Trusted by 10,000+ Businesses

Internal Financial Controls Audit Under Section 143 of the Companies Act, 2013

Reviewed by CA and CS Team, Patron Accounting LLP ICAI & ICSI Registered| 15+ Years Experience| Last Updated: Verify Credentials →

Statutory Authority: Section 143(3)(i) of the Companies Act, 2013 - auditor reports adequacy of IFC with reference to financial statements (IFC-FR) and operating effectiveness.

Coverage: All companies including foreign companies; specific Pvt Ltd exemption notified by MCA on 13 June 2017 conditional on Section 137 and Section 92 filing compliance.

Practitioner Guidance: ICAI Guidance Note on Audit of IFC over Financial Reporting (14 September 2015) with Implementation Guide (Revised 2018); COSO Internal Control Integrated Framework (2013).

Patron Engagement: Bundled within statutory audit; Rs 1.75 lakh starting for threshold-crossing Pvt Ltd; standalone IFC readiness review Rs 1 lakh to Rs 4 lakh.

10,000+ Businesses Served | 4.9 Google Rating | 50,000+ Documents Filed | 15+ Years Experience

Call +91 945 945 6700 Email Us WhatsApp Us

15+ YearsIndustry Experience

CA & CSCertified Experts

4.9

Based on 500+ reviews

Get Free Consultation

Talk to a CA/CS expert today

Full Name

Phone Number

City

Service Needed

Our team will get back to you shortly. No spam.

Real Stories from Real People

Hear how teams across industries use Patron to save time, cut costs, & stay in control.

“

The statutory audit was clean and completed well before deadline. No last-minute rush. Patron's bottom-up RCM approach surfaced two Significant Deficiencies in our procurement cycle early in the audit period - we had time to remediate before year-end. Annexure B came back unmodified.

MD - Trading Firm

Mumbai Rs 110 cr revenue Pvt Ltd

★★★★★

2 months ago

“

First-year IFC audit after crossing the Rs 50 crore turnover threshold - we had no RCM, no ITGC documentation, no fraud risk assessment. Patron's retro-fit approach within the audit period was structured - week-by-week deliverables, clear scope, no surprises on fee. Annexure B closed without Material Weakness.

CFO - D2C Brand

Bangalore first-year IFC retro-fit

★★★★★

3 months ago

“

NBFC Middle Layer lending IT controls - Patron's ITGC depth covered customer onboarding, KYC / AML, IRACP Directions, FLDG co-lending - critical for our NFRA monitoring exposure. Audit Committee under Section 177(4)(vii) got the deficiency dashboard they needed. Professional, knowledgeable, ethical.

CRO - NBFC Middle Layer

Mumbai NBFC - IRACP + ITGC IFC

★★★★★

4 months ago

“

Mid-period ToOE was a revelation. Big Four had given us a black-box year-end audit; Patron's interim ToOE in week 4-5 surfaced a Material Weakness candidate in revenue cut-off. We remediated mid-period - final Annexure B unmodified. Deficiency aggregation per ICAI Guidance Note properly documented. Worth the engagement.

Finance Controller - SaaS

Pune Rs 180 cr revenue - revenue cut-off MW averted

★★★★★

5 months ago

Join 10,000+ Satisfied Businesses

From first-year IFC retro-fits for Pvt Ltd companies crossing the threshold to NBFC Middle Layer lending IT controls and listed-entity KAM disclosure coordination - real Patron clients share how the bottom-up RCM approach, mid-period ToOE rollforward, and ICAI Guidance Note deficiency aggregation logic delivered unmodified Annexure B opinions.

Talk to an Expert

10,000+Businesses ServedGST compliance and litigation support across India.

15+Years ExperienceDeep expertise in IP registration, GST & business compliance.

50,000+Documents FiledReturns, appeals, and filings handled accurately.

4.9★Client RatingTrusted by entrepreneurs, startups, and growing businesses.

ISO CertifiedProfessional standards and documented processes.

SSL SecureYour financial and business data is fully protected.

Overview - Internal Financial Controls Audit

📌 TL;DR - Internal Financial Controls Audit Services at a Glance

Internal Financial Controls (IFC) audit under Section 143(3)(i) of the Companies Act, 2013 is the statutory auditor's assessment of (a) adequacy of internal financial controls with reference to financial statements (IFC-FR) and (b) operating effectiveness of those controls, reported as Annexure B to the main audit report under SA 700. The audit framework follows the COSO Internal Control - Integrated Framework (2013) with five components and seventeen principles, supported by ICAI's Guidance Note (14 September 2015) and Implementation Guide (Revised 2018). Testing comprises Test of Design (ToD) to verify that controls are properly designed and Test of Operating Effectiveness (ToOE) to verify that controls operate as designed throughout the audit period. MCA Notification dated 13 June 2017 exempts OPC, small companies, and qualifying Pvt Ltd companies (turnover under Rs 50 crore OR aggregate borrowings under Rs 25 crore) provided no default in Section 137 or Section 92 ROC filings.

Section 143 of the Companies Act, 2013 deals with the powers and duties of statutory auditors. Sub-section (3) lists ten specific matters on which the auditor is required to report. Clause (i) of sub-section (3) - the IFC clause - was the most significant addition over the predecessor Companies Act 1956. For the first time in Indian audit law, auditors were required to attest to the design and operating effectiveness of management's control system - moving beyond the traditional financial-statement attestation into governance terrain. IFC reporting under Section 143(3)(i) is functionally similar to Section 404 of the US Sarbanes-Oxley Act (SOX) and triggered Indian audit firms to adopt the COSO 2013 framework that anchors most SOX 404 programs globally.

Patron Accounting LLP is a peer-reviewed CA and CS practice handling Internal Financial Controls audit engagements end-to-end - applicability scoping under MCA Notification G.S.R. 583(E) dated 13 June 2017, COSO 2013 framework mapping, bottom-up Risk-Control-Matrix construction, Test of Design and Operating Effectiveness sampling, IT General Controls testing, deficiency aggregation per ICAI Guidance Note and Annexure B drafting integrated with Annexure A CARO 2020 reporting. Verify framework references through the Ministry of Corporate Affairs (MCA21 V3 portal); auditing standards and guidance notes at the Institute of Chartered Accountants of India; NFRA-monitored audit framework at the National Financial Reporting Authority.

Content is reviewed quarterly for accuracy.

What Is Internal Financial Controls Audit

Internal Financial Controls (IFC) audit under Section 143(3)(i) of the Companies Act, 2013 is the statutory auditor's reasoned opinion on whether the company has adequate internal financial controls with reference to financial statements in place and whether such controls are operating effectively. The audit follows the COSO Internal Control - Integrated Framework (2013) and applies Test of Design and Test of Operating Effectiveness procedures throughout the audit period.

Reporting Placement and Opinion Mechanics: The IFC audit is performed concurrently with the financial statement audit and reported as Annexure B to the main audit report (CARO 2020 is Annexure A). The auditor's IFC opinion is a separate opinion - it can be unmodified even where the main financial statement opinion is qualified, or vice versa. An unmodified IFC opinion means the auditor has reasonable assurance that the company has adequate IFC-FR and that such controls operated effectively in all material respects throughout the audit period; a modified opinion identifies specific material weaknesses that warrant disclosure.

