ABC Private Limited

ICFR for the year ending 31st March, 2016

Entity Level Controls (ELC)

Sr No Attribute Principle Process Department

Activity

1 Control Management Board BOD

Environment establishes Oversight
structure,
authority and
responsibility in
pursuit of
objectives

2 Control Board of Directors Board BOD

Environment exercises oversight Oversight
of the development
and performance
of internal controls
3 Control Board of Directors Board BOD
Environment exercises oversight Oversight
of the development
and performance
of internal controls

4 Control Demonstrates Board BOD

Environment commitment to Oversight
integrity and
ethical values

5 Control Holds individual Board BOD

Environment accountable for the Oversight
internal control
responsibilities
6 Control Management Delegation of BOD
Environment establishes Authority
structure,
authority and
responsibility in
pursuit of
objectives

7 Control Demonstrates Ethics & BOD

Environment commitment to Integrity
integrity and
ethical values

8 Control Demonstrates Ethics & BOD

Environment commitment to Integrity
integrity and
ethical values
9 Control Demonstrates Ethics & Hiring
Environment commitment to Integrity Dept./Admin
integrity and
ethical values

10 Control Demonstrates Recruitment & Hiring Dept.

Environment commitment to Selection and Admin
attract, retain and Dept.
develop competent
individuals

11 Control Demonstrates Incentive Hiring Dept.

Environment commitment to and Admin
attract, retain and Dept.
develop competent
individuals

12 Control Board of Directors Internal Audit BOD

Environment exercises oversight
of the development
and performance
of internal controls
13 Control Demonstrates Training Hiring Dept.
Environment commitment to and Admin
attract, retain and Dept.
develop competent
individuals

14 Risk Assessment Specifies Risk Management

objectives with Management
clarity to identify Framework
and assess the
risks

15 Risk Assessment Identifies and Business Management

analyzes Continuity
significant changes Plan, Disaster
that could impact Recovery Plan
internal controls

16 Risk Assessment Identifies and Financial Finance

analyzes reporting
significant changes
that could impact
internal controls

17 Risk Assessment Identifies and Financial All

analyzes reporting
significant changes
that could impact
internal controls
18 Risk Assessment Identifies and Financial Finance
analyzes reporting
significant changes
that could impact
internal controls

19 Risk Assessment Identifies and Financial Finance

analyzes reporting
significant changes
that could impact
internal controls

20 Risk Assessment Identifies risks to Financial Finance/

the achievement of reporting Compliance
objectives and
analyzes risks to
manage them
21 Risk Assessment Assesses fraud risk IT Security IT
to the achievement
of objectives

22 Risk Assessment Identifies risks to Training Operations

the achievement of
objectives and
analyzes risks to
manage them

23 Control Activities Selects and Evaluation Finance

develops control
activities to
mitigate risks

24 Control Activities Selects and Financial Finance

develops control reporting
activities to
mitigate risks
25 Control Activities Deploys control Payments and Finance
activities through reimbursemen
policies and ts
procedures

26 Information & Communicates External BOD, Admin

Communication externally Communicatio
regarding matters n
affecting internal
controls

27 Information & Communicates External Finance

Communication externally Communicatio
regarding matters n
affecting internal
controls

28 Information & Communicates Internal Admin

Communication internally, Communicatio
information n
including
objectives and
responsibilities of
internal control

29 Information & Communicates Management Management

Communication internally, Oversight
information
including
objectives and
responsibilities of
internal control
30 Monitoring Evaluates and Financial Management,
communicates reporting Finance
deficiencies, to
enable corrective
actions being
taken

31 Monitoring Conducts ongoing/ Financial Finance

separate reporting
evaluations to
confirm that
internal controls
are functioning

32 Monitoring Evaluates and Grievance and Management

communicates dispute
deficiencies, to resolution
enable corrective mechanism
actions being
taken

33 Monitoring Conducts ongoing/ Management Management,

separate Oversight Finance
evaluations to
confirm that
internal controls
are functioning

34 Monitoring Conducts ongoing/ Management Finance

separate Oversight
evaluations to
confirm that
internal controls
are functioning
 Risk Control Control Description Audit Step
Ref No.

