
SKL & Associates

Internal Financial Controls for IRCON INTERNATIONAL LTD.

This material has been prepared by SKL & Associates on a specific request from you and contains confidential information. The information contained in this material is intended solely for you; accordingly, any disclosure, copying or further distribution of this material or of its contents is strictly prohibited.

SKL Strictly Private & Confidential


Contents

Section 1
• IFC Requirement as per Companies Act 2013

Section 2
• Journey
  o Overview of the Company
  o Areas Covered
  o Approach & Methodology of IFC
  o ELC Framework
  o Testing Controls for Operating Effectiveness

Section 3
• Key Recommendations

Section 4
• Limitations of Internal Control

Section 5
• Way Forward



Section I – IFC REQUIREMENT AS PER COMPANIES ACT, 2013


Changing landscape of Corporate Governance

Companies Act 1956
- No reporting responsibility for Board of Directors, Audit Committee and Independent Directors.
- Statutory Auditors expected to report on adequate internal control procedures for purchase of inventory and fixed assets and for sale of goods and services under CARO 2003.

Companies Act 2013
- Board of Directors (Section 134#): State in the Directors' Responsibility Statement that the directors had laid down internal financial controls to be followed by the Company, and that such internal financial controls were adequate and operating effectively.
- Audit Committee (Section 177#): Evaluation of internal controls and risk management systems; call for/discuss the comments of the auditors about internal control systems, the scope of audit, including the observations of the auditors, and review of financial statements before their submission to the Board; may also discuss any related issues with the internal and statutory auditors and the management of the company.
- Statutory Auditors (Section 143#): Report on whether the company has an adequate internal financial controls system and on the operating effectiveness of such controls.
- Independent Directors (Schedule IV#): Satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.

# Relevant Sections of Companies Act 2013


Who all need to Comply?

A glance at the applicability requirements w.r.t. various classes of companies

1. Listed Companies
• Director's Responsibility Statement (Section 134)
• Audit Committee (Section 177)
• Independent Directors (Schedule IV)
• Statutory Auditor Report (Section 143)
• Clause 49 (Listing agreement)
• Rule 8 of the Companies (Accounts) Rules, 2014

2. Specific class of companies*
• Audit Committee (Section 177)
• Independent Directors (Schedule IV)
• Statutory Auditor Report (Section 143)
• Rule 8 of the Companies (Accounts) Rules, 2014

3. Other Companies
• Statutory Auditor Report (Section 143)#

* Specified class of companies:
• public companies with a paid up capital of Rs.10 Crores or more;
• public companies having turnover of Rs.100 Crores or more;
• public companies having, in aggregate, outstanding loans or borrowings or debentures or deposits exceeding Rs.50 Crores.
The above thresholds as existing on the date of the last audited Financial Statements shall be taken into account.

# Statutory Auditor Report (Section 143(3)(i)) w.e.f. 13th June 2017:
The following companies have been granted exemption from reporting, in their Auditor's Report, on the adequacy of the internal financial controls system and the operating effectiveness of such controls:
1. OPC (One Person Company)
2. Small Companies
3. A Private Company which has a turnover of less than Rs.50 Crore as per the latest Audited Financial Statements or which has aggregate borrowings from banks or FIs or any body corporate at any point of time during the financial year of less than Rs.25 Crore.


TYPE OF CONTROLS

Entity Level Controls (ELC)
ELC Matrix: Evaluate the existence of ELC across the 5 components.

Process Level Controls (PLC)
Risk Control Matrices: Consider risks of material misstatements and frauds to identify significant accounts. Prepare Risk and Control Matrices for all such accounts across various business processes.

Information Technology General Controls (ITGC)
• Program Development
• Program Changes
• Access to programs and data
• Computer Operations


Section II – JOURNEY


Company Overview

• Ircon International Limited (IRCON), a government company incorporated by the Central Government (Ministry of Railways) under the Companies Act, 1956 on 28th April, 1976, originally under the name Indian Railway Construction Company Limited, is the leading turnkey construction company in the public sector, known for its quality, commitment and consistency in terms of performance. IRCON has widespread operations in several States in India and in other countries (Malaysia, Nepal, Bangladesh, Mozambique, Ethiopia, Afghanistan, U.K., Algeria & Sri Lanka).

• IRCON is a specialised construction organisation covering the entire spectrum of construction activities and services in the infrastructure sector. Railway and Highway construction, EHP sub-stations (engineering and construction), and MRTS are the core competence areas of IRCON.

• IRCON operates not only in a highly competitive environment but also in difficult terrains and regions in India and abroad, and is an active participant in prestigious nation-building projects. IRCON has so far completed more than 300 infrastructure projects in India and more than 100 projects across the globe in more than 21 countries.


Major Areas Covered - Entity Level Control

ENTITY LEVEL CONTROLS

Control Environment: Foundation on which an effective system of internal control is built and operated in an organisation that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets.

Risk Assessment: Review and monitoring of annual Plan, existence of Risk Management Policy, appointment of Independent Directors.

Control Activities: Actions taken to minimise risk; includes policies, procedures, techniques, and mechanisms that help ensure management's response to reduce risks identified during the risk assessment process.

Information Systems & Communication: Existence of IT Strategy Committee, Disaster Recovery Plan, existence of a robust Management Information System.

Monitoring: Change Management process. Audit Committee reviews the internal audit reports; maintain regular surveillance over different activities.


Major Areas Covered - Process Level Controls

Taxation
• Compliance of amendments made in Tax laws
• Maintenance of Tax Master
• Service Tax
• Advance Tax
• Corporate Tax
• TDS/TCS
• VAT
• Assessments & Demands

Project Operations
• Identification of Business Opportunities
• Evaluation of expertise
• Assessment of Risk & Rewards
• Confidentiality of price quotation
• Analysis of Tender Results
• Review of Agreement
• Selection Criteria of parties
• Contingency Plans
• Expenditure Reporting
• Progress Monitoring
• Safety & Insurance
• Billing
• Contract Revenue & Expenses
• Balance Confirmations
• Bank Guarantee
• Material in Store
• Compliances of Law & Regulations
• Review & Follow-up with debtors
• Feedback of Projects

Hire to Retire (H2R)
• Requisition
• Selection
• System Updation
• Leaves
• Salary Processing
• Appraisal
• Promotion
• HRD and Training
• Insurance Scheme
• Full and Final Settlement

Treasury Management
• Surplus funds invested on timely basis
• Assessment of investment proposal
• Approval & Authorisation before making Investments
• Safe Custody of Investment Related Documents
• Accounting of Investments & its Income
• Valuation of Investments

Fixed Assets
• Authorisation for procurement
• Purchase quotation for fixed assets
• FAR Maintenance
• Insurance of Fixed Assets
• Depreciation
• Physical Verification
• Sale/Disposal
• Impairment of Fixed Asset

Financial Statement Closure Procedure (FSCP)
• Recording of Prepaid Expenses
• Provisioning
• Chart of Accounts
• Vouchers – preparation and authorisation
• Contingent Liability
• Authorisation & Approval of transaction
• Deferred Tax
• MIS reporting to Senior Management
• Related Party Transactions
• Inter Unit Reconciliation
• Exchange Fluctuation
• Balance Confirmation
• Variance Analysis
• Consolidation of Projects

Cash & Bank
• Fund Projection
• Bank Documentation
• Bank Payments
• Bank Electronic Payment
• Bank Receipt
• Bank Reconciliation
• Bank charges
• Cash Insurance Policy
• Cash Payments
• Cash Verification
Information Technology General Controls

This head covers the major IT risks. The major components covered are as follows:
1. Access Control & Password management
2. Policies, Procedures & Data Classification
3. Accountability of Action
4. Safeguarding of user accounts
5. Uniformity & Integration of ERP
6. Backup and Monitoring
7. Network or System Security & Asset License Management

In respect of IT General Controls, the existing controls have been recorded as explained by the IT team of Ircon International Ltd., i.e. on the basis of the IT team's representation rather than independent technical verification.


Approach & Methodology for IFC

PHASE I

Phase 1 – Establish Context & Scope – Validation of Existing Documentation
Methodology:
• Performed account level materiality and chart of accounts analysis
• Reviewed existing documentation to identify gaps in documentation for material accounts
• Detailed project plan prepared and process owners identified
• Communication and reporting protocols identified
Deliverable: Process Flow Chart

Phase 2 – Entity Level Controls Assessment
Methodology:
• Circulated questionnaire to evaluate Entity Level Controls (ELC) for the following components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
Deliverable: ELC Assessment Matrix

PHASE II

Phase 3 – Test of Design and Process Level Controls
Methodology:
• Interviewed key operating personnel & updated the existing documentation
• Tested control design effectiveness by conducting process walkthroughs (TOD)
• Identified control points with improvement opportunities
• Understood the root cause of design weaknesses to the extent practical
• Recommended remedial action for gaps identified, in line with leading practices
Deliverable: Risk & Control Matrix

Phase 4 – Test of Operating Effectiveness
Methodology:
• Agreed upon sampling methodology with the management
• Tested Operating Effectiveness (TOE) for the key controls identified, for the agreed sample. TOE was performed only for controls where TOD was effective.
Deliverable: Report of TOE
ELC Framework

Control Components          | Principles | Points of focus
Control Environment         | 5          | 18
Risk Assessment             | 4          | 17
Control Activities          | 3          | 15
Information & Communication | 3          | 14
Monitoring Activities       | 2          | 9
Total                       | 17         | 73

[Figure: Organisation's Objectives against the Components of Internal Controls]
Testing Controls For Operating Effectiveness

RCMs                       | Total Controls | Effective | Design Gap | Ineffective | Partly Ineffective
Project Operations         | 18             | 9         | 2          | 5           | 2
Cash & Bank                | 12             | 11        | -          | -           | 1
Treasury Management        | 6              | 6         | -          | -           | -
Fixed Assets               | 7              | 7         | -          | -           | -
FSCP                       | 13             | 11        | -          | 2           | -
H2R                        | 15             | 12        | -          | 2           | 1
ITGC                       | 9              | 5         | 1          | 3           | -
Taxation                   | 13             | 12        | 1          | -           | -
Entity Level Control (ELC) | 73             | 67        | -          | 6           | -
Total                      | 166            | 140       | 4          | 18          | 4

Controls (share of total): Effective 84%, Design Gap 2.5%, Ineffective 11%, Partly Ineffective 2.5%.


Section III – KEY RECOMMENDATIONS

DESIGN FAILURE


PROJECT OPERATION

Sub Process: Analysis of tender results (PO 5)
Control Objective: To ensure that there is a record and analysis of applied tenders.
Risk Description ("What Could Go Wrong"): Non-assessment of tender results may result in loss of business opportunities and increase the chances of price leakage in future. Over-costing/under-costing and leakage of bid prices may go unidentified without analysis of tender results.
As Is Control: The company quotes for projects after analysis and taking past experience into consideration.
Design Gap: The company does not have any policy or procedure for identification & analysis of tender results.
Recommendations: It is suggested that the failure/success of tenders should be evaluated & analysed and the analysis put up to management, to ensure the confidentiality of bid price and correct costing estimates.

Management Comments: Analysis of participation in tender and results thereof are being carried out by BD cell. However a record of such analysis shall henceforth be maintained for future reference.


PROJECT OPERATION

Sub Process: Contingency Plans (PO 8)
Control Objective: To ensure that contingency plans are well established by the company before execution of work.
Risk Description ("What Could Go Wrong"): Non-establishment of contingency plans may lead to failure of planned execution of work.
As Is Control: The company keeps a contingency provision with the main plan of execution. Normally, the company gets the work executed through subcontractors; in case of failure of one subcontractor, the work is awarded to another contractor. In case of contingency, the company has its own plant & machinery which can be deployed at projects at short notice to execute the projects.
Design Gap: The company does not have any laid-down contingency plan.
Recommendations: The company should formulate project-specific contingency plans for the risks associated with its critical functions.

Management Comments: These have been laid down in the Risk Management Policy of the Company. The contingency management also includes events like re-tendering, Risk & Cost Tendering and limited departmental working etc. However, the suggestion related to Project Specific contingency plans is noted for review.


INFORMATION TECHNOLOGY GENERAL CONTROL (ITGC)

Sub Process: Accountability of actions (ITGC 3)
Control Objective: To ensure accountability of actions.
Risk Description ("What Could Go Wrong"): If the creator of a transaction can also approve the same transaction, the maker-checker relationship is violated.
As Is Control: Transaction entries are posted by the authorised person in the SAP ERP and approval for the same is taken manually, outside the system.
Design Gap: The company has not defined any criteria for the maker & checker relationship in SAP. Because approval is taken manually, SAP cannot enforce that the approver is a different user from the person who posted the entry, and the approval leaves no system audit trail against the posted document.
Recommendations: Rights & responsibilities in SAP should be clearly defined for fixing responsibility and accountability. Also, a Staff Accountability Policy should be framed to fix accountability for any transaction.

Management Comments: The Rights & Responsibilities of the employees in SAP have now been defined to fix the responsibilities and accountability of each employee.
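As an added example (not code from this report, SKL & Associates or IRCON's SAP system), the Python below shows how the maker-checker gap in ITGC 3 can be tested mechanically over a document export rather than by inspection. It assumes a hypothetical export in which each financial document carries the user ID that created it and the user ID that approved it in the system (absent when approval was only taken on paper), plus a hypothetical list of which users hold a poster role and an approver role. The role names, user IDs and document rows are constructed assumptions; it flags self-approved documents, documents with no system-recorded approval, approvers without the checker role, and users who hold both roles.

```python
"""Maker-checker (segregation of duties) test over an SAP-style posting export.

Added example for the ITGC 3 finding; not code from the report or from
IRCON's SAP configuration. Role names, user IDs and the sample rows below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MAKER_ROLE = "Z_FI_POSTER"      # hypothetical SAP role: may create/park documents
CHECKER_ROLE = "Z_FI_APPROVER"  # hypothetical SAP role: may approve/release them


@dataclass(frozen=True)
class Posting:
    doc_no: str
    amount_inr: float
    created_by: str
    approved_by: Optional[str]  # None: approval exists only on paper, not in SAP


def check_segregation(postings: List[Posting],
                      roles: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per control violation.

    NO_SYSTEM_APPROVAL  approval recorded outside the system: no audit trail,
                        and nothing stops the poster approving their own entry
    SELF_APPROVAL       creator and approver are the same user ID
    APPROVER_LACKS_ROLE the approving user does not hold the checker role
    """
    findings = []
    for p in postings:
        if p.approved_by is None:
            findings.append({"doc": p.doc_no, "issue": "NO_SYSTEM_APPROVAL",
                             "user": p.created_by, "amount_inr": p.amount_inr})
            continue
        if p.approved_by == p.created_by:
            findings.append({"doc": p.doc_no, "issue": "SELF_APPROVAL",
                             "user": p.created_by, "amount_inr": p.amount_inr})
        if CHECKER_ROLE not in roles.get(p.approved_by, set()):
            findings.append({"doc": p.doc_no, "issue": "APPROVER_LACKS_ROLE",
                             "user": p.approved_by, "amount_inr": p.amount_inr})
    return findings


def toxic_role_holders(roles: Dict[str, Set[str]]) -> List[str]:
    """Users holding both roles: the design gap itself, independent of any document."""
    return sorted(u for u, r in roles.items() if MAKER_ROLE in r and CHECKER_ROLE in r)


def summarise(findings: List[dict]) -> Dict[str, int]:
    """Count of findings by issue type, in the shape an RCM testing summary needs."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f["issue"]] = out.get(f["issue"], 0) + 1
    return out


# Constructed sample data (not IRCON's users or documents).
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "MKR01": {MAKER_ROLE},
    "CHK01": {CHECKER_ROLE},
    "BOTH01": {MAKER_ROLE, CHECKER_ROLE},  # toxic combination
}
SAMPLE_POSTINGS = [
    Posting("1900000001", 250000.0, "MKR01", "CHK01"),    # clean
    Posting("1900000002", 1250000.0, "BOTH01", "BOTH01"), # self-approved
    Posting("1900000003", 80000.0, "MKR01", None),        # approved only on paper
    Posting("1900000004", 12000.0, "MKR01", "MKR02"),     # approver holds no checker role
]

if __name__ == "__main__":
    results = check_segregation(SAMPLE_POSTINGS, SAMPLE_ROLES)
    for f in results:
        print(f)
    print("users holding both roles:", toxic_role_holders(SAMPLE_ROLES))
    print(summarise(results))
```

Run as a script it lists the three violating documents in the constructed sample and the one user with both roles. On a real export the same checks map onto the recommendation: roles defined in SAP so the split can be enforced, and an approval that is recorded in the system by a user other than the poster.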



TAXATION

Sub Process: Maintenance of Tax master (TX 2)
Control Objective: To ensure that there is authorised creation/modification of tax codes in the tax master.
Risk Description ("What Could Go Wrong"): Possibility of unauthorised creation/modification of tax codes.
As Is Control: There is no Tax Master implemented in the ERP being used by the company. Taxes are calculated manually at the time of posting of transactions in the ERP.
Design Gap: Tax master is not maintained in the SAP ERP. Taxes are being calculated manually.
Recommendations: A tax master should be implemented by the company so that taxes are calculated automatically in the system, to avoid manual errors.

Management Comments: It is under implementation with SAP.


INEFFECTIVE CONTROLS


PROJECT OPERATION

Sub Process: Confidentiality of Price Quotation (PO 4)
Control Objective: To ensure that price is quoted with adequate margins and is kept confidential.
Risk Description ("What Could Go Wrong"): Price information leakage may result in loss of financial opportunities.
As Is Control: Price is quoted taking into consideration all estimated costs. The direct cost estimates of the project are prepared by the Business Development (BD) cell and checked through peer review. The rate analysis of each item of work is carried out at the level of Mgr./DGM and checked at the level of DGM/AGM. Overhead & indirect costs are also prepared by the BD cell with backup calculations, checked by the Finance Department and approved by DF. The profit and other factors to be considered for arriving at the final bid prices are decided and
Ineffective Controls: We have observed that, for quoting the price for a bid, the direct cost element constitutes the major portion of the total cost and is computed by the Business Development cell of the company. But the BD cell does not have any personnel from a finance background and the direct cost is not vetted by the Finance Department.
Recommendations: It is suggested that a senior Finance official having adequate commercial exposure should also be associated with the BD cell in the computation of direct cost.
PROJECT OPERATION

Sub Process: Selection Criteria of parties (PO 7)
Control Objective: To ensure that a proper procedure is followed for selection of subcontractors, suppliers and third parties.
Risk Description ("What Could Go Wrong"): Selection of a party without evaluation may lead to failure of the job.
As Is Control:
1. The company has a proper tendering system for selection of subcontractors, suppliers & third parties.
2. Generally, procurement of railway-related items is made from the RDSO approved vendor list. In some cases, tenders are invited from the vendor list approved by the client. Generally, other procurements are made after selecting parties on pre-qualification criteria.
Ineffective Controls:
1. As per the agreement with subcontractors, the company has to evaluate the performance of subcontractors periodically. If the performance is found unsatisfactory (<85% for Works Contracts), as per the parameters set by the company, the subcontractor is liable to be declared a 'Non-Performer' and will be ineligible for participation in future tenders for a period of 2 years from the date of such decision. However, the company has not been evaluating the performance of such subcontractors periodically.
2. During our testing we found some cases where, in an open tender, only a single bidder quoted; in spite of such poor response in a high value tender, the tender was finalised at rates much higher than the estimated cost and the option of retendering was not considered.
3. Also, in some of the cases, negotiations were not made with the L1 bidders.
Recommendations:
1. The company must evaluate the performance of such parties on a periodic basis and accordingly a 'Non-Performer Subcontractor' should not be considered for future contracts.
2. It is suggested that in the case of high value tenders, where quoted rates are much higher than the estimated rates, the tender committee should also consider the justification of rates quoted against the estimated cost. Otherwise the option of retendering may also be considered, except in case of urgency.
3. Negotiation should be made with the L1 bidder in all cases and the same should be documented in the minutes of the Tender Committee.


Management Comments:
1. Guidelines of the company in tendering procedure are properly followed and depending on the performances of the Agencies, they are declared as a non-performer contractor, as per their performance, and are disqualified in the technical qualifying stage in case of future open tenders and are banned from the business as per company norms. In case of Limited tender the non-performer subcontractors are not considered in the shortlisted list of vendors.
2. Retendering is followed in case of limited tender when the bidder is one but not generally followed in case of open tender if the quoted rates are well within the estimate & prevailing market rates as well as sanctioned estimate of client. However the recommendation will be considered and examined and will be applied on a case to case basis.
3. Regarding negotiations with L-1, instructions of CVC issued vide Circular No. 01/01/10 dated 20.01.2010 are reproduced below: "it is clarified to all concerned that there should normally be no post tender negotiations. If at all negotiations are warranted under exceptional circumstances, then it can be with L-1 (Lowest tenderer) only if the tender pertains to the award of work/supply orders etc., where the Government or Government company has to make payment."


PROJECT OPERATION

Sub Process: Bank Guarantee (PO 14)
Control Objective: To ensure that original bank guarantees are retained in records; that bank confirmations are taken; and that the validity of BGs is ensured.
Risk Description ("What Could Go Wrong"): Inadequate control over bank guarantees may lead to financial losses to the company.
As Is Control: Bank Guarantees are kept in original at projects with Finance Heads in a safe. Confirmations are received from the issuing bank from time to time. Also, to ensure the validity of BGs, a proper mechanism is in place for intimation in advance.
Ineffective Controls:
1. Bank Guarantee details are not posted in SAP. This may lead to errors or omissions.
2. One original BG for Rs. 16,44,504/- issued on behalf of M/s Polycab Wires Pvt. Ltd. has been misplaced at CE-06 Project.
Recommendations:
1. It is suggested that BG details should be posted in SAP on a timely basis to have centralised control over Bank Guarantees.
2. The company may also use the SFMS (Structured Financial Messaging System) facility of the bank as bank confirmation to verify the genuineness of a BG.

Management Comments: The suggestions are noted for implementation.


PROJECT OPERATION

Sub Process: Material in Store (PO 15)
Control Objective: To ensure that stock is maintained properly.
Risk Description ("What Could Go Wrong"): Excess/shortage of stock may lead to blockage of funds or delay in work.
As Is Control: The company procures material as per the agreement and work progress. All stock is kept secure.
Ineffective Controls:
1. The company does not maintain its stock details in the accounting system. Stock records are maintained manually.
2. Stock is physically verified on an annual basis instead of a quarterly basis.
3. During our testing at Benihal Project, we found that stock more than 3 years old, amounting to Rs 4.43 crores, is held by the project.
4. More than half of the stock is kept in the open at Benihal (Jammu) and RAPDRL (Jammu) Projects.
Recommendations:
1. It is suggested that inventory should be maintained in the accounting software to have better control.
2. Inventory should be verified on a quarterly basis instead of an annual basis.
3. For inventory more than 3 years old, expert advice needs to be taken on its further use, and its valuation in the books made accordingly. In future, proper care should be taken at the time of purchase of materials to avoid further blockage of funds. If possible, minimum and maximum levels should be fixed for inventory.
4. Inventory should be kept under a shed in a secure environment.
5. It is suggested that physical verification of materials held with subcontractors should be conducted periodically and confirmation for the same should also be taken.

Management Comments: Implementation of Material module in SAP is under consideration. Taking into account the nature of the business, materials are periodically reviewed by the project authorities. The items which are fixed at open area like sleepers, rails, transformers etc. are kept in open area only. However their proper records are maintained.


PROJECT OPERATION

Sub Process: Compliances of Law & Regulations (PO 16)
Control Objective: To ensure that labour laws, local laws or other applicable laws are being implemented by the subcontractor properly.
Risk Description ("What Could Go Wrong"): Non-compliance with law and regulation may lead to legal disputes or penalties.
As Is Control: The company is doing work in compliance with laws and regulations.
Ineffective Controls:
1. As per the agreement with the client, it is the company's liability to comply with the labour laws. But we found cases where subcontractor labourers were working for more than 12 hours per day (normal working hours being 9 hours) and no overtime wages were paid to them for the extra 3 hours.
2. Also, the company has no control over the PF of the subcontractors' labourers.
Recommendations:
1. The company should obtain the attendance sheets of the subcontractors' labourers to verify their overtime wages.
2. The Electronic Challan cum Return (ECR) should be obtained by the company from every subcontractor to verify the PF status of the labourers, as the company is the ultimate principal of the labourers working on the projects.

Management Comments:
1. To develop an effective mechanism for ensuring compliance of labour laws, Project Head and Coordinating Head at Corporate Office have been made responsible.
2. A list of labour laws applicable to Ircon's projects is attached herewith.
3. HRM Deptt. has already written various letters to Project Heads for taking a copy of the pay-roll of every sub-contractor before releasing their payments.
4. The Consultant has passed remarks that the Company has no control over the PF of the sub-contractors' labour. As per the provisions of the Employees' Provident Fund Act, each establishment having 10 or more employees in a calendar year has to get itself registered with EPF authorities and the establishment itself will be responsible for timely deduction of PF from the wages of its employees and depositing the same with EPF authorities, along with matching contribution of the employer. Suggestions are noted for compliance as per Labour Laws.
FINANCIAL STATEMENT CLOSURE PROCEDURE (FSCP)

Sub Process: Inter-unit Reconciliation (FSCP 9)
Control Objective: To ensure that all inter-unit balances are reconciled properly.
Risk Description ("What Could Go Wrong"): Unreconciled balances of inter-unit projects, branches etc., leading to mismatch of balances and further to misstatement in the financial statements.
As Is Control: Inter-unit Reconciliation is made by AO (Compilation) at regular intervals.
Ineffective Controls: Inter-Unit Reconciliation is made only on an annual basis rather than at periodic intervals.
Recommendations: Inter-Unit Reconciliation should be made at quarterly intervals. The transactions should be recorded on a real-time basis.

Management Comments: Inter unit reconciliation is being done on a regular basis. However, figures are not being frozen at the end of each quarter. The same will be taken care of in FICO module implementation.


FINANCIAL STATEMENT CLOSURE PROCEDURE (FSCP)

Sub Process: Balance Confirmation (FSCP 11)
Control Objective: To ensure that outstanding receivables and payables are reconciled with the clients as per the prescribed time limits.
Risk Description ("What Could Go Wrong"): Unreconciled debit and credit balances in the books of accounts, leading to misstatement in the financial statements.
As Is Control:
1. Projects obtain confirmation letters from parties as per the Annual Closing Guidelines. They also send the summary of confirmations to Corporate Office.
2. At Corporate Office, confirmation from parties is taken by DM (Finance).
Ineffective Controls:
1. Wrong outstanding balances for confirmation are sent to parties without first updating the books of accounts in SAP.
2. A few balance confirmation letters are returned as undelivered.
Recommendations:
1. Balance confirmations should be sent to the parties on the basis of updated books.
2. It is suggested that necessary follow-up action should be taken in a timely manner where confirmations are not received or are returned as undelivered.

Management Comments: For balance confirmation, a letter is being issued to the parties during the preparation of accounts. In the letter it is mentioned to confirm the balance and, if there is any difference, the firm is to inform the difference. In case the balance is changed after adjustment/payment during that period then a difference appears; however, parties are requested to confirm their balance as per their accounts. The suggestion is noted for future.

IFC Consultant Further Comments: Balance confirmation letters which are undelivered need to be examined.


HIRE TO RETIRE (H2R)

Sub Process: Salary Processing (H2R 7)
Control Objective: To ensure that there is an adequate system mechanism to process the payroll.
Risk Description ("What Could Go Wrong"): Failure to have a proper system for salary processing might result in excess or short payment to the employees.
As Is Control: Salary of Corporate Office, Projects and Foreign Offices is processed at Corporate Office only. DGM (Payroll) is the authorised person to process the payroll through SQL Server. Details of new joinings, promotions, resignations of employees etc. are informed by the HR Department to DGM (Payroll). Details of deductions from employees' salaries are intimated by the concerned department to DGM (Payroll) in HO. Similarly, deductions from employees' salaries are intimated by projects to DM (Payroll).
Ineffective Controls: Salary is processed from SQL Server rather than SAP. All details are being manually entered into the server for salary processing.
Recommendations: Salary should be processed from SAP to have better control.

Management Comments: Will be taken up in the forthcoming HCM module of ERP implementation.


HIRE TO RETIRE (H2R)

Sub Process: Insurance Scheme (H2R 14)
Control Objective: To ensure that an insurance scheme has been taken for all the employees.
Risk Description ("What Could Go Wrong"): Employees' insurance not taken may cause financial loss to the company in case of any mishap to an employee.
As Is Control:
1. The company has taken insurance for different grades of employees.
2. The premium for the same is paid on a monthly basis to LIC.
3. Further, a note is put forward by DM (HR), which is checked by JGM (HRM) and then finally reviewed by DGM (Payroll) to make the final payment.
Ineffective Controls: Employees who have joined after 01.09.2013 are not enrolled under the Insurance Scheme. Hence, insurance premium is not being deposited for the said employees.
Recommendations: All the employees should be covered in the Insurance Scheme. Employees must be enrolled in any new scheme.

Management Comments:
1. Ircon has taken Group Saving Linked Insurance (GSLI) of different grades of employees in May 1988. The premium of the same is paid on monthly basis to LIC.
2. As per IRDA guidelines LIC cannot enrol new employees under existing schemes of GSLI after falling ARD 01.08.2013. As per ARD of IRCON LIC have enrolled all employees upto ARD 20.05.2014. Employees who have joined after 20.5.2014 are not enrolled under Insurance Scheme. Hence, insurance premium is not being deposited for these employees.
3. New Accidental Insurance Scheme is under process to cover upto Rs.25 lakh for different categories of all regular employees & deputationists.
INFORMATION TECHNOLOGY GENERAL CONTROL (ITGC)

Sub Process: Access to Authorized Personnel
Control Objective: To ensure that access to the system is provided only to authorised personnel, as per policy.
Risk Description ("What Could Go Wrong"): Unauthorised access to the system, resulting in key financial information being compromised.
As Is Control: For any authorisation to be given to a user, a noting sheet is prepared regarding the same, which is approved by the concerned department head and then further approved by GM (IT).
Ineffective Controls: A list of all SAP ERP IDs provided to employees was given to us, but its authenticity could not be established. For instance, SAP ID FINHQ03 is allotted to Ms. Rachna Tomar (DM/Finance) on the list, but there is no communication to her regarding the same. Rather, SAP ID FINHQ04 was communicated to her by email by Ms. Chitra Prasad (Manager/IT).
Recommendations: The approved list of all SAP ERP IDs should be reconciled against the IDs actually communicated to and used by employees, and the approved ID should be clearly communicated to each employee.

Management Comments: It has been implemented in IRCON.


INFORMATION TECHNOLOGY GENERAL CONTROL (ITGC)

Sub Process: Safeguarding of User Accounts
Control Objective: To ensure that procedures have been established so that user accounts for systems and applications are added, modified and deleted in a timely manner.
Risk Description ("What Could Go Wrong"): Inadequate processes for deletion of access for users who have resigned may result in misuse of access rights to applications, impacting financial data through unauthorized personnel.
As Is Control:
1. For every new joiner, the IT Department creates a new email ID for the employee, and at the time of leaving the same is deleted.
2. SAP IDs are created by the IT Department as per the requirement of the concerned department.
3. At the time of leaving the company, the SAP ID of the employee is frozen.
Ineffective Controls: During our testing we found cases where there was substantial delay in deleting the email ID of an employee after his/her resignation.
Recommendations: An employee's email ID should be suspended or deleted immediately after his/her resignation/retirement. The same cut-off should be evidenced for the freezing of the SAP ID, since SAP is where financial data is changed.

Management Comments: It has been implemented in IRCON as suggested by the IFC Consultant. This has also been included in the NOC which is to be taken by every employee when they leave the organization or go on transfer. The email ID is being deactivated at the end of the last working day of the employee.
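The two ITGC findings above (an approved SAP ID list that did not match what was communicated to the employee, and email IDs deleted late after resignation) are both reconciliation problems, and one periodic script can test for both. The following is an added example written for this edit, not a script from IRCON or from the IFC report: the record types, names, IDs and dates are constructed, and the zero-day grace period between last working day and account lock (`sla_days`) is an assumption.

```python
# Added example (not part of the IFC report): one reconciliation over the approved
# SAP ID list, the IDs actually e-mailed to staff, the HR roster and the live ERP
# user list. Every name, ID and date below is constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Approval:
    """One line of the approved ID list (noting sheet signed off by GM (IT))."""
    sap_id: str
    employee: str


@dataclass(frozen=True)
class Communication:
    """The ID that IT actually communicated to the employee by e-mail."""
    sap_id: str
    employee: str


@dataclass(frozen=True)
class HrRecord:
    employee: str
    last_working_day: Optional[date]   # None while still employed


@dataclass(frozen=True)
class ErpUser:
    """A user record exported from the ERP (the same shape works for a mail directory)."""
    sap_id: str
    locked_on: Optional[date]          # None while the account is still active


def reconcile(approvals: List[Approval], communications: List[Communication],
              hr: List[HrRecord], erp_users: List[ErpUser],
              today: date, sla_days: int = 0) -> List[Tuple]:
    """Return finding tuples; an empty list means the four sources agree.

    sla_days is the grace period allowed between the last working day and the
    lock date (0 = must be locked by the end of the last working day; assumption)."""
    approved_by_id = {a.sap_id: a.employee for a in approvals}
    approved_by_emp = {a.employee: a.sap_id for a in approvals}
    told_by_emp = {c.employee: c.sap_id for c in communications}
    erp_by_id = {u.sap_id: u for u in erp_users}
    lwd_by_emp = {h.employee: h.last_working_day for h in hr}
    findings: List[Tuple] = []

    # (a) The ID on the approved list must be the one the employee was told.
    for emp, sap_id in approved_by_emp.items():
        told = told_by_emp.get(emp)
        if told is None:
            findings.append(("NOT_COMMUNICATED", sap_id, emp))
        elif told != sap_id:
            findings.append(("ID_MISMATCH", sap_id, emp, told))

    # (b) An ID communicated to someone with no approval behind it.
    for emp, sap_id in told_by_emp.items():
        if sap_id not in approved_by_id:
            findings.append(("UNAPPROVED_ID", sap_id, emp))

    # (c) Accounts that exist in the ERP but appear on no approved list.
    for sap_id in erp_by_id:
        if sap_id not in approved_by_id:
            findings.append(("ORPHAN_ID", sap_id))

    # (d) Leavers: the account must be locked by the last working day plus SLA.
    for sap_id, emp in approved_by_id.items():
        user, lwd = erp_by_id.get(sap_id), lwd_by_emp.get(emp)
        if user is None or lwd is None:
            continue
        if user.locked_on is None:
            overdue = (today - lwd).days
            if overdue > sla_days:
                findings.append(("LEAVER_ACTIVE", sap_id, emp, overdue))
        else:
            late_by = (user.locked_on - lwd).days
            if late_by > sla_days:
                findings.append(("LATE_LOCK", sap_id, emp, late_by))

    return sorted(findings, key=str)


def run_example() -> List[Tuple]:
    """Constructed inputs; only the shapes, not the values, are meaningful."""
    approvals = [Approval("FINHQ01", "A. Sharma"), Approval("FINHQ02", "B. Verma"),
                 Approval("FINHQ03", "C. Tomar"), Approval("FINHQ05", "E. Khan")]
    communications = [Communication("FINHQ01", "A. Sharma"),
                      Communication("FINHQ04", "C. Tomar"),   # told a different ID
                      Communication("FINHQ05", "E. Khan")]
    hr = [HrRecord("A. Sharma", date(2017, 3, 31)), HrRecord("B. Verma", None),
          HrRecord("C. Tomar", None), HrRecord("E. Khan", date(2017, 4, 10))]
    erp_users = [ErpUser("FINHQ01", date(2017, 4, 20)),  # locked 20 days after leaving
                 ErpUser("FINHQ02", None), ErpUser("FINHQ03", None),
                 ErpUser("FINHQ04", None), ErpUser("FINHQ05", None),
                 ErpUser("FINHQ09", None)]                 # nobody approved this one
    return reconcile(approvals, communications, hr, erp_users, today=date(2017, 5, 1))


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Run against the real noting-sheet approvals, the IT email log, the HR roster and an ERP user export, this turns the two observations above into a repeatable control test: every finding names the ID, the employee and, for leavers, the number of days the account outlived the last working day.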


INFORMATION TECHNOLOGY GENERAL CONTROL (ITGC)

Sub Process: Uniformity & Integration of ERP
Control Objective: To ensure that there is integration of data at all operating units.
Risk Description ("What Could Go Wrong"): Non-integration of data may lead to data manipulation.
As Is Control:
1. Different projects of the company are executed at various locations. Software such as SAP, Tally and SQL (RITES) is used for the execution of transactions at different projects of the company.
2. SAP is not yet able to generate the Balance Sheet and P&L from GL codes. The Corporate Office uses FoxPro software for consolidation of accounts.
Ineffective Controls:
1. There is no integrated data software implemented in the company.
2. SAP is not able to extract the financials of the company.
3. Different software packages are used by the company for its functioning.
Recommendations: Data should be integrated through a single software package to avoid manual errors or intervention. The accounting software should also be able to extract the consolidated financials of the company.

Management Comments: Implemented for the FICO module in SAP. When all other modules like PS, HCM, MM etc. are implemented, the entire system will be integrated.


ENTITY LEVEL CONTROL (ELC)

Component: Risk Assessment
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Point of Focus 6.1: Financial reporting objectives are consistent with accounting principles suitable and available for the entity. The accounting principles selected are appropriate in the circumstances.
Entity Actual Control: Senior Management reviews the application of accounting principles annually. Further, financial statements for external purposes are prepared in accordance with applicable accounting standards, rules and regulations. Any deviation from accounting policies is reported to the Audit Committee.
Remarks: The unaudited quarterly results are not prepared as per Ind AS.
Recommendation: The books of accounts should have been prepared according to Ind AS as applicable to the company.

Management Comments: As regards preparation of unaudited results as per Ind AS, this being the first year of implementation of Ind AS, full-fledged unaudited accounts could not be prepared as per Ind AS. However, we have attempted to prepare unaudited results for the quarter ending December 16 and put them up to the Audit Committee. Annual Accounts are prepared as per Ind AS. In view of the above, this may not be treated as a weakness in the system.


ENTITY LEVEL CONTROL (ELC)

Component: Risk Assessment
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
Point of Focus 7.5: Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce or share the risk.
Entity Actual Control: The company has started the process of chalking out a response strategy to the identified risks. However, the process is still at a mid stage and is likely to be completed in a quarter. Thereafter, regularity will be ensured in this regard.
Remarks: Mitigation plans for the identified risks are not yet implemented throughout the organization.
Recommendation: For all projects, the revolving risks along with their mitigation plans should be identified. These should be sent to the Corporate Office at prescribed intervals so that the RMC & RAC can take actions as they deem fit.

Management Comments: Risk Management Policy is already in place and implemented. Quarterly Report is collected from various business units for further analysis. Suggestion noted and will be considered.

IFC Consultant Further Comments: Mitigation plans for the identified risks are not yet implemented throughout the organization.


ENTITY LEVEL CONTROL (ELC)

Component: Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Point of Focus 10.1: Control activities help ensure that risk responses and mitigation of risks are carried out.
Entity Actual Control:
1. Risk Management Policy specifying the business risks and the action to be taken for mitigation of such risks.
2. The company has started implementing Risk Assessment and mitigation through periodic meetings on the subject matter. Various meetings have been held within the last two quarters at the Corporate Office.
Remarks: Mitigation plans for the identified risks are not yet implemented throughout the organization.
Recommendation: For all projects, the revolving risks along with their mitigation plans should be identified. These should be sent to the Corporate Office at prescribed intervals so that the RMC & RAC can take actions as they deem fit.

Management Comments: After identification of a risk, the same is thoroughly reviewed by the Management and the corrective action to be taken to mitigate the risk is communicated to the concerned department/project. Suggestion noted and will be considered.

IFC Consultant Further Comments: Mitigation plans for the identified risks are not yet implemented throughout the organization.


ENTITY LEVEL CONTROL (ELC)

Component: Control Activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Point of Focus 10.4: Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
Entity Actual Control: A variety of transaction controls has been developed in the organization, including the following:
1. ERP system access rights prevent unauthorized users from transacting or viewing outside their designated job requirements, roles and responsibilities.
2. Verification of transactions through authorizations and approvals.
3. Physical verification conducted for fixed assets and cash, and compared with records.
4. Reconciliation of balances for completeness/accuracy of processing of transactions.
A mix of manual and automated control activities has been established in the company.
Remarks: Rights and responsibilities of the employees are not properly defined or fixed in the system (ERP). Until they are, the access-rights restriction described in item 1 above cannot be evidenced.
Recommendation: Rights & responsibilities in SAP should be clearly defined for fixing responsibility and accountability. A Staff Accountability Policy should also be formed to fix accountability for any transaction.

Management Comments: The Rights & Responsibilities of the employees in SAP have now been defined to fix the responsibilities and accountability of each employee.
ENTITY LEVEL CONTROL (ELC)

Component: Control Activities
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
Point of Focus 11.1: Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
Entity Actual Control: Management assesses the technology-related controls (IT General Controls) for its technology-enabled business processes through its in-house assessment processes.
Point of Focus 11.2: Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Entity Actual Control: There is a properly documented IT Policy. The following policies are part of the IT Policy:
1. Data Security Policy
2. System Usage Policy
3. Network Usage Policy
4. Anti-Virus Policy
5. Internet Usage/Surfing Policy
6. Mail Usage Policy
Remarks (11.1 and 11.2):
1. SAP ERP is not yet able to extract the Balance Sheet and P&L of the company.
2. SQL software is being used by the company for processing of payroll. An integrated ERP is not implemented in the company.
Recommendation: It is suggested that the company should use software which is able to extract the consolidated financials of the company, for better internal controls.

Management Comments: It has been implemented for the FI module, and the P&L Account and Balance Sheet are being generated through SAP. Payroll will be integrated with SAP in 2017-18.


PARTIALLY INEFFECTIVE CONTROLS


HIRE TO RETIRE (H2R)

Sub Process: Leave Record (H2R 6)
Control Objective: To ensure that posting of leave is done accurately in the system.
Risk Description ("What Could Go Wrong"): Leave not properly recorded may lead to financial losses to the company.
As Is Control:
1. The concerned departments send the leave of their personnel to AO (HR) on a monthly basis. These details include only Earned Leave (EL), Leave Half Pay (LHP) and Leave Without Pay (LWP). AO (HR) records the leave in SAP and further sends it to DGM (Payroll) for salary processing.
2. Details of Casual Leave (CL) and Restricted Holiday (RH) are not recorded in SAP; this data is maintained at department level only.
3. Leave records of project employees are not recorded in SAP on a timely basis.
Partially Ineffective Controls:
1. A biometric attendance system is not followed at the projects.
2. CL and RH are maintained manually by departments instead of being recorded in SAP.
Recommendations:
1. For better control over attendance, a biometric system should be installed at projects and salary processed accordingly.
2. CL and RH should also be maintained in SAP for proper control.

Management Comments:
1. Leave records can also be maintained with timely updates on IRCON's Intranet, as all employees have access to the Intranet. This will be examined and taken up during the forthcoming implementation of the HCM module.
2. It is not practical to install a biometric system at projects, as project officials go to their respective sites instead of reporting at the project office. However, the possibility of biometric attendance at project offices will be explored.


CASH & BANK

Sub Process: Bank Electronic Payment (CB 6)
Control Objective:
1. To ensure that there is an appropriate procedure for receiving details from the payee in the case of electronic payments.
2. Adequate control over the internet banking user name and password.
Risk Description ("What Could Go Wrong"): Electronic payments made without appropriate details of the payee may lead to wrong payment, resulting in financial losses.
As Is Control:
1. Cancelled cheques are taken from the vendors and the data is posted in SAP for record.
2. The internet banking password is held by the inputters of payments and by all authorized signatories.
Partially Ineffective Controls: All cheque details are recorded in a master sheet in Excel. RTGS/NEFT is done by taking data from this master record. There is a chance of manipulation/misappropriation of data between the approved record and the payment actually released.
Recommendations: Cheque details should be uploaded in SAP with due approval, and RTGS/NEFT should be made only from data exported from SAP. Because the internet banking password is shared between the inputters and all the authorized signatories, no action on the banking portal can be attributed to an individual; each inputter and signatory should hold their own credentials so that maker and checker remain separable.

Management Comments: Will be looked into during the forthcoming implementation.
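The weakness above is that the data a checker approves (the Excel master record) can be altered before the RTGS/NEFT file is uploaded to the bank. Moving the data into SAP, as recommended, narrows that window; the added example below shows the underlying technique, a keyed digest computed by the checker over the approved batch and re-verified at upload, so that any edit to a beneficiary account, amount or batch after approval is detected. This is illustrative code written for this edit, not IRCON's process or the report's recommendation: the vendors, account numbers, IFSC codes, amounts and key are constructed, and it assumes one payment row per vendor in a batch.

```python
# Added example (not part of the IFC report): sealing an approved RTGS/NEFT batch
# so that any edit made between checker approval and upload to the bank is detected.
# All vendors, account numbers, IFSC codes, amounts and the key are constructed.
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List


@dataclass(frozen=True)
class Payment:
    vendor: str
    account: str      # beneficiary account number taken from the cancelled cheque
    ifsc: str
    amount_inr: int   # whole rupees for the example


def canonical(batch_id: str, batch: List[Payment]) -> bytes:
    """Serialise a batch so that the same payments always give the same bytes.

    Rows are sorted, keys are sorted and the batch id is included, so row order
    does not matter but a tag for one batch cannot be reused for another."""
    rows = sorted((asdict(p) for p in batch), key=lambda r: (r["vendor"], r["account"]))
    return json.dumps({"batch_id": batch_id, "rows": rows},
                      sort_keys=True, separators=(",", ":")).encode()


def approve(batch_id: str, batch: List[Payment], checker_key: bytes) -> str:
    """Checker step: compute the tag that is stored with the approval record."""
    return hmac.new(checker_key, canonical(batch_id, batch), hashlib.sha256).hexdigest()


def verify_before_upload(batch_id: str, batch: List[Payment], tag: str, checker_key: bytes) -> bool:
    """Release step: recompute the tag over the file about to be uploaded.

    compare_digest avoids leaking where the two tags first differ."""
    return hmac.compare_digest(approve(batch_id, batch, checker_key), tag)


def changed_fields(approved: List[Payment], presented: List[Payment]):
    """Explain a failed verification: which vendor rows differ, and in which field.

    Assumes one row per vendor within a batch (constructed simplification)."""
    a = {p.vendor: asdict(p) for p in approved}
    b = {p.vendor: asdict(p) for p in presented}
    diffs = []
    for vendor in sorted(set(a) | set(b)):
        if vendor not in a:
            diffs.append((vendor, "added", None, None))
        elif vendor not in b:
            diffs.append((vendor, "removed", None, None))
        else:
            for field in a[vendor]:
                if a[vendor][field] != b[vendor][field]:
                    diffs.append((vendor, field, a[vendor][field], b[vendor][field]))
    return diffs


def run_example():
    # In practice the key lives with the release step (for example in a KMS/HSM)
    # and is never available to the inputter who edits the payment file.
    key = b"constructed-checker-key-for-the-example"
    batch_id = "BATCH-2017-04-003"
    approved = [
        Payment("ABC Cement Ltd", "000123456789", "SBIN0001234", 450000),
        Payment("XYZ Steel Pvt Ltd", "987654321000", "HDFC0000456", 1275000),
    ]
    tag = approve(batch_id, approved, key)

    reordered = list(reversed(approved))                      # harmless edit
    tampered = [approved[0],                                   # beneficiary account swapped
                Payment("XYZ Steel Pvt Ltd", "111122223333", "HDFC0000456", 1275000)]
    return {
        "reordered_ok": verify_before_upload(batch_id, reordered, tag, key),
        "tampered_ok": verify_before_upload(batch_id, tampered, tag, key),
        "replayed_ok": verify_before_upload("BATCH-2017-04-004", approved, tag, key),
        "tamper_diff": changed_fields(approved, tampered),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

An HMAC is enough when the release step, and only the release step, holds the key; if the same person prepares the file and verifies it, the seal proves nothing, which is the maker-checker separation the shared internet banking password above also breaks. Where the inputter needs to verify without being able to forge, the same structure works with a digital signature in place of the HMAC.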


PROJECT OPERATION

Sub Process: Safety & Insurance (PO 11)
Control Objective: To ensure that the project has safety measures and its assets are adequately insured.
Risk Description ("What Could Go Wrong"): Uninsured assets may lead to financial losses to the company.
As Is Control:
1. There are safety manuals and policies in the company.
2. Assets are adequately insured at projects.
3. There are adequate safety measures at project locations.
Partially Ineffective Controls: During our visit to Tunnel T-49 (Jammu-Banihal Project), we found an insufficient number of fire extinguishers and sand buckets.
Recommendations:
1. The number of fire extinguishers and sand buckets needs to be increased.
2. Labourers should use safety helmets with helmet lamps.
3. An entry register should be properly maintained at each tunnel and site office.

Management Comments:
1. A sufficient number of fire extinguishers is available as per requirement. However, as suggested, the adequacy of the number of fire extinguishers will be explored.
2. Helmets are used by all who enter the tunnel. The tunnel is always illuminated, so a helmet torch is not required, and there is also power backup in case of electricity failure.
3. An entry register is available. However, it will be ensured that there is no lapse.


PROJECT OPERATION

Sub Process: Billing (PO 12)
Control Objective: To ensure that billing for the work to the client is made properly and on a timely basis.
Risk Description ("What Could Go Wrong"): Incorrect billing, or billing not done on time, will lead to loss of revenue and opportunity cost.
As Is Control: Billing is done to the client as per the defined schedules in the project agreement.
Partially Ineffective Controls: In Item Rate Contracts, billing to the client is made on the basis of the in-house Engineer's Report. In the CE-06 project, it was observed that there was a large difference between the proforma bill raised to the client and the amount approved by the client for payment.
Recommendations: Projects should ensure that the work is properly certified before raising the bill to the client.

Management Comments: The same is being followed in the projects. Further, IRCON functions as "Engineer" in the cost-plus projects and is authorized for certification as per the MOU with the client, and bills the client. Clients recoup the bill only in terms of the MOU.
In the Item Rate contracts, the bills are raised by IRCON as per IRCON's measurement. The client re-checks the measurements and certifies the bills as per BOQ/Drawing, and sometimes differences arise due to various reasons. After deductions, the matter is taken up with the client and reconciled with reasons for the deductions. After approval of the deviation etc. by the competent authority, the balance amount is released. However, measures will be taken to minimise the difference between the bill raised and the amount accepted.


Comments on Whistle Blower Policy

The company has a Whistle Blower Policy under which employees can report to the Management concerns about unethical behaviour, actual or suspected fraud, or violation of the company's code of conduct or ethics policy, and which provides the necessary safeguards against victimisation of employees.

No cases have been registered under the Whistle Blower Policy in the past three years.


Section – IV – LIMITATIONS OF INTERNAL CONTROL


Internal control can provide only reasonable assurance, not absolute assurance, about an entity's financial reporting, operating and compliance objectives.

Some inherent limitations of internal control are:

• Management's consideration of cost vis-à-vis benefits.
• The possibility of collusion among employees.
• A person abusing the responsibility for exercising internal control.
• Manipulation by management in the preparation of financial statements.


Section – V – WAY FORWARD


Future roadmap - FY 2017-18 and onwards:

• Control assessment procedures shall be conducted on a periodic basis.
• Internal Audit to test for operating effectiveness of controls within in-scope processes.
• Tests for design effectiveness to be performed for new / amended in-scope processes.
• Report reasons for control failure, for design and operating effectiveness, in the test result summary.
• Document a remediation plan for controls failing the test of design effectiveness.
• Communicate the remediation plan to all concerned process owners for action.
• Take remedial action as per the agreed plan.
• Test result summary to be prepared and submitted to the Steering Committee along with the test documentation.