IFC Framework Readiness Tool — Section 143(3)(i) ICFR Applicability & Control Readiness
This free tool answers two questions for any company: does auditor reporting on internal financial controls under Section 143(3)(i) apply to you, and how ready is your ICFR framework? Step 1 runs the MCA 13 June 2017 exemption test — entity type, the turnover-and-borrowings conditions, and the Section 137/92 default check. Step 2 lets you tick off readiness across 14 core ICFR framework components and gives a preparedness score. Built and reviewed by Chartered Accountants at Patron Accounting LLP, it runs entirely in your browser so your company data never leaves your device.
IFC / ICFR Applicability & Readiness Check
Tick each ICFR component your company has designed, documented and tested. Then score readiness.
How to Use the IFC Framework Readiness Tool
This tool is built for directors, finance teams and auditors of Indian companies who need a quick read on whether the statutory auditor must report on internal financial controls, and how prepared the company's ICFR framework is before the audit begins.
- Select your entity type. Listed and public companies always attract auditor IFC reporting; OPCs and small companies are exempt; private companies depend on the threshold test.
- Set the Section 137/92 default status. A filing default removes the private company exemption even when the size thresholds are met.
- Enter turnover and maximum borrowings. For a private company that is not an OPC or small company, the tool applies the MCA "turnover below ₹50 crore AND borrowings below ₹25 crore" test.
- Score framework readiness. Tick the ICFR components your company has designed, documented and tested, then generate a readiness percentage and band.
CA Tip: Even if the auditor reporting exemption applies, the board's duty under Section 134(5)(e) to maintain adequate controls is absolute. Use Step 2 every year regardless of the Step 1 verdict — a documented framework protects directors and improves funding and audit outcomes.
IFC / ICFR Applicability Rules
Two distinct obligations operate in parallel. Under Section 134(5)(e) of the Companies Act 2013, the board of every company must lay down internal financial controls and confirm they were adequate and operating effectively — there is no exemption. Under Section 143(3)(i), the statutory auditor must additionally report on the adequacy and operating effectiveness of internal financial controls over financial reporting, unless an MCA exemption applies.
The auditor reporting exemption comes from the MCA notification dated 13 June 2017 (G.S.R. 583(E)), as clarified by Notification 2218(E) dated 13 July 2017.
| Category | Auditor IFC Reporting (Sec 143(3)(i)) |
|---|---|
| Listed company | Applicable — no exemption |
| Public company | Applicable — no exemption |
| One Person Company (OPC) | Exempt |
| Small company (Sec 2(85)) | Exempt |
| Private company within thresholds, no default | Exempt |
| Private company breaching a threshold or in default | Applicable |
The Private Company Exemption Test
A private company (not an OPC or small company) is exempt from auditor IFC reporting only if it satisfies both thresholds and has no filing default:
Condition B: Aggregate borrowings < ₹25 crore (any point in FY)
Condition C: No default in filing under Sec 137 or Sec 92
Exempt only if A AND B AND C — breach any one ⇒ Sec 143(3)(i) reporting applies
The "AND" between turnover and borrowings was clarified by MCA Notification 2218(E); the conditions are cumulative, not alternative. Source references: the notifications are issued by the Ministry of Corporate Affairs under the Companies Act 2013, available via India Code, and the ICAI has published a Guidance Note on auditing internal financial controls.
IFC vs ICFR — Why the Distinction Matters
The terms are often used interchangeably but are not identical, and the difference drives what the auditor actually reports on.
| Aspect | IFC (Sec 134(5)(e)) | ICFR (Sec 143(3)(i)) |
|---|---|---|
| Scope | All controls: operations, compliance, reporting | Only controls over financial reporting |
| Owner | Board of directors | Management designs; auditor reports |
| Obligation | Absolute — every company | Subject to MCA exemption |
| Output | Directors' Responsibility Statement | Auditor's opinion in audit report |
The ICAI Guidance Note clarifies that "internal financial controls" in Section 143(3)(i) means internal financial controls over financial reporting — a narrower, reporting-focused subset of the wider Section 134 concept. This is why a company can be exempt from auditor ICFR reporting yet still carry an absolute board-level IFC duty.
Note: The exemption is from auditor reporting only. It does not dilute director responsibility, and it does not stop investors, lenders or acquirers from expecting a documented control framework during due diligence.
Core ICFR Framework Components
A defensible ICFR framework is built process by process. Auditors following SA 315 (risk identification) and SA 330 (responses to assessed risks) expect each significant financial process to be documented, risk-mapped and tested. The readiness checklist in this tool covers the 14 components below.
| # | Framework Component |
|---|---|
| 1 | Entity-level controls & control environment |
| 2 | Risk assessment & fraud risk register |
| 3 | Process narratives / flowcharts (P2P, O2C, etc.) |
| 4 | Risk Control Matrix (RCM) per process |
| 5 | Revenue & receivables controls |
| 6 | Procurement & payables controls |
| 7 | Payroll & HR controls |
| 8 | Fixed assets & inventory controls |
| 9 | Treasury, borrowings & cash controls |
| 10 | Financial close & reporting controls |
| 11 | IT general controls (access, change, backup) |
| 12 | Segregation of duties & authorisation matrix |
| 13 | Control operating-effectiveness testing & sampling |
| 14 | Deficiency log & remediation tracking |
CA Tip: The single most common audit gap is a Risk Control Matrix copied from a template that does not reflect the company's actual processes. Auditors test controls as operated, not as written — an RCM must be walked through and validated against real transactions.
The ICFR Audit Process and Director Duty
An ICFR audit is an objective examination of whether controls over financial reporting are properly designed and operated effectively throughout the reporting period. Through walkthroughs and sample testing, the auditor forms an opinion and flags deficiencies that could cause a material misstatement. Audit quality in this area is overseen by the NFRA, and auditors apply the Standards on Auditing issued by the ICAI.
Typical Audit Steps
- Business and risk understanding, then process walkthroughs from transaction initiation to accounting.
- Standard operating procedures and process flow diagrams documented.
- Risk Control Matrix built per process, mapping risks to controls.
- Control design assessment, then operating-effectiveness testing on sampled documents.
- Deficiency evaluation and reporting; an unqualified ICFR opinion strengthens stakeholder confidence.
Director Responsibility Is Absolute
Section 134(5)(e) requires the Directors' Responsibility Statement to confirm that adequate internal financial controls were laid down and operated effectively. Rule 8(5)(viii) of the Companies (Accounts) Rules 2014 requires the Board's Report of all companies to comment on the adequacy of internal financial controls with reference to the financial statements. This duty does not disappear when the auditor reporting exemption applies. For implementation support, see our internal audit and statutory audit services.
CA Tip: Build the ICFR file alongside the financial statements — entity-level controls, process RCMs, test evidence and a deficiency tracker. Companies that do this shorten the audit, reduce qualification risk and are materially more credible in fundraising due diligence. Patron's team conducts statutory audits for private limited companies with full ICFR documentation.
Note: This tool gives an indicative assessment for planning only. The binding determination of Section 143(3)(i) applicability and the ICFR audit opinion rest with the statutory auditor, based on the company's actual facts, group structure, filing history and the rules for the specific financial year. Confirm with a Chartered Accountant.
Need an ICFR Design & Operating Effectiveness Review?
Patron Accounting LLP builds Risk Control Matrices and tests ICFR for statutory audit readiness — for Pune, Mumbai, Delhi, Gurugram and pan-India clients.