Companies Act 2013 and internal financial controls |
Aswathe of high- profile corporate disasters in the US and elsewhere around 2000 made governments, regulators and corporations grasp afresh the significance of internal controls. These disasters were largely attributed to the failure to implement internal controls. But rapidly changing terminology has been one obstacle in the development of an accepted understanding of internal control. Several terms are used by globally recognised control frameworks and market regulators — "Internal Control for Financial Reporting" ( ICFR) mostly in the US after the Sarbanes Oxley ( SOX) Act and " Internal Control" ( IC) mostly outside the US. The Companies Act 2013 ( the Act) coined a new term — " Internal Financial Control" ( IFC) — which is a bit of IC and a bit of ICFR. The Act very correctly strongly emphasises internal control and casts a responsibility on the board for overseeing it. In clause ( e), sub- section ( 5) of Section 134 of the Act, IFC is defined in the widest possible sense to encompass anything and everything that a company does. Boards of listed companies and hundreds and thousands of specified unlisted companies are required to affirm in the Directors' Responsibility Statements in Annual Reports that IFC systems in the companies are adequate and operationally effective. Statutory auditors too are required in Section 143 to report on the adequacy and operational effectiveness of IFC, though presently this requirement has been deferred for a year. IC is defined in the three globally recognised frameworks: the Internal Control - Integrated Framework ( COSO Framework) developed in the US in 1992, by the Committee of Sponsoring Organisations of the Commission (" COSO") of the Treadway Commission; the Turnbull Guidance for Directors on the UK's Combined Code on Corporate Governance, issued in 1999 by the Institute of Chartered Accountants of England and Wales; and the Board Guidance on Criteria of Control ( CoCo) issued in 1995 by the Canadian Institute of Chartered Accountants ( CICA). These frameworks serve only as guidance for boards, managements and auditors and have gained global prominence through wide usage; see internal control as a set of processes designed to facilitate and support the achievement of business objectives; and advocate a wide approach to internal control, covering objectives such as improving business effectiveness, consideration of significant risks in operations, safeguarding of assets, compliance and financial reporting. But most importantly, all the frameworks not only define internal controls in great detail, but also break down the controls into components and objectives and elucidate the basis of monitoring, testing, assessment and evaluation of controls. Clause ( e)( 5) 134 of the Act on the contrary does nothing of the above. Though the term implicitly leans heavily on the COSO meaning of internal control, it severely lacks the precision and detail of the COSO Framework. The language of the " explanation" to the clause is obtrusively nebulous, and there is no reference to any standard or any acceptable benchmark, nor has any method or need of testing, evaluation or assessment been suggested. One may say such details cannot be laid down in an Act; but the Rules framed under the Act do not prescribe these either. The outcome of the woolliness of the clause will be felt on implementation. The possible endgame scenarios will be: a) most companies ( and the number will be in hundreds of thousands) will interpret the term IFC in their own convenient ways and somehow comply with the Act merely by passing Board resolutions, complacent that no external agency will monitor or verify the controls; b) among well governed companies, some in any case have already been using a globally recognised framework, and the others who are not, will be naturally inclined to adopt such a framework or something akin to it. The absence of standards will make certification of the adequacy and operational effectiveness of a company's IFC by the auditors difficult. Even the Companies ( Auditor's Report) Order ( CARO), 2003, which statutory auditors have been following, required auditors to comment upon the adequacy of the internal control system, only with reference to the purchase of inventory and fixed assets and for the sale of goods and services and not specifically on the operating effectiveness of such controls. Globally independent accountants traditionally have not been responsible for reviewing and testing, or attesting to an assessment by management of internal controls that are outside the boundary of financial reporting. It is precisely for this reason that the US Securities Exchange Commission ( SEC) used the term ICFR in its Rules for Section 404 of the SOX Act. ICFR is specific. It addresses only a subset of internal controls of the COSO Framework pertaining to financial reporting objectives and deliberately leaves out elements that relate to the effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations except financial reporting. It also requires managements to use a standard evaluating framework, though no standard has been specified. In the opinion of the SEC, as ICFR is the predominant term used by companies and auditors and best encompasses the objectives of the SOX Act, use of this term would need no familiarisation with investors, companies and auditors with new terminology and hence lessen confusion. Interestingly, Sebi's Clause 49 uses the term ICFR and requires the CEO, i. e. the managing director and the CFO, i. e. the whole- time finance director, to accept responsibility for establishing, maintaining and evaluating the effectiveness of ICFR. But where it falls short is that it does not define the term. ICFR is not a commonly used terminology in India, so its definition is needed and the basis on which companies would evaluate the effectiveness of the controls needs to be specified by Sebi. The Institute of Chartered Accountants of India in its guidance ( currently withdrawn) to auditors had used ICFR in lieu of the term IFC used in the Act. The new guidance is expected shortly. When it comes to meanings of words, the advice of March Hare and Humpty Dumpty are too grave to be trifled with. The March Hare's advice to Alice was, " Then you should say what you mean...' I see what I eat' is not the same thing as ' I eat what I see!'" Humpty Dumpty separately advises Alice as follows: " When I use a word," Humpty Dumpty said in rather a scornful tone, " it means just what I choose it to mean — neither more nor less." " The question is," said Alice, "whether you can make words mean so many different things." " The question is," said Humpty Dumpty, " which is to be master — that's all." The writer is a former executive director of Sebi. pratipkar21@ gmail. com Implementation will be weakened if we fail to define terms used in the Act clearly and precisely Legal frameworks developed abroad define internal controls in detail, break them down into components and elucidate the basis of monitoring and evaluating them |
__._,_.___
No comments:
Post a Comment