ABC Private Limited

ICFR for the year ending 31st March, 2016

Entity Level Controls (ELC)

Sr No Attribute Principle Process Department Risk

Activity

1 Control Management Board BOD Board does not clearly define

Environment establishes Oversight authority to be exercised at
structure, Board level and authority
authority and delegated to other Directors
responsibility in
pursuit of
objectives

2 Control Board of Directors Board BOD Board does not acknowledge its
Environment exercises oversight Oversight responsibility towards oversight
of the for establishing and
development and performance of internal controls
performance of
internal controls Board does not formally delegate
the responsibility for
establishment of internal
financial controls and for
ensuring effective performance
thereof.
3 Control Board of Directors Board BOD Board does not have a
Environment exercises oversight Oversight mechanism to review ICFR
of the adequacy and performance
development and
performance of
internal controls

4 Control Demonstrates Board BOD Board of Director does not set

Environment commitment to Oversight the right tone at the top to
integrity and encourage ethics and integrity.
ethical values

5 Control Holds individual Board BOD Board of Directors does not set
Environment accountable for Oversight the right tone at the top to
the internal encourage institution of controls
control and systems and ensure
responsibilities accountability for lapse of
controls
6 Control Management Delegation of BOD Ambiguity in delegation of
Environment establishes Authority financial powers reduces the
structure, control over financial
authority and transactions and increase the
responsibility in risk of financial losses
pursuit of
objectives

7 Control Demonstrates Ethics & BOD Flawed performance incentive/

Environment commitment to Integrity compensation policy not in line
integrity and with ethical tone and standards
ethical values may increase the risk of
compromise / non compliance
to ethical standards of conduct

8 Control Demonstrates Ethics & BOD If management does not take

Environment commitment to Integrity timely and appropriate
integrity and disciplinary action, it would
ethical values encourage non-adherence to
established policies and
procedures
9 Control Demonstrates Ethics & Hiring Applicant screening procedures
Environment commitment to Integrity Dept./Admin do not adequately consider
integrity and integrity and ethical values
ethical values

10 Control Demonstrates Recruitment & Hiring Dept. Lack of adequate talent or

Environment commitment to Selection and Admin mismatches in requirements and
attract, retain and Dept. skill sets may severely impact
develop competent achievement of objectives
individuals

11 Control Demonstrates Incentive Hiring Dept. In absence of a proper work

Environment commitment to and Admin environment the company may
attract, retain and Dept. have to deal with high attrition
develop competent levels
individuals

12 Control Board of Directors Internal Audit BOD A robust system of monitoring

Environment exercises oversight through periodic internal audits
of the or control Self Assessments has
development and not been established
performance of
internal controls
13 Control Demonstrates Training Hiring Dept. Inadequate attention to training
Environment commitment to and Admin may result into skill dilution,
attract, retain and Dept. lack of awareness about policies
develop competent and regulatory requirements
individuals and inability to discharge
assigned responsibilities.

14 Risk Assessment Specifies Risk Management Absence of enterprise-wide risk

objectives with Management assessment and absence of
clarity to identify Framework documented risk management
and assess the policy
risks

15 Risk Assessment Identifies and Business Management Absence of BCP/DRP may lead to
analyzes Continuity business interruptions and may
significant changes Plan, Disaster jeopardize business continuity
that could impact Recovery Plan
internal controls

16 Risk Assessment Identifies and Financial Finance Regulatory changes impacting

analyzes reporting business, financial conduct or
significant changes reporting requirements are not
that could impact understood, analyzed or
internal controls internalized.

17 Risk Assessment Identifies and Financial All Improper channels to

analyzes reporting communicate the changes in
significant changes business practices to the
that could impact accounting department may
internal controls affect the method or the process
of recording the transactions in
financial statements
18 Risk Assessment Identifies and Financial Finance Risk of regulatory non-
analyzes reporting compliance and financial
significant changes misstatements if suitable
that could impact accounting principles, policies or
internal controls rules not followed

19 Risk Assessment Identifies and Financial Finance Non identification of changes in

analyzes reporting accounting principles or
significant changes financial reporting requirements
that could impact may lead to non-compliance and
internal controls the financial statements will not
show true and fair figures or
may not include disclosures as
required.