Testing Approach - The Key Distinction: Where IFC audit differs most from financial statement audit is in the testing approach. Financial statement audit can rely on substantive procedures (tracing balances, recalculating amounts, confirming with third parties). IFC audit requires Test of Design AND Test of Operating Effectiveness throughout the year - not just at year-end. The auditor cannot conclude that a control is effective merely because the year-end balance is correct; the control must have been designed appropriately AND must have operated as designed across the period. Sampling is structured around control frequency - daily, weekly, monthly, quarterly controls each demand minimum sample sizes per the ICAI Guidance Note.

Sister Authority Page - CARO 2020: Both CARO 2020 (under Section 143(11)) and IFC audit (under Section 143(3)(i)) constitute the complete Section 143 reporting framework. CARO is Annexure A; IFC is Annexure B. Both are filed together with Form AOC-4 within 30 days of the AGM under a single UDIN. CARO 2020 Clause 3(xiv) requires the statutory auditor to report whether the company has an internal audit system commensurate with size and nature of business and whether reports of internal auditors were considered - a direct cross-link to IFC audit work product.

Key Terms for Internal Financial Controls Audit:

IFC (Section 134(5)(e) definition): Internal Financial Controls means the policies and procedures adopted by the company for ensuring (a) orderly and efficient conduct of business including adherence to company's policies, (b) safeguarding of assets, (c) prevention and detection of frauds and errors, (d) accuracy and completeness of accounting records, and (e) timely preparation of reliable financial information. This wider definition applies to the Director's Responsibility Statement.
IFC-FR (Section 143(3)(i) scope): IFC with reference to financial statements - a narrower scope than Section 134(5)(e). Only controls that have a financial reporting impact are within the audit scope. Business controls without financial reporting impact (e.g. HR onboarding workflow) are outside the auditor's Section 143(3)(i) opinion.
COSO 2013 Framework: Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission, released 14 May 2013 replacing the 1992 framework. Five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities; seventeen explicit principles.
Risk-Control-Matrix (RCM): The auditor's working file documenting each significant account balance and disclosure, the related financial-statement risks (existence, completeness, accuracy, valuation, presentation), and the controls management has implemented to address each risk; the audit programme is structured around the RCM.
Test of Design (ToD): Audit procedure to evaluate whether a control is suitably designed to prevent or detect material misstatements - typically through inquiry, observation, walkthrough of one or more transactions, and inspection of supporting evidence.
Test of Operating Effectiveness (ToOE): Audit procedure to evaluate whether the control operated as designed during the audit period - sample testing of multiple transactions across the period; sample size driven by control frequency.
Material Weakness: Deficiency or combination of deficiencies in IFC-FR such that a reasonable possibility exists of a material misstatement of the financial statements not being prevented or detected on a timely basis. Triggers a modified IFC audit opinion.
Significant Deficiency: Deficiency, or combination of deficiencies, that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
ITGC (IT General Controls): Foundational controls over the IT environment - access management, change management, computer operations, backup and recovery, SDLC. COSO Principle 11. Without ITGC, automated controls cannot be relied upon.
Annexure B Report: The auditor's IFC opinion report, separate from the main audit report and Annexure A CARO 2020. Contains scope, management responsibility, auditor responsibility and opinion paragraphs per ICAI Guidance Note format.
MCA Notification 13 June 2017 (G.S.R. 583(E)): The Pvt Ltd IFC exemption - OPC, Small Company, or Pvt Ltd with turnover up to Rs 50 crore OR aggregate borrowings up to Rs 25 crore, conditional on no Section 137 or Section 92 ROC filing default.
UDIN (Unique Document Identification Number): ICAI-mandated unique identifier generated for every signed audit document; covers the complete signed package including main report, Annexure A CARO and Annexure B IFC.

Section 143(3)(i) Annexure B - Statutory Authority

IFC Audit Applicability Matrix

Section 143(3)(i) applies to every company audited under the Companies Act, 2013 - including foreign companies under Section 2(42). The MCA Notification dated 13 June 2017 (G.S.R. 583(E)) carves out specific exemptions for smaller private companies, subject to conditions.

Listed company (NSE / BSE): Mandatory. Section 143(3)(i) reporting standalone and CFS; KAM-level disclosure for material weakness under SA 701.
Unlisted public company: Mandatory. Section 143(3)(i) full reporting.
Pvt Ltd subsidiary or holding of listed company: Mandatory. Full IFC reporting; exemption not available.
Pvt Ltd turnover above Rs 50 crore (latest audited): Mandatory. Threshold-based; latest audited financial statement as reference.
Pvt Ltd aggregate borrowings above Rs 25 crore at any point during FY: Mandatory. Peak test - even a single-day borrowing above Rs 25 crore from banks / FIs / body corporate triggers applicability.
Pvt Ltd turnover up to Rs 50 cr AND borrowings up to Rs 25 cr: Exempt (conditional) - subject to no Section 137 (financials) or Section 92 (annual return) ROC filing default.
OPC under Section 2(62): Exempt - unconditional.
Small Company under Section 2(85): Exempt - unconditional (paid-up up to Rs 4 crore and turnover up to Rs 40 crore from 15 September 2022).
Section 8 company (charitable): Mandatory subject to size - same Pvt Ltd thresholds apply; exemption available if all conditions met.
Foreign company under Section 2(42): Mandatory for Indian financial statements; Section 143(3)(i) applies through the appointed Indian auditor.
Group with CFS under Section 129(4): Mandatory mutatis mutandis - IFC reporting applies to consolidated financial statements for Companies Act components only; LLP and non-Act components outside scope.
NBFC Base Layer / Middle Layer / Upper Layer: Mandatory - NBFC IT controls (lending, IRACP Directions, customer onboarding) require deep ITGC review.

Critical Compliance Trap - Section 137 / Section 92 Default Voids the Exemption: Even where a Pvt Ltd company is otherwise eligible for the Section 143(3)(i) exemption (turnover up to Rs 50 crore AND borrowings up to Rs 25 crore), the exemption stands voided if the company has defaulted in filing its financial statements under Section 137 of the Companies Act, 2013 (Form AOC-4) or its annual return under Section 92 of the Companies Act, 2013 (Form MGT-7) with the Registrar of Companies. The default test is fresh each year - a one-year filing default reopens IFC reporting applicability for that year. Patron's first action on any new engagement is a Section 137 / Section 92 filing-compliance check before relying on the exemption.

Section 134(5)(e) Director Responsibility - Independent of Exemption: The Director Responsibility Statement under Section 134(5)(e) and the Board Report disclosure under Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 apply to every company irrespective of the Section 143(3)(i) auditor exemption. Directors must confirm adequacy of IFC in the Board Report even where the auditor is exempt from Annexure B reporting.

