Risk Advisory · Internal Controls & Process Improvement
Internal Control Reviews & IFC Evaluation
Internal Financial Controls are no longer a checkbox for the audit file — they are a statutory representation your Board and your auditor must make every single year, and a regulator, a lender, or an investor's diligence team can test at any time.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Internal Financial Controls are no longer a checkbox for the audit file — they are a statutory representation your Board and your auditor must make every single year, and a regulator, a lender, or an investor's diligence team can test at any time. At PNPC Global, we have evaluated and documented internal controls for companies across manufacturing, services, trading, and financial businesses since 1986. We do not hand you a generic control matrix downloaded from a template library. We walk your actual processes — procurement, revenue, payroll, closing — and build a control framework that holds up under audit scrutiny, under CARO 2020 reporting, and under your own Board's questions.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
An Internal Control Review is a structured evaluation of the policies, procedures, and control activities that a company has put in place to ensure the reliability of financial reporting, the safeguarding of assets, the prevention and detection of fraud and error, and adherence to laws and management policies. In India, the concept carries specific statutory weight through Internal Financial Controls (IFC) — defined under Section 134(5)(e) of the Companies Act 2013 (for the Board's responsibility statement) and referenced in Section 143(3)(i), which requires the statutory auditor of every company (other than certain exempted small companies, OPCs, and private companies meeting specified thresholds) to report on whether the company has an adequate internal financial controls system in place and whether such controls were operating effectively.
IFC evaluation is broader than a general 'internal controls' review in common usage — the Institute of Chartered Accountants of India's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting frames it around the globally recognised COSO framework (Committee of Sponsoring Organizations of the Treadway Commission), covering five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. A proper IFC evaluation documents entity-level controls (tone at the top, delegation of authority, IT general controls) as well as process-level controls (procure-to-pay, order-to-cash, record-to-report, payroll, treasury, fixed assets) with defined control objectives, control owners, frequency, and testing evidence.
Beyond the statutory audit requirement, internal control reviews serve a distinct commercial purpose. Lenders increasingly require evidence of control maturity as part of credit appraisal for larger facilities. Private equity and strategic acquirers run control and process diligence before a transaction, and control gaps discovered late in diligence routinely become valuation adjustments or indemnity clauses. The CARO 2020 (Companies Auditor's Report Order) also requires auditors to comment on whether the company has an adequate internal audit system commensurate with its size and nature of business for certain classes of companies — a related but distinct obligation from IFC reporting under Section 143(3)(i).
At PNPC, an internal control review is not a compliance exercise performed once and filed away. It is process work: we map how transactions actually flow through your organisation — not how the process manual says they should flow — identify the points where a control is genuinely needed (segregation of duties, authorisation limits, reconciliation, system-enforced validation), test whether that control operated consistently during the period under review, and document deficiencies with a severity rating and a remediation plan that management and the Audit Committee can act on. Where control gaps are found, we do not simply flag them for the statutory auditor — we help design and implement the fix.
When an internal control review is essential
Your company falls within the scope of Section 143(3)(i) — the statutory auditor is required to report on IFC over financial reporting and you need this evaluated and documented before the audit, not discovered during it
You are a listed company, a large private company, or a company approaching an IPO, where control maturity is scrutinised by SEBI, the Audit Committee, and prospective investors
A recent instance of fraud, error, or a near-miss has exposed that a control assumed to exist either does not exist or is not operating as designed
You are preparing for a private equity round, strategic sale, or debt facility where the counterparty's diligence team will test your control environment as part of financial and operational due diligence
Your business has scaled rapidly — new locations, new business lines, or higher transaction volume — and the controls designed for an earlier, smaller stage of the business no longer match current risk
The Board or Audit Committee has asked for independent assurance on the control environment separate from the statutory audit, or CARO 2020 reporting has raised a qualification on internal audit adequacy
When a lighter-touch approach may be more appropriate
A very early-stage startup with minimal transaction volume and no institutional investors — basic financial hygiene and a simple approval workflow may be sufficient until scale or funding triggers a fuller review
A small private company that is statutorily exempt from Section 143(3)(i) IFC reporting (based on the size and other thresholds prescribed under the Companies Act) and has no lender or investor requirement for one
You need routine bookkeeping accuracy checks rather than a control-design evaluation — a monthly accounting review or reconciliation service may address the immediate need more directly
The organisation already has a mature, in-house internal audit function performing continuous control testing — in this case, PNPC's role may be better positioned as an independent quality review of that function rather than a full ground-up control review
