[Analysis] Strengthening Corporate Governance – The Role of Internal Audit & Internal Controls

Internal Audit is an independent, objective assurance and consulting activity designed to improve an organisation's operations. It systematically evaluates internal controls, governance processes, and risk management to ensure effectiveness, compliance, and efficiency.
Internal Controls, on the other hand, are the policies, procedures, and systems put in place to safeguard assets, ensure accurate financial reporting, prevent fraud, and maintain regulatory compliance.
Internal audits and controls are vital in enhancing corporate governance, reducing risks, and achieving an organisation's objectives.

Table of Contents

1. Introduction
2. Role of Internal Controls in Ensuring Corporate Efficiency and Compliance
3. Role of Internal Audit in Strengthening Internal Control
4. Applicability of Internal Audit
5. Common Deficiencies in Internal Control
6. Extracts of Identified Deficiencies in Internal Control Identified by the Auditor during the Audit of the Listed Company
7. Conclusion

1. Introduction

In the current global business landscape, maintaining robust internal controls and conducting thorough internal audits are vital to ensuring compliance, protecting assets, and sustaining investor confidence. This article delves into how effective internal controls, complemented by internal audits, strengthen corporate governance and operational efficiency.

2. Role of Internal Controls in Ensuring Corporate Efficiency and Compliance

Internal controls are the policies, procedures, systems, and processes that a company puts in place to ensure its business operations are conducted orderly and efficiently. These controls extend beyond financial oversight to cover operational aspects, safeguarding assets, preventing fraud, maintaining accurate records, and producing reliable financial and management information. As outlined in SA 315 (Identifying and Assessing the Risk of Material Misstatement), internal controls provide reasonable assurance that a company will achieve its financial reporting, operational efficiency, asset protection, and regulatory compliance objectives.

Under the Companies Act, 2013, the Board of Directors establishes and maintains effective internal financial controls (IFCs). Section 134(5)(e) mandates that the directors of listed companies include a statement confirming that adequate and effective IFCs are in place.

Effective IFCs are crucial for ensuring reliable financial reporting and the preparation of accurate financial statements. If material weaknesses are identified, the company’s controls are considered ineffective, increasing the likelihood of errors or misstatements, even if the financial statements are not materially misstated. This makes it essential for auditors to gather sufficient evidence to determine material weaknesses, focusing on high-risk areas.

The components of internal control are:

• Control Environment
• Risk Assessment
• Control Activities
• Information System and Communication
• Monitoring

3. Role of Internal Audit in Strengthening Internal Control

Internal audits are instrumental in enhancing the effectiveness of a company’s internal controls. By continuously evaluating the control systems, internal audits help identify deficiencies and suggest improvements to ensure adherence to policies, reduce the risk of fraud, and enhance operational efficiency.

Importance of Internal Audit:

• Increased Size and Complexity of Businesses – As companies grow, management oversight over various functions becomes diluted. Internal audits provide the necessary checks and balances, ensuring operations align with the company’s goals. For Example, A multinational corporation with decentralised operations requires internal audits to review compliance and operational efficiency across different regions.
• Enhanced Compliance Requirements – With the globalisation of business, companies must comply with various international and domestic regulations. Internal audits ensure adherence to these requirements and protect companies from legal risks. For Example, A company expanding into new markets may face varying tax laws and regulations. An internal audit can ensure compliance with each region’s legal requirements.
• Risk Management and Internal Controls – Internal audits focus on high-risk areas, providing value by identifying potential issues before they escalate. This enhances overall efficiency and strengthens risk management. For Example, An internal audit of an e-commerce company reveals vulnerabilities in its payment processing system, enabling the timely implementation of more robust cybersecurity measures.
• Unconventional Business Models – Adopting unconventional business models, such as outsourcing or digital transformation, introduces new risks. Internal audits address these challenges by evaluating the effectiveness of controls in these new environments. For Example, A company that outsources its IT operations can rely on internal audits to assess the vendor’s data security protocols and service-level agreements.
• Intensive Use of Information Technology – As companies become more reliant on technology, they face increased risks of data breaches, system failures, and cyberattacks. Internal audits ensure that IT controls are robust and compliant with relevant cybersecurity regulations. For Example, An audit of a cloud-based system reveals weak password policies, prompting immediate corrective actions to prevent unauthorised access.
• Regulatory Norms and Investor Protection – Internal audits help ensure adherence to the increasingly stringent regulatory norms, especially around corporate governance and financial reporting. This helps protect investor interests and maintains market confidence. For Example, A financial services firm’s internal audit ensures compliance with the latest SEBI guidelines, preventing potential regulatory breaches.
• Competitive Business Environment – Internal audits support companies in staying competitive by identifying operational inefficiencies and suggesting improvements that lower costs and enhance productivity. For Example, An audit identifies inefficient supply chain processes, helping a manufacturing company streamline operations and reduce costs.

4. Applicability of Internal Audit

Certain companies are legally required to appoint an internal auditor to conduct audits at regular intervals. According to Section 138 of the Companies Act, 2013, the following entities must comply:

These companies must comply with the internal audit provisions within six months of meeting the criteria.

5. Common Deficiencies in Internal Control

Deficiencies in internal control occur when a company’s policies, procedures, or systems fail to prevent or detect misstatements on time. According to SA 265, a deficiency exists if:

• A control is not designed or operated effectively to prevent, detect, and correct errors or fraud in financial statements.
• A necessary control is missing altogether.

Deficiencies in internal controls are categorised as:

• Design Deficiency – Controls are inadequately documented, or IT controls are poorly designed. For Example, A company implements new IT General Controls but fails to document them, resulting in inconsistent application across departments.
• Operating Deficiency – Controls fail during execution, such as failure in dual authorisation or management override of controls. For example, a company’s dual authorisation process for large payments is not followed due to management overriding, leading to unauthorised transactions.
• Significant Deficiency – Control weaknesses in accounting principles, anti-fraud measures, or period-end financial reporting. For Example, A company lacks proper anti-fraud controls, allowing for manipulation of expense reports by employees.
• Material Weakness – Serious flaws in internal audit functions, risk assessments, or fraud identification by senior management. For Example, A financial institution’s internal audit fails to detect fraudulent activities by senior management, resulting in significant financial losses.

6. Extracts of Identified Deficiencies in Internal Control Identified by the Auditor during the Audit of the Listed Company

• Deficiency related to operating effectiveness of the company’s Internal Financial control over financial reporting.

• Deficiency related to Material weakness in the operating effectiveness of the Company’s internal financial controls with reference to financial statements

7. Conclusion

Internal audits play a vital role in strengthening internal controls by continuously monitoring and assessing their design and effectiveness. By identifying deficiencies and suggesting improvements, internal audits enhance compliance and contribute to an organisation’s overall operational efficiency. Effective internal audits are essential for safeguarding assets, ensuring reliable financial reporting, and maintaining investor confidence.