HomeServicesRisk AdvisoryInternal Control Reviews & IFC Evaluation

Risk Advisory · Internal Controls & Process Improvement

Internal Control Reviews & IFC Evaluation

Internal Financial Controls are no longer a checkbox for the audit file — they are a statutory representation your Board and your auditor must make every single year, and a regulator, a lender, or an investor's diligence team can test at any time.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Internal Financial Controls are no longer a checkbox for the audit file — they are a statutory representation your Board and your auditor must make every single year, and a regulator, a lender, or an investor's diligence team can test at any time. At PNPC Global, we have evaluated and documented internal controls for companies across manufacturing, services, trading, and financial businesses since 1986. We do not hand you a generic control matrix downloaded from a template library. We walk your actual processes — procurement, revenue, payroll, closing — and build a control framework that holds up under audit scrutiny, under CARO 2020 reporting, and under your own Board's questions.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Internal Control Reviews & IFC Evaluation is

An Internal Control Review is a structured evaluation of the policies, procedures, and control activities that a company has put in place to ensure the reliability of financial reporting, the safeguarding of assets, the prevention and detection of fraud and error, and adherence to laws and management policies. In India, the concept carries specific statutory weight through Internal Financial Controls (IFC) — defined under Section 134(5)(e) of the Companies Act 2013 (for the Board's responsibility statement) and referenced in Section 143(3)(i), which requires the statutory auditor of every company (other than certain exempted small companies, OPCs, and private companies meeting specified thresholds) to report on whether the company has an adequate internal financial controls system in place and whether such controls were operating effectively.

IFC evaluation is broader than a general 'internal controls' review in common usage — the Institute of Chartered Accountants of India's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting frames it around the globally recognised COSO framework (Committee of Sponsoring Organizations of the Treadway Commission), covering five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. A proper IFC evaluation documents entity-level controls (tone at the top, delegation of authority, IT general controls) as well as process-level controls (procure-to-pay, order-to-cash, record-to-report, payroll, treasury, fixed assets) with defined control objectives, control owners, frequency, and testing evidence.

Beyond the statutory audit requirement, internal control reviews serve a distinct commercial purpose. Lenders increasingly require evidence of control maturity as part of credit appraisal for larger facilities. Private equity and strategic acquirers run control and process diligence before a transaction, and control gaps discovered late in diligence routinely become valuation adjustments or indemnity clauses. The CARO 2020 (Companies Auditor's Report Order) also requires auditors to comment on whether the company has an adequate internal audit system commensurate with its size and nature of business for certain classes of companies — a related but distinct obligation from IFC reporting under Section 143(3)(i).

At PNPC, an internal control review is not a compliance exercise performed once and filed away. It is process work: we map how transactions actually flow through your organisation — not how the process manual says they should flow — identify the points where a control is genuinely needed (segregation of duties, authorisation limits, reconciliation, system-enforced validation), test whether that control operated consistently during the period under review, and document deficiencies with a severity rating and a remediation plan that management and the Audit Committee can act on. Where control gaps are found, we do not simply flag them for the statutory auditor — we help design and implement the fix.

When an internal control review is essential

Your company falls within the scope of Section 143(3)(i) — the statutory auditor is required to report on IFC over financial reporting and you need this evaluated and documented before the audit, not discovered during it

You are a listed company, a large private company, or a company approaching an IPO, where control maturity is scrutinised by SEBI, the Audit Committee, and prospective investors

A recent instance of fraud, error, or a near-miss has exposed that a control assumed to exist either does not exist or is not operating as designed

You are preparing for a private equity round, strategic sale, or debt facility where the counterparty's diligence team will test your control environment as part of financial and operational due diligence

Your business has scaled rapidly — new locations, new business lines, or higher transaction volume — and the controls designed for an earlier, smaller stage of the business no longer match current risk

The Board or Audit Committee has asked for independent assurance on the control environment separate from the statutory audit, or CARO 2020 reporting has raised a qualification on internal audit adequacy

When a lighter-touch approach may be more appropriate

A very early-stage startup with minimal transaction volume and no institutional investors — basic financial hygiene and a simple approval workflow may be sufficient until scale or funding triggers a fuller review

A small private company that is statutorily exempt from Section 143(3)(i) IFC reporting (based on the size and other thresholds prescribed under the Companies Act) and has no lender or investor requirement for one

You need routine bookkeeping accuracy checks rather than a control-design evaluation — a monthly accounting review or reconciliation service may address the immediate need more directly

The organisation already has a mature, in-house internal audit function performing continuous control testing — in this case, PNPC's role may be better positioned as an independent quality review of that function rather than a full ground-up control review

The immediate priority is a statutory or tax audit finding, not a control-design question — in that case, the audit engagement itself, not a separate IFC review, is the right starting point

Structure Comparison

Internal Control Review (IFC Evaluation) vs related assurance and advisory engagements