20 Risk Assessment Identifies risks to Financial Finance/ Absence of an appropriate

the achievement of reporting Compliance mechanism of related party
objectives and transactions identification can
analyzes risks to lead to regulatory non-
manage them compliance and/ or financial
misstatements
21 Risk Assessment Assesses fraud IT Security IT Company infrastructure and IT
risk to the systems being used for
achievement of fraudulent activities thereby
objectives affecting the reputation and
increasing the legal risks
attached

22 Risk Assessment Identifies risks to Training Operations Changes in the procedure

the achievement of manual of a particular
objectives and department without the
analyzes risks to knowledge of its employees
manage them leads to dilution of the impact of
the changes implemented

23 Control Activities Selects and Evaluation Finance Risk of recurrence of issues if

develops control not evaluated and policies/
activities to procedures not modified
mitigate risks accordingly

24 Control Activities Selects and Financial Finance Risk of financial loss and/ or
develops control reporting financial misstatement in the
activities to absence of an established
mitigate risks physical verification of assets
mechanism
25 Control Activities Deploys control Payments and Finance Absence of policies will lead to
activities through reimburseme reimbursement/ allowance of
policies and nts non agreed expenses to the
procedures employees or reimbursement of
expenses over and above the set
limit to the employees.

26 Information & Communicates External BOD, Admin May result in

Communication externally Communicatio reputational/financial/reporting
regarding matters n risk due to erroneous
affecting internal communications to external
controls parties/ external reporting

27 Information & Communicates External Finance In the absence of clear

Communication externally Communicatio communicating channels for
regarding matters n external parties, employee/
affecting internal management malpractices may
controls not come to light, may have a
reputation risk with respect to
third parties

28 Information & Communicates Internal Admin Absence of clear communication

Communication internally, Communicatio on performance measures may
information n lead to ambiguities and increase
including in attrition levels
objectives and
responsibilities of
internal control

29 Information & Communicates Management Management Risk events, exceptional and

Communication internally, Oversight unusual events remain
information unreported to the management
including and hence the risk management
objectives and framework is not duly enhanced.
responsibilities of
internal control
30 Monitoring Evaluates and Financial Management, Inadequate process for obtaining
communicates reporting Finance third party confirmations to
deficiencies, to validate financial figures and to
enable corrective detect financial frauds.
actions being
taken

31 Monitoring Conducts ongoing/ Financial Finance Absence of review of the

separate reporting financials by management
evaluations to
confirm that
internal controls
are functioning

32 Monitoring Evaluates and Grievance and Management Inappropriate grievance

communicates dispute processes may lead to delay in
deficiencies, to resolution detection of frauds, misreporting
enable corrective mechanism of financial figures, need for
actions being provisioning due to disputes
taken

33 Monitoring Conducts ongoing/ Management Management, Process gaps, errors and

separate Oversight Finance misstatements may not be
evaluations to identified by the management
confirm that which may also lead to fraud or
internal controls non-compliance due to absence
are functioning of well established risk and
internal audit review system

34 Monitoring Conducts ongoing/ Management Finance Absence of communication of

separate Oversight deficiencies and monitoring
evaluations to corrective action may lead to
confirm that unremediated deficiencies and
internal controls resultant control gaps wrt ICFR
are functioning
Control Control Description Audit Step Key or Control Type of
Ref No. Non Key? exists? Control

C01 Board powers are clearly 1. Confirm the documentation Key Yes Manual
defined of Board powers and
delegation of authority done
by the Board.

2. Verify Board minutes and

meeting frequency. Verify
attendance records to ensure
participation and insights.

C02 1. Board minutes includes a 1. Verify that formal guidelines Key Yes Manual
statement acknowledging its have been provided by the
responsibility for ICFR Board.

