ICFR Audit and IFC Support Services – N D Savla & Associates

ICFR Audit & IFC Support Services – Section 134(5)(e) and 143(3)(i) Compliance, COSO Framework, RCM Design & TOD / TOE Testing

ICFR audit and IFC support together meet the Companies Act 2013's mandate for robust internal financial controls. Section 134(5)(e) requires the Director's Responsibility Statement to confirm that internal financial controls are adequate and operating effectively, and Section 143(3)(i) requires the statutory auditor to report on ICFR adequacy and operating effectiveness. Every covered company must build, document, test, and report on its IFC system each year.

End-to-End ICFR Audit & IFC Implementation

N D Savla & Associates handles complete ICFR audit and IFC support engagements for listed companies, large private companies, public companies, and group entities across Maharashtra and pan-India. We design Risk Control Matrices (RCMs), conduct Test of Design (TOD) and Test of Operating Effectiveness (TOE), document deficiencies across the three-tier ICAI framework, and certify compliance for management and statutory auditors.

Our service connects with our Statutory Audit, Internal Audit, Tax Health Check, and Business Tax Filing practices.

The ICFR & IFC Statutory Framework

Four Companies Act provisions, the ICAI Guidance Note, and the COSO 2013 framework together build the ICFR architecture in India. The framework involves multiple layers of corporate governance accountability — Board, Audit Committee, independent directors, and statutory auditor each carry distinct ICFR responsibilities:

  • Section 134(5)(e) — Director's Responsibility Statement on adequacy and operating effectiveness of internal financial controls
  • Section 143(3)(i) — statutory auditor's certification on ICFR adequacy and operating effectiveness
  • Section 177(4)(vii) — Audit Committee oversight responsibility over internal financial controls
  • Schedule IV — independent directors' duty to verify the integrity of financial information
  • ICAI Guidance Note — Audit of Internal Financial Controls Over Financial Reporting (September 2015, revised) — the technical standard
  • COSO 2013 framework — five components and seventeen principles forming the design backbone for every ICFR engagement
  • MCA notification GSR 583(E) dated 13 June 2017 — the private company exemption framework

IFC and ICFR are related but distinct. IFC under Section 134(5)(e) covers all internal financial controls — business operations, asset safeguarding, fraud prevention, and accounting accuracy. ICFR is the narrower subset focused only on financial reporting reliability under Section 143(3)(i). The Director's Responsibility Statement covers the wider IFC; the auditor's report covers ICFR alone.

Who Needs ICFR Audit?

ICFR audit applicability depends on company type, size, and filing compliance. Listed companies always fall within the audit net while private companies enjoy threshold-based exemptions under the GSR 583(E) framework — but the exemption is conditional, and a single MCA filing default forfeits it:

  • Listed companies — always applicable; both Section 134(5)(e) IFC reporting and Section 143(3)(i) auditor certification apply, with continuous Audit Committee oversight
  • Unlisted public companies with paid-up capital ≥ ₹25 crore — full ICFR audit applies
  • Other unlisted public companies — standard ICFR audit applies under Section 143(3)(i)
  • One Person Companies (OPCs) — automatic exemption under GSR 583(E)
  • Small companies — automatic exemption under GSR 583(E)
  • Other private companies — exempt only if turnover < ₹50 crore AND borrowings < ₹25 crore (conjunctive test)
  • Private companies crossing either threshold — full ICFR audit applies
  • Section 137 / 92 default — exemption forfeited; ICFR audit becomes mandatory regardless of size

MCA filing discipline directly drives ICFR audit applicability for private companies — a single default in financial statement filing under Section 137 or annual return under Section 92 brings the company back into full ICFR scope.

Risk Control Matrix & TOD / TOE Testing

Every ICFR audit revolves around two technical pillars — the Risk Control Matrix that maps risks to controls, and the two-layer testing process that evaluates whether those controls are properly designed and actually working.

1. Risk Control Matrix (RCM) — The Core Document

The RCM is the single source of truth for the entire engagement. Construction starts with process-level risk identification across procure-to-pay, order-to-cash, hire-to-retire, record-to-report, fixed assets, treasury, and tax. Every process generates risks at the financial-statement-assertion level. The matrix lists each risk alongside the control owner, control description, frequency, control type, and assertion mapping. A well-built RCM doubles as both management's self-assessment tool and the statutory auditor's testing reference.

2. Test of Design & Operating Effectiveness

TOD checks whether the control is logically capable of preventing or detecting material misstatement — verified through one walkthrough per control. Design failures call for control redesign before any TOE work begins. TOE then verifies actual control operation through sample-based attribute testing aligned to control frequency — typically 25 samples for daily controls, with smaller samples for less frequent controls per ICAI Guidance Note norms. Exceptions trigger root-cause analysis and remediation before the audit conclusion is finalised.

The Five COSO Components Plus IT General Controls

The COSO 2013 framework anchors every ICFR audit in India. The framework defines five integrated components — and IT General Controls underpin the automated portions of all five. Every ICFR audit tests these areas in an integrated assessment.

Control Environment

Tone at the top — integrity, ethics, governance oversight, management philosophy, organisation structure, authority delegation, and HR policies.

Risk Assessment

Identification and analysis of financial-reporting risks at the assertion level for each significant account and process.

Control Activities

Policies and procedures that mitigate identified risks — preventive and detective controls across business processes.

Information & Communication

Flow of relevant, timely information to control owners, management, and the Audit Committee — internal and external reporting channels.

Monitoring Activities

Ongoing assessment of control effectiveness through management review, internal audit, and continuous monitoring tools.

IT General Controls (ITGCs)

Access management, change management, backup procedures — underpinning every automated business control across all five COSO components.

