Internal financial controls are a system consisting of specific policies and procedures designed to provide management with reasonable assurance that the goals and objectives it believes important to the entity will be met. “Internal Control System” means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
- To state whether a set of financial statements presents a true and fair view, it is essential to benchmark and check the financial statements for compliance with the financial reporting framework. The Accounting Standards specified under the Companies Act, 1956 (which are deemed to be applicable as per Section 133 of the Companies Act, 2013 read with Rule 7 of Companies (Accounts) Rules, 2014) is one of the criteria constituting the financial reporting framework on which companies prepare and present their financial statements under the Act and against which the auditors evaluate if the financial statements present a true and fair view of the state of affairs and the results of operations of the company in an audit of the financial statements carried out under the Act.
- Meaning of internal financial controls under the Act
The explanation provided in clause (e) of Sub-section 5 of Section 134, inter alia, states that the internal financial controls system includes policies and procedures for ensuring efficiency and effectiveness of business and ensuring accuracy of accounting records.
- Standard on Auditing 315 “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment” defines Internal Control as follows: “The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”
- Similarly, a benchmark system of internal control, based on suitable criteria, is essential to enable the management and auditors to assess and state adequacy and compliance of the system of internal control.
- Internal control is a process/set of processes designed to facilitate and support the achievement of business objectives. Any system of internal control is based on a consideration of significant risks in operations, compliance and financial reporting. Objectives such as improving business effectiveness are included, as are compliance and reporting objectives.
- The fundamental therefore is that effective internal control is a process affected by people that supports the organization in several ways, enabling it to provide reasonable assurance regarding risk and to assist in the achievement of objectives.
- Fundamental to a system of internal control is that it is integral to the activities of the company, and not something practiced in isolation.
- An internal control system:
- Facilitates the effectiveness and efficiency of operations.
- Helps ensure the reliability of internal and external financial reporting.
- Assists compliance with laws and regulations.
- Helps safeguarding the assets of the entity.
- Internal financial controls system needs to be dynamic to address the changes in entity’s operating environment, including:
- Business developments, including changes in information technology and business processes, changes in key management, and acquisitions, mergers and divestments.
- Legal and regulatory developments such as changes in industry regulations and new regulatory reporting requirements.
- Changes in the financial reporting framework, such as changes in accounting standards.
- It may be noted that Clause (n) of Sub-section 3 of Section 134 of the Act requires the board report to include a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the board may threaten the existence of the company. The existence of an appropriate system of internal financial control does not by itself provide an assurance to the board of directors that the company has developed and implemented an appropriate risk management policy.
- The control environment sets the tone of an organization, influencing the control consciousness of its people. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.
- Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. There is little point in assessing the implementation of a control that is not effective, and so the design of a control is considered first. An improperly designed control may represent a material weakness or significant deficiency in the entity’s internal control.
- An entity’s system of internal control contains manual elements and often contains automated elements. The use of manual or automated elements in internal control also affects the manner in which transactions are initiated, recorded, processed, and reported. An entity’s mix of manual and automated elements in internal control varies with the nature and complexity of the entity’s use of information technology. Manual elements in internal control may be more suitable where judgment and discretion are required such as for the following circumstances:
- Large, unusual or non-recurring transactions.
- Circumstances where errors are difficult to define or anticipate or predict.
- In changing circumstances that require a control response outside the scope of an existing automated control.
- In monitoring the effectiveness of automated controls
- The extent and nature of the risks to internal control vary depending on the nature and characteristics of the entity’s information system. The entity responds to the risks arising from the use of IT or from use of manual elements in internal control by establishing effective controls in light of the characteristics of the entity’s information system.
Limitations of internal control system
- Internal control, no matter how effective, can provide an entity with only reasonable assurance and not absolute assurance about achieving the entity’s operational, financial reporting and compliance objectives. Internal control systems are subject to certain inherent limitations, such as:
- Management’s consideration that the cost of an internal control does not exceed the expected benefits to be derived.
- The fact that most internal controls do not tend to be directed at transactions of unusual nature. The potential for human error, such as, due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions.
- The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity.
- The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
- Manipulations by management with respect to transactions or estimates and judgements required in the preparation of financial statements.
- In general, a system of internal control to be considered adequate should include the following five components:
- Control environment
- Risk assessment
- Control activities
- Information system and communication
Responsibility of Management
- It may be noted that the management has the primary responsibility for the design, implementation and maintenance of internal control relevant to the preparation and presentation of the financial statements that give a true and fair view and are free from material misstatement, whether due to fraud or error. Consequently, the responsibility of designing, implementing and maintaining appropriate internal financial controls also rests with the management. It may also be noted that Clause (vii) of Sub-section 4 of Section 177 of the Act states that every audit committee shall act in accordance with the terms of reference specified in writing by the board which shall, inter alia, include, “evaluation of internal financial controls and risk management systems”.
- In addition, Rule 8(5)viii) of the Companies (Accounts) Rules, 2014 requires the board report of all companies to state the details in respect of adequacy of internal financial controls with reference to the financial statements. Consequently, even if a specific statement of responsibility of the directors over internal financial controls is not made in the board’s report to the members of unlisted companies, ensuring adequacy and operating effectiveness of the internal financial controls system still remains with the management and the persons charged with governance in the company.