Audit & Assurance · Internal & Operational Audits
Internal Financial Controls (IFC) Review
Internal Financial Controls (IFC) are not a compliance checkbox — they are the operating discipline that keeps your financial statements honest, your fraud risk low, and your auditor's report clean.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Internal Financial Controls (IFC) are not a compliance checkbox — they are the operating discipline that keeps your financial statements honest, your fraud risk low, and your auditor's report clean. Under the Companies Act 2013, your Board must certify that adequate IFC exist and operate effectively, and your statutory auditor must independently report on that same control environment. At PNPC Global, we have supported Boards and audit committees across India and the UAE since 1986 — designing control frameworks that actually work on the shop floor and in the ERP, not just on paper, and standing behind the auditor's opinion that follows.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Internal Financial Controls, as defined in Section 134(5)(e) read with the Explanation to Section 134 of the Companies Act 2013, are the policies and procedures adopted by a company to ensure orderly and efficient conduct of its business, including adherence to company policies, safeguarding of assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, and timely preparation of reliable financial information. In practice, an IFC Review is a structured engagement — usually built on the globally recognised COSO 2013 Internal Control – Integrated Framework — that documents your company's key financial processes (revenue, procurement, payroll, treasury, fixed assets, financial close), identifies the controls embedded in each process, tests whether those controls are designed adequately (design effectiveness) and are actually being followed (operating effectiveness), and reports gaps with a remediation roadmap.
The review sits at the intersection of two distinct but related statutory requirements. First, under Section 134(5)(e), the Board of Directors of every listed company must state in the Directors' Responsibility Statement that it has laid down internal financial controls and that such controls are adequate and were operating effectively. Second, under Section 143(3)(i) of the Companies Act 2013 read with the Companies (Audit and Auditors) Rules 2014, the statutory auditor of every company (subject to specified exemptions for smaller companies) must state in the audit report whether the company has an adequate internal financial controls system in place and whether such controls were operating effectively. The auditor's opinion under Section 143(3)(i) is typically supported by a separate Annexure to the Audit Report prepared under the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by the Institute of Chartered Accountants of India (ICAI).
An IFC Review commissioned proactively by management — ahead of the year-end statutory audit — exists to close the gap between what the Board is required to certify and what actually happens in the business. Many mid-sized and growing companies have informal controls: an approval happens because "that's how we've always done it," not because a documented policy requires it and evidence of the approval is retained. When the statutory auditor tests such a control for the first time during the year-end audit, undocumented or inconsistently applied controls generate audit findings, management letter points, and — in more serious cases — a qualified or adverse opinion under Section 143(3)(i) itself, the reporting requirement most directly linked to internal financial controls. CARO 2020 (Companies (Auditor's Report) Order, 2020) is a related but separate reporting order — it does not carry a dedicated internal-financial-controls-adequacy clause, but its clause 3(xi) requires auditors to report on fraud noticed or reported during the year (including frauds detected through weak internal controls) and on whistle-blower complaints, and clause 3(xiv) requires reporting on the adequacy of the company's internal audit system — both of which are frequently triggered by, or symptomatic of, the same control gaps an IFC Review is designed to surface.
For larger and listed entities, IFC failures carry consequences beyond the audit opinion: SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations require the CEO/CFO certification under Regulation 17(8) confirming the adequacy of internal controls, and any material weakness identified must be disclosed to the Audit Committee. For private and unlisted companies below the exemption thresholds, IFC reporting by the auditor may not be mandatory, but the underlying control discipline remains good governance practice — particularly for companies preparing for a funding round, a statutory audit upgrade, or a group consolidation exercise where the parent's auditor will expect subsidiary-level control assurance.
