
SOX-like controls in Indian listed companies: where US framework diverges
Indian listed companies with ADR exposure run dual control frameworks — SOX 404 for US filings and IFC under the Companies Act for India. Most of the work overlaps. The differences are where the engagement effort sits.
There is a finite set of Indian companies that operate under two control frameworks simultaneously: Infosys, Wipro, HDFC, ICICI Bank, Dr Reddy's, Tata Motors, and a handful of others. They are listed in India and also have US-listed securities, American Depositary Receipts or otherwise, which bring them within the scope of Sarbanes-Oxley Section 404. They must also comply with the Internal Financial Controls regime under Section 134 of the Companies Act 2013.
The two frameworks ask for similar things. Both require management to assess internal controls over financial reporting and the external auditor to attest. Both produce a documented control universe, a tested control set, a deficiency register, and a management certification. To an observer, the deliverables look almost identical.
The differences are in the framework specifics — the prescription, the public disclosure, the documentation depth, the materiality calibration. For the dual-listed company, navigating both is a budget item and an operating challenge. For the India-only listed company looking to add a US listing later, understanding the differences before the SOX scope expands is the planning work that prevents a chaotic year of remediation.
What SOX 404 actually requires
Sarbanes-Oxley Section 404 has two sub-sections. Section 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR). Section 404(b) requires the external auditor to express an opinion on management's assessment.
The framework is the PCAOB's Auditing Standard 5 (AS5), which prescribes how the auditor evaluates internal controls. The control framework for the management assessment is typically COSO 2013.
The output: the company's annual report on Form 20-F (for foreign private issuers) or 10-K contains a management report on ICFR with a conclusion of 'effective' or 'not effective', plus the auditor's separate attestation report.
What India's IFC regime requires
Section 134(5)(e) of the Companies Act 2013 requires the directors' report of every listed company to state that the directors have laid down internal financial controls to be followed, and that those controls are adequate and operating effectively.
Section 143(3)(i) requires the statutory auditor to report separately on the adequacy and operating effectiveness of the internal financial controls.
The control framework is principles-based, with ICAI's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (issued 2015 and subsequently updated) serving as the operating reference for both management and the auditor.
Where the two converge
Most of the work overlaps.
Both require a documented universe of processes and entity-level controls. Both require risk assessment, control identification, testing, deficiency evaluation, and remediation. Both produce a management certification and an auditor opinion. Both target the same underlying objective: confidence that the financial statements are not materially misstated due to control failures.
A company that runs a quality IFC programme has done 70 to 80% of the work required for SOX 404. The structural elements — the RCM, the testing population, the deficiency framework — are reusable.
Where the two diverge
Six specific differences matter for execution.
One: prescriptive depth of testing
SOX, through PCAOB AS5, is more prescriptive about how testing is performed. Sample sizes, test of operating effectiveness procedures, evaluation of design effectiveness, walkthroughs at the start of every annual cycle — these are detailed in the standard and are expected by the PCAOB-inspected auditor.
India's IFC framework is principles-based. The Guidance Note describes the approach without prescribing sample sizes or specific testing procedures. The auditor exercises professional judgement.
The practical implication: SOX testing produces more documentation per control. For a company with 400 controls, the SOX evidence file is significantly larger than the IFC evidence file. Companies running both frameworks usually adopt the SOX testing approach as the higher standard and use the same documentation for both regimes.
Two: public disclosure of scope and testing
SOX requires public disclosure of the scope of management's assessment, including which subsidiaries and business units were included or excluded, and the basis for exclusion. The auditor's report describes the testing approach in summary.
India's IFC report is less prescriptive about scope disclosure. The directors' report contains the conclusion; the auditor's separate report contains the opinion. Detailed scope and testing description is not required to be public.
For an India-listed-only company, the lower public disclosure threshold is a benefit. For an ADR-listed company, the SOX disclosure obligation is paramount, and the IFC disclosure follows.
Three: definition and treatment of material weakness
Both frameworks use the concept of material weakness. SOX defines it more precisely: a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.
When a SOX-reporting company identifies a material weakness, the conclusion of the management report and the auditor's report becomes 'not effective', and this is publicly disclosed in the 20-F or 10-K. The reputational and stock-price impact has historically been significant.
India's IFC framework does not require a 'not effective' conclusion if remediation is ongoing. The disclosure standard in the directors' report is more flexible, and the wording is typically negotiated between management and the auditor. A material weakness can be disclosed without the binary 'effective versus not effective' framing.