Board does not clearly define C01 Board powers are clearly 1. Confirm the documentation
authority to be exercised at defined of Board powers and
Board level and authority delegation of authority done by
delegated to other Directors the Board.

2. Verify Board minutes and

meeting frequency. Verify
attendance records to ensure
participation and insights.

Board does not acknowledge its C02 1. Board minutes includes a 1. Verify that formal guidelines
responsibility towards oversight statement acknowledging its have been provided by the
for establishing and responsibility for ICFR Board.
performance of internal controls
2. Board provides broad 2. Verifiy that specific
Board does not formally delegate guidelines for internal responsibility has been
the responsibility for controls and records formal allocated for establishing
establishment of internal delegation of authority for internal financial controls
financial controls and for establishment of controls.
ensuring effective performance
thereof.
Board does not have a C07, Board of Directors review the 1. Verify Board meeting
mechanism to review ICFR C08 performance of the company minutes where adequacy and
adequacy and performance and adequacy of internal effectiveness of internal
controls through regular controls have been reviewed.
interactions with the Finance
Manager 2. Confirm that there are
regular interactions between
Budgets are established on Board members and Finance
yearly basis Manager through CFO, and
other key management
Monthly reporting is done by personnel to assess quality of
Finance Manager to the Group controls and review business
CFO who in turn reports to performance.
BOD.
3. Review budget variances,
exceptional items to assess
internal control gaps, if any.

Board of Director does not set C03 Policies are framed by the 1.Verify minutes of Board
the right tone at the top to Board wrt ethical conduct, meeting and Admin Manual/
encourage ethics and integrity. anti-bribery and corruption, directions issued by the Board
anti-fraud. of Directors from time to time.

2. Review Appointment letter

of an employee.

Board of Directors does not set C02 Directions are given by the Verify minutes of Board
the right tone at the top to Board to encourage process- meeting and
encourage institution of controls driven conduct, automation policies/directions issued by
and systems and ensure and effective monitoring the Board of Directors from
accountability for lapse of across the organization. time to time.
controls
Ambiguity in delegation of C01 1. Financial powers in terms of Confirm that
financial powers reduces the signing /effecting banking authorization/approvals of
control over financial transactions is with the Directors is in place, review
transactions and increase the Director. Board resolution to define
risk of financial losses powers of Director
2. Also, all the major contracts,
agreements, Purchase Orders
are signed/approved by the
Directors.

3. All the major decisions are

closely reviewed by the
respective HODs at Group
level before approval by the
Director.

Flawed performance incentive/ C03, 1. Admin Manual gives a 1. Verify Admin Manual to
compensation policy not in line C19 reference to ethical standards ensure all updations are
with ethical tone and standards expected from employees. included.
may increase the risk of
compromise / non compliance to 2. Appointment Letter 2. Verify Appointment Letter of
ethical standards of conduct includes relevant clauses employee

If management does not take C03 Management takes 1. Verify the mechanism for
timely and appropriate disciplinary action for recording non-adherences/
disciplinary action, it would violations/ non-adherence, in violations.
encourage non-adherence to a timely and appropriate
established policies and manner. 2. Verify the evidence of action
procedures being taken.
Applicant screening procedures C05, 1.Adequate background Review the appointment
do not adequately consider C09 verification is done for letters on sample basis for the
integrity and ethical values employees (Police Clearance, declarations obtained
Experience letter, etc.)

2.Majority of office staff is

hired through a placement
agency which is selected by
the management to ensure
right person for the right job

3.Declarations are obtained

from employees for non
disclosure and code of conduct
adherence as a part of joining
formalities

Lack of adequate talent or C05, 1. A rigorous recruitment and 1. Confirm the no. of exits and
mismatches in requirements and C06, selection process is adopted to the principal underlying
skill sets may severely impact C09 ensure selection of right reason/s.
achievement of objectives employees for the right job.
2. Confirm that key positions
2. Majority of office staff is are not left vacant for a long
hired through a placement time.
agency which is selected by
the management

