ICFR for first-time IPO-bound companies: the 90-day prep checklist

Every IPO-bound founder team we work with hits the same wall in roughly the same week. The merchant banker asks for the draft of management's certification on internal financial controls. The statutory auditor asks for the IFC testing population. The independent director asks who is going to sign the Section 134 statement and what evidence sits behind it. The CFO realises that what the company has — an annual statutory audit, a credit policy, and a vendor list — is not what is being asked for.

What is being asked for is ICFR: a documented universe of processes, identified controls within each process, a test of those controls operating over a reporting period, a remediated set of deficiencies, and a board-level certification supported by evidence the auditor can sign off on. None of that exists by accident. It exists because someone scoped it, built it, tested it, and remediated it.

The companies that come to us with twelve months of runway before filing are usually fine. The companies that come to us with three months are not. Most companies come to us with three months.

What ICFR actually covers

ICFR sits at the intersection of three Indian regulatory requirements. Section 134(5)(e) of the Companies Act 2013 requires management of every listed company to lay down internal financial controls and confirm in the directors' report that they are adequate and operating effectively. Section 143(3)(i) requires the statutory auditor to report separately on those controls. SEBI ICDR Regulation 16 brings the same expectation into the IPO process — the offer document carries management's certification, and the auditor's IFC report is part of the financial statement package.

The framework is principles-based. There is no PCAOB-equivalent prescription on how many controls, what depth of testing, or what materiality threshold applies. ICAI's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (2015, updated) is the operating reference for both management and the auditor.

In practice, ICFR for a mid-size IPO-bound company means documenting 15 to 20 processes, identifying 300 to 500 controls across them, testing a sample of each, and remediating deficiencies before the financial year in which the IPO is filed begins.

Why most companies start too late

Two reasons, both predictable.

First, ICFR work feels like compliance overhead during a period when the company is sprinting toward operating milestones — revenue, gross margin, customer logos, geographic expansion. The CFO and the audit committee both treat ICFR as something that can wait until the merchant banker is engaged. By the time the merchant banker is engaged, the company is six months from filing, and ICFR work is now on the critical path.

Second, the scale of the work is under-estimated. Process documentation alone, for a 15-process universe, takes a focused team eight to ten weeks if the documentation does not already exist. Control identification adds another three weeks. Testing requires a clean reporting period — usually a calendar quarter — to give the auditor enough population to sample. Remediation can stretch four to twelve weeks depending on the severity of deficiencies. Compress all of this into 90 days and something gives, usually the quality of evidence.

The 15-process universe

The starting point of any ICFR engagement is the process universe. The 15 processes that almost always make it onto an Indian listed company's ICFR map:

Revenue (order-to-cash), Procure-to-Pay, Inventory, Fixed Assets, Payroll, Treasury and cash management, Borrowings and debt covenants, Tax (direct and indirect), ESOP and equity, Financial close and consolidation, Financial reporting and disclosures, IT General Controls, Application controls within the ERP, Statutory compliances, and Related-party transactions.

Specific businesses add to this list. A manufacturer adds Costing and BOM. A SaaS firm adds Subscription billing and Revenue recognition under Ind-AS 115. An NBFC adds Loan origination, Collections, and ECL computation. A pharma firm adds R&D capitalisation and regulatory filings. The base 15 are the floor, not the ceiling.

The 90-day plan

What follows is the plan we run when the company has 90 days before the filing window opens, and ICFR has not been built. It is tight. It assumes the CFO can dedicate a finance director full-time to the engagement, and that the audit committee chair is available for a weekly review.

Days 1 to 15: process documentation

Map every in-scope process end-to-end. For each process, document the activities, the systems involved, the data inputs and outputs, the roles performing each activity, and the points at which a control is applied or is supposed to be applied. The deliverable is a process narrative supported by a flowchart, for each of the 15 processes.

Use the process owners for the documentation, not consultants. The CFO's finance team is too thin to write this in two weeks. The process owner — the head of supply chain for procurement, the head of sales operations for revenue, the IT director for ITGC — has the operational detail. The consultants' job is to challenge the narrative and force it into a usable shape.

