Internal Controls

Overview

The Group has created an Internal Control manual for designing and performing internal control testing to provide assurance to the Board and Audit Committee on effectiveness of controls within the organization.

To assess the effectiveness of controls, management and external auditors obtain evidence that internal controls has been design and are operating effectively.

OBJECTIVE

For effective risk management, the organization prepares Risk and Control matrices to identify key controls to mitigate risks. Periodic control testing is done to provide assurance on the effectiveness of controls. The key objectives can be broadly illustrated as follows:

To ensure management’s responsibility on internal controls is established, properly documented, maintained, and followed by everyone
Understanding of the responsibility for compliance with the internal controls
Provide a structured framework of Internal Controls
Enhance transparency and completeness of financial statements and disclosures
Periodic reporting system for compliance with the internal control system

APPLICABILITY AND SCOPING

This Internal Control manual is applicable to all group entities. Scoping of business units and processes is performed and aligned with external auditors to capture changes in the business scenarios.

Based on risk assessment and materiality, the following parameters are assessed to identify the entities and processes under scope:

Full scope entity: Entity with revenue, assets, or profit before taxes of more than 3.75% of the total groups consolidated revenue, assets, or profit before taxes
Balance entities: Key ledgers with significant risk would be identified. Entity with significant risk (receivables, cash & bank balances, loans, and finance costs) above 4% of the group’s revenue, assets, or profit before taxes
Additionally, based on the internal audit and other reviews which may be taken by the Risk and Compliance Team, any other key ledgers or account with reasonable possibility of a risk of material misstatement

RESPONSIBILITIES

Following are the key stakeholders along with their roles and responsibilities:

Audit and Risk Committee: The Audit and Risk Committee is responsible to oversee the process of Internal Controls and its effectiveness.
Risk and Compliance team: The Risk and Compliance team is required to manage the Internal Control testing based on the defined frequency and sampling methodology. Periodic reporting to Audit and Risk Committee should be done on the status of Control gaps, if any.
Head of Departments (HoDs): As a part of the control self-assessment (CSA) process, the Head of departments are required to evaluate and manage the controls. In case of ineffective controls, initiate adequate measures to fix the control gaps.

CONTROL TESTING METHODOLOGY

Frequency and Sampling Size

Internal control testing is done as per the following:

Key controls: To be tested yearly
Non-key controls: To be tested once every two years

The Risk and Compliance team will determine the appropriate number of control occurrences to test based on the defined sampling method

Methodology

Test of Design (TOD) / Test of Effectiveness (TOE):

Perform Test of Design by verifying ‘one sample’ of each control documented in the Risk and Control Matrix
Perform a Test of Effectiveness on the samples selected as per the defined sampling methodology
Prepare testing template with control testing parameters and update testing results
Submission of testing results to the management

REPORTING FRAMEWORK

FIVE shall present the results of control testing in the form of a presentation as an outcome of the completed testing annually.

Summary of control framework of the organization in the form of manual and automated controls
Test results of TOD and TOE along with the list of gaps and improvement opportunities
Remediation plan for all identified gaps and improvements along with timelines

Any colleague who has questions or concerns about this policy should speak with the Risk and Compliance