In absence of a proper work C10, 1. Promotions are based on 1. Review the appraisal
environment the company may C12 well defined Performance process for appropriateness
have to deal with high attrition Evaluation system. and confirm that there is due
levels process for redressal of
2. Management ensures a very appraisal related grievances.
low attrition rate.
2. Review attrition rate and
related analysis

A robust system of monitoring C07, 1. Internal audits are done 1.Verify Internal audit scope
through periodic internal audits C15 quarterly as per pre-defined and reports
or control Self Assessments has scope which is approved by
not been established the management. 2.Review Board Minutes

2. Board meetings discuss

internal audit reports - key
findings.
Inadequate attention to training C11 1. Training for regulatory and Verify training process
may result into skill dilution, lack process changes is imparted
of awareness about policies and on a timely basis as per either
regulatory requirements and client's requirement or
inability to discharge assigned regulatory requirement.
responsibilities.
2. Training is identified and
imparted as needed

Absence of enterprise-wide risk C04 Formal risk management Review the risk management
assessment and absence of policy is presented to the policy adopted by the
documented risk management Board and approved by the Company
policy Board of Directors.

Absence of BCP/DRP may lead to C22, C23 1. Business Continuity Plan 1. Review the BCP and DRP.
business interruptions and may (BCP) and Disaster Recovery
jeopardize business continuity Plan(DRP) are in place. 2. Review the data recovry
plan.
2. Data recovery plan is
established and operational.

Regulatory changes impacting C17 1. Regulatory changes are Verify formal assessment of
business, financial conduct or understood and assessed for key regulatory changes.
reporting requirements are not their impact on business.
understood, analyzed or
internalized. 2. Compliance tracker is filled
in at defined frequency and
updated periodically for
amendments.

Improper channels to C24 Periodic departmental Review modification in

communicate the changes in reviews are done wherein processes, if any, by the
business practices to the Finance team is also present; accounts team
accounting department may review covers discussions on
affect the method or the process changes in business practices
of recording the transactions in affecting financial statements.
financial statements
Risk of regulatory non- C13, 1.Management specifies 1. Verify financial statements
compliance and financial C15, C25 financial reporting rules and with adequate disclosures
misstatements if suitable standards which are
accounting principles, policies or consistent with accounting 2. Verify statutory auditor's
rules not followed principles suitable and report
appropriate for the entity.
3. Verify internal audit reports
2. Reviews by/consultations
with the Statutory Auditors as
required by the regulation
(annual review) or as
considered necessary by the
management, are done.
3.Internal audit coverage
extends to compliance review
and financial reporting review.

Non identification of changes in C13, C25 1. Defined and documented Review financial statements
accounting principles or financial Financial Statement Closure and all other relevant
reporting requirements may lead Process is in place. information.
to non-compliance and the
financial statements will not 2. Periodic updates are
show true and fair figures or may received from professional
not include disclosures as consultants.
required.

Absence of an appropriate C20, C26 1. Various compliances under Verify Board noting and
mechanism of related party different statutes in relation to approval of related party
transactions identification can transactions with related transactions.
lead to regulatory non- party (transfer pricing related
compliance and/ or financial compliance and return filing)
misstatements are verified.

2. Board approval is taken for

related party transaction
Company infrastructure and IT C14 1. Access is restricted to users 1. Review list of user-ids with
systems being used for who are either employees or access rights
fraudulent activities thereby authorized personnel.
affecting the reputation and 2. Verify protocol for access to
increasing the legal risks 2. Password and user id systems and policy
attached protected systems exist. highlighting security of user id
and passwords
3. Deactivation of external
storage devices on company
PC's has been done.

4. Access to all public sites and

domains is restricted.

Changes in the procedure C27 Periodic review of process 1. Verify that the manuals are
manual of a particular manual is done and updates periodically reviewed.
department without the are communicated to all
knowledge of its employees employees concerned. 2. Verify evidence of
leads to dilution of the impact of communication of changes to
the changes implemented employees.

Risk of recurrence of issues if not C15 Periodic internal audit is done Verify internal audit reports
evaluated and policies/ by an external agency and available, and record of
procedures not modified changes made basis agreed resolution of agreed actions.
accordingly actions.