Control environment failures often produce cascading control breakdowns elsewhere — fixing control environment gaps usually has the highest leverage on overall control health. Weak ITGCs frequently trigger material weakness conclusions across multiple processes, so ITGC remediation typically delivers the strongest improvement in the overall ICFR opinion.

Deficiency Classification & Common Problem Areas

Every control deficiency identified during ICFR audit needs proper classification — the ICAI Guidance Note recognises three deficiency tiers, and classification accuracy directly drives the Section 143(3)(i) auditor's report. Our methodology is built around the five anchors below.

Three-Tier Deficiency Classification

Control deficiency (lowest — single-instance failures, management letter); significant deficiency (communicated to Audit Committee in writing); material weakness (highest — reasonable possibility of material misstatement, triggers adverse Section 143(3)(i) opinion).

Segregation of Duties & Journal Entry Controls

The most frequently flagged ICFR deficiency — conflicts arise when one person both initiates and approves transactions. Manual journal entries posted at period-end are particularly susceptible. Strong review controls and ERP-based approval workflows mitigate both risks.

IT General Controls & Access Management

ITGCs underpin every automated business control — weak access management, change management, or backup procedures undermine all dependent controls. ITGC testing always runs alongside business-process controls; remediation typically delivers the highest leverage on overall ICFR strength.

Reconciliation, Estimation & Period-End Controls

Bank, vendor, and intercompany reconciliations carry high financial-reporting risk. Accounting estimates require management judgment that controls must moderate. Reconciliation discipline supports both audit and tax compliance — period-end is where most material weaknesses surface.

Statutory Auditor & Audit Committee Coordination

Every engagement is calendared against the statutory audit timeline — early kickoff in Q3 of the financial year is the standard timeline anchor. Outputs feed Section 134(5)(e) Director's Responsibility Statement and Section 143(3)(i) auditor reporting; deficiencies are briefed to the Audit Committee under Section 177(4)(vii).

ICFR Audit & IFC Support – FAQs

Q. What is the difference between IFC and ICFR?
IFC and ICFR are related but distinct concepts. IFC under Section 134(5)(e) covers all internal financial controls including business operations, asset safeguarding, fraud prevention, and accounting accuracy. ICFR is the narrower subset focused only on financial reporting reliability under Section 143(3)(i). The ICAI Guidance Note restricts the auditor's reporting to ICFR — not the wider IFC scope. The Director's Responsibility Statement covers IFC, while the auditor's report covers ICFR.
Q. Is ICFR audit mandatory for my private company?
ICFR audit applicability depends on threshold tests. MCA notification GSR 583(E) dated 13 June 2017 exempts One Person Companies, small companies, and private companies with turnover below ₹50 crore AND borrowings below ₹25 crore. The exemption falls away if the company defaults in filing financial statements under Section 137 or annual return under Section 92. Listed and most public companies always face ICFR audit, so the conjunctive turnover-and-borrowing test drives every applicability decision for private companies.
Q. What is the COSO framework and why does it matter?
COSO 2013 is the global internal control framework adopted by the ICAI Guidance Note on ICFR. COSO defines five components — control environment, risk assessment, control activities, information and communication, and monitoring — supported by seventeen underlying principles. Every ICFR audit in India aligns design and testing to these five components. COSO compliance is treated as the technical baseline for management's ICFR self-assessment, so COSO mastery underpins every effective ICFR engagement.
Q. What is a Risk Control Matrix (RCM)?
An RCM is the central ICFR audit working document mapping risks to controls. It lists each financial-reporting risk alongside the mitigating control, owner, frequency, and assertion coverage, organised by process — procure-to-pay, order-to-cash, hire-to-retire, record-to-report, fixed assets, treasury, and tax. Every Test of Design and Test of Operating Effectiveness flows from the RCM, so a well-built RCM is the single most leveraged document for both management self-assessment and statutory auditor testing.
Q. What are TOD and TOE in ICFR audit?
TOD (Test of Design) and TOE (Test of Operating Effectiveness) are the two testing layers of ICFR audit. TOD evaluates whether the control is logically capable of preventing or detecting misstatement — typically through one walkthrough per control. TOE verifies actual control operation through sample-based attribute testing. Sample sizes follow ICAI Guidance Note norms — typically 25 samples for daily controls. Exceptions identified during TOE trigger root-cause analysis. Both TOD and TOE together drive the audit conclusion on each control.
Q. What is a material weakness in ICFR?
Material weakness is the highest-severity ICFR deficiency tier. It represents a deficiency, or a combination of deficiencies, that gives rise to a reasonable possibility of material misstatement of the financial statements. Material weaknesses trigger an adverse ICFR opinion in the auditor's Section 143(3)(i) report. This is distinct from significant deficiencies (communicated to the Audit Committee in writing) and control deficiencies (lowest severity, often included in the management letter). Early identification matters most for protecting the audit opinion.
Q. How long does an ICFR audit engagement take?
ICFR audit timing depends on company size, process complexity, and existing documentation maturity. First-year ICFR engagements at large companies typically span 3–4 months across scoping, RCM design, walkthrough, TOD, TOE, and reporting phases. Repeat engagements run faster — often 2–3 months — because RCMs are pre-built. Parallel internal audit engagements often share testing work and shorten ICFR timelines. Early kickoff in Q3 of the financial year is the standard timeline anchor.

ICFR Audit on the Calendar? Run RCM Design, TOD & TOE Under One Coordinated Team.

N D Savla & Associates handles applicability scoping, COSO 2013 implementation, RCM design, Test of Design and Operating Effectiveness, deficiency classification, and Section 143(3)(i) reporting support — all aligned to your statutory audit calendar. Reach out to discuss your ICFR engagement.