FeatureInternal Control Review / IFC EvaluationStatutory AuditInternal Audit (Outsourced/Co-sourced)Forensic ReviewProcess Re-engineering
Primary objectiveEvaluate design and operating effectiveness of controls over financial reportingExpress opinion on true and fair view of financial statementsOngoing assurance over operations, compliance, and risk on a cyclical basisInvestigate a specific suspected fraud, irregularity, or loss eventRedesign a process for efficiency, with controls as one input
Governing referenceSection 143(3)(i) Companies Act 2013 + ICAI Guidance Note on IFC (COSO-based)Section 139–148 Companies Act 2013, Standards on AuditingSection 138 Companies Act 2013 (where applicable) + Standards on Internal AuditNo single statute — engagement-specific, may feed into legal or regulatory proceedingsNo statutory basis — a management improvement exercise
Mandatory or voluntaryMandatory for companies within Section 143(3)(i) scope; voluntary otherwiseMandatory for all companies under the Companies ActMandatory for specified classes of companies under Section 138 and Rules; voluntary otherwiseVoluntary — triggered by a specific trigger eventVoluntary — a business improvement decision
FrequencyTypically annual, aligned to statutory audit cycle; can be continuous for larger entitiesAnnual, mandatoryContinuous — quarterly or risk-based cyclical coverageOne-time, event-drivenOne-time project, periodically revisited
OutputControl matrix (RCM), deficiency log with severity rating, remediation roadmap, management letterAudit opinion + financial statements + CARO report where applicableInternal audit reports per cycle, presented to Audit CommitteeInvestigation report, evidence trail, quantification of loss, recommendationsRevised SOPs, process maps, efficiency and control recommendations
Who relies on itStatutory auditor (for their own IFC opinion), Board, Audit Committee, investors/lenders in diligenceShareholders, regulators, lenders, public (for listed companies)Audit Committee, Board, managementBoard, legal counsel, sometimes law enforcement or insurersOperations and finance leadership
Typical PNPC engagement basisFixed-fee project, scoped by process and entity coverageStatutory engagement, fee per Companies Act / ICAI normsAnnual retainer or per-cycle feeTime-and-scope fee, engagement letter defines boundariesFixed-fee project

These engagements are complementary, not substitutes for one another — a company may need an IFC evaluation ahead of its statutory audit, an internal audit function for continuous assurance, and a forensic review only if a specific red flag emerges. PNPC scopes each engagement independently based on your regulatory position, size, and risk profile; a scoping conversation is the right first step.

How it works
#Stage & What PNPC DoesWhat Generic Checklists MissTimeline
1Scoping & Entity-Level Risk Assessment — Understanding your business before touching a single controlWe start by understanding your actual risk profile: transaction volume and complexity, number of locations, ERP/accounting system in use, prior audit findings, related-party transactions, and any recent fraud or near-miss incidents. This determines which processes get full walkthroughs versus lighter-touch review — a generic 'test everything equally' approach wastes budget on low-risk areas and under-tests high-risk ones.Week 1
2Process Identification & Materiality MappingWe identify the significant account balances and transaction classes based on your trial balance and business model — typically covering Procure-to-Pay, Order-to-Cash, Record-to-Report (financial close), Payroll, Fixed Assets, Treasury/Banking, and Inventory where applicable — and map which processes are material enough to warrant detailed control testing versus a lighter review.Week 1–2
3Entity-Level Controls (ELC) AssessmentBefore testing any transaction-level control, we assess the control environment itself — tone at the top, delegation of authority matrix, whistleblower mechanism, IT general controls (user access, change management, backup), HR policies, and the Code of Conduct. A weak entity-level environment undermines even well-designed process controls — something checklist-driven reviews frequently skip.Week 2
4Process Walkthroughs — How transactions actually flow, not how the manual says they flowWe sit with the actual process owners — the person who raises a purchase order, the person who approves a payment, the person who posts a journal entry — and walk each transaction cycle end to end. This consistently surfaces gaps between the documented SOP and actual practice: informal workarounds, shared logins, manual overrides of system controls, and approvals happening after the fact rather than before.Week 3–4
5Risk & Control Matrix (RCM) DocumentationFor each process, we document the control objective, the specific risk it addresses, the control activity (preventive or detective), the control owner, the frequency, and whether it is manual, automated, or IT-dependent manual. This RCM becomes the master reference document your statutory auditor will also rely on for their own IFC testing — reducing duplicated effort between PNPC's review and the audit.Week 3–5, run in parallel with walkthroughs
6Design Effectiveness TestingWe assess whether each documented control, if operating as designed, would actually prevent or detect the risk it is meant to address. A control that exists on paper but has a design flaw — for example, an approval limit that has not been updated in years, or a segregation-of-duties gap where the same person can both create and approve a vendor — is flagged here before we even test whether it operated.Week 4–5
7Operating Effectiveness Testing — Sample-based evidence testingFor controls that pass design assessment, we test a sample of actual transactions from the period under review to confirm the control operated consistently — not just once, but throughout the period. Sample sizes are risk-based, following the approach outlined in the ICAI Guidance Note, larger samples for higher-risk, higher-frequency controls.Week 5–7
8Deficiency Identification & Severity RatingEvery gap identified is classified — deficiency, significant deficiency, or material weakness — using the definitions in the ICAI Guidance Note and aligned to how your statutory auditor will classify findings under SA 265. This classification directly affects whether an item needs Audit Committee escalation and whether it could affect the auditor's own IFC opinion.Week 7–8
9Root Cause AnalysisFor each significant deficiency, we go beyond 'the control did not operate' to identify why — inadequate training, system limitation, understaffing, or a genuine design gap. Remediation that addresses the symptom without the root cause tends to recur in the following year's testing, which is a common and avoidable pattern we see in companies that have not had a root-cause-driven review before.Week 8
10Remediation Roadmap & Management Action PlanWe prepare a prioritised remediation plan — what needs to be fixed immediately (material weaknesses), what can be addressed over the next quarter (significant deficiencies), and what is a lower-priority process improvement. Each item is assigned an owner and a target date, so the Audit Committee has a document to track against, not just a list of problems.Week 8–9
11Management Letter & Board / Audit Committee PresentationFindings are presented formally to the Audit Committee or Board, with a walkthrough of the control matrix, the deficiency log, and the remediation plan. We are available to present directly, answer questions, and coordinate messaging with the statutory auditor so there are no surprises when the auditor's own IFC testing concludes.Week 9
12Coordination with Statutory AuditorWe proactively share the RCM and testing evidence with your statutory auditor (with management's consent) to reduce duplicated testing and align on any areas of difference in severity assessment before the audit concludes — this coordination is one of the most valuable and most commonly missing pieces when the IFC review and the statutory audit are run by unconnected parties.Aligned to audit timeline
13Remediation Support & RetestingWhere management requests it, PNPC assists in designing the actual fix — a revised approval workflow, a new reconciliation template, a system configuration change — and retests the control once implemented to confirm the deficiency is closed before the next audit cycle begins.Ongoing, as scoped

A first-time IFC evaluation for a mid-sized company typically takes 8–10 weeks end to end, run in parallel with (and ideally ahead of) the statutory audit fieldwork so findings can be remediated before year-end testing. Subsequent-year reviews are faster, generally 5–6 weeks, since the RCM and process documentation already exist and testing can focus on changes and prior-year remediation follow-up.

