"Internal Financial Controls" sounds like a Big 4 deliverable with a six-figure price tag โ but at its core, IFC is just documenting the checks that already prevent your invoices from being paid twice, your payroll from including ghost employees, and your bank reconciliations from hiding errors.
What the Companies Act Actually Requires
| Provision | Who It Applies To | What It Requires |
| --- | --- | --- |
| Section 134(5)(e) | Listed companies (and others to which the provision applies) | Board's report must state that IFC have been laid down and are adequate and operating effectively |
| Section 143(3)(i) | Companies not specifically exempted | Statutory auditor must report on adequacy and operating effectiveness of IFC with reference to financial statements |
Exemptions exist but are conditional. One-person companies, small companies, and certain private companies meeting prescribed turnover/borrowing thresholds (and not being a holding/subsidiary of a public company) are exempt from the auditor IFC reporting requirement. These thresholds change periodically — always verify current applicability with your auditor rather than assuming last year's exemption still applies, especially after a funding round that may change the company's classification.
The COSO Framework: Five Components
Most IFC documentation in India references the COSO Internal Control — Integrated Framework, which organises controls into five interlocking components:
- Control Environment: Tone at the top — does management demonstrate commitment to integrity and ethical values, and is there a clear organisational structure with defined authority and responsibility?
- Risk Assessment: Has the company identified the risks to achieving its financial reporting objectives (e.g., revenue recognition errors, inventory misstatement)?
- Control Activities: The actual policies and procedures — approval matrices, reconciliations, segregation of duties, system access controls
- Information & Communication: Are financial information systems reliable, and is relevant information communicated to the right people in time?
- Monitoring Activities: Ongoing or periodic evaluations to confirm controls are present and functioning (internal audit, self-assessment, management review)
Building IFC Documentation Without a Big 4 Budget
| Step | What It Involves | Typical Output |
| --- | --- | --- |
| 1. Map key processes | Document the major financial processes: revenue/order-to-cash, procurement-to-pay, payroll, fixed assets, treasury, financial close | Simple flowcharts or narrative process descriptions (1-2 pages each) |
| 2. Identify key controls | Within each process, identify the controls that prevent or detect material errors — e.g., three-way match for purchase orders, dual authorisation for bank transfers, monthly bank reconciliation | Risk-and-control matrix (RCM) per process |
| 3. Test design | Confirm each control, as designed, would actually prevent or detect the risk it's meant to address | Gap list where design is inadequate |
| 4. Test operation | Sample-check that controls are actually being performed as documented (e.g., pull 10 purchase orders and check three-way match evidence) | Testing workpapers, exception log |
| 5. Remediate and re-test | Fix gaps identified, then re-test to confirm closure | Updated RCM, closure evidence |
Common Control Gaps in Growing Companies
- Segregation of duties: The same person who raises a payment also approves it — common in small finance teams but a fundamental control weakness
- System access not reviewed: ERP/accounting software access rights granted during onboarding but never reviewed as roles change
- Manual journal entries: No review/approval workflow for journal entries posted directly by finance staff, especially around month-end
- Related party transaction identification: No formal process to flag transactions with related parties at the point of approval — a gap that connects directly to the related party disclosure requirements
- Bank reconciliation timeliness: Reconciliations performed monthly at best, sometimes with a multi-month lag, masking errors or fraud for extended periods
Why This Matters Beyond Compliance
Beyond satisfying Section 143(3)(i), a documented IFC framework pays off when the company prepares for statutory audit — auditors spend less time understanding processes from scratch, and management has a ready answer when asked "how do you know your numbers are right?" It's also a standard diligence item for fundraising, M&A, and IPO readiness — investors increasingly expect to see at least a basic risk-and-control matrix even from pre-IPO companies.
Frequently Asked Questions
What are Internal Financial Controls (IFC) under the Companies Act, 2013?
IFC are the policies and procedures ensuring orderly business conduct, asset safeguarding, fraud/error prevention and detection, accurate accounting records, and timely reliable financial information. Section 134(5)(e) requires certain boards to confirm IFC are adequate and operating effectively, while Section 143(3)(i) requires auditors to report on this for non-exempt companies.
Are all private companies required to report on Internal Financial Controls?
No. One-person companies, small companies, and certain private companies meeting prescribed turnover/borrowing thresholds (and not a holding/subsidiary of a public company) are exempt from the auditor IFC reporting requirement, subject to current notification thresholds. Even exempt companies often benefit from basic IFC documentation for governance and fundraising readiness.
What does a practical IFC framework look like for a mid-sized private company?
A practical framework documents key financial processes as flowcharts/narratives, identifies key controls (approvals, reconciliations, segregation of duties, access controls) in a risk-and-control matrix, and establishes a testing cadence to confirm controls operate as designed. The COSO Internal Control — Integrated Framework (control environment, risk assessment, control activities, information & communication, monitoring) is the common reference structure.