• Column: Fix internal financial control issues fast

India’s Companies Act, 2013, sets new standards of corporate governance for the entire world. Out of 470 sections and 29 chapters, 282 sections are already in force and final Rules on 19 chapters have been made effective from April 1, 2014.

While the prompt implementation of the new requirements reinforces the commitment to enforce the new legislation, at the same time it is also too aspirational in expecting Indian companies to adopt the sea of changes with little time or no time to plan and prepare. There are implementation challenges, including the interpretational issues and confusion arising from the requirements relating to Internal Financial Controls—one such requirement being the expected compliance during the financial year beginning April 1, 2014.

Section 134(5)(e) defines ‘internal financial controls’ to include any control which helps in ‘ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information’. The directors in the Board report need to state if they have laid down internal financial controls to be followed and whether there are proper systems to ensure compliance with the provisions of all applicable laws and, if such controls and systems are adequate and have been operating effectively. Unlike for listed companies, for unlisted companies, the Act 2013 explicitly provides that the requirement is applicable specifically to financial statements. Thus, in the absence of explicit provisions, for listed companies, the requirements, as they read right now, seem to be applicable for all internal controls and not just those related to financial statements and financial reporting.

Further, section 143(3)(i) provides that auditor’s report should state whether the company has adequate internal financial controls system in place and the operating effectiveness of such internal financial controls for the year under audit. It is interesting to note that while the director’s responsibility for at least the unlisted companies is limited to controls related to the financial statements , the auditors’ responsibility as it is worded in the Act 2013 appears to cover the entire spectrum of controls for both, listed and unlisted companies. Also, the definition is just too broad and extends beyond the scope of auditor responsibilities as widely understood and recognized across the globe i.e. specific only to the audit of financial statements. For example, controls over efficient conduct of business will possibly cover all controls and processes in a company and its decision making, and it is neither practical nor warranted for auditors to comment on the same.

Further, the new requirements are effective from 1 April 2014. The process for control evaluation and conclusion as at the year-end requires that controls should be operating effectively for a period of time; generally the last six months, for example, quarterly controls should have operated effectively for at least the last two quarters before they can be apprised for operating effectiveness. This requires companies to adopt and implement the requisite control framework, make necessary changes to processes and have the control documentation in place by the end of second quarter, i.e., latest by September 30, 2014. However, as they stand now, it is believes that Indian companies are far from achieving this milestone and it is likely that there could be several defaulters at year-end. Even if companies wish to ensure a timely compliance, there is no detailed guidance provided by the MCA or the ICAI adding to confusion on the next steps. Further making it effective for all companies irrespective of the size is expected to result in undesirable inefficiencies, as corporates maybe already running short on resources because other requirements of the Act 2013.

Also adding to the perplexity is the existing guidance on internal controls reporting, through Statement on Companies (Auditor’s Report) Order or CARO by the auditors. There are limited assertions already being made on certain internal controls aspects in the CARO report. It is also critical to be clarified that whether the intent of the new requirements is to achieve compliance with the new requirements with the same level of rigor as has been done for CARO reporting in the past or expand the work and procedures involved in compliance and monitoring beyond the existing level.

Considering all the uncertainty of action by Indian companies due to lack of detailed guidance, the government should reconsider these requirements to defer the implementation date and they shall be made effective not earlier than April 1, 2015 to allow the Indian companies sufficient time to establish and maintain necessary internal controls. Also, the requirement for reporting by auditors should be first made applicable only for large listed companies in India.

Furthermore, these requirements should be reconsidered to modify the reporting requirement by auditors to replace the term ‘internal financial controls’ with ‘internal controls over financial reporting’ in that context.

By Yogesh Sharma, Partner, Assurance, Grant Thornton India LLP


The article appeared in the Financial Express. The article can be found here.