mitigation Plan/Control for the identified gaps.

Phase 2
- Management Testing
  • Conduct Test of Operating Effectiveness (ToE) of the key controls (25% of the total controls) identified
    across all the processes
  • Identification, assessment and evaluation of gaps

Key Indicative Business Processes Under IFC Scope (continued)

Procurement
• Procurement Planning
• Identification of vendors
• Raising of purchase orders
• Material In warding
• Supplier Management
• Purchase Requisition (PR)
• Purchase Ordering (PO)
• Transportation
• Contract management
• Inventory Management
• Assessment of Vendor Performance
• Quality management

Inventory Management
• Review of Stock Requirements
• Recording of Material Inwards
• Recording of Material inwards in Books
• Minimum Level Stock maintenance
• Control over issue of Material
• Storage of Material
• Physical Count Process

Revenue
• Revenue recognition
• Accounting policy review
• Control over manual journal entries
• Financial reporting
• Billing process
• Collection process
• Accurate provisioning of long pending debts

Information Technology
• IT Organization
• Change management
• IT policies and procedure
• IT Security
• Business Continuity Planning & Disaster Recovery
• Access Controls

Finance & Account
• Financial statement closing
• Cash and Bank
• Annual Budgeting
• Account Payables / receivables
• Treasury management
• Journal entries
• Ledger Accounts
• Adjusting entries

Human Resources
• Master Management (Employee)
• Hiring Process
• Compensation Management / Payroll Processing
• Performance Management System
• Separation and Retirement Benefits
• Full & Final Settlement
• Statutory Compliances – Gratuity, PF etc.

Fixed Assets
• Proper tagging of all Fixed Assets
• Recording of Fixed Assets in FAR
• Physical count process of Fixed Assets
• Assets are safeguarded through Insurance Policy
• Adherence with accounting policies in recording
• Disposal of Fixed Assets

Taxation
• Applicable Taxes & Duties
• Service Tax
• VAT etc.

Approach & Methodology under IFC

IFCs Project Approach – Top-Down Risk Based Scoping
A top down approach (suggested by ICAI) while developing / reviewing internal financial controls over
financial reporting framework for the company is graphically represented below:

Internal Financial Control Network

Financial Reporting

Financial Statement Assertions
- Completeness
- Existence or Occurrence
- Rights and Obligations
- Valuation
- Presentation and Disclosure

Controls
- Authorisation
- Safeguarding of Assets
- Maintenance of records

Business Cycles -> Sub-processes -> Objectives -> Activities

IFCs Project Approach – Graphical Representation

Planning
- Identify significant account balances / disclosure items
- Identify and understand significant flows of transactions
- Identify risk of material misstatements
- Identify controls (ELC’s and PLC’s) which addresses risk of material misstatements
- Identify applications, associated IT environment, ITGC

Design & Walkthrough
- Assess the design of controls
- Assess the Implementation of controls
- Is the design and implementation of controls appropriate (including mapping to COSO 2013)?
  No: Report as an exception and suggest remediation
  Yes: Plan operative effectiveness testing

Operating Effectiveness
- Plan nature, timing and extent of testing operative effectiveness
- Perform operative effectiveness testing
- Assess findings and conclude on operative effectiveness
- Prepare Draft Report

Reporting
- Discuss with Management
- Final Report

Effective Quality and Project Management

Project Plan for Implementation of IFC (As per ICAI Guidelines)

Identify Processes
- Identification of business processes that may impact reporting
- Identification of sub-process and activities that need to be covered under the scope of review
- Identify changes to processes / sub-process that may be already documented
- Obtain sign off from management on scope of coverage

Document Processes
- Documentation of processes in accordance with agreed guidelines
- Conduct a change management exercise for existing processes
- Validate the control activities by conducting a walkthrough

Risk Assessment
- Determine relevant population of processes / sub-process
- Revalidate / Identify inherent risks which may result in material mis-statement
- Map inherent risks to the respective risk category
- Undertake impact & probability analysis
- Obtain sign off from management on the risk universe

Identify key controls and KCI
- Documentation of all risks and controls in RCM for each of the identified processes
- Identify potential KCIs for business controls documented
- Identify KEY management controls under each process
- Identify redundant controls based on the above assessments for consolidation
- Identify the interdependency of controls across process
- Document test plans for key controls

Test of Design
- Evaluate the design of key controls
- Conduct test of design of Key controls
- Identify and document design deficiencies and TOD failures
- Identify and document compensating controls for TOD failures
- Develop remediation plans to address the key control deficiency in case controls do not operate as expected
- Obtain management sign off on the identified deficiencies and remediation plans
- Obtain materiality impact for deficient controls from management
- Populate walkthrough template

Test of Effectiveness
- Obtain concurrence on sample size and sample period for testing of effectiveness
- Validation of controls for appropriateness and effective operation
- Validate the remediated controls for effectiveness
- Identify and document Test of Effectiveness failures
- Populate TOE results for all Key Controls in proposed template
- Obtain management sign off on the identified deficiencies

Identification of Significant Account Balance and Underlying Process
- Identify significant accounts and disclosures at the financial statement and at the account level
- The quantitative and qualitative factors to be considered in deciding significance of accounts include:
  • Account size and composition
  • Susceptibility of loss due to errors or fraud
  • Volume of transactions
  • Nature of the account; accounting and reporting complexities
  • Changes from the prior period in account characteristics
  • Existence of related party transactions

Scoping of Significant Account Balances and Processes
Scoping of account balances for IFC Implementation

Type | Expense/Income | FSLI | Mapping of Significant Account Balances | Process | Total | % Total
BS | Liability | Share Capital | Share Capital | Financial Reporting | (1749,55,074) | 1.7%
BS | Liability | RESERVES & SURPLUS | Reserve & Surplus | Financial Reporting | (60719,45,652) | 58.5%
BS | Liability | Net Of long term Borrowing and Maturities of Long term Borrowings | Long Term Borrowing | Treasury | (25174,86,070) | 24.3%
BS | Liability | DEFERRED TAX LIABILITY | Income Tax | Financial Reporting | (317,10,657) | 0.3%
BS | Liability | SHORT TERM BORROWINGS | Unsecured Loans | Treasury | (3189,05,047) | 3.1%
BS | Liability | Long term provisions | Provisions | Financial Reporting | (3810,03,703) | 3.7%
BS | Liability | Other Long Term Liabilities | Long Term Borrowing | Financial Reporting | (440,14,099) | 0.4%
BS | Liability | TRADE PAYABLES | Trade payable | Accounts Payable/ COD Management | (4087,43,723) | 3.9%
BS | Liability | OTHER CURRENT LIABILITIES - OTHERS | Total Current Liability | Accounts Payable/ COD Management | (2983,71,442) | 2.9%
BS | Liability | SHORT TERM Provisions | Provisions | Accounts Payable/ COD Management | (1242,14,750) | 1.2%
Liability Total | | | | | (103713,50,217) | 100.0%
BS | Assets | Fixed Assets | Fixed Assets | Fixed Assets Management | 1289917963 | 12.4%
BS | Assets | LONG TERM LOANS AND ADVANCES | Long Term Borrowing | Financial Reporting | 311247912 | 3.0%
BS | Assets | TRADE RECEIVABLES | Sundry Receivables | Accounts Receivable | 703211447.3 | 6.8%
BS | Assets | CASH AND BANK BALANCES | Cash at Bank | Treasury | 226610820 | 2.2%
BS | Assets | Interest Accrued | Interest | Financial Reporting | 188900404.1 | 1.8%
BS | Assets | Inventories | Inventory | Fuel Station Operations | 10263629 | 0.1%
BS | Assets | Cenvat Credit | Taxation | Compliance | 12354376.95 | 0.1%
BS | Assets | Advance to employees | Advance to employees | Payroll & HR | 633446.71 | 0.0%
BS | Assets | Loans & Advances to Subsidiaries | Inter Company Balances | Financial Reporting | 30002734.34 | 0.3%
BS | Assets | Loans & Advances to an Associate | Inter Company Balances | Financial Reporting | 13236146 | 0.1%
BS | Assets | Loans & Advances to Other Parties | Inter Company Balances | Financial Reporting | 568214225.2 | 5.5%
BS | Assets | Other Non current assets | Total Non Current assets | Financial Reporting/Payroll & HR | 9639578 | 0.1%
BS | Assets | Non Current Investments | Investments | Financial Reporting | 6583195302 | 63.5%
BS | Assets | Tax Deducted at Source | Taxation | Compliance | 346679573 | 3.3%
BS | Assets | Prepaid Expenses | Prepaid Expenses | Financial Reporting | 7962232.51 | 0.1%
BS | Assets | OTHER CHARGES RECEIVABLE | Total charges receivable | Revenue Assurance/ International Freight Forwarding | 69280428.69 | 0.7%
Assets Total | | | | | 103713,50,218 | 100.0%

Sr. No. and Name of Process: 1 Accounts Payable; 2 Accounts Receivable; 3 Treasury; 4 Financial Reporting;
5 Fixed Assets Management; 6 Payroll & HR; 7 Fuel Station Operations; 8 Revenue Assurance; 9 Compliance;
10 Ecom Operations; 11 COD Management; 12 International - Freight Forwarding; 13 Admin Procurement; 14 ELCs;
15 Customer Taxation

Scoping of Significant Account Balances and Processes
Scoping of account balances for IFC Implementation

Type | Expense/Income | FSLI | Mapping of Significant Account Balances | Process | Total | % Total
IS | Income | Freight, Demurrage and Miscellaneous charges | Revenue From Operations | Revenue Assurance/ International Freight Forwarding/ Customer Taxation | (20501,48,957) | 55.9%
IS | Income | Other Operating Income | Revenue From Operations | Revenue Assurance/ International Freight Forwarding | (1089,74,869) | 3.0%
IS | Income | Sale of Diesel, Petrol and Lubricants | Revenue From Operations | Fuel Station Operations | (14184,47,269) | 38.7%
IS | Income | Liabilities no longer required written back | Other Income | Financial Reporting | (35,26,362) | 0.1%
IS | Income | Rent Received | Other Income | Revenue Assurance/ International Freight Forwarding | (241,84,554) | 0.7%
IS | Income | Profit On Sale Of Fixed Assets | Other Income | Fixed Assets Management | (56,49,148) | 0.2%
IS | Income | Interest | Other Income | Financial Reporting | (551,07,672) | 1.5%
Income Total | | | | | (36660,38,831) | 100.0%
IS | Expenses | Operating Expenses | Operating Expenses | E Com Operations/ Admin Procurement | 14972,25,664 | 42.6%
IS | Expenses | Purchase of Stock-in-trade | Inventory | Fuel Station Operations | 13823,34,978 | 39.4%
IS | Expenses | Changes in Inventories of Stock-in-Trade | Inventory | Fuel Station Operations | (12,11,119) | 0.0%
IS | Expenses | Other Operating Expenses | Operating Expenses | Accounts Payable/ COD Management | 1232,37,866 | 3.5%
IS | Expenses | Employee Benefit expenses | Employee Expenses | Payroll & HR | 2563,60,313 | 7.3%
IS | Expenses | Interest Expenses | Total Interest expenses | Treasury | 1324,47,527 | 3.8%
IS | Expenses | Depreciation Expenses | Depreciation & Amortization | Fixed Assets Management | 1212,00,593 | 3.5%
Expense Total | | | | | 35115,95,822 | 100.0%

Sr. No. and Name of Process: 1 Accounts Payable; 2 Accounts Receivable; 3 Treasury; 4 Financial Reporting;
5 Fixed Assets Management; 6 Payroll & HR; 7 Fuel Station Operations; 8 Revenue Assurance; 9 Compliance;
10 Ecom Operations; 11 COD Management; 12 International - Freight Forwarding; 13 Admin Procurement; 14 ELCs;
15 Customer Taxation

Identification of Significant Business Units / Locations
Determine the relevance of business units/locations for scoping and evaluate factors such as the relative
financial significance of the business unit/location and the risk of material mis-statement arising from the
business unit/location.

1. Is the location or business unit individually important? (Yes)
   Generally locations that have over 5% of a certain criteria but are required to make the total for all
   significant locations
2. Are there specific significant risks? (Yes)
   Generally locations under 5% of a certain criteria but contain a risk or risks that could create a material
   misstatement
3. Are there locations or business units that are not important even when aggregated with others? (Yes)
   Generally locations under 5% of a certain criteria but contain a risk or risks that could create a material
   misstatement
4. Are there documented company-level controls over this group? (Yes)

Identification of Key Transactions

Identify SCOT

- Significant class of transaction (SCOT) is any transaction that has a significant impact on the
  financial statement. Some examples of SCOTs are:
  • Sales rendered through different channels viz. direct, internet etc.
  • Fixed assets and depreciation
  • Cash receipts
  • Major expenses such as administration, vendor vehicle, business partner etc.
  • Provision for/payment of income taxes
  • Salaries and employee benefits (e.g. payroll)
  • Application of new accounting pronouncements
  • Period end financial reporting
- SCOTs can be classified into routine (sale, purchase), non-routine (physical verification, depreciation)
  and estimation (provision, reserves) based on the transactions and type of operation

Identification of Key Controls
- Controls which are most likely to prevent and detect errors/fraud in a process e.g., bank reconciliation,
  three-way match of GRN, PO and Invoice, etc.
- Controls including general controls (e.g. information technology) on which other significant controls are
  dependent.
- Controls over significant non-routine and non-systematic transactions (such as accounts involving
  judgements and estimates).
- Controls over the period end financial closing process, including controls over procedures used to enter
  transaction totals into the general ledger; to initiate, process and record journal entries in the general
  ledger; and to record recurring and non-recurring adjustments to the financial statements.
- Controls with a high likelihood that their failure would result in a material financial misstatement.

Remember!
All controls are not key controls. Operationalizing and Testing controls cost the Company

Process Understanding & Documentation
As defined in ICAI guidelines, some of the key considerations that have to be taken into account prior to
documentation are:
- End objective from the documentation – compliance or business driver
- Uniformity in format and content of control documentation
- Scope and detail of process level workflow and documentation of ICOFR (including IT systems and
  processing facilities)
- Level of existing documentation (processes, policies, procedures, roles etc.)
- Specific requirements of external auditors for documentation
- Subject Matter Experts (SMEs) or specialists for all key processes
- Process for capturing information in a manner that can be maintained on an ongoing basis

Process Understanding & Documentation (continued)
Key activities for process understanding entail the following:
- Identify the relevant process owners and SPOC for each relevant and scoped sub-process.
- Conduct discussion meetings and focused-group discussions with the process coordinators.
- Document the As-is processes.
- Identify the existing controls in the processes.
- Clearly understand and document the Control parameters viz.
  • Control Owner: Individual who is responsible for the efficiency of the control. This may be
    different than the processor/ executor. E.g. Invoices processed by the Accounts Executive after
    verifying the supporting documents may not be a control; however, validation checks of the
    processed invoices by the Deputy Manager is a control. Hence, Deputy Manager becomes the
    Control Owner.
  • Control Frequency: The frequency at which the control activity is performed. Control activities
    are based on the propensity of the activity happening. Generally, they can be transactional, daily,
    weekly, monthly, semi-annual and/or annual in nature. It is crucial to note this, since the testing and
    sampling methodology will depend on the control frequency.
  • Nature of Control: Controls can be either Preventive or Detective. (Explained in subsequent slide)
  • Type of Control: Controls can be Manual or Automated. (Explained in the subsequent slide)
- Discuss and identify the gaps in processes

Identification of Entity Level Controls

Control Environment
• Integrity and Ethical Values
• Commitment to Competence
• Attention and Direction of Board of Directors and Audit Committee
• Management’s Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resources Policies and Procedures
Risk Assessment
• Company-wide Objectives
• Process-level Objectives
• Risk Identification and Analysis
• Managing Change
Control Activities
• Policies and Procedures
• Information System Controls
• Regulatory Monitoring
Information and Communication
• Quality of Information
• Effectiveness of Communication
Monitoring
• On-going Monitoring
• Separate Evaluations
• Reporting Deficiencies

The procedures used to evaluate a Company’s effectiveness of internal controls at the entity level are
as follows:
- Conduct an entity-level survey of top management to assess their views on the entity-level controls
- Review documentation of entity-level controls as they exist (for instance, review the current code of
  conduct, WB mechanism, audit committee charter, and similar documentation for each component),
- Review entity-level information technology controls
- Assess control effectiveness at the entity level and make recommendations for improvement as appropriate
- Consider the impact on process-level controls

Each of these Entity Level Components has been explained in the ICAI guidelines, which are reproduced in subsequent slides

Identification of IT General Controls (ITGC)

[Figure: IT Organization and Structure; IT Entity-level Control; IT Process-level Control]

Critical IT processes
- Program Development
- Program Change
- Computer Operations
- Access to Program and Data
- Interface Controls

Critical application and data owner process evaluations
- Segregation of incompatible duties (SOD)
- Limit access to transactions and data
- Data validation/error checking routines
- Complex calculations

Critical OS/DB control (End User Computing)
- Access to Operating System (OS) / Database (DB)
- Change management
- Data backup
- Data protection
- Input control, etc.

Identify Significant Flow of Transactions through IPE Controls
Though the auditing standards do not provide a specific definition of Information Produced by Entity (IPE),
IPE is in the form of a report which is either system generated, manually prepared or a combination of
both. IPE evaluation by Protiviti is represented as below:

Key Outputs / Deliverables

IFC Review and Implementation – Key Deliverables
The following are the key deliverables:

Steps | Key Deliverables
1. Process understanding | Process narratives and Flowcharts
2. Developing Risk Control Matrix for key controls / risks | Risk Control Matrices for all areas under scope (Business Processes, ELCs)
3. Design Effectiveness Testing | Testing templates; Gap Analysis Report

Entity Levels Control Assessment

Component | Principle | Point Of Focus | Control
Control Environment | Principle 1 – Demonstrates a commitment to Integrity and Ethical values | POF 1 – Sets the tone at the top. | None

While mapping and assessing the Entity Level Controls, one may come across different kinds of deficiencies such as;
• Principle Gap – No documented control has been identified to cover the principle.
• POF Gap – No documented control has been identified to cover the point of focus (POF).
• POF Recommendation – Control required rewording / additional details to cover the POF.

Component: Risk Assessment
Principle: Principle 1 – Demonstrates a commitment to Integrity and Ethical values
Point of Focus: POF 1 – Sets the tone at the top.
Severity: Principle Gap
Deficiency Description: There is no documented control on how the Company sets the tone at the top.
Recommendation - Control Examples to Consider: The Company has designed and implemented Mission and values
statements, policies and practices, employee brochure / handbook covering at least:
1. Mission and Values statements
2. Code of Conduct and Business Ethics
3. Discrimination
4. Harassment
5. Health and Safety
6. Whistle-blower

Process Risk Control Matrix
Using the process understanding documented in the process narrative, we shall then document the Risk Control Matrix
(RCM), clearly identifying the different elements of the controls, such as type of control (automated or manual),
nature of control (preventive or detective) and frequency (Annual, Quarterly, Monthly, etc.).

Principles and points of focus (POF) assessed for each control (Sales – Revenue):
P6 – Risk Assessment: POF – Is the objective clearly articulated?
P10 – Selects and develops control activities: POF – Is the control responsive to risk? Is it performed at
appropriate level? Are the duties adequately segregated?
P12 – Deploys through policies and procedures: POF – Is the control performed on a timely basis? Does the control
include follow-up corrective action?
P13 – Uses relevant information: POF – Is all information captured? Is control dependent on IPE and is it complete
and accurate?

Process / Control Objective: Revenue is recognized as per the IGAAP
Risks: Revenue recognized is not as per the Accounting Standards resulting in material misstatement of Revenue
Control Activity: In case of Construction Projects, % Completion is used for recognition of revenue, the
calculations and journal entry recorded are recorded and approved by Manager Finance
Assessment: P6 – Y | P10 – X | P12 – Y | P13 – Y

The controls will be documented in a way that ensures the relevant Principles and POFs pertaining to the respective
COSO Components are addressed, i.e. controls shall be documented so that the objective is suitably
articulated, the risk is addressed, segregation of controls is maintained, etc. Deficiencies shall be recorded in the
gap log shown in the subsequent slide.

70 © 2017 Protiviti.
CONFIDENTIAL: This document is for your Company's internal use only and may not be copied nor distributed to another third party.
Process Controls Mapping and Gap Log

Columns: Process; Sub-Process; Control Objective; Assertions (E V C P R); Risks; Control Activity; Gap description;
Principle and POF violated

Process: Sales
Sub-Process: Revenue Recognition
Control Objective: Revenue is recognized as per the IGAAP
Assertions (E V C P R): X
Risks: Revenue recognized is not as per the Accounting Standards resulting in material misstatement of Revenue
Control Activity: In case of Construction Projects, % Completion is used for recognition of revenue, the calculations and journal entry recorded for accounting is approved by Manager Finance.
Gap description: The duties of review and approval are not adequately segregated.
Principle and POF violated: Principle 10 - Selects and develops Control Activities; POF 43 – Addresses segregation of duties

Status of Internal Control Effectiveness

Columns: #; Process/ Sub Process; Total Controls; Controls Tested; Controls passed; Controls failed; Remediation

1  ELC Controls
2  Process level controls
     Project Budgeting, Planning, Execution and Forecasting
     Contractor Management
     Bidding and Estimation
     Site development and Improvement
     Construction Monitoring
     Built to Suit Process
     Fixed Assets
     Project Accounting
3  IT General Controls

Risk Control Matrix (RCM) and Gap Mapping
Columns: Sr. No.; Sub-Process; Process Owner; Control Objective; Risk Identified; Control description; Assertions
(Completeness, Rights & Obligations, Presentation & Disclosure, Occurrence, Existence, Valuation); Fraud; Gap
description; Nature of Control (Preventive or Detective); Type of Control (Manual or Automated or dependent on system
generated reports); Frequency of Control (As needed, daily, fortnightly, monthly, semi-annually, annually);
Control/ Key control; Recommendation; Next step; Date for implementation; Management Comment

Sr. No. 1
Sub-Process: Centralised payment process
Process Owner: HO Finance
Control Objective: To ensure vendor payments are processed to correct accounts
Risk Identified: Vendor payments are processed to incorrect bank account. Disruption of services by vendor due to non receipt of payment
Control description: Finance executive generates the vendor payment run report from CRM which is reviewed by another Finance executive for correctness of bank account number, IFSC code and master code of the vendor (from vendor master file).
Assertions ticked: ✓ ✓
Gap description: Absence of documentary review evidence by another finance executive regarding accuracy of bank account number, IFSC code and master code of the vendor
Nature of Control: Preventive
Type of Control: Manual
Frequency of Control: As needed
Key control: Y

Sr. No. 2
Sub-Process: Centralised payment process
Process Owner: HO Finance
Control Objective: To ensure vendor payments are processed to correct accounts
Risk Identified: Vendor payments are processed to incorrect bank account. Disruption of services by vendor due to non receipt of payment
Control description: Vendor payment run report is further reviewed and approved for payment by Sr. Manager Finance and Manager Finance.
Assertions ticked: ✓ ✓ ✓
Gap description: NA
Nature of Control: Detective
Type of Control: Manual
Frequency of Control: As needed
Key control: Y

Sr. No. 3
Sub-Process: Centralised payment process
Process Owner: HO Finance
Control Objective: To ensure payments are authorised and paid to the correct vendor
Risk Identified: Payments released for unauthorised vendor invoices
Control description: DGM Finance/Manager Finance have to enter their ID and password on bank site to authorize vendor payment file for making payments to the vendors
Assertions ticked: ✓ ✓ ✓
Gap description: ID and passwords are not linked with the IP address of the system and can be used to authorise payment from another system.
Nature of Control: Preventive
Type of Control: Manual
Frequency of Control: As needed
Key control: Y

Sr. No. 4
Sub-Process: Payment process through HO accounts payables team
Process Owner: GDW/ EDC/ Zonal/ HO BAC team, User department, BAZ team
Control Objective: Claim form and invoice is approved and validated by user department and accounts payable. Payments are made for approved invoices
Risk Identified: Invoices processed for services not received. Claims not approved/approved by incompetent authorities. Incorrect accounting of invoices. Payments made for services not received/ partly received/ disputed.
Control description: Claim form (system generated) and invoice (scan copy) are directed to user department head by accountant for review and approval. Without approval of claim form, invoice will not be processed. User Department Head approves claim form in the system. Post approval from user department, the treasurer scans the barcode of the approved claim form basis which liability is automatically accounted in the books.
Assertions ticked: ✓ ✓ ✓ ✓
Gap description: NA
Nature of Control: Preventive
Type of Control: Manual / Automated
Frequency of Control: As Needed
Key control: Y

Enterprise Level Controls (ELCs) Matrix
Columns: Sr.No; COSO 2013 Component; COSO 2013 Principle Number; COSO 2013 Principle; COSO 2013 Focus Point Number;
COSO 2013 Focus Point; Control Description; Responsible Function; Existing Evidence Documentation

All rows: COSO 2013 Component: Control Environment; Principle : 1 – Demonstrates commitment to integrity and ethical values

Sr.No 1
Focus Point: POF:1 – Sets the Tone at the Top
Control Description: The Company has Code of Conduct which is required to be followed in every aspect. Company has a whistle blower policy in place which is displayed on the website of the Company.
Responsible Function: HR
Existing Evidence Documentation: Code of Conduct Policy; Whistle blower policy, Print screen where policy is displayed

Sr.No 2
Focus Point: POF:1 – Sets the Tone at the Top
Control Description: Communication Channels (as per Whistle Blowers Policy) are set up to facilitate individuals and external parties to report departures from policy and significant internal control issues.
Responsible Function: HR
Existing Evidence Documentation: Whistle blower policy

Sr.No 3
Focus Point: POF:1 – Sets the Tone at the Top
Control Description: Investigation process has been documented as part of the Whistle Blower Policy. Decisions relating to ethics violations / whistle-blower alerts are taken by CGC of Executives and reviewed / noted by Audit Committee on quarterly basis.
Responsible Function: Vigilance Team
Existing Evidence Documentation: Investigation process document, Ethics & Audit committee (AC) minutes

Sr.No 4
Focus Point: POF:1 – Sets the Tone at the Top
Control Description: Actionable provided by Audit Committee or Board are tracked through Action Taken Report by Senior Management for implementation.
Responsible Function: Company secretary
Existing Evidence Documentation: Action taken Report (ATR) presentations, AC minutes

Sr.No 5
Focus Point: POF:1 – Sets the Tone at the Top
Control Description: Code of conduct policy is signed by new employees at the time of joining. Online module for training is available and to be undertaken at the time of new employee joining
Responsible Function: HR
Existing Evidence Documentation: Code of conduct signed by employees and online training results for employees

Sr.No 6
Focus Point: POF:2 – Establishes Standards of Conduct
Control Description: Communication Channels (as per Whistle Blowers Policy) are set up to facilitate individuals and external parties to report departures from policy and significant internal control issues.
Responsible Function: HR
Existing Evidence Documentation: Whistle blower policy

Sr.No 7
Focus Point: POF:2 – Establishes Standards of Conduct
Control Description: Code of conduct policy is signed by new employees at the time of joining. Online module for training is available and to be undertaken at the time of new employee joining
Responsible Function: HR
Existing Evidence Documentation: Code of conduct signed by employees and online training results for employees

Sr.No 8
Focus Point: POF:2 – Establishes Standards of Conduct
Control Description: Vigilance teams have been formed for easy and convenient accessibility for employees and associates to report violation of policy or any potential violation as well.
Responsible Function: Vigilance Team
Existing Evidence Documentation: Ethics counsellor communicated to all employees via mail to report violations/ ethics journal

Sr.No 9
Focus Point: POF: 3 – Evaluates adherence to Standards of Conduct
Control Description: Communication Channels (as per Whistle Blowers Policy) are set up to facilitate individuals and external parties to report departures from policy and significant internal control issues.
Responsible Function: HR
Existing Evidence Documentation: Whistle blower policy

Illustrative Work Papers

Work Paper – Process Flowchart

Work Paper – Process Narrative

Work Paper - Test of Design Effectiveness Template
Control Summary
Control ID
Control Activity
Summary Description

Control Description -
Detailed Description of How the Control Is Expected to Be
Performed
Risk(s) of Material Misstatement Addressed

Account Balance and Assertion(s) Addressed Account balance:-


Assertions:-

Frequency of Control Operation

Test and Evaluation of Control Design


Procedures Performed to Test the Design of the Control

Design Factor 1: Appropriateness of the Purpose of the Control and Its Correlation to the Risk/Assertion
Document considerations of the appropriateness of the
purpose of the control and correlation to the risk/assertion
identified in the ROMM

Design Factor 2: Appropriateness of the Control Considering the Nature and Significance of the Risk
Document considerations of the appropriateness of the
control given the nature and significance of the risk

Design Factor 3: Competence and Authority of the Person(s) Performing the Control
Control Owner(s)
Document considerations of the appropriateness of authority
and competence of the process owner(s) to perform the
control

Design Factor 4: Frequency and Consistency with Which the Control Is Performed
Document considerations of how the frequency and
consistency of operation of the control are appropriate
Is the effectiveness of the control dependent upon information produced by the entity (IPE)?
Identify the controls that address the accuracy and
completeness of the IPE, where the IPE is tested and the
conclusion reached as a result of that testing.

Conclusion
Design Effectiveness Conclusion Effective

Work Paper - Test of Operating Effectiveness Template
Perform Tests of Operating Effectiveness of Controls (Interim/Apportion)

CONTROL ACTIVITY TESTING:


Columns: Selection #; Selection Date; Note 8; Note 9; Exception or Deviation?

Perform Tests of Operating Effectiveness of Controls (Rollforward)

CONTROL ACTIVITY TESTING:


Columns: Selection #; Selection Date; Note 8; Note 9; Exception or Deviation?

Operating Effectiveness Testing Conclusion


Conclusion Interim/Apportion Deviations Identified
Rollforward Deviations Identified
Evaluation if exceptions or deviations identified are control
deficiencies and the severity of the deficiency, if applicable

Work Paper - Project Schedule Status with reasons for variance, if any.

Columns: #; Process/ Sub Process; Backlog; Reasons (The past week’s reasons are stated in italics)

2  Process level controls

Project Accounting (Backlog: -31)
• 3 Automated controls pertaining to access rights can be done after SAP ID is provided.
• Process owner for 25 controls has just resumed and hence testing will be done now.
• Data to be received in some cases for walkthrough performed of manual controls

Fixed Asset (Backlog: -4)
• Process owner has not yet been identified for 3 controls
• 1 Automated controls are pending to be tested

PTP (Material) (Backlog: -31)
• 29 Automated controls are pending to be performed.
• Spent time on understanding the narrative, flowchart and the RCM

Product Development Cost (Backlog: -16)
• Process walkthrough has now been initiated
• PDC process underwent changes and RCM was shared on December 14th.

Work Paper - Overall Assessment of System of Internal Control over
Financial Reporting
Overall Assessment of a System of Internal Control over Financial Reporting
Entity or part of organization structure subject to the assessment (entity, division, operating unit, function)
Objective(s) being considered for the scope of internal control being assessed (for each: Considerations regarding
management's acceptable level of risk):
  Operations
  Reporting
  Compliance

Components (for each: Present? (Y/N); Functioning? (Y/N); Explanation/ Conclusion):
  Control Environment
  Risk Assessment
  Control Activities
  Information and Communication
  Monitoring Activities

Are all components operating together in an integrated manner?
Evaluate if a combination of internal control deficiencies, when aggregated across components, represent a major deficiency*
<Update Summary of Deficiency Template as needed>
Is the overall system of internal control effective? <Y/N>*
Basis for conclusion
*For major deficiency, management must conclude that the system of internal control is not effective

Status Reporting

Status of Entity Level Controls
Based on walkthrough and review of certain documents, the following is the list of gaps identified:

Columns: Principle and Point to be addressed; Gaps Identified; Current Practice; Way Forward; Entities

Principle and Point to be addressed: Principle: 1,15; POF: 1,2,63 (The board of directors and management at all levels demonstrate the importance of integrity and ethical values)
Gaps Identified: Code of conduct has been adopted but not reviewed regularly for its completeness. Further it is not displayed at various prominent places within company premises
Current Practice: Company has a code of conduct which is displayed on the company’s website

Principle and Point to be addressed: Principle: 1; POF: 1,2 (Established Standards of Conduct)
Gaps Identified: Code of Conduct is not signed by employees and key management persons and all the directors every year.
Current Practice: Code of conduct is signed by the employees at the time of joining only.

Principle and Point to be addressed: Principle: 1; POF: 1,2 (Established Standards of Conduct)
Gaps Identified: Code of conduct reference is not documented in contracts and agreements with all the vendors dealing with company.

Based on review of all the documents and the related controls in place, the status of ELCs, including changes in gaps
(either D, SD or MW), will be updated to the management later.
Status of Process Level Controls

Summary of Process Level Controls
Process                        Total Controls  Automated  Manual  Key Controls  Process GAPs
Warehousing                    12              3          11      11            8
Regulatory                     11              4          10      8             -
Customer taxation              6               1          6       5             -
Business partner management    14              7          11      14            3
E commerce                     19              8          15      14            3
Total                          -               -          -       -             -

We have started the test of operating effectiveness (TOE) for 25% of the total controls. TOE is pending due to
non-availability of data / information. The control-wise list of pending items has already been shared with those concerned.
The status of pending controls, including changes in gaps, will be updated upon completion of testing these controls.

In subsequent slides we have presented the key gaps.

Summary of Key Gaps
Following is the summary of key gaps identified

Key Gaps
Columns: Process; Sub Process; Control Gap; Mitigating Controls (if any); Management Action Plan

Process: Payroll & HR
Sub Process: Master Creation
Control Gap: Absence of independent review and approval within HR for employee creation. Details entered in employee master are not reviewed/verified by an appropriate authority with supporting documents
Mitigating Controls (if any): NA
Management Action Plan: Not required, checks at the time of payment of salary

Process: Payroll & HR
Sub Process: Master Creation
Control Gap: System accepts duplicate PAN and Bank details at the time of creation of staff code. No documented policy for signing the appointment letters.
Mitigating Controls (if any): NA
Management Action Plan: Duplicate PAN, Bank details check have been started.

Process: Payroll & HR
Sub Process: Master Updation
Control Gap: Changes in employee master made by Executive HR are not reviewed and approved in system.
Mitigating Controls (if any): NA
Management Action Plan: Will discuss and identify the details which needs parking and posting and have the mechanism in new system.

Status of IT General Controls

Summary of Key Gaps
Following is the summary of key gaps identified

Key Gaps
Columns: Process; Sub Process; Control Gap; Mitigating Controls (if any); Management Action Plan

1. Process: CRM - Application Security controls
Sub Process: Direct Data Update
Control Gap: Direct data update from the backend is possible in the CRM Application. There are no controls in place to ensure that backend data update is completely restricted. It was noted that the DBA users have access to modify business data directly in the tables at the database level using SQL commands. The backend Oracle database does not capture a log of all backend entries, hence a log review is not possible. There is no formal periodic detective review of the history of SQL query updates captured to recertify the backend data updates.
Mitigating Controls (if any): NA

2. Process: Oracle Apps - Application Security controls
Sub Process: Generic Ids
Control Gap: There are around 27 generic user Ids in the Oracle Apps and most of these user Ids are shared between multiple users
Mitigating Controls (if any): NA
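
One way to run the periodic detective review that the first gap says is missing, and to surface database IDs used by more than one person as in the second gap. This is an added example, not part of the original deck; it assumes database auditing has been enabled and exported, and the record layout, account names, table names and change tickets are constructed for illustration.

```python
"""Recertify backend data updates and flag shared database IDs (constructed data)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed export of database audit records, one row per statement.
# The column names are assumptions for this example, not a product schema.
AUDIT_CSV = """ts,db_user,os_user,host,action,table_name
2017-03-01T10:02:11,DBA_OPS,ravi,ws-101,UPDATE,VENDOR_BANK
2017-03-01T10:05:40,APPS_BATCH,svc_batch,app-01,INSERT,INVOICE
2017-03-02T23:41:09,DBA_OPS,meena,ws-207,DELETE,INVOICE
2017-03-03T09:15:00,DBA_OPS,ravi,ws-101,SELECT,VENDOR_BANK
2017-03-04T14:20:30,GENERIC_FIN,anil,ws-310,UPDATE,VENDOR_BANK
2017-03-04T16:45:12,GENERIC_FIN,sunita,ws-322,UPDATE,CUSTOMER
"""

# Constructed change register: backend updates that were approved in advance.
APPROVED_CHANGES = [
    {"ticket": "CHG-EXAMPLE-1", "db_user": "DBA_OPS", "table_name": "VENDOR_BANK",
     "start": "2017-03-01T09:00:00", "end": "2017-03-01T12:00:00"},
]

BUSINESS_TABLES = {"VENDOR_BANK", "INVOICE", "CUSTOMER"}  # tables holding business data
APPLICATION_ACCOUNTS = {"APPS_BATCH"}  # accounts the application itself writes through
DML_ACTIONS = {"INSERT", "UPDATE", "DELETE"}


def load_records(text):
    """Parse the audit export and convert timestamps to datetime objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["ts"] = datetime.fromisoformat(row["ts"])
        records.append(row)
    return records


def find_ticket(record, changes):
    """Return the approved change covering this statement, or None."""
    for chg in changes:
        start = datetime.fromisoformat(chg["start"])
        end = datetime.fromisoformat(chg["end"])
        if (chg["db_user"] == record["db_user"]
                and chg["table_name"] == record["table_name"]
                and start <= record["ts"] <= end):
            return chg["ticket"]
    return None


def review_backend_updates(records, changes):
    """List direct data changes to business tables that no approved change covers."""
    exceptions = []
    for rec in records:
        if rec["action"] not in DML_ACTIONS or rec["table_name"] not in BUSINESS_TABLES:
            continue  # reads and non-business tables are out of scope
        if rec["db_user"] in APPLICATION_ACCOUNTS:
            continue  # writes made through the application, not from the backend
        if find_ticket(rec, changes) is None:
            exceptions.append(rec)
    return exceptions


def shared_ids(records):
    """Map each database ID to the OS users behind it, where there is more than one."""
    people = defaultdict(set)
    for rec in records:
        people[rec["db_user"]].add(rec["os_user"])
    return {db_user: sorted(users) for db_user, users in people.items() if len(users) > 1}


if __name__ == "__main__":
    recs = load_records(AUDIT_CSV)
    for rec in review_backend_updates(recs, APPROVED_CHANGES):
        print("UNAPPROVED", rec["ts"].isoformat(), rec["db_user"], rec["os_user"],
              rec["action"], rec["table_name"])
    for db_user, users in shared_ids(recs).items():
        print("SHARED ID", db_user, "used by", ", ".join(users))
```

Each exception goes to the data owner for recertification, and each shared ID is a candidate for replacement with named accounts.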

Relevant Standards on Auditing

SA Description
SA 230 (Revised) Audit Documentation
SA 500 (Revised) Audit Evidence
SA 501 (Revised) Audit Evidence—Specific Considerations for Selected Items
SA 530 (Revised) Audit Sampling
SA 700 (Revised) Forming an Opinion and Reporting on Financial Statements
SA 705 Modifications to the Opinion in the Independent Auditor’s Report
SA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report

Standards on Auditing
SA 230 – Audit Documentation
• Scope of SA 230 - This Standard on Auditing (SA) deals with the auditor’s responsibility to prepare audit
documentation for an audit of financial statements. It is to be adapted as necessary in the circumstances when
applied to audits of other historical financial information. The specific documentation requirements of other SAs
do not limit the application of this SA. Laws or regulations may establish additional documentation requirements.
• Audit documentation serves a number of additional purposes, including the following:
  • Assisting the audit team to plan, perform, direct and supervise the audit work, and to discharge their review
    responsibilities in accordance with SA 220
  • Enabling the engagement team to be accountable for its work
  • Retaining a record of matters of continuing significance to future audits
  • Enabling the conduct of quality control reviews and inspections in accordance with SQC
  • Enabling the conduct of external inspections in accordance with applicable legal, regulatory or other
    requirements
• Definition
  • Audit documentation – The record of audit procedures performed, relevant audit evidence obtained, and
    conclusions the auditor reached (terms such as “working papers” or “work papers” are also sometimes
    used).
  • Audit file – One or more folders or other storage media, in physical or electronic form, containing the
    records that comprise the audit documentation for a specific engagement.

Standards on Auditing (Contd.)
SA 230 – Audit Documentation
• Requirement
  • Timely Preparation of Audit Documentation
  • Documentation of the Audit Procedures Performed and Audit Evidence Obtained
  • Form, Content and Extent of Audit Documentation
    o The nature, timing, and extent of the audit procedures performed to comply with the SAs and
      applicable legal and regulatory requirements
    o The results of the audit procedures performed, and the audit evidence obtained
    o Identifying characteristics of the specific items or matters tested
    o Who performed the audit work and the date such work was completed; and who reviewed the audit
      work performed and the date and extent of such review.
    o The auditor shall document discussions of significant matters with management, those charged with
      governance, and others, including the nature of the significant matters discussed and when and with
      whom the discussions took place
    o If the auditor identified information that is inconsistent with the auditor’s final conclusion
      regarding a significant matter, the auditor shall document how the auditor addressed the
      inconsistency
  • Departure from a Relevant Requirement
  • Matters Arising after the Date of the Auditor’s Report
  • Assembly of the Final Audit File
  • Ownership of Audit Documentation

Standards on Auditing (Contd.)
SA 230 – Audit Documentation
Audit documentation – The record of audit procedures performed, relevant audit evidence obtained, and
conclusions the auditor reached (terms such as “working papers” or “workpapers” are also sometimes used).

The auditor shall prepare audit documentation sufficient to enable an experienced auditor, having no previous
connection with the audit, to understand the results of audit procedures and significant matters.

Audit documentation is the property of the auditor.

Minimum period of retention of engagement documentation is 10 years.

The auditor shall document the following:

• Discussions of significant matters with management
• Information inconsistent with the auditor’s final conclusion regarding a significant matter
• How the alternative audit procedures performed achieve the aim of that requirement, and the reasons for the
  departure, if the auditor judges it necessary to depart from a requirement in an SA
• New conclusions after the date of the auditor’s report
• How inconsistencies have been addressed

However, it is neither necessary nor practicable for the auditor to document every matter considered, or professional
judgment made, in an audit.

Standards on Auditing (Contd.)
SA 230 – Audit Documentation

SA 230 is briefly described in the flowchart below:

[Flowchart: SA 230 – Audit Documentation. Box labels: Sufficient to enable Experienced Auditor to understand; No
Previous connection with Audit; Nature, Timing and Extent of Audit procedures to comply with SA's; Results of Audit
Procedures and Evidences obtained; Significant matters, conclusions thereon and professional judgements w.r.t.
conclusions; Size, complexities of client, Nature of Audit Procedures, Identified risk of material misstatements,
Significance of audit evidence, Nature extent of identified exception, Audit methodology, tools need of document;
Paper/Electronic/other media]

Standards on Auditing (Contd.)
SA 530 – Audit Sampling
• Audit sampling – Audit procedures are applied such that all sampling units have a chance of selection, in order to
  draw conclusions about the entire population.

• Sampling Risk – It can lead to two types of erroneous conclusions:
  i. Affecting audit effectiveness – in the case of a test of controls, the conclusion that controls are more
     effective than they actually are, or in the case of a test of details, that a material misstatement does not
     exist when in fact it does.
  ii. Affecting audit efficiency – in the case of a test of controls, the conclusion that controls are less effective
     than they actually are, or in the case of a test of details, that a material misstatement exists when in fact it
     does not.

• Statistical Sampling – An approach to sampling that has the following characteristics:
  i. Random selection – generally using random number tables in MS Excel
  ii. Use of probability theory to evaluate sample results, including measurement of sampling risk.
  iii. If statistical sampling is not being applied, fall back on non-statistical sampling

• Tolerable Misstatement – A monetary amount set by the auditor, for which the auditor seeks an appropriate level of
  assurance that it is not exceeded by the actual misstatement. It may be the same amount as, or an amount lower than,
  performance materiality.

• Tolerable rate of deviation – A rate of deviation set by the auditor, for which the auditor seeks an appropriate
  level of assurance that it is not exceeded by the actual rate of deviation.

Testing methodology (Contd.)
Test Procedures:

There are four types of testing techniques performed to obtain evidence about the operating effectiveness of
controls. Those types are (listed in order of highest to lowest level of assurance obtained): Re-performance,
Inspection/Examination, Observation and Inquiry.

• Re-performance gives the greatest assurance that a control is operating effectively. The testing team will perform
  validation procedures for selected controls. In this type of test the control activity is re-performed. An
  example of when this would be used is in testing a physical inventory control, when you would observe a count and
  perform an independent test of quantities. This should be used when a high degree of confidence in the control is
  necessary.
• The next level of assurance can be obtained through Inspection/Examination procedures. This will be the most
  frequently used technique. It includes reviewing documents that are used in the application of the control or
  result from the operation of the control. An example would be reviewing evidence that controls are being
  performed: reconciliations are prepared and signed off by supervisors; exception reports are reviewed and marked
  with check marks or written explanations. This is used when there is evidence of a manual control being
  performed.
• Observation is used when no documentation exists and is often used in combination with inquiry. This is used
  frequently with system controls where an error message or validation check cannot be easily evidenced via a paper
  trail but can be seen on the operator’s screen.
• Inquiry should be used in combination with the other controls to gain an understanding of the control being
  performed and gather information about the control. This involves questioning or interviewing the person
  performing the control and can be oral or written. For example, inquiry is used when questioning an accountant on
  what documents are necessary and how they perform the reconciliation.

Testing methodology (Contd.)
Testing Frequency
For fiscal year 20XX, testing will be performed in two stages: initial testing (a portion of the full sample will be
tested at this time) and refresh testing (the remainder is captured in refresh testing, to serve as evidence of the
control functionality throughout the year). If necessary, remediation testing may also need to be performed for
controls that fail initial testing.

Testing Exceptions
Test exceptions will be identified when a control does not meet the specifications in the test or evidence of the
control performance does not exist. In these situations, inquiry should be performed to determine if it is an isolated
incident. For controls that fail testing through September 20XX, action plans will be implemented by Company X
Management to fix the issue. For control failures identified after September 20XX, the SOX PMO will determine
whether an action plan should be implemented before year-end or whether the sample will be expanded. If the
control is a failure, an action plan will be drafted and implemented and the control will need to be retested during
remediation testing in Q3/Q4.

The testing period for remediation testing starts whenever the action plan was implemented as a result of the control
failure. If a control was identified during initial testing as an exception, and an action plan was implemented as of
July 1st, the testing period would start on July 1st, 20XX. There would also need to be a minimum length of time that a
remediated control needs to be in place before an adequate sample can be available and the control can be relied on.

Testing methodology (Contd.)
Evaluate the Test Results
The objective of evaluating test results is to conclude whether the controls are operating effectively to support the
financial statement assertions. For example, consider the review and sign-off of a reconciliation of a subsidiary ledger
for sales to the general ledger. Management must conclude, on the basis of the testing performed, whether the
control effectively supports the completeness assertion. Other controls in the sales process would be tested to
ensure that all sales transactions have been posted in the subsidiary ledger to support further the completeness
assertion. And, still other controls would be tested to support the other relevant assertions such as valuation,
existence, rights and obligations, and presentation and disclosure.

When evaluating the results and related evidence of specific tests, the following questions may be useful for
consideration:
• What risk is the control intended to mitigate?
• Were exceptions found?
• Were exceptions resolved?
• Is there a process for correcting recurring exceptions?

In general, controls are tested on an accept/reject basis (i.e., a control is either working reliably or it is not). If the
control is deemed deficient, Company X Management will assess whether other controls help to mitigate the risk,
and the impact/significance of the deficiency.

Standards on Auditing (Contd.)

SA 700 – Forming an opinion and reporting on financial statements


• Title – “independent” auditor's report
• Addressee – those for whom the report is prepared
• Introductory paragraph – title of each statement, date/period covered

• Management's Responsibility – The Board of Directors is responsible for the matters stated in Section 134(5) of the
Companies Act, 2013 (Act) with respect to the preparation of financial statements that give a true and fair view of the
financial position of the company in accordance with the accounting principles generally accepted in India,
including the Accounting Standards specified under Sec 133 of the Act, read with Rule 7 of the Companies
(Accounts) Rules 2014.

• Auditor's Responsibility – express an opinion on the financial statements taking into account the provisions of the Act,
relevant Rules, and Standards on Auditing specified u/s 143(10) of the Act, and obtain reasonable assurance about
whether the financial statements (FS) are free from material misstatement.
• An audit involves:
a) Performing procedures to obtain audit evidence about amounts and disclosures in FS based on the
auditor's judgement and the company's internal control.
b) Evaluating the appropriateness of accounting policies, the reasonableness of management's accounting
estimates and the overall presentation of FS.

Standards on Auditing (Contd.)

SA 700 – Forming an opinion and reporting on financial statements

• Opinion – “In our opinion and to the best of our information and according to the explanations given to us, the
aforesaid standalone financial statements give the information required by the Act in the manner so required and
give a true and fair view in conformity with the accounting principles generally accepted in India, of the state of
affairs of the company as at 31st March, 20XX, and its cash flows for the year ended on that date”.

• Report on other legal and regulatory requirements – As required by the Companies (Auditor’s Report) Order,
2015 issued by the Central Government in terms of Sec 143 (11) of the Act and as required by section 143(3) of
the Act.

• Signature – For XYZ & Co, Chartered Accountants (Firm’s Registration No.) Signature (xxx.xxx), (Designation)
(Membership No. XXXXX)

• Place & Date – Place of Signature and Date

Standards on Auditing (Contd.)
SA 705 – Modifications to the opinion in the independent auditor's report
If sufficient appropriate audit evidence is not obtained, then the auditor is unable to conclude whether the Financial
Statements as a whole are free from material misstatement.

| Evidence | Misstatements | Opinion |
| Obtained or not | Material but not pervasive | Qualified |
| Obtained | Material and pervasive | Adverse |
| Not obtained | Material and pervasive | Disclaimer |
| Even though Obtained | Uncertain | Disclaimer |

• The report shall contain all elements as per SA 700 + a Basis for modification para (describing the matter of
modification) placed just above the opinion para.
• Modifications and their wordings should be communicated to those charged with Governance (TCWG).

Whether misstatements/possible misstatements are pervasive depends on the following:

1) Whether they are not confined to specific components, accounts or items.
2) If so confined, whether they represent a substantial portion.
3) Where pertaining to disclosures, whether they are fundamental to the user's understanding of the Financial Statements (FS).

Standards on Auditing (Contd.)
• Pervasive has been defined as follows: A term used, in the context of misstatements, to describe the effects
on the financial statements of misstatements or the possible effects on the financial statements of
misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate audit evidence.
Pervasive effects on the financial statements are those that, in the auditor’s judgment:
• A pervasive misstatement does not automatically mean that it is material as well. The same goes for a material
misstatement, which is not always pervasive.
• However, usually a pervasive misstatement may amount to a material misstatement as well. For example, cash
embezzlement by a cashier is discovered. This fraud may be material in nature but it will hardly be pervasive, whereas if
the same embezzlement is discovered in relation to key personnel in the management then it is bound to have a
pervasive effect, as many other assertions might also be misstated. The auditor has to consider both characteristics of
the misstatements in order to correctly understand the implications of misstatements on the financial statements
and the auditor’s report. That is why the auditor always evaluates whether uncorrected, undetected misstatements are:
• material and pervasive, in which case the auditor will give an adverse opinion or a disclaimer of opinion according to the
circumstances, or
• just material but not pervasive, in which case the auditor will express a qualified opinion.
It is the auditor who determines, using professional judgement, whether or not misstatements are both material and
pervasive.

Standards on Auditing (Contd.)
• If a scope limitation imposed by management after the engagement is accepted may result in a qualified opinion or
disclaimer, and management does not remove the scope limitation even after a request made by the auditor, then the
auditor can consider alternative procedures or can communicate with TCWG. If sufficient appropriate audit
evidence is not obtained and the auditor concludes the effect of undetected misstatements is:

1) Material but not pervasive, then he shall qualify.
2) Material and pervasive, then he shall resign if allowed, else give a disclaimer.

• When expressing an adverse opinion or disclaiming an opinion on FS as a whole, the auditor CANNOT also express an
unmodified opinion on one or more specific elements, accounts or items in FS with respect to the same financial
reporting framework.

• The effect of the misstatement should be described and quantified in the audit report and, if that is not possible, explain how
disclosures are misstated and state the reason why sufficient appropriate audit evidence was unavailable.

• In case of non-disclosure, the auditor shall discuss with TCWG and describe the omitted information.

• Where an adverse opinion or disclaimer of opinion is expressed, but there are other matters that would have required
modification, state the reasons and effects of such other matters in the basis of modification para.

Standards on Auditing (Contd.)
| Type of Opinion | Example of Opinion | Auditor's Responsibility Para |
| Qualified due to material misstatement | In our opinion, except for effect of matters in basis of qualified opinion para, FS…........... | Audit Evidence is sufficient and appropriate to provide basis for modified audit opinion |
| Qualified as sufficient appropriate audit evidence (SAAE) not obtained | …………except for the possible effects of matter…. | Same as above |
| Adverse | Because of significance of matter ……. | Same as above |
| Disclaimer | Because of significance of matter ……auditor has not been able to obtain SAAE to provide basis and does not express opinion…. | Because of matter described in basis for disclaimer of opinion para, however, we were not able to obtain SAAE to provide basis for an audit opinion. |

Standards on Auditing (Contd.)

SA 706 – EOM para and OM para in independent auditor's report

| Emphasis of Matter | Other Matter |
| Draw user's attention to matters presented/disclosed in FS that are fundamental to user's understanding of FS | Draw user's attention to matters NOT presented/disclosed in FS that are fundamental to user's understanding of audit, auditor's responsibilities or auditor's report. |
| Obtain SAAE that matter is not materially misstated | |
| Placed AFTER opinion para | Placed AFTER opinion and EOM para, but may also be placed in Other Reporting Responsibilities section if its contents relate to such responsibilities. |
| Reference to where matter emphasized can be found in FS should be given | |
| Indicate that auditor's opinion is NOT MODIFIED in respect of matter emphasized | |

Illustrations of Audit Report

Example of separate unmodified audit report for an audit of
internal financial controls over financial reporting in the case
of standalone financial statements.

Important Illustrations of Audit Report
ANNEXURE TO THE INDEPENDENT AUDITOR’S REPORT OF EVEN DATE ON THE STANDALONE FINANCIAL
STATEMENTS OF ABC COMPANY LIMITED

Report on the Internal Financial Controls under Clause (i) of Sub-section 3 of Section 143 of the Companies Act,
2013 (“the Act”)

I / We have audited the internal financial controls over financial reporting of ABC Company Limited (“the Company”) as of
March 31, 20X1 in conjunction with my / our audit of the standalone financial statements of the Company for the year
ended on that date.

Management’s Responsibility for Internal Financial Controls


The Company’s management is responsible for establishing and maintaining internal financial controls based on _______ [for
example, “the internal control over financial reporting criteria established by the Company considering the essential
components of internal control stated in the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
issued by the Institute of Chartered Accountants of India”.] These responsibilities include the design, implementation and
maintenance of adequate internal financial controls that were operating effectively for ensuring the orderly and efficient
conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and
detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of
reliable financial information, as required under the Companies Act, 2013.

Auditors’ Responsibility
My / Our responsibility is to express an opinion on the Company's internal financial controls over financial reporting based on
my / our audit. I / We conducted my / our audit in accordance with the Guidance Note on Audit of Internal Financial Controls
Over Financial Reporting (the “Guidance Note”) and the Standards on Auditing, issued by ICAI and deemed to be prescribed
under section 143(10) of the Companies Act, 2013, to the extent applicable to an audit of internal financial controls, both
applicable to an audit of Internal Financial Controls and, both issued by the Institute of Chartered Accountants of India. Those
Standards and the Guidance Note require that I / we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance
about whether adequate internal financial controls over financial reporting was established and maintained and if such
controls operated effectively in all material respects.

My / Our audit involves performing procedures to obtain audit evidence about the adequacy of the internal financial controls
system over financial reporting and their operating effectiveness. My / Our audit of internal financial controls over financial
reporting included obtaining an understanding of internal financial controls over financial reporting, assessing the risk that a
material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the
assessed risk. The procedures selected depend on the auditor’s judgement, including the assessment of the risks of material
misstatement of the financial statements, whether due to fraud or error.

I / We believe that the audit evidence I/we have obtained is sufficient and appropriate to provide a basis for my /our audit
opinion on the Company’s internal financial controls system over financial reporting.

Meaning of Internal Financial Controls Over Financial Reporting

A company's internal financial control over financial reporting is a process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies
and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the
transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in accordance with authorisations of management and
directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Important Illustrations of Audit Report (Contd.)
Inherent Limitations of Internal Financial Controls Over Financial Reporting
Because of the inherent limitations of internal financial controls over financial reporting, including the possibility of collusion
or improper management override of controls, material misstatements due to error or fraud may occur and not be detected.
Also, projections of any evaluation of the internal financial controls over financial reporting to future periods are subject to
the risk that the internal financial control over financial reporting may become inadequate because of changes in conditions,
or that the degree of compliance with the policies or procedures may deteriorate.
Opinion
In my / our opinion, the Company has, in all material respects, an adequate internal financial controls system over financial
reporting and such internal financial controls over financial reporting were operating effectively as at March 31, 20X1, based
on __________ [for example, “the internal control over financial reporting criteria established by the Company considering
the essential components of internal control stated in the Guidance Note on Audit of Internal Financial Controls Over
Financial Reporting issued by the Institute of Chartered Accountants of India”].

For XYZ & ASSOCIATES Chartered Accountants


(Firm‘s Registration No.)

Signature (Name of the Member Signing the Audit Report)


(Designation)
(Membership No. XXXXX)
Place:
Date:
Example of separate modified (qualified / adverse) audit
report for an audit of internal financial controls over financial
reporting and not impacting the audit opinion on the
standalone financial statements of the company

Important Illustrations of Audit Report
ANNEXURE TO THE INDEPENDENT AUDITOR’S REPORT OF EVEN DATE ON THE STANDALONE FINANCIAL
STATEMENTS OF ABC COMPANY LIMITED

Report on the Internal Financial Controls under Clause (i) of Sub-section 3 of Section 143 of the Companies Act,
2013 (“the Act”)

I / We have audited the internal financial controls over financial reporting of ABC Company Limited (“the Company”) as of
March 31, 20X1 in conjunction with my / our audit of the standalone financial statements of the Company for the year
ended on that date.

Management’s Responsibility for Internal Financial Controls


The Company’s management is responsible for establishing and maintaining internal financial controls based on _______ [for
example, “the internal control over financial reporting criteria established by the Company considering the essential
components of internal control stated in the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
issued by the Institute of Chartered Accountants of India”.] These responsibilities include the design, implementation and
maintenance of adequate internal financial controls that were operating effectively for ensuring the orderly and efficient
conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and
detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of
reliable financial information, as required under the Companies Act, 2013.

Auditors’ Responsibility
My / Our responsibility is to express an opinion on the Company's internal financial controls over financial reporting based on
my / our audit. I / We conducted my / our audit in accordance with the Guidance Note on Audit of Internal Financial Controls
Over Financial Reporting (the “Guidance Note”) and the Standards on Auditing, issued by ICAI and deemed to be prescribed
under section 143(10) of the Companies Act, 2013, to the extent applicable to an audit of internal financial controls, both
applicable to an audit of Internal Financial Controls and, both issued by the Institute of Chartered Accountants of India. Those
Standards and the Guidance
Important Illustrations of Audit Report
My / Our audit involves performing procedures to obtain audit evidence about the adequacy of the internal financial controls
system over financial reporting and their operating effectiveness. My / Our audit of internal financial controls over financial
reporting included obtaining an understanding of internal financial controls over financial reporting, assessing the risk that a
material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the
assessed risk. The procedures selected depend on the auditor’s judgement, including the assessment of the risks of material
misstatement of the financial statements, whether due to fraud or error.

I / We believe that the audit evidence I / we have obtained is sufficient and appropriate to provide a basis for my / our
qualified / adverse audit opinion on the Company’s internal financial controls system over financial reporting.

Meaning of Internal Financial Controls Over Financial Reporting


A company's internal financial control over financial reporting is a process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies
and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the
transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in accordance with authorisations of management and
directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Inherent Limitations of Internal Financial Controls Over Financial Reporting


Because of the inherent limitations of internal financial controls over financial reporting, including the possibility of collusion
or improper management override of controls, material misstatements due to error or fraud may occur and not be detected.
Also, projections of any evaluation of the internal financial controls over financial reporting to future periods are subject to
the risk that the internal financial control over financial reporting may become inadequate because of changes in conditions,
or that the degree of compliance with the policies or procedures may deteriorate.

Important Illustrations of Audit Report (Contd.)
Opinion
Scenario 1 - Qualified Opinion on adequacy (and therefore operating effectiveness) of Internal Financial Controls
Over Financial Reporting

Qualified opinion
According to the information and explanations given to me / us and based on my / our audit, the following material
weakness/es has / have been identified as at March 31, 20X1:
a) The Company did not have an appropriate internal control system for customer acceptance, credit evaluation and
establishing customer credit limits for sales, which could potentially result in the Company recognising revenue without
establishing reasonable certainty of ultimate collection.
b) [list other deficiencies identified]

A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting,
such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial
statements will not be prevented or detected on a timely basis.

In my / our opinion, except for the effects/possible effects of the material weakness/es described above on the
achievement of the objectives of the control criteria, the Company has maintained, in all material respects, adequate internal
financial controls over financial reporting and such internal financial controls over financial reporting were operating
effectively as of March 31, 20X1, based on [for example “the internal control over financial reporting criteria
established by the Company considering the essential components of internal control stated in the Guidance Note on Audit of
Internal Financial Controls Over Financial Reporting issued by the Institute of Chartered Accountants of India”].

I / We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent
of audit tests applied in my / our audit of the March 31, 20X1 standalone financial statements of the Company, and the / these
material weakness/es does not / do not affect my / our opinion on the standalone financial statements of the Company.

Important Illustrations of Audit Report (Contd.)
Scenario 2 - Adverse Opinion on adequacy (and therefore operating effectiveness) of Internal Financial Controls Over
Financial Reporting
Adverse opinion
According to the information and explanations given to me / us and based on my / our audit, the following material weakness/es has /
have been identified as at March 31, 20X1:
a) The Company did not have an appropriate internal control system for customer acceptance, credit evaluation and establishing
customer credit limits for sales, which could potentially result in the Company recognising revenue without establishing reasonable
certainty of ultimate collection.
b) The Company did not have an appropriate internal control system for inventory with regard to receipts, issue for production and
physical verification. Further, the internal control system for identification and allocation of overheads to inventory was also not
adequate. These could potentially result in material misstatements in the Company’s trade payables, consumption, inventory and
expense account balances.
c) [list other deficiencies identified]
A ‘material weakness’ is a deficiency, or a combination of deficiencies, in internal financial control over financial reporting, such that
there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be
prevented or detected on a timely basis.
In my / our opinion, because of the effects/possible effects of the material weakness/es described above on the achievement of
the objectives of the control criteria, the Company has not maintained adequate internal financial controls over financial reporting and
such internal financial controls over financial reporting were not operating effectively as of March 31, 20X1, based on _______[for
example “the internal control over financial reporting criteria established by the Company considering the essential components of
internal control stated in Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by the Institute of
Chartered Accountants of India”].
I / We have considered the material weakness/es identified and reported above in determining the nature, timing, and extent of audit
tests applied in my / our audit of the March 31, 20X1 standalone financial statements of the Company, and the / these material
weakness/es does not/ do not affect my / our opinion on the financial statements of the Company.

Example of separate modified (disclaimer) audit report for an
audit of internal financial controls over financial reporting with
/ without impact on audit opinion on the standalone financial
statements

Important Illustrations of Audit Report
ANNEXURE TO THE INDEPENDENT AUDITOR’S REPORT OF EVEN DATE ON THE STANDALONE FINANCIAL
STATEMENTS OF ABC COMPANY LIMITED
Report on the Internal Financial Controls under Clause (i) of Sub-section 3 of Section 143 of the Companies Act,
2013 (“the Act”)

I / We were engaged to audit the internal financial controls over financial reporting of ABC Company Limited (“the Company”)
as of March 31, 20X1 in conjunction with my / our audit of the financial statements of the Company for the year ended on
that date.

Management’s Responsibility for Internal Financial Controls


The Company’s management is responsible for establishing and maintaining internal financial controls based on
[……………….for example, “the internal control over financial reporting criteria established by the Company considering the
essential components of internal control stated in the Guidance Note on Audit of Internal Financial Controls Over Financial
Reporting issued by the Institute of Chartered Accountants of India”]. These responsibilities include the design,
implementation and maintenance of adequate internal financial controls that were operating effectively for ensuring the
orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the
prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information, as required under the Companies Act, 2013.

Auditors’ Responsibility
My / Our responsibility is to express an opinion on the Company's internal financial controls over financial reporting based on
my/our audit conducted in accordance with the Guidance Note on Audit of Internal Financial Controls Over Financial
Reporting (the “Guidance Note”) and the Standards on Auditing, to the extent applicable to an audit of internal financial
controls, both issued by the Institute of Chartered Accountants of India.
Because of the matter described in Disclaimer of Opinion paragraph below, I / we was / were not able to obtain sufficient
appropriate audit evidence to provide a basis for an audit opinion on internal financial controls system over financial reporting
of the Company.

Important Illustrations of Audit Report
Meaning of Internal Financial Controls Over Financial Reporting

A company's internal financial control over financial reporting is a process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies
and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the
transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in accordance with authorisations of management and
directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Disclaimer of Opinion
Scenario 1 – Framework for internal financial control over financial reporting not established but does not impact the audit
opinion on financial statements

According to the information and explanation given to us, the Company has not established its internal financial control over
financial reporting on criteria based on or considering the essential components of internal control stated in the Guidance
Note on Audit of Internal Financial Controls Over Financial Reporting issued by the Institute of Chartered Accountants of
India. Because of this reason, we are unable to obtain sufficient appropriate audit evidence to provide a basis for my / our
opinion whether the Company had adequate internal financial controls over financial reporting and whether such internal
financial controls were operating effectively as at March 31, 20X1.

I / We have considered the disclaimer reported above in determining the nature, timing, and extent of audit tests applied in
my / our audit of the standalone financial statements of the Company, and the disclaimer does not affect my / our opinion on
the standalone financial statements of the Company.

Important Illustrations of Audit Report
Scenario 2 – Auditor unable to obtain sufficient appropriate audit evidence on internal financial controls over financial
reporting but does not impact audit opinion on the financial statements

The system of internal financial controls over financial reporting with regard to one of the significant branches of the
Company at _________ were not made available to me / us to enable me / us to determine if the Company has established
adequate internal financial control over financial reporting at the aforesaid branch and whether such internal financial
controls were operating effectively as at March 31, 20X1.

I / We have considered the disclaimer reported above in determining the nature, timing, and extent of audit tests applied in
my / our audit of the financial statements of the Company, and the disclaimer does not affect my / our opinion on the
financial statements of the Company.

Scenario 3 – Auditor unable to obtain sufficient appropriate audit evidence on internal financial controls over financial
reporting and impacting audit opinion on the financial statements

The system of internal financial controls over financial reporting with regard to the Company were not made available to me /
us to enable me / us to determine if the Company has established adequate internal financial control over financial reporting
and whether such internal financial controls were operating effectively as at March 31, 20X1.

I / We have considered the disclaimer reported above in determining the nature, timing, and extent of audit tests applied in
my / our audit of the standalone financial statements of the Company, and the disclaimer has affected my / our opinion on
the financial statements of the standalone Company and I / we have issued a qualified (/ adverse / disclaimer of) opinion on
the financial statements.

Example of unmodified audit report for an audit of internal
financial controls over financial reporting in the case of
consolidated financial statements.

ANNEXURE TO THE INDEPENDENT AUDITOR’S REPORT OF EVEN DATE ON THE CONSOLIDATED FINANCIAL
STATEMENTS OF ABC COMPANY LIMITED
Report on the Internal Financial Controls under Clause (i) of Sub-section 3 of Section 143 of the Companies Act,
2013 (“the Act”)

In conjunction with my / our audit of the consolidated financial statements of the Company as of and for the year ended March 31, 20X1,
I / We have audited the internal financial controls over financial reporting of ABC Company Limited (hereinafter referred to as “the
Holding Company”) and its subsidiary companies, its associate companies and jointly controlled companies, which are companies
incorporated in India, as of that date.

Management’s Responsibility for Internal Financial Controls


The respective Board of Directors of the Holding company, its subsidiary companies, its associate companies and jointly controlled
companies, which are companies incorporated in India, are responsible for establishing and maintaining internal financial controls based
on __________[for example, “the internal control over financial reporting criteria established by the Company considering the essential
components of internal control stated in the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by the
Institute of Chartered Accountants of India (ICAI)”.] These responsibilities include the design, implementation and maintenance of
adequate internal financial controls that were operating effectively for ensuring the orderly and efficient conduct of its business,
including adherence to the respective company’s policies, the safeguarding of its assets, the prevention and detection of frauds and
errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information, as required
under the Companies Act, 2013.

Auditor’s Responsibility
My / Our responsibility is to express an opinion on the Company's internal financial controls over financial reporting based on my / our
audit. I / We conducted my / our audit in accordance with the Guidance Note on Audit of Internal Financial Controls Over Financial
Reporting (the “Guidance Note”) issued by the ICAI and the Standards on Auditing, issued by ICAI and deemed to be prescribed under
section 143(10) of the Companies Act, 2013, to the extent applicable to an audit of internal financial controls, both issued by the Institute
of Chartered Accountants of India. Those Standards and the Guidance Note require that I/we comply with ethical requirements
and plan and perform the audit to obtain reasonable assurance about whether adequate internal financial controls over financial
reporting was established and maintained and if such controls operated effectively in all material respects.

My / Our audit involves performing procedures to obtain audit evidence about the adequacy of the internal financial controls
system over financial reporting and their operating effectiveness. My / Our audit of internal financial controls over financial
reporting included obtaining an understanding of internal financial controls over financial reporting, assessing the risk that a
material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the
assessed risk. The procedures selected depend on the auditor’s judgement, including the assessment of the risks of material
misstatement of the financial statements, whether due to fraud or error.

I / We believe that the audit evidence I / we have obtained and the audit evidence obtained by the other auditors in terms of
their reports referred to in the Other Matters paragraph below, is sufficient and appropriate to provide a basis for my / our
audit opinion on the Company’s internal financial controls system over financial reporting.

Meaning of Internal Financial Controls Over Financial Reporting


A company's internal financial control over financial reporting is a process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles. A company's internal financial control over financial reporting includes those policies
and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the
transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in accordance with authorisations of management and
directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorised
acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Inherent Limitations of Internal Financial Controls Over Financial Reporting


Because of the inherent limitations of internal financial controls over financial reporting, including the possibility of collusion
or improper management override of controls, material misstatements due to error or fraud may occur and not be detected.
Also, projections of any evaluation of the internal financial controls over financial reporting to future periods are subject to
the risk that the internal financial control over financial reporting may become inadequate because of changes in conditions,
or that the degree of compliance with the policies or procedures may deteriorate.
Opinion
In my / our opinion, the Holding Company, its subsidiary companies, its associate companies and jointly controlled
companies, which are companies incorporated in India, have, in all material respects, an adequate internal financial controls
system over financial reporting and such internal financial controls over financial reporting were operating effectively as at
March 31, 20X1, based on [for example, “the internal control over financial reporting criteria established by
the Company considering the essential components of internal control stated in the Guidance Note on Audit of Internal
Financial Controls Over Financial Reporting issued by the Institute of Chartered Accountants of India”].

Other Matters
Our aforesaid reports under Section 143(3)(i) of the Act on the adequacy and operating effectiveness of the internal financial
controls over financial reporting insofar as it relates to __ (number) subsidiary companies, __ (number) associate
companies and __ (number) jointly controlled companies, which are companies incorporated in India, is based on the
corresponding reports of the auditors of such companies incorporated in India.

For XYZ & ASSOCIATES Chartered Accountants


(Firm’s Registration No.)

Signature (Name of the Member Signing the Audit Report)


(Designation)
(Membership No. XXXXX)
Place:
Date:

Common Mistakes in Audit Report

| Auditor’s Comment | Requirements |
| --- | --- |
| Auditor has signed the Auditor’s report prior to the date when the financial statements were signed and authenticated by the director of the company. | SA 700 (Para 26): Since the Auditor’s responsibility is to report on the Financial Statements as prepared and presented by the management, the auditor should not date the report earlier than the date on which the Financial Statements are signed or approved by management. |
| Auditor has mentioned his membership number with “F” prefixed in the Auditor’s Report. | SA 700 (Para 28): Neither does the Institute allot Membership Numbers to its members with any prefix like “F” or “A”, nor does SA 700 permit the use of such prefixes with the membership number in the Auditor’s Report. |
| Opening paragraph of the Auditor’s Report states to have “examined the attached Balance Sheet…” | The term ‘examined’ signifies a wider function than the actual responsibility of the auditor. The auditor should have used the word ‘audited’ rather than the word ‘examined’ to reflect his correct responsibility. |
| In the Auditor’s Report no reference was made to the Cash Flow Statement in the opening paragraph and the opinion paragraph. | SA 700 (Para 9): The auditor’s report should identify the cash flow statement as a part of the financial statements and, further, also express an opinion on the cash flow statement audited. |
| Noted that, although the auditors have qualified their report with regard to noncompliance of certain accounting standards, they have omitted to report the quantification of the possible effect either individually or in aggregate. | With regard to SA 700, it is viewed that while expressing opinions other than unqualified, the auditor should report the reasons for such opinion and should also report the quantitative impact of each on the financial statements, individually as well as in aggregate. Where it is not practicable to quantify the same, the auditor must quantify the same based on estimates provided by the management. |
| In the opinion para, it was mentioned that “In the case of the Profit and Loss Account, of the loss for the year ended on that date”. | However, there was profit in the current year, so the reference to loss is incorrect. |
| “We have audited the attached balance sheet of X Ltd. as at 31st March, XXXX and profit & Loss Account for the year ended on that date annexed thereto. The financial statements are the responsibility of the company’s management.” | Paragraph 10 of SA 700 requires the auditor to state the responsibility of management towards the financial statements along with their own responsibility to express an opinion on the financial statements based on audit. The latter has been omitted here. |
| The auditor had expressed opinion on the Balance Sheet, the Profit and Loss Account as well as on the accounts of the company ‘subject to a note’ stating change in an accounting policy of depreciation method. | “Subject to” is improper although the company had made sufficient disclosure of the change in accounting policy. It was felt that perhaps the auditors were not in agreement with the management on the change in depreciation method. In that case, the ‘subject matter of qualification’ is ambiguous. |
| Auditors often omit to state whether the statements prepared are in conformity with the financial reporting framework and statutory requirements relevant to the company. | SA 700 (Para 20): The opinion paragraph of the auditor’s report should clearly indicate the financial reporting framework used to prepare the FS and state the auditor’s opinion as to whether the FS give a true and fair view in accordance with the financial reporting framework and, where appropriate, whether the FS comply with the statutory requirements. |
| Report was not addressed to anyone. | SA 700 (Para 8): The auditor’s report should be appropriately addressed as required by the circumstances of engagement and applicable laws and regulations. Ordinarily the auditor’s report is addressed to the authority appointing the auditor [Under CA 2013, audit report on CFS will be addressed to Members, earlier it was addressed to Board of Directors] |
| Membership no. of auditor was not mentioned in Audit Report, CARO, Balance Sheet, Statement of Profit and Loss. | SA 700 (Para 28): The partner/proprietor signing the audit report should also mention the membership number assigned by the ICAI. Also required on BS and P&L. Firm Registration No. is also required to be given as per ICAI |

Confidentiality Statement and Restriction for Use
This document contains confidential material proprietary to Protiviti India, a Member Firm of Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.
Thank You

Murtuza Onali Kachwala

Managing Director

9833015334
murtuza.kachwala1@protivitiglobal.in

Case Study

Procurement
Quick Overview
Key challenges of Telecom Operators

| Challenge | Solution |
| --- | --- |
| Reduce cost of providing services to the customers: Telcos need to dramatically reduce the cost of bringing services to customers; investments in next-generation Operation Support System (OSS) / Business Support System (BSS) are massive. A wrong decision on technology, implementation and its integration with other systems can prove expensive. | Procurement of right technology and material at the right time from the right source at the right price. |
| Rationalize supply side: Telcos need to reduce the number of suppliers used to build their service offerings. This includes the network and the BSS/OSS needed to turn the network into a service platform. | Strategic Vendors and Contract Management |
| Automation: Automation, customization and integration of service platforms, acceleration of product life cycles and portal access to service activation, monitoring and billing are critical to remain competitive. All automations may not be feasible to manage in-house due to resource and skill limitations. | Outsourcing of services |

• Thus, the procurement function plays an important role in meeting current challenges.
• Failure to carry out the procurement function effectively and efficiently can have adverse cost and revenue implications.

Procurement Department’s Objectives

• Serving the internal customers effectively by procuring:
  - Right material / services;
  - Of optimum quality standards;
  - From right vendors;
  - At right price; and
  - At right time.
• Keeping multiple vendor base for key items to avoid vendor dependencies
• Specific procurement strategies to ensure cost effective procurement and procurement within budget

…thereby maximizing shareholders’ value by playing an effective role in vendor identification, selection, contracting, item master management, procurement decision making, vendor performance monitoring, etc.

Procurement Objectives

Support Business Requirements both strategic and operational:
• Planning for future requirements of materials and services
• Engagements for existing and new vendors to meet planned demand
• Entering into strategic vendor contracts for mission critical operations with adequate Service Level Agreements without compromising organization’s interests
• Implementation of appropriate policies, processes and procedures backed by technology to keep the operations effective and efficient

Manage the procurement process and supply base effectively and efficiently:
• Evaluation and selection of the existing vendors
• Vendor development
• Review the specification of the requirements of organization
• Exploring alternative material, services to meet the organization’s requirements
• Determining method of awarding contract
• Improvement and development of non-competitive existing vendors
• Manage internal operations with appropriate policies, process, procedures, technology, staff and training
Procurement Objectives (continued)

Develop strong relationship with other functional groups:
• With Marketing – for product development and in turn, vendor development
• With Operations and Sales – for ensuring timely delivery of desired input material, technology and services
• With Logistics – to ensure that delivery takes place at desired time to the desired internal customer
• With Finance & Accounts – to ensure that timely payment is made as well as penalty is charged and recovered in case of Vendor deviation from the agreed SLA
• With Legal – to ensure that all non-standardized Purchase Orders and Contracts are drafted to safeguard organization’s interests.

Procurement – Internal and External Interaction

[Figure: the Procurement Function and its interactions. Within the organization: Network Operations, Engineering, Information Technology (OSS / BSS), Marketing, Sales, Legal Function, Finance & Accounting Function, and Warehousing & Logistics. Vendors: Strategic Vendors (strategic outsourcing, OSS/BSS, technology), Material Vendors and Services Vendors. Interaction purposes noted on the figure: an early insight into future requirement of material & technology; assessing vendor capability, quality, cost, delivery cycle and service levels; insights into demand and supply forecast; insight into new product idea.]

Efficiency and Effectiveness Indicators

Key Performance Indicators (KPIs):
• Process developed to set, monitor and review KPIs in Procurement Operations.
• Few Procurement KPIs:
  - Turnaround Time (TAT) from requisitioning to PO preparation
  - TAT for delivery schedule compliance
  - Unadjusted advances pending beyond predetermined timeframe
  - Orders placed vs. delivery rejected

Internal/External Audit Reports and Management Observations on the departmental functions:
• Existence of proactive auditing and management action plan and timely resolution of the issue.
• Few good indicators are:
  - Timely implementation of audit findings
  - Priority for resolving high risk issues on a regular basis
  - Satisfactory rating of all procurement processes
  - Conduct periodic self assessments
  - No 'qualifications' by external auditors on the customer care process
  - Positive comments in the audit reports

Risk & Control – Procurement
Workshop Precursor

© 2012 Protiviti Member Firm (Middle East Region)


Illustrative Risks Associated with Procurement’s objectives

Procurement Process:
• Conflict of interest in ‘procurement process’
• Excess Procurement
• Short Procurement
• Lack of mechanism to assess quality
• Orders placed although adequate inventory exists
• Excess Payment
• Unadjusted advances

Vendor Management:
• Vendors incapable of delivering right quantity of right quality, at right price at right time
• Non availability of vendors for future requirements
• Selection of blacklisted vendors

Vendor Monitoring:
• Continuation of sub-standard vendor performance
• Non review of compliance to strategic contracts due to inability to review / audit / qualified staff
• Absence of MIS and review mechanism
• Absence of SLAs for Vendor performance

Legal Management:
• Non standardized contracts signed with vendors without review by Legal department
• Clauses in contracts with vendors compromising organization’s interest