What Patron's IFC Audit Engagement Delivers

Service	What We Do
Applicability Determination and Exemption Check	Section 143(3)(i) applicability test under MCA Notification G.S.R. 583(E) dated 13 June 2017 - turnover Rs 50 crore (latest audited) and aggregate borrowings Rs 25 crore peak test for the year. Section 137 (AOC-4) and Section 92 (MGT-7) ROC filing compliance check to confirm exemption is not voided.	Engagement Start
Entity-Level Controls (ELC) Evaluation	Board composition and oversight (COSO Principle 2); tone-at-the-top assessment (Principle 1); organisational structure and authority matrix (Principle 3); HR competency framework (Principle 4); accountability mechanism (Principle 5). ELC sets the foundation for transaction-level testing.	All Tiers
Risk-Control-Matrix (RCM) Construction	Bottom-up RCM build per significant account balance and disclosure; mapping to financial-statement assertions (existence, completeness, accuracy, valuation, rights and obligations, presentation); risk identification per assertion; management-implemented controls catalogued with descriptor, owner, frequency, evidence type. Not a templated checklist - each company's RCM is unique to its transaction cycles.	All Tiers
Test of Design (ToD) Through Walkthrough	For each significant control, inquiry of control owner, observation of control operation, walkthrough of one or more transactions, and inspection of supporting evidence. ToD conclusion - control is suitably designed to prevent or detect material misstatement.	All Tiers
Test of Operating Effectiveness (ToOE) Sampling	Period-spread sample testing per ICAI Guidance Note sample sizes - daily manual controls 25-60; weekly 12-25; monthly 5-15; quarterly 3; annual 1. Automated controls require smaller samples once ITGCs are tested. Sample selection covers the full audit period including before any control change.	All Tiers
IT General Controls (ITGC) Audit	Access management (user provisioning, periodic access review, dormant account lockout, SoD enforcement); change management (production deploy approval, version control); computer operations (job scheduling, batch monitoring, incident management); backup and recovery (BCP / DR testing); SDLC; data centre security. ITGC failure breaks reliance on all automated application controls.	All Tiers
Fraud Risk Assessment Review (COSO Principle 8)	Annual fraud risk assessment review per business cycle covering management override, asset misappropriation, financial reporting fraud - the COSO fraud triangle (opportunity, pressure, rationalisation). Cross-reference to CARO 2020 Clause 3(xi) fraud reporting and Section 143(12) ADT-4 filing threshold.	Standard / Complex
Deficiency Evaluation and Aggregation	Per ICAI Guidance Note three-tier classification - Inconsequential, Significant Deficiency, Material Weakness. Deficiency aggregation - multiple Significant Deficiencies in the same process may aggregate to a Material Weakness; Patron's audit working file documents the aggregation analysis explicitly.	All Tiers
CFS IFC Mutatis Mutandis (Section 129(4))	For groups - parent IFC, consolidation controls, and component-auditor coordination under SA 600 for Companies Act subsidiaries. Non-Act components (LLPs, foreign entities) excluded from CFS IFC scope but parent-level mapping controls in scope.	Group / Listed
KAM Disclosure Coordination (SA 701)	For listed entities and large unlisted entities - Material Weakness in IFC translates into Key Audit Matter (KAM) disclosure under SA 701. Patron coordinates KAM wording with main audit report partner and Audit Committee.	Listed / Large
Annexure B Drafting, UDIN and AOC-4 Filing	Annexure B drafted in ICAI Guidance Note format - title, audited entity identification, scope, management responsibility, auditor responsibility, opinion (unmodified or with material weakness paragraph), basis for opinion, management response. UDIN generated covering the complete signed package; Form AOC-4 filed on MCA21 V3 within 30 days of AGM.	All Tiers
Year-on-Year Remediation Tracking	Prior-year management letter deficiency tracking; current-year remediation status verification; deficiency trending across multiple audit periods; Audit Committee remediation calendar coordination under Section 177(4)(vii).	Mid-size+

Our Process

6-Step IFC Audit Methodology

A structured workflow from applicability scoping through Annexure B filing - COSO 2013 mapping, bottom-up Risk-Control-Matrix construction, walkthrough-based Test of Design, period-spread Test of Operating Effectiveness with ICAI sample sizes, deficiency evaluation per the ICAI Guidance Note classification framework, and integrated Annexure B drafting with UDIN and MCA21 V3 AOC-4 filing.

Step 1

Applicability Scoping and Engagement Setup

Week 1. Section 143(3)(i) applicability test using turnover Rs 50 crore (latest audited) and aggregate borrowings Rs 25 crore peak test. MCA Notification G.S.R. 583(E) 13 June 2017 exemption check including Section 137 (AOC-4) and Section 92 (MGT-7) filing-compliance verification. Engagement letter signed; significant account scoping; entity-level controls walkthrough.

Applicability locked Significant accounts scoped

Scoping 01

Step 2

COSO 2013 Mapping Across 5 Components and 17 Principles

Weeks 1-2. Map company's control structure to the COSO 2013 framework - Control Environment (5 Principles), Risk Assessment (4 Principles), Control Activities (3 Principles), Information and Communication (3 Principles), Monitoring Activities (2 Principles). Each Principle is tested for "present and functioning" status. Principle 8 (fraud) and Principle 11 (ITGC) get extra depth.

5 components mapped 17 principles checked

Framework 02

Step 3

Risk-Control-Matrix Construction and Walkthrough

Weeks 2-4. For each significant account, decompose the relevant transaction cycle into process steps and identify controls at each step. Classify as Key, Process, or ITGC. Populate RCM with control descriptor, owner, frequency (daily / weekly / monthly / quarterly / event-driven), evidence type, and risk-assertion mapping. Walkthrough of one transaction per significant control completes Test of Design.

RCM populated ToD complete

RCM Built 03

Step 4

Test of Operating Effectiveness Sampling

Weeks 4-7. Statistically defensible sample of control operations across the audit period - not just at year-end. Sample sizes per ICAI Guidance Note - daily manual controls 25-60; weekly 12-25; monthly 5-15; quarterly 3; annual 1. Automated controls require smaller samples once ITGCs are tested. ToOE exceptions trigger root-cause analysis - was the exception isolated or systemic?

Period-spread sampling Root cause analysed

ToOE Done 04

Step 5

Deficiency Evaluation and Aggregation

Week 7. Each ToD or ToOE deficiency classified per ICAI Guidance Note - Inconsequential (not severe enough), Significant Deficiency (merits attention by board), Material Weakness (reasonable possibility of material misstatement; triggers modified Annexure B opinion). Deficiencies aggregated across controls - multiple Significant Deficiencies in the same process may aggregate to a Material Weakness.

Tiered classification Aggregation analysed

Classified 05

Step 6

Annexure B Drafting, UDIN and AOC-4 Filing

Weeks 8 + 30-day AGM window. Annexure B drafted in ICAI prescribed format - title, audited entity identification, scope, management responsibility, auditor responsibility, opinion (unmodified or with material weakness paragraph), basis for opinion, management response. UDIN generated covering complete signed package (main report + Annexure A CARO + Annexure B IFC). Form AOC-4 filed on MCA21 V3 within 30 days of AGM.

Annexure B signed AOC-4 filed

Filed 06

Step 7

ITGC Concurrent Testing (Cross-Cutting)

Concurrent with Steps 3-4. Access management (provisioning, periodic review, dormant lockout, SoD); change management (deploy approval, version control); computer operations (job scheduling, batch monitoring); backup and recovery (BCP / DR testing); SDLC; data centre security. ITGC failure breaks reliance on all automated application controls - so this stream runs alongside RCM-based testing.

