Directors are the custodians of a corporate entity. They are under a fiduciary responsibility to operate the business under a system of governance and controls, which reinforces stakeholders' trust and confidence in the entity. The Companies Act, 2017 obligates the directors of public companies to make a statement in the directors' report on the adequacy of internal financial controls. The Code of Corporate Governance applicable to listed companies also requires the directors to state that there is an effective system of internal control operating in the company.
Therefore, the fiduciary responsibility, the obligation under company law and the requirements of the Code of Corporate Governance all point to the fact that directors have to not only set up but also effectively operate the internal control system and make an explicit confirmation about it.
Looking at the prevalent practice, particularly in the case of listed companies, directors have been publicly confirming the existence of a well-designed internal control system. However, one would ask whether they really understand, and have seen, the proper structure of an internal control system. Have they ever checked that the internal control system whose effectiveness is being confirmed is based on recognized principles or a framework? What has been the basis of the management's reporting to the directors on the design and operation of internal controls?
However, it is a fact that the legal provision, though mandating the requirements relating to internal controls, does not spell out the recognized meaning of internal control or the basis on which the directors are to give the adequacy statement. To understand the point, consider that for preparing and reporting the financial statements of a company there are prescribed financial reporting frameworks such as International Financial Reporting Framework (IFRS). Such a framework provides principles and guidance on matters of accounting and reporting and is accordingly referred to when the financial statements that the directors approve and authenticate are prepared.
In the absence of a defined framework or principles of internal control, companies have whatever system of internal control they consider appropriate. This exposes the company to uncertainty over whether all risks to achieving its objectives have been considered, whether the relevant controls mitigating those risks are in place and whether, where deficiencies exist, they are handled in a structured and timely manner.
The common internal control frameworks followed internationally include the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control - Integrated Framework, the Canadian Institute of Chartered Accountants' (CICA's) Criteria of Control Framework (CoCo), the Basel Committee on Banking Supervision's Framework for Internal Control Systems, Control Objectives for Information and Related Technology (COBIT) and International Organization for Standardization (ISO) Standards. However, it is believed that the COSO Framework is one of the most widely recognized and applied risk management frameworks in the world.
Considering the significance of internal controls in helping an entity improve its performance and achieve important objectives, the regulators and directors should revisit the open-ended statement about the adequacy of internal controls in a company.