Rajendra Prasad, President & CFO, SRF Ltd says that while the recent spate of controls may seem overwhelming, it is possible to be ‘unbound’ by controls. And ‘common sense’ controls can more than adequately meet legal needs.
The Companies Act, 2013 introduced new provisions or revised old ones to include controls that should exist in a company. Not to be outdone, and maybe later blamed for not having mandated controls in their own domains, various regulators also announced a spate of controls which companies now need to implement. This has forced most of us to take a serious look at the existing control environment in the companies we work in.
At first reading all the controls and measures announced, taken together appear ominous and ‘business crushing’ in cumulative impact. However, a more patient reading, driven more by rational thought than by panic, would put our minds at ease that the situation is not as bad as it seems.
I am inherently weak at absorbing exact regulations word by word, and better at synthesising the drift and intention of the rules. As CFOs we should be able to join the dots of various regulations and arrive at solutions that are optimised to serve and meet all the regulations at the same time. Hence, a look at our company’s control environment all together would be a wiser view than control by control.
Facts & Trivia
Education: Chartered Accountant & Trained Six Sigma Black Belt
Previous Job: American Express, Lead Controller, Director on Board and Chairman – Audit Committee for Indian subsidiaries
Looking at all the regulations together, various regulators are basically emphasising three very valid principles, which none of us in the finance profession can deny or object to. These are:
Controls need to be adequate and be operating effectively to ensure orderly and efficient conduct of business. Financial controls and systems of risk management are robust and defensible. Independence of those who are responsible for confirming the above is maintained at all times. Shorn of the long winded regulatory language, the above seem sensible and obvious.
Not only do we need to look at the ‘control environment’ as a whole, the environment that we mandate for ourselves in our organisation should be ‘best or relevant in context’. The various constituents of the control environment are for us to define in good judgment; those which give us comfort that the house is in order and running in manner which raises our trust in its operations. The household cannot run like an out of control ‘runaway reaction’.
Further, it holds to common sense that to be sure that one is in control of one’s household, we would need to know in advance what risks exist and where, for which we would have certain controls in place, which in turn would be monitored, and communicated to all concerned. These itself, along with the control environment that they form, are the phases of the COSO framework - Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Sounds simple.
Once, we set up the above mechanisms which assure us the peace of mind, certain responsibilities need to be assigned – the head of the family (the Board and Audit Committee) should define the direction or set the tone, the key family members to implement the mandate and someone to make sure that things are actually progressing well, as planned.
At the corporate level where activities happen at various locations, by different people, under different circumstances, using different tools, simple looking control directives assume monster like proportions. To handle complex problems, tools best suited to solve complexities should be applied. IT based solutions provide the best option to ensure that the corporate functions as expected.
Knowledge of IT capabilities and their unabashed use would serve us well if we applied them for creating effective controls and monitoring systems. It should be our focus to move controls from being detective and corrective to being preventive. A corollary to this is to move controls upstream in the process so that the chance of an error is checked at the earlier stages itself. The idea being that preventive controls would capture an error before it happens – contradictory as it may sound – would save us rework and wasted effort.
We at SRF are hopeful of managing and meeting the rigorous control related expectation of various regulators with relative ease because we intentionally have stayed ahead of the race. We believe that finance need not be the ogre imposing strangulating shackles on business, but a facilitating partner who can actively assist in meeting regulatory demands with least disruptions to business activity.
With painstaking effort to win the businesses’ trust, multiple training sessions and assistance from external experts, we implemented processes and controls before they were mandated. We implemented Control Manager (CM), a facilitating tool which acts like an alarm clock for all employees to remind them of the actions that need to be taken to meet specific calendarised regulatory deadlines. Combined with CM, Control Self- Assessment forms an all pervasive tool which operates across the company, across geographies, is scalable, system driven, eliminates Excelisation, and yet connects the employee who actually performs the task to the highest authority in the control chain, projecting total transparency. The two together form the bedrock of the control environment.
At first reading all controls taken together appear ‘business crushing.’ More patient scrutiny driven by reason can certainly put our minds at ease.
However, all starts with the ‘tone at the top’ followed by sensible and practical policies which communicate the intention of the company clearly. Segregation of duties and delegation of powers are well thought out, which discourage violations, are now a given in any modern organisation. At SRF we have embedded controls in our ERP systems which identify and flag transactions and activities which require special attention. In most cases we do not stop the transactions, but make the user aware that certain enhanced control or care needs to be ensured. In most cases this is adequate. We increase accountability by increasing traceability, which we have achieved by building appropriately placed activity logs – again keeping in mind utility vs cost (loss of speed etc.). These controls are benign and unobtrusive, working quietly in the background, to an extent that the organisation is hardly aware of their existence.
We have aggressively pursued the principle of ‘multiple views’ from ‘single point of entry’, which has not only eliminated errors but has also done away with the need for reconciliation. All MIS reports are compiled straight ‘off the system’, and all audits are conducted off ERP documents, thus killing the culture of Excelisation, yet once again. ‘Show me what you did’ has replaced ‘tell me how you did it’.
With the above controls in place, implementing which was not a difficult exercise, we now are mapping which of these constituents of the control environment match the regulatory requirement. Basically, we are mapping the common sense controls to the ‘regulatory jargon’ requirements and find that the control environment that we have set up would more than adequately meet the legal needs, and improve business processes and results as well.
Implementing controls looks a lot easier than implementing the changes arising from GST. That is the next challenge ahead for CFOs.