Access / change / ops ITGC integrated

IT Controls 07

Step 8

KAM Coordination for Listed Entities (SA 701)

Week 8. For listed entities and large unlisted entities - any Material Weakness in IFC translates into Key Audit Matter (KAM) disclosure under SA 701 in the main audit report. Patron coordinates KAM wording with main audit report partner, the Audit Committee under Section 177(4)(vii), Independent Directors (Schedule IV(ii)(4)), and NFRA where applicable.

SA 701 KAM Audit Committee

SA 701 08

Documents Checklist for IFC Audit Engagement

For an effective IFC audit engagement, the following documents should be shared. Patron accepts via WhatsApp +91 945 945 6700, secure file transfer, e-mail or in-person at Pune / Mumbai / Delhi / Gurugram offices.

Section 134(5)(e) Board IFC Statement: Director Responsibility Statement confirming adequacy and operating effectiveness of IFC; signed by board.
Section 177(4)(vii) Audit Committee Evaluation: Audit Committee minutes evaluating IFC; periodic IFC dashboard.
Section 149(8) Independent Director Affirmations: Independent Director self-certification on integrity of financial information and robustness of controls per Schedule IV(ii)(4).
Process Documentation (SOPs): Standard Operating Procedures for each significant business process - revenue, procurement, payroll, treasury, inventory, fixed assets, financial close, IT operations.
Authority Matrix and Delegation: Approvals matrix - who can approve what; delegation of authority documentation.
Risk Register: Enterprise risk register with financial-reporting risks identified.
Fraud Risk Assessment: COSO Principle 8 - fraud risk identification per business cycle covering management override, asset misappropriation and financial reporting fraud.
Internal Audit Reports (Section 138): Internal audit reports for the audit period; CARO 2020 Clause 3(xiv) cross-reference.
ITGC Documentation: Access control policy, change management policy, system development life cycle (SDLC) documents, backup and recovery procedures, business continuity plan.
ERP and Finance System Configuration: User access list with role assignments, segregation-of-duties matrix, system access logs, change history.
Reconciliation Logs: Bank, GST, TDS, vendor, customer, inter-company, payroll, fixed-asset reconciliations - monthly with sign-offs.
Period-End Close Calendar: Day-by-day close timeline; control sign-offs at each step; consolidation flow.
Whistleblower Mechanism: Whistleblower policy; complaints register; investigation outcomes.
Prior-Year Management Letter: Previous auditor's management letter with deficiencies; current-year remediation status.
Section 137 / Section 92 Filing Compliance Proof: AOC-4 and MGT-7 filing acknowledgements for prior years (mandatory for any Pvt Ltd relying on MCA 13 June 2017 exemption).

Verify framework references through the Ministry of Corporate Affairs (MCA21 V3 portal); auditing standards and guidance notes at the Institute of Chartered Accountants of India; NFRA-monitored audit framework at the National Financial Reporting Authority.

Common IFC Deficiencies and Remediation Patterns

Challenge	Impact	How Patron Accounting Solves It
Inadequate Segregation of Duties (SoD)	Most-common Significant Deficiency in mid-size Pvt Ltd companies. Same person initiates, approves and records transactions - typical in lean finance teams of 3 to 5 people. COSO Principle 10 violation.	Implement two-person rule for high-value transactions; configure ERP roles to enforce SoD; introduce compensating monthly review by CFO or external accountant; document compensating control in the RCM. Where team is too small for full SoD, auditor accepts compensating controls but reports any control failure as Significant Deficiency.
Manual Revenue Cut-Off Failures	Material Weakness pattern - revenue recognised after performance obligation but invoiced and recorded in the wrong period. Common at the March-31 boundary where ERP customisations are imperfect. COSO Principle 12 (deploy controls through policies and procedures) and Principle 16 (monitoring) violation.	Implement automated revenue cut-off control in ERP using delivery confirmation date; introduce period-end revenue accrual review by CFO; reconcile sales register, delivery register and invoice register on cut-off date.
ITGC Weakness - Excessive Access	Frequent finding in growing companies that have not periodically reviewed user access. Former employees with active credentials, finance staff with developer access to production ERP, lack of segregation between IT support and IT change. COSO Principle 11 (technology controls) violation.	Quarterly access review by data owner; automated dormant-account lockout; production access change-control workflow with management approval; review IT support tickets touching financial data.
Bank Reconciliation Inadequacy	Monthly bank reconciliation prepared late, or prepared by the same person who records bank transactions. COSO Principle 12 violation.	Automate bank statement import via banking API or MT940 file; configure reconciliation in ERP with independent reviewer; introduce monthly reconciliation sign-off by CFO; review aged un-reconciled items above materiality threshold each month.
GST Reconciliation Gaps	Variations between books, GSTR-1, GSTR-3B, and GSTR-2A / 2B left unreconciled. COSO Principle 10 (control activities for tax) and Principle 16 (monitoring) violation. Material from FY 2024-25 onwards as GST scrutiny tightens.	Monthly automated reconciliation between books and GSTR with documented sign-off; ageing of unmatched items; quarterly review by CFO; cross-reference to CARO 2020 Clause 3(vii) on statutory dues.
Fraud Risk Assessment Missing	COSO Principle 8 - the entity considers the potential for fraud in assessing risks. Many Pvt Ltd companies have no documented fraud risk assessment.	Prepare annual fraud risk assessment per business cycle covering management override, asset misappropriation, financial reporting fraud (the COSO fraud triangle - opportunity, pressure, rationalisation); document anti-fraud controls; cross-reference with CARO 2020 Clause 3(xi) fraud reporting and Section 143(12) ADT-4 filing threshold.

