Guest Author: Munish Saraogi
Chartered Accountant

Clause (e) of Section 134(5) of the Companies Act, 2013 requires that The Directors' Responsibility Statement referred to in clause (c) of sub-section (3) shall state that—

(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Section 143(3)(i) of the Act requires that auditor should state in his report that:

"Whether the Company has adequate internal financial controls system in place and the operating effectiveness of such controls"

Definition of Internal Control as defined in the Companies Act, 2013

The Companies Act, 2013 has defined internal control in two places. One definition is given under Section 134(5) (e). Another definition is given in Section 134(10) by way of inclusion of Standard on Auditing. Auditing Standards which are now part of the Companies Act, 2013, by virtue of Section 143(10) defines internal control as follows:

Definition as per Section 134(5) of the Companies Act, 2013 Definition as per SA 315
Explanation.--For the purposes of this clause, the term "internal financial controls" means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company's policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information; Internal control – The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term "controls" refers to any aspects of one or more of the components of internal control.

It may be noted that both the definition are not similar at the same time they have vast coverage.

Further, it may be noted that both Management and the Auditor will need to follow both the definition as given in the charging Section 143 i.e. as per Standard on Auditing and also the definition given in Section 134(5). Standards on Auditing are applicable to all the companies and are mandatorily required to be followed.

Distinction between Internal Financial Control and Operating Control

It may be noted that Internal Controls and policies can be applied by the management for various operational activities of the Company.

A question arises whether auditor is required to comment on all the controls of the Company or only those which are related to Financial Controls. A close review of above definitions suggests that only the Financial Controls as required to be reported in SA 315 is the auditor's responsibility for reporting. This is also termed as ''Internal controls relating to financial reporting'.

Management on the other hand may have more controls relating to various operations of the Company viz. Shop Floor management etc. Unless they impact financial reporting they would not come under preview of above section.

Auditors Duty

Auditor while ascertaining the operating and effectiveness of control will have to comply with all the requirements enumerated in SA 315 and document his findings.

Documentation of Auditor should therefore needs to be robust enough to demonstrate that he has looked into the Internal Controls for each assertion and mapped them to various risks in respect of account balances and each class of transaction.

Management's Responsibility

The approach of new Companies Act is of self-governance and in case of non-governance, stringent penalties are provided in the Act. Management should therefore, be cautious to take following steps to ensure that there exist a proper internal control system.

  1. Review existing process and map them with risks & controls and ensure that they are adequate.
  2. Improve the process and controls wherever it is observed that process is slack.
  3. Assess Fraud Risk and built processes around the same so that risk is minimised.
  4. Test Internal controls so formed on regular basis and ensure that processes are working effectively.
  5. In-house team may be assigned this task or a consultant may also be appointed in the first year of implementation.

What are the consequences when auditor concludes that internal controls were not effective?

  1. The Auditor report will include a qualified opinion. Not only merely for internal control, but also under section 143(3)(f) of the Act as non-existence of appropriate internal control can also have adverse affect on the functioning of the Company.
  2. It can be safely concluded that non existence of internal control would imply that existence of Fraud cannot be effectively monitored and the financial statements would lack credibility.
  3. Credit rating agencies will take it negatively also it may affect negotiation power of the entity with borrowers.

Conclusion

The requirement of internal control is now legally mandated. In respect of the listed companies, it is by virtue of Section 134(5) of the Companies Act, 2013. Private limited companies are covered by inclusion of Standard on Auditing, in the Companies Act and reporting requirement by auditors. It is therefore, suggested that all the companies should re-visit the existing internal controls and strengthens them to ensure that whenever they are tested will not fail.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.