India’s Internal Control experiment
Corporate world has witnessed dramatic regulatory interventions, and the trend continues with the enactment of the Companies Act, 2013 which casts onerous responsibility on the Board of Directors while certifying the financial statements. In particular, section 134(5) of the Companies Act, 2013 requires the Board to include an statement as part of the Directors responsibility ensuring implementation of adequate internal financial controls (IFC), adherence to policy and procedures adopted by the company with an objective of orderly and efficient conduct of its business, safeguarding of company’s assets, prevention and detection of frauds, accuracy and completeness of the accounting records and timely preparation of reliable financial information. Further, the section prescribes penalties upto Rs. 25 lacs and imprisonment of 3 years for contravention of these provisions. IFC has noble intentions to align our country to global best practices in governance and restore the faith of investors. The IFC provisions are born from the fear of repeat of Satyams and other similar fraudulent financial reporting scams in the recent history of Corporate India. As a result, it appears that the law makers have embarked on a massive hunt for tracking down corporate control deficiencies.
Perusal of Companies Bill debates in the parliament reveal that the spirit was to rather have fewer regulations to ensure 100 per cent compliance as there is no point in having 1,000 regulations and companies meeting only half of them. The Companies Act, 2013 turned out to be contrary to this and thereafter a series of amendments followed to simplify and ensure compliance. One wonders, how Ministry of Corporate Affairs would monitor implementation of section 134 (5) - Internal Financial Controls. India has the largest population of listed entities in addition it appears that the IFC applicability extends to private companies as well. It seems an improbable monitoring task on hand and therefore Indian Corporates are oft tempted to apply short cuts knowing fully well that there is no regulatory oversight thereby adopting a “tick” approach to demonstrate compliance on paper.
Indian regulators have often adopted regulations passed by developed nations without debating the pros and cons of how such regulations can be localised to the Indian context. By considering how the law would apply to companies of different sizes the law makers could have built some level of flexibility into IFC provisions so as to avoid a one-size-fits-all approach. This flaw in the policy making process impacts the society at large and in particular small and emerging businesses who cannot absorb increasing costs of compliances. IFC is one such glaring example where law abiding Indian Corporates are struggling to find ways of complying with section 134 (5) of the Companies Act, 2013. IFC is a significant step ahead of the Clause 49 that requires certification of the CEO and CFO on controls over financial reporting and CARO that requires auditors to comment on the adequacy of internal control system and whether there is any continuing control deficiency that need to be corrected.
Majority of the Indian Corporates who have immensely benefitted from their controls journey over the years and who intend to comply in letter and spirit are looking at IFC as a one-time investment to refresh their repository of risk and controls.
IFC shall certainly improve transparency by highlighting control related disclosures but does it mean that actual evaluation of control as required by the spirit of law shall be effectively implemented – going by our previous corporate history and disclosure standards chances are rarest of rare.
A quick review of published information suggests that when in the US - SOX was implemented in late 2004 Sections 404(a), required management evaluation and reporting on ICFR, and 404(b), required an independent audit of ICFR effectiveness, the internal control information for investors substantially increased. Over time, the proportion of U.S. public companies disclosing material weaknesses has declined substantially. Further, majority of the deficiencies were not reported to the Audit Committee.
US opinion makers generally agree that despite high initial costs of designing and implementing sustainable internal control systems, evidence shows that it has proved beneficial. Markets have been able to use the information to assess companies more effectively, managers have improved internal processes, and the internal control testing has become more cost-effective over time [as per Forbes/HBS working knowledge March 2014].
In contrast to mandatory compliance in India, U.K. code requires firms listed on the main exchange to report how they comply with listing rules that include voluntary application of the Turnbull Guidance on internal control in the Combined Code. Listed firms can comply by disclosing, with or without independent auditor assurance, or by explaining why they do not comply, and let users assess the quality of non-compliance. Key advantage of comply or explain is that it allows individual firms to conduct cost benefit analyses regarding whether, and how, to comply over time and to avoid costs when they believe net benefits would be small. It therefore encourages standards setters for internal control criteria and auditing to develop cost-effective standards. A disadvantage of “comply or explain” is that firms with poor internal controls may use cost-benefit concerns to avoid auditor involvement in internal control disclosure where it may be most beneficial.
The Institute of Internal Auditors (IIA), USA in its various publications on the subject of Control Self-Assessment (CSA) states that CSA is a relevant approach to gathering internal control information in today`s environment, and it can effectively augment internal control initiatives. Verita Management Advisors and IIA India Mumbai carried out a research on the subject of CSA [in 2014] and how Corporates in India could benefit from the CSA technique. One of the major findings from the research paper was - Key stakeholders strongly agreed that from a cost benefit balance CSA could be the most suited and preferred option for meeting the Companies Act, 2013 and other regulatory and compliance requirements. Further, 54% strongly agreed that CSA is relevant in today`s times and that CSA is an absolute necessity in case of multi-product and multi-region companies.
The first few years of IFC would be hugely difficult—particularly for corporates, regulators and practitioners, as they have to navigate through emerging practical difficulties, however, with techniques such as CSA the process can be simplified. Global survey results reveal that SOX has increased investor confidence and reduced fraud potential. Therefore, intangibles far outweigh the tangible compliance costs involved and now that IFC is legally mandated Corporates should use the opportunity to elevate their governance practices.