IFC testing in India: what design effectiveness actually looks like.
Our practice, in detail.
1. The IFC framework, in one paragraph.
Section 134(5)(e) of the Companies Act, 2013 makes the directors responsible for stating that internal financial controls are adequate and operating effectively. Section 143(3)(i) requires the statutory auditor to opine on the operating effectiveness of those controls for the specified classes of companies. In between sits internal audit, which is the function that actually tests the controls so that both the board and the auditor can stand behind their statements.
The framework recognised in practice is the ICAI Guidance Note on Audit of Internal Financial Controls over Financial Reporting, which substantially aligns with the COSO 2013 framework. Five components (control environment, risk assessment, control activities, information and communication, monitoring) and seventeen principles. That is the architecture. The work is in the testing.
2. Design effectiveness vs operating effectiveness.
The two are routinely confused. They are different questions and they need different evidence.
Design effectiveness asks whether the control, as designed, can prevent or detect the risk it is meant to address. It is answered by a walk-through, by tracing one transaction end to end and seeing whether the control would catch what it is supposed to catch. Design testing produces a yes-or-no opinion per control: does the design address the risk, or does it not?
Operating effectiveness asks whether the control, even though well-designed, actually operates as intended across the period. It is answered by sample-based testing across the year, using attribute sampling. Operating effectiveness produces an exception rate: across our sample of 25 transactions, the control failed twice. Is that acceptable or not?
Both are required. A control that is poorly designed cannot be saved by good operation. A control that is well-designed but seldom operated is not a control.
3. The walk-through that proves design.
A walk-through is a single transaction traced from initiation to recording in the financial statements, with all controls observed in sequence. For a vendor invoice that is what we mean by a walk-through:
- Pick one invoice from the period under review.
- Trace it back to the purchase order, the receipt of goods, the vendor master record, the approval on the invoice, the matching against the PO and the GRN, the posting to the GL, and the eventual payment.
- At each handoff, identify the control that is meant to operate. Document whether it operated for this transaction.
- Document the evidence (system screenshot, signed document, email trail) for each control point.
If at the end of the walk-through every control point has a designed control and the control would have caught the risk, design effectiveness is established. If a control point is missing or the designed control would not have caught the risk, that is a design gap. A design gap is more serious than an operating exception because it means even perfect operation would not protect the company.
4. Sample sizes that survive scrutiny.
Operating effectiveness testing uses attribute sampling, and the sample sizes are smaller than people expect. The AICPA and PCAOB guidance, mirrored in Indian practice, gives a table that most IA functions use:
- Annual control (e.g. annual review of the chart of accounts): sample of 1.
- Quarterly control: sample of 2.
- Monthly control: sample of 2 to 4.
- Weekly control: sample of 5.
- Daily control: sample of 15 to 25.
- Multiple times a day (transaction-level): sample of 25 to 60 depending on volume.
These are minimums for low expected deviation. If we expect one exception in the population, the sample roughly doubles. If we find an exception, we either reach a conclusion on the basis of root-cause analysis (one-off vs systemic) or expand the sample.
5. The gaps we keep finding.
Across our IFC engagements, five categories of gap show up consistently:
- Outdated risk-control matrix. The RCM was set up in the year IFC became mandatory and never refreshed. Controls listed do not match controls that actually exist; new processes (like e-invoicing or digital approvals) have no controls listed at all.
- Single-point approvals. The DOA delegates approval authority to a single position with no escalation matrix. Replacement during leave is informal; segregation of duties is absent.
- System controls without periodic review. A configured ERP control (e.g. mandatory three-way match) is assumed to operate, but no one tests that it has not been overridden or disabled.
- Reconciliation controls without sign-off. The reconciliation happens but the reviewer's evidence is missing. From an auditor's point of view, an unreviewed reconciliation is not a control.
- IT general controls (ITGC) inheritance. Application-level controls rely on ITGCs (access management, change management, computer operations) that are themselves not tested. If the ITGCs fail, the application controls fail with them.
6. The audit committee's three questions.
If an audit committee has thirty minutes for the IFC report, they should ask three things:
"Where is our RCM and when was it last refreshed?"
If the answer is more than 18 months ago, the rest of the testing is on weak ground.
"What design gaps did we find this year and what is the remediation plan?"
Design gaps require remediation, not retesting. The remediation plan should include an owner, a target date and the controls being added or redesigned.
"What exception rate did our operating effectiveness testing produce, and how does it compare to last year?"
A rising exception rate is a leading indicator of control breakdown. A falling rate after design improvements means the design changes worked.
Frequently asked
Which companies must comply with IFC reporting in India?
Section 134(5)(e) of the Companies Act, 2013 applies to all companies, requiring the board's report to include a statement on IFC adequacy and operating effectiveness. The statutory auditor's opinion on operating effectiveness under section 143(3)(i) currently applies to listed companies and to other classes notified by the central government. The applicability has been progressively widened; consult the latest MCA notifications for the threshold applicable to your company.
Is the ICAI Guidance Note mandatory for IFC testing?
Yes, in practice. The ICAI Guidance Note on Audit of Internal Financial Controls over Financial Reporting is the authoritative framework used by Indian statutory auditors. Internal audit functions structuring IFC testing for the company's own representation typically follow the same guidance so that the testing dovetails with the statutory auditor's expectations.
How small can a sample size go for operating-effectiveness testing?
For a control that operates once a year, a sample of one is acceptable provided expected deviation is zero. For more frequent controls, the standard table maps frequency to minimum sample size. Smaller samples require zero observed exceptions to support a conclusion of operating effectively; even one exception in a small sample usually requires sample expansion or a control deficiency conclusion.
What is the difference between a deficiency, a significant deficiency and a material weakness?
A deficiency exists when the design or operation of a control does not allow management or employees to prevent or detect a misstatement in the normal course of their duties. A significant deficiency is one that is less severe than a material weakness but important enough to merit attention by the audit committee. A material weakness is a deficiency, or combination of deficiencies, such that a material misstatement of the financial statements will not be prevented or detected on a timely basis. Classification has direct consequences for the auditor's report.
How long should IFC testing take?
For a mid-sized company, a full annual IFC review (RCM refresh, walk-throughs, design testing and operating effectiveness testing across the in-scope cycles) typically takes 4 to 6 weeks of focused fieldwork, spread across the year. Companies that integrate IFC testing into the quarterly internal-audit cycle distribute the work and avoid a year-end crunch.