The immediate priority is a statutory or tax audit finding, not a control-design question — in that case, the audit engagement itself, not a separate IFC review, is the right starting point
Internal Control Review (IFC Evaluation) vs related assurance and advisory engagements
| Feature | Internal Control Review / IFC Evaluation | Statutory Audit | Internal Audit (Outsourced/Co-sourced) | Forensic Review | Process Re-engineering |
|---|---|---|---|---|---|
| Primary objective | Evaluate design and operating effectiveness of controls over financial reporting | Express opinion on true and fair view of financial statements | Ongoing assurance over operations, compliance, and risk on a cyclical basis | Investigate a specific suspected fraud, irregularity, or loss event | Redesign a process for efficiency, with controls as one input |
| Governing reference | Section 143(3)(i) Companies Act 2013 + ICAI Guidance Note on IFC (COSO-based) | Section 139–148 Companies Act 2013, Standards on Auditing | Section 138 Companies Act 2013 (where applicable) + Standards on Internal Audit | No single statute — engagement-specific, may feed into legal or regulatory proceedings | No statutory basis — a management improvement exercise |
| Mandatory or voluntary | Mandatory for companies within Section 143(3)(i) scope; voluntary otherwise | Mandatory for all companies under the Companies Act | Mandatory for specified classes of companies under Section 138 and Rules; voluntary otherwise | Voluntary — triggered by a specific trigger event | Voluntary — a business improvement decision |
| Frequency | Typically annual, aligned to statutory audit cycle; can be continuous for larger entities | Annual, mandatory | Continuous — quarterly or risk-based cyclical coverage | One-time, event-driven | One-time project, periodically revisited |
| Output | Control matrix (RCM), deficiency log with severity rating, remediation roadmap, management letter | Audit opinion + financial statements + CARO report where applicable | Internal audit reports per cycle, presented to Audit Committee | Investigation report, evidence trail, quantification of loss, recommendations | Revised SOPs, process maps, efficiency and control recommendations |
| Who relies on it | Statutory auditor (for their own IFC opinion), Board, Audit Committee, investors/lenders in diligence | Shareholders, regulators, lenders, public (for listed companies) | Audit Committee, Board, management | Board, legal counsel, sometimes law enforcement or insurers | Operations and finance leadership |
| Typical PNPC engagement basis | Fixed-fee project, scoped by process and entity coverage | Statutory engagement, fee per Companies Act / ICAI norms | Annual retainer or per-cycle fee | Time-and-scope fee, engagement letter defines boundaries | Fixed-fee project |
These engagements are complementary, not substitutes for one another — a company may need an IFC evaluation ahead of its statutory audit, an internal audit function for continuous assurance, and a forensic review only if a specific red flag emerges. PNPC scopes each engagement independently based on your regulatory position, size, and risk profile; a scoping conversation is the right first step.
| # | Stage & What PNPC Does | What Generic Checklists Miss | Timeline |
|---|---|---|---|
| 1 | Scoping & Entity-Level Risk Assessment — Understanding your business before touching a single control | We start by understanding your actual risk profile: transaction volume and complexity, number of locations, ERP/accounting system in use, prior audit findings, related-party transactions, and any recent fraud or near-miss incidents. This determines which processes get full walkthroughs versus lighter-touch review — a generic 'test everything equally' approach wastes budget on low-risk areas and under-tests high-risk ones. | Week 1 |
| 2 | Process Identification & Materiality Mapping | We identify the significant account balances and transaction classes based on your trial balance and business model — typically covering Procure-to-Pay, Order-to-Cash, Record-to-Report (financial close), Payroll, Fixed Assets, Treasury/Banking, and Inventory where applicable — and map which processes are material enough to warrant detailed control testing versus a lighter review. | Week 1–2 |
| 3 | Entity-Level Controls (ELC) Assessment | Before testing any transaction-level control, we assess the control environment itself — tone at the top, delegation of authority matrix, whistleblower mechanism, IT general controls (user access, change management, backup), HR policies, and the Code of Conduct. A weak entity-level environment undermines even well-designed process controls — something checklist-driven reviews frequently skip. | Week 2 |
| 4 | Process Walkthroughs — How transactions actually flow, not how the manual says they flow | We sit with the actual process owners — the person who raises a purchase order, the person who approves a payment, the person who posts a journal entry — and walk each transaction cycle end to end. This consistently surfaces gaps between the documented SOP and actual practice: informal workarounds, shared logins, manual overrides of system controls, and approvals happening after the fact rather than before. | Week 3–4 |
| 5 | Risk & Control Matrix (RCM) Documentation | For each process, we document the control objective, the specific risk it addresses, the control activity (preventive or detective), the control owner, the frequency, and whether it is manual, automated, or IT-dependent manual. This RCM becomes the master reference document your statutory auditor will also rely on for their own IFC testing — reducing duplicated effort between PNPC's review and the audit. | Week 3–5, run in parallel with walkthroughs |
| 6 | Design Effectiveness Testing | We assess whether each documented control, if operating as designed, would actually prevent or detect the risk it is meant to address. A control that exists on paper but has a design flaw — for example, an approval limit that has not been updated in years, or a segregation-of-duties gap where the same person can both create and approve a vendor — is flagged here before we even test whether it operated. | Week 4–5 |
