The Group has created an Internal Control manual for designing and performing internal control testing to provide assurance to the Board and Audit Committee on effectiveness of controls within the organization.
To assess the effectiveness of controls, management and external auditors obtain evidence that internal controls has been design and are operating effectively.
For effective risk management, the organization prepares Risk and Control matrices to identify key controls to mitigate risks. Periodic control testing is done to provide assurance on the effectiveness of controls. The key objectives can be broadly illustrated as follows:
- To ensure management’s responsibility on internal controls is established, properly documented, maintained, and followed by everyone
- Understanding of the responsibility for compliance with the internal controls
- Provide a structured framework of Internal Controls
- Enhance transparency and completeness of financial statements and disclosures
- Periodic reporting system for compliance with the internal control system
APPLICABILITY AND SCOPING
This Internal Control manual is applicable to all group entities. Scoping of business units and processes is performed and aligned with external auditors to capture changes in the business scenarios.
Based on risk assessment and materiality, the following parameters are assessed to identify the entities and processes under scope:
- Full scope entity: Entity with revenue, assets, or profit before taxes of more than 3.75% of the total groups consolidated revenue, assets, or profit before taxes
- Balance entities: Key ledgers with significant risk would be identified. Entity with significant risk (receivables, cash & bank balances, loans, and finance costs) above 4% of the group’s revenue, assets, or profit before taxes
- Additionally, based on the internal audit and other reviews which may be taken by the Risk and Compliance Team, any other key ledgers or account with reasonable possibility of a risk of material misstatement
Following are the key stakeholders along with their roles and responsibilities:
- Audit and Risk Committee: The Audit and Risk Committee is responsible to oversee the process of Internal Controls and its effectiveness.
- Risk and Compliance team: The Risk and Compliance team is required to manage the Internal Control testing based on the defined frequency and sampling methodology. Periodic reporting to Audit and Risk Committee should be done on the status of Control gaps, if any.
- Head of Departments (HoDs): As a part of the control self-assessment (CSA) process, the Head of departments are required to evaluate and manage the controls. In case of ineffective controls, initiate adequate measures to fix the control gaps.
CONTROL TESTING METHODOLOGY
Frequency and Sampling Size
Internal control testing is done as per the following:
- Key controls: To be tested yearly
- Non-key controls: To be tested once every two years
The Risk and Compliance team will determine the appropriate number of control occurrences to test based on the defined sampling method
Test of Design (TOD) / Test of Effectiveness (TOE):
- Perform Test of Design by verifying ‘one sample’ of each control documented in the Risk and Control Matrix
- Perform a Test of Effectiveness on the samples selected as per the defined sampling methodology
- Prepare testing template with control testing parameters and update testing results
- Submission of testing results to the management
FIVE shall present the results of control testing in the form of a presentation as an outcome of the completed testing annually.
- Summary of control framework of the organization in the form of manual and automated controls
- Test results of TOD and TOE along with the list of gaps and improvement opportunities
- Remediation plan for all identified gaps and improvements along with timelines
Any colleague who has questions or concerns about this policy should speak with the Risk and Compliance