Document Checklist
Entity & Governance Documents

Latest Memorandum and Articles of Association, and organisation chart showing reporting lines

Delegation of Authority (DOA) matrix — approval limits by role and transaction type

Board and Audit Committee meeting minutes for the period under review

Code of Conduct, whistleblower policy, and related-party transaction policy

Prior year statutory audit report, CARO report, and any management letter or internal audit report from the previous cycle

List of related-party transactions and Board approvals for the period

Financial & Accounting Records

Trial balance and general ledger for the period under review, at the level of detail needed to identify significant accounts

Chart of accounts and accounting policy manual, if formally documented

Bank reconciliation statements for all operating accounts, for each month in the period

Fixed asset register with additions, disposals, and depreciation schedule

List of all bank accounts, authorised signatories, and current signing limits

Process Documentation (Where They Exist)

Standard Operating Procedures for Procure-to-Pay, Order-to-Cash, Record-to-Report, Payroll, and Treasury cycles

Purchase order, goods receipt, and vendor invoice approval workflow documentation

Sales order, dispatch, and customer invoicing workflow documentation

Month-end and year-end financial close checklist

Access rights matrix for the ERP/accounting system — who can create, approve, and post transactions

IT & Systems Information

Name and version of the ERP or accounting software in use (Tally, SAP, Oracle NetSuite, Zoho Books, or other), and whether it is on-premise or cloud-hosted

User access list with roles and privileges for the accounting/ERP system

IT policy covering password requirements, backup frequency, and change management procedures, if formally documented

List of any system-enforced controls currently configured — three-way match, approval workflows, credit limit blocks

HR & Payroll Records

Employee master list with designation, department, and reporting manager

Payroll processing workflow — from attendance/input to bank disbursement

Sample of employee appointment letters and any variable pay or incentive structure documentation

PF, ESI, and Professional Tax registration details and recent compliance filing status

Sample Transactions & Evidence (Provided During Fieldwork)

A sample of purchase orders, invoices, and payment vouchers selected by PNPC for walkthrough and testing

A sample of sales invoices, credit notes, and customer receipts selected for testing

A sample of journal entries, particularly manual/non-system-generated entries, for review

Physical or system access to observe the actual approval and posting workflow, where practical

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Initial IFC EvaluationCompany crosses Section 143(3)(i) threshold, prepares for IPO, or receives investor/lender requirementFull scoping, entity-level control assessment, process walkthroughs, RCM build, design and operating effectiveness testing, deficiency log, and remediation roadmap — the foundational review that all future cycles build on.Statutory auditor identifies material weaknesses during their own testing with no prior warning to management or the Audit Committee, risking a qualified or adverse IFC opinion and a difficult Audit Committee conversation late in the audit cycle.
Pre-Audit CoordinationStatutory audit fieldwork approachingRCM and testing evidence shared with the statutory auditor (with management consent) to reduce duplicated testing effort and align on severity classification of any findings before audit conclusion.Auditor performs independent, duplicated control testing at additional audit fee and time cost, and any disagreement on severity surfaces for the first time in the auditor's report rather than being resolved earlier.
Deficiency RemediationDeficiencies or significant deficiencies identified in reviewRoot cause analysis, design of the specific fix (revised workflow, system configuration, additional review step), implementation support, and retesting to confirm closure before the next testing cycle.Unremediated deficiencies recur in the following year's review and audit, and repeat findings are viewed unfavourably by the Audit Committee, lenders, and investors as evidence of weak governance discipline.
Annual Refresh CycleEach subsequent financial yearUpdate the RCM for any process changes, new business lines, new locations, or system changes since the prior review; retest controls with updated risk-based sampling; confirm prior-year remediation items are closed and operating.Control matrix becomes stale and no longer reflects actual operations — new risks introduced by business growth go untested until they surface as an actual control failure or fraud event.
Scale / New Business Line TriggerNew location, new ERP system, acquisition, or new product lineExtend the RCM to cover the new process or entity, assess entity-level controls at the new location, and identify any integration gaps — particularly around segregation of duties when headcount is initially thin at a new site.New locations or business lines operate with informal or no controls for an extended period before being brought into the review cycle, during which the exposure to error or fraud is highest.
Fraud or Near-Miss EventSuspected irregularity, unexplained variance, or whistleblower reportImmediate assessment of whether the event indicates a control design gap or an operating failure of an existing control; if warranted, PNPC scopes a focused forensic review as a distinct, separately-scoped engagement.Underlying control gap that allowed the event remains unaddressed, and the same exposure persists for other transactions or other periods, compounding potential loss and audit/regulatory exposure.
Transaction / Diligence TriggerPE investment, acquisition, or credit facility diligencePre-diligence readiness review — anticipate the control questions a counterparty's diligence team will raise, close obvious gaps in advance, and prepare a clean RCM and remediation-status document to present during diligence.Control gaps surface for the first time during counterparty diligence, becoming valuation adjustments, indemnity demands, or delays to closing — at a point where remediation under time pressure is far more costly than a planned review.
Frequently asked
What exactly is an Internal Financial Control (IFC) and how is it different from 'internal controls' generally?

Internal controls, in the general sense, is a broad term covering any policy or procedure a business uses to manage risk — operational, compliance, financial, or strategic. Internal Financial Controls (IFC), as used under the Companies Act 2013, is a narrower, statutorily defined concept focused specifically on controls over financial reporting — the policies and procedures that ensure the orderly and efficient conduct of business, adherence to policies, safeguarding of assets, prevention and detection of fraud and error, accuracy and completeness of accounting records, and timely preparation of reliable financial information, as defined in the Explanation to Section 134(5)(e). The ICAI Guidance Note maps IFC evaluation to the COSO framework's five components.