When an IFC Review makes sense
Your company is a listed entity, or a subsidiary/associate of one, where Section 143(3)(i) auditor reporting on internal financial controls (alongside related CARO 2020 clause 3(xi) fraud/whistle-blower reporting and clause 3(xiv) internal audit system reporting) is mandatory for the statutory auditor
Revenue, borrowings, or paid-up capital have crossed the thresholds that remove the small/private company exemption from mandatory auditor IFC reporting under the Companies (Audit and Auditors) Rules
You are preparing for a Series A/B funding round or PE investment and investors' due diligence teams will scrutinise the control environment around revenue recognition, related-party transactions, and cash controls
Your statutory auditor has flagged control deficiencies in a prior year's management letter and you want them remediated before the next audit cycle, not discovered again
You are consolidating multiple subsidiaries or business units and need a consistent control framework so the parent auditor can rely on subsidiary-level testing rather than re-performing full substantive procedures
A fraud, misappropriation, or significant accounting error has occurred and the Board or Audit Committee wants an independent assessment of why existing controls failed to prevent or detect it
You are transitioning from a founder-run, informal finance function to a professionalised finance team and want documented SOPs and control matrices as part of that maturity step
When a full IFC Review may be excessive
Very early-stage startups with a handful of transactions a month, no external investors, and no near-term funding plan — a lighter internal control checklist embedded in the accounting engagement is more proportionate than a formal COSO-based review
One Person Companies, small companies, and private companies meeting the Companies (Audit and Auditors) Rules exemption criteria for auditor IFC reporting, with no investor or lender requirement for control assurance — the statutory obligation simply does not attach
Businesses where the immediate priority is a books-and-records clean-up or a first-time statutory audit — in these cases, a basic accounting system review and audit readiness engagement should precede a formal IFC exercise
Companies with fewer than 5–10 finance and operations staff where segregation of duties is physically constrained by headcount — a proportionate compensating-control approach, not a full COSO documentation exercise, is the right fit until the team scales
Entities seeking a one-time certificate for a bank loan or tender that only requires a management representation, not a formal control-testing engagement — a narrower scoped letter may suffice
Internal Financial Controls Review vs related assurance and advisory engagements
| Feature | IFC Review (COSO-based) | Statutory Audit (Sec 143) | Internal Audit | SOC 1 / Process Assurance | Management Self-Assessment |
|---|---|---|---|---|---|
| Primary objective | Assess design & operating effectiveness of controls over financial reporting | Opine on true & fair view of financial statements | Assess efficiency, risk management, governance across all functions | Report on controls at a service organisation for user auditors | Internal, informal confidence-building exercise |
| Governing framework | COSO 2013 Internal Control – Integrated Framework | Standards on Auditing (SAs) issued by ICAI | Standards on Internal Audit (SIA) issued by ICAI | SSAE 18 / ISAE 3402 (international) | No prescribed framework |
| Statutory basis | Section 134(5)(e) — Board certification; Section 143(3)(i) — auditor reporting | Section 139–147, Companies Act 2013 | Section 138, Companies Act 2013 (mandatory for prescribed class of companies) | Not mandated under Indian Companies Act — driven by client/customer requirement | None |
| Who performs it | Independent CA firm or specialised risk advisory team, often distinct from statutory auditor | Independent statutory auditor appointed under Sec 139 | In-house internal audit function or outsourced CA firm reporting to Audit Committee | Independent CA/CPA firm | Internal finance team |
| Output | Control matrix, gap report, Risk Control Matrix (RCM), remediation roadmap, management letter | Audit opinion + CARO report + Annexure on IFC (where applicable) | Internal audit reports to Audit Committee each quarter/half-year | SOC 1 Type I or Type II report | Informal memo or checklist |
| Mandatory for which companies | Effectively mandatory support work for companies where Sec 143(3)(i) applies to the auditor | All companies except specified thresholds for small/OPC audit exemption under other laws | Listed companies, and public companies meeting prescribed capital/turnover/borrowing thresholds under Sec 138 | Not mandatory — market-driven, common for SaaS/BPO/fintech serving regulated clients | Not mandatory — voluntary |
| Timing relative to year-end | Typically conducted pre-audit (Q3/Q4) so gaps are fixed before year-end testing | Post year-end, on completed financial statements | Ongoing, throughout the year | Ongoing, covering a defined review period | Ad hoc, as needed |
| Relationship to statutory audit | Feeds directly into and de-risks the auditor's Sec 143(3)(i) opinion and CARO commentary | The audit itself | Independent function; statutory auditor may place limited reliance on internal audit work | Used by user-entity auditors to reduce their own testing | No formal reliance possible |
| Typical engagement length | 4–10 weeks depending on process scope and entity size | Concurrent with year-end audit — several weeks to months | Continuous / cyclical through the year | 3–12 months observation period for Type II | Days |
This table is directional. Whether your company needs a formal IFC Review, an internal audit function, both, or neither depends on your listing status, turnover/borrowing thresholds, investor requirements, and Board risk appetite. A scoping conversation with a practising CA is the right starting point.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Scoping & Materiality Discussion — understanding your business before opening a single file | We ask what a checklist vendor never asks: which processes actually move the needle on your financial statements? Revenue recognition on long-term contracts carries far more control risk than petty cash. We scope the review around materiality and fraud risk — not a generic 40-process template applied uniformly regardless of your business. | Week 1 |
| 2 | Entity-Level Controls (ELC) Assessment — tone at the top, governance, IT general controls overview | Entity-level controls are the foundation the COSO framework is built on — control environment, risk assessment process, information & communication, and monitoring activities. A process-level control matrix built on a weak ELC foundation gives false comfort. We assess ELCs first because they determine how much reliance can be placed on everything documented afterward. | Week 1–2 |
