The net widens for internal control

Companies Bill 2012 mandates that the Directors’ Responsibility Statement must declare that the directors in a listed company have laid down internal financial controls and these are adequate and operating effectively. The statutory auditor too should report on the presence and operating effectiveness of such controls.

The concept is not without precedence — the best-known example is the Sarbanes–Oxley (SOX) Act of 2002, enacted in the US in response to large corporate accounting scandals such as Enron. One of the most contentious aspects of SOX is Section 404 (SOX-404), which requires the management and external auditor of US-listed companies to report on the adequacy and effectiveness of a company’s internal control on financial reporting (ICFR). In 2006, Japan introduced similar requirements, known as J-SOX. The Companies (Auditor’s Report) Order, 2003, or CARO also requires auditors to report on internal controls in certain areas.

It is worth noting that the Companies Bill’s requirement for reporting on internal control applies to all companies. This is inconsistent with the applicability for directors, which pertains only to listed companies. Both the US and Japan made their laws applicable only to listed companies.

Furthermore, both SOX-404 and J-SOX have a narrow scope, and focus on financial reporting and processes/ controls underlying the preparation and finalisation of financial statements. However, the Companies Bill defines internal financial controls quite broadly, including “policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to the company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.”

This definition appears to have been taken from the Institute of Chartered Accountants of India’s statement on CARO, which guides auditors on reporting responsibilities under CARO. However, when this definition is introduced in the Bill, it takes on greater significance, as it now becomes law (as opposed to mere guidance earlier), and applies to both companies and their auditors.

A broad scope, coupled with inclusion into law, would lead to significantly higher compliance costs. In the US, despite a narrower scope, the documenting and testing of important financial controls requires enormous effort. A 2007 study by Financial Executives International found that the costs of annual compliance on SOX-404 for a public company were almost $2 million. In addition, other surveys found that the cost of complying with SOX-404 impacts smaller companies disproportionately, as there is a significant fixed cost involved.

Similar to Enron, a number of high-profile accounting scandals and frauds have shaken India Inc and its regulators over the past few years. The prevention of such occurrences is a welcome objective, and the inclusion of these clauses in the Companies Bill is a step in the right direction. However, it would prove very expensive and inefficient for companies to document and test operating effectiveness in all functional areas. Furthermore, it would be onerous for auditors to extend their scope of duty beyond financial statements, and to be held liable on it. They may not even have the requisite capabilities in several areas.

The biggest challenge will be in enforcement and monitoring — the scope of the requirements should be narrowed (restricted to ICFR) and apply only to listed companies and large public interest entities. Otherwise, companies may be forced to divert a large part of their efforts towards documenting how they do business rather than actually doing business.

Yogesh Sharma is Partner, Financial Reporting Advisory Services, Grant Thornton