| 7 | Operating Effectiveness Testing — Sample-based evidence testing | For controls that pass design assessment, we test a sample of actual transactions from the period under review to confirm the control operated consistently — not just once, but throughout the period. Sample sizes are risk-based, following the approach outlined in the ICAI Guidance Note, larger samples for higher-risk, higher-frequency controls. | Week 5–7 |
| 8 | Deficiency Identification & Severity Rating | Every gap identified is classified — deficiency, significant deficiency, or material weakness — using the definitions in the ICAI Guidance Note and aligned to how your statutory auditor will classify findings under SA 265. This classification directly affects whether an item needs Audit Committee escalation and whether it could affect the auditor's own IFC opinion. | Week 7–8 |
| 9 | Root Cause Analysis | For each significant deficiency, we go beyond 'the control did not operate' to identify why — inadequate training, system limitation, understaffing, or a genuine design gap. Remediation that addresses the symptom without the root cause tends to recur in the following year's testing, which is a common and avoidable pattern we see in companies that have not had a root-cause-driven review before. | Week 8 |
| 10 | Remediation Roadmap & Management Action Plan | We prepare a prioritised remediation plan — what needs to be fixed immediately (material weaknesses), what can be addressed over the next quarter (significant deficiencies), and what is a lower-priority process improvement. Each item is assigned an owner and a target date, so the Audit Committee has a document to track against, not just a list of problems. | Week 8–9 |
| 11 | Management Letter & Board / Audit Committee Presentation | Findings are presented formally to the Audit Committee or Board, with a walkthrough of the control matrix, the deficiency log, and the remediation plan. We are available to present directly, answer questions, and coordinate messaging with the statutory auditor so there are no surprises when the auditor's own IFC testing concludes. | Week 9 |
| 12 | Coordination with Statutory Auditor | We proactively share the RCM and testing evidence with your statutory auditor (with management's consent) to reduce duplicated testing and align on any areas of difference in severity assessment before the audit concludes — this coordination is one of the most valuable and most commonly missing pieces when the IFC review and the statutory audit are run by unconnected parties. | Aligned to audit timeline |
| 13 | Remediation Support & Retesting | Where management requests it, PNPC assists in designing the actual fix — a revised approval workflow, a new reconciliation template, a system configuration change — and retests the control once implemented to confirm the deficiency is closed before the next audit cycle begins. | Ongoing, as scoped |
A first-time IFC evaluation for a mid-sized company typically takes 8–10 weeks end to end, run in parallel with (and ideally ahead of) the statutory audit fieldwork so findings can be remediated before year-end testing. Subsequent-year reviews are faster, generally 5–6 weeks, since the RCM and process documentation already exist and testing can focus on changes and prior-year remediation follow-up.
Latest Memorandum and Articles of Association, and organisation chart showing reporting lines
Delegation of Authority (DOA) matrix — approval limits by role and transaction type
Board and Audit Committee meeting minutes for the period under review
Code of Conduct, whistleblower policy, and related-party transaction policy
Prior year statutory audit report, CARO report, and any management letter or internal audit report from the previous cycle
List of related-party transactions and Board approvals for the period
Trial balance and general ledger for the period under review, at the level of detail needed to identify significant accounts
Chart of accounts and accounting policy manual, if formally documented
Bank reconciliation statements for all operating accounts, for each month in the period
Fixed asset register with additions, disposals, and depreciation schedule
List of all bank accounts, authorised signatories, and current signing limits
Standard Operating Procedures for Procure-to-Pay, Order-to-Cash, Record-to-Report, Payroll, and Treasury cycles
Purchase order, goods receipt, and vendor invoice approval workflow documentation
Sales order, dispatch, and customer invoicing workflow documentation
Month-end and year-end financial close checklist
Access rights matrix for the ERP/accounting system — who can create, approve, and post transactions
Name and version of the ERP or accounting software in use (Tally, SAP, Oracle NetSuite, Zoho Books, or other), and whether it is on-premise or cloud-hosted
User access list with roles and privileges for the accounting/ERP system
IT policy covering password requirements, backup frequency, and change management procedures, if formally documented
List of any system-enforced controls currently configured — three-way match, approval workflows, credit limit blocks
Employee master list with designation, department, and reporting manager
Payroll processing workflow — from attendance/input to bank disbursement
Sample of employee appointment letters and any variable pay or incentive structure documentation
PF, ESI, and Professional Tax registration details and recent compliance filing status
A sample of purchase orders, invoices, and payment vouchers selected by PNPC for walkthrough and testing
A sample of sales invoices, credit notes, and customer receipts selected for testing
A sample of journal entries, particularly manual/non-system-generated entries, for review
Physical or system access to observe the actual approval and posting workflow, where practical
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Initial IFC Evaluation | Company crosses Section 143(3)(i) threshold, prepares for IPO, or receives investor/lender requirement | Full scoping, entity-level control assessment, process walkthroughs, RCM build, design and operating effectiveness testing, deficiency log, and remediation roadmap — the foundational review that all future cycles build on. | Statutory auditor identifies material weaknesses during their own testing with no prior warning to management or the Audit Committee, risking a qualified or adverse IFC opinion and a difficult Audit Committee conversation late in the audit cycle. |