| 3 | Process Walkthroughs — revenue, procure-to-pay, payroll, treasury, fixed assets, financial close | We walk the transaction end-to-end with the actual process owner — not just review a policy document. Walkthroughs reveal the gap between the documented SOP and what genuinely happens: the approval that is emailed instead of logged in the ERP workflow, the three-way match that is skipped for "trusted" vendors, the bank reconciliation prepared but never reviewed. | Week 2–3 |
| 4 | Risk & Control Matrix (RCM) Documentation — mapping each financial statement assertion to a specific control | A generic RCM downloaded from a template site does not map to your actual chart of accounts, your ERP's approval workflow, or your specific fraud risk profile. We build the RCM against your general ledger structure and assertions (existence, completeness, accuracy, valuation, rights & obligations, presentation) so the auditor can trace it directly to your financial statements. | Week 3–4 |
| 5 | Design Effectiveness Testing — is the control, as designed, actually capable of preventing or detecting the risk? | A control can exist on paper and still be poorly designed — an approval limit set so high that it never triggers a second signature, or a reconciliation performed by the same person who posts the entries (no segregation of duties). We flag design gaps before testing operating effectiveness, because a well-operated but poorly designed control still fails. | Week 4–5 |
| 6 | Operating Effectiveness Testing — sample-based testing across the review period | We test a representative sample of transactions against each control — not a token 2–3 instances. Sample sizes follow professional testing standards based on control frequency (daily controls need larger samples than annual controls) and are documented so the statutory auditor can assess whether to place reliance on our work. | Week 5–6 |
| 7 | IT General Controls (ITGC) Review — access management, change management, backup and recovery | Financial controls increasingly depend on system controls — a well-designed approval matrix is meaningless if the ERP allows a junior accountant to override it with admin access. We review user access provisioning/de-provisioning, segregation of duties within the ERP roles, change management for system configuration changes, and backup/recovery discipline. | Week 5–6 — parallel with #6 |
| 8 | Gap Classification — Material Weakness, Significant Deficiency, or Control Deficiency | Not every finding is equal. We classify each gap using the same severity framework the statutory auditor will apply — a Material Weakness (reasonable possibility of a material misstatement not being prevented or detected), Significant Deficiency (less severe but merits attention), or Control Deficiency (design or operation does not allow timely prevention/detection, lower severity). This classification determines what must be escalated to the Audit Committee. | Week 6–7 |
| 9 | Draft Report & Management Discussion — walking findings through with process owners before finalising | We do not deliver a surprise report. Each finding is discussed with the relevant process owner and finance leadership before finalisation — both to validate facts and to begin remediation planning immediately, rather than after a report lands on the CFO's desk. | Week 7 |
| 10 | Remediation Roadmap — prioritised, owner-assigned, dated action plan | A list of gaps without a remediation plan is an audit finding waiting to recur next year. We build a roadmap with named owners, target dates, and — for material weaknesses — interim compensating controls the Board and auditor can rely on until the permanent fix is implemented. | Week 7–8 |
| 11 | Audit Committee / Board Presentation — findings, remediation status, and Sec 134(5)(e) support | The Board's Directors' Responsibility Statement under Section 134(5)(e) needs a documented basis. We present our findings directly to the Audit Committee or Board, giving directors the evidentiary basis to make their IFC certification with genuine comfort rather than a rubber-stamp confirmation from management. | Week 8 |
| 12 | Handover to Statutory Auditor — coordination pack for Sec 143(3)(i) reliance | Where permitted under the Standards on Auditing, we prepare our RCM, testing evidence, and gap report in a format the statutory auditor can review to determine the extent of reliance they can place on our work — reducing duplicate testing effort and audit fees, and accelerating the year-end audit timeline. | Week 8–9 |
| 13 | Post-Remediation Verification — confirming fixes actually took effect before year-end testing | A remediation marked "complete" by a process owner is not the same as a remediation verified as operating. We re-test a sample of remediated controls closer to year-end to confirm the fix is embedded in practice — not just documented in an email confirming closure. | 4–8 weeks before year-end, timed to the audit calendar |
A first-time IFC Review for a mid-sized company with 4–6 significant processes typically takes 8–10 weeks end-to-end. Subsequent-year reviews, building on an existing RCM, are materially faster — often 4–6 weeks — since the framework only needs updating for process changes, not ground-up documentation.
Certificate of Incorporation, Memorandum & Articles of Association — to understand corporate structure and any control-relevant provisions
Board and Audit Committee meeting minutes for the review period — to identify any control-related discussions, fraud incidents, or Board directions
Organisation chart for the finance and operations functions, with reporting lines — to assess segregation of duties at a structural level
Delegation of Authority (DoA) matrix or equivalent approval-limit policy, if one exists — this is often the single most revealing document about how formal the control environment actually is
Prior year's statutory audit report, CARO report, and any management letter or Letter of Weakness issued by the outgoing auditor
Standard Operating Procedures for revenue/order-to-cash, procure-to-pay, payroll, treasury, fixed assets, and financial close — where documented; where undocumented, we build these as part of the engagement
Chart of accounts and general ledger structure
ERP/accounting system configuration overview — modules in use, approval workflows configured, user roles defined
List of key vendors, customers, and related parties above a materiality threshold — to scope walkthrough and testing samples
Bank reconciliation process documentation and sample reconciliations from the review period
User access list for the ERP/accounting system with role assignments — current as of the review date
Joiner/mover/leaver access provisioning and de-provisioning records for the review period
Change management log for any system configuration or workflow changes made during the review period
Backup and disaster recovery policy and evidence of periodic backup testing
IT security policy covering password controls, admin access restrictions, and segregation between development/production environments where applicable