2. Board provides broad 2. Verifiy that specific

guidelines for internal responsibility has been
controls and records formal allocated for establishing
delegation of authority for internal financial controls
establishment of controls.
C07, Board of Directors review the 1. Verify Board meeting Key Yes Manual
C08 performance of the company minutes where adequacy and
and adequacy of internal effectiveness of internal
controls through regular controls have been reviewed.
interactions with the Finance
Manager 2. Confirm that there are
regular interactions between
Budgets are established on Board members and Finance
yearly basis Manager through CFO, and
other key management
Monthly reporting is done by personnel to assess quality of
Finance Manager to the Group controls and review business
CFO who in turn reports to performance.
BOD.
3. Review budget variances,
exceptional items to assess
internal control gaps, if any.

C03 Policies are framed by the 1.Verify minutes of Board Key Yes Manual
Board wrt ethical conduct, meeting and Admin Manual/
anti-bribery and corruption, directions issued by the Board
anti-fraud. of Directors from time to time.

2. Review Appointment letter

of an employee.

C02 Directions are given by the Verify minutes of Board Key Partial Manual
Board to encourage process- meeting and
driven conduct, automation policies/directions issued by
and effective monitoring the Board of Directors from
across the organization. time to time.
C01 1. Financial powers in terms Confirm that Key Yes Manual
of signing /effecting banking authorization/approvals of
transactions is with the Directors is in place, review
Director. Board resolution to define
powers of Director
2. Also, all the major
contracts, agreements,
Purchase Orders are
signed/approved by the
Directors.

3. All the major decisions are

closely reviewed by the
respective HODs at Group
level before approval by the
Director.

C03, 1. Admin Manual gives a 1. Verify Admin Manual to Key Yes Manual
C19 reference to ethical standards ensure all updations are
expected from employees. included.

2. Appointment Letter 2. Verify Appointment Letter

includes relevant clauses of employee

C03 Management takes 1. Verify the mechanism for Key Yes Manual
disciplinary action for recording non-adherences/
violations/ non-adherence, in violations.
a timely and appropriate
manner. 2. Verify the evidence of action
being taken.
C05, 1.Adequate background Review the appointment Key Yes Manual
C09 verification is done for letters on sample basis for the
employees (Police Clearance, declarations obtained
Experience letter, etc.)

2.Majority of office staff is

hired through a placement
agency which is selected by
the management to ensure
right person for the right job

3.Declarations are obtained

from employees for non
disclosure and code of
conduct adherence as a part
of joining formalities

C05, 1. A rigorous recruitment and 1. Confirm the no. of exits and Key Yes Manual
C06, selection process is adopted the principal underlying
C09 to ensure selection of right reason/s.
employees for the right job.
2. Confirm that key positions
2. Majority of office staff is are not left vacant for a long
hired through a placement time.
agency which is selected by
the management

C10, 1. Promotions are based on 1. Review the appraisal Key Yes Manual
C12 well defined Performance process for appropriateness
Evaluation system. and confirm that there is due
process for redressal of
2. Management ensures a very appraisal related grievances.
low attrition rate.
2. Review attrition rate and
related analysis

C07, 1. Internal audits are done 1.Verify Internal audit scope Key Yes Manual
C15 quarterly as per pre-defined and reports
scope which is approved by
the management. 2.Review Board Minutes

2. Board meetings discuss

internal audit reports - key
findings.
 C11 1. Training for regulatory and Verify training process Key Partial Manual
process changes is imparted
on a timely basis as per either
client's requirement or
regulatory requirement.

2. Training is identified and

imparted as needed

C04 Formal risk management Review the risk management Key Yes Manual
policy is presented to the policy adopted by the
Board and approved by the Company
Board of Directors.

C22, C23 1. Business Continuity Plan 1. Review the BCP and DRP. Key Partial Manual
(BCP) and Disaster Recovery
Plan(DRP) are in place. 2. Review the data recovry
plan.
2. Data recovery plan is
established and operational.

C17 1. Regulatory changes are Verify formal assessment of Key No Manual

understood and assessed for key regulatory changes.
their impact on business.

2. Compliance tracker is filled

in at defined frequency and
updated periodically for
amendments.

