Applicability Under Law
- Subsidiaries in India are required to establish and maintain adequate internal financial controls as mandated under Section 134(5)(e) and Section 177 of the Companies Act, 2013.
- These controls ensure the reliability of financial reporting, operational effectiveness, and compliance with applicable laws and regulations.
- For listed companies and their subsidiaries, enhanced controls are required under SEBI (LODR) Regulations.
- Internal controls are also evaluated under statutory audits, tax assessments, and group internal audits.
Components of the Internal Control System
- Control Environment: Governance structure, code of conduct, roles and responsibilities of the board and audit committee.
- Risk Assessment: Identification and analysis of business, financial, compliance, and operational risks.
- Control Activities: Policies and procedures for approval, authorization, verification, and reconciliation of transactions.
- Information and Communication: Secure and timely flow of information across departments and to the parent company.
- Monitoring Activities: Continuous review, internal audit programs, and management oversight to assess control effectiveness.
Audit Committee Oversight
- Subsidiaries with an audit committee must ensure that it reviews internal control policies, audit findings, and risk management frameworks.
- The committee oversees internal auditors and ensures corrective actions are implemented for control failures.
- It reviews significant intercompany transactions and related party transactions for compliance.
- The committee reports key observations to the board and, if applicable, to the parent company’s audit body.
Documentation and Reporting
- Internal control procedures must be documented, approved, and communicated across departments.
- Key areas include procurement, inventory, payroll, financial closure, tax compliance, and IT controls.
- Companies must maintain audit trails and records to demonstrate adherence to internal controls.
- Internal auditors prepare reports for management review, and external statutory auditors rely on these for their audit opinion.
- For companies using Ind AS, disclosures regarding internal financial controls are made in the board’s report.
Parent Company Integration
- For subsidiaries of large Indian or foreign groups, internal controls are often aligned with group-wide control frameworks (e.g., COSO or SOX).
- The parent may mandate shared policies, standard operating procedures, and technology systems for uniform compliance.
- Internal control assessments may be carried out centrally by the parent’s global internal audit team.
- Cross-border reporting and compliance dashboards are used to monitor risk and control metrics.
IT and Cybersecurity Controls
- Internal controls extend to IT systems, ensuring data integrity, access management, cybersecurity, and backup protocols.
- Companies must implement controls over ERP systems, financial software, and document management platforms.
- Audit logs, encryption, and user access controls must be in place to prevent data manipulation and fraud.
- For subsidiaries handling sensitive financial or customer data, data protection and privacy controls are critical.