Financial close checklist or calendar showing the monthly/quarterly close process and review sign-offs
Trial balance and financial statements for the review period, with supporting schedules for significant account balances
Journal entry approval policy — particularly for manual/non-system-generated journal entries, a classic fraud and error risk area
Related-party transaction register and Board/Audit Committee approvals under Section 188 of the Companies Act
Fixed asset register with capitalisation policy and physical verification records
Employee master data and payroll approval workflow — new joiner, exit, and salary change approval trail
Sample payroll register with statutory deduction reconciliation (PF, ESI, TDS, Professional Tax)
Reimbursement and expense claim policy with approval thresholds
Segregation confirmation between the person who maintains employee master data and the person who processes payroll disbursement
Sample of sales invoices with corresponding purchase orders/contracts, delivery evidence, and approval trail — as selected for testing based on the agreed sample methodology
Sample of vendor payments with three-way match evidence (purchase order, goods receipt, invoice) and approval signatures
Sample of bank payment vouchers with dual-authorisation evidence where applicable
Sample of manual journal entries with supporting rationale and approval
Evidence of periodic stock/inventory verification and reconciliation to books, where applicable to the business
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Review Scoping | Decision to commission IFC Review — Board direction, investor requirement, or auditor recommendation | Materiality-based scoping of significant processes and locations. Agreement on framework (COSO), review period, and reporting format expected by the statutory auditor. Resourcing plan matched to entity complexity. | Scoping too broad wastes budget on immaterial processes; scoping too narrow misses the process that actually drives the auditor's qualification risk. |
| Documentation & Walkthroughs | Engagement kickoff | Entity-level control assessment, process walkthroughs with actual owners (not policy documents alone), and Risk Control Matrix build mapped to financial statement assertions and your actual chart of accounts. | A control matrix built from templates rather than actual walkthroughs misses the controls unique to your business and gives false assurance to the Board. |
| Testing (Design & Operating Effectiveness) | RCM finalised | Sample-based testing following standard sample-sizing conventions tied to control frequency. IT general controls reviewed in parallel — access management, change management, segregation of duties within the ERP. | Under-sampled or superficial testing produces a clean report that the statutory auditor cannot rely on — forcing them to re-perform full substantive testing, at your cost, closer to year-end. |
| Gap Reporting & Classification | Testing complete | Findings classified as Material Weakness, Significant Deficiency, or Control Deficiency using the same severity lens the statutory auditor applies. Each finding validated with process owners before finalisation. | Findings not properly classified either alarm the Board unnecessarily over minor items or, worse, under-report a genuine material weakness that surfaces during the statutory audit instead. |
| Remediation | Report issued | Prioritised, owner-assigned remediation roadmap with target dates. Interim compensating controls identified for material weaknesses that cannot be fixed before year-end. PNPC tracks remediation status through to closure. | Unremediated findings recur in the statutory audit report and CARO commentary — and repeat findings across consecutive years attract heightened scrutiny from the Audit Committee, lenders, and investors. |
| Board & Audit Committee Reporting | Prior to Board sign-off on financial statements | Findings and remediation status presented directly to the Audit Committee/Board, giving directors a documented, evidentiary basis for the Section 134(5)(e) certification in the Directors' Responsibility Statement. | A Board certification made without genuine underlying assurance is a personal exposure for directors if a control failure later causes a material misstatement or fraud. |
| Statutory Audit Coordination | Year-end audit fieldwork begins | RCM, testing evidence, and gap reports shared with the statutory auditor (subject to independence and Standards on Auditing considerations) to support their Section 143(3)(i) opinion and reduce duplicate testing. | No coordination means the statutory auditor re-tests controls from scratch, extending audit timelines, increasing audit fees, and raising the risk of last-minute qualification if gaps surface late. |
| Post-Audit Follow-Through | Audit report issued, any management letter received | Any new findings from the statutory audit are folded into next year's remediation roadmap. PNPC maintains the RCM as a living document, updated for process or system changes through the year rather than rebuilt annually. | Treating IFC as an annual one-off project rather than a maintained framework means next year's review starts from zero, doubling the cost and effort every cycle. |
IFC is a continuous discipline, not a once-a-year audit-season exercise. Companies that treat each phase above as a recurring cycle — rather than restarting from scratch every year — spend materially less on remediation and carry lower audit-qualification risk over time.
What exactly are Internal Financial Controls (IFC) under the Companies Act 2013?
IFC are defined in the Explanation to Section 134(5)(e) as the policies and procedures adopted by a company to ensure orderly and efficient conduct of its business, adherence to company policies, safeguarding of assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, and timely preparation of reliable financial information. In simpler terms: the system of approvals, reconciliations, segregation of duties, and checks that stand between an ordinary business transaction and a misstated financial statement.
Is an IFC Review legally mandatory for my company?
It depends on your company's category. Under Section 143(3)(i) of the Companies Act 2013 read with the Companies (Audit and Auditors) Rules 2014, the statutory auditor's requirement to report on IFC operating effectiveness carries an exemption for certain smaller/private companies meeting prescribed turnover, borrowing, and paid-up capital thresholds. If your company does not meet the exemption, your statutory auditor must report on IFC — and a proactive IFC Review by an independent team ahead of the audit substantially de-risks that opinion. Listed companies and their subsidiaries do not get this exemption and must additionally satisfy Section 134(5)(e) Board certification and SEBI LODR CEO/CFO certification requirements.
What is the difference between IFC and Internal Financial Controls over Financial Reporting (IFCoFR)?