The implication for dual-listed companies: a finding that would force a 'not effective' SOX conclusion has to be disclosed in the 20-F, even if the equivalent IFC disclosure could be softer. The two regimes do not let the company pick the softer disclosure.
Four: walkthrough requirements
SOX, through AS5, expects the external auditor to perform a walkthrough of each major class of transactions in each annual cycle. The walkthrough confirms the auditor's understanding of the process and the control points.
IFC under the ICAI Guidance Note does not require an annual walkthrough as a standalone procedure; the auditor's understanding of the process can be carried forward across years with updates for changes.
The implication: for a SOX engagement, the auditor's annual walkthrough is a workload item that has to be planned and managed. For an IFC-only engagement, the walkthroughs are typically performed in the first year and updated thereafter.
Five: COSO 2013 vs principles-based framework
SOX-compliant companies almost universally use COSO 2013 as the underlying control framework. COSO 2013 has 17 principles across 5 components — control environment, risk assessment, control activities, information and communication, monitoring activities — and the management assessment maps controls to principles.
IFC under Indian standards does not mandate COSO. The Guidance Note refers to ICAI's framework for evaluation of internal controls, which is broadly principles-aligned but not identical to COSO. Many large Indian companies adopt COSO voluntarily because it is more rigorous, but the choice is not regulatory.
Dual-listed companies adopt COSO 2013 for both frameworks because COSO satisfies SOX and is acceptable for IFC. India-listed-only companies have the choice; smaller listed companies often use the ICAI framework directly.
Six: financial statement and process scope
SOX scopes ICFR over financial reporting in the formal sense — controls relevant to producing financial statements that comply with US GAAP or IFRS (depending on the filer's reporting framework). The scope is anchored to the financial reporting objective.
IFC has a broader scope. The Companies Act language refers to 'internal financial controls' generally, which the ICAI Guidance Note interprets as covering not only financial reporting but also operational and compliance controls relevant to safeguarding assets, preventing fraud, and ensuring orderly conduct of business.
The practical implication: IFC scope is broader than SOX scope. A company running both regimes typically scopes SOX narrowly (financial reporting controls) and IFC more broadly (financial reporting + operational + compliance). The IFC RCM has more controls than the SOX RCM.
What dual-framework companies actually do
From observation of the publicly disclosed reports of Infosys, Wipro, and HDFC, the operating pattern is consistent.
Single RCM, dual scope. One Risk and Control Matrix that includes all controls. A scope-flag indicates which controls are in SOX scope (the financial reporting subset) and which are IFC-only (the broader operational and compliance set).
SOX-level testing depth, IFC-level scope. Testing is performed to the more rigorous SOX standard, but applied across the broader IFC scope. The SOX-in-scope controls are documented to the PCAOB expectation; the IFC-only controls are documented to a lighter but still rigorous standard.
COSO 2013 as the unified framework. Both regimes use COSO. The control environment, risk assessment, and monitoring components serve both.
Coordinated remediation. A deficiency identified in either regime is tracked in the same register. Remediation is prioritised against the harder disclosure standard, which is usually SOX.
What India-only companies sometimes get wrong
Two patterns we have seen.
Adopting SOX-level testing without the corresponding management framework. Some Indian companies, particularly those aspiring to a future US listing, implement SOX-style testing depth without first building the management oversight framework that SOX assumes. The result is a heavy testing programme that does not produce a useful management certification, because the certification framework was not built.
Treating IFC as a checkbox. The opposite pattern. The directors' report contains the IFC certification language, but the underlying RCM, testing, and deficiency tracking are perfunctory. This passes the immediate audit cycle but creates problems if the company later acquires US listing or is acquired by a SOX-reporting entity.
What we recommend
Three things.
For pure India-listed companies with no US listing plans: run IFC rigorously, using COSO 2013 as the underlying framework even though it is not mandated. The investment in COSO discipline pays off across multiple dimensions, including ICFR for IPO-bound subsidiaries and PE diligence readiness.
For India-listed companies planning a US listing within 24 months: start the SOX uplift now. The runway to SOX-readiness from a quality IFC programme is 12 to 18 months. From a perfunctory IFC programme it is 24 to 36 months. The lead time matters.
For dual-listed companies: unify the RCM, use COSO 2013, apply SOX-level testing depth, and coordinate remediation. The cost saving from running one programme that satisfies both regimes is material.
The two frameworks are not in conflict. They are differently calibrated views of the same underlying objective. The work of running both well is mostly the work of running one well, with the documentation depth and disclosure discipline tuned to the harder standard.