Audits of internal controls help provide reasonable assurance to stakeholders regarding the effectiveness of operations, as well as true and fair financial reporting. Besides, they help enterprises manage risks, safeguard their assets, assure compliance with applicable regulations, and mitigate the possibility of fraud.

INTERNAL CONTROL FRAMEWORK

Of the various benchmarks available for internal controls, the international framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which integrates internal control, Enterprise Risk Management (ERM) and fraud deterrence, predominates. COSO perceives internal control as a process to be applied in formulating the organisation's strategy, aligning it across the enterprise and enhancing communication by removing 'silos of risks'. The main goal is to capture potential risks, including IT risks, and mitigate them to the risk appetite level of the entity, 'providing a reasonable assurance regarding achievement of goals'.

The COSO ERM framework addresses issues of governance, risk and compliance (GRC) in two main documents: while the ERM Framework defines fundamental principles and concepts for risk management, the Application Techniques guides the user on how to apply both the qualitative and quantitative methodologies, with detailed discussions on benchmarking and on probabilistic and non-probabilistic models from different business environments.

COSO views entity risks in four categories: strategic, operations, reporting and compliance. There are eight interrelated ERM components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Because risk management is a dynamic, continuous, iterative process that spans the entity, division, business unit and subsidiary levels, a third dimension is added to the framework.

MANAGEMENT RESPONSIBILITY

It is the responsibility of the management to establish an effective internal control system in the organisation based on the benchmarked criteria. The control environment of the organisation sets the tone at the top, incorporating management philosophy, ethical values and professional conduct and standards. Focus is on strengthening the governing structure, formulation of strategy, policy and planning, clearly laying down processes and goals with allocation of adequate resources, delineated work flow, charter of responsibilities, segregation of powers, checks and balances, delegation of authority and financial powers.

Insistence on proper documentation and systematic records management, manuals, rules, procedures and standards controls and guides all activities and operations to optimise achievement of strategic goals. Most importantly, the board is required to review and monitor strategy, policies, planning and procedures and ensure that appropriate internal controls are in place. The Public Company Accounting Oversight Board (PCAOB) developed Auditing Standard 2, and subsequently replaced it with Auditing Standard 5, for the audit of internal control. The standard elaborates the audit process and requires auditors to issue an opinion on the effectiveness of internal control of the audited public company.

In India, ICAI hasn't made any specific standard for internal controls, but has developed 17 standards for internal audit, encompassing essential aspects of the audit of internal controls, such as enterprise risk management, internal control evaluation, evidence, analytical procedures and communication with management. An audit of internal control should highlight both systemic and compliance deficiencies to enable the board to take remedial and preventive actions promptly.

(The author is Director-General, CAG Office.)
