
Guide for Internal Control over Financial Reporting (ICFR)

April 16, 2024 | Corporate & Commercial Law

How can Indian companies use internal controls to mitigate risks and ensure accurate financial reporting? How does the ‘FOCUSED’ best practice approach enhance internal control over financial reporting? Read this piece to find out.

The importance of internal control grows over time. Deficiencies in a company's controls give rise to problems in direct and indirect taxes, secretarial matters, labor, and other areas, which ultimately cause inaccurate reporting and usage that, left unchecked, can leave the organization vulnerable to major security incidents.

Evaluating these errors can help identify inaccurate or incomplete information and ensure the accuracy and completeness of the compliance reports. The primary objective of internal controls is to set up key points in a process that allow the organization to monitor progress, maintain the sustainability of execution, and improve it accordingly.

Applicability and Exemption Notification by MCA for Private Companies


The provisions on Internal Control over Financial Reporting under the Companies Act, 2013 apply to:

  • All listed companies,
  • All public companies, and
  • Private companies (subject to some exemption by MCA).

The Ministry of Corporate Affairs (MCA) has exempted the following private companies from Internal Financial Controls (IFCs) reporting:

1. One Person Company (OPC); or
2. Small Company; or
3. Private Company whose turnover as per the last audited financial statement is less than INR 50 Crores and aggregate borrowings from banks or financial institutions at any time during the year are less than INR 25 Crores.

Note: The aforementioned exemption applies only to those private companies that have not failed to submit financial statements or annual returns to the Registrar of Companies.

Types of Control Areas


India is still anticipating comprehensive legal guidelines concerning corporate risk and compliance management. In the past few years, compliance with labor, secretarial, direct and indirect taxation, supply chain, and litigation requirements has gained enormous momentum within the corporate sector.

Labor Compliance: India is a country with a large workforce. One of the major challenges for any company in the corporate sector is compliance with labor laws. As labor law is considered a “specialized field,” failure to follow labor law poses significant legal consequences and risks.

Businesses in India must establish effective contract management with employees and outside parties as per the provisions of the Indian Contract Act to meet the growing need for enterprise risk management and compliance.

A company must adhere to central laws including, but not limited to, the following:

  • The Factories Act 1948
  • The Industrial Disputes Act 1947
  • The Employees’ Provident Funds and Miscellaneous Provisions Act 1952
  • The Employees State Insurance Act 1948
  • The Contract Labor (Regulation & Abolition) Act 1970
  • The Child Labor (Prohibition & Regulation) Act 1986
  • The Payment of Gratuity Act 1972
  • The Maternity Benefit Act 1961
  • The Payment of Bonus Act 1965
  • The Sexual Harassment of Women at Workplace (Prevention, Prohibition & Redressal) Act 2013

In addition to the above-mentioned central laws, there are state-specific laws that businesses must comply with, such as the Shops and Establishments Act and the Professional Tax Act, which apply to particular states.

Secretarial Compliance: Corporate governance is becoming increasingly popular in today's business landscape. Different stakeholders of an entity, including shareholders, investors, customers, and others assess the company's compliance management system before making any decisions. In this scenario, regulatory compliances and potential audits serve as valuable instruments for businesses to guarantee adherence to regulatory obligations.

It also involves independent examination by an expert to verify whether the company has followed applicable rules and regulations or not. The following are certain regulations that need to be given top priority for adherence:

  • The Securities and Exchange Board of India Act 1992,
  • The Reserve Bank of India,
  • The Companies Act, 2013,
  • The Foreign Exchange Management Act, 1999,
  • Securities Contracts (Regulation) Act, 1956,
  • Industry-specific laws and regulations relevant to the company’s sector.

Taxation Compliance: Changing trends are reshaping how tax functions operate, both in day-to-day work and in future-oriented strategic planning. Below are some of the major areas we have noticed while dealing with Direct and Indirect Taxation:

  • Applicability of multiple provisions to a single entity, and reporting on them within the due dates prescribed in numerous forms.
  • Applicability of withholding taxes under section 195 of the Income Tax Act, 1961.
  • Assessments under the Income Tax Act, 1961 on account of issues related to Transfer Pricing Report, Tax Audit Report, Under-reporting of Income, Unexplained Expenditure, and Disallowance of Expenses under section 37, etc.
  • Wrong claims of ITC (Input Tax Credit) are a significant concern and are prone to causing GSTR-3B filing mistakes.
  • Assessments under the Central Goods and Services Tax Act, 2017 on account of issues related to applicability of tax, place of supply, tax rate, Input Tax Credit, etc.

The Tax function has always excelled in tax reporting, but it is crucial to enhance the tax reporting process by integrating advanced automation, streamlined data and processes, enhanced analytical capabilities, knowledgeable tax professionals, and robust internal controls. These enhancements will empower the Tax function to produce high-quality results in a shorter timeframe, thereby enabling a more impactful contribution to the organization's decision-making process.

Supply Chain: Our supply chain is exposed to a range of risks, including concrete external safety hazards like earthquakes, hurricanes, floods, and wars. Certain areas of the globe are also mired in political instability. Operations can also be severely affected by employee fraud, theft, strikes, sabotage, labor shortages, and management and staff incompetence, etc.