| Pre-Audit Coordination | Statutory audit fieldwork approaching | RCM and testing evidence shared with the statutory auditor (with management consent) to reduce duplicated testing effort and align on severity classification of any findings before audit conclusion. | Auditor performs independent, duplicated control testing at additional audit fee and time cost, and any disagreement on severity surfaces for the first time in the auditor's report rather than being resolved earlier. |
| Deficiency Remediation | Deficiencies or significant deficiencies identified in review | Root cause analysis, design of the specific fix (revised workflow, system configuration, additional review step), implementation support, and retesting to confirm closure before the next testing cycle. | Unremediated deficiencies recur in the following year's review and audit, and repeat findings are viewed unfavourably by the Audit Committee, lenders, and investors as evidence of weak governance discipline. |
| Annual Refresh Cycle | Each subsequent financial year | Update the RCM for any process changes, new business lines, new locations, or system changes since the prior review; retest controls with updated risk-based sampling; confirm prior-year remediation items are closed and operating. | Control matrix becomes stale and no longer reflects actual operations — new risks introduced by business growth go untested until they surface as an actual control failure or fraud event. |
| Scale / New Business Line Trigger | New location, new ERP system, acquisition, or new product line | Extend the RCM to cover the new process or entity, assess entity-level controls at the new location, and identify any integration gaps — particularly around segregation of duties when headcount is initially thin at a new site. | New locations or business lines operate with informal or no controls for an extended period before being brought into the review cycle, during which the exposure to error or fraud is highest. |
| Fraud or Near-Miss Event | Suspected irregularity, unexplained variance, or whistleblower report | Immediate assessment of whether the event indicates a control design gap or an operating failure of an existing control; if warranted, PNPC scopes a focused forensic review as a distinct, separately-scoped engagement. | Underlying control gap that allowed the event remains unaddressed, and the same exposure persists for other transactions or other periods, compounding potential loss and audit/regulatory exposure. |
| Transaction / Diligence Trigger | PE investment, acquisition, or credit facility diligence | Pre-diligence readiness review — anticipate the control questions a counterparty's diligence team will raise, close obvious gaps in advance, and prepare a clean RCM and remediation-status document to present during diligence. | Control gaps surface for the first time during counterparty diligence, becoming valuation adjustments, indemnity demands, or delays to closing — at a point where remediation under time pressure is far more costly than a planned review. |
What exactly is an Internal Financial Control (IFC) and how is it different from 'internal controls' generally?
Internal controls, in the general sense, is a broad term covering any policy or procedure a business uses to manage risk — operational, compliance, financial, or strategic. Internal Financial Controls (IFC), as used under the Companies Act 2013, is a narrower, statutorily defined concept focused specifically on controls over financial reporting — the policies and procedures that ensure the orderly and efficient conduct of business, adherence to policies, safeguarding of assets, prevention and detection of fraud and error, accuracy and completeness of accounting records, and timely preparation of reliable financial information, as defined in the Explanation to Section 134(5)(e). The ICAI Guidance Note maps IFC evaluation to the COSO framework's five components.
Is Internal Financial Controls reporting mandatory for every company?
The statutory auditor's obligation to report on IFC over financial reporting under Section 143(3)(i) applies broadly, but the Companies (Audit and Auditors) Rules, 2014 carve out a specific exemption from this clause for certain categories — including One Person Companies, small companies, and private companies meeting prescribed thresholds on turnover and borrowings. Whether your company is within or outside this exemption depends on your specific financials for the year and should be confirmed with your statutory auditor for the applicable financial year, since the exemption thresholds and criteria are prescribed by rule and can be amended.
What is CARO 2020 and how does it relate to internal controls?
The Companies (Auditor's Report) Order, 2020 (CARO 2020) is a separate reporting requirement issued under Section 143(11) that requires statutory auditors of specified classes of companies to comment on a defined list of matters in their audit report — including, among many other clauses, whether the company has an internal audit system commensurate with the size and nature of its business. CARO 2020's internal audit commentary and Section 143(3)(i)'s IFC opinion are related but distinct reporting obligations — a company can have adequate IFC over financial reporting while still needing to strengthen its internal audit function, or vice versa.
What is the COSO framework and why does PNPC use it?
COSO (Committee of Sponsoring Organizations of the Treadway Commission) is an internationally recognised internal control framework built around five integrated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. The ICAI's Guidance Note on Audit of Internal Financial Controls Over Financial Reporting explicitly references COSO (or an equivalent recognised framework) as the basis against which management should evaluate and auditors should assess IFC. Using a recognised framework, rather than an ad hoc checklist, ensures the evaluation is defensible, comprehensive, and directly usable by your statutory auditor.
