Skip to content
A practice anchor at D Somani & Associates

Continuous Control Monitoring & IFC.


At a glance

The five things you need to know.

What it is

A standing programme that tests your key controls on full transaction populations every cycle - monthly or quarterly - so exceptions surface while they are still small.

Who it's for

Entities in IFC scope, listed companies, and promoter-led businesses whose ERP data is mature enough to test - typically ₹100 Cr+ turnover.

How we run it

Each control becomes a data test - three-way match, SoD conflicts, duplicate vendors, off-hours journals - run on the full population every cycle and triaged with process owners.

You walk away with

A cycle-wise exception report, a quantified findings register, and an IFC assertion file (RCMs, design and operating-effectiveness testing) your statutory auditor can rely on.

Typical timeline

4-6 weeks to build the test library and baseline; each monitoring cycle thereafter closes in days, not weeks. Annual IFC review: 4-6 weeks.

What we do.

An annual audit sees a control once a year. Continuous control monitoring watches it every cycle. We codify the controls that matter - procure-to-pay, payroll, revenue, treasury, ITGC - into repeatable data tests, run them on the complete population from your ERP, and bring management a short exception report each cycle instead of a long report once a year.

The monitoring library.

Typical tests include three-way match breaks (PO / GRN / invoice), duplicate or shared vendor bank accounts, contractor rates against current contracts, headcount against gate-pass data, credit notes and price overrides beyond approval limits, segregation-of-duties conflicts in user access, and journal entries posted outside business hours. The library is built for your processes in the first month and refined every cycle.

IFC - design and operating effectiveness.

For companies in IFC scope under the Companies Act, 2013, we prepare and maintain risk-control matrices, walk through design effectiveness, and test operating effectiveness with samples sized to the population. Where a CCM programme is already running, IFC testing largely falls out of it - the same tests, documented to assertion standard, which is what makes the two a natural pair.

How we are different.

  • Full populations, not samples. The tests run on every transaction in the cycle. Sampling risk simply does not arise for the monitored controls.
  • Exceptions triaged, not listed. Every flagged item is validated with the process owner before it reaches management - what you receive is a short list of real issues, not a data dump.
  • ERP-agnostic. We work from standard extracts (SAP, Oracle, Tally, Zoho or otherwise). No software purchase is a precondition.
  • One team, one thread. The same team that monitors your controls runs the annual IFC assertion - nothing is tested twice, and nothing falls between two engagements.

What a monitoring cycle looks like.

Day 1-2: data extracts land, tests run. Day 3-5: exceptions validated with process owners. Day 6-7: a two-page cycle report - what broke, what it cost, what to change - with the quarter's trend. The audit committee sees the trend line, not a stack of annexures.

Related

You might also need.

Talk to us

A short call is the fastest way to scope a control-monitoring programme.

Schedule a call → Read related notes
WhatsApp