This material has been prepared by SKL & Associates on a specific request from you and contains confidential information. The information contained in this material is intended solely
for you; any disclosure, copying or further distribution of this material or the contents thereof is strictly prohibited.
• Journey
• IFC Requirement as per Companies Act 2013
o Overview of the Company
o Areas Covered
o Approach & Methodology of IFC
o ELC Framework
o Testing Controls for Operating Effectiveness
• Key Recommendations
Section 4 Section 5
Companies Act 1956
• No reporting responsibility for Board of Directors, Audit Committee and Independent Directors
• Statutory Auditors expected to report on adequate internal control procedures for purchase of inventory and fixed assets and for sale of goods and services under CARO 2003
Board of Directors (Section 134#)
State in Director's responsibility statement that directors
- had laid down internal financial controls to be followed by the Company
- and that such internal financial controls were adequate and operating effectively

Audit Committee (Section 177#)
- Evaluation of Internal Controls and risks management systems
- Call for/discuss the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors and review of financial statement before their submission to the Board and
- May also discuss any related issues with the internal and statutory auditors and the management of the company.

Statutory Auditors (Section 143#)
- Report on whether the company has adequate internal financial controls system and operating effectiveness of such controls.

Independent Directors (Schedule IV#)
Satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible
Information Technology: General IT Controls
• Program Development
• Program Changes
• Access to programs and data
• Computer Operations
• IRCON operates not only in a highly competitive environment but also in difficult terrains
and regions in India and abroad and is an active participant in prestigious nation building
projects. IRCON has so far completed more than 300 infrastructure projects in India and
more than 100 projects across the globe in more than 21 countries.
ENTITY LEVEL CONTROLS
• Control Environment: Foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets.
• Risk Assessment: Review and monitoring of annual Plan, Existence of Risk Management Policy, Appointment of Independent directors
• Control Activities: Actions taken to minimize risk and it includes policies, procedures, techniques, and mechanisms that helps to ensure management's response to reduce risks identified during the risk assessment process.
• Information Systems & Communication: Existence of IT Strategy Committee, Disaster Recovery Plan, Existence of a robust Management Information System.
• Monitoring: Change Management process. Audit committee reviews the internal audit reports; maintain regular surveillance over different activities
Management
• Full and Final Settlement
• Assessment of investment proposal
Treasury
• Approval & Authorization before making Investments
• Authorisation for procurement
• Purchase quotation for fixed assets
• Safe Custody of Investment Related Documents
• Accounting of Investments & its Income
• FAR Maintenance
• Valuation of Investments
• Insurance of Fixed Assets
• Depreciation
• Physical Verification
• Recording of Prepaid Expenses
• Sale/Disposal
• Provisioning
• Chart of Accounts
• Vouchers – preparation and authorisation
• Fund Projection
• Contingent Liability
• Authorisation & Approval of transaction
• Deferred Tax
• MIS reporting to Senior Management
• Related Party Transactions
• Bank Documentation
• Impairment of Fixed Asset
• Bank Payments
• Inter Unit – Reconciliation
• Bank Electronic Payment
• Exchange Fluctuation
• Bank Receipt
• Balance Confirmation
• Bank Reconciliation
• Variance Analysis
• Bank charges
• Consolidation of Projects
• Cash Insurance Policy
• Cash Payments
• Cash Verification
Strictly Private & Confidential
Information Technology General Controls
This head covers the major IT risks. Major components covered are as follows:-
• Policies, Procedures & Data Classification
• Accountability of Action
• Safeguarding of user accounts
• Access Control & Password management
• Uniformity & Integration of ERP
• Backup and Monitoring
• Network or System Security & Asset License Management
In respect of I.T. General Controls, existing controls have been taken as explained by the IT team of Ircon International Ltd.
METHODOLOGY

Establish Context & Scope – Validation of Existing Documentation
• Performed account level materiality and chart of accounts analysis
• Reviewed existing documentation to identify gaps in documentation for material accounts
• Detailed project plan prepared and process owners identified
• Communication and reporting protocols identified

Entity Level Controls Assessment
Circulate questionnaire to evaluate Entity Level Controls (ELC) to evaluate following components:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring

Test of Design and Process Level Controls
• Interviewed key operating personnel & updated the existing documentation
• Test control design effectiveness by conducting process walkthroughs (TOD)
• Identification of control points with improvement opportunities
• Understanding the root cause for the design weakness to the extent practical
• Remedial action recommended for gaps identified, in line with leading practices

Test of Operating Effectiveness
• Agree upon sampling methodology with the management
• Test Operating Effectiveness (TOE) for the key controls identified, for the agreed sample. TOE have been performed for controls where TOD was effective.