C24 Periodic departmental Review modification in Key Yes Manual

reviews are done wherein processes, if any, by the
Finance team is also present; accounts team
review covers discussions on
changes in business practices
affecting financial statements.
 C13, 1.Management specifies 1. Verify financial statements Key Yes Manual
C15, C25 financial reporting rules and with adequate disclosures
standards which are
consistent with accounting 2. Verify statutory auditor's
principles suitable and report
appropriate for the entity.
3. Verify internal audit reports
2. Reviews by/consultations
with the Statutory Auditors as
required by the regulation
(annual review) or as
considered necessary by the
management, are done.

3.Internal audit coverage

extends to compliance review
and financial reporting
review.

C13, C25 1. Defined and documented Review financial statements Key Yes Manual
Financial Statement Closure and all other relevant
Process is in place. information.

2. Periodic updates are

received from professional
consultants.

C20, C26 1. Various compliances under Verify Board noting and Key Yes Manual
different statutes in relation approval of related party
to transactions with related transactions.
party (transfer pricing related
compliance and return filing)
are verified.

2. Board approval is taken for

related party transaction
C14 1. Access is restricted to 1. Review list of user-ids with Key Partial IT
users who are either access rights dependent
employees or authorized
personnel. 2. Verify protocol for access to
systems and policy
2. Password and user id highlighting security of user id
protected systems exist. and passwords

3. Deactivation of external
storage devices on company
PC's has been done.

4. Access to all public sites

and domains is restricted.

C27 Periodic review of process 1. Verify that the manuals are Key Yes Manual
manual is done and updates periodically reviewed.
are communicated to all
employees concerned. 2. Verify evidence of
communication of changes to
employees.

C15 Periodic internal audit is done Verify internal audit reports Key Yes Manual
by an external agency and available, and record of
changes made basis agreed resolution of agreed actions.
actions.

C16, 1. Physical verification of fixed 1. Verify fixed asset Key Yes Manual
C20 assets, cash is done. verification report and check
for periodicity
2. Third party and bank (CARO, 2015)
balance confirmations
statements are taken. 2. Verify third party
confirmations.
3. Board discusses findings of
physical verification of assets/ 3. Verify records showing full
discrepancy resolution particulars - quantitative
details and situation of fixed
assets
(CARO, 2015)
4. Verify Board meeting
minutes
 C03 All financial policies relating Verify remuneration structure Key Yes Manual
to employees are in place for financial policies relating
along with defined level of to employees.
approvals.

C03 1. Clear identification of Verify the Admin Manual for Key Yes Manual
persons authorized to communicating with external
communicate with external parties
parties on relevant company
matters.

2. A formal social media

policy is in place.

C03, C18 There are properly identified Review grievance mechanism Key Yes Manual
communication channels and sexual harassment policy
(email ids) for third parties
under grievance mechanism,
sexual harassment policy

C28 Clear communication of the Verify the communication for Key Yes Manual
Key Result Areas in the the KRAs
evaluation process

C07, 1. Formal communication 1. Verify periodic MIS on Key Yes Manual

C08, C29 process established for sample basis
escalating disruption to
operations, occurrence of risk 2. Verify management and
events and any material Board meeting minutes
exceptional event.

2. Periodic MIS/ dashBoards,

highlighting of all exceptions.

3. Board meeting,
management review meeting
discuss unusual events.
C16 1. Third party confirmations Verify confirmations obtained Key Yes Manual
obtained from banks, debtors, from counter parties and
related parties Government website (such as
Income Tax) for reconciling
2. Web based review done to statutory figures and other
assess tax status, TDS status, balances.
regulatory compliance related
numbers.

C07, Monthly MIS consisting of Verify financial statements/ Key Yes Manual
C08 financial statements and other reports, periodic MIS and
operations, reconciliations reconciliations
prepared by Finance Manager
are reviewed and analyzed by
Group CFO

C03 Employee grievance policy (to Verify policy to resolve Key Yes Manual
resolve complaints and complaints and grievances, as
grievances) forms part of stated in Admin Manual
Admin Manual

C03, 1. Internal audit function 1. Verify Internal Audit reports Key Yes Manual
C07, reports to Board of Director
C15 and highlights deficiencies 2. Verify meeting minutes
observed.
3. Verify sample policies and
2. Polices and processes are process notes
introduced and revised from
time to time to plug identified
gaps and controls lapses.