IFC under Section 134(5)(e) is broadly defined and covers the full range of policies and procedures described above — including operational efficiency and asset safeguarding, not just financial reporting accuracy. IFCoFR — the term used in ICAI's Guidance Note that auditors apply under Section 143(3)(i) — is more narrowly scoped to controls that provide reasonable assurance regarding the reliability of financial reporting specifically. In practice, most engagements (including a PNPC IFC Review) are scoped around IFCoFR because that is what the statutory auditor's opinion actually addresses, while flagging any broader operational control gap observed along the way.
What framework do you use to conduct the review — is COSO mandatory?
ICAI's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting recommends the COSO 2013 Internal Control – Integrated Framework as a suitable framework, and it is the framework most Indian companies and auditors use in practice, given its widespread international recognition. It is not the only permissible framework, but using an unfamiliar or internally developed framework creates friction when the statutory auditor evaluates your control documentation. PNPC builds every IFC engagement on the five COSO components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities.
How is an IFC Review different from an internal audit under Section 138?
Section 138 mandates an internal audit function for listed companies and for public companies and certain private companies meeting prescribed turnover, borrowing, or paid-up capital thresholds. Internal audit is a broader, ongoing function covering operational efficiency, risk management, and governance across the entire business — not just financial reporting controls — and typically reports to the Audit Committee on a quarterly or half-yearly cycle. An IFC Review is narrower and more focused: a point-in-time (or periodic) assessment of the design and operating effectiveness of controls specifically over financial reporting, usually timed to support the year-end statutory audit. Many companies that have an internal audit function still commission a distinct, more technically focused IFC Review — sometimes performed by the same firm, sometimes by a different one for independence reasons.
Can PNPC be my statutory auditor and also perform my IFC Review in the same year?
This depends on the nature and extent of the work and applicable independence requirements under the Standards on Auditing and the ICAI Code of Ethics. Where PNPC is the statutory auditor, IFC testing performed as part of the audit itself is standard auditor work under Section 143(3)(i) — that is simply part of the audit. Where a company wants a separate, proactive, pre-audit IFC Review distinct from the audit engagement, we generally recommend this be performed by a team independent of the statutory audit engagement team, or in some cases by a different PNPC office/team with appropriate safeguards, to preserve independence and to give the Board a genuinely separate line of assurance rather than the auditor reviewing their own upcoming audit work.
What is a Material Weakness versus a Significant Deficiency versus a Control Deficiency?
These are severity classifications used in IFC reporting, aligned to how auditors classify findings. A Control Deficiency exists when a control is designed, implemented, or operated in a way that does not allow timely prevention or detection of a misstatement — the mildest category. A Significant Deficiency is a deficiency, or combination of deficiencies, that is less severe than a material weakness but important enough to merit the attention of those responsible for financial reporting oversight (typically the Audit Committee). A Material Weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis — the most severe category, and one that a statutory auditor is required to specifically report.
What happens if the statutory auditor reports a material weakness in our IFC?
Under Section 143(3)(i), if the auditor identifies that IFC are not adequate or not operating effectively, this is reported in the audit report itself and typically elaborated in the Annexure on Internal Financial Controls. A material weakness reported by the auditor is a serious governance signal — it can affect lender covenants, investor confidence, and in the case of listed companies, may need specific disclosure to the stock exchanges and the Audit Committee under SEBI LODR requirements. It does not automatically mean the auditor gives an adverse opinion on the financial statements themselves (that is a separate assessment), but it is a red flag that the Board is expected to act on with a documented remediation plan.
Our company is a private, unlisted company below the audit exemption thresholds. Do we still benefit from an IFC Review?
If your statutory auditor is not required to report on IFC under Section 143(3)(i) because you meet the exemption criteria, there is no strict legal mandate for a formal IFC Review. That said, many such companies commission a lighter-touch review anyway — particularly ahead of a funding round, where investor due diligence teams routinely assess control maturity around revenue recognition, cash handling, and related-party transactions regardless of statutory exemption status, or ahead of crossing the exemption thresholds as the business scales, so the control framework is already in place rather than built under time pressure.
How long does a first-time IFC Review take?
For a mid-sized company with 4–6 significant financial processes and a single location, a first-time review — from scoping through final report and Board presentation — typically takes 8–10 weeks. Multi-location or multi-subsidiary groups take longer, as walkthroughs and testing must be repeated (or appropriately sampled) across each significant location. Subsequent-year reviews, building on an existing Risk Control Matrix, are meaningfully faster because the documentation baseline already exists and only needs updating for process or system changes.
What does an IFC Review typically cost?
Fees depend on the number of significant processes in scope, the number of locations/subsidiaries, the maturity of existing documentation (a company with no SOPs costs more to review than one with well-maintained process documentation), and whether ITGC review is included. PNPC provides a fixed, written scope and fee proposal after an initial scoping conversation — we do not price blind. As a general principle, the cost of a proactive IFC Review is consistently lower than the combined cost of an extended year-end audit (caused by the auditor discovering control gaps for the first time) plus the professional and reputational cost of a qualified audit opinion or CARO adverse remark.
What is CARO 2020 and how does it relate to IFC?