DELIVERABLES
• Process Flow Chart
• ELC Assessment Matrix
• Risk & Control Matrix
• Report of TOE
ELC Framework
Control Environment 5 18
Risk Assessment 4 17
Control Activities 3 15
Monitoring Activities 2 9
Total 17 73
[Chart: Organizations Objective, Controls. Legend: Effective, Design Gap, Ineffective, Partly Ineffective. Values shown: 84%, 11%, 2.5%, 2.5%.]
Management Comments: Analysis of participation in tender and results thereof are being carried out by
BD cell. However a record of such analysis shall henceforth be maintained for future reference.
PROJECT OPERATION
Sub Process: Contingency Plans (PO 8)
Control Objective: To ensure that contingency plans are well established by the company before execution of work.
Risk Description: Non-establishment of contingency plans may lead to failure of planned execution of work.
As Is Control: The company keeps contingency provision with the main plan of execution. Normally, the company gets the work executed through subcontractors. In case of failure of one subcontractor, work is awarded to another contractor. In case of contingency, the company has its own plant & machinery which can be deployed at projects at short notice to execute the projects.
Ineffective Controls: The company does not have any laid down contingency plan.
Recommendations: The company should formulate Project Specific contingency plans for the risks associated with its critical functions.
Management Comments: These have been laid down in the Risk Management Policy of the Company.
The contingency management also includes events like re-tendering, Risk & Cost Tendering and limited
departmental working etc. However, suggestion related to Project Specific contingency plans are noted
for review.
Management Comments: The Right & Responsibilities of the employees in SAP have now been defined to
fix the responsibilities and accountability of each employee.
PROJECT OPERATION
Sub Process: Selection Criteria of parties (PO 7)
Control Objective: To ensure that there is proper procedure followed for selection of subcontractors, suppliers and third parties.
Risk Description: Selection of the party without evaluation may lead to failure of job.
As Is Control:
1. The company has a proper tendering system for selection of subcontractors, suppliers & third parties.
2. Generally, railway related items are purchased from the RDSO approved vendor list. In some cases, tenders are invited from the vendor list approved by the client. Generally, other procurements are made after selecting parties on pre-qualification criteria.
Ineffective Controls:
1. As per agreement with subcontractors, the company has to evaluate performance of subcontractors periodically. If the performance is found unsatisfactory (<85% for Works Contract), as per the parameters set by the company, the subcontractor is liable to be declared a 'Non-Performer' and will be ineligible for participation in future tenders for a period of 2 years from the date of such decision. However, the company has not been evaluating the performance of such subcontractors periodically.
2. During our testing we have found some cases where, in an open tender, only a single bidder has quoted. In spite of such poor response in a high value tender, tenders have been finalised at much higher rates than the estimated cost and the option of retendering was not considered.
3. Also, in some of the cases, negotiations were not made with the L1 bidders.
Recommendations:
1. The company must evaluate the performance of such parties on a periodic basis and accordingly a 'Non-Performer Subcontractor' should not be considered for future contracts.
2. It is suggested that in case of high value tenders, where quoted rates are much higher than the estimated rates, the tender committee should also consider justification of rates quoted against estimated cost. Otherwise the option of retendering may also be considered except in case of urgency.
3. Negotiation should be made with the L1 bidder in all cases and the same should be documented in the minutes of the Tender Committee.
PROJECT OPERATION
Management Comments: 1. Guidelines of the company in tendering procedure are properly followed and depending on
the performances of the Agencies, they are declared as a non performer contractor, as per their performance and are
disqualified in the technical qualifying stage in case of future open tenders and are banned from the business as per
company norms. In case of Limited tender the non performer subcontractors are not considered in the shortlisted list of
vendors.
2. Retendering is followed in case of limited tender when the bidder is one but not generally followed in case of open
tender if the quoted rates are well within the estimate & prevailing market rates as well as sanctioned estimate of client.
However recommendation will be considered and examined and will be applied from case to case basis.
3. Regarding negotiations with L-1, instructions of CVC issued vide Circular No. 01/01/10 dated 20.01.2010 are
reproduced below : "it is clarified to all concerned that- there should normally be no post tender negotiations. If at all
negotiations are warranted under exceptional circumstances, then it can be with L-1 (Lowest tenderer) only if the tender
pertains to the award of work/supply orders etc., where the Government or Government company has to make
payment."
PROJECT OPERATION
Sub Process: Bank Guarantee (PO 14)
Control Objective: To ensure that original bank guarantees are retained in records. To ensure that bank confirmations are taken. To ensure the validity of BG.
Risk Description: Inadequate control over bank guarantees may lead to financial losses to the company.