Patron IFC Audit Engagement - Scope and Fees

Fee Component	Amount
Free IFC Applicability Consultation	Free - 30-minute applicability scoping with Section 143(3)(i) trigger test and MCA 13 June 2017 exemption check; in-person at any Patron office or by phone / video
Patron Accounting Professional Fees (entry-level diagnostic add-on)	Starting from INR 2,999 (Exl GST and Govt. Charges) for initial scoping document with applicability indication and exemption status; credited if statutory audit engagement signed within 30 days
Tier 1 - Pvt Ltd Just Crossing Threshold (Rs 50 cr turnover / Rs 25 cr borrowing)	Rs 1,75,000 to Rs 4,00,000 (excl. GST) - bundled statutory audit + CARO 2020 Annexure A + IFC Section 143(3)(i) Annexure B; 5 to 6 weeks engagement; first-year IFC retro-fit including RCM construction, ITGC documentation, fraud risk assessment
Tier 2 - Mid-size Pvt Ltd (Rs 50 to 100 crore revenue)	Rs 4,50,000 to Rs 9,00,000 (excl. GST) - full IFC audit with bottom-up RCM construction, period-spread ToOE sampling, comprehensive ITGC testing, deficiency aggregation per ICAI Guidance Note; 6 to 7 weeks engagement
Tier 3 - Large Unlisted Pvt Ltd (Rs 100 to 500 crore revenue)	Rs 9,50,000 to Rs 22,00,000 (excl. GST) - comprehensive IFC audit with CFS IFC mutatis mutandis under Section 129(4), SA 600 component auditor coordination, multi-process RCM, year-round engagement; 7 to 10 weeks
Tier 4 - Listed Entity with KAM Disclosure	From Rs 25,00,000 (excl. GST) - NFRA-monitored audit with Material Weakness Key Audit Matter under SA 701, NSE / BSE Listing Regulations compliance, SA 600 group audit, Audit Committee coordination under Section 177(4)(vii); 10 to 14 weeks engagement
NBFC / Fintech (Lending IT Controls Deep Dive)	From Rs 4,00,000 (excl. GST) - NBFC Base Layer / Middle Layer ITGC depth covering lending application, customer onboarding, KYC / AML, IRACP Directions, FLDG / co-lending; 7 to 11 weeks
Group with CFS IFC Mutatis Mutandis Component Add-On	Rs 75,000 to Rs 3,00,000 per component (Companies Act entity only) - additional per-component fee on top of Tier 1-4 parent fee; LLP and non-Act components excluded from scope
IFC Readiness Assessment (Standalone Advisory)	Rs 1,00,000 to Rs 4,00,000 (excl. GST) - pre-audit-period gap assessment for companies anticipating first-year IFC reporting; not a statutory audit; 3 to 5 weeks engagement; deficiency roadmap delivered
Manufacturing IFC (Inventory + Cost Records)	Bundled in Tier 1-4 fee - inventory cycle controls under COSO Principle 10, cost records under Section 148 cross-reference, perpetual / periodic inventory reconciliation; see statutory audit for manufacturing
E-commerce IFC (Revenue Cycle ITGC)	Bundled in Tier 1-4 fee - revenue cycle controls covering marketplace reconciliation, payment gateway settlement, returns and refunds; see statutory audit for e-commerce

All fees and charges listed are indicative only and do not constitute a binding offer. Final amounts may vary depending on the volume of work and the complexity involved.

Professional service charges for drafting, filing, and representation are separate from the statutory fees. The exact fee depends on the complexity of the case, disputed amount, and number of hearings required. Contact us for a detailed quote.

Get a free Internal Financial Controls Audit consultation - Call +91 945 945 6700 or WhatsApp us. No-obligation assessment.

IFC in the Statutory Audit Cycle - Stage-Wise Timeline

Stage	Estimated Timeline
Engagement and Planning	Week 1 - applicability test under MCA G.S.R. 583(E); significant account scoping; entity-level controls walkthrough; engagement letter; significant account scoping
COSO 2013 Framework Mapping	Weeks 1 to 2 - mapping company control structure to 5 components and 17 principles; Principle 8 fraud and Principle 11 ITGC depth coverage
Pre-Year-End Interim Audit	Weeks 2 to 4 - RCM construction; walkthrough of each significant control; Test of Design conclusions per significant account
Mid-Period Test of Operating Effectiveness	Weeks 4 to 5 - sample testing across the first 8 to 9 months of audit period; reduces audit-evidence concentration risk
ITGC Audit (Concurrent)	Concurrent with ToOE - access, change, operations, backup and recovery testing; SDLC review; data centre security walkthrough
Year-End ToOE Rollforward	Weeks 5 to 7 - sample testing rollforward to year-end; remediation testing for re-implemented controls; period-end close calendar walkthrough
Deficiency Aggregation and Evaluation	Week 7 - Inconsequential / Significant Deficiency / Material Weakness classification per ICAI Guidance Note; aggregation analysis where multiple Significant Deficiencies relate to the same process
Management Response and Remediation Memo	Weeks 7 to 8 - management response on each deficiency; remediation roadmap with calendar; Audit Committee deficiency reporting under Section 177(4)(vii)
Annexure B Drafting and Partner Review	Week 8 - SA 220 quality review; KAM coordination if Material Weakness for listed / large entities under SA 701
UDIN Generation	Week 8 - UDIN generated covering complete signed package (main audit report + Annexure A CARO 2020 + Annexure B IFC + Section 143(3) reporting)
AOC-4 Filing on MCA21 V3	Within 30 days of AGM - MCA21 V3 with Annexure A (CARO) + Annexure B (IFC) attached; delay attracts Rs 100 per day MCA additional fees plus Section 147 penalty Rs 25,000 to Rs 5,00,000
Section 137 (AOC-4) / Section 92 (MGT-7) Filing Compliance Audit	Ongoing - critical for Pvt Ltd companies relying on MCA 13 June 2017 exemption; any year's filing default reopens IFC applicability for that year
Year-on-Year Remediation Tracking	Continuous - prior-year management letter deficiency tracking; current-year remediation status verification; Audit Committee remediation calendar review

Section 137 Filing Compliance - The Exemption Trap: Pvt Ltd companies relying on the MCA 13 June 2017 exemption must re-test their Section 137 (AOC-4) and Section 92 (MGT-7) ROC filing-compliance status before each year's audit. A single year's filing default reopens IFC reporting applicability for that year - the exemption is not "once exempt, always exempt." This is the most commonly overlooked compliance trap. First-Year IFC Audit Burden: Pvt Ltd companies crossing either the Rs 50 crore turnover threshold or the Rs 25 crore borrowing threshold for the first time face a heavier first-year IFC audit - RCM construction, ITGC documentation, fraud risk assessment, and COSO mapping must all be retro-fitted within the audit period. Material Weakness Consequences: A Material Weakness in IFC carries compounding consequences - investor due-diligence red flag, lender covenant trigger, KAM disclosure under SA 701 (for listed entities and large unlisted ones), NFRA monitoring trigger, and reputational risk in public-domain filings.

Key Benefits

Why Patron's IFC Audit Approach Differs

Year-Round Engagement, Not Year-End Exercise

Patron treats IFC audit as a year-round engagement rather than a year-end exercise. Pre-year-end interim audit covers RCM construction and Test of Design; mid-period ToOE covers the first 8-9 months; year-end rollforward closes the period. This compresses year-end audit risk and delivers earlier signals on the likely Annexure B opinion.

Bottom-Up Risk-Control-Matrix Build

RCM built bottom-up from significant accounts and assertions - not a templated checklist. Each company's RCM is unique to its transaction cycles and control environment. Controls classified as Key, Process, or ITGC with descriptor, owner, frequency and evidence type. Audit programme is structured around the RCM.

Mid-Period ToOE Rollforward (Not Year-End-Only)

Mid-period Test of Operating Effectiveness rather than year-end-only - reduces audit-evidence concentration risk, allows remediation within the audit period if deficiencies surface early, and delivers earlier signals on the likely Annexure B opinion. ICAI Guidance Note sample sizes - daily 25-60, weekly 12-25, monthly 5-15, quarterly 3, annual 1.

Deficiency Aggregation Logic per ICAI GN

Per ICAI Guidance Note three-tier classification - Inconsequential, Significant Deficiency, Material Weakness. Multiple Significant Deficiencies in the same process can aggregate to a Material Weakness; Patron's audit working file documents the aggregation analysis explicitly. This is critical for KAM disclosure decisions for listed entities.