Practitioner noteWe are frequently asked to do a 'quick internal controls check' when what the client actually needs — because their auditor will be reporting under Section 143(3)(i) — is a properly scoped IFC evaluation against the COSO framework. Getting the scope right at the outset avoids a mismatch between what was reviewed and what the auditor needs to rely on.
Is Internal Financial Controls reporting mandatory for every company?

The statutory auditor's obligation to report on IFC over financial reporting under Section 143(3)(i) applies broadly, but the Companies (Audit and Auditors) Rules, 2014 carve out a specific exemption from this clause for certain categories — including One Person Companies, small companies, and private companies meeting prescribed thresholds on turnover and borrowings. Whether your company is within or outside this exemption depends on your specific financials for the year and should be confirmed with your statutory auditor for the applicable financial year, since the exemption thresholds and criteria are prescribed by rule and can be amended.

Practitioner noteDo not assume exemption based on last year's status — a company that grows past the turnover or borrowing threshold during the year moves into scope for that year's audit. We check this as part of our annual audit planning for every client, not just once.
What is CARO 2020 and how does it relate to internal controls?

The Companies (Auditor's Report) Order, 2020 (CARO 2020) is a separate reporting requirement issued under Section 143(11) that requires statutory auditors of specified classes of companies to comment on a defined list of matters in their audit report — including, among many other clauses, whether the company has an internal audit system commensurate with the size and nature of its business. CARO 2020's internal audit commentary and Section 143(3)(i)'s IFC opinion are related but distinct reporting obligations — a company can have adequate IFC over financial reporting while still needing to strengthen its internal audit function, or vice versa.

Practitioner noteWe map both requirements together during planning so management understands which finding feeds into which paragraph of the auditor's report — clients are often surprised these are two separate clauses with two separate tests.
What is the COSO framework and why does PNPC use it?

COSO (Committee of Sponsoring Organizations of the Treadway Commission) is an internationally recognised internal control framework built around five integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. The ICAI's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting explicitly references COSO (or an equivalent recognised framework) as the basis against which management should evaluate and auditors should assess IFC. Using a recognised framework, rather than an ad hoc checklist, ensures the evaluation is defensible, comprehensive, and directly usable by your statutory auditor.

Practitioner noteSome smaller firms substitute a generic checklist for a proper COSO-mapped evaluation to save time. It usually shows during the statutory audit, when the auditor's own testing does not align with what was 'reviewed' earlier. We map every finding back to the specific COSO component and control objective it addresses.
What is the difference between a deficiency, a significant deficiency, and a material weakness?

These are graded severity classifications used under the ICAI Guidance Note (aligned with Standard on Auditing SA 265 concepts). A deficiency exists when a control is designed, implemented, or operated in a way that does not allow management or employees to prevent or detect misstatements on a timely basis, or when a necessary control is missing. A significant deficiency is a deficiency, or combination of deficiencies, important enough to merit attention by those charged with governance (typically the Audit Committee). A material weakness is a deficiency, or combination of deficiencies, that creates a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis — the most severe classification, and one that can affect the statutory auditor's own IFC opinion.

Practitioner noteWe deliberately grade every finding rather than presenting a flat list of 'issues' — the Audit Committee needs to know which three items require board-level escalation this quarter and which twelve are lower-priority process improvements that can be scheduled over the year.
How long does a full internal control review take?

For a first-time evaluation of a mid-sized company with a handful of significant processes and one or two locations, PNPC typically scopes 8–10 weeks end to end — scoping, entity-level assessment, process walkthroughs, control matrix documentation, design and operating effectiveness testing, deficiency reporting, and remediation planning. Larger, multi-location, or multi-entity groups take longer, scoped based on the number of significant processes and locations in coverage. Subsequent-year reviews, once the control matrix already exists, are typically faster — around 5–6 weeks — since testing can focus on process changes and prior-year remediation follow-up rather than rebuilding documentation from scratch.

Practitioner noteWe recommend starting the IFC review well before statutory audit fieldwork begins — ideally 6–8 weeks ahead — so any material weaknesses identified can be remediated, or at minimum have a credible remediation plan in place, before the auditor forms their own opinion.
What does an Internal Control Review cost?

The fee depends directly on scope — the number of significant processes covered, the number of locations or business units, the complexity of the ERP/IT environment, and whether it is a first-time evaluation (requiring full documentation build) or a subsequent-year refresh (updating an existing control matrix). PNPC provides a written, fixed-fee proposal after an initial scoping conversation, so there is no ambiguity about what is covered before the engagement begins.

Practitioner noteWe deliberately avoid a one-size-fits-all package for this service — a single-location trading company and a multi-plant manufacturing group with an ERP rollout in progress have fundamentally different scopes, and pricing them identically would either overcharge the smaller company or under-scope the larger one.
Who typically needs to commission an internal control review — the CFO, the Audit Committee, or the statutory auditor?

The engagement is typically commissioned by management (often the CFO) or directly by the Audit Committee, as a management or governance initiative — distinct from the statutory audit itself, which is commissioned by shareholders through the auditor appointment process. Some companies with an in-house internal audit function have that function perform the review; others engage an external firm like PNPC either because they lack an internal audit function of sufficient scale, or because they want an independent, external perspective distinct from both internal audit and the statutory auditor.

Practitioner noteWe are sometimes engaged directly by the Audit Committee, separately from management, specifically because the Committee wants a review that reports independently to them rather than through the CFO's office. We are comfortable structuring the engagement and reporting line either way — the mandate should match the governance need.
Can PNPC also be our statutory auditor and perform our internal control review?

