Section 134 (3) of the Companies Act 2013 says board reports shall include a Director's Responsibility Statement. In the case of listed companies, among other things, the statement indicates that directors had laid down internal financial controls and these are adequate and were operating effectively. Section 177 of the Act stipulates that the terms of reference of the audit committee shall include "evaluation of internal financial controls and risk management system".
The Act uses the term internal financial controls in the same sense as internal control. Section 134 (3) states that internal financial controls are policies and procedures that ensure the orderly and efficient conduct of business. Orderly and efficient conduct implies that the business is conducted to achieve the firm's strategic, operational and other objectives over a long period and that its exposure to risks is within the acceptable limit decided by the board.
Section 143 of the Act requires the statutory auditor to specifically report whether the controls system is adequate and operating effectively. The guidance note issued by the Institute of Chartered Accountants of India advises auditors to report on "internal financial controls with reference to financial statements." The Companies (Amendment) Bill, 2016, proposes substitution of the words "internal financial controls system" with "internal financial controls with reference to financial statements".
Clause 17 (8) of the Sebi (Listing Agreement and Disclosure Requirements) Regulations 2015 requires that the chief executive officer and the chief financial officer shall submit a certificate to the board of directors that they accept responsibility for establishing and maintaining internal controls for financial reporting and that they have evaluated the effectiveness of the system.
"Internal financial controls over financial reporting" refers to a process designed to provide reasonable assurance regarding the reliability of financial reporting. It includes those policies and procedures that give assurance that the transactions are recorded appropriately, receipts and expenditures are made with proper authorisations, and prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.
It is quite clear that the responsibility of the board and the audit committee is to establish, maintain and operate effectively an internal control system, while the responsibility of the statutory auditors is limited to evaluating the effectiveness of the control system necessary to ensure reliability of financial reporting. Therefore, a clean report from the statutory auditor does not give the board the comfort that internal control, which cuts across the organisation, is well designed and operating effectively. The audit committee should establish a robust monitoring system to evaluate internal control.
Ideally, internal audit is used as the third line of defence. The second line includes the risk control and compliance oversight functions, and the first line of defence is management control. The audit committee should have an intensive engagement with the internal auditor. It should ensure that the scope of the internal audit is not limited to monitoring internal control pertaining to financial reporting. For example, with limited scope, the internal audit cannot provide a reasonable assurance that the risk identification and evaluation process is adequate and effective, and that strategic risk responses are appropriate and being implemented effectively. Internal audit should be allowed to conduct management audit, which involves a review of higher-level decisions, and operations audit. It is also the responsibility of the audit committee to protect audit independence. This is challenging, particularly if the internal auditor functionally reports to the CEO/CFO. Ideally, the internal auditor should report to the chairman of the audit committee. If the audit committee fails to adopt best internal audit practices, it is likely to fail in fulfilling its responsibility pertaining to internal control.
Although the law has made the audit committee primarily responsible for establishing and operating internal control, the board is not absolved from its responsibility. It is the responsibility of the board to ensure that the audit committee is constituted properly and that it has established a robust mechanism to ensure adequacy and effectiveness of the internal control system.
If it is found that the company is hurt because of weak internal control and that the board has failed to establish and maintain internal control and risk management systems, directors might be accused of not applying due diligence in performing duties.
The writer is chairman, Riverside Management Academy Private Limited, and professor and head, School of Corporate Governance and Public Policy, Indian Institute of Corporate Affairs
asish.bhattacharyya@gmail.com