What is the difference between a deficiency, a significant deficiency, and a material weakness?
These are graded severity classifications used under the ICAI Guidance Note (aligned with Standard on Auditing SA 265 concepts). A deficiency exists when a control is designed, implemented, or operated in a way that does not allow management or employees to prevent or detect misstatements on a timely basis, or when a necessary control is missing. A significant deficiency is a deficiency, or combination of deficiencies, important enough to merit attention by those charged with governance (typically the Audit Committee). A material weakness is a deficiency, or combination of deficiencies, that creates a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis — the most severe classification, and one that can affect the statutory auditor's own IFC opinion.
How long does a full internal control review take?
For a first-time evaluation of a mid-sized company with a handful of significant processes and one or two locations, PNPC typically scopes 8–10 weeks end to end — scoping, entity-level assessment, process walkthroughs, control matrix documentation, design and operating effectiveness testing, deficiency reporting, and remediation planning. Larger, multi-location, or multi-entity groups take longer, scoped based on the number of significant processes and locations in coverage. Subsequent-year reviews, once the control matrix already exists, are typically faster — around 5–6 weeks — since testing can focus on process changes and prior-year remediation follow-up rather than rebuilding documentation from scratch.
What does an Internal Control Review cost?
The fee depends directly on scope — the number of significant processes covered, the number of locations or business units, the complexity of the ERP/IT environment, and whether it is a first-time evaluation (requiring full documentation build) or a subsequent-year refresh (updating an existing control matrix). PNPC provides a written, fixed-fee proposal after an initial scoping conversation, so there is no ambiguity about what is covered before the engagement begins.
Who typically needs to commission an internal control review — the CFO, the Audit Committee, or the statutory auditor?
The engagement is typically commissioned by management (often the CFO) or directly by the Audit Committee, as a management or governance initiative — distinct from the statutory audit itself, which is commissioned by shareholders through the auditor appointment process. Some companies with an in-house internal audit function have that function perform the review; others engage an external firm like PNPC either because they lack an internal audit function of sufficient scale, or because they want an independent, external perspective distinct from both internal audit and the statutory auditor.
Can PNPC also be our statutory auditor and perform our internal control review?
Independence requirements under the Companies Act and the ICAI Code of Ethics restrict a statutory auditor from performing certain non-audit services for the same client, and specific restrictions apply depending on the nature and scale of the engagement and the class of company involved. Where PNPC is the statutory auditor for a company, we assess independence requirements carefully before accepting any related internal control review engagement, and in situations where independence rules restrict us from performing both roles for the same entity, we will say so directly rather than take on a conflicted engagement.
What is a Risk and Control Matrix (RCM) and why does it matter?
A Risk and Control Matrix is the core working document of an IFC evaluation — for each significant process, it lists the specific financial reporting risk, the control activity designed to address that risk, whether the control is preventive or detective, whether it is manual, automated, or IT-dependent manual, the control owner, the frequency of operation, and the testing evidence gathered. The RCM is the document your statutory auditor will most directly rely on when performing their own IFC testing, and it becomes the baseline that subsequent-year reviews update rather than rebuild.
What is a walkthrough, and why can't the review just rely on the process manual?
A walkthrough is a step-by-step trace of an actual transaction from initiation through recording in the financial statements, performed by observing the process and interviewing the people who actually perform it — not by reading the documented SOP. Walkthroughs consistently surface gaps between documented procedure and actual practice: a manual says a purchase order requires two approvals, but in practice a shared login means one person effectively approves both stages; a reconciliation is supposed to happen weekly but is actually done once a quarter under time pressure. These gaps are invisible if the review relies only on the written policy.
What is Information Technology General Controls (ITGC) and does PNPC review it as part of an IFC engagement?
IT General Controls are the controls over the IT environment that support the reliable operation of application-level (automated) controls — covering areas like user access management, segregation of duties within the ERP system, change management for system modifications, backup and disaster recovery, and physical/logical security. Where a company's financial processes rely on automated or IT-dependent manual controls (which is the case for nearly every company using an ERP or accounting system), a proper IFC evaluation must assess the underlying ITGC — because an automated control is only as reliable as the IT environment supporting it.
What happens after the review — does PNPC just hand over a report, or help fix the gaps too?
The core deliverable is the RCM, the deficiency log with severity ratings, and the remediation roadmap — presented to management and, where relevant, the Audit Committee or Board. Beyond that, PNPC offers remediation support as a separately scoped follow-on engagement: designing the specific fix for a control gap (a revised approval workflow, a new reconciliation template, a system configuration change), assisting implementation, and retesting the control once implemented to confirm the deficiency is closed.
How does sampling work in operating effectiveness testing — do you test every transaction?
No — testing every transaction in every process would be neither practical nor necessary. PNPC applies risk-based sampling consistent with the approach described in the ICAI Guidance Note: sample sizes are calibrated to the frequency of the control (a control operating hundreds of times a month needs a larger sample than one operating monthly), the risk associated with the underlying transaction class, and whether the control is manual (requiring a larger sample to establish consistency) or automated (where testing the system configuration once, plus a smaller sample of transactions, is generally sufficient once the control is confirmed to be functioning as configured).
