IFC Testing Checklist & Templates
Generate Your IFC Testing Plan
Select your entity profile and the processes in scope. The tool checks applicability under Section 143(3)(i) and generates a testing checklist with key controls, recommended test methods and sample sizes for each selected process.
How This Tool Works
The tool runs your entity profile through the IFC reporting applicability test under Section 143(3)(i) of the Companies Act, 2013 read with MCA notification G.S.R. 583(E) dated 13 June 2017, then generates the process-wise testing checklist based on the ICAI Guidance Note on Audit of Internal Financial Controls Over Financial Reporting.
Step 1 — Applicability Cascade
For listed and public unlisted companies, IFC auditor reporting under Section 143(3)(i) is mandatory with no size-based exemption. For private companies, the tool checks the four exemption gateways: OPC, Small Company, turnover below ₹50 crore, or aggregate borrowings below ₹25 crore — meeting any one of these qualifies for exemption, provided no default exists in Section 137 or Section 92 filings.
Step 2 — Process Selection
Pick the processes in scope for your audit. The tool offers 12 standard processes covering most Indian companies: Procure-to-Pay, Order-to-Cash, Record-to-Report, Inventory, Fixed Assets, Payroll, Treasury, Direct Tax, GST, Statutory Compliance, Revenue Recognition under Ind AS 115, and IT General Controls (ITGC). A "Core 6" preset covers the most common processes.
Step 3 — Testing Checklist Generation
For each selected process, the tool generates a structured checklist containing significant financial statement accounts impacted, key risks of material misstatement, 5 to 7 key controls with control objectives, recommended test method per control (walkthrough, inquiry, observation, inspection or reperformance), and ICAI-aligned sample size based on control frequency.
Step 4 — Documentation
The output gives you a working paper-ready outline. Combine it with your entity-level controls assessment, fraud risk assessment, materiality determination and audit response strategy under SA 315 (Identifying and Assessing the Risks of Material Misstatement) and SA 330 (The Auditor's Responses to Assessed Risks) to complete the IFC audit file.
Applicability Decoded — Sec 134(5)(e) vs Sec 143(3)(i)
The Companies Act, 2013 deals with Internal Financial Controls in two distinct provisions that are often confused. Understanding the difference is essential to scoping the audit correctly.
Section 134(5)(e) — Director's Responsibility
Section 134(5)(e) requires the directors of every listed company to state in the Director's Responsibility Statement that they have laid down internal financial controls and that such controls are adequate and operating effectively. Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 extends a similar disclosure to the Board's Report of all companies — meaning every company's Board's Report must comment on adequacy of IFC with reference to financial statements.
Section 143(3)(i) — Auditor's Reporting
Section 143(3)(i) is narrower in scope. It requires the statutory auditor to report on adequacy and operating effectiveness of Internal Financial Controls Over Financial Reporting (ICFR), not the entire IFC framework. Originally applicable to all companies, MCA exempted certain private companies via notification G.S.R. 583(E) dated 13 June 2017.
Auditor IFC Reporting — Applicability Matrix
| Entity Type | Applicability | Basis |
|---|---|---|
| Listed Company | Mandatory | Sec 143(3)(i) — no exemption |
| Public Unlisted Company | Mandatory | Sec 143(3)(i) — no size carve-out |
| OPC | Exempt | G.S.R. 583(E) dated 13.06.2017 |
| Small Company | Exempt | G.S.R. 583(E) dated 13.06.2017 |
| Pvt Ltd — turnover < ₹50 cr | Exempt | G.S.R. 583(E) — turnover threshold |
| Pvt Ltd — borrowings < ₹25 cr | Exempt | G.S.R. 583(E) — borrowings threshold |
| Pvt Ltd — defaulted in Sec 137 / 92 | Mandatory | Exemption forfeited on default |
Common misinterpretation: The exemption test for private companies uses OR between turnover and borrowings — meeting either threshold is sufficient. Some practitioners read it as AND, which is more restrictive. The literal text of G.S.R. 583(E) supports the OR reading, but the Board's Report disclosure under Rule 8(5)(viii) still applies regardless.
The Institute of Chartered Accountants of India has published a Guidance Note on Audit of Internal Financial Controls Over Financial Reporting with detailed methodology, illustrative tests of controls, and documentation templates. The Guidance Note draws heavily on the COSO 2013 Internal Control Integrated Framework and is the primary standard for IFC audits in India. For listed companies, additional governance requirements flow from the SEBI Listing Obligations and Disclosure Requirements (LODR) Regulations 2015.
Refer to the official notification at MCA portal and the underlying Companies Act provisions on India Code.
Sample Size Guidance — ICAI Framework
The ICAI Guidance Note on Audit of Internal Financial Controls Over Financial Reporting prescribes sample sizes for testing operating effectiveness based on control frequency. These are minimum guidelines — increase sample size for higher-risk controls, controls reliant on judgment, or first-year testing.
| Control Frequency | Population per Year | Recommended Sample Size |
|---|---|---|
| Multiple times per day / Daily | 250+ | 25 to 40 |
| Weekly | 52 | 8 to 15 |
| Monthly | 12 | 2 to 5 |
| Quarterly | 4 | 2 |
| Semi-Annually | 2 | 1 to 2 |
| Annually / Ad-hoc | 1 | 1 (whole population) |
Factors That Increase Sample Size
- First year of testing the control or after a significant process change
- Control involves significant management judgment or estimation
- Higher inherent risk of fraud or error in the underlying transaction
- Past audit findings of control failure or deficiency
- Automated controls in IT environments with weak ITGCs
- Period of operation less than full year (e.g., new entity, acquisition mid-year)
Sample sizes apply to operating effectiveness testing only. Design effectiveness is typically assessed through one walkthrough per process per audit period, supplemented by inquiry of personnel responsible for each control activity.
Need Help Setting Up Your IFC Framework?
Patron Accounting LLP designs IFC frameworks aligned to the ICAI Guidance Note and COSO 2013 — risk and control matrices, walkthrough documentation, testing programs and remediation roadmaps for Pune, Mumbai, Delhi, Gurugram and pan-India clients.
Talk to a CA on WhatsAppThe Five Test Methods
The ICAI Guidance Note recognises five test methods for IFC audit. Selection depends on control type, risk, and the nature of evidence required.
| Method | Description | Best For |
|---|---|---|
| Inquiry | Asking personnel about control performance | Understanding the process; corroborative evidence only — never sufficient alone |
| Observation | Watching a control activity being performed | Cycle counts, segregation of duties verification, physical security checks |
| Inspection | Examining documents, reports or system evidence | Approval signatures, reconciliations, exception reports — most common method |
| Reperformance | Auditor independently performs the control | Three-way matches, recalculations, system access reviews — strongest evidence |
| Walkthrough | Trace one transaction end-to-end through all controls | Design effectiveness — combines inquiry, observation and inspection |
For high-risk controls and key automated controls, inspection or reperformance is the primary method. Inquiry is used as a secondary or corroborative procedure. Observation is appropriate only for controls that occur during the testing window. Refer to ICAI's Standards on Auditing — particularly SA 315 and SA 330 — for the framework on linking risks to test responses.
Audit quality note: The NFRA inspection reports for listed company audits routinely flag over-reliance on inquiry without corroborating inspection or reperformance as a serious deficiency. Always pair inquiry with at least one evidence-based procedure.