Independence requirements under the Companies Act and the ICAI Code of Ethics restrict a statutory auditor from performing certain non-audit services for the same client, and specific restrictions apply depending on the nature and scale of the engagement and the class of company involved. Where PNPC is the statutory auditor for a company, we assess independence requirements carefully before accepting any related internal control review engagement, and in situations where independence rules restrict us from performing both roles for the same entity, we will say so directly rather than take on a conflicted engagement.

Practitioner noteWe would rather lose an engagement than compromise independence — this is a decades-old firm reputation we protect deliberately. If we cannot do both roles for you, we will tell you upfront and, where useful, help you find the right alternative arrangement.
What is a Risk and Control Matrix (RCM) and why does it matter?

A Risk and Control Matrix is the core working document of an IFC evaluation — for each significant process, it lists the specific financial reporting risk, the control activity designed to address that risk, whether the control is preventive or detective, whether it is manual, automated, or IT-dependent manual, the control owner, the frequency of operation, and the testing evidence gathered. The RCM is the document your statutory auditor will most directly rely on when performing their own IFC testing, and it becomes the baseline that subsequent-year reviews update rather than rebuild.

Practitioner noteA well-built RCM is reusable, living documentation — not a one-time deliverable that gets filed away. We hand over the RCM in an editable format specifically so your finance team can maintain and update it as processes change during the year.
What is a walkthrough, and why can't the review just rely on the process manual?

A walkthrough is a step-by-step trace of an actual transaction from initiation through recording in the financial statements, performed by observing the process and interviewing the people who actually perform it — not by reading the documented SOP. Walkthroughs consistently surface gaps between documented procedure and actual practice: a manual says a purchase order requires two approvals, but in practice a shared login means one person effectively approves both stages; a reconciliation is supposed to happen weekly but is actually done once a quarter under time pressure. These gaps are invisible if the review relies only on the written policy.

Practitioner noteThe single most common finding we encounter in first-time reviews is a documented control that has quietly stopped being followed in practice, often because of staff turnover or system changes that were never reflected back into the SOP. Walkthroughs are non-negotiable — a desk review of policy documents alone is not an IFC evaluation.
What is Information Technology General Controls (ITGC) and does PNPC review it as part of an IFC engagement?

IT General Controls are the controls over the IT environment that support the reliable operation of application-level (automated) controls — covering areas like user access management, segregation of duties within the ERP system, change management for system modifications, backup and disaster recovery, and physical/logical security. Where a company's financial processes rely on automated or IT-dependent manual controls (which is the case for nearly every company using an ERP or accounting system), a proper IFC evaluation must assess the underlying ITGC — because an automated control is only as reliable as the IT environment supporting it.

Practitioner noteWe scope ITGC review proportionate to the complexity of the client's IT environment — a company on a simple, well-configured accounting package needs a lighter ITGC review than one running a customised ERP with multiple integrations. We calibrate this at the scoping stage rather than applying a one-size-fits-all IT audit.
What happens after the review — does PNPC just hand over a report, or help fix the gaps too?

The core deliverable is the RCM, the deficiency log with severity ratings, and the remediation roadmap — presented to management and, where relevant, the Audit Committee or Board. Beyond that, PNPC offers remediation support as a separately scoped follow-on engagement: designing the specific fix for a control gap (a revised approval workflow, a new reconciliation template, a system configuration change), assisting implementation, and retesting the control once implemented to confirm the deficiency is closed.

Practitioner noteA report that lists problems without a credible path to fixing them is of limited value to a CFO under time pressure. We structure our engagements so the remediation conversation happens as part of the same relationship, not as a separate sales process months later.
How does sampling work in operating effectiveness testing — do you test every transaction?

No — testing every transaction in every process would be neither practical nor necessary. PNPC applies risk-based sampling consistent with the approach described in the ICAI Guidance Note: sample sizes are calibrated to the frequency of the control (a control operating hundreds of times a month needs a larger sample than one operating monthly), the risk associated with the underlying transaction class, and whether the control is manual (requiring a larger sample to establish consistency) or automated (where testing the system configuration once, plus a smaller sample of transactions, is generally sufficient once the control is confirmed to be functioning as configured).

Practitioner noteClients sometimes expect either '100% testing' or a token handful of samples — neither is right. We explain our sampling rationale for each control category upfront so there is no surprise about what 'tested' actually means when the report is delivered.
We are a private company planning an IPO in the next 2–3 years. Should we start IFC evaluation now?

Yes — this is one of the most common and highest-value triggers for engaging PNPC. SEBI's disclosure and governance expectations for listed companies, combined with heightened Audit Committee, merchant banker, and investor scrutiny during the IPO process, mean that control gaps discovered during IPO readiness diligence are far more costly to fix under time pressure than gaps identified and remediated over one or two review cycles well in advance. Starting 18–24 months ahead allows deficiencies to be remediated and retested before they become a diligence finding.

Practitioner noteWe have seen IPO timelines slip specifically because control remediation — segregation of duties fixes, ERP access clean-up, formalising an informal approval process — takes longer to genuinely embed than founders expect. Two review cycles before the IPO process begins is a realistic minimum runway.
Does a control review cover fraud detection, or is that a separate service?

An internal control review evaluates whether controls that are reasonably designed to prevent or detect fraud and error are in place and operating — for example, segregation of duties, authorisation limits, and reconciliation controls. It is a forward-looking, process-level evaluation, not an investigation into a specific suspected event. If a review or a whistleblower report raises a specific red flag — an unexplained variance, a suspicious vendor relationship, a pattern inconsistent with normal business activity — that warrants a separately scoped forensic review, which follows a different methodology (evidence preservation, targeted investigation techniques, and often legal coordination) distinct from a control-design evaluation.

Practitioner noteWe are explicit with clients about this boundary. If something surfaces during a control review that looks like an actual irregularity rather than a design gap, we pause and recommend a properly scoped forensic engagement rather than trying to investigate it within the control review's methodology and evidentiary standard.
What is segregation of duties and why does it come up in almost every finding?