Risk of financial loss and/ or C16, 1. Physical verification of fixed 1. Verify fixed asset
financial misstatement in the C20 assets, cash is done. verification report and check
absence of an established for periodicity
physical verification of assets 2. Third party and bank (CARO, 2015)
mechanism balance confirmations
statements are taken. 2. Verify third party
confirmations.
3. Board discusses findings of
physical verification of assets/ 3. Verify records showing full
discrepancy resolution particulars - quantitative
details and situation of fixed
assets
(CARO, 2015)
4. Verify Board meeting
minutes
Absence of policies will lead to C03 All financial policies relating Verify remuneration structure
reimbursement/ allowance of to employees are in place for financial policies relating to
non agreed expenses to the along with defined level of employees.
employees or reimbursement of approvals.
expenses over and above the set
limit to the employees.

May result in C03 1. Clear identification of Verify the Admin Manual for
reputational/financial/reporting persons authorized to communicating with external
risk due to erroneous communicate with external parties
communications to external parties on relevant company
parties/ external reporting matters.
2. A formal social media policy
is in place.

In the absence of clear C03, C18 There are properly identified Review grievance mechanism
communicating channels for communication channels and sexual harassment policy
external parties, employee/ (email ids) for third parties
management malpractices may under grievance mechanism,
not come to light, may have a sexual harassment policy
reputation risk with respect to
third parties

Absence of clear communication C28 Clear communication of the Verify the communication for
on performance measures may Key Result Areas in the the KRAs
lead to ambiguities and increase evaluation process
in attrition levels

Risk events, exceptional and C07, 1. Formal communication 1. Verify periodic MIS on
unusual events remain C08, C29 process established for sample basis
unreported to the management escalating disruption to
and hence the risk management operations, occurrence of risk 2. Verify management and
framework is not duly enhanced. events and any material Board meeting minutes
exceptional event.

2. Periodic MIS/ dashBoards,

highlighting of all exceptions.

3. Board meeting,
management review meeting
discuss unusual events.
Inadequate process for obtaining C16 1. Third party confirmations Verify confirmations obtained
third party confirmations to obtained from banks, debtors, from counter parties and
validate financial figures and to related parties Government website (such as
detect financial frauds. Income Tax) for reconciling
2. Web based review done to statutory figures and other
assess tax status, TDS status, balances.
regulatory compliance related
numbers.

Absence of review of the C07, Monthly MIS consisting of Verify financial statements/
financials by management C08 financial statements and other reports, periodic MIS and
operations, reconciliations reconciliations
prepared by Finance Manager
are reviewed and analyzed by
Group CFO

Inappropriate grievance C03 Employee grievance policy (to Verify policy to resolve
processes may lead to delay in resolve complaints and complaints and grievances, as
detection of frauds, misreporting grievances) forms part of stated in Admin Manual
of financial figures, need for Admin Manual
provisioning due to disputes

Process gaps, errors and C03, 1. Internal audit function 1. Verify Internal Audit reports
misstatements may not be C07, reports to Board of Director
identified by the management C15 and highlights deficiencies 2. Verify meeting minutes
which may also lead to fraud or observed.
non-compliance due to absence 3. Verify sample policies and
of well established risk and 2. Polices and processes are process notes
internal audit review system introduced and revised from
time to time to plug identified
gaps and controls lapses.

Absence of communication of C21 Formal roll out of ICFR policy 1. Check ICFR framework and
deficiencies and monitoring and testing process for control documented RCMs
corrective action may lead to design and effectiveness
unremediated deficiencies and 2. Check the process adopted
resultant control gaps wrt ICFR for testing control design and
operational effectiveness
 Key or Control Type of Nature Control
Non Key? exists? Control Frequency