C21 Formal roll out of ICFR policy 1. Check ICFR framework and Key Yes Manual
and testing process for control documented RCMs
design and effectiveness
2. Check the process adopted
for testing control design and
operational effectiveness
 Nature Control Document/ Evidence
Frequency

Preventive Ongoing 1. Board powers are derived from Companies Act, MoA
& AoA. Also, for Directors appointed during the year,
Board Resolution passed to define general powers of a
Director.

2. Board meeting has been held once every quarter.

Attendance records maintained have been reviewed.

Preventive Ongoing Board minutes documenting guidelines for Internal

Financial Controls and formal delegation for
establishment of internal controls.
Preventive Monthly 1. Minutes of Board Meetings where the Internal Audit
reports are reviewed and adopted by the Board.

2. There is an established process of monthly

reporting on operations, performance and financial
reporting

3. Monthly MIS prepared by the Finance Manager is

reviewed by the Board of Directors

Preventive As and when Admin Manual broadly covers Mission Statement &
Quality Policy, Business Principles and Ethics, Policy
on Personal Conduct and Disciplinary Procedures
(covering examples of serious misconduct such as
Anti-bribery and corruption, Anti-fraud) and attention
is drawn to the same in the appointment letter
provided to the employees.

Preventive As and when Board minutes for FY 2015-16, Admin Manual, various
other documented policies such as CSR
Preventive Ongoing Board resolution defines power of Director and for
signing authority

Preventive As and when 1.Admin Manual revised in Apr 2015.

2.Appointment letter of employees contains clause for

code of conduct and confidentiality of information

Preventive As and when Open communication is encouraged and the

organization has several informal processes that
would bring violations, if any, to light.
 Preventive As and when 1.Appointment letter of employees contains clause for
code of conduct and confidentiality of information. On
joining, signoff on Appointment Letter is taken from
the employees.

2.Background verification is done

Preventive As and when Hiring is done on the basis of past experience.

Adequate documents are collected before the
employees are recruited. Certain background checks
are performed.

Preventive Annually 1. Performance based incentives are given based on

internal appraisals through a structured process.

2. Functional heads are appraised by Group level HODs

Policies are conducive to talent attraction and
retention.

Both : As and when Internal audit reports

Preventive &
Detective
 Preventive As and when Training Certificates/ Course Certificates

Preventive Ongoing Risk Management Policy

Preventive Ongoing Data recovery plan is established and operational as

evidenced and as explained by IT executive in terms of
back-up. However off site storage of back up is not
kept.

Preventive As and when -

Both : As and when Once discussed, the changes required to be made in

Preventive & various business departmental processes that have an
Detective impact on financial reporting are communicated to the
concerned Heads.
 Both : As and when 1. Accounting policies and principles followed are
Preventive & stated in the 'Notes to accounts' in the financial
Detective statements (Compensating control in place of
Finance manual).

2. Circulars/email issued for closure of financial

transactions is shared

3. Internal audit is done by professional firm and

Internal Audit Reports identifies the issues observed

4. Annual review is done by Statutory Auditors.

Both : Annually 1. Financial Statement Closure Policy.

Preventive &
Detective 2. Email updates received from professional consultant
by CFO, Accounts & Finance Manager.

Preventive As and when Related party disclosures as required under

Companies Act in Board minutes reviewed
 Preventive Ongoing List of user-ids with access rights

Preventive As and when Process Manuals reviewed and revised in Apr 2015.

Detective As and when IA Reports

Both : Annually 1. Fixed Asset Register

Preventive &
Detective 2. Third party confirmation

3. Board Minutes
 Preventive As and when Remuneration Structure (CTC Sheet)

Preventive Ongoing Admin Manual

Both : As and when 1. Admin Manual and Sexual Harassment policy

Preventive &
Detective 2. Dedicated email id created to register complaints.
Details available on company website.