Segregation of duties is the principle that no single individual should control all key stages of a transaction — initiation, approval, custody of the related asset, and recording in the books. When one person controls multiple stages, the natural cross-check that catches both error and fraud disappears. In smaller and mid-sized Indian companies, segregation of duties gaps are extremely common, particularly in finance teams that have not scaled headcount at the same pace as transaction volume — the same person who creates a vendor in the ERP also approves payments to that vendor, for example.

Practitioner noteWe do not treat every segregation-of-duties gap as equally severe — a small team genuinely cannot achieve textbook segregation everywhere. Where full segregation is not practical due to team size, we recommend compensating controls, typically a second-level review or an independent reconciliation, rather than an unrealistic staffing recommendation.
Our company uses Tally / Zoho Books rather than a large ERP. Is a full IFC evaluation still relevant?

Yes, though the scope and depth of testing will differ. Smaller accounting systems generally have fewer built-in, system-enforced controls than a large ERP (like SAP or Oracle), which means more of the control burden sits on manual review, approval workflows outside the system, and reconciliation discipline. The evaluation approach adapts accordingly — more emphasis on manual control testing and process discipline, proportionately less on system configuration testing — but the underlying COSO framework and the need for a documented RCM apply regardless of which accounting platform you use.

Practitioner noteWe calibrate scope to your actual systems rather than applying a large-ERP-oriented checklist to a Tally-based business, which produces irrelevant findings and an inflated fee for the size of the operation.
What is a management letter and who receives it?

A management letter (sometimes called a report to those charged with governance) is the formal written communication of findings from the internal control review — typically addressed to the CFO or management team, with a summary version presented to the Audit Committee or Board. It documents the scope of the review, the significant deficiencies and material weaknesses identified, management's response to each finding, and the agreed remediation timeline. This is distinct from, though often coordinated with, any management letter your statutory auditor separately issues as part of the audit.

Practitioner noteWe draft the management letter to be genuinely useful as a working document — action items with named owners and dates — rather than a formal but static compliance artefact that gets filed and not acted upon.
How does an internal control review interact with our internal audit function, if we have one?

Where a company already has an in-house or co-sourced internal audit function operating under Section 138, that function typically performs ongoing, cyclical assurance across operational and compliance areas as well as financial controls. An IFC evaluation can either be performed by that internal audit function directly (if it has the requisite expertise in the COSO/IFC methodology) or by an independent external party like PNPC, whose findings then feed into or complement the internal audit's broader risk-based plan. We coordinate scope explicitly with any existing internal audit function to avoid duplicated testing and ensure clear ownership of each control area.

Practitioner noteWe have worked in both models — as the sole reviewer, and as a specialist IFC-and-COSO overlay working alongside a client's existing internal audit team on operational areas. Either works well as long as the division of scope is agreed and documented upfront.
What triggers a company to fall under the internal audit requirement of Section 138?

Section 138 of the Companies Act 2013, read with the Companies (Accounts) Rules 2014, prescribes specific thresholds — based on criteria such as paid-up share capital, turnover, outstanding loans/borrowings, and outstanding deposits — above which every listed company and certain classes of unlisted public companies and private companies are required to appoint an internal auditor. Whether your company currently meets or is approaching these thresholds should be checked against the current Rules for your specific financial figures, since the applicable thresholds are prescribed by rule and should be verified for the relevant year rather than assumed.

Practitioner noteWe check Section 138 applicability as part of our annual compliance review for every corporate client — a company that grows past the threshold mid-year needs to appoint an internal auditor for that year, and this is easy to miss if nobody is actively tracking it against current financials.
Can a small or mid-sized private company request an internal control review even if it is not statutorily required?

Yes, and many do — most commonly ahead of a fundraise, a bank credit facility renewal, or simply as a governance discipline exercise once the founders recognise the business has scaled past the point where informal, trust-based controls are adequate. A voluntary review can be scoped more lightly than a full statutory-grade IFC evaluation if there is no auditor reliance requirement — for example, focused only on the two or three highest-risk processes rather than the full COSO-mapped scope.

Practitioner noteWe regularly scope a lighter 'control health check' for smaller companies that want direction without the full cost of a statutory-grade evaluation — it is a legitimate and common starting point, and can be expanded into a full IFC evaluation later as the company scales.
What are the most common material weaknesses PNPC finds in first-time reviews?

Recurring patterns across first-time reviews include: absence of a formal, board-approved delegation of authority matrix (approvals happening on an informal, unwritten basis); inadequate segregation of duties in the procure-to-pay and payroll cycles; bank reconciliations performed inconsistently or with significant unreconciled items outstanding for extended periods; manual journal entries posted without a documented review and approval trail; and IT user access rights that have not been reviewed since the ERP was first configured, often still granting former employees or over-privileged current employees access well beyond their role.

Practitioner noteNone of these are unusual or reflect poorly on a management team — they are the natural result of a business scaling faster than its back-office processes. The point of the review is to catch and fix them proactively, not to treat their existence as a failure.
Does the review look at fraud risk factors specifically, like the fraud triangle?

As part of the risk assessment component of the COSO framework, we do consider fraud risk factors — incentive/pressure, opportunity, and rationalisation, the three elements of the classic fraud triangle — particularly when assessing entity-level controls like the whistleblower mechanism, the tone at the top, and management override risk. This is a risk-assessment lens applied within the control review, not a full forensic fraud risk assessment, which is typically a more detailed, separately scoped exercise if a company wants a dedicated fraud risk assessment rather than a general control review.

Practitioner noteWe flag areas of elevated fraud risk — for example, concentration of authority in a single individual with no compensating oversight — even where no actual irregularity is suspected, because this is exactly the kind of structural risk that later becomes a real incident if left unaddressed.
What is 'management override of controls' and why is it treated as a distinct risk?