Key Yes Manual Preventive Ongoing

Key Yes Manual Preventive Ongoing

Key Yes Manual Preventive Monthly

Key Yes Manual Preventive As and when

Key Partial Manual Preventive As and when

Key Yes Manual Preventive Ongoing

Key Yes Manual Preventive As and when

Key Yes Manual Preventive As and when

Key Yes Manual Preventive As and when

Key Yes Manual Preventive As and when

Key Yes Manual Preventive Annually

Key Yes Manual Both : As and when

Preventive &
Detective
Key Partial Manual Preventive As and when

Key Yes Manual Preventive Ongoing

Key Partial Manual Preventive Ongoing

Key No Manual Preventive As and when

Key Yes Manual Both : As and when

Preventive &
Detective
Key Yes Manual Both : As and when
Preventive &
Detective

Key Yes Manual Both : Annually

Preventive &
Detective

Key Yes Manual Preventive As and when

Key Partial IT Preventive Ongoing
dependent

Key Yes Manual Preventive As and when

Key Yes Manual Detective As and when

Key Yes Manual Both : Annually

Preventive &
Detective
Key Yes Manual Preventive As and when

Key Yes Manual Preventive Ongoing

Key Yes Manual Both : As and when

Preventive &
Detective

Key Yes Manual Preventive As and when

Key Yes Manual Both : Monthly

Preventive &
Detective
Key Yes Manual Detective Annually

Key Yes Manual Both : As and when

Preventive &
Detective

Key Yes Manual Both : Ongoing

Preventive &
Detective

Key Yes Manual Both : Ongoing

Preventive &
Detective

Key Yes Manual Both : As and when

Preventive &
Detective
 Document/ Evidence Deficiencies

1. Board powers are derived from Companies Act, MoA -

& AoA. Also, for Directors appointed during the year,
Board Resolution passed to define general powers of a
Director.

2. Board meeting has been held once every quarter.

Attendance records maintained have been reviewed.

Board minutes documenting guidelines for Internal -

Financial Controls and formal delegation for
establishment of internal controls.
1. Minutes of Board Meetings where the Internal Audit -
reports are reviewed and adopted by the Board.

2. There is an established process of monthly reporting

on operations, performance and financial reporting

3. Monthly MIS prepared by the Finance Manager is

reviewed by the Board of Directors

Admin Manual broadly covers Mission Statement & -

Quality Policy, Business Principles and Ethics, Policy on
Personal Conduct and Disciplinary Procedures
(covering examples of serious misconduct such as Anti-
bribery and corruption, Anti-fraud) and attention is
drawn to the same in the appointment letter provided
to the employees.

Board minutes for FY 2015-16, Admin Manual, various Certain SOPs have not been
other documented policies such as CSR documented
Board resolution defines power of Director and for -
signing authority

1.Admin Manual revised in Apr 2015. -

2.Appointment letter of employees contains clause for
code of conduct and confidentiality of information

Open communication is encouraged and the -

organization has several informal processes that would
bring violations, if any, to light.
1.Appointment letter of employees contains clause for -
code of conduct and confidentiality of information. On
joining, signoff on Appointment Letter is taken from
the employees.

2.Background verification is done

Hiring is done on the basis of past experience. -

Adequate documents are collected before the
employees are recruited. Certain background checks
are performed.

1. Performance based incentives are given based on -

internal appraisals through a structured process.

2. Functional heads are appraised by Group level HODs

Policies are conducive to talent attraction and
retention.

Internal audit reports -

Training Certificates/ Course Certificates Training for Accounts & Finance staff
for regulatory & compliance changes
not conducted

Risk Management Policy -

Data recovery plan is established and operational as 1. Absence of Business Continuity

evidenced and as explained by IT executive in terms of Plan (BCP)/ Disaster Recovery
back-up. However off site storage of back up is not Plan(DRP).
kept.
2. No facility for off-site storage of
back up.

- Compliance Tracker is not

maintained

Once discussed, the changes required to be made in -

various business departmental processes that have an
impact on financial reporting are communicated to the
concerned Heads.
1. Accounting policies and principles followed are -
stated in the 'Notes to accounts' in the financial
statements (Compensating control in place of
Finance manual).

2. Circulars/email issued for closure of financial

transactions is shared

3. Internal audit is done by professional firm and

Internal Audit Reports identifies the issues observed

4. Annual review is done by Statutory Auditors.

1. Financial Statement Closure Policy. -

2. Email updates received from professional consultant

by CFO, Accounts & Finance Manager.