ITGC Integrated with RCM (Not Bolt-On)

IT General Controls (access, change, operations, backup and recovery) integrated with RCM rather than treated as a bolt-on stream. COSO Principle 11 coverage. ITGC failure breaks reliance on all automated application controls - Patron's audit working file maps each automated control to its underlying ITGC dependencies.

Sister Page Integration with CARO 2020

Patron's IFC engagement is integrated with Annexure A CARO 2020 reporting - together they form the complete Section 143 reporting framework. CARO 2020 Clause 3(xiv) on internal audit consideration is directly informed by IFC audit work product. UDIN covers the complete signed package.

Trusted by Pvt Ltd Companies Crossing the Threshold, NBFCs, SaaS, Listed Entities

Trust Banner: 10,000+ Businesses Served | 4.9 Google Rating | 50,000+ Documents Filed | 15+ Years in Practice

"The statutory audit was clean and completed well before deadline. No last-minute rush."

- MD, Trading Firm, Mumbai

"First-year IFC retro-fit was structured - week-by-week deliverables, clear scope, no surprises on fee. Annexure B closed without Material Weakness."

- CFO, D2C Brand, Bangalore

Client Coverage: Trusted by a growing roster of Pvt Ltd companies crossing the IFC threshold across manufacturing, financial services, real estate, e-commerce and SaaS, NBFC Base Layer and Middle Layer for lending IT controls and IRACP Directions IFC, family-owned business groups for CFS IFC under Section 129(4) mutatis mutandis, India subsidiaries of foreign parents for SA 600 component auditor coordination, and listed entities for NFRA-monitored audits with Material Weakness Key Audit Matter disclosures under SA 701.

4-Office Trust Signal: With offices in Pune, Mumbai, Delhi and Gurugram, Patron services IFC-applicable Pvt Ltd companies, mid-size groups, and listed entities across India. Engagement options - in-person at any office, hybrid in-person plus remote portal-based deliverables, or full-remote secure file transfer with VC walkthroughs.

DIY / In-House vs Big-Four vs Patron-Led IFC Audit

Factor	DIY / In-House	Big-Four (BSR / Deloitte / SRBC / Walker)	Patron-Led
Statutory authority to sign Annexure B	Section 141 disqualification - cannot sign	Qualified - signed by audit partner	Qualified - signed by audit partner
COSO 2013 mapping (5 components, 17 principles)	Not signable - cannot self-audit	Heavy template-driven approach	Bottom-up from company facts
Risk-Control-Matrix build	N/A	Centralised technical team templates	Per significant account, partner-led
Mid-period ToOE rollforward	N/A	Standard procedure on listed audits; less common on mid-size	Standard procedure across all engagement tiers
Deficiency aggregation analysis	N/A	Heavy multi-layer review	ICAI Guidance Note aggregation logic explicitly documented in working file
ITGC access / change / operations	N/A	IT audit specialist team (separate billing)	ITGC integrated with RCM in single team
KAM disclosure coordination (SA 701)	N/A	Heavy partner / quality reviewer involvement	Partner-led KAM drafting and Audit Committee coordination
CFS IFC mutatis mutandis (Section 129(4))	N/A	SA 600 group audit infrastructure	SA 600 component auditor coordination with documented reliance
NFRA monitoring trigger management	N/A	Direct NFRA liaison capability	NFRA-monitored audit experience; quality control under SA 220
Cost (mid-size Pvt Ltd Rs 100 cr revenue)	Apparent zero - unsignable	Rs 18 to 35 lakh	Rs 4.5 to 9 lakh

Related Patron Services and Industry IFC Pages

Internal Financial Controls audit links to several adjacent Section 143 reporting and compliance workflows - all delivered by Patron's audit partner team for a single signed package and UDIN.

Parent service: Statutory Audit in India - the parent India page covering the complete Section 143 statutory audit framework.
Sister authority page: CARO 2020 Reporting - the parallel Section 143 reporting framework (CARO under Section 143(11); IFC under Section 143(3)(i)). Together CARO and IFC form the complete Section 143 reporting framework.
Industry IFC depth pages (process-level IFC application):
- Statutory Audit for Manufacturing Companies - inventory cycle IFC + cost records under Section 148 cross-reference.
- Statutory Audit for Financial Services - lending IT controls + IRACP Directions IFC for NBFCs.
- Statutory Audit for E-commerce Companies - revenue cycle ITGC + marketplace reconciliation.
Internal Audit (Section 138) - separate from IFC; complementary. Internal audit covers management's own controls; IFC audit is the statutory auditor's separate opinion.
Tax Audit (Section 44AB) - typically engaged alongside statutory audit and IFC.
Private Limited Compliance - ROC filings including ADT-1, AOC-4 (with Annexure A CARO and Annexure B IFC), MGT-7.
Appointment of Auditor - first auditor and AGM appointment.
Change of Auditor - Section 140 resignation with Section 140(2) statement.

Legal and Compliance Framework - Section 143 Reporting

Governing Statutes and Regulations: Companies Act 2013; Companies (Accounts) Rules 2014; Companies (Audit and Auditors) Rules 2014; MCA Notification G.S.R. 583(E) dated 13 June 2017; ICAI Guidance Note on Audit of IFC over Financial Reporting (14 September 2015) and Implementation Guide (Revised 2018); COSO Internal Control - Integrated Framework (2013); ICAI Standards on Auditing (SAs).

Section 143(3)(i) Companies Act 2013: Auditor's report shall state whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls.
Section 134(5)(e) Companies Act 2013: Director Responsibility Statement - directors had laid down internal financial controls and such controls are adequate and operating effectively. Wider IFC definition than Section 143(3)(i).
Section 134(3)(q) Companies Act 2013: Board Report content - details of adequacy of IFC with reference to financial statements.
Rule 8(5)(viii) Companies (Accounts) Rules 2014: Board Report of every company must state details of adequacy of IFC with reference to financial statements - mandatory irrespective of IFC audit exemption.
Section 177(4)(vii) Companies Act 2013: Audit Committee terms of reference - evaluation of internal financial controls and risk management systems.
Section 149(8) and Schedule IV(ii)(4) Companies Act 2013: Independent Directors shall satisfy themselves on integrity of financial information and that financial controls and systems of risk management are robust and defensible.
Section 138 and Rule 13 Companies (Accounts) Rules 2014: Internal audit requirement - separate from IFC audit but provides input to it; CARO 2020 Clause 3(xiv) cross-reference.
Section 129(4) Companies Act 2013: Provisions applicable to financial statements of holding company apply mutatis mutandis to CFS - IFC reporting applies to CFS for Companies Act components only.
MCA Notification G.S.R. 583(E) dated 13 June 2017: Pvt Ltd exemption from Section 143(3)(i) - OPC, Small Company, or Pvt Ltd with turnover up to Rs 50 crore OR aggregate borrowings up to Rs 25 crore conditional on no Section 137 (AOC-4) or Section 92 (MGT-7) default.
Section 137 Companies Act 2013: Filing of financial statements with ROC in Form AOC-4 within 30 days of AGM. Default voids the MCA 13 June 2017 IFC exemption.
Section 92 Companies Act 2013: Filing of annual return with ROC in Form MGT-7 within 60 days of AGM. Default voids the MCA 13 June 2017 IFC exemption.
Section 143(11) Companies Act 2013: CARO 2020 reporting - Annexure A to main audit report; sister provision to Section 143(3)(i).
Section 143(12) Companies Act 2013: Fraud reporting by auditor - ADT-4 filing threshold for fraud above Rs 1 crore.
Section 147 Companies Act 2013: Penalty for contraventions including Section 137 / 143 default - Rs 25,000 to Rs 5,00,000.
ICAI Guidance Note on Audit of IFC over Financial Reporting (14 September 2015): The primary practitioner manual for Section 143(3)(i) audit work.
ICAI Implementation Guide on Audit of IFC (Revised 2018): Illustrative wordings, sample sizes, deficiency evaluation framework.
COSO Internal Control - Integrated Framework (2013): Released 14 May 2013 by the Committee of Sponsoring Organizations - 5 components, 17 principles; foundation framework for IFC reporting.
SA 200 (Overall Objectives): Independent auditor's overall responsibilities including planning and performance.
SA 220 (Quality Control for Audit): Engagement quality review including IFC working file review.
SA 240 (Fraud): Auditor's responsibility for fraud risk including COSO Principle 8 cross-reference.
SA 315 (Risk Assessment - including Internal Control component): Foundational for IFC scoping.
SA 330 (Auditor Response to Assessed Risks): Procedures responsive to identified risks.
SA 600 (Using Work of Component Auditors): For CFS IFC under Section 129(4).
SA 700 / 701 / 705 (Audit Report and KAM): Main audit report structure; Key Audit Matter disclosure including Material Weakness in IFC.
CARO 2020 Clause 3(xiv): Auditor to report whether company has internal audit system commensurate with size and nature of business and whether reports of internal auditors were considered by statutory auditor - direct cross-link to IFC audit work.