Management override refers to the risk that a person in a position of authority — typically someone senior enough to bypass a control that would stop others — deliberately circumvents an otherwise well-designed control, for example approving a transaction outside normal authorisation limits or instructing an accounting entry that does not reflect the underlying transaction. Standards on Auditing and the COSO framework treat this as a distinct, elevated risk category precisely because a control that relies on the same person it is meant to constrain provides no real protection. We specifically assess whether compensating controls — such as Audit Committee oversight of related-party transactions or a whistleblower channel independent of management — exist to address this risk.

Practitioner noteThis is a sensitive area to raise with founder-led or family-owned businesses, where the person with override capability is often also the majority owner. We frame it factually — as a structural governance question relevant to investors and lenders — rather than as an accusation, which is how it should be understood.
Will the findings from our internal control review be shared with regulators or made public?

No. The internal control review is a private engagement between PNPC and the company (or, where scoped that way, the Audit Committee). Findings are not filed with MCA, SEBI, or any regulator, and are not made public. The exception is your own statutory auditor, with whom we share findings only with management's consent, specifically to support their independent IFC opinion under Section 143(3)(i) — the auditor's own report (which may reference IFC adequacy) is what becomes part of the public financial statements filed with MCA, not PNPC's underlying working papers.

Practitioner noteWe are explicit about this distinction upfront because it is a common source of hesitation — some management teams worry that commissioning a control review creates a paper trail of problems that becomes public. It does not; it is confidential management information unless management chooses to escalate or share it further.
How does PNPC handle a company with multiple locations or subsidiaries?

For multi-location or multi-entity groups, we scope coverage based on materiality and risk — typically prioritising locations or subsidiaries that represent the largest share of consolidated revenue or assets, or that carry elevated risk factors (a newly acquired entity, a location with a recent history of control issues, or one with a thinner finance team). Entity-level controls are assessed at the parent/group level as well as locally, since group-wide policies (delegation of authority, whistleblower mechanism, code of conduct) need to be consistently cascaded and actually followed at each location, not merely exist on paper at head office.

Practitioner noteA very common gap in group structures is a well-designed policy at the parent level that was never properly rolled out, translated for local practice, or enforced at a newly acquired or newly opened location. We test for this specifically rather than assuming group policy equals local practice.
What is the difference between 'preventive' and 'detective' controls, and does it matter which we have?

A preventive control is designed to stop an error or irregularity from occurring in the first place — for example, a system-enforced credit limit that blocks an order exceeding a customer's approved credit. A detective control identifies an error or irregularity after it has occurred — for example, a monthly reconciliation that surfaces a discrepancy. Both are legitimate and necessary; a well-designed control environment uses a mix, since preventive controls alone are rarely sufficient (they can be bypassed or may not cover every scenario) and relying solely on detective controls means errors are caught late, after they may already have caused financial or operational impact.

Practitioner noteA frequent finding is a control environment that is almost entirely detective — heavy reliance on monthly or quarterly reconciliations to catch problems, with very few preventive, system-enforced controls upstream. We flag this balance explicitly since shifting some detective effort to preventive design (tightening system configuration, for instance) is often the most cost-effective remediation available.
Do you provide training for our finance team as part of the engagement?

Control awareness and process-owner training is not a default inclusion in the base IFC evaluation scope, but it is a common and valuable add-on, particularly after significant remediation — helping the process owners who will actually operate a newly redesigned control understand not just the mechanics but the underlying risk it addresses, which improves consistency of operation over time. We can scope this as part of the remediation phase if management wants it.

Practitioner noteControls that process owners understand the purpose of — not just the mechanical steps of — are consistently operated more reliably in our experience than controls imposed without context. We recommend at least a short briefing session for key process owners whenever a control is materially redesigned.
How does PNPC's IFC evaluation differ from what a Big 4 firm would deliver?

The underlying methodology — COSO framework, RCM documentation, design and operating effectiveness testing, severity-graded findings — follows the same recognised professional standards regardless of firm size, since these are set by ICAI guidance and Standards on Auditing, not by firm brand. Where PNPC differentiates is in continuity and accessibility: the same senior CA team that performs your review is available for the remediation conversation afterward, for your statutory audit coordination, and for the following year's refresh — rather than a large engagement team that rotates and requires re-briefing each cycle. We also scope fees proportionate to genuine mid-market company needs, without the overhead structure of a large multinational firm.

Practitioner noteWe have taken on several clients transitioning from a large firm specifically because they wanted a smaller, more senior, more continuous team relationship for a process that genuinely benefits from institutional memory of the business year over year.
What if our statutory auditor disagrees with a severity rating PNPC has assigned to a finding?

This can happen, since professional judgement is inherently involved in severity classification, and the statutory auditor is required to form their own independent opinion regardless of PNPC's assessment. Where this arises, we proactively engage with the auditor to walk through our testing evidence and rationale — often the disagreement resolves once the underlying evidence and context are compared, and where it does not fully resolve, the auditor's opinion is the one that governs the statutory audit report, since that is their independent statutory responsibility, not PNPC's.

Practitioner noteWe would rather have this conversation directly and early with your auditor than have management caught between two conflicting professional opinions with no resolution path. Proactive coordination during the review — not after both reports are finalised — avoids most of these situations entirely.
Can this review help us get better terms on a bank loan or credit facility?

A documented, independently reviewed control environment can support a stronger credit conversation, since lenders assessing larger facilities increasingly factor in governance and control maturity as part of qualitative credit risk assessment, alongside the financial ratios. It is not a guaranteed mechanism for better pricing or terms — that ultimately depends on the lender's own credit policy and your overall financial profile — but a company that can produce a clean RCM and a track record of proactive remediation presents a materially stronger governance picture than one that cannot.

Practitioner noteWe have had clients specifically request an internal control review ahead of a working capital facility renewal, at the relationship manager's suggestion, because the bank's credit committee had asked governance-related questions the client could not immediately answer. Being prepared for that conversation in advance changes its tone considerably.
What is PNPC's approach if we are a UAE-based group with an Indian subsidiary — does the review cover both jurisdictions?

