
Internal Financial Controls: Where Audit Committees Are Asking Tougher Questions

Internal Financial Controls reporting under the Companies Act has been around long enough that most listed entities have a routine for it. What has changed in the last two reporting cycles is the depth at which audit committees are now testing the routine - and the questions they are putting to management between meetings.

This is a shift from compliance to assurance, and it has implications for how IFC frameworks are designed, evidenced, and reviewed.

From statutory checkbox to governance lever

Section 143(3)(i) of the Companies Act, read with the ICAI's Guidance Note on IFC, requires the auditor to express an opinion on the adequacy and operating effectiveness of internal financial controls over financial reporting. For most listed and large unlisted entities, the framework of choice has been the COSO 2013 model, supplemented with risk-control matrices at the process level.

What we are seeing now is the audit committee using the IFC report as a governance instrument rather than a closing checklist. The questions have evolved from "Is the framework in place?" to "What is the residual risk after controls are applied? What did the control miss? How fast does a deficiency get fixed?"

The evidence problem

The single most common deficiency we observe in IFC walkthroughs is not the absence of a control - it is the absence of contemporaneous evidence that the control operated. A reconciliation that is performed but signed off three weeks later, an approval that is on paper but never matched against the supporting voucher, an exception report that is generated but not reviewed for two cycles - these are the gaps that a robust IFC walkthrough now isolates.

The remedy is mostly procedural: timestamped evidence, independent review of the review, and a clear escalation path when the control fails.

Where IT general controls now matter more

Most finance processes today run on systems - ERPs, sub-ledgers, planning tools, and a layer of integrations. The reliability of the financial statements depends on the integrity of those systems, which makes IT general controls (ITGC) a foundational layer for IFC. Four ITGC areas are being scrutinised more closely:

  • Access management - joiner/mover/leaver discipline, segregation-of-duties matrices and privileged-access reviews.
  • Change management - testing protocols, approval trails and segregation between developers and migrators.
  • Computer operations - backup integrity, batch-job monitoring and incident-handling logs.
  • System interfaces - completeness and accuracy of data flowing between sub-systems and the GL.

What strong remediation looks like

Findings will surface. The differentiator now is what the entity does with them. The IFC frameworks we admire have three things in common: clear ownership of every deficiency at named-person level; a remediation timeline tracked against the next reporting cycle, not the next audit; and a re-test protocol that closes the loop with evidence rather than assertion.

What audit committees should ask this quarter

  1. What deficiencies were identified in the last cycle, and where do they stand on remediation?
  2. For the highest-risk processes, can management produce contemporaneous evidence of control operation?
  3. What did the ITGC review reveal, and have the access and change-management findings been actioned?
  4. Where automated controls have been introduced, has the design effectiveness been independently tested?

The bottom line

IFC reporting is not going to get easier. Audit committees, regulators, and investors are converging on a higher standard of evidence and follow-through. For finance teams, the move from compliance to assurance is the unlock - build the discipline once, and the rest of the governance machinery rests on top of it.

This article is for general information only and does not constitute professional advice. For engagement-specific assurance support, please write to contact@zarkca.in.