All fees and charges listed are indicative only and do not constitute a binding offer. Final amounts may vary depending on company size, turnover and borrowings tier, control maturity, ITGC environment complexity, number of significant accounts, group structure under Section 129(4), KAM disclosure requirements for listed entities, NFRA monitoring exposure, and statutory pass-through fees. Companies Act 2013 amendments may affect specific section mapping.

Frequently Asked Questions - IFC Audit

Answers to the most common questions on Internal Financial Controls audit under Section 143(3)(i) of the Companies Act 2013 - statutory authority, COSO 2013 framework, Pvt Ltd exemption mechanics, Risk-Control-Matrix, Test of Design and Operating Effectiveness, CFS IFC mutatis mutandis, and Annexure B reporting.

What is internal financial controls audit?

Internal Financial Controls (IFC) audit under Section 143(3)(i) of the Companies Act, 2013 is the statutory auditor's reasoned opinion on whether the company has adequate internal financial controls with reference to financial statements in place and whether such controls are operating effectively. The audit follows the COSO Internal Control - Integrated Framework (2013) with five components and seventeen principles, supported by ICAI's Guidance Note on Audit of IFC over Financial Reporting (14 September 2015) and Implementation Guide (Revised 2018). The IFC audit report is Annexure B to the main audit report and is filed with Form AOC-4.

What is Section 143(3)(i) of the Companies Act?

Section 143(3)(i) of the Companies Act, 2013 is the statutory provision requiring the auditor to state in the audit report whether the company has adequate internal financial controls with reference to financial statements (IFC-FR) in place and the operating effectiveness of such controls. Effective for audits of financial years commencing on or after 1 April 2015 (deferred to FY ending 31 March 2016). The scope is narrower than Section 134(5)(e) which covers a wider IFC definition including business controls; Section 143(3)(i) is restricted to controls with financial reporting impact only.

Is IFC applicable to private limited companies?

Yes, with a conditional exemption. MCA Notification G.S.R. 583(E) dated 13 June 2017 exempts Pvt Ltd companies from Section 143(3)(i) reporting if they meet one of the following - (a) OPC under Section 2(62), (b) Small Company under Section 2(85), (c) turnover does not exceed Rs 50 crore as per the latest audited financial statement, or (d) aggregate borrowings from banks, financial institutions, or any body corporate do not exceed Rs 25 crore at any point during the financial year. Critically, the exemption stands voided if the company has defaulted in filing its financial statements under Section 137 (AOC-4) or annual return under Section 92 (MGT-7) with the Registrar of Companies.

What is the COSO framework?

The COSO Internal Control - Integrated Framework (2013) is the globally adopted framework for designing and evaluating internal control systems, published by the Committee of Sponsoring Organizations of the Treadway Commission on 14 May 2013 (replacing the 1992 framework). It contains five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities - and seventeen explicit principles. For an internal control system to be effective under COSO 2013, each principle must be "present and functioning" and the five components must operate in an integrated manner. COSO is the foundation framework adopted in India for IFC reporting under Section 143(3)(i).

What is the difference between Section 143(3)(i) and Section 134(5)(e)?

Section 143(3)(i) is the auditor's reporting requirement - restricted to IFC with reference to financial statements (IFC-FR), i.e. controls that have a financial reporting impact. Section 134(5)(e) is the Director Responsibility Statement requirement - covering a wider IFC definition including both business and financial controls (orderly and efficient conduct of business, safeguarding of assets, prevention and detection of frauds and errors, accuracy and completeness of accounting records, timely preparation of reliable financial information). The director's responsibility under Section 134(5)(e) applies even where the auditor's Section 143(3)(i) reporting is exempt; Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 makes the Board Report disclosure mandatory for all companies.

What is a Risk-Control-Matrix?

A Risk-Control-Matrix (RCM) is the auditor's structured working file that maps each significant account balance and disclosure to (a) the related financial-statement assertions (existence, completeness, accuracy, valuation, rights and obligations, presentation), (b) the financial-reporting risks per assertion, and (c) the management-implemented controls that address each risk. The RCM is the single source of truth for both Test of Design (verifying control design adequacy) and Test of Operating Effectiveness (verifying control performance across the audit period). The audit program is structured around the RCM, with sample sizes calibrated to control frequency.

What is Test of Design and Test of Operating Effectiveness?

Test of Design (ToD) is the audit procedure to evaluate whether a control is suitably designed to prevent or detect material misstatements - typically performed through inquiry, observation, walkthrough of one or more transactions, and inspection of supporting evidence. Test of Operating Effectiveness (ToOE) is the audit procedure to evaluate whether the control operated as designed during the audit period - sample testing of multiple transactions across the period with sample size driven by control frequency (daily controls 25-60 samples; weekly 12-25; monthly 5-15; quarterly 3; annual 1 per ICAI Guidance Note). A control must pass both ToD and ToOE to be relied upon for the IFC opinion.

Does IFC reporting apply to consolidated financial statements?

Yes - Section 129(4) of the Companies Act, 2013 provides that provisions applicable to financial statements of a holding company apply mutatis mutandis to consolidated financial statements. IFC reporting under Section 143(3)(i) therefore applies to CFS as well. However, it applies only for components that are companies under the Companies Act, 2013. Where a component is an LLP, a foreign entity not subject to the Companies Act, or another vehicle, the parent auditor's CFS IFC opinion is limited to (a) the parent-level entity controls, (b) the consolidation controls, and (c) the IFC of Companies Act component subsidiaries (relying on component auditors per SA 600 where applicable). Non-Act components are outside the CFS IFC scope.

