Genesis | The Sarbanes-Oxley Act (‘SOX’)

Assessments of ICFR for the effectiveness of their design and operation, gained prominence with SOX in 2022. Following accounting scandals at significant organizations (such as Enron, Tyco International and WorldCom), Section 404 of SOX introduced the requirement for public companies in the United States of America (‘USA’) to establish and report on their ICFR.

Companies listed in USA need to include their own assessment of the effectiveness of their internal controls (management assertion), as well as have their auditor attest on the management assertion, in their annual reports. Publicly listed companies in the USA also need to document, test and maintain their internal controls and procedures on an ongoing basis.

Equally significant is the personal accountability of signing officers on disclosure controls and procedures, which through Section 302 of SOX requires the principal executive and financial officers of a company (typically the CEO and CFO) to personally attest that the published financial information is accurate and reliable. These officers need to make their attestations within the quarterly 10-Q and annual 10-K reports that are filed with the Securities Exchange Commission.

Control assessments in India

With the advent of SOX in the USA, India also established new corporate governance norms under Clause 49 of Listing Agreement, which first came into effect from December 31, 2005 and have been mandatory for all listed companies ever since. However, Clause 49 made the requirement for IFCs broader to encompass ICFR, in addition to other controls (such as those stated in the ensuing section).

The second area where the requirements for assessing IFCs in India has deviated from SOX is in terms of its coverage. While SOX is applicable at a consolidated financial statement level and requires only material subsidiaries to be covered, the listing regulations in India (as amended from time to time) and specific provisions of the Companies Act 2013 (‘the Companies Act’) require the assessment of IFCs and ICFR to be undertaken at a stand-alone entity level.

IFC v/s ICFR

IFC has been defined under explanation to Section 134(5)(e) of the Companies Act as policies and procedures adopted by a company for ensuring the orderly and efficient conduct of its business, including adherence to the company’s policies, safeguarding of its assets, prevention and detection of frauds and errors, in addition to the accuracy and completeness of the accounting records and the timely preparation of reliable financial information. This is where the concept of controls assessment moves beyond ICFR to include internal controls relating to operations, compliances and fraud prevention.

ICFR has been defined in the guidance note issued by the Institute of Chartered Accountants of India in September 2015 and this definition is consistent with Auditing Standard 5 on "Audit of Internal Control Over Financial Reporting that Is Integrated with An Audit of Financial Statements" issued by the Public Company Accounting Oversight Board, USA. According to this definition, ICFR refers to a process which is implemented by those charged with governance and management to provide reasonable assurance that a mechanism of internal control is in place to achieve the following main objectives:



• Preparation of financial statements as per the applicable financial reporting framework.
• Authorized transactions & events reported in the financial statements as per the established protocols.
• Prevention, timely detection and amendment of any unauthorized use of assets.

Applicability in India

IFC and ICFR are applicable to all companies except for those specifically exempted by the Ministry of Corporate Affairs. IFCs and ICFR are applicable without any terms and conditions for listed companies and public unlisted companies. ICFR is applicable to private companies, whose turnover is greater than 500 million or outstanding loan & borrowings from the bank are greater than 250 million.

The provisions in the Companies Act that draw specific references to IFCs and ICFR with the roles of the respective stakeholders are covered below.

The management should assess the scope of coverage of their assessment of IFC or ICFR (as the case may be) on quantitative and qualitative aspects, after considering the company’s size, complexity, global reach and risk profile.

The statutory auditor should make an independent attestation of a company’s ICFR; which is possible when it has no role in enabling or assisting the management in forming their assertion over the design and operation of the same.

Companies that choose to undertake this exercise objectively will unlock value from this assessment, reduce fraud risk, avoid financial reporting surprises and facilitate sustained business performance over the long term. 

Should you require any clarifications or assistance, please do not hesitate to reach out to us at contactus@mgcglobal.co.in.

Best regards

Markets Team

MGC Global Risk Advisory

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 5 billion) that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in over 100 countries, who have over 28,000 professional staff and over 6,000 partners operating from nearly 700 offices across the globe.

Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.