We are a private company planning an IPO in the next 2–3 years. Should we start IFC evaluation now?
Yes — this is one of the most common and highest-value triggers for engaging PNPC. SEBI's disclosure and governance expectations for listed companies, combined with heightened Audit Committee, merchant banker, and investor scrutiny during the IPO process, mean that control gaps discovered during IPO readiness diligence are far more costly to fix under time pressure than gaps identified and remediated over one or two review cycles well in advance. Starting 18–24 months ahead allows deficiencies to be remediated and retested before they become a diligence finding.
Does a control review cover fraud detection, or is that a separate service?
An internal control review evaluates whether controls that are reasonably designed to prevent or detect fraud and error are in place and operating — for example, segregation of duties, authorisation limits, and reconciliation controls. It is a forward-looking, process-level evaluation, not an investigation into a specific suspected event. If a review or a whistleblower report raises a specific red flag — an unexplained variance, a suspicious vendor relationship, a pattern inconsistent with normal business activity — that warrants a separately scoped forensic review, which follows a different methodology (evidence preservation, targeted investigation techniques, and often legal coordination) distinct from a control-design evaluation.
What is segregation of duties and why does it come up in almost every finding?
Segregation of duties is the principle that no single individual should control all key stages of a transaction — initiation, approval, custody of the related asset, and recording in the books. When one person controls multiple stages, the natural cross-check that catches both error and fraud disappears. In smaller and mid-sized Indian companies, segregation of duties gaps are extremely common, particularly in finance teams that have not scaled headcount at the same pace as transaction volume — the same person who creates a vendor in the ERP also approves payments to that vendor, for example.
Our company uses Tally / Zoho Books rather than a large ERP. Is a full IFC evaluation still relevant?
Yes, though the scope and depth of testing will differ. Smaller accounting systems generally have fewer built-in, system-enforced controls than a large ERP (like SAP or Oracle), which means more of the control burden sits on manual review, approval workflows outside the system, and reconciliation discipline. The evaluation approach adapts accordingly — more emphasis on manual control testing and process discipline, proportionately less on system configuration testing — but the underlying COSO framework and the need for a documented RCM apply regardless of which accounting platform you use.
What is a management letter and who receives it?
A management letter (sometimes called a report to those charged with governance) is the formal written communication of findings from the internal control review — typically addressed to the CFO or management team, with a summary version presented to the Audit Committee or Board. It documents the scope of the review, the significant deficiencies and material weaknesses identified, management's response to each finding, and the agreed remediation timeline. This is distinct from, though often coordinated with, any management letter your statutory auditor separately issues as part of the audit.
How does an internal control review interact with our internal audit function, if we have one?
Where a company already has an in-house or co-sourced internal audit function operating under Section 138, that function typically performs ongoing, cyclical assurance across operational and compliance areas as well as financial controls. An IFC evaluation can either be performed by that internal audit function directly (if it has the requisite expertise in the COSO/IFC methodology) or by an independent external party like PNPC, whose findings then feed into or complement the internal audit's broader risk-based plan. We coordinate scope explicitly with any existing internal audit function to avoid duplicated testing and ensure clear ownership of each control area.
What triggers a company to fall under the internal audit requirement of Section 138?
Section 138 of the Companies Act 2013, read with the Companies (Accounts) Rules 2014, prescribes specific thresholds — based on criteria such as paid-up share capital, turnover, outstanding loans/borrowings, and outstanding deposits — above which every listed company and certain classes of unlisted public companies and private companies are required to appoint an internal auditor. Whether your company currently meets or is approaching these thresholds should be checked against the current Rules for your specific financial figures, since the applicable thresholds are prescribed by rule and should be verified for the relevant year rather than assumed.
Can a small or mid-sized private company request an internal control review even if it is not statutorily required?
Yes, and many do — most commonly ahead of a fundraise, a bank credit facility renewal, or simply as a governance discipline exercise once the founders recognise the business has scaled past the point where informal, trust-based controls are adequate. A voluntary review can be scoped more lightly than a full statutory-grade IFC evaluation if there is no auditor reliance requirement — for example, focused only on the two or three highest-risk processes rather than the full COSO-mapped scope.
What are the most common material weaknesses PNPC finds in first-time reviews?
Recurring patterns across first-time reviews include: absence of a formal, board-approved delegation of authority matrix (approvals happening on an informal, unwritten basis); inadequate segregation of duties in the procure-to-pay and payroll cycles; bank reconciliations performed inconsistently or with significant unreconciled items outstanding for extended periods; manual journal entries posted without a documented review and approval trail; and IT user access rights that have not been reviewed since the ERP was first configured, often still granting former employees or over-privileged current employees access well beyond their role.