Hence, third parties are crucial in the supply chain. But to what extent do you rely on suppliers and customers? While working with major entities may enhance efficiency, it can also result in negative consequences like power imbalances and significant disruptions.

Another important area for management’s attention is Information Technology. The organization's supply chain relies heavily on the quality of its IT infrastructure and data management.

Litigation: Legal issues may seem like a dull and uninspiring aspect of running a business, but they are the foundation upon which the success of the organization is built. Careful deliberation on these issues, such as contracts, can determine whether your business objectives are successfully met or not. Contracts not only offer clarity and structure for your business transactions, but they also establish limits and expectations that can avert future misunderstandings or conflicts. They serve to guarantee that both parties are in agreement and that the interests of all parties involved are safeguarded.

Standards and Guidelines for Managing Processes in Risk and Compliance


India does not have specific standards or guidelines for risk and compliance processes. However, these have been outlined in various laws and regulations. The fundamental principles for managing risk and compliance processes are:

  • Reporting: The Board receives reports from management that encompass the various aspects necessary for a comprehensive evaluation of the significant risks and the efficacy of the internal control system in managing those risks. Any notable failures or deficiencies in control should be thoroughly explained in these reports, along with the potential or actual impact on the company's operations and the necessary steps to address them.
  • Roles and Responsibilities: All employees bear a certain level of responsibility for internal control as a component of their obligation to accomplish the objectives. Collectively, the employees must possess the essential knowledge, skills, information, and authority to establish, execute, and oversee the internal control system.

A comprehensive risk and compliance management system framework has the ability to mitigate risks by:

  • Identifying the inherent risks associated with achieving goals and objectives.
  • Establishing risk appetite across the entire spectrum of risks.
  • Establishing and communicating risk management frameworks.
  • Developing accurate and consistent risk assessment methods.
  • Implementing measurement reporting standards and methodologies.
  • Creating a risk profile.
  • Establishing key control processes, practices, and reporting requirements.
  • Monitoring the effectiveness of controls.
  • Ensuring that all exposures are adequately identified, measured, and managed.
  • Providing alerts for early warning signals.
  • Ensuring that risk management practices are sufficient and appropriate for managing risks.
  • Reporting areas of stress where risks are likely to crystallize.
  • Presenting remedial actions to reduce or mitigate such risks.
  • Reporting on sensitive and key risk indicators.
  • Communicating with relevant parties.
  • Reviewing and challenging all aspects of the risk profile.
  • Providing advice on optimizing and improving the risk profile.
  • Reviewing and challenging risk management practices.

Ways to Approach These Risk Areas


Businesses understand the consequences of insufficient and excessive control. Insufficient control can lead to unreliable data, legal violations, asset loss, resource wastage, and goal failure. In particular, a company may be at higher risk of litigation, reputation damage, fraud, global issues, negative publicity, and critical assessments of its internal control system if proper controls are not established. These factors can pose a serious threat to a company's survival.

The consequences of excessive control are equally substantial. Organizations may suppress their employees, waste resources on repetitive or unnecessary controls, complicate procedures unnecessarily, diminish customer satisfaction, or underutilize information technology if they excessively prioritize internal control. In the current competitive landscape, these costs can also jeopardize a company's survival. Companies can no longer afford to maintain intricate and superfluous control systems.

We acknowledge the significance of Internal Controls over Financial Reporting (ICFR) in today's landscape, encompassing scope, maturity, reporting, and digital enhancement. As a result, we have examined global best practices and are contemplating a stronger focus on the "FOCUSED" approach, which is set out below:

  • F: Framework Development – It brings an effective administration culture and provides clarity of roles by developing an entity-specific ICFR framework based on the financial reporting standards and leading control practices followed.
  • O: Operations Assessment – It assesses the operations of the company and provides a value-focused approach to identify the scope of processes, report risks, and align them with the financial statements.
  • C: Control Design Review – Different walk-throughs, data analytics, and control dynamic techniques are employed to evaluate the effectiveness of current controls pertaining to financial reporting.
  • U: Upgrading Internal Practices – This stage adds value to the business by re-engineering current processes and implementing cutting-edge digital practices to enhance control design, based on identified gaps.
  • S: Sampling Techniques – Different data-driven sampling techniques are utilized to choose the appropriate value-centric approach in order to acquire comprehensive experiences and assurance within the target population area.
  • E: Effectiveness Testing – A combination of traditional testing methods and data analytics is employed to guarantee compliance with financial reporting regulations for transactions conducted within the specified timeframe.
  • D: Documentation and Representation – The ICFR life cycle remains dynamic and ensures the establishment of an efficient governance culture by identifying the necessary roles, timelines, templates, and other requirements.

The FOCUSED approach extends beyond achieving regulatory compliance: it is based on international leading practices, internal control frameworks, and lessons learned from advanced economies, tailored to the specific requirements of the organization.

Conclusion


The effectiveness of an ICFR exercise greatly relies on how it is strategized, implemented, and supervised within an organization. Even if an ICFR exercise adheres to all the necessary criteria, it may fail to identify crucial control design or operational shortcomings if the organization does not adopt the appropriate approach. It is imperative to cultivate a "FOCUSED" approach that encompasses all areas of concern for organizations of any magnitude and aids them in their journey toward ICFR maturity.

We can assist your business with Internal Control over Financial Reporting concerns. You can get in touch with us by submitting a query below.