The Companies (Auditor's Report) Order, 2020 (CARO 2020) requires statutory auditors of specified companies to comment on a detailed list of 21 matters in their audit report under clauses 3(i) to 3(xxi) — covering fixed assets, inventory, loans, deposits, statutory dues, and more. The auditor's opinion on whether the company has an adequate internal financial controls system that is operating effectively is reported separately, under Section 143(3)(i) of the Companies Act itself — CARO 2020 does not contain a dedicated IFC-adequacy clause. What CARO 2020 does contain, and what is closely linked to IFC, is clause 3(xi) (whether any fraud has been noticed or reported during the year, including fraud enabled by control weaknesses, plus whistle-blower complaints) and clause 3(xiv) (whether the company has an internal audit system commensurate with its size and nature of business). Findings from an IFC Review commonly inform the auditor's position on all of these — the Section 143(3)(i) opinion and the related CARO clauses.
What is the CEO/CFO certification under SEBI LODR and how does IFC feed into it?
Regulation 17(8) of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 requires the CEO and CFO of a listed company to certify to the Board, among other matters, that they have evaluated the effectiveness of internal control systems and disclosed to the Auditors and the Audit Committee any deficiencies in the design or operation of internal controls, along with steps taken to rectify these deficiencies. An IFC Review gives the CEO and CFO the substantive testing evidence needed to make this certification with genuine confidence rather than as a formality.
Do you test 100% of transactions or a sample?
Sample-based testing, consistent with professional auditing and internal control testing conventions. Sample sizes are determined by the frequency of the control — a control that operates daily (like a bank reconciliation review) requires a larger sample than one that operates annually (like a year-end impairment assessment). We document the sample-sizing rationale so that if your statutory auditor wants to place reliance on our work, they can assess the sufficiency of our testing methodology against their own standards.
What are IT General Controls (ITGC) and why are they part of an IFC Review?
ITGC are controls over the IT environment that support the reliable operation of application-level (financial) controls — primarily access management (who can create, approve, and post transactions in the ERP), change management (how changes to system configuration, approval workflows, and reports are authorised and tested), and backup/recovery (ensuring financial data integrity and availability). If ITGC are weak — for example, a user has both data-entry and approval rights in the ERP — then an application control that looks well-designed on paper (a two-step approval workflow) is not actually effective in practice, because the segregation it depends on can be bypassed.
Our finance team is small — 4 people handling everything. Can we still have adequate IFC?
Yes, though the approach differs from a large finance function. Where headcount genuinely constrains full segregation of duties, the review focuses on identifying compensating controls — for example, independent Board or owner-level review of bank statements and large payments, mandatory dual authorisation for payments above a threshold even without full functional segregation, and periodic surprise reconciliation reviews by someone outside the day-to-day processing team. Adequate does not mean elaborate; it means proportionate to your risk and genuinely operating, not merely documented.
How does an IFC Review differ across a manufacturing company versus a services/SaaS company?
The COSO framework and testing methodology are the same, but the significant processes and highest-risk areas differ substantially. Manufacturing entities typically carry higher inherent risk in inventory valuation, fixed asset capitalisation, and procure-to-pay given physical goods movement. Services and SaaS businesses typically carry higher inherent risk in revenue recognition (particularly around multi-element arrangements, subscription revenue recognition under Ind AS 115, and deferred revenue), accounts receivable, and — increasingly — data security controls that intersect with financial reporting (customer billing data integrity). PNPC scopes the RCM to your actual business model rather than applying a generic manufacturing-oriented template to a software company, or vice versa.
What is Ind AS 115 and why does it matter for the IFC Review?
Ind AS 115 (Revenue from Contracts with Customers) is the accounting standard governing when and how much revenue a company recognises, based on a five-step model tied to the transfer of control of goods or services to the customer. For companies with complex arrangements — subscription pricing, bundled products and services, milestone-based contracts, variable consideration — the judgement involved in applying Ind AS 115 creates specific control risk: are contracts reviewed consistently for the correct recognition pattern, and is that judgement documented and approved rather than applied inconsistently by whoever processes the invoice that month?
Does the IFC Review cover fraud risk specifically, or only general control weaknesses?
Fraud risk is an explicit part of the scope. IFC, by definition under Section 134(5)(e), includes controls for the prevention and detection of frauds and errors. Our review specifically considers fraud risk factors — opportunity (weak segregation, unmonitored access), pressure (aggressive targets, cash flow stress), and rationalisation risk indicators — alongside standard error-prevention controls, and we test controls specifically designed to detect fraud (unusual journal entry review, vendor master data change monitoring, whistle-blower mechanism functioning) as a distinct thread within the broader review.
What is a Whistle Blower Policy and is it part of the IFC scope?
A Vigil Mechanism / Whistle Blower Policy is mandatory under Section 177(9) of the Companies Act for listed companies and companies that accept deposits or have borrowed money from banks and public financial institutions above prescribed thresholds, and separately required under SEBI LODR for listed companies. While it is a governance mechanism rather than a financial reporting control in the narrow sense, we assess whether it is functioning — is it genuinely accessible to employees, are complaints logged and investigated, does the Audit Committee receive reports — because it is a key fraud detection control that intersects directly with financial reporting integrity.
How do you handle related-party transaction controls in the review?
