Globalisation, technological innovation, and access to local and international capital and operations have presented unique opportunities to businesses, while simultaneously creating newer risks or amplifying existing ones. Financial scandals, stagnation, market volatility from inflation, and interest rate and foreign currency fluctuations have exacerbated the situation.

As corporations now operate in multiple jurisdictions, they need to comply with a web of intricate laws and are subject to greater regulatory scrutiny, including various securities, taxes and environmental laws. Similarly, there is operating complexity resulting from novel business models comprising multiple industry segments, legal structures, alliances and third-party service providers for critical business processes.

Technology is no longer an isolated function, but interconnected with business processes. The dependence on sophisticated technology has expanded from the use of an Enterprise Resource Planning system to social media, which brings its own risks. As frauds, corruption and other brand-damaging events are disconcerting for regulators, Boards and other stakeholders, there is growing focus on risk assessment and mitigation.

In addition to business improvement and growth strategies, many Boards recognise the need for rigorous enterprise risk management systems, including strong internal controls. Regulators across the world are introducing enhanced governance concepts and standards to promote stakeholder protection and confidence. For example, the Reserve Bank of India has issued guidelines on the implementation of Basel III Capital Regulations to improve the risk management, quality and quantity of bank capital. Similarly, the 2013 Indian Companies Act contains important provisions for governance, such as:

The Board of Directors’ report should indicate the development and implementation of a risk management policy, including identification of risk elements which, in their opinion, may threaten the company’s existence.

The Directors’ Responsibility Statement shall state, in the case of a listed company, that they have laid down adequate internal financial controls, which are operating effectively, including compliance with law.

A listed company should establish a vigilance mechanism for reporting genuine concerns, including providing adequate safeguards against victimisation and access to the chairperson of the audit committee.

The audit committee should specifically evaluate the company’s internal financial controls and risk management systems.

The auditor’s report should additionally state whether the company has adequate internal financial controls, and their operating effectiveness.

There is emphasis on the formulation of robust risk management systems and effective internal financial controls, with wide responsibilities extending to the Board, audit committee, and auditors. For example, the auditor’s current reporting on internal controls related to purchase and sales transactions — under Companies (Auditor’s Report) Order, 2003 — will now cover the operating effectiveness of the entire control system.

While this is a step in the right direction, given the broad scope of internal financial controls, there is need for a comprehensive, uniform control framework and associated principles for all constituents. This can also provide guidance on implementing an effective control framework, use of judgment and, importantly, meeting the organisation’s governance and control objectives.

Useful lessons can be drawn from the risk assessment and internal control guidance available to auditors under the Indian Standards on Auditing and the Committee of Sponsoring Organisations of the Treadway Commission’s (COSO) Internal Control — Integrated Framework 1992, which is extensively used by Securities and Exchange Commission registrants and their auditors. The COSO Framework was revised in May 2013 and will supersede the 1992 version from December 15, 2014.

The framework articulates 17 principles that were implicit earlier, and details five components for an effective internal control system: Control environment, risk assessment, control activities, information and communication, and monitoring activities — each of these should be present, and operate in an integrated manner.

As detailed rules under Companies Act 2013 are being finalised, there is a need to develop a comprehensive internal control framework. This would ensure consistent application, assist the Board and the audit committee in implementing and evaluating controls, help auditors in reporting, and ultimately enhance corporate governance.

The author is Partner — Price Waterhouse