Preventive As and when Defined KRA

Both : Monthly Monthly reporting is done by the Finance Manager to

Preventive & Group CFO for Balance Sheet, Profit & Loss, cash flows
Detective and working capital, Budget Vs. Actual
 Detective Annually Third Party confirmations

Both : As and when Monthly reporting is done by the Finance Manager to

Preventive & Group CFO for Balance Sheet, Profit & Loss, cash flows
Detective and working capital, Budget Vs. Actual

Both : Ongoing Admin Manual consists of grievance policy

Preventive &
Detective

Both : Ongoing 1.Board Minutes

Preventive & 2.Internal Audit scope & reports
Detective

Both : As and when 1. RCMs documented

Preventive &
Detective 2. RCM-based testing of control design and operational
effectiveness has been planned and rolled out.
Deficiencies Reference to
Document

- Board Minutes

MoA & AoA of the

Company

- Board minutes for

FY 2015-16
 - 1.Board Minutes
2.MIS for the month
of December, 2015

- 1.Admin Manual
2.Appointment letter

Certain SOPs have not been 1. ISO Manual,

documented 2.Admin Manual
3.CSR Policy
4. Board minutes for
FY 2015-16
- Board minutes for
FY 2015-16

- 1.Appointment
letters of employees
2.Admin Manual

- Admin Manual
- 1.Appointment letter
of office staff
2.Police Clearance
Certificate(PCC),
Experience
Certificate, Salary
Slip

- CV along with all the

certificates and
supporting
documents

- Performance
Appraisal Form

- 1.Board Minutes
2.Internal Audit
scope & Reports
Training for Accounts & Finance Training
staff for regulatory & compliance Certificates/ Course
changes not conducted Certificates

- Risk Management
Policy

1. Absence of Business Continuity -

Plan (BCP)/ Disaster Recovery
Plan(DRP).

2. No facility for off-site storage of

back up.

Compliance Tracker is not -

maintained

- -
- -

- -

- Board Minutes
Access to public sites and domain List of user-ids with
has not been restricted access rights

- Existing ISO manual

- IA Reports reviewed

- 1. Fixed Asset
Register

2. Third party
confirmation
3. Board Minutes
- Remuneration
Structure (CTC
Sheet)

- Admin Manual

- Admin Manual and

Sexual Harassment
policy

- Defined KRA

- MIS for the month of

December, 2015
- Third Party
Confirmations

- MIS for the month of

December, 2015

- Admin Manual

- 1.Board Minutes
2.Internal Audit
scope & Reports

- -
Remedial Plan Remarks

- -

- -
 - The established process of regular reporting
is sufficient in view of the size of the company
and nature of its operations.

The style of management is 'hands on' and

Board meetings are more procedural; hence,
Board meetings may not provide details of
budget/performance reviews etc.

We are explained that the Group CFO is in

continuous communication with Finance
Manager to overview Financial matters. He in
turn, communicates with BOD to update the
same.

- -

Document various SOPs for standardization of Some of the standard Operating Procedures
processes and to have process-driven functioning are not formally documented such as SOPs for
rather than people-driven functioning. Accounts & finance department. ISO manual
covers certain parts of Operational/Business
activities.
However, various initiatives taken by the
Board of Directors and Finance Manager
evidencing the intention to establish internal
controls and effective monitoring - e.g.
documentation of various policies
- Organization structure is defined. However, all
the approvals and signing authority is
restricted with Director. Also, there is dotted
line of reporting at Group level for all the
functional HODs.

- There is no performance based incentive

scheme in the company. Increments are
finalized basis effective performance
appraisal process

- If any violations/non adherence observed,

appropriate steps are taken by the
management including termination of
employees
- -

- Exit interviews are conducted for employees.

- -

- -
Provide training related to regulatory changes, -
financial reporting regulations etc. to Accounts &
Finance staff

- As informed to us, at Group-level, risk matrix

and risk register is maintained for financial
risk by the Group CFO

Develop and document Business Continuity Plan

(BCP)/ Disaster Recovery Plan(DRP).

Maintain compliance tracker ensuring that all statutory -

compliances are included

- -
- -

- -

- -
Restrict access to public sites and domains. -

- -

- -

- Board meetings are more procedural; hence,

Board meetings may not provide details of
budget/performance reviews.
- -

- -

- -

- -

- -
- -

- -

- -

- -

- -