Does the review look at fraud risk factors specifically, like the fraud triangle?
As part of the risk assessment component of the COSO framework, we do consider fraud risk factors — incentive/pressure, opportunity, and rationalisation, the three elements of the classic fraud triangle — particularly when assessing entity-level controls like the whistleblower mechanism, the tone at the top, and management override risk. This is a risk-assessment lens applied within the control review, not a full forensic fraud risk assessment, which is typically a more detailed, separately scoped exercise if a company wants a dedicated fraud risk assessment rather than a general control review.
What is 'management override of controls' and why is it treated as a distinct risk?
Management override refers to the risk that a person in a position of authority — typically someone senior enough to bypass a control that would stop others — deliberately circumvents an otherwise well-designed control, for example approving a transaction outside normal authorisation limits or instructing an accounting entry that does not reflect the underlying transaction. Standards on Auditing and the COSO framework treat this as a distinct, elevated risk category precisely because a control that relies on the same person it is meant to constrain provides no real protection. We specifically assess whether compensating controls — such as Audit Committee oversight of related-party transactions or a whistleblower channel independent of management — exist to address this risk.
Will the findings from our internal control review be shared with regulators or made public?
No. The internal control review is a private engagement between PNPC and the company (or, where scoped that way, the Audit Committee). Findings are not filed with MCA, SEBI, or any regulator, and are not made public. The exception is your own statutory auditor, with whom we share findings only with management's consent, specifically to support their independent IFC opinion under Section 143(3)(i) — the auditor's own report (which may reference IFC adequacy) is what becomes part of the public financial statements filed with MCA, not PNPC's underlying working papers.
How does PNPC handle a company with multiple locations or subsidiaries?
For multi-location or multi-entity groups, we scope coverage based on materiality and risk — typically prioritising locations or subsidiaries that represent the largest share of consolidated revenue or assets, or that carry elevated risk factors (a newly acquired entity, a location with a recent history of control issues, or one with a thinner finance team). Entity-level controls are assessed at the parent/group level as well as locally, since group-wide policies (delegation of authority, whistleblower mechanism, code of conduct) need to be consistently cascaded and actually followed at each location, not merely exist on paper at head office.
What is the difference between 'preventive' and 'detective' controls, and does it matter which we have?
A preventive control is designed to stop an error or irregularity from occurring in the first place — for example, a system-enforced credit limit that blocks an order exceeding a customer's approved credit. A detective control identifies an error or irregularity after it has occurred — for example, a monthly reconciliation that surfaces a discrepancy. Both are legitimate and necessary; a well-designed control environment uses a mix, since preventive controls alone are rarely sufficient (they can be bypassed or may not cover every scenario) and relying solely on detective controls means errors are caught late, after they may already have caused financial or operational impact.
Do you provide training for our finance team as part of the engagement?
Control awareness and process-owner training is not a default inclusion in the base IFC evaluation scope, but it is a common and valuable add-on, particularly after significant remediation — helping the process owners who will actually operate a newly redesigned control understand not just the mechanics but the underlying risk it addresses, which improves consistency of operation over time. We can scope this as part of the remediation phase if management wants it.
How does PNPC's IFC evaluation differ from what a Big 4 firm would deliver?
The underlying methodology — COSO framework, RCM documentation, design and operating effectiveness testing, severity-graded findings — follows the same recognised professional standards regardless of firm size, since these are set by ICAI guidance and Standards on Auditing, not by firm brand. Where PNPC differentiates is in continuity and accessibility: the same senior CA team that performs your review is available for the remediation conversation afterward, for your statutory audit coordination, and for the following year's refresh — rather than a large engagement team that rotates and requires re-briefing each cycle. We also scope fees proportionate to genuine mid-market company needs, without the overhead structure of a large multinational firm.
What if our statutory auditor disagrees with a severity rating PNPC has assigned to a finding?
This can happen, since professional judgement is inherently involved in severity classification, and the statutory auditor is required to form their own independent opinion regardless of PNPC's assessment. Where this arises, we proactively engage with the auditor to walk through our testing evidence and rationale — often the disagreement resolves once the underlying evidence and context are compared, and where it does not fully resolve, the auditor's opinion is the one that governs the statutory audit report, since that is their independent statutory responsibility, not PNPC's.
Can this review help us get better terms on a bank loan or credit facility?
A documented, independently reviewed control environment can support a stronger credit conversation, since lenders assessing larger facilities increasingly factor in governance and control maturity as part of qualitative credit risk assessment, alongside the financial ratios. It is not a guaranteed mechanism for better pricing or terms — that ultimately depends on the lender's own credit policy and your overall financial profile — but a company that can produce a clean RCM and a track record of proactive remediation presents a materially stronger governance picture than one that cannot.
What is PNPC's approach if we are a UAE-based group with an Indian subsidiary — does the review cover both jurisdictions?