Related party disclosures as required under Companies -

Act in Board minutes reviewed
List of user-ids with access rights Access to public sites and domain
has not been restricted

Process Manuals reviewed and revised in Apr 2015. -

IA Reports -

1. Fixed Asset Register -

2. Third party confirmation

3. Board Minutes
Remuneration Structure (CTC Sheet) -

Admin Manual -

1. Admin Manual and Sexual Harassment policy -

2. Dedicated email id created to register complaints.

Details available on company website.

Defined KRA -

Monthly reporting is done by the Finance Manager to -

Group CFO for Balance Sheet, Profit & Loss, cash flows
and working capital, Budget Vs. Actual
Third Party confirmations -

Monthly reporting is done by the Finance Manager to -

Group CFO for Balance Sheet, Profit & Loss, cash flows
and working capital, Budget Vs. Actual

Admin Manual consists of grievance policy -

1.Board Minutes -
2.Internal Audit scope & reports

1. RCMs documented -

2. RCM-based testing of control design and operational

effectiveness has been planned and rolled out.
 Reference to Remedial Plan
Document

Board Minutes -

MoA & AoA of the

Company

Board minutes for FY -

2015-16
1.Board Minutes -
2.MIS for the month
of December, 2015

1.Admin Manual -
2.Appointment letter

1. ISO Manual, Document various SOPs for standardization of

2.Admin Manual processes and to have process-driven functioning
3.CSR Policy rather than people-driven functioning.
4. Board minutes for
FY 2015-16
Board minutes for FY -
2015-16

1.Appointment -
letters of employees
2.Admin Manual

Admin Manual -
1.Appointment letter -
of office staff
2.Police Clearance
Certificate(PCC),
Experience
Certificate, Salary
Slip

CV along with all the -

certificates and
supporting
documents

Performance -
Appraisal Form

1.Board Minutes -
2.Internal Audit
scope & Reports
Training Provide training related to regulatory changes, financial
Certificates/ Course reporting regulations etc. to Accounts & Finance staff
Certificates

Risk Management -
Policy

- Develop and document Business Continuity Plan (BCP)/

Disaster Recovery Plan(DRP).

- Maintain compliance tracker ensuring that all statutory

compliances are included

- -
 - -

- -

Board Minutes -
List of user-ids with Restrict access to public sites and domains.
access rights

Existing ISO manual -

IA Reports reviewed -

1. Fixed Asset -
Register

2. Third party
confirmation

3. Board Minutes
Remuneration -
Structure (CTC
Sheet)

Admin Manual -

Admin Manual and -

Sexual Harassment
policy

Defined KRA -

MIS for the month of -

December, 2015
Third Party -
Confirmations

MIS for the month of -

December, 2015

Admin Manual -

1.Board Minutes -
2.Internal Audit
scope & Reports

- -
Remarks

-
The established process of regular reporting is
sufficient in view of the size of the company
and nature of its operations.

The style of management is 'hands on' and

Board meetings are more procedural; hence,
Board meetings may not provide details of
budget/performance reviews etc.

We are explained that the Group CFO is in

continuous communication with Finance
Manager to overview Financial matters. He in
turn, communicates with BOD to update the
same.

Some of the standard Operating Procedures

are not formally documented such as SOPs for
Accounts & finance department. ISO manual
covers certain parts of Operational/Business
activities.
However, various initiatives taken by the
Board of Directors and Finance Manager
evidencing the intention to establish internal
controls and effective monitoring - e.g.
documentation of various policies
Organization structure is defined. However, all
the approvals and signing authority is
restricted with Director. Also, there is dotted
line of reporting at Group level for all the
functional HODs.

There is no performance based incentive

scheme in the company. Increments are
finalized basis effective performance appraisal
process

If any violations/non adherence observed,

appropriate steps are taken by the
management including termination of
employees
 -

Exit interviews are conducted for employees.

-
 -

As informed to us, at Group-level, risk matrix

and risk register is maintained for financial
risk by the Group CFO

-
-

-
 -

Board meetings are more procedural; hence,

Board meetings may not provide details of
budget/performance reviews.
-

-
-