Internal Controls: Companies Act 2013 and Control Catalogues


Background:
I got the opportunity to attend a meeting organised by ISACA and ICAI. The meeting was held to launch the “Guidance Note on Corporate Governance, ERM and Assurance for COBIT 5”.
The Indian Companies Act 2013 requires the CEO and CFO to certify that “internal financial controls are adequate and operating effectively”. External auditors are also required to confirm this.
A speaker raised the question of whether there is any standard an external auditor can refer to in order to conclude that, if a given set of internal controls is implemented and operating effectively, internal controls are adequate.
What is the answer?
I have seen the answer take various shapes depending on the type of company.

  1. Self certification: Companies required to comply with SOX in the USA, Clause 49 of the Listing Agreement in India or some other equivalent regulation. The CEO/CFO of these companies (as well as the external auditors) are required to certify that internal controls exist and are effective. They in turn depend on the function heads, who certify for their own functions.
  2. External help: Companies appoint an external consultant who tests the controls and confirms the results to management.
  3. Control self assessment: Some companies have developed a control catalogue and require the various functions and business units to assess the existence, effectiveness and maturity of each control.

Way forward
In my opinion this is what companies / auditors should do:

  1. Create a control catalogue: Create a control catalogue for every function. It can be based on the “as is” process and reviewed every year against internal audit observations, external auditor input and input from other stakeholders.
  2. Define key controls in the control catalogue: Depending on the philosophy of the organisation, the number of controls identified can be small or large. Management, external auditors and internal auditors should come together and identify the key controls.
  3. Get consensus on key controls: Management should first agree on the key controls and then obtain the buy-in of the external and internal auditors.
  4. Run the controls past the independent directors: Present the key controls and the control catalogue to the board and obtain in-principle approval from the directors (especially the independent directors and the audit committee, where applicable).
  5. Repeat the process annually: Run the process again at the end of the year, year after year. An annual review keeps the control catalogue relevant and up to date.

The result of the above steps is a standard of internal controls, specific to that organisation, which external auditors can assess against. The existence and effectiveness of each control will be assessed by the functional team (first line of defence), their supervisors, risk management and compliance (second line of defence), internal auditors (third line of defence), management and the external auditors.
For example, what could the top 10 key controls for an eCommerce organisation be?

  1. Vendor risk assessment: Assessing and approving the vendors who may list their goods and services on the eCommerce portal. A non-existent or fictitious supplier can threaten the existence of the organisation.
  2. Vendor reconciliations (for sales, discounts and revenue).
  3. Discount/promo code controls and reconciliations (including
  4. Monitoring of goods and services listings for prohibited goods or services.
  5. Inventory: either the organisation holds no inventory (“zero” inventory) or it controls inventory ageing, custody and counts.
  6. ITGC/information security.
  7. Transaction integrity: Tracking the entire transaction and rejecting incomplete transactions.
  8. Transaction validation: The organisation needs a system that prevents fraudulent transactions (for example, where the user's billing address, the credit card address and the delivery address differ).
  9. Fraud monitoring.
  10. Defining and monitoring KPIs (sales, delivery time, returns, vendor return rate, customer feedback, customer complaints, server load).
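As an added example (not part of the original post), here is what controls 7 and 8, together with the promo-code control in item 3, can look like when implemented as a check that runs on every order before it is accepted. The order records, the promo-code register, the field names (such as card_address) and the accept/review/reject thresholds are all constructed for illustration; a real system would take them from the order pipeline and the marketing system.

```python
"""
Illustrative transaction-integrity and transaction-validation control for
an eCommerce order flow. Added example, not the original post's code.

- Transaction integrity: an order missing any mandatory field is rejected.
- Transaction validation: orders whose billing, card and delivery addresses
  disagree, or which carry an unknown, expired or over-used promo code,
  are routed to manual review rather than accepted automatically.

All orders, promo codes and dates below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Assumed field names for an order record.
REQUIRED_FIELDS = ("order_id", "customer_id", "amount", "billing_address",
                   "card_address", "delivery_address", "items")

# Constructed promo-code register: code -> per-customer use limit and expiry.
PROMO_CODES = {
    "WELCOME10": {"max_uses": 1, "expires": date(2099, 1, 1)},
    "SPRING25": {"max_uses": 1000, "expires": date(2000, 1, 1)},  # expired
}


def normalize_address(addr: str) -> str:
    """Lower-case, replace punctuation with spaces and collapse whitespace so
    that "12, Park St." and "12 Park St" compare equal."""
    text = re.sub(r"[^a-z0-9]+", " ", addr.lower())
    return " ".join(text.split())


@dataclass
class Verdict:
    order_id: str
    decision: str                      # "accept", "review" or "reject"
    reasons: list = field(default_factory=list)


def assess_order(order, promo_register=PROMO_CODES, promo_uses=None, today=None):
    """Evaluate one order against the three controls and return a Verdict.

    promo_uses maps (customer_id, code) -> number of prior redemptions.
    """
    today = today or date.today()
    promo_uses = {} if promo_uses is None else promo_uses
    reasons = []

    # Control 7: transaction integrity. Every mandatory field must be present;
    # an incomplete transaction is rejected outright, not patched up.
    missing = [f for f in REQUIRED_FIELDS
               if f not in order or order[f] in (None, "", [])]
    if missing:
        return Verdict(order.get("order_id", "?"), "reject",
                       ["incomplete transaction: missing " + ", ".join(missing)])

    # Control 8: the user's billing address, the card address and the
    # delivery address should agree; any mismatch is a fraud indicator.
    billing = normalize_address(order["billing_address"])
    card = normalize_address(order["card_address"])
    delivery = normalize_address(order["delivery_address"])
    if billing != card:
        reasons.append("billing address differs from card address")
    if delivery != billing:
        reasons.append("delivery address differs from billing address")

    # Control 3: promo codes must exist, be unexpired and be within their
    # per-customer use limit; otherwise the discount is not honoured blindly.
    code = order.get("promo_code")
    if code:
        entry = promo_register.get(code)
        if entry is None:
            reasons.append(f"unknown promo code {code}")
        elif entry["expires"] < today:
            reasons.append(f"expired promo code {code}")
        elif promo_uses.get((order["customer_id"], code), 0) >= entry["max_uses"]:
            reasons.append(f"promo code {code} exceeded its use limit for this customer")

    return Verdict(order["order_id"], "review" if reasons else "accept", reasons)


# Constructed sample orders: one clean, one with every red flag, one incomplete.
SAMPLE_ORDERS = [
    {"order_id": "A1", "customer_id": "c1", "amount": 49.0,
     "billing_address": "12 Park St, Pune 411001",
     "card_address": "12, Park St., Pune 411001",
     "delivery_address": "12 Park St Pune 411001",
     "items": ["sku-1"], "promo_code": "WELCOME10"},
    {"order_id": "A2", "customer_id": "c2", "amount": 899.0,
     "billing_address": "5 MG Road, Bengaluru",
     "card_address": "88 Link Rd, Mumbai",
     "delivery_address": "Flat 3, Hill View, Goa",
     "items": ["sku-7"], "promo_code": "SPRING25"},
    {"order_id": "A3", "customer_id": "c3", "amount": 10.0,
     "billing_address": "", "card_address": "x", "delivery_address": "y",
     "items": []},
]


def run_control(orders=SAMPLE_ORDERS, today=date(2024, 6, 1)):
    """Run the control over a batch and return verdicts keyed by order id."""
    return {v.order_id: v for v in (assess_order(o, today=today) for o in orders)}


if __name__ == "__main__":
    for verdict in run_control().values():
        print(verdict.order_id, verdict.decision, "; ".join(verdict.reasons))
```

The point of the example is the shape of the control rather than the particular rules: the integrity check is a hard stop, the validation checks produce an auditable list of reasons rather than a bare score, and the promo-code check reads a register that the reconciliation in control 3 can be run against. Real deployments would add velocity limits, device and IP signals and a feedback loop from confirmed fraud into the rules.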

Call to action:
Inputs/comments/suggestions: I welcome inputs, comments and suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the article: If you like it, share it. If you share it with others and they comment, we will all learn more.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author’s employers or supervisors, nor do they represent the views of organisations, businesses or institutions the author is, or has been, a part of.)