Section 143(3)(i) IFC reporting and the COSO-based methodology described here apply specifically to Indian company law requirements for the Indian entity. For the UAE parent or affiliate entities, control review would follow UAE regulatory and governance expectations rather than the Companies Act 2013 framework — these are distinct regulatory regimes and should not be conflated. With operating offices in Chennai, Bangalore, Hyderabad, and Dubai, PNPC can coordinate a control review across both the Indian subsidiary (under the IFC/COSO methodology described here) and UAE group entities (scoped to UAE-specific requirements) under a single coordinated engagement, so group management gets one consistent view rather than two disconnected reports from separate advisors.
How often should the review be refreshed once the initial evaluation is complete?
For companies within the Section 143(3)(i) reporting scope, an annual refresh aligned to the statutory audit cycle is the practical minimum, since the auditor forms a fresh IFC opinion every year and needs current-year evidence, not an evaluation from several years prior. Companies undergoing significant change — a new ERP implementation, a major acquisition, rapid headcount growth, or entry into a new business line — should consider a more frequent, targeted refresh of the specific affected processes rather than waiting for the next annual cycle, since these events are exactly when control gaps are most likely to be introduced.
Does PNPC only work with companies that already have an Audit Committee, or can you support smaller boards too?
An Audit Committee is only mandatory under the Companies Act for specified classes of listed and larger public companies; the majority of private companies PNPC works with do not have one and are not required to. For those companies, findings and the remediation roadmap are presented directly to the Board or to the promoter-management team, structured with the same rigour and severity grading as a formal Audit Committee presentation, simply addressed to whichever governance body actually exists and makes decisions in your company.
What is a control self-assessment (CSA) and does PNPC use it as part of the methodology?
A Control Self-Assessment is a technique where process owners themselves evaluate and document the effectiveness of the controls they operate, typically using a structured questionnaire, before or alongside an independent review. PNPC sometimes uses a light CSA exercise as an efficient way to gather initial process information and surface areas the process owner themselves already recognises as weak — but a CSA on its own is not a substitute for independent walkthrough and testing, since self-assessed control effectiveness tends to be more favourable than what independent testing subsequently confirms, a well-documented bias in practice.
PNPC Internal Control Review vs typical alternatives
| What You Need | Generic Checklist / Template Service | Large Multinational Firm | In-House Only | PNPC Global |
|---|---|---|---|---|
| COSO-based methodology aligned to ICAI Guidance Note | Rarely — often a generic checklist unrelated to COSO | Yes, but delivered by a large, rotating engagement team | Depends entirely on in-house expertise and bandwidth | Yes — every review mapped to COSO components and ICAI Guidance Note |
| Actual process walkthroughs, not desk review of policy documents | No — typically a document review only | Yes, standard practice | Varies — often skipped under time pressure | Yes — walkthroughs are non-negotiable in every engagement |
| Coordination with your statutory auditor to avoid duplicated testing | No structured coordination | Sometimes, if same firm; complicated if different firm | Ad hoc, depends on relationship | Yes — proactive, structured coordination with your auditor regardless of who they are |
| Remediation support, not just a findings report | Rarely included | Available, often as a separate, costly engagement | Depends on internal capacity to design fixes | Included as a scoped follow-on — same senior team, no re-briefing |
| Continuity — same senior team year over year | No relationship continuity | Engagement teams frequently rotate | N/A | Same senior CA team across review cycles |
| Fee proportionate to mid-market company size | Low cost but low assurance value | Premium pricing, often disproportionate for mid-market scope | No external fee, but real internal cost and expertise gap | Fixed, scoped fee proportionate to your actual size and risk |
| India-UAE cross-border coordination | Not applicable | Possible through international network, but often loses context in handoff | Not applicable unless in-house team spans both | Direct — Chennai/Bangalore/Hyderabad/Dubai offices, one coordinated engagement |
What the PNPC package includes
- 01
Entity-level control assessment covering governance, delegation of authority, IT general controls, and whistleblower mechanism
- 02
Process walkthroughs for all significant financial reporting cycles — Procure-to-Pay, Order-to-Cash, Record-to-Report, Payroll, Fixed Assets, Treasury
- 03
Risk and Control Matrix (RCM) documentation, delivered in an editable format for ongoing use by your finance team
- 04
Design effectiveness assessment for every documented control
- 05
Risk-based operating effectiveness testing with sample-based evidence
- 06
Deficiency log with severity grading — deficiency, significant deficiency, material weakness — consistent with ICAI Guidance Note definitions
- 07
Root cause analysis for every significant deficiency, not just a description of the symptom
- 08
Prioritised remediation roadmap with named owners and target dates
- 09
Formal management letter and, where relevant, a direct presentation to your Audit Committee or Board
- 10
Proactive coordination with your statutory auditor to align on findings and reduce duplicated testing
- 11
Optional remediation implementation support and control retesting once fixes are in place
Talk to a senior PNPC CA about scoping your Internal Financial Controls evaluation before your next statutory audit cycle — not after your auditor raises a finding you did not see coming.