Audit execution · 12 February 2026 · 1,494 words · 10 min read

IFC testing: what the auditor will actually test and what they'll skip

Section 143(3)(i) requires the auditor to opine on internal financial controls. Eighty percent of the time goes into design walkthroughs. The 20 percent on operating effectiveness is where opinions actually form.

Written by CA Abhishek Gupta, Partner · Nucleus Advisors

Internal Financial Controls (IFC) reporting under Section 143(3)(i) of the Companies Act has been mandatory for Indian companies for nearly a decade. The auditor is required to opine on whether the company has adequate internal financial controls with reference to financial statements and whether those controls were operating effectively during the year.

The opinion is binary. Either the controls are adequate and operating, or they are not. The audit work behind that opinion is structured, but most CFOs we work with have never been given a clear view of what the auditor is actually doing — and skipping — to reach it.

The framework

IFC reporting in India is mapped to the COSO framework. Five components: control environment, risk assessment, control activities, information and communication, monitoring. Each component has principles underneath it — 17 in total under the 2013 COSO framework.

Indian auditors test IFC under the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting issued by ICAI in 2014. The guidance note tracks the AICPA's AS 5 standard fairly closely, with adjustments for the Indian regulatory context.

The audit work happens at two levels — entity-level controls and process-level controls.

Entity-level controls

Entity-level controls are the controls that operate company-wide. They are not specific to a process. They include the tone-from-the-top, the board's oversight of financial reporting, the code of conduct, whistleblower mechanisms, the risk-management framework, the budgeting and forecasting process, period-end financial reporting close controls, and the company's overall control consciousness.

Entity-level control testing is largely interview-based. The auditor talks to the CFO, the head of internal audit, the audit committee chair, and other senior people. Documentation comes from board minutes, audit committee minutes, the risk register, the internal audit annual plan and findings, and the financial-reporting close calendar.

This part of the audit is often perceived by management as light. It feels like a conversation, not testing. The documentation lands as memos rather than spreadsheets. But entity-level conclusions matter — if the auditor concludes that the control environment is weak, the level of process-level testing increases significantly. A strong entity-level conclusion can reduce the depth of process-level work.

Process-level controls

The substantive work happens at the process level. The auditor identifies the significant business processes for the company — typically revenue, procurement to pay, payroll, treasury, inventory and fixed assets, taxation, and financial close — and works through each one.

For each process, the auditor performs four steps.

Walkthrough. A single transaction is traced from initiation to financial-statement effect. The auditor confirms how the process is supposed to work and whether the documentation matches.

Identification of key controls. Out of all the activities in the process, the auditor identifies which ones are the key controls — the controls that address material risks. For a typical revenue process there might be 30 activities and 10 key controls. The rest are documented but not separately tested.

Design assessment. For each key control, the auditor evaluates whether the design of the control is adequate to address the risk. A control that requires manager approval for invoices over ₹5 lakh, where the manager has no visibility into the supporting documentation, has a design weakness regardless of whether the approval was given.

Operating effectiveness testing. For each key control where the design is adequate, the auditor selects a sample of instances where the control should have operated and tests whether it did. Sample sizes depend on the frequency of the control. A monthly control is typically tested for 2-3 months. A daily control for 25-40 instances.

Where the 80/20 happens

Across an IFC audit, roughly 80% of the time goes into design walkthroughs and only 20% into operating-effectiveness testing.

This surprises management when we explain it. The intuition is that the audit should spend most of its time on testing whether controls actually worked. The reality is that the audit team has to first understand what the controls are, identify which are key, and confirm the design. That understanding takes weeks. Once it is in place, operating-effectiveness testing is mechanical — pull samples, check evidence, document results.

The implication for management is that the audit's view of the company's controls is largely formed during the walkthrough phase, not during testing. If the walkthroughs reveal that the company does not actually have certain controls that the documentation suggests it has, the audit conclusions are set before testing begins.

What auditors test

The key controls that get tested in most Indian audits cluster around a predictable list.

Revenue. Customer master maintenance with segregation between credit-approval and order-booking. Order-to-invoice match. Invoice approval workflow. Credit-note approval matrix. Reconciliation of revenue from sub-ledger to general ledger. Bad-debt provisioning and write-off approvals.

Procurement to pay. Vendor master maintenance with KYC documentation. Purchase requisition approval matrix. Three-way match (PO, GRN, invoice). Payment approval authorities. Vendor reconciliations. Duplicate-payment controls.

Payroll. Master-data changes (joiner, leaver, salary revision) with HR and finance segregation. Approval of monthly payroll. TDS calculation and deposit. Reconciliation of payroll cost to general ledger.

Treasury. Bank reconciliations (monthly). FD investment authorization. Maker-checker controls on payment release. Foreign currency hedging approvals where applicable.

Financial close and reporting. Trial-balance review controls. Journal-entry approval — particularly for non-recurring entries. Reconciliations between sub-ledgers and the general ledger. Provision and accrual review controls. Disclosure-checklist controls.

Information technology general controls (ITGC). Access management for the ERP. Change management for system changes. IT operations covering backups and recovery. ITGC failure has a multiplier effect — if the underlying system controls are weak, every application-level control sitting on the system is undermined.

What auditors skip

IFC audits skip operational controls that do not directly affect financial reporting. The control over a marketing-team budget approval is not an IFC matter unless the marketing spend is material to the financial statements and material misstatement risk exists there. The control over employee attendance is not an IFC matter except where attendance feeds into payroll cost or revenue calculation.

Auditors also skip the testing of low-risk controls that have many compensating controls. A daily cash count in a single petty-cash drawer with a ₹50,000 limit is a control, but no auditor will spend testing time on it.

Operating-effectiveness testing is risk-weighted. Controls in revenue and treasury are tested more heavily. Controls in lower-risk areas may be tested with smaller samples or, in some cases, only the design is confirmed.

Common deficiencies

Three deficiencies surface repeatedly in Indian IFC audits.

Segregation of duties. Same person can initiate a payment and approve it. Same person maintains the vendor master and approves vendor invoices. Same person posts journal entries and reviews trial balances. SOD failures are particularly common in growing companies where headcount lags transaction growth.

Journal-entry controls. Non-recurring journal entries — provisions, reclassifications, fair-value adjustments — are posted by senior finance team members without an approval workflow. Under IFC, journal entries, especially at period-end, need an approval trail.

ITGC weaknesses. Access to the ERP is granted broadly. Privileged user activity is not logged or reviewed. System changes are made without a change-management process. ITGC weaknesses cascade through every other process control because the system is the control's enforcement mechanism.
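The segregation-of-duties conflicts listed above can be checked before the auditor arrives. The sketch below is an added example, not part of the original article or any audit firm's tooling: it flags users who hold both sides of a conflicting duty pair in an access export, and payments where the maker-checker control did not operate. The duty labels, user names and record layout are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Conflicting duty pairs from the article's SoD examples; the labels are hypothetical.
CONFLICTS = [
    ("payment.initiate", "payment.approve"),
    ("vendor_master.maintain", "vendor_invoice.approve"),
    ("journal.post", "trial_balance.review"),
]

# Constructed sample data: (user, duty) rows as an ERP access export might list them.
ASSIGNMENTS = [
    ("asha", "payment.initiate"), ("asha", "payment.approve"),
    ("ravi", "vendor_master.maintain"), ("meera", "vendor_invoice.approve"),
    ("ravi", "journal.post"), ("ravi", "trial_balance.review"),
    ("meera", "payment.approve"),
]

# Constructed sample data: payment log with maker and checker per payment.
PAYMENTS = [
    {"id": "P-001", "initiated_by": "asha", "approved_by": "meera"},
    {"id": "P-002", "initiated_by": "asha", "approved_by": "asha"},
    {"id": "P-003", "initiated_by": "asha", "approved_by": None},
]

def access_conflicts(assignments, conflicts=CONFLICTS):
    """Return sorted (user, duty_a, duty_b) for users holding both sides of a pair."""
    duties = defaultdict(set)
    for user, duty in assignments:
        duties[user].add(duty)
    return sorted(
        (user, a, b)
        for user, held in duties.items()
        for a, b in conflicts
        if a in held and b in held
    )

def maker_checker_exceptions(payments):
    """Return (payment id, reason) where the approval control did not operate."""
    out = []
    for p in payments:
        if not p["approved_by"]:
            out.append((p["id"], "no approver recorded"))
        elif p["approved_by"] == p["initiated_by"]:
            out.append((p["id"], "initiator approved own payment"))
    return out

if __name__ == "__main__":
    print(access_conflicts(ASSIGNMENTS))
    print(maker_checker_exceptions(PAYMENTS))
```

The first function tests design (who could bypass the control); the second tests operation (where it was actually bypassed), which mirrors the design versus operating-effectiveness split described earlier.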

The IFC opinion

If the audit identifies material weaknesses, the IFC opinion gets modified. A 'material weakness' is a deficiency or combination of deficiencies in IFC such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.

Material weaknesses go into the audit report and the disclosure has visible commercial consequences. Investors read them. Acquirers read them. Lenders read them. For listed companies, the disclosure is on the public record.

The way to avoid a material-weakness disclosure is to remediate identified deficiencies before the audit concludes. The auditor's report covers the year. If a control deficiency existed during the year but was remediated before the report date, the auditor will document the deficiency and the remediation, but the opinion can still be unmodified provided the remediation is solid and the timing is reasonable.

What CFOs should ask their auditor about IFC

Before fieldwork, ask for the auditor's IFC scoping memo. The memo identifies the processes the auditor considers significant, the key controls within each process, and the audit's planned approach (design walkthrough plus operating-effectiveness testing, or design walkthrough only).

Read the memo. If a process you consider material is missing, raise it. If key controls you rely on are not on the list, raise it. The scoping memo is the auditor's view of your control environment as of the start of the audit. If it differs from your view, that is itself a sign that your control documentation and the auditor's understanding are out of alignment.

Finally, ask for the list of likely IFC deficiencies the auditor expects to identify based on prior years and current observations. Most audit firms will share a working draft halfway through fieldwork. Remediate what you can in the time remaining. The deficiencies that get remediated before year-end do not become disclosures. The ones that linger to the report date do.

References

  1. Companies Act Section 143(3)(i) — IFC reporting
  2. ICAI — Guidance Note on Audit of Internal Financial Controls Over Financial Reporting