Quick Answers

IFC audit kya hota hai? Section 143(3)(i) Companies Act ke under statutory auditor ka opinion - company ka Internal Financial Controls financial statements ke saath adequately designed hai aur operating effectively hai ya nahi. COSO 2013 framework ka use hota hai with 5 components aur 17 principles.
Pvt Ltd ko IFC reporting karni padti hai? Generally haan, lekin MCA Notification 13 June 2017 ke under exemption hai - OPC, Small Company, ya turnover Rs 50 cr tak / borrowings Rs 25 cr tak vali Pvt Ltd. Exemption ke liye Section 137 aur 92 ROC filings mein default nahi hona chahiye.
Section 134(5)(e) aur 143(3)(i) mein kya farak hai? 134(5)(e) Director ki responsibility hai - wider definition with business + financial controls. 143(3)(i) Auditor ki reporting hai - narrower scope (only IFC-FR). Director ka statement har company ko dena padta hai per Rule 8(5)(viii).
COSO framework mein kitne principles hain? 17 principles across 5 components - Control Environment (5), Risk Assessment (4), Control Activities (3), Information and Communication (3), Monitoring Activities (2). 2013 mein 1992 framework replace hua.
Test of Design aur Test of Operating Effectiveness mein kya farak hai? Test of Design - control properly designed hai ya nahi (inquiry, walkthrough). Test of Operating Effectiveness - control year-bhar properly operate hua ya nahi (sample testing). Dono pass karne padte hain reliance ke liye.
IFC report kahan jaata hai? Annexure B as part of main audit report. CARO 2020 Annexure A hota hai. Dono AOC-4 ke saath MCA21 V3 pe file hote hain, AGM ke 30 din ke andar.
ITAT Mumbai / Delhi / Pune? IFC audit ka ITAT se direct connection nahi - IFC ek audit reporting hai, dispute resolution forum nahi. Material Weakness ka effect tax / SEBI / NFRA proceedings mein zaroor padta hai. Call +91 945 945 6700.

Three Time-Critical Reasons to Engage Early on IFC Audit

IFC audit reporting under Section 143(3)(i) is mandatory for every statutory audit of every applicable company. Three time-critical reasons make early engagement essential.

First, AOC-4 Filing Window 30 Days of AGM: The Annexure B IFC report is filed with AOC-4 within 30 days of the AGM - delay attracts Rs 100 per day MCA additional fees plus Section 147 penalty of Rs 25,000 to Rs 5,00,000.

Second, Material Weakness Compounding Consequences: A Material Weakness in IFC carries compounding consequences - investor due-diligence red flag, lender covenant trigger, KAM disclosure under SA 701 (for listed entities and large unlisted ones), NFRA monitoring trigger, and reputational risk in public-domain filings. Mid-period ToOE rather than year-end testing allows remediation within the audit period if deficiencies surface early.

Third, MCA 13 June 2017 Exemption is Conditional on Filing Compliance: The exemption is conditional on Section 137 (AOC-4) and Section 92 (MGT-7) ROC filing compliance - any Pvt Ltd company that was relying on the exemption should re-test its filing-compliance status before each year's audit; a single year's filing default reopens IFC reporting applicability for that year. Pvt Ltd companies crossing either the Rs 50 crore turnover threshold or the Rs 25 crore borrowing threshold for the first time face a heavier first-year IFC audit - RCM construction, ITGC documentation, fraud risk assessment, and COSO mapping must all be retro-fitted within the audit period.

Action Now: Engage Patron for an IFC-compliant statutory audit under Section 143(3)(i) - call +91 945 945 6700, WhatsApp, or visit any Patron office (Pune, Mumbai, Delhi, Gurugram). Free 30-minute applicability consultation - in-person, by phone or video. Patron's bundled statutory audit + CARO 2020 + IFC fee starts at Rs 1.75 lakh for Pvt Ltd just crossing the threshold.

Engage Patron for IFC-Compliant Statutory Audit

Internal Financial Controls audit under Section 143(3)(i) of the Companies Act, 2013 is the most demanding disclosure framework in Indian audit practice - the COSO 2013 framework with five components and seventeen principles, supported by ICAI's Guidance Note (14 September 2015) and Implementation Guide (Revised 2018), demands not just attestation of year-end financial balances but year-long evaluation of control design and operating effectiveness. The framework is functionally similar to US Section 404 SOX reporting and triggered Indian audit firms to adopt the COSO 2013 framework that anchors most SOX 404 programs globally.

Applicability is broad - every company except OPC, Small Companies, and qualifying Pvt Ltd companies (turnover up to Rs 50 crore OR borrowings up to Rs 25 crore) - and the conditional MCA 13 June 2017 exemption stands voided by any Section 137 or Section 92 ROC filing default. Patron handles IFC as a year-round engagement with bottom-up Risk-Control-Matrix build, mid-period Test of Operating Effectiveness rollforward rather than year-end concentration, deficiency aggregation per the ICAI Guidance Note logic, and integrated ITGC capability covering ERP access, change management, and computer operations.

Patron Accounting LLP - a peer-reviewed CA and CS practice with offices in Pune, Mumbai, Delhi and Gurugram - brings 15+ years of practice depth from first-year-of-applicability Pvt Ltd companies crossing the threshold to listed-entity NFRA-monitored audits with Material Weakness KAM disclosures. Together with our sister authority page on CARO 2020 reporting, IFC audit forms the complete Section 143 reporting framework on the site. Pricing Rs 1.75 lakh starting for threshold-crossing Pvt Ltd up to Rs 25 lakh+ for listed entities with KAM disclosure; IFC readiness standalone advisory Rs 1 lakh to Rs 4 lakh. Single UDIN, single signed package covering main audit report + Annexure A CARO + Annexure B IFC.

📞 Call +91 945 945 6700 💬 WhatsApp Us ✉️ Email Us

Book a Free Consultation - No Obligation.

Section 143 Reporting Framework - Related Pages

Parent statutory audit hub, sister CARO 2020 authority page (Annexure A), industry IFC depth pages for manufacturing, financial services and e-commerce, internal audit (Section 138), tax audit (Section 44AB), and Pvt Ltd compliance services.

Section 143 Reporting Framework - Related Pages

Parent statutory audit hub, sister CARO 2020 authority page, industry IFC depth pages and related compliance services

Financial Services Audit

NBFC ITGC depth

Manufacturing Audit

Inventory + cost records

Patron Offices

4-office network with pan-India IFC audit engagement

Content Created: 13 May 2026 | Last Updated: 13 May 2026 | Next Review: 13 August 2026 | Reviewed By: CA & CS Team, Patron Accounting LLP

This authority page is reviewed quarterly (Tier 1 - 3 months) and immediately on MCA notification updates affecting Section 143(3)(i) applicability or exemption thresholds, ICAI Guidance Note or Implementation Guide revisions, COSO framework updates, Standards on Auditing amendments (SA 200 / 220 / 240 / 315 / 330 / 600 / 700 / 701 / 705), CARO 2020 amendments, and NFRA monitoring circulars.