As Is Control: Bank Guarantees are kept in original at projects with Finance Heads under safe. Time to time confirmations are received from issuing bank. Also, to ensure validity of BG, a proper mechanism is in place for intimation in advance.
Ineffective Controls:
1. Bank Guarantee details are not posted in SAP. This may lead to chances of errors or omission.
2. One original BG for Rs. 16,44,504/- issued on behalf of M/s Polycab Wires Pvt. Ltd. has been misplaced at CE-06 Project.
Recommendations:
1. It is suggested that BG details should be posted in SAP on a timely basis to have centralised control over Bank Guarantees.
2. Also, the company may use the SFMS (Structured Financing Messaging System) facility of the bank as bank confirmation to verify the genuineness of the BG.
PROJECT OPERATION
Sub Process: Material in Store (PO 15)
Control Objective: To ensure that stock is maintained properly.
Risk Description: Excess/shortage of stock may lead to fund blockage or delay in work.
As Is Control: The company procures the material as per the agreement and work progress. Also, all stock is kept secure.
Ineffective Controls:
1. The company does not maintain its stock details in the accounting system. The stocks are maintained manually.
2. Stock is physically verified on annual basis instead of quarterly basis.
3. During our testing at Banihal Project, we have found that stock of more than 3 years, amounting to Rs 4.43 crores, is maintained by the project.
4. More than half of the stocks are kept in open area at Banihal (Jammu) and RAPDRL (Jammu) Project.
Recommendations:
1. It is suggested that inventory should be maintained in the accounting software to have better control.
2. Inventory should be verified on quarterly basis instead of annual basis.
3. For inventory of more than 3 years, expert advice needs to be taken for its further use and accordingly valuation should be made in the books. In future, proper care should be taken at the time of purchase of materials to avoid further blockage of funds. If possible, minimum or maximum level should be fixed for the inventory.
4. Inventory should be kept under shed in a secure environment.
5. It is suggested that on a periodical basis physical verification should be conducted of the materials held with sub contractors and confirmation for the same should also be taken.
Management Comments: Implementation of Material module in SAP is under consideration. Taking into account the
nature of the business, materials are periodically reviewed by the project authorities. The items which are fixed at open
area like sleepers, rails, transformer etc are kept in open area only. However their proper records are maintained.
PROJECT OPERATION
Sub Process: Compliances of Law & Regulations (PO 16)
Control Objective: To ensure that labour laws, local laws or other applicable laws are being implemented by the subcontractor properly.
Risk Description: Non-compliance with laws and regulations may lead to legal disputes or penalties.
As Is Control: The company is doing work in compliance with laws and regulations.
Ineffective Controls:
1. As per the agreement with the client, it is the company's liability to comply with the labour laws. But we have found cases where sub contractor labours are working for more than 12 hours per day (normal working hours 9 hours) and no overtime wages are paid to them for the extra 3 hours.
2. Also, the company has no control over the PF of the subcontractors' labours.
Recommendations:
1. The company should take the attendance sheet of the sub contractor labours to verify their overtime wages.
2. Electronic Challan Cum Return (ECR) should be taken by the company from every sub contractor to verify the status of PF of the labours, as the company is the ultimate principal of the labours working on the projects.
Management Comments: 1. To develop an effective mechanism for ensuring compliance of labour laws, Project Head and Coordinating
Head at Corporate Office have been made responsible.
2. A list of labour laws applicable to Ircon's projects is attached herewith.
3. HRM Deptt. has already written various letters to Project-Heads for taking copy of pay-roll of every sub-contractor before releasing their
payments.
4. The Consultant has passed remarks that the Company has no control over the PF of the sub-contractors' labour. As per the provisions of
the Employees' Provident Fund Act, each establishment having 10 and more employees in a calendar year has to get itself registered with
EPF authorities and the establishment itself will be responsible for timely deduction of PF from the wages of its employees and depositing
the same with EPF authorities, along with matching contribution of the employer. Suggestion are noted for compliance as per Labour Laws.
Table columns: Sub Process; Control Objective; Identification of Risk of Material Misstatement ("What Could Go Wrong") / Risk Description; As Is Control; Ineffective Controls; Recommendations
Management Comments: Inter unit reconciliation is being done on a regular basis. However, figures are not being frozen
at the end of each quarter. The same will be taken care of in FICO module implementation.
IFC Consultant Further Comments : Balance Confirmation letters which are undelivered needs to be examined.
Management Comments: Will be taken up in the forth coming HCM module of ERP implementation.
Management Comments: Implemented for FICO module in SAP. When all other modules like PS, HCM, MM etc are
implemented the entire system will be integrated.
Management Comments: As regards preparation of unaudited results as per Ind AS, this being first year of
implementation of Ind AS, full fledged unaudited accounts could not be prepared as per Ind AS. However, we have
