What Are Internal Controls Over Financial Reporting (ICFR)?
Internal Controls Over Financial Reporting in India refer to a structured set of processes and frameworks that ensure a company prepares its financial statements accurately, adheres to accounting standards, and complies with regulatory requirements such as the Companies Act, 2013. These controls are not only critical for large corporations but also increasingly relevant for mid-sized and growing companies aiming to build trust with stakeholders and avoid regulatory pitfalls.
ICFR helps ensure that a company’s financial records are accurate, complete, and free from fraud. It enables stakeholders, including investors and regulators, to trust that the financial statements truly reflect the company’s financial position.
According to the Companies Act, 2013, “Internal financial controls” include the policies and procedures adopted by a company to: – Ensure the orderly and efficient conduct of business. – Safeguard assets. – Prevent and detect fraud and errors. – Maintain accurate accounting records. – Enable timely preparation of reliable financial information.
Interpretation: With increasing corporate fraud cases in India (e.g., DHFL, IL&FS), regulators and investors demand tighter financial controls. A robust ICFR framework isn’t just a compliance tick-box but a business imperative
Why Is ICFR So Important in the Indian Regulatory Environment?
From an expert’s lens, ICFR matters because it: 1. Builds investor and stakeholder confidence. 2. Reduces the risk of financial misstatements or manipulation. 3. Enhances operational efficiency by enforcing standardized processes. 4. Strengthens corporate governance and accountability.
In 2022, the ICAI’s guidance note on ICFR reported that companies with effective ICFR mechanisms were 60% less likely to be flagged for material misstatements during audits.
Moreover, in the wake of rising investor activism and regulatory crackdowns by SEBI and the MCA, companies with robust ICFR systems experience fewer litigations and better long-term valuations.
Applicability of ICFR Under Companies Act, 2013
Who Is Required to Comply?
Under the Companies Act, 2013, ICFR is mandatorily applicable to all listed companies.
Certain private companies are also covered, depending on size and financial thresholds.
Statutory Exemptions (MCA Notification – 13 June 2017)
The Ministry of Corporate Affairs (MCA) has exempted the following entities from ICFR applicability:
One Person Companies (OPCs)
Small Companies
Private companies with:
Turnover below ₹50 crore (as per the latest audited financials), and
Aggregate borrowings below ₹25 crore at any point during the financial year.
However, these exemptions apply only if the company has not defaulted in filing:
Financial statements under Section 137
Annual returns under Section 92
Revised Definition of “Small Company”: What Changed in 2025?
Effective 1 December 2025, MCA revised the thresholds for small companies:
| Criteria | Earlier Limit | Revised Limit |
|---|---|---|
| Paid-up Capital | < ₹4 crore | < ₹10 crore |
| Turnover | < ₹40 crore | < ₹100 crore |
This revision brings many growing private companies within the ICFR compliance net, making proactive preparedness essential.
Management’s Responsibility for ICFR
ICFR is not an auditor-driven exercise. The primary responsibility lies with management and the board.
Key Responsibilities Include:
Designing and implementing adequate internal financial controls
Ensuring controls operate effectively throughout the year
Maintaining accurate accounting records
Preventing and detecting fraud and irregularities
Statutory Backing:
Section 134(5)(e) – Directors must confirm the existence and effectiveness of IFC
Rule 8(5)(viii) of Companies (Accounts) Rules, 2014 – Board’s Report must comment on adequacy of ICFR
Directors must confirm due care in safeguarding assets and maintaining records.
This makes ICFR a governance obligation, not just a finance function.
Auditor’s Responsibility under ICFR
Auditors play an independent assurance role under Section 143(3)(i) of the Companies Act, 2013.
Their responsibility is to:
Evaluate the adequacy of ICFR
Test whether controls operated effectively during the period
Obtain sufficient and appropriate audit evidence
Express an opinion on ICFR along with the financial statements
Auditors follow SA 315 (risk identification) and SA 330 (responses to assessed risks) while performing ICFR audits.
Our ICFR Engagement Approach at MSNA
At MSNA, we approach ICFR not just from a checklist mindset, but as a transformation enabler for financial integrity. Here’s how we do it:
- Business Understanding: We begin by understanding your company’s operations and risk landscape.
- Process Walkthroughs: We map your transaction journey from initiation to accounting.
- SOP Drafting: We prepare Standard Operating Procedures that document business flows clearly.
- Process Flow Diagrams: Using BPMN, we present complex flows visually.
- Risk Control Matrix (RCM): For each process, we map out the associated risks and required controls.
- Control Testing: We sample-check documents like invoices and approvals to validate control adherence.
- Reporting: Finally, we deliver a clear opinion on your ICFR design and effectiveness.
This end-to-end model helps clients not only achieve compliance but also build more accountable and efficient systems.
Real-World Example: ICFR in Action
Case Study: A mid-sized manufacturing firm in Pune approached us after their statutory audit flagged weak controls in purchase and inventory processes.
Our ICFR implementation uncovered: – Inadequate approval matrices. – Lack of segregation of duties. – Absence of documented SOPs.
Results post-implementation: – 40% reduction in audit observations. – Better vendor management. – Improved investor confidence in financial disclosures.
This case underscores how tailored ICFR implementation can address critical pain points and foster trust
Common ICFR Pitfalls That Can Undermine Compliance and Control Effectiveness
- Treating ICFR as a one-time compliance exercise.
- Not involving process owners in risk control design.
- Inadequate documentation – “If it’s not documented, it didn’t happen.”
- Using boilerplate control matrices not aligned to actual business processes
Final Thoughts on Applicability of Internal Controls in India
If you’re unsure whether your internal financial controls are audit-ready or compliant, it might be time to assess them with a fresh, expert perspective.
Disclaimer: This article is for educational purposes only and does not constitute legal or audit advice. Consult your statutory auditor or legal advisor for specific guidance.
Need help with ICFR implementation or audit-readiness?
Discover more from MSNA & Associates LLP
Subscribe to get the latest posts sent to your email.