Related-party transactions carry elevated fraud and misstatement risk precisely because normal arm's-length commercial controls (competitive procurement, independent price benchmarking) may not naturally apply. We review whether related-party transactions are identified and flagged before execution (not just at year-end for disclosure purposes), whether they receive the Audit Committee and/or Board approval required under Section 188 of the Companies Act, and whether pricing is benchmarked and documented as being on an arm's-length basis where required.
Can the IFC Review be conducted remotely, or does someone need to be on-site?
A hybrid approach works well for most engagements — process walkthrough interviews and document review can be conducted remotely via video call and secure document sharing, but certain elements benefit from on-site presence: observing physical controls (cash handling, inventory verification, access card/biometric controls at the registered office or warehouse), and building direct rapport with process owners during walkthroughs. For clients with operations across Chennai, Bangalore, Hyderabad, and Dubai, PNPC coordinates across our offices so on-site elements are handled locally without requiring travel from a single central team.
What deliverables do we actually receive at the end of the engagement?
A complete IFC engagement delivers: the Risk Control Matrix (RCM) mapping key controls to financial statement assertions and risks; a walkthrough documentation set for each significant process; the testing evidence and results for both design and operating effectiveness; a classified gap/findings report (material weakness, significant deficiency, control deficiency); a prioritised remediation roadmap with named owners and target dates; an ITGC review summary; and a Board/Audit Committee presentation deck summarising the overall assessment and the basis for the Section 134(5)(e) certification.
How does IFC Review interact with our statutory auditor's independence requirements?
If PNPC is not your statutory auditor, there is no independence constraint — we can perform the IFC Review as an independent advisory engagement and share our work product with your statutory auditor for their consideration under the applicable Standards on Auditing (which govern how and to what extent an auditor may rely on the work of others). If PNPC is your statutory auditor, IFC testing performed as part of the audit itself is standard practice; a separately branded, additional advisory-style IFC review by the same engagement team raises independence and self-review considerations we assess and structure around case by case, consistent with the ICAI Code of Ethics.
What if the review finds a serious issue — like evidence of actual fraud, not just a control gap?
If testing uncovers evidence suggestive of actual fraud (as opposed to a control weakness that merely creates the opportunity for fraud), our engagement protocol requires immediate escalation to the Audit Committee Chair or the Board, generally before the standard review report is finalised, given the statutory reporting obligations that may be triggered (including the auditor's own fraud-reporting duties under Section 143(12) of the Companies Act if a statutory auditor is separately involved). We do not sit on a live fraud indicator until the scheduled report date.
We are a subsidiary of a foreign (UAE / Singapore / US) parent. Does the parent's control framework apply to us?
Often, yes, in substance if not in exact statutory form. Many multinational parent groups — particularly those with a US-listed parent subject to Sarbanes-Oxley (SOX) — expect Indian subsidiaries to operate under a group-wide control framework consistent with the parent's requirements, even where the Indian entity itself would be exempt from Section 143(3)(i) reporting on a standalone basis. PNPC scopes the review to satisfy both the Indian statutory requirement (where applicable) and the parent group's control framework expectations, avoiding duplicate documentation for two different frameworks.
How often should an IFC Review be repeated — every year, or periodically?
For companies where auditor IFC reporting under Section 143(3)(i) is mandatory, we recommend annual refresh testing at minimum — even if the RCM itself does not need to be rebuilt from scratch, the operating effectiveness testing should be performed each year since a control that operated effectively last year is not automatically assumed to operate effectively this year. A full re-walkthrough and RCM rebuild is generally warranted every 2–3 years, or immediately upon a significant process change, ERP migration, business restructuring, or new business line launch.
What is the ICAI Guidance Note on Audit of IFCoFR and does it apply to a management-commissioned review too?
The Guidance Note on Audit of Internal Financial Controls Over Financial Reporting, issued by ICAI, is written primarily to guide statutory auditors in forming their Section 143(3)(i) opinion. It is not a mandatory framework for a management-commissioned IFC Review in the same binding sense, but it is the most authoritative and widely accepted reference point in India for what "adequate" and "operating effectively" mean in this context — so PNPC aligns its review methodology to the Guidance Note's principles, ensuring our findings and terminology speak the same language the statutory auditor will use.
Is there a difference in IFC requirements between an Indian company and one of PNPC's UAE clients?
Yes, materially. The Companies Act 2013 IFC framework described throughout is an India-specific statutory requirement. UAE entities are governed by the UAE Commercial Companies Law and, for listed/regulated entities, by the relevant UAE securities or free-zone authority requirements, which do not carry an identical IFC reporting mandate structured around Section 134(5)(e)/143(3)(i). That said, UAE Corporate Tax compliance, VAT controls, and increasingly ESR (Economic Substance Regulations) documentation create their own control-discipline expectations. PNPC's Dubai office scopes UAE engagements against the correct UAE regulatory framework rather than importing Indian Companies Act requirements where they do not apply.
Our company had a clean IFC opinion last year. Why would we need a review again this year?