attempted to prepare unaudited results for the quarter ending December 16 and put up to Audit Committee. Annual
Accounts are prepared as per Ind AS. In view of above, this may not be treated as weakness in the system.
IFC Consultant Further Comments : Mitigation plan of the identified risk are not yet implemented throughout the
organization.
Management Comments: The Right & Responsibilities of the employees in SAP have been defined now to fix the
responsibilities and accountability of each employee.
Table columns: Component; Principle No.; Principle; Focus No.; Point of Focus; Entity Actual Control; Remarks; Recommendation
Management Comments: It has been implemented for FI module and P&L Account and Balance Sheet is being generated
through SAP. Payroll will be integrated with the SAP in 2017-18.
HIRE TO RETIRE
Sub Process: Leave Record (H2R 6)
Control Objective: To ensure that posting of leaves is accurately done in system
Risk Description: Leaves not properly recorded may lead to financial losses to the company.
As Is Control:
1. Concerned Departments send the leave of their personnel to AO (HR) on monthly basis. These details include only Earned Leave (EL), Leave Half Pay (LHP) and Leave Without Pay (LWP). AO (HR) records the leaves in SAP & further sends it to DGM (Payroll) for salary processing.
2. The details of Casual Leave (CL) and Restricted Holiday (RH) are not being recorded in SAP and the data is maintained at department level only.
3. The leave records of project employees are not being recorded in SAP on a timely basis.
Ineffective Controls:
1. Biometric system is not followed at the projects.
2. CL and RH are maintained manually by department instead of being recorded in SAP.
Recommendations:
1. To have better control over attendance, a biometric system should be installed at projects and salary would be processed accordingly.
2. CL and RH should also be maintained in SAP for proper control.
Management Comments
1. Leave Record can be maintained with timely update in IRCON's Intranet also as all employees have access to
Intranet. This will be examined and taken up during the forthcoming implementation of HCM module.
2. It is not practical to install biometric system at projects as project officials go to their respective sites instead of
reporting at project office. However, possibility of biometric attendance at project offices will be explored.
PROJECT OPERATION
Sub Process: Safety & Insurance (PO 11)
Control Objective: To ensure that project has safety measures and its assets are adequately insured.
Risk Description: Uninsured assets may lead to financial losses to the company.
As Is Control:
1. There are safety manuals and policies in the company.
2. Assets are adequately insured at projects.
3. There are adequate safety measures at project locations.
Ineffective Controls: During our visit to Tunnel T-49 (Jammu Banihal Project), we have found less no. of fire extinguishers and sand buckets.
Recommendations:
1. The number of fire extinguishers and sand buckets needs to be increased.
2. Labours should use safety helmets with helmet lamps.
3. Entry register should be properly maintained at each tunnel and site office.
Management Comments
1. Sufficient no. of fire extinguisher are available as per requirement. However as suggested adequacy of number of fire
extinguisher will be explored.
2. Helmet is used by all who enters in tunnel. Tunnel is always illuminated so helmet torch is not required. And there is
power back also in case of electricity failure.
PROJECT OPERATION
Sub Process: Billing (PO 12)
Control Objective: To ensure that billing for the work to the client is made properly and on timely basis.
Risk Description: Incorrect billing or billing not done on time will lead to loss of revenue and opportunity cost.
As Is Control: Billing is being done to the client as per defined schedules in the project agreement.
Ineffective Controls: In Item Rate Contracts, billing is made to the client on the basis of the In-house Engineer's Report. In CE-06 project, it was observed that there was a huge difference between the proforma bill raised to the client and the amount approved by the client for payment.
Recommendations: It is recommended that projects should ensure that work is certified properly before raising the bill to the client.
Management Comments : The same is being followed in the projects. Further, IRCON functions as “Engineer” in the cost
plus projects and are authorized for certification as per MOU with client and bill to client. Clients recoup the bill only in
terms of MOU.
In the Item Rate contracts the bills are being raised by IRCON as per IRCON's measurement. The client re-checks the
measurements and certify the bills as per BOQ/Drawing and sometimes the difference arises due to different reasons.
After deductions the matter is taken up with the client and reconciled with reasons for deductions. After approval of the
deviation etc. by the competent authority the balance amount is released. However measures will be taken to minimise
the difference between bill raised and accepted.
The company is having the Whistle Blower Policy for their employees to report to
the Management, concerns about unethical behaviour, actual or suspected fraud,
or violation of the company’s code of conduct or ethical policy and to provide the
necessary safeguards against victimisation of employees.
There are no cases which are registered under Whistle Blower Policy in past three
years.
processes.
FY 2017-18 and
• Document remediation plan for controls failing the test of design effectiveness
• Communicate the remediation plan to all concerned process owners for action