Entity Level Controls Drafts and Formats

The document provides a specimen list of entity level controls for internal financial controls for ABC Private Limited for the year ending 31st March 2016. It includes 22 control groups related to roles of the board of directors, formal policies and procedures, risk management, recruitment, training, access rights, reviews, and compliance. The list then provides 4 examples of controls mapped to attributes, principles, processes, risks, reference numbers, and control descriptions with proposed audit steps to evaluate the controls.

Uploaded by Gaurav Ramrakhya

SECTION 4
MAKING IT EASY – READY-TO-USE DRAFTS AND FORMATS

4.1 Entity Level Controls – Specimen (refer paragraph 2.5.5)
ABC Private Limited
ICFR for the year ending 31st March, 2016
Entity Level Controls (ELC)
LIST OF CONTROL GROUPS
Control Ref Control Group
C01 Roles and responsibilities of Board of Directors
C02 Formal SOPs for various crucial processes
C03 Admin Manual covers various policies
C04 Risk Management policy
C05 Background Verification process in place
C06 Manpower planning and recruitment policy/process to ensure right crew for the right job
C07 Board Review of business plans, budgets, budget vs. actual, periodic performance and Internal Audit reports
C08 Monthly MIS reporting
C09 Staff hired through a management approved placement agency
C10 Promotions based on well-defined Performance Evaluation system
C11 Talent growth through need-based and compliance related training
C12 Attrition management

| Section 4 : Making it easy – Ready-to-use drafts and formats |

C13 Independent Review and periodic updates by External Professional Consultant
C14 Access rights restrictions
C15 Independent Review by Internal Auditor
C16 Validation controls - confirmation, verifications of assets/bank balances, valuations
C17 Compliance framework, tracker and reporting - controls on compliances and regulatory reporting
C18 Sexual Harassment Policy
C19 Appointment letter covers ethical standards and other required terms and conditions which is signed-off by employees at the time of joining
C20 Board/Management Approval
C21 Formal roll out of ICFR policy and testing
C22 Data Back-up strategy
C23 Defined BCP/DRP process
C24 Periodic department reviews
C25 Defined Financial Closure Policy
C26 Compliance with related-party transactions and disclosures
C27 Periodic updation and communication of ISO manual
C28 Formal KRA definition and communication of the same
C29 Information and Communication

ABC Private Limited
ICFR for the year ending 31st March, 2016

Entity Level Controls (ELC)

Columns: Sr No | Attribute | Principle | Process Activity | Risk | Control Ref No. | Control Description | Audit Step

Sr No 1
Attribute: Control Environment
Principle: Management establishes structure, authority and responsibility in pursuit of objectives
Process Activity: Board Oversight
Risk: Board does not clearly define authority to be exercised at Board level and authority delegated to other Directors
Control Ref No.: C01
Control Description: Board powers are clearly defined
Audit Step:
  1. Confirm the documentation of Board powers and delegation of authority done by the Board.
  2. Verify Board minutes and meeting frequency. Verify attendance records to ensure participation and insights.

Sr No 2
Attribute: Control Environment
Principle: Board of Directors exercises oversight of the development and performance of internal controls
Process Activity: Board Oversight
Risk: Board does not acknowledge its responsibility towards establishing and performance of internal controls. Board does not formally delegate the responsibility for establishment of internal financial controls and for ensuring effective performance thereof.
Control Ref No.: C02
Control Description:
  1. Board minutes include a statement acknowledging its responsibility for ICFR.
  2. Board provides broad guidelines for internal controls and records formal delegation of authority for establishment of controls.
Audit Step:
  1. Verify that formal guidelines have been provided by the Board.
  2. Verify that specific responsibility has been allocated for establishing internal financial controls.

| ICFR – A Handbook for Private Companies and their Auditors |

Sr No 3
Attribute: Control Environment
Principle: Board of Directors exercises oversight of the development and performance of internal controls
Process Activity: Board Oversight
Risk: Board does not have a mechanism to review ICFR adequacy and performance
Control Ref No.: C07, C08
Control Description: Board of Directors review the performance of the company and adequacy of internal controls through regular interactions with the Finance Manager. Budgets are established on a yearly basis. Monthly reporting is done by the Finance Manager to the Group CFO, who in turn reports to the BOD.
Audit Step:
  1. Verify Board meeting minutes where adequacy and effectiveness of internal controls have been reviewed.
  2. Confirm that there are regular interactions between Board members and the Finance Manager through the CFO, and other key management personnel, to assess quality of controls and review business performance.
  3. Review budget variances and exceptional items to assess internal control gaps, if any.

Sr No 4
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process Activity: Board Oversight
Risk: Board of Directors does not set the right tone at the top to encourage ethics and integrity.
Control Ref No.: C03
Control Description: Policies are framed by the Board w.r.t. ethical conduct, anti-bribery and corruption, and anti-fraud.
Audit Step:
  1. Verify minutes of Board meetings and the Admin Manual/directions issued by the Board of Directors from time to time.
  2. Review the Appointment letter of an employee.

Sr No 5
Attribute: Control Environment
Principle: Holds individuals accountable for their internal control responsibilities
Process Activity: Board Oversight
Risk: Board of Directors does not set the right tone at the top to encourage institution of controls and systems and ensure accountability for lapse of controls
Control Ref No.: C02
Control Description: Directions are given by the Board to encourage process-driven conduct, automation and effective monitoring across the organization.
Audit Step: Verify minutes of Board meetings and policies/directions issued by the Board of Directors from time to time.

Sr No 6
Attribute: Control Environment
Principle: Management establishes structure, authority and responsibility in pursuit of objectives
Process Activity: Delegation of Authority
Risk: Ambiguity in delegation of financial powers reduces the control over financial transactions and increases the risk of financial losses
Control Ref No.: C01
Control Description:
  1. Financial powers in terms of signing/effecting banking transactions are with the Director.
  2. Also, all the major contracts, agreements and Purchase Orders are signed/approved by the Directors.
  3. All the major decisions are closely reviewed by the respective HODs at Group level before approval by the Director.
Audit Step: Confirm that authorization/approvals of Directors are in place; review the Board resolution defining powers of the Director.

Sr No 7
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process Activity: Ethics & Integrity
Risk: Flawed performance incentive/compensation policy not in line with ethical tone and standards may increase the risk of compromise/non-compliance to ethical standards of conduct
Control Ref No.: C03, C19
Control Description:
  1. Admin Manual gives a reference to ethical standards expected from employees.
  2. Appointment Letter includes relevant clauses.
Audit Step:
  1. Verify Admin Manual to ensure all updations are included.
  2. Verify Appointment Letter of employee.

Sr No 8
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process Activity: Ethics & Integrity
Risk: If management does not take timely and appropriate disciplinary action, it would encourage non-adherence to established policies and procedures
Control Ref No.: C03
Control Description: Management takes disciplinary action for violations/non-adherence in a timely and appropriate manner.
Audit Step:
  1. Verify the mechanism for recording non-adherences/violations.
  2. Verify the evidence of action being taken.

Sr No 9
Attribute: Control Environment
Principle: Demonstrates commitment to integrity and ethical values
Process Activity: Ethics & Integrity
Risk: Applicant screening procedures do not adequately consider integrity and ethical values
Control Ref No.: C05, C09
Control Description:
  1. Adequate background verification is done for employees (Police Clearance, Experience letter, etc.).
  2. Majority of office staff is hired through a placement agency which is selected by the management to ensure the right person for the right job.
  3. Declarations are obtained from employees for non-disclosure and code of conduct adherence as a part of joining formalities.
Audit Step: (none given in the specimen)

Sr No 10
Attribute: Control Environment
Principle: Demonstrates commitment to attract, retain and develop competent individuals
Process Activity: Recruitment & Selection
Risk: Lack of adequate talent or mismatches in requirements and skill sets may severely impact achievement of objectives
Control Ref No.: C05, C06, C09
Control Description:
  1. A rigorous recruitment and selection process is adopted to ensure selection of the right employees for the right job.
  2. Majority of office staff is hired through a placement agency which is selected by the management.
Audit Step:
  1. Confirm the no. of exits and the principal underlying reason/s.
  2. Confirm that key positions are not left vacant for a long time.

Sr No 11
Attribute: Control Environment
Principle: Demonstrates commitment to attract, retain and develop competent individuals
Process Activity: Incentive
Risk: In absence of a proper work environment the company may have to deal with high attrition levels
Control Ref No.: C10, C12
Control Description:
  1. Promotions are based on a well-defined Performance Evaluation system.
  2. Management ensures a very low attrition rate.
Audit Step:
  1. Review the appraisal process for appropriateness and confirm that there is due process for redressal of appraisal related grievances.
  2. Review attrition rate and related analysis.

Sr No 12
Attribute: Control Environment
Principle: Board of Directors exercises oversight of the development and performance of internal controls
Process Activity: Internal Audit
Risk: A robust system of monitoring through periodic internal audits or control Self Assessments has not been established
Control Ref No.: C07, C15
Control Description:
  1. Internal audits are done quarterly as per a pre-defined scope which is approved by the management.
  2. Board meetings discuss internal audit reports - key findings.
Audit Step:
  1. Verify Internal audit scope and reports.
  2. Review Board Minutes.

Sr No 13
Attribute: Control Environment
Principle: Demonstrates commitment to attract, retain and develop competent individuals
Process Activity: Training
Risk: Inadequate attention to training may result in skill dilution, lack of awareness about policies and regulatory requirements and inability to discharge assigned responsibilities.
Control Ref No.: C11
Control Description:
  1. Training for regulatory and process changes is imparted on a timely basis as per either the client's requirement or regulatory requirement.
  2. Training is identified and imparted as needed.
Audit Step: Verify training process.
Sr No 14
Attribute: Risk Assessment
Principle: Specifies objectives with clarity to identify and assess the risks
Process Activity: Risk Management Framework
Risk: Absence of enterprise-wide risk assessment and absence of documented risk management policy
Control Ref No.: C04
Control Description: Formal risk management policy is presented to the Board and approved by the Board of Directors.
Audit Step: Review the risk management policy adopted by the Company.

Sr No 15
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process Activity: Business Continuity Plan, Disaster Recovery Plan
Risk: Absence of BCP/DRP may lead to business interruptions and may jeopardize business continuity
Control Ref No.: C22, C23
Control Description:
  1. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are in place.
  2. Data recovery plan is established and operational.
Audit Step:
  1. Review the BCP and DRP.
  2. Review the data recovery plan.

Sr No 16
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process Activity: Financial reporting
Risk: Regulatory changes impacting business, financial conduct or reporting requirements are not understood, analyzed or internalized.
Control Ref No.: C17
Control Description:
  1. Regulatory changes are understood and assessed for their impact on business.
  2. Compliance tracker is filled in at defined frequency and updated periodically for amendments.
Audit Step: Verify formal assessment of key regulatory changes.

Sr No 17
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process Activity: Financial reporting
Risk: Improper channels to communicate the changes in business practices to the accounting department may affect the method or the process of recording the transactions in financial statements
Control Ref No.: C24
Control Description: Periodic departmental reviews are done wherein the Finance team is also present; the review covers discussions on changes in business practices affecting financial statements.
Audit Step: Review modification in processes, if any, by the accounts team.

Sr No 18
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process Activity: Financial reporting
Risk: Risk of regulatory non-compliance and financial misstatements if suitable accounting principles, policies or rules are not followed
Control Ref No.: C13, C15, C25
Control Description:
  1. Management specifies financial reporting rules and standards which are consistent with accounting principles suitable and appropriate for the entity.
  2. Reviews by/consultations with the Statutory Auditors, as required by the regulation (annual review) or as considered necessary by the management, are done.
  3. Internal audit coverage extends to compliance review and financial reporting review.
Audit Step:
  1. Verify financial statements with adequate disclosures.
  2. Verify statutory auditor's report.
  3. Verify internal audit reports.

Sr No 19
Attribute: Risk Assessment
Principle: Identifies and analyzes significant changes that could impact internal controls
Process Activity: Financial reporting
Risk: Non-identification of changes in accounting principles or financial reporting requirements may lead to non-compliance, and the financial statements will not show true and fair figures or may not include disclosures as required.
Control Ref No.: C13, C25
Control Description:
  1. Defined and documented Financial Statement Closure Process is in place.
  2. Periodic updates are received from professional consultants.
Audit Step: Review financial statements and all other relevant information.

Sr No 20
Attribute: Risk Assessment
Principle: Identifies risks to the achievement of objectives and analyzes risks to manage them
Process Activity: Financial reporting
Risk: Absence of an appropriate mechanism of related party transactions identification can lead to regulatory non-compliance and/or financial misstatements
Control Ref No.: C20, C26
Control Description:
  1. Various compliances under different statutes in relation to transactions with related parties (transfer pricing related compliance and return filing) are verified.
  2. Board approval is taken for related party transactions.
Audit Step: Verify Board noting and approval of related party transactions.

Sr No 21
Attribute: Risk Assessment
Principle: Assesses fraud risk to the achievement of objectives
Process Activity: IT Security
Risk: Company infrastructure and IT systems being used for fraudulent activities, thereby affecting the reputation and increasing the legal risks attached
Control Ref No.: C14
Control Description:
  1. Access is restricted to users who are either employees or authorized personnel.
  2. Password and user id protected systems exist.
  3. Deactivation of external storage devices on company PCs has been done.
  4. Access to all public sites and domains is restricted.
Audit Step:
  1. Review list of user-ids with access rights.
  2. Verify protocol for access to systems and policy highlighting security of user ids and passwords.

Sr No 22
Attribute: Risk Assessment
Principle: Identifies risks to the achievement of objectives and analyzes risks to manage them
Process Activity: Training
Risk: Changes in the procedure manual of a particular department without the knowledge of its employees leads to dilution of the impact of the changes implemented
Control Ref No.: C27
Control Description: Periodic review of the process manual is done and updates are communicated to all employees concerned.
Audit Step:
  1. Verify that the manuals are periodically reviewed.
  2. Verify evidence of communication of changes to employees.

Sr No 23
Attribute: Control Activities
Principle: Selects and develops control activities to mitigate risks
Process Activity: Evaluation
Risk: Risk of recurrence of issues if not evaluated and policies/procedures not modified accordingly
Control Ref No.: C15
Control Description: Periodic internal audit is done by an external agency and changes are made on the basis of agreed actions.
Audit Step: Verify internal audit reports available, and record of resolution of agreed actions.

Sr No 24
Attribute: Control Activities
Principle: Selects and develops control activities to mitigate risks
Process Activity: Financial reporting
Risk: Risk of financial loss and/or financial misstatement in the absence of an established physical verification of assets mechanism
Control Ref No.: C16, C20
Control Description:
  1. Physical verification of fixed assets and cash is done.
  2. Third party and bank balance confirmation statements are taken.
  3. Board discusses findings of physical verification of assets/discrepancy resolution.
Audit Step:
  1. Verify fixed asset verification report and check for periodicity (CARO, 2015).
  2. Verify third party confirmations.
  3. Verify records showing full particulars - quantitative details and situation of fixed assets (CARO, 2015).
  4. Verify Board meeting minutes.

Sr No 25
Attribute: Control Activities
Principle: Deploys control activities through policies and procedures
Process Activity: Payments and reimbursements
Risk: Absence of policies will lead to reimbursement/allowance of non-agreed expenses to the employees or reimbursement of expenses over and above the set limit to the employees.
Control Ref No.: C03
Control Description: All financial policies relating to employees are in place along with defined levels of approval.
Audit Step: Verify remuneration structure for financial policies relating to employees.

Sr No 26
Attribute: Information & Communication
Principle: Communicates externally regarding matters affecting internal controls
Process Activity: External Communication
Risk: May result in reputational/financial/reporting risk due to erroneous communications to external parties/external reporting
Control Ref No.: C03
Control Description:
  1. Clear identification of persons authorized to communicate with external parties on relevant company matters.
  2. A formal social media policy is in place.
Audit Step: Verify the Admin Manual for communicating with external parties.

Sr No 27
Attribute: Information & Communication
Principle: Communicates externally regarding matters affecting internal controls
Process Activity: External Communication
Risk: In the absence of clear communicating channels for external parties, employee/management malpractices may not come to light and may pose a reputation risk with respect to third parties
Control Ref No.: C03, C18
Control Description: There are properly identified communication channels (email ids) for third parties under the grievance mechanism and sexual harassment policy.
Audit Step: Review grievance mechanism and sexual harassment policy.

Sr No 28
Attribute: Information & Communication
Principle: Communicates internally information including objectives and responsibilities of internal control
Process Activity: Internal Communication
Risk: Absence of clear communication on performance measures may lead to ambiguities and increase in attrition levels
Control Ref No.: C28
Control Description: Clear communication of the Key Result Areas in the evaluation process.
Audit Step: Verify the communication for the KRAs.

Sr No 29
Attribute: Information & Communication
Principle: Communicates internally information including objectives and responsibilities of internal control
Process Activity: Management Oversight
Risk: Risk events, exceptional and unusual events remain unreported to the management and hence the risk management framework is not duly enhanced.
Control Ref No.: C07, C08, C29
Control Description:
  1. Formal communication process established for escalating disruption to operations, occurrence of risk events and any material exceptional event.
  2. Periodic MIS/dashboards, highlighting all exceptions.
  3. Board meetings and management review meetings discuss unusual events.
Audit Step:
  1. Verify periodic MIS on a sample basis.
  2. Verify management and Board meeting minutes.

Sr No 30
Attribute: Monitoring
Principle: Evaluates and communicates deficiencies, to enable corrective actions being taken
Process Activity: Financial reporting
Risk: Inadequate process for obtaining third party confirmations to validate financial figures and to detect financial frauds.
Control Ref No.: C16
Control Description:
  1. Third party confirmations obtained from banks, debtors and related parties.
  2. Web based review done to assess tax status, TDS status and regulatory compliance related numbers.
Audit Step: Verify confirmations obtained from counter parties and Government websites (such as Income Tax) for reconciling statutory figures and other balances.

Sr No 31
Attribute: Monitoring
Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
Process Activity: Financial reporting
Risk: Absence of review of the financials by management
Control Ref No.: C07, C08
Control Description: Monthly MIS consisting of financial statements and other operations and reconciliations prepared by the Finance Manager are reviewed and analyzed by the Group CFO.
Audit Step: Verify financial statements/reports, periodic MIS and reconciliations.

Sr No 32
Attribute: Monitoring
Principle: Evaluates and communicates deficiencies, to enable corrective actions being taken
Process Activity: Grievance and dispute resolution mechanism
Risk: Inappropriate grievance processes may lead to delay in detection of frauds, misreporting of financial figures, and need for provisioning due to disputes
Control Ref No.: C03
Control Description: Employee grievance policy (to resolve complaints and grievances) forms part of the Admin Manual.
Audit Step: Verify policy to resolve complaints and grievances, as stated in the Admin Manual.

Sr No 33
Attribute: Monitoring
Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
Process Activity: Management Oversight
Risk: Process gaps, errors and misstatements may not be identified by the management, which may also lead to fraud or non-compliance due to absence of a well-established risk and internal audit review system
Control Ref No.: C03, C07, C15
Control Description:
  1. Internal audit function reports to the Board of Directors and highlights deficiencies observed.
  2. Policies and processes are introduced and revised from time to time to plug identified gaps and control lapses.
Audit Step:
  1. Verify Internal Audit reports.
  2. Verify meeting minutes.
  3. Verify sample policies and process notes.

Sr No 34
Attribute: Monitoring
Principle: Conducts ongoing/separate evaluations to confirm that internal controls are functioning
Process Activity: Management Oversight
Risk: Absence of communication of deficiencies and monitoring of corrective action may lead to un-remediated deficiencies and resultant control gaps w.r.t. ICFR
Control Ref No.: C21
Control Description: Formal roll out of ICFR policy and testing process for control design and effectiveness.
Audit Step:
  1. Check ICFR framework and documented RCMs.
  2. Check the process adopted for testing control design and operational effectiveness.

Note:
The above work-sheet can be enhanced with columns such as department; details with respect to controls (whether key or non-key, whether control exists – yes or no, type of control – manual or automated, nature of control – preventive, detective or both preventive and detective, control frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and when); document/evidence; deficiencies; remedial plan; reference to document; and remarks.

4.2 IT General Controls – Specimen (refer paragraph 2.5.6)
ABC Private Limited
ICFR for the year ending 31st March, 2016
RCM - IT General Controls
LIST OF CONTROL GROUPS
Control Ref Control Group/Attribute
ITGC 01 Comprehensive IT Policy
ITGC 02 Access Rights Restrictions
ITGC 03 User account management - User id and password security
ITGC 04 Data management - back up and restoration of data and system
ITGC 05 Connectivity management - LAN, internet, firewall, anti-virus
ITGC 06 Sign-off of stakeholders/management for changes made to key applications relevant to financial reporting
ITGC 07 Restriction to share data
ITGC 08 Controls or authorization for acquisition / development of new system / migration / subsequent changes
ITGC 09 Incident handling – In-house IT Personnel
ITGC 10 Approval/periodic review of user access rights

ABC Private Limited
ICFR for the year ending 31st March, 2016
IT General Controls (ITGC)

Sr. Attribute Activity Description Identification of Risk of Material Misstatement Control Ref Control That Addresses Risk of Material
No. (“What Could Go Wrong”) Number Misstatement — Control Name
Risk Description
1 Risk IT Policy Intended IT related processes not followed due ITGC 01 A defined comprehensive IT policy document
Assessment to absence of defined comprehensive IT policy to provide various guidelines to work in the IT
document environment, is in place
2 Control Access Rights Editable access of Financial System (Accounting ITGC 02 View-only access of Accounting Software provided
Environment Software) provided to persons other than to persons other than Company employees (Internal
Company employees (Internal and Statutory and Statutory Auditors, Consultants, etc.) who are
Auditors, Consultants, etc.) not required to modify the financial transactions
3 Control Closing of Accounting Erroneous/intentional posting of Accounting ITGC 02 Closing of previous period/year to restrict back-
Environment period/year in the entry in the earlier closed period/year dating of transactions
Accounting Software
4 Control Selects and develops Unauthorized access to IT systems, applications ITGC 03 1. For CMS System - all new users are given pre-
Environment general controls over and data results in errors in financial reporting expired password and the system prompts the user
technology to set new password at the time of first login
2. For Tally - all new users are given pre-expired
password and the system prompts the user to set
new password at the time of first login
| Section 4 : Making it easy – Ready-to-use drafts and formats |

5 Control Selects and develops Unauthorized access to IT systems, applications ITGC 02 1. For CMS - Users access rights are granted by
Environment general controls over and data results in errors in financial reporting IT only upon specific approval by the concerned
technology functional head

| 79 |
Sr. Attribute Activity Description Identification of Risk of Material Misstatement Control Ref Control That Addresses Risk of Material
No. (“What Could Go Wrong”) Number Misstatement — Control Name

| 80 |
Risk Description
2. For Tally - Users access rights are granted by
IT only upon specific approval by the concerned
functional head
6 Control Selects and develops Unauthorized access to IT systems, applications ITGC 03 System prompts the user to change the password
Environment general controls over and data results in errors in financial reporting after the expiration of 30 days.
technology
7 Control Selects and develops Unauthorized access to IT systems, applications ITGC 03 Password must contain at least 7 characters,
Environment general controls over and data results in errors in financial reporting alpha numeric (alphabets, numbers and special
technology characters).
8 Control Selects and develops Unauthorized access to IT systems, applications ITGC 03 If the password is wrongly entered continuously
Environment general controls over and data results in errors in financial reporting for 5 times within 30 minutes, the respective login
technology id gets locked.
9 Control Selects and develops Unauthorized access to IT systems, applications ITGC 03 If a user is not accessing the system for more
Environment general controls over and data results in errors in financial reporting than specified time, the system gets automatically
technology locked.
10 Control Identifies and analyses Unauthorized access to IT systems, applications ITGC 10 There exists a periodic review of the user profiles
Environment significant changes that and data results in errors in financial reporting for systems access, to confirm appropriateness.
could impact internal
controls
11 Information & Selects and develops Unauthorized access to IT systems, applications ITGC 03 Requests for creation of new user ids are received
Communication general controls over and data results in errors in financial reporting by the IT Executive on standardized form, duly
| ICFR – A Handbook for Private Companies and their Auditors |

technology signed by the respective HOD.


Sr. No. | Attribute | Activity Description | Identification of Risk of Material Misstatement (“What Could Go Wrong”) – Risk Description | Control Ref Number | Control That Addresses Risk of Material Misstatement – Control Name
12 | Information & Communication | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | 1. User termination or resignation is informed to the IT Executive through email by HR. 2. The user account is disabled immediately after receiving the email request; before processing this request, IT archives the mail box of the user. 3. The Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system.
13 | Control Environment | Selects and develops general controls over technology | Absence of regular back-up, which may lead to loss of crucial data | ITGC 04 | 1. Regular back-up strategy defined for the server and auto back-up taken at a defined frequency. 2. Retrieval is tested at a reasonable frequency.
14 | Control Environment | Selects and develops general controls over technology | Absence of regular back-up, which may lead to loss of crucial data | ITGC 04 | Off-site storage of back-up to tackle any unforeseen event at the office premises.
15 | Control Environment | Identifies risks to the achievement of objectives and analyses risks to manage them | Servers and end user PCs are infected with virus | ITGC 05 | 1. Desktops: all user desktops are installed with an anti-virus scanner, which scans new files on an ongoing basis. 2. Servers: all servers are installed with an anti-virus scanner. 3. Gateway: the mail server is managed and all emails are scanned by a threat management gateway. 4. The anti-virus is automatically updated to the latest version through the auto-update process.
16 | Control Environment | Assesses fraud risk to the achievement of objectives | Unauthorized access to the IT systems, applications and data by external parties | ITGC 05 | 1. Firewalls have been installed. 2. The logs are regularly reviewed by the IT Executive.
17 | Control Environment | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 06 | Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel.
18 | Control Environment | Selects and develops control activities to mitigate risks | Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting | ITGC 06 | Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with the Finance Manager and after approval of the BOD.
19 | Control Environment | Identifies and analyses significant changes that could impact internal controls | Errors in changes made to key applications relevant to financial reporting | ITGC 06 | Specific changes are made to key applications relevant to financial reporting only after sign-off from the relevant stakeholders.
20 | Control Environment | Selects and develops general controls over technology | Problems and incidents are not effectively managed | ITGC 09 | In-house IT personnel resolve issues faced by users as required.
21 | Control Environment | Selects and develops general controls over technology | Intentional sharing of crucial and confidential data of the company by staff with outsiders (e.g. competitors) | ITGC 07 | 1. Deactivation of external storage devices on company PCs. 2. Restricting access to all public sites and domains.

Note:
The above work-sheet can be enhanced with columns such as department; details with respect to controls (whether key or non-key; whether the control exists – yes or no; type of control – manual or automated; nature of control – preventive, detective or both preventive and detective; control frequency – daily, weekly, fortnightly, monthly, half-yearly, annually, event-based, as and when); document/evidence; deficiencies; remedial plan; reference to document; and remarks.
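The new-user-id control (row 11) and the user-termination control (row 12, ITGC 03) are typically tested by reconciling HR's leaver list and roster against a user-account export from the IT system. The script below is an added example of that reconciliation, not part of the BCAS specimen; all employee ids, user ids, dates and field names are constructed.

```python
"""Leaver-access reconciliation for the user-termination control (ITGC 03).

Added example for this handbook section; it is not part of the BCAS
specimen. It reconciles the HR leaver list against an export of system
user accounts so the IT Executive (or the auditor testing the control)
can evidence that access was disabled on or before the last working day.
Employee ids, user ids, dates and field names below are all constructed.
"""
from datetime import datetime, timedelta

# Constructed HR leaver list, as HR would email it to the IT Executive.
HR_LEAVERS = [
    {"emp_id": "E101", "last_day": "2016-01-15"},
    {"emp_id": "E102", "last_day": "2016-02-29"},
    {"emp_id": "E103", "last_day": "2016-03-10"},
    {"emp_id": "E104", "last_day": "2016-03-28"},
]

# Constructed HR roster of employees still in service on the test date.
HR_ACTIVE = {"E201", "E202"}

# Constructed user-account export from the IT system (directory / ERP users).
USER_ACCOUNTS = [
    {"emp_id": "E101", "user_id": "asharma", "enabled": False, "disabled_on": "2016-01-15"},
    {"emp_id": "E102", "user_id": "bmehta", "enabled": False, "disabled_on": "2016-03-07"},
    {"emp_id": "E103", "user_id": "crao", "enabled": True, "disabled_on": None},
    {"emp_id": "E201", "user_id": "dkhan", "enabled": True, "disabled_on": None},
    {"emp_id": "E105", "user_id": "efern", "enabled": True, "disabled_on": None},
]


def _as_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def reconcile_leavers(leavers, accounts, as_of, grace_days=0):
    """Return one finding per leaver whose account was not disabled by
    last_day + grace_days (the lag the company is willing to tolerate).
    Findings: 'still_enabled' (access live on the test date),
    'disabled_late' (disabled after the deadline), 'no_disable_date'
    (disabled but undocumented) and 'no_account' (no user record matched
    the employee id; IT should confirm that is expected)."""
    by_emp = {a["emp_id"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        last_day = _as_date(leaver["last_day"])
        if last_day > as_of:
            continue  # has not left yet as of the test date
        deadline = last_day + timedelta(days=grace_days)
        acct = by_emp.get(leaver["emp_id"])
        rec = {"emp_id": leaver["emp_id"], "user_id": None, "days_late": None}
        if acct is None:
            rec["finding"] = "no_account"
        elif acct["enabled"]:
            rec.update(user_id=acct["user_id"], finding="still_enabled",
                       days_late=(as_of - deadline).days)
        elif acct["disabled_on"] is None:
            rec.update(user_id=acct["user_id"], finding="no_disable_date")
        elif _as_date(acct["disabled_on"]) > deadline:
            rec.update(user_id=acct["user_id"], finding="disabled_late",
                       days_late=(_as_date(acct["disabled_on"]) - deadline).days)
        else:
            continue  # disabled on or before the deadline: control operated
        findings.append(rec)
    return findings


def orphan_accounts(accounts, active_emp_ids, leavers):
    """Enabled accounts matching neither an active employee nor a known
    leaver: each should be traced back to a signed new-user-id request."""
    known = set(active_emp_ids) | {lv["emp_id"] for lv in leavers}
    return sorted(a["user_id"] for a in accounts
                  if a["enabled"] and a["emp_id"] not in known)


def findings_as_of(as_of_text, grace_days=0):
    """Run the reconciliation on the constructed data for a given test date."""
    return reconcile_leavers(HR_LEAVERS, USER_ACCOUNTS, _as_date(as_of_text), grace_days)


if __name__ == "__main__":
    for finding in findings_as_of("2016-03-31"):
        print(finding)
    print("orphan accounts:", orphan_accounts(USER_ACCOUNTS, HR_ACTIVE, HR_LEAVERS))
```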
4.3 Specimen – Financial Statement Closure Policy and sample checklists (refer paragraph 2.7.3)

ABC Pvt. Ltd.
Financial Statements Closure Policy (FSCP)

1. OBJECTIVES:
This policy is prepared to achieve the following broad
objectives:
• Provide guidance for the financial closure process
leading to preparation of financial statements.
• Ensure adherence to applicable laws, regulations
and disclosure requirements relevant to the financial
reporting.
• Ensure completion of the financial closure efficiently
and in a timely manner.
• Ensure adherence to the approval matrix laid out for
the closure process.
• Retain and protect related documents, evidence and approval trails.

2. SCOPE:
This policy covers the following:
• Financial reporting framework applicable to the
entity.
• IT application (system), if any, used for financial closure.
• Checklist to be used to ensure completeness of financial statements.
• Approval matrix related to financial closure activities.
• Document Management Policy, including retention
policy for documents related to financial closure.

3. STAGES OF FINANCIAL CLOSURE:

No. | Particulars | Review Responsibility | Approval/Authorization | Suggested Timeline

1. Financial Reporting Framework | Senior Person of A & F Dept. | CFO or equivalent position | By end December/January
• The financial closure process shall be carried out in adherence to the following:
  • The Companies Act, 2013 and allied Rules
  • Applicable accounting standards
  • Pronouncements of the ICAI applicable to preparation of financial statements and financial reporting
• Adequate care shall be taken to incorporate the effects of modifications to existing regulations and pronouncements.
• Any new pronouncements impacting the financial accounting, closure process or reporting requirements will be reviewed internally, approved as per the Authority matrix and incorporated in the appropriate checklist, SOP or templates.
• Knowledge updates provided by the statutory auditors or other accounting/law firms from time to time may be reviewed and, where appropriate, considered for updating the respective checklist.
• The CFO is required to hold a formal meeting with the statutory auditors to confirm that all additional reporting requirements for the financial year have been duly identified by the company – if there has been a miss out, the same may be incorporated after review.

2. System Environment | Senior Person of A & F Dept. | CFO or equivalent position | By end December/January
• List all the systems from which data will flow into financial statements either directly or indirectly.
• Proposed changes/enhancements to the IT applications which have a bearing on the financial closure process or the financial statements need to be pre-approved by the Finance Department as per the authority matrix.
• For any changes in the financial reporting requirements, the Finance Department is to review if the required information is available from the IT system and, if not, initiate a request for configuring the IT system to ensure the availability of the requisite information.

3. Pre-planning for Closure & Closure Activity for Operational Areas | As per Checklist | As per Checklist | For Pre-planning by end December/January and for Closure at year end date and subsequent month
Activity wise pre-planning checklist to be prepared as per the Company’s defined SOPs, Policies and Business Requirements. A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – I.

4. Process for Preparation of Financial Statements | As per Checklist | As per Checklist | As per defined timeline by the management for finalizing audited Financials
A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – II.

5. Process for Disclosure requirements | As per Checklist | As per Checklist | As per defined timeline by management for finalizing audited Financials
A specimen general format indicating illustrative checkpoints and processes is presented in Annexure – III.

6. Approval Matrix for closure process | Senior Person of A & F Dept. | CFO or equivalent position | Approval Matrix to be defined as part of SOP of A & F dept. or at the beginning of the year
The closure process will follow the approval matrix defined as per the SOP of the Accounts & Finance department. If it is not defined, then define the same for maker-checker control at various stages and documentation trail.

7. Retention of Documents | Senior Person of A & F Dept. | CFO or equivalent position | N.A.
• All documents related to the financial closure process shall be retained in a safe manner.
• Clear naming protocols will be followed to ensure version control on financial statement drafts.
• Soft copies of the financial statements need to be stored in a folder, access rights to which have been approved by the Chief Financial Officer.
• Documents to be retained at least until the time required to comply with related regulations.

8. Post Closure Process | Senior Person of A & F Dept. | CFO or equivalent position | Within 15 days of completion of Annual Accounts closure
• Take printout of Final Trial balance.
• Keep printed copies of audited Financial Statements.
• Close the books of account for the Financial Year.
• Block the IT system for amendment in that financial year.
• Review opening balance in the subsequent period with audited financial statement.
Annexure – I
ABC Pvt. Ltd.
Sample and Specimen Checklist for Activity wise Pre-planning & Closure

No. | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status
(columns after Process are left blank in the specimen)

1 | Cash
• Circular to be sent to various branches to send cash expenses statement with closing balance as on year end
• Co-ordination with the statutory auditors if they want to conduct year end physical verification of cash
• Conduct physical verification on the last working day of the financial year
• Document the physical verification papers with sign of maker and checker

2 | Bank
• Bank Reconciliation Statements (BRS) to be called from all branches for all bank accounts
• BRS to be prepared for all the HO accounts as per the BRS process defined by the company
• Un-reconciled items in BRS to be investigated and necessary adjustments to be carried out with proper approvals
• Cheques pending to be deposited to be presented to bank for clearance
• Online transfers from customers, kept in suspense / unexplained accounts, to be knocked off from customer balances
• Print out of final copies of BRS to be taken and signed by the maker and checker
• Balance confirmations to be called from banks to assert bank balances

3 | Inventory
• Circular to be sent to branches to inform them to carry out year end stock verifications
• Factory / warehouse / operations of any other inventory holding location to be suspended during the period of verification, if required
• Necessary co-ordination to be made with internal / statutory auditors in case they are to attend inventory verification
• Year-end transactions for sales and purchases to be meticulously recorded keeping in mind cut-off procedures affecting inventory position
• Plan for inventory verification to be decided on the basis of methods suitable for the Company’s inventory, such as: 1. ABC analysis; 2. Analysis based on fast / slow moving items; 3. Critical and non-critical items; 4. Form of inventory, i.e. size, weight, state of matter etc.
• Confirmations to be called from third parties holding the company’s inventory (on consignment basis, for job work purposes etc.)
• Value of inventory as per books to be compared with actual value
• Adjustments, if required, to be made to inventory value with proper approvals

4 | Fixed Assets / Capitalization
• FA register to be updated, finalized
• FA register to be compared with books of account
• Scrutinize the major repairs account to find out if any item of capital nature has been debited
• Capitalisation of expenses to the point of installation such as transportation, octroi, testing charges, training for operation of FA
• Review CWIP account to review completion stage and capitalization if required
• Physical verification of fixed assets with proper internal controls such as verification by independent verifier, maker-checker control on verification process, reporting of discrepancy, if any, and appropriate accounting of the same
• Review of sale / scrap of assets, profit / loss on disposal of assets
• Depreciation workings based on applicable accounting standards

5 | Investment
• Accounting of accrued income based on year end investment
• Accounting of gains / losses on sale of investments
• Validation of investment balance with counter party statements
• Physical verification of investment instruments to ensure ownership of the same
• Revaluation of investments as per applicable accounting standards

6 | Income Booking
• Circular to be sent to various branches / depots from where sales are effected to send information / data for dispatches made till cut-off date
• Ensure invoice booking for materials where ownership has been transferred to customers
• Ensure invoice booking / billing for services where provision of service is completed as per defined terms and conditions
• Accounting of pending debit and credit notes (rejections / sales returns / disputed provision of services)

7 | Expense Booking
• Circular to be sent to various branches / depots calling for all relevant details of expenses incurred within defined timeline after year end
• Advances paid for expenses to employees to be settled against reimbursable expenses
• Provision of expenses based on nature of expense, i.e. time based or otherwise backed by actual supporting documents, to be accounted
• Provision of expenses based on estimation: Company policy for estimation to be reviewed and adhered to
• Review accounting of prepaid expenses
• Review provisions / prepaid expenses of previous periods / years for their existence and continuity

8 | Debtors / Receivables
• Debtors balances to be knocked off against money received but accounted in suspense / unexplained accounts
• Initiate communication for debtors confirmation
• Prepare reconciliation of differences in debtors balances and post adjustments with appropriate approvals
• Scrutinize debtors accounts and follow up with the sales / marketing team for status of long standing debtors
• Provide for doubtful debts / disputed debtors in consultation with marketing / legal dept. / Management

9 | Creditors / Payables
• Initiate communication for creditors confirmation
• Prepare reconciliation of differences in creditors balances and post adjustments with appropriate approvals
• Scrutinize advance to creditors accounts and follow up with the procurement team for status of long standing advances
• Write back creditors balances which are not payable in consultation with procurement / legal dept. / Management

10 | Related Party Reconciliation
• Obtain account confirmation from all the related parties
• Prepare reconciliation of differences in balances and post adjustments with appropriate approvals

Annexure – II
ABC Pvt. Ltd.
Sample and Specimen Checklist for Preparation of Financial Statements

No. | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status
(columns after Process are left blank in the specimen)

1 | Opening balances validation
• Validation of opening balances at the time of audit of the subsequent year with closing balances of the previous year

2 | General Ledger Scrutiny
• Allocate responsibility within the accounts team to scrutinize specific accounts
• All accounts with non-moving balances, intermediary accounts and suspense accounts to be scrutinized thoroughly to ensure genuineness of transactions recorded in these accounts
• Based on this scrutiny, pass appropriate entries with approval of senior personnel in the accounts team, ideally the CFO

3 | Review of accounts related to statutory compliance
• Allocate responsibility within the accounts team to scrutinize specific accounts
• Reconcile the company’s data with the data available on the website of the respective regulator (such as 26 AS reconciliation)
• Review all the assessment orders, refund / demand orders issued by various regulatory authorities during the year
• Compare all statutory returns filed with the books of account
• Record all the necessary entries required based on the above scrutiny

4 | Independent Review
• Get independent review done by professional retainer, if any, engaged by the company

5 | IT Systems blocking
• Blocking of various IT systems for data entry of transaction posting by respective employees for basic transaction posting such as cash, bank, petty cash, purchase, sales etc.
• Rights to pass entries to be granted to only a few personnel in the accounts department

6 | Provision for Gratuity & Employee benefits
• Provide necessary data / information after validation to the appointed actuary
• Actuarial valuation report to be referred for estimations provided by the auditee
• Workings for provisions to be computed and validated by senior personnel
• Provisions for employee benefit to be recorded with appropriate approvals

7 | Inventory Valuation
• Inventory verification reports to be referred to ascertain inventory figures
• Inventory as ascertained to be valued adopting suitable methodology and adhering to applicable accounting standards and company policy
• Necessary adjustment entries to reflect appropriate value of inventory to be recorded with due approvals

8 | Revaluation of Assets & Liabilities in Foreign Currency
• Ascertain the balances of foreign assets and liabilities
• Depending on the class of asset / liability and guidelines laid down in applicable accounting standards, appropriate foreign exchange rate to be selected
• The selected rate(s) to be validated by senior authority and applied to closing balance of such class(es) of assets / liabilities
• Appropriate effect of revaluation to be recorded in books of account

9 | Year-end adjustment of exchange rate difference for trade payables and receivables
• Refer to closing balance of debtors / creditors
• Revalue debtors and creditors on the basis of closing exchange rate

10 | Income Tax working
• Based on profits / losses as computed, prepare income tax working
• Co-ordinate with tax consultant for validation of the same
• Incorporate changes suggested by consultant
• Record necessary provision for income tax

11 | Deferred Tax Assets / Liabilities working
• Prepare working for deferred tax assets / liabilities
• Co-ordinate with tax consultant and Statutory Auditors for validation of the same
• Incorporate changes suggested by consultant
• Record necessary entries for deferred tax assets / liabilities

12 | Preparation of Financial Statements as per prescribed formats
• Extract trial balance from accounting system
• Save the same with date and time in soft copy
• Prepare appropriate groupings
• Validate all the excel formulas and linkages if financials are prepared in excel
• As per prescribed format, classify respective assets and liabilities as current, non-current, short term, long term
• Take print out of financials prepared and revalidate again with base trial balance for accuracy
• Provide audit trail of revalidation on hard copy of financials

13 | Co-ordination with statutory auditors and get the audit done
• Arrange for Stat audit, prepare information as per their prescribed format
• During Stat audit liaise with their team for smooth conduct of audit
• Formal meetings for discussion of queries / clarifications
• Passing of rectification JVs, if required, in system

14 | Prepare revised Financial Statements
• Repeat process given in step 12
• Maintain version control and modification trail

15 | Grouping and regrouping of previous year’s figures
• Detailed review of previous year’s grouping with current grouping and make necessary changes in the grouping of previous year

16 | Freeze the numbers after review of Statutory Auditors
• Get the revised financials validated by Statutory Auditors

17 | Present the Provisional Financial Statements to Management / Audit Committee
• To facilitate management to take certain decisions about managerial remuneration, proposed dividend

18 | Calculate Managerial remuneration if it is on % basis of profit / surplus
• Prepare workings for managerial remuneration as per applicable rules and regulations and company policy

19 | Prepare Proposed dividend working
• Proposed dividend working to be prepared based on the dividend proposed by the Board of Directors
• Workings to be validated by senior personnel
• Entries to record proposed dividend to be passed in books of account

20 | Make necessary changes in the Financial Statements
• Necessary changes to be validated by Statutory Auditors

Annexure – III
ABC Pvt. Ltd.
Sample and Specimen Checklist for Disclosure & Notes to Accounts

No. | Area | Process | Process Owner | Reviewer | Proposed Start Date | Proposed End Date | Status
(columns after Process are left blank in the specimen)

1 | Review of Notes to Accounts of previous year and evaluate it for necessary changes
• Take notes to accounts of previous year as a base
• If there are any changes in the accounting policies adopted by the company during the year, incorporate the same in notes to accounts
• If there are any regulatory changes which require change in company policy, incorporate the same in notes to accounts

2 | Prepare Disclosures
• As per disclosure checklist provided by Stat auditors, prepare disclosures
• Validate all the numbers given in the disclosures with the financial statements
• Also ensure disclosure for contingent liability after consultation with various operational dept. HODs and HOD of legal dept.

3 | Get it reviewed by Statutory Auditors
• Notes to accounts and disclosures to be sent to Statutory Auditors for review and validation

4 | Revise Notes to Accounts & Disclosures after review by Statutory auditors
• As per suggestions by Statutory Auditors, revise notes to accounts and disclosures

5 | Review entire set of Financial statements & disclosures all together
• Take print out of entire set of financial statements, notes to accounts and disclosures
• Revalidate again with base trial balance for accuracy
• Provide audit trail of revalidation on hard copy of financials

6 | Arrange for Signatures
• Arrange for signature on the Financial Statements by the appropriate authority of the Company
• Arrange for signature on the Financial Statements by the Statutory Auditors

** Note: Soft copies of the ‘ready to use drafts and formats’ given in this section are hosted on the website of BCAS, www.bcasonline.org.