A prior clean opinion reflects the control environment as it existed and was tested at that time — it is not a permanent certification. New employees, system changes, new product lines, new related-party arrangements, and evolving fraud schemes all change the risk profile year to year. Auditors and Audit Committees expect operating effectiveness to be re-demonstrated each year, not assumed to continue automatically. A lighter refresh review (rather than a full ground-up rebuild) is usually appropriate where the business has been stable, but skipping the year entirely leaves the Board's certification unsupported for that year.
What is the practical difference between a 'clean' IFC opinion and a qualified one in the audit report?
A clean (unmodified) opinion under Section 143(3)(i) states that the company has, in all material respects, an adequate internal financial controls system and that such controls were operating effectively as at the balance sheet date. A qualified opinion means the auditor identified one or more material weaknesses and could not conclude that controls were adequate and effective — this is disclosed prominently in the audit report and is visible to lenders, investors, and regulators reviewing the filed financial statements. It does not automatically mean the financial statements themselves are misstated, but it signals elevated risk that requires explanation to stakeholders.
Do you provide a written engagement letter and fixed scope before starting?
Yes, always. Every PNPC IFC Review begins with a scoping discussion followed by a written engagement letter setting out the processes and locations in scope, the framework applied, the testing approach, deliverables, timeline, and fee — agreed and signed before any fieldwork begins. We do not commence testing on an undefined or open-ended scope.
Why should we engage PNPC rather than a generic risk advisory firm for this review?
A pure risk advisory firm can document a COSO-aligned RCM competently, but often lacks the depth of Indian statutory context — Companies Act nuances, CARO applicability tests, TDS and GST control interlinkages, Ind AS interpretation — that a practising CA firm brings as a matter of course. PNPC has been practising Indian company and tax law since 1986, with offices across Chennai, Bangalore, Hyderabad, and Dubai. We build the IFC Review to genuinely serve your statutory auditor's reliance decision and your Board's certification needs — not as a generic risk-consulting deliverable disconnected from the actual regulatory framework your company operates under.
| Feature | Generic Risk Consultancy | Statutory Auditor's Own IFC Testing | PNPC Global |
|---|---|---|---|
| Indian statutory grounding | COSO methodology strong, Companies Act/CARO context often thin | Deep — but scoped to audit opinion needs, not proactive remediation | COSO methodology combined with Companies Act, CARO 2020, Ind AS, and FEMA/tax-control context since 1986 |
| Timing relative to audit | Often runs on its own calendar, disconnected from audit fieldwork | Happens during year-end audit — findings surface late, little time to fix | Timed deliberately 3–4 months ahead of audit fieldwork so findings can be genuinely remediated, not just documented |
| Coordination with statutory auditor | Limited — deliverable handed over with no reliance discussion | Is the audit itself | RCM and testing evidence structured for auditor reliance under Standards on Auditing — reduces duplicate testing and audit fees |
| Remediation support | Report delivered; remediation left to client | Not in scope — audit reports the gap, does not fix it | Named-owner, dated remediation roadmap with post-remediation re-verification before year-end |
| Board / Audit Committee engagement | Slide deck emailed, limited direct interaction | Discussed as part of audit closing meeting | Direct presentation to Audit Committee/Board, supporting the Section 134(5)(e) certification with real evidentiary basis |
| Cross-border (India-UAE) capability | Rare — most risk consultancies are India-only or global-only with no local nuance | Limited to the entity actually being audited | Chennai, Bangalore, Hyderabad, and Dubai offices — one coordinated team for India-UAE group structures |
| Continuity year to year | Each engagement often re-scoped from zero by a rotating consulting team | Tied to audit tenure and rotation requirements | RCM maintained as a living document; refresh reviews build on prior year's baseline, reducing cost and effort over time |
| Access to a practising CA for follow-up questions | Project-based access, ends at report delivery | Available during audit engagement only | Direct engagement CA contact by phone and WhatsApp, year-round — not a support ticket queue |
What the PNPC package includes
- 01
Scoping and materiality assessment aligned to your actual business model, not a generic template
- 02
Entity-level control (tone at the top, governance, risk assessment process) evaluation
- 03
Process walkthroughs with actual process owners across revenue, procure-to-pay, payroll, treasury, fixed assets, and financial close
- 04
Risk Control Matrix (RCM) built against your chart of accounts and financial statement assertions
- 05
Design and operating effectiveness testing using proper sample-sizing methodology tied to control frequency
- 06
IT General Controls (ITGC) review covering access management, change management, and backup/recovery
- 07
Findings classified as Material Weakness, Significant Deficiency, or Control Deficiency, using the same severity lens statutory auditors apply
- 08
Prioritised, owner-assigned remediation roadmap with target dates and interim compensating controls where needed
- 09
Post-remediation re-verification testing before year-end audit fieldwork begins
- 10
Direct Board / Audit Committee presentation supporting the Section 134(5)(e) Directors' Responsibility Statement
- 11
Coordination pack prepared for your statutory auditor's Section 143(3)(i) reliance assessment
- 12
Cross-border coordination for India-UAE group structures from our Chennai, Bangalore, Hyderabad, and Dubai offices
Speak directly with a PNPC Chartered Accountant before your next audit cycle begins. Not a generic risk-consulting deck — a practising CA firm that has stood behind Board certifications and auditor opinions across India and the UAE since 1986, and that stays engaged long after the report is delivered.