
Internal Financial Controls: Where Audit Committees Are Asking Tougher Questions

Internal Financial Controls reporting under the Companies Act has been around long enough that most listed entities have a routine for it. What has changed in the last two reporting cycles is the depth at which audit committees are now testing the routine — and the questions they are putting to management between meetings.

This is a shift from compliance to assurance, and it has implications for how IFC frameworks are designed, evidenced, and reviewed.

From statutory checkbox to governance lever

Section 143(3)(i) of the Companies Act, read with the ICAI’s Guidance Note on IFC, requires the auditor to express an opinion on the adequacy and operating effectiveness of internal financial controls over financial reporting. For most listed and large unlisted entities, the framework of choice has been the COSO 2013 model, supplemented with risk-control matrices at the process level.

Three years ago, IFC reviews were largely about whether the documentation existed. Today, audit committees we work with are asking three sharper questions:

  • What is the residual risk after controls are applied? Not just whether a control exists, but whether the design is commensurate with the risk it is meant to cover.
  • What did the control miss? A pull of exception logs and override records, particularly in revenue and procure-to-pay cycles.
  • How fast does a deficiency get fixed? Time-to-remediation has become a metric in its own right, and its trend over quarters is being reported up.

The evidence problem

The single most common deficiency we observe in IFC walkthroughs is not the absence of a control — it is the absence of contemporaneous evidence that the control operated.

A reconciliation that is performed but signed off three weeks later, an approval that is on paper but never matched against the supporting voucher, an exception report that is generated but not reviewed for two cycles — these are the gaps that a robust IFC walkthrough now isolates. They are also the gaps that a sharper audit committee will press on.

The remedy is mostly procedural: timestamped evidence, independent review of the review, and a clear escalation path when the control fails. But it requires finance teams to build a discipline around evidence in the same way they build discipline around the close itself.

A control that operates but cannot be evidenced is, for assurance purposes, indistinguishable from a control that does not operate.

Where IT general controls now matter more

Most finance processes today run on systems — ERPs, sub-ledgers, planning tools, and a layer of integrations. The reliability of the financial statements depends on the integrity of those systems, which makes IT general controls (ITGC) a foundational layer for IFC.

The four ITGC areas that audit committees are scrutinising more closely:

  1. Logical access: Who can post to the GL, who can change masters, and how is segregation of duties enforced when a user has multiple roles? The standard report from the ERP often misses cumulative privilege creep.
  2. Change management: A change to a tax-rate master or a TDS-section configuration can have downstream financial-statement impact. Are these changes ticketed, reviewed, and tested before they go live?
  3. Backup and recovery: Documented, tested, and time-stamped. The asks are increasingly about the test, not the policy.
  4. Application controls: Three-way match settings, tolerance limits, and approval matrices coded into the application. These are now expected to be inventoried and re-validated annually.

What strong remediation looks like

Findings will surface. The differentiator now is what the entity does with them.

The IFC frameworks we admire have three things in common:

  • A standing remediation tracker reviewed monthly by the CFO and quarterly by the audit committee, with named owners and target dates.
  • A clear policy on what counts as a ‘significant deficiency’ vs a ‘material weakness’ — and an honest pre-audit assessment by management before the auditor weighs in.
  • A culture where flagging a control gap early is rewarded, not penalised. The opposite culture is the single biggest predictor of an audit-committee surprise.

What audit committees should ask this quarter

  1. How many control deficiencies are open at the end of this quarter, by severity, and what is the average age?
  2. Which IFC findings from the prior auditor’s report have been remediated, and which are still in flight? What is preventing closure?
  3. For the top three risks identified in the entity’s risk register, which controls map to them, and have those controls been tested for operating effectiveness this year?

The bottom line

IFC reporting is not going to get easier. Audit committees, regulators, and investors are converging on a higher standard of evidence and follow-through. For finance teams, the move from compliance to assurance is the unlock — build the discipline once, and the rest of the governance machinery rests on top of it.

This article is for general information only and does not constitute professional advice. For engagement-specific assurance support, please write to contact@zarkca.in.
