
Making it easy – ready-to-use drafts and formats

4.1 Entity Level Controls – Specimen (refer paragraph 2.5.5)


ABC Private Limited
ICFR for the year ending 31st March, 2016
Entity Level Controls (ELC)

LIST OF CONTROL GROUPS


Control Ref Control Group
C01 Roles and responsibilities of Board of Directors
C02 Formal SOPs for various crucial processes
C03 Admin Manual covers various policies
C04 Risk Management policy
C05 Background Verification process in place
C06 Manpower planning and recruitment policy/process to ensure right crew for the
right job
C07 Board Review of business plans, budgets, budget vs. actual, periodic performance
and Internal Audit reports
C08 Monthly MIS reporting
C09 Staff hired through a management approved placement agency
C10 Promotions based on well-defined Performance Evaluation system.
C11 Talent growth through need-based and compliance related training
C12 Attrition management
C13 Independent Review and periodic updates by External Professional Consultant
C14 Access rights restrictions
C15 Independent Review by Internal Auditor
C16 Validation controls - confirmation, verifications of assets/bank balances,
valuations
C17 Compliance framework, tracker and reporting - controls on compliances and
regulatory reporting
C18 Sexual Harassment Policy
C19 Appointment letter covers ethical standards and other required terms and
conditions which is signed-off by employees at the time of joining
C20 Board/Management Approval
C21 Formal roll out of ICFR policy and testing
C22 Data Back-up strategy
C23 Defined BCP/DRP process
C24 Periodic department reviews
C25 Defined Financial Closure Policy
C26 Compliance with related-party transactions and disclosures
C27 Periodic updation and communication of ISO manual
C28 Formal KRA definition and communication of the same
C29 Information and Communication


Columns: Sr No | Attribute | Principle | Process | Risk | Control Activity Ref No. | Control Description | Audit Step

Sr No: 1
Attribute: Control Environment
Principle: Management establishes structure, authority and responsibility in pursuit of objectives
Process: Board Oversight
Risk: Board does not clearly define authority to be exercised at Board level and authority delegated to other Directors
Control Activity Ref No.: C01
Control Description: Board powers are clearly defined
Audit Step:
  1. Confirm the documentation of Board powers and delegation of authority done by the Board.
  2. Verify Board minutes and meeting frequency. Verify attendance records to ensure participation and insights.

Sr No: 2
Attribute: Control Environment
Principle: Board of Directors exercises oversight of the development and performance of internal controls
Process: Board Oversight
Risk:
  Board does not acknowledge its responsibility towards oversight for establishing and performance of internal controls.
  Board does not formally delegate the responsibility for establishment of internal financial controls and for ensuring effective performance thereof.
Control Activity Ref No.: C02
Control Description:
  1. Board minutes includes a statement acknowledging its responsibility for ICFR.
  2. Board provides broad guidelines for internal controls and records formal delegation of authority for establishment of controls.
Audit Step:
  1. Verify that formal guidelines have been provided by the Board.
  2. Verify that specific responsibility has been allocated for establishing internal financial controls.

Sr No: 3
Attribute: Control Environment
Principle: Board of Directors exercises oversight of the development and performance of internal controls
Process: Board Oversight
Risk: Board does not have a mechanism to review ICFR adequacy and performance
Control Activity Ref No.: C07, C08
Control Description:
  Board of Directors review the performance of the company and adequacy of internal controls through regular interactions with the Finance Manager.
  Budgets are established on yearly basis.
  Monthly reporting is done by Finance Manager to the Group CFO who in turn reports to BOD.
Audit Step:
  1. Verify Board meeting minutes where adequacy and effectiveness of internal controls have been reviewed.
  2. Confirm that there are regular interactions between Board members and Finance Manager through CFO, and other key management personnel to assess quality of controls and review business performance.
  3. Review budget variances, exceptional items to assess internal control gaps, if any.

Sr No: 4
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process: Board Oversight
Risk: Board of Director does not set the right tone at the top to encourage ethics and integrity.
Control Activity Ref No.: C03
Control Description: Policies are framed by the Board w.r.t. ethical conduct, anti-bribery and corruption, anti-fraud.
Audit Step:
  1. Verify minutes of Board meeting and Admin Manual/directions issued by the Board of Directors from time to time.
  2. Review Appointment letter of an employee.

Sr No: 5
Attribute: Control Environment
Principle: Holds individual accountable for the internal control responsibilities
Process: Board Oversight
Risk: Board of Directors does not set the right tone at the top to encourage institution of controls and systems and ensure accountability for lapse of controls
Control Activity Ref No.: C02
Control Description: Directions are given by the Board to encourage process-driven conduct, automation and effective monitoring across the organization.
Audit Step: Verify minutes of Board meeting and policies/directions issued by the Board of Directors from time to time.

Sr No: 6
Attribute: Control Environment
Principle: Management establishes structure, authority and responsibility in pursuit of objectives
Process: Delegation of Authority
Risk: Ambiguity in delegation of financial powers reduces the control over financial transactions and increase the risk of financial losses
Control Activity Ref No.: C01
Control Description:
  1. Financial powers in terms of signing/effecting banking transactions is with the Director.
  2. Also, all the major contracts, agreements, Purchase Orders are signed/approved by the Directors.
  3. All the major decisions are closely reviewed by the respective HODs at Group level before approval by the Director.
Audit Step: Confirm that authorization/approvals of Directors is in place, review Board resolution to define powers of Director

Sr No: 7
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process: Ethics & Integrity
Risk: Flawed performance incentive/compensation policy not in line with ethical tone and standards may increase the risk of compromise/non-compliance to ethical standards of conduct
Control Activity Ref No.: C03, C19
Control Description:
  1. Admin Manual gives a reference to ethical standards expected from employees.
  2. Appointment Letter includes relevant clauses
Audit Step:
  1. Verify Admin Manual to ensure all updations are included.
  2. Verify Appointment Letter of employee

Sr No: 8
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process: Ethics & Integrity
Risk: If management does not take timely and appropriate disciplinary action, it would encourage non-adherence to established policies and procedures
Control Activity Ref No.: C03
Control Description: Management takes disciplinary action for violations/non-adherence, in a timely and appropriate manner.
Audit Step:
  1. Verify the mechanism for recording non-adherences/violations.
  2. Verify the evidence of action being taken.

Sr No: 9
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process: Ethics & Integrity
Risk: Applicant screening procedures do not adequately consider integrity and ethical values
Control Activity Ref No.: C05, C09
Control Description:
  1. Adequate background verification is done for employees (Police Clearance, Experience letter, etc.)
  2. Majority of office staff is hired through a placement agency which is selected by the management to ensure right person for the right job
  3. Declarations are obtained from employees for non-disclosure and code of conduct adherence as a part of joining formalities
Audit Step: -

Sr No: 10
Attribute: Control Environment
Principle: Demonstrates commitment to attract, retain and develop competent individuals
Process: Recruitment & Selection
Risk: Lack of adequate talent or mismatches in requirements and skill sets may severely impact achievement of objectives
Control Activity Ref No.: C05, C06, C09
Control Description:
  1. A rigorous recruitment and selection process is adopted to ensure selection of right employees for the right job.
  2. Majority of office staff is hired through a placement agency which is selected by the management
Audit Step:
  1. Confirm the no. of exits and the principal underlying reason/s.
  2. Confirm that key positions are not left vacant for a long time.

Sr No: 11
Attribute: Control Environment
Principle: Demonstrates commitment to attract, retain and develop competent individuals
Process: Incentive
Risk: In absence of a proper work environment the company may have to deal with high attrition levels
Control Activity Ref No.: C10, C12
Control Description:
  1. Promotions are based on well-defined Performance Evaluation system.
  2. Management ensures a very low attrition rate.
Audit Step:
  1. Review the appraisal process for appropriateness and confirm that there is due process for redressal of appraisal related grievances.
  2. Review attrition rate and related analysis

Sr No: 12
Attribute: Control Environment
Principle: Board of Directors exercises oversight of the development and performance of internal controls
Process: Internal Audit
Risk: A robust system of monitoring through periodic internal audits or control Self Assessments has not been established
Control Activity Ref No.: C07, C15
Control Description:
  1. Internal audits are done quarterly as per pre-defined scope which is approved by the management.
  2. Board meetings discuss internal audit reports - key findings.
Audit Step:
  1. Verify Internal audit scope and reports
  2. Review Board Minutes

Sr No: 13
Attribute: Control Environment
Principle: Demonstrates commitment to attract, retain and develop competent individuals
Process: Training
Risk: Inadequate attention to training may result into skill dilution, lack of awareness about policies and regulatory requirements and inability to discharge assigned responsibilities.
Control Activity Ref No.: C11
Control Description:
  1. Training for regulatory and process changes is imparted on a timely basis as per either client's requirement or regulatory requirement
  2. Training is identified and imparted as needed
Audit Step: Verify training process

Sr No: 14
Attribute: Risk Assessment
Principle: Specifies objectives with clarity to identify and assess the risks
Process: Risk Management Framework
Risk: Absence of enterprise-wide risk assessment and absence of documented risk management policy
Control Activity Ref No.: C04
Control Description: Formal risk management policy is presented to the Board and approved by the Board of Directors.
Audit Step: Review the risk management policy adopted by the Company

Sr No: 15
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process: Business Continuity Plan, Disaster Recovery Plan
Risk: Absence of BCP/DRP may lead to business interruptions and may jeopardize business continuity
Control Activity Ref No.: C22, C23
Control Description:
  1. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are in place.
  2. Data recovery plan is established and operational.
Audit Step:
  1. Review the BCP and DRP.
  2. Review the data recovery plan.

Sr No: 16
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process: Financial reporting
Risk: Regulatory changes impacting business, financial conduct or reporting requirements are not understood, analyzed or internalized.
Control Activity Ref No.: C17
Control Description:
  1. Regulatory changes are understood and assessed for their impact on business.
  2. Compliance tracker is filled in at defined frequency and updated periodically for amendments.
Audit Step: Verify formal assessment of key regulatory changes.

Sr No: 17
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process: Financial reporting
Risk: Improper channels to communicate the changes in business practices to the accounting department may affect the method or the process of recording the transactions in financial statements
Control Activity Ref No.: C24
Control Description: Periodic departmental reviews are done wherein Finance team is also present; review covers discussions on changes in business practices affecting financial statements.
Audit Step: Review modification in processes, if any, by the accounts team

Sr No: 18
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process: Financial reporting
Risk: Risk of regulatory non-compliance and financial misstatements if suitable accounting principles, policies or rules not followed
Control Activity Ref No.: C13, C15, C25
Control Description:
  1. Management specifies financial reporting rules and standards which are consistent with accounting principles suitable and appropriate for the entity.
  2. Reviews by/consultations with the Statutory Auditors as required by the regulation (annual review) or as considered necessary by the management, are done.
  3. Internal audit coverage extends to compliance review and financial reporting review.
Audit Step:
  1. Verify financial statements with adequate disclosures
  2. Verify statutory auditor's report
  3. Verify internal audit reports

Sr No: 19
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process: Financial reporting
Risk: Non identification of changes in accounting principles or financial reporting requirements may lead to non-compliance and the financial statements will not show true and fair figures or may not include disclosures as required.
Control Activity Ref No.: C13, C25
Control Description:
  1. Defined and documented Financial Statement Closure Process is in place.
  2. Periodic updates are received from professional consultants.
Audit Step: Review financial statements and all other relevant information.

Sr No: 20
Attribute: Risk Assessment
Principle: Identifies risks to the achievement of objectives and analyzes risks to manage them
Process: Financial reporting
Risk: Absence of an appropriate mechanism of related party transactions identification can lead to regulatory non-compliance and/or financial misstatements
Control Activity Ref No.: C20, C26
Control Description:
  1. Various compliances under different statutes in relation to transactions with related party (transfer pricing related compliance and return filing) are verified.
  2. Board approval is taken for related party transaction
Audit Step: Verify Board noting and approval of related party transactions.

Sr No: 21
Attribute: Risk Assessment
Principle: Assesses fraud risk to the achievement of objectives
Process: IT Security
Risk: Company infrastructure and IT systems being used for fraudulent activities thereby affecting the reputation and increasing the legal risks attached
Control Activity Ref No.: C14
Control Description:
  1. Access is restricted to users who are either employees or authorized personnel.
  2. Password and user id protected systems exist.
  3. Deactivation of external storage devices on company PC's has been done.
  4. Access to all public sites and domains is restricted.
Audit Step:
  1. Review list of user-ids with access rights
  2. Verify protocol for access to systems and policy highlighting security of user id and passwords

Sr No: 22
Attribute: Risk Assessment
Principle: Identifies risks to the achievement of objectives and analyzes risks to manage them
Process: Training
Risk: Changes in the procedure manual of a particular department without the knowledge of its employees leads to dilution of the impact of the changes implemented
Control Activity Ref No.: C27
Control Description: Periodic review of process manual is done and updates are communicated to all employees concerned.
Audit Step:
  1. Verify that the manuals are periodically reviewed.
  2. Verify evidence of communication of changes to employees.

Sr No: 23
Attribute: Control Activities
Principle: Selects and develops control activities to mitigate risks
Process: Evaluation
Risk: Risk of recurrence of issues if not evaluated and policies/procedures not modified accordingly
Control Activity Ref No.: C15
Control Description: Periodic internal audit is done by an external agency and changes made basis agreed actions.
Audit Step: Verify internal audit reports available, and record of resolution of agreed actions.

Sr No: 24
Attribute: Control Activities
Principle: Selects and develops control activities to mitigate risks
Process: Financial reporting
Risk: Risk of financial loss and/or financial misstatement in the absence of an established physical verification of assets mechanism
Control Activity Ref No.: C16, C20
Control Description:
  1. Physical verification of fixed assets, cash is done.
  2. Third party and bank balance confirmations statements are taken.
  3. Board discusses findings of physical verification of assets/discrepancy resolution
Audit Step:
  1. Verify fixed asset verification report and check for periodicity (CARO, 2015)
  2. Verify third party confirmations.
  3. Verify records showing full particulars - quantitative details and situation of fixed assets (CARO, 2015)
  4. Verify Board meeting minutes

Sr No: 25
Attribute: Control Activities
Principle: Deploys control activities through policies and procedures
Process: Payments and reimbursements
Risk: Absence of policies will lead to reimbursement/allowance of non agreed expenses to the employees or reimbursement of expenses over and above the set limit to the employees.
Control Activity Ref No.: C03
Control Description: All financial policies relating to employees are in place along with defined level of approvals.
Audit Step: Verify remuneration structure for financial policies relating to employees.

Sr No: 26
Attribute: Information & Communication
Principle: Communicates externally regarding matters affecting internal controls
Process: External Communication
Risk: May result in reputational/financial/reporting risk due to erroneous communications to external parties/external reporting
Control Activity Ref No.: C03
Control Description:
  1. Clear identification of persons authorized to communicate with external parties on relevant company matters.
  2. A formal social media policy is in place.
Audit Step: Verify the Admin Manual for communicating with external parties

Sr No: 27
Attribute: Information & Communication
Principle: Communicates externally regarding matters affecting internal controls
Process: External Communication
Risk: In the absence of clear communicating channels for external parties, employee/management malpractices may not come to light, may have a reputation risk with respect to third parties
Control Activity Ref No.: C03, C18
Control Description: There are properly identified communication channels (email ids) for third parties under grievance mechanism, sexual harassment policy
Audit Step: Review grievance mechanism and sexual harassment policy

Sr No: 28
Attribute: Information & Communication
Principle: Communicates internally, information including objectives and responsibilities of internal control
Process: Internal Communication
Risk: Absence of clear communication on performance measures may lead to ambiguities and increase in attrition levels
Control Activity Ref No.: C28
Control Description: Clear communication of the Key Result Areas in the evaluation process
Audit Step: Verify the communication for the KRAs

Sr No: 29
Attribute: Information & Communication
Principle: Communicates internally, information including objectives and responsibilities of internal control
Process: Management Oversight
Risk: Risk events, exceptional and unusual events remain unreported to the management and hence the risk management framework is not duly enhanced.
Control Activity Ref No.: C07, C08, C29
Control Description:
  1. Formal communication process established for escalating disruption to operations, occurrence of risk events and any material exceptional event.
  2. Periodic MIS/dashboards, highlighting of all exceptions.
  3. Board meeting, management review meeting discuss unusual events.
Audit Step:
  1. Verify periodic MIS on sample basis
  2. Verify management and Board meeting minutes

Sr No: 30
Attribute: Monitoring
Principle: Evaluates and communicates deficiencies, to enable corrective actions being taken
Process: Financial reporting
Risk: Inadequate process for obtaining third party confirmations to validate financial figures and to detect financial frauds.
Control Activity Ref No.: C16
Control Description:
  1. Third party confirmations obtained from banks, debtors, related parties
  2. Web based review done to assess tax status, TDS status, regulatory compliance related numbers.
Audit Step: Verify confirmations obtained from counter parties and Government website (such as Income Tax) for reconciling statutory figures and other balances.

Sr No: 31
Attribute: Monitoring
Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
Process: Financial reporting
Risk: Absence of review of the financials by management
Control Activity Ref No.: C07, C08
Control Description: Monthly MIS consisting of financial statements and other operations, reconciliations prepared by Finance Manager are reviewed and analyzed by Group CFO
Audit Step: Verify financial statements/reports, periodic MIS and reconciliations

Sr No: 32
Attribute: Monitoring
Principle: Evaluates and communicates deficiencies, to enable corrective actions being taken
Process: Grievance and dispute resolution mechanism
Risk: Inappropriate grievance processes may lead to delay in detection of frauds, misreporting of financial figures, need for provisioning due to disputes
Control Activity Ref No.: C03
Control Description: Employee grievance policy (to resolve complaints and grievances) forms part of Admin Manual
Audit Step: Verify policy to resolve complaints and grievances, as stated in Admin Manual

Sr No: 33
Attribute: Monitoring
Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
Process: Management Oversight
Risk: Process gaps, errors and misstatements may not be identified by the management which may also lead to fraud or non-compliance due to absence of well-established risk and internal audit review system
Control Activity Ref No.: C03, C07, C15
Control Description:
  1. Internal audit function reports to Board of Director and highlights deficiencies observed.
  2. Policies and processes are introduced and revised from time to time to plug identified gaps and controls lapses.
Audit Step:
  1. Verify Internal Audit reports
  2. Verify meeting minutes
  3. Verify sample policies and process notes

Sr No: 34
Attribute: Monitoring
Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
Process: Management Oversight
Risk: Absence of communication of deficiencies and monitoring corrective action may lead to un-remediated deficiencies and resultant control gaps w.r.t. ICFR
Control Activity Ref No.: C21
Control Description: Formal roll out of ICFR policy and testing process for control design and effectiveness
Audit Step:
  1. Check ICFR framework and documented RCMs
  2. Check the process adopted for testing control design and operational effectiveness

Note:
The above work-sheet can be enhanced with columns such as department, details with respect to controls (whether key or non-key, whether control exists – yes or no, type of control – manual or automated, nature of control – preventive, detective or both preventive and detective, control frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and when), document/evidence, deficiencies, remedial plan, reference to document and remarks.

4.2 IT General Controls – Specimen (refer paragraph 2.5.6)

ABC Private Limited


ICFR for the year ending 31st March, 2016
RCM - IT General Controls

LIST OF CONTROL GROUPS


Control Ref Control Group/ Attribute
ITGC 01 Comprehensive IT Policy
ITGC 02 Access Rights Restrictions
ITGC 03 User account management - User id and password security
ITGC 04 Data management - back up and restoration of data and system
ITGC 05 Connectivity management - LAN, internet, firewall, anti-virus,
ITGC 06 Sign-off of stakeholders/management for changes made to key applications
relevant to financial reporting
ITGC 07 Restriction to share data
ITGC 08 Controls or authorization for acquisition / development of new system /
migration / subsequent changes
ITGC 09 Incident handling – In-house IT Personnel
ITGC 10 Approval/periodic review of user access rights


Columns: Sr. No. | Attribute | Activity Description | Identification of Risk of Material Misstatement ("What Could Go Wrong") — Risk Description | Control Ref Number | Control That Addresses Risk of Material Misstatement — Control Name

Sr. No.: 1
Attribute: Risk Assessment
Activity Description: IT Policy
Risk Description: Intended IT related processes not followed due to absence of defined comprehensive IT policy document
Control Ref Number: ITGC 01
Control Name: A defined comprehensive IT policy document to provide various guidelines to work in the IT environment, is in place

Sr. No.: 2
Attribute: Control Environment
Activity Description: Access Rights
Risk Description: Editable access of Financial System (Accounting Software) provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.)
Control Ref Number: ITGC 02
Control Name: View-only access of Accounting Software provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) who are not required to modify the financial transactions

Sr. No.: 3
Attribute: Control Environment
Activity Description: Closing of Accounting period/year in the Accounting Software
Risk Description: Erroneous/intentional posting of Accounting entry in the earlier closed period/year
Control Ref Number: ITGC 02
Control Name: Closing of previous period/year to restrict back-dating of transactions

Sr. No.: 4
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name:
  1. For CMS System - all new users are given pre-expired password and the system prompts the user to set new password at the time of first login
  2. For Tally - all new users are given pre-expired password and the system prompts the user to set new password at the time of first login

Sr. No.: 5
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 02
Control Name:
  1. For CMS - Users access rights are granted by IT only upon specific approval by the concerned functional head
  2. For Tally - Users access rights are granted by IT only upon specific approval by the concerned functional head

Sr. No.: 6
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name: System prompts the user to change the password after the expiration of 30 days.

Sr. No.: 7
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name: Password must contain at least 7 characters, alpha numeric (alphabets, numbers and special characters).

Sr. No.: 8
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name: If the password is wrongly entered continuously for 5 times within 30 minutes, the respective login id gets locked.

Sr. No.: 9
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name: If a user is not accessing the system for more than specified time, the system gets automatically locked.

Sr. No.: 10
Attribute: Control Environment
Activity Description: Identifies and analyses significant changes that could impact internal controls
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 10
Control Name: There exists a periodic review of the user profiles for systems access, to confirm appropriateness.

Sr. No.: 11
Attribute: Information & Communication
Activity Description: Selects and develops general controls over technology
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name: Requests for creation of new user ids are received by the IT Executive on standardized form, duly signed by the respective HOD.

Sr. No.: 12
Attribute: Information & Communication
Activity Description: Selects and develops control activities to mitigate risks
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 03
Control Name:
  1. User termination, resignation is informed to IT Executive through email by HR.
  2. User account is disabled immediately after receiving an email request. Before processing this request, IT archives the mail box of the user.
  3. Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system.

Sr. No.: 13
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Absence of regular back-up which may lead to loss of crucial data
Control Ref Number: ITGC 04
Control Name:
  1. Regular back-up strategy defined for server and auto-back up is taken at defined frequency.
  2. Retrieval is tested at reasonable frequency

Sr. No.: 14
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Absence of regular back-up which may lead to loss of crucial data
Control Ref Number: ITGC 04
Control Name: Off-site storage of back-up to tackle any unforeseen event at the office premises.

Sr. No.: 15
Attribute: Control Environment
Activity Description: Identifies risks to the achievement of objectives and analyses risks to manage them
Risk Description: Servers and end users PCs are infected with virus
Control Ref Number: ITGC 05
Control Name:
  1. Desktops: All the user desktops are installed with anti virus scanner, which scans the new files on an ongoing basis
  2. Servers: All servers are installed with anti virus scanner.
  3. Gateway: Mail server is managed and all the Emails are scanned by threat management gateway.
  4. The anti virus gets automatically updated with the latest version through process of auto updates

Sr. No.: 16
Attribute: Control Environment
Activity Description: Assesses fraud risk to the achievement of objectives
Risk Description: Unauthorized access to the IT systems, applications and data by external parties
Control Ref Number: ITGC 05
Control Name:
  1. Firewalls have been installed.
  2. The logs are regularly reviewed by IT Executive

Sr. No.: 17
Attribute: Control Environment
Activity Description: Selects and develops control activities to mitigate risks
Risk Description: Unauthorized access to IT systems, applications and data results in errors in financial reporting
Control Ref Number: ITGC 06
Control Name: Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel.

Sr. No.: 18
Attribute: Control Environment
Activity Description: Selects and develops control activities to mitigate risks
Risk Description: Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting.
Control Ref Number: ITGC 06
Control Name: Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with Finance Manager and after approval of BOD

Sr. No.: 19
Attribute: Control Environment
Activity Description: Identifies and analyses significant changes that could impact internal controls
Risk Description: Errors in changes made to key applications relevant to financial reporting.
Control Ref Number: ITGC 06
Control Name: Specific changes are made to key applications relevant to financial reporting only after sign off from the relevant stakeholders

Sr. No.: 20
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Problems and incidents are not effectively managed.
Control Ref Number: ITGC 09
Control Name: An in-house IT personnel resolves issues faced by users as required

Sr. No.: 21
Attribute: Control Environment
Activity Description: Selects and develops general controls over technology
Risk Description: Intentional sharing of crucial and confidential data of the company by staff to outsiders (e.g. competitors)
Control Ref Number: ITGC 07
Control Name:
  1. Deactivation of external storage devices on company PCs.
  2. Restricting access to all public sites and domain

Note:
The above work-sheet can be enhanced with columns such as department, details with respect to controls (whether key or non-key, whether control exists – yes or no, type of control – manual or automated, nature of control – preventive, detective or both preventive and detective, control frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and when), document/evidence, deficiencies, remedial plan, reference to document and remarks.
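
Added example (not part of the specimen): the ITGC 02 and ITGC 03 rows above state parameters that can be tested directly, namely 7-character passwords, 30-day expiry, lock after 5 consecutive failures within 30 minutes, disabling on HR exit notice, and approval before access. The Python below runs those tests over a user export and an authentication log; the field names, accounts and log lines are constructed, and reading the password rule as "a letter, a digit and a special character" is an assumption.

```python
from collections import deque
from datetime import datetime, timedelta

MIN_LENGTH = 7                          # ITGC 03: at least 7 characters
MAX_PASSWORD_AGE = timedelta(days=30)   # ITGC 03: change after 30 days
LOCKOUT_FAILURES = 5                    # ITGC 03: 5 wrong entries in a row ...
LOCKOUT_WINDOW = timedelta(minutes=30)  # ... within 30 minutes


def password_meets_policy(password):
    """Assumed reading of the rule: 7+ chars with a letter, a digit and a special char."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def lockout_due(events):
    """Return the time of the 5th consecutive failure inside 30 minutes, else None.

    events: (timestamp, "FAIL" | "OK") tuples for one login id.
    """
    run = deque()
    for ts, outcome in sorted(events):
        if outcome == "OK":
            run.clear()                 # a success breaks the consecutive run
            continue
        run.append(ts)
        while ts - run[0] > LOCKOUT_WINDOW:
            run.popleft()               # drop failures older than the window
        if len(run) >= LOCKOUT_FAILURES:
            return ts
    return None


def audit_accounts(accounts, auth_log, as_of):
    """Return (user_id, control_ref, issue) exceptions for the auditor's working paper."""
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        if acct["hr_status"] == "terminated" and acct["enabled"]:
            findings.append((uid, "ITGC 03", "account still enabled after HR exit notice"))
        if not acct["enabled"]:
            continue
        if not acct["approval_ref"]:
            findings.append((uid, "ITGC 02", "no functional-head approval on file"))
        if as_of - acct["password_set"] > MAX_PASSWORD_AGE:
            findings.append((uid, "ITGC 03", "password older than 30 days"))
        events = [(ts, outcome) for ts, user, outcome in auth_log if user == uid]
        due = lockout_due(events)
        if due and acct["locked_at"] is None:
            findings.append((uid, "ITGC 03",
                             f"lockout threshold reached at {due:%Y-%m-%d %H:%M} but id not locked"))
    return findings


# Constructed sample data (hypothetical users, approval numbers and timestamps).
AS_OF = datetime(2016, 3, 31, 18, 0)


def _acct(uid, status, enabled, approval, pw_set):
    return {"user_id": uid, "hr_status": status, "enabled": enabled,
            "approval_ref": approval, "password_set": pw_set, "locked_at": None}


ACCOUNTS = [
    _acct("asha", "active", True, "UAF-0012", datetime(2016, 3, 15)),
    _acct("ravi", "active", True, "UAF-0019", datetime(2016, 2, 10)),
    _acct("meena", "terminated", True, "UAF-0007", datetime(2016, 3, 20)),
    _acct("consultant1", "active", True, "", datetime(2016, 3, 25)),
    _acct("vikram", "terminated", False, "UAF-0003", datetime(2016, 1, 5)),
]

_d = datetime(2016, 3, 30)
AUTH_LOG = (
    # asha: four failures, then a success, then one more failure -> no lockout due
    [(_d.replace(hour=10, minute=m), "asha", "FAIL") for m in range(4)]
    + [(_d.replace(hour=10, minute=4), "asha", "OK"),
       (_d.replace(hour=10, minute=5), "asha", "FAIL")]
    # consultant1: five failures in a row within 12 minutes -> lockout due at 09:12
    + [(_d.replace(hour=9, minute=m), "consultant1", "FAIL") for m in (0, 3, 6, 9, 12)]
)

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, AUTH_LOG, AS_OF):
        print(*finding, sep=" | ")
```

Each tuple returned maps to one exception line against the control reference in the matrix, which fits the "deficiencies" column the note above suggests adding.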

4.3 Specimen - Financial Statement Closure Policy and sample checklists (refer paragraph 2.7.3)

ABC Pvt. Ltd.

Financial Statements Closure Policy (FSCP)

1. OBJECTIVES:

This policy is prepared to achieve the following broad objectives:

• Provide guidance for the financial closure process leading to preparation of financial statements.
• Ensure adherence to applicable laws, regulations and disclosure requirements relevant to the financial reporting.
• Ensure completion of the financial closure efficiently and in a timely manner.
• Ensure adherence to the approval matrix laid out for the closure process.
• Retain and protect related documents, evidences and approval trails.

2. SCOPE:

This policy covers the following:


• Financial reporting framework applicable to the entity.
• IT application (system), if any, used for financial closure
• Checklist to be used to ensure completeness of financial statements
• Approval matrix related to financial closure activities.
• Document Management Policy, including retention policy for documents related to financial closure.

3. STAGES OF FINANCIAL CLOSURE:

1. Financial Reporting Framework
Review Responsibility: Senior Person of A & F Dept
Approval/Authorization: CFO or equivalent position
Suggested Timeline: By end December/January
• The financial closure process shall be carried out in adherence to the following
  - The Companies Act, 2013 and allied Rules
  - Applicable accounting standards
  - Pronouncements of the ICAI applicable to preparation of financial statements and financial reporting
• Adequate care shall be taken to incorporate the effects of modifications to existing regulations and pronouncements.
• Any new pronouncements impacting the financial accounting, closure process or reporting requirements will be reviewed internally, approved as per Authority matrix and incorporated in the appropriate checklist, SOP or templates.
• Knowledge update provided by the statutory auditors or other accounting/law firms from time to time may be reviewed and where appropriate, to be considered for updating respective checklist.
• The CFO is required to hold a formal meeting with the statutory auditors to confirm that all additional reporting requirements for the financial year have been duly identified by the company – if there has been a miss out, the same may be incorporated after review.

2. System Environment
Review Responsibility: Senior Person of A & F Dept.
Approval/Authorization: CFO or equivalent position
Suggested Timeline: By end December/January
• List all the systems from which data will flow into financial statements either directly or indirectly.
• Proposed changes/ enhancements to the IT applications which have a bearing on the financial closure process or the financial statements need to be pre-approved by the Finance Department as per authority matrix.
• For any changes in the financial reporting requirements, Finance Department to review if the required information is available from the IT system and if not, initiate a request for configuring the IT system to ensure the availability of the requisite information.

3. Pre-planning for Closure & Closure Activity for Operational Areas
Review Responsibility: As per Checklist
Approval/Authorization: As per Checklist
Suggested Timeline: For Pre-planning by end December/January and For Closure at year end date and subsequent month
Activity wise pre-planning checklist to be prepared as per Company’s defined SOPs, Policies and Business Requirements. A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – I.

4. Process for Preparation of Financial Statements
Review Responsibility: As per Checklist
Approval/Authorization: As per Checklist
Suggested Timeline: As per defined timeline by the management for finalizing audited Financials
A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – II.

5. Process for Disclosure requirements
Review Responsibility: As per Checklist
Approval/Authorization: As per Checklist
Suggested Timeline: As per defined timeline by management for finalizing audited Financials
A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – III.

6. Approval Matrix for closure process
Review Responsibility: Senior Person of A & F Dept.
Approval/Authorization: CFO or equivalent position
Suggested Timeline: Approval Matrix to be defined as part of SOP of A& F dept. or at the beginning of the year
The closure process will follow the approval matrix defined as per the SOP of Accounts & Finance department. If it is not defined then define the same for maker-checker control at various stages and documentation trail

7. Retention of Documents
Review Responsibility: Senior Person of A & F Dept.
Approval/Authorization: CFO or equivalent position
Suggested Timeline: N.A.
• All documents related to the financial closure process shall be retained in a safe manner.
• Clear naming protocols will be followed to ensure version control on financial statement drafts.
• Soft copies of the financial statements need to be stored in a folder, access rights to which have been approved by the Chief Financial Officer.
• Documents to be retained at least until the time required to comply with related regulations.

8. Post Closure Process
Review Responsibility: Senior Person of A & F Dept.
Approval/Authorization: CFO or equivalent position
Suggested Timeline: Within 15 days of completion of Annual Accounts closure
• Take printout of Final Trial balance.
• Keep printed copies of audited Financial Statements.
• Close the books of account for the Financial Year.
• Block the IT system for amendment in that financial year.
• Review opening balance in the subsequent period with audited financial statement.

Annexure – I
ABC Pvt. Ltd.
Sample and Specimen Checklist for Activity wise Pre-planning & Closure

Columns: #, Area, Process, Process Owner, Reviewer, Proposed Start Date, Proposed End Date, Status

1. Cash
• Circular to be sent to various branches to send cash expenses statement with closing balance as on Year end
• Co-ordination with the statutory auditors if they want to conduct year end physical verification of cash
• Conduct physical verification on the last working day of the Financial year
• Document the Physical verification papers with sign of maker and checker

2. Bank
• Bank Reconciliation statements to be called from all branches for all bank accounts
• BRS to be prepared for all the HO Accounts as per the BRS process defined by the company
• Un-reconciled items in BRS to be investigated and necessary adjustments to be carried out with proper approvals
• Cheques pending to be deposited to be presented to bank for clearance
• Online transfers from customers, kept in suspense / unexplained accounts, to be knocked off from customer balances
• Print out of Final Copies of BRS to be taken and signed by the maker and checker
• Balance confirmations to be called from banks to assert bank balances

3. Inventory
• Circular to be sent to branches to inform them to carry year end stock verifications
• Factory / Warehouse / Operations of any other inventory holding location to be suspended during the period of verification, if required
• Necessary co-ordinations to be made with Internal / Statutory auditors in case they are to attend inventory verification
• Year-end transactions for sales and purchases to be meticulously recorded keeping in mind cut off procedures affecting inventory position
• Plan for Inventory verification to be decided basis certain methods suitable for Company's inventory such as:
  1. ABC analysis
  2. Analysis based on fast / slow moving items
  3. Critical and non-critical items
  4. Form of inventory i.e. size, weight, state of matter etc.
• Confirmations to be called from third party holding company's inventory (on consignment basis, for job work purposes etc.)
• Value of inventory as per books to be compared with actual value
• Adjustments, if required, to be made to inventory value with proper approvals

4. Fixed Assets / Capitalization
• FA register to be updated, finalized
• FA register to be compared with books of account
• Scrutinize the major repairs account to find out if any item of capital nature has been debited
• Capitalisation of expenses to the point of installations such as transportation, octroi, testing charges, training for operation of FA
• Review CWIP Account to review completion stage and capitalization if required
• Physical verification of Fixed Assets with proper internal controls such as verification by independent verifier, maker checker control on verification process, reporting of discrepancy, if any and appropriate accounting of the same
• Review of sale / scrap of assets, profits / loss on disposal of Assets
• Depreciation workings based on applicable accounting standards

5. Investment
• Accounting of accrued income based on year end investment
• Accounting of gains / losses on sale of investments
• Validation of investment balance with counter party statements
• Physical verification of investment instruments to ensure ownership of the same
• Revaluation of investments as per applicable accounting standards

6. Income Booking
• Circular to be sent to various branches / depots from where sales are effected to send information / data for dispatches made till cut-off date
• Ensure invoice booking for materials where ownership has been transferred to customers
• Ensure invoice booking / billing for services where provision of service is completed as per defined terms and conditions
• Accounting of pending Debit and credit notes (rejections / sales returns / disputed provision of services)

7. Expense Booking
• Circular to be sent to various branches / depots calling for all relevant details of expenses incurred within defined timeline after year end
• Advances paid for expenses to employees to be settled against reimbursable expenses
• Provision of expenses based on nature of expense i.e. time based or otherwise backed by actual supporting documents to be accounted
• Provision of expenses basis estimation - Company policy for estimation to be reviewed and adhered
• Review accounting of prepaid expenses
• Review provisions / prepaid expenses of previous periods / years for its existence and continuity

8. Debtors / Receivables
• Debtors balances to be knocked off against money received but accounted in suspense / unexplained accounts
• Initiate communication for debtors confirmation
• Prepare reconciliation of differences in debtors balances and post adjustments with appropriate approvals
• Scrutinize debtors accounts and follow up with the sales/ marketing team for status of long standing debtors
• Provide for doubtful debts / disputed debtors in consultation with marketing / legal dept. / Management

9. Creditors / Payables
• Initiate communication for creditors confirmation
• Prepare reconciliation of differences in creditors balances and post adjustments with appropriate approvals
• Scrutinize advance to creditors accounts and follow up with the procurement team for status of long standing advances
• Write back creditors balances which are not payable in consultation with procurement / legal dept. / Management

10. Related Party Reconciliation
• Obtaining account confirmation from all the related parties
• Prepare reconciliation of differences in balances and post adjustments with appropriate approvals

Annexure – II
ABC Pvt. Ltd.
Sample and Specimen Checklist for Preparation of Financial Statements

Columns: #, Area, Process, Process Owner, Reviewer, Proposed Start Date, Proposed End Date, Status

1. Opening balances validation
• Validation of opening balances at the time of audit of subsequent year with closing balances of previous year

2. General Ledger Scrutiny
• Allocate responsibility within the accounts team to scrutinize specific accounts
• All accounts with non-moving balances, intermediary accounts, suspense accounts to be scrutinized thoroughly to ensure genuineness of transactions recorded in these accounts
• Based on this scrutiny pass appropriate entries with approval of senior personnel in the accounts team ideally the CFO

3. Review of accounts related to statutory compliance
• Allocate responsibility within the accounts team to scrutinize specific accounts
• Reconcile company's data with the data available on the website of respective regulator (such as 26 AS reconciliation)
• Review all the assessment orders, refund / demand orders issued by various regulatory authorities during the year
• Compare all statutory returns filed with the books of account
• Record all the necessary entries required based on above scrutiny

4. Independent Review
• Get independent review done by professional retainer, if any, engaged by the company

5. IT Systems blocking
• Blocking of various IT Systems for data entry of transactions posting by respective employees for basic transaction posting such as cash, bank, petty cash, purchase, sales etc.
• Rights to pass entries to be granted to only few personnel in the accounts department

6. Provision for Gratuity & Employee benefits
• Provide necessary data/ information after validation to the appointed actuary
• Actuarial valuation report to be referred for estimations provided by the auditee.
• Workings for provisions to be computed and validated by senior personnel
• Provisions for employee benefit to be recorded with appropriate approvals

7. Inventory Valuation
• Inventory verification reports to be referred to ascertain inventory figures
• Inventory as ascertained to be valued adopting suitable methodology and adhering to applicable accounting standards and company policy
• Necessary adjustment entries to reflect appropriate value of inventory to be recorded with due approvals

8. Revaluation of Assets & Liabilities in Foreign Currency
• Ascertain the balances of foreign assets and liabilities
• Depending on the class of asset / liability and guidelines laid down in applicable accounting standards, appropriate foreign exchange rate to be selected
• The selected rate(s) to be validated by senior authority and applied to closing balance of such class(es) of assets / liability
• Appropriate effect of revaluation to be recorded in books of account

9. Year-end adjustment of Exchange rate difference for trade payables and receivables
• Refer to closing balance of debtors/ creditors
• Revalue debtors and creditors basis closing exchange rate

10. Income Tax working
• Based on profits / losses as computed prepare Income Tax working
• Co-ordinate with tax consultant for validation of the same
• Incorporate changes suggested by consultant
• Record necessary provision for income tax

11. Deferred Tax Assets/Liabilities working
• Prepare working for deferred tax assets / liabilities
• Co-ordinate with tax consultant and Statutory Auditors for validation of the same
• Incorporate changes suggested by consultant
• Record necessary entries for deferred tax assets / liabilities

12. Preparation of Financial Statements as per prescribed formats
• Extract trial balance from accounting system
• Save the same with date and time in soft
• Prepare appropriate groupings
• Validate all the excel formulas and linkages if financials are prepared in excel
• As per prescribed format classify respective assets and liabilities as current, non-current, short term, long term
• Take print out of financials prepared and revalidate again with base trial balance for accuracy
• Provide audit trail of revalidation on hard copy of financials

13. Co-ordination with statutory auditors and get the audit done
• Arrange for Stat audit, prepare information as per their prescribed format
• During Stat audit liaison with their team for smooth conduct of audit
• Formal meetings for discussion of queries / clarifications
• Passing of rectification JVs, if required in system

14. Prepare revised Financial Statements
• Repeat process given in step 12
• Maintain version control and modification trail

15. Grouping and regrouping of previous year’s figures
• Detailed review of previous years grouping with current grouping and make necessary changes in the grouping of previous year

16. Freeze the numbers after review of Statutory Auditors
• Get the revised financials validated from Statutory Auditors

17. Present the Provisional Financial statements to Management/Audit committee
• To facilitate management to take certain decisions about managerial remuneration, proposed dividend

18. Calculate Managerial remuneration if it is on % basis of profit/surplus
• Prepare workings for managerial remuneration as per applicable rules and regulations and company policy

19. Prepare Proposed dividend working
• Proposed dividend working to be prepared based on the dividend proposed by Board of Directors
• Workings to be validated by senior personnel
• Entries to record proposed dividend to be passed in books of account

20. Make necessary changes in the Financial Statements
• Necessary changes to be validated by Statutory Auditors

Annexure – III
ABC Pvt. Ltd.
Sample and Specimen Checklist for Disclosure & Notes to Accounts

Columns: #, Area, Process, Process Owner, Reviewer, Proposed Start Date, Proposed End Date, Status

1. Review of Notes to Accounts of Previous year and evaluate it for necessary changes
• Take notes to account of previous year as a base
• If there are any changes in the accounting policies adopted by the company during the year incorporate the same in notes to account
• If there are any regulatory changes which require change in company policy incorporate the same in Notes to account

2. Prepare Disclosures
• As per disclosure checklist provided by Stat auditors prepare disclosures
• Validate all the numbers given in the disclosures with the financial statements
• Also ensure disclosure for contingent liability after consultation with various operational dept. HODs and HOD of legal dept.

3. Get it reviewed by Statutory Auditors
• Notes to accounts and disclosures to be sent to Statutory Auditors for review and validation

4. Revise Notes to Accounts & Disclosures after review by Statutory auditors
• As per suggestion by Statutory Auditors revise notes to accounts and disclosures

5. Review entire set of Financial statements & disclosures all together
• Take print out of entire set of Financial statements, notes to account and disclosures
• Revalidate again with base trial balance for accuracy
• Provide audit trail of revalidation on hard copy of financials

6. Arrange for Signatures
• Arrange for signature on the Financial Statements by the appropriate authority of the Company
• Arrange for signature on the Financial Statements by the Statutory Auditors

5. Glossary of abbreviations used:

Sr. No. Abbreviations Full Form
1. BoD Board of Directors
2. BCP/ DRP Business Continuity Plan/ Disaster Recovery Plan
3. CARO Companies (Auditor’s Report) Order
4. CD Compact Disc
5. CEO/CFO Chief Executive Officer / Chief Financial Officer
6. CSA Control Self-Assessment
7. DoA Delegation of Authority
8. ECG Electrocardiogram
9. ELC Entity Level Controls
10. FSCP Financial Statement Closure Policy
11. GRN Goods Received Note
12. ICAI Institute of Chartered Accountants of India
13. ICFR Internal Controls over Financial Reporting
14. IFC Internal Financial Controls
15. ISO International Organization for Standardization
16. IT Information Technology
17. ITGC Information Technology General Controls
18. KYC Know Your Customer
19. MIS Management Information Systems
20. PCAOB Public Company Accounting Oversight Board
21. PLC Process Level Controls
22. PO Purchase Order
23. RCM Risk Control Matrix
24. RoMM Risk of Material Misstatements
25. SA Standard on Auditing
26. SME Small and Medium-sized Enterprises
27. SOP Standard Operating Procedures

6. Useful links and recommended reading:

1. Guidance Note on Audit of Internal Financial Control Over Financial Reporting by the Institute of Chartered Accountants of India
http://icai.org/new_post.html?post_id=11919&c_id=219

2. A Layperson’s Guide to Internal Control Over Financial Reporting by the Public Company Accounting Oversight Board
https://pcaobus.org/News/Speech/Pages/03312006_GillanCouncilInstitutionalInvestors.aspx

3. BCAJ May 2016 issue – From Published Accounts
http://bcajonline.org/artcile.aspx?Id=16405&Cid=52