Section 143(3)(i) IFC reporting and the COSO-based methodology described here apply specifically to Indian company law requirements for the Indian entity. For the UAE parent or affiliate entities, control review would follow UAE regulatory and governance expectations rather than the Companies Act 2013 framework — these are distinct regulatory regimes and should not be conflated. With operating offices in Chennai, Bangalore, Hyderabad, and Dubai, PNPC can coordinate a control review across both the Indian subsidiary (under the IFC/COSO methodology described here) and UAE group entities (scoped to UAE-specific requirements) under a single coordinated engagement, so group management gets one consistent view rather than two disconnected reports from separate advisors.

Practitioner noteWe are explicit with India-UAE groups that the Indian subsidiary's IFC obligations are a distinct statutory requirement from anything applicable at the UAE parent level — treating them as the same exercise under one framework would be a factual error we are careful never to make.
How often should the review be refreshed once the initial evaluation is complete?

For companies within the Section 143(3)(i) reporting scope, an annual refresh aligned to the statutory audit cycle is the practical minimum, since the auditor forms a fresh IFC opinion every year and needs current-year evidence, not an evaluation from several years prior. Companies undergoing significant change — a new ERP implementation, a major acquisition, rapid headcount growth, or entry into a new business line — should consider a more frequent, targeted refresh of the specific affected processes rather than waiting for the next annual cycle, since these events are exactly when control gaps are most likely to be introduced.

Practitioner noteWe build the annual refresh into our retainer relationships with corporate clients specifically so it becomes a routine part of the audit calendar rather than a decision that has to be re-justified and re-scoped from scratch every single year.
Does PNPC only work with companies that already have an Audit Committee, or can you support smaller boards too?

An Audit Committee is only mandatory under the Companies Act for specified classes of listed and larger public companies; the majority of private companies PNPC works with do not have one and are not required to. For those companies, findings and the remediation roadmap are presented directly to the Board or to the promoter-management team, structured with the same rigour and severity grading as a formal Audit Committee presentation, simply addressed to whichever governance body actually exists and makes decisions in your company.

Practitioner noteThe absence of a formal Audit Committee does not mean control discipline is unimportant — if anything, in a founder-managed company without that additional layer of independent oversight, a periodic external control review does some of the work an Audit Committee would otherwise provide.
What is a control self-assessment (CSA) and does PNPC use it as part of the methodology?

A Control Self-Assessment is a technique where process owners themselves evaluate and document the effectiveness of the controls they operate, typically using a structured questionnaire, before or alongside an independent review. PNPC sometimes uses a light CSA exercise as an efficient way to gather initial process information and surface areas the process owner themselves already recognises as weak — but a CSA on its own is not a substitute for independent walkthrough and testing, since self-assessed control effectiveness tends to be more favourable than what independent testing subsequently confirms, a well-documented bias in practice.

Practitioner noteWe use CSA as a useful starting input, never as the sole basis for a conclusion — every control rated 'effective' in a self-assessment still goes through independent walkthrough and sample testing before we rely on that rating in our own reporting.
Why PNPC Global

PNPC Internal Control Review vs typical alternatives

What You NeedGeneric Checklist / Template ServiceLarge Multinational FirmIn-House OnlyPNPC Global
COSO-based methodology aligned to ICAI Guidance NoteRarely — often a generic checklist unrelated to COSOYes, but delivered by a large, rotating engagement teamDepends entirely on in-house expertise and bandwidthYes — every review mapped to COSO components and ICAI Guidance Note
Actual process walkthroughs, not desk review of policy documentsNo — typically a document review onlyYes, standard practiceVaries — often skipped under time pressureYes — walkthroughs are non-negotiable in every engagement
Coordination with your statutory auditor to avoid duplicated testingNo structured coordinationSometimes, if same firm; complicated if different firmAd hoc, depends on relationshipYes — proactive, structured coordination with your auditor regardless of who they are
Remediation support, not just a findings reportRarely includedAvailable, often as a separate, costly engagementDepends on internal capacity to design fixesIncluded as a scoped follow-on — same senior team, no re-briefing
Continuity — same senior team year over yearNo relationship continuityEngagement teams frequently rotateN/ASame senior CA team across review cycles
Fee proportionate to mid-market company sizeLow cost but low assurance valuePremium pricing, often disproportionate for mid-market scopeNo external fee, but real internal cost and expertise gapFixed, scoped fee proportionate to your actual size and risk
India-UAE cross-border coordinationNot applicablePossible through international network, but often loses context in handoffNot applicable unless in-house team spans bothDirect — Chennai/Bangalore/Hyderabad/Dubai offices, one coordinated engagement

What the PNPC package includes

  1. 01

    Entity-level control assessment covering governance, delegation of authority, IT general controls, and whistleblower mechanism

  2. 02

    Process walkthroughs for all significant financial reporting cycles — Procure-to-Pay, Order-to-Cash, Record-to-Report, Payroll, Fixed Assets, Treasury

  3. 03

    Risk and Control Matrix (RCM) documentation, delivered in an editable format for ongoing use by your finance team

  4. 04

    Design effectiveness assessment for every documented control

  5. 05

    Risk-based operating effectiveness testing with sample-based evidence

  6. 06

    Deficiency log with severity grading — deficiency, significant deficiency, material weakness — consistent with ICAI Guidance Note definitions

  7. 07

    Root cause analysis for every significant deficiency, not just a description of the symptom

  8. 08

    Prioritised remediation roadmap with named owners and target dates

  9. 09

    Formal management letter and, where relevant, a direct presentation to your Audit Committee or Board

  10. 10

    Proactive coordination with your statutory auditor to align on findings and reduce duplicated testing

  11. 11

    Optional remediation implementation support and control retesting once fixes are in place

Talk to a senior PNPC CA about scoping your Internal Financial Controls evaluation before your next statutory audit cycle — not after your auditor raises a finding you did not see coming.

← Back to Risk Advisory
Talk to a CA