PKC Management Consulting

Internal Financial Controls (IFC): Framework, Requirements & Reporting Under Companies Act

The internal financial controls (IFC) framework for businesses has changed considerably over the last few years, owing mainly to increasing scrutiny from auditors, both internal and statutory.

Understanding what constitutes strong controls, how to document them, and how to prepare for an IFC audit is therefore now an essential part of corporate governance in India.

