Cost Rationalization Of Internal Financial Control

Published on Wed, May 27, 2015 | 17:47, Updated at Wed, May 27 at 17:51

By: Sunil S Kothari, Partner, Deloitte Haskins & Sells LLP and Nikhil Kenjale, Senior Manager, Deloitte Haskins & Sells LLP

Compliance requirements, especially those relating to governance, have evolved over time and essentially reflect the regulators’ intention to enhance stakeholders’ value in the long term. A continuous series of corporate frauds has compelled regulators across the globe to bring in stricter laws enforcing strong corporate governance requirements, such as SOX and Basel, over and above the applicable corporate laws.

India’s multifold industrial progress after the opening of the economy around 1991-92 is visible. With more and more money being invested in corporate entities, including significant foreign investments, and with the corporate frauds that took place in the last two decades, the regulators brought in corporate governance requirements such as Clause 49 CEO / CFO certification, auditors’ reporting on certain prudential aspects in CARO etc.

The recently concluded financial year (FY), i.e. FY 2014-15, was the first year in which the directors have to sign the directors’ responsibility statement in terms of the requirements of section 134 (5) of the Companies Act, 2013. This includes certification on the “Internal Financial Controls” (IFC), one of the most widely discussed topics. The auditors have to report on the adequacy and operating effectiveness of IFC from the coming FY, i.e. 2015-16.

Any new compliance requirement has its own obvious costs and the inherent risk of being interpreted in a manner not intended by the legislation. Presently, listed entities in India have to comply with the following key requirements in terms of internal controls:

  • Role of the audit committee as per Clause 49 of the listing agreement in terms of reviewing the adequacy of the internal controls and internal audit function
  • CEO / CFO certification as per the requirements of Clause 49 of the listing agreement
  • Directors / Auditors certification of IFCs in terms of the requirements of the Companies Act, 2013
  • Maintenance of records, evidences, clarifications to enable an audit trail of internal financial controls

Also, Indian companies, on their own account and/or because their Global Ultimate Parent entities are listed on international stock exchanges, have to comply with legislation such as the Sarbanes Oxley Act, 2002.

Let us discuss some of the key aspects which one needs to consider when it comes to the IFC.

Indian context of the Control Environment - Before getting into technical control jargon such as entity level and process level controls, tone at the top, compensating controls etc., it is necessary to understand the typical Indian control environment. In India, owner / promoter driven companies are not uncommon. In these types of entities it is very difficult to demonstrate the so-called “entity level” controls, such as commitment to ethical values and the existence of the control environment. Of course, that does not mean that these elements are absent. But it is very difficult to capture evidence of them, especially where there is a thin line between ownership and management.

Considering the above overlapping compliance requirements and the Indian context, the key considerations for corporate entities would be:

  • What exactly should an entity do to become compliant with the new requirements?
  • What is already there?
  • What are the overlapping requirements for which no new compliance actions are needed?

Overreacting to the new legislative requirements may result in inappropriate compliance or over-compliance and may lead to excessive costs.

135 (5) The Directors’ Responsibility Statement referred to in clause (c) of sub-section (3) shall state that—

(a) in the preparation of the annual accounts, the applicable accounting standards had been followed……;

(b) the directors had selected such accounting policies and applied them consistently and made judgments and estimates that are reasonable and prudent so as to give a true and fair view of the state of affairs …….;

(c) the directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities;

(d) the directors had prepared the annual accounts on a going concern basis; and

(e) the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.

Clause 49 / CEO/CFO certification

CEO/ CFO have reviewed the financial statements and the cash flow statement and the Directors’ Report and that to the best of their knowledge and belief:

  • these statements do not contain any materially untrue statement or omit any material fact or contain statements that might be misleading;
  • these statements together present a true and fair view of the company’s affairs and are in compliance with existing accounting standards, applicable laws and regulations.
  • There are…no transactions entered into by the company which are fraudulent, illegal or violative of the company’s code of conduct or ethics policy.
  • They accept responsibility for establishing and maintaining internal controls and that they have evaluated the effectiveness of the internal control systems…..
  • They have indicated to the auditors and the Audit committee significant changes in internal control, accounting policies, and instances of significant fraud……

What is common between Clause 49 and new Companies Act requirements?

A purposive reading of both the above requirements reveals that they mainly revolve around ensuring reliable financial reporting in accordance with the applicable reporting framework and the maintenance of an effective internal control system.

Definition as per the Companies Act, 2013

“internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

The IFC has been defined for the first time in the Companies Act, 2013. The definition of IFC also captures an additional element, i.e. “ensuring the orderly and efficient conduct of its business”. This has fairly enlarged the scope of the duties of the directors and the auditors. This is a relative concept and is difficult to evaluate.

What is control rationalization?

The best way to optimize the compliance cost in terms of IFC is to look at all the controls differently, i.e. Control Rationalization. This is nothing but taking a “Process Engineering” view of the existing compliance mechanism in light of the new requirements of the Companies Act, 2013. The exercise will not only corroborate the controls which already exist, but will also help entities identify the areas where they can map existing automated controls instead of manual controls and thereby reduce the total control testing effort. Most of the listed companies in the United States of America faced pressure to reduce Sarbanes-Oxley related costs in the initial years and started thinking about optimizing compliance costs without jeopardizing compliance.

Some of the key measures which the entities can think of are:

Use of top-down and risk based approach: This is the first exercise which can be undertaken to ensure that the controls are scoped in line with the risks relevant to the entity / industry. Aspects suggested by the new COSO framework, viz. risk impact, probability, velocity and momentum, are to be considered when identifying the controls. Controls identified using the “Bottom-up” approach may result in the identification of too many transaction level controls which might not be relevant from the financial reporting and internal control perspective. The risk with the “Top-down” approach is that one may end up not identifying all the risks / controls which might be needed considering the volume and complexities of the business.

Have a lean and balanced control design: To reduce costs, some companies started reducing the number of controls without a methodical approach. This is definitely not what the control rationalization exercise intends. In fact, identifying and testing the right automated and manual controls is the key when it comes to lean and balanced control design. One may note the redundant controls, but may not consider them for the purpose of his / her testing. This is because the redundant / alternative controls might be meant to achieve objectives other than reliable financial reporting, e.g. a monthly MIS review may be an additional control which management has, over and above the transaction level authorization and review type of controls, to take care of the business strategies.

Use of technology controls: With a growing business scale in terms of number of transactions, geographies etc., and with technology advancement, one should first consider identifying the technology controls over transaction approval, duty segregation, exception escalation etc. Automated controls are mostly “Preventive” in nature and give broader assurance than the assurance gathered from manual control testing.

Use of appropriate control framework: How much control is sufficient for the organization is a matter of professional judgement and the answer can differ from person to person. Therefore, for a large scale entity, it is very important to use a reference framework like COSO, COCO, the ICAI framework on internal controls etc. Internal control frameworks generally assist management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. They do so by providing both an understanding of what constitutes a system of internal control and insight into when an internal control is being applied effectively.

To summarize, control rationalization should be viewed as a continuous process to be integrated into the regular routines of the business and into singular events such as mergers and acquisitions, cost reduction programs etc. considering the dynamism in the compliance requirements.