Days 16 to 30: control identification and the RCM

From the process narratives, identify the controls. A Risk and Control Matrix (RCM) for each process lists the risks, the controls mitigating each risk, the control owner, the frequency, the type (preventive or detective, manual or automated), and the financial statement assertion the control addresses (existence, completeness, valuation, rights and obligations, presentation).

Expect 20 to 35 controls per process. For a 15-process universe that is 300 to 525 controls. Many of these are entity-level controls that span multiple processes (segregation of duties, approval matrix, period-end close calendar). Some are application controls embedded in the ERP. Some are manual reconciliations performed monthly.

The mistake most companies make at this stage is identifying too many controls. Every activity is not a control. A control is something that, if it failed, would result in a material financial statement error. If you cannot articulate the failure scenario in one sentence, it is probably not a control. It is an operating step. Strip the RCM down to the controls that actually matter.

Days 31 to 60: testing

Pick a clean reporting period — typically the most recently closed quarter — and test the controls. For each control, sample a population, perform the test, document the result, and conclude on operating effectiveness.

Sample sizes follow the AICPA-and-ICAI convention. For controls that operate many times per day (e.g., three-way match on invoices), sample 25 to 60 transactions depending on frequency. For monthly controls (e.g., bank reconciliation review), sample two or three months. For quarterly controls, test the full population.

Document the test, the evidence reviewed, the conclusion, and any deficiencies identified. The documentation is what the auditor will read. If a test is not documented, it did not happen.

Days 61 to 75: deficiency assessment and remediation

Every ICFR test will surface deficiencies. The question is whether they are control deficiencies, significant deficiencies, or material weaknesses. The categorisation drives the remediation plan and the management certification language.

Control deficiency is a single failure with limited financial-statement implication. Remediate by retraining the control operator and re-testing.

Significant deficiency is a failure that, individually or in aggregate, could result in a misstatement that is more than inconsequential but less than material. Remediate before the certification period and document the remediation evidence.

Material weakness is a failure that creates a reasonable possibility of a material misstatement not being prevented or detected. A material weakness has to be disclosed in the directors' report. For an IPO-bound company, a material weakness in the financial statement period being filed is a structural problem with the offer document.

Most companies in the first ICFR cycle have between 8 and 20 significant deficiencies. We have not seen a company finish its first ICFR cycle with zero. The remediation work is concentrated in IT general controls, related-party transaction documentation, segregation of duties in the ERP, and period-end close discipline.

Days 76 to 90: management certification and auditor handoff

Draft the Section 134 certification, supported by the RCM evidence file, the testing documentation, the deficiency log, and the remediation evidence. Walk the audit committee through it. Hand it to the statutory auditor for the Section 143(3)(i) report.

The auditor will retest a sample of the controls and may identify deficiencies the company's testing did not surface. Build in a two-week buffer for auditor queries.

What we tell first-time CFOs

Three things, before the engagement starts.

First, ICFR is not a project. It is an operating system that has to continue running after the IPO. Build the documentation and the testing cadence so the second-year cycle is a refresh, not a rebuild.

Second, the audit committee chair has to be a working partner, not a quarterly attendee. The chair is signing the certification alongside management. They need to know what the deficiency log looks like, what the remediation plan is, and where the residual risks sit.

Third, ITGC and segregation of duties are where most first-cycle deficiencies cluster. Plan for an IT access review and a role redesign in the ERP. This is often the single longest line item in the remediation plan.

The question for the CFO is not whether the company can pass ICFR. It is whether the company can pass ICFR with the evidence file the auditor expects, in the time available, without surfacing a material weakness in the disclosure document. The gap between those two is where most engagements end up.

The cost of starting late

We have seen two patterns when a company arrives with less than 90 days. First, the company files with a qualified IFC report from the auditor. This is survivable but it creates a question in the offer document that institutional investors will read carefully. Second, the company defers the filing by a quarter or two to clean up the ICFR work. The deferral is more common than the qualification, and it is usually the right answer.

The companies that arrive twelve months early are not doing anything more sophisticated than the companies that arrive three months early. They are doing the same work, in the right order, with enough time for the auditor to test and for management to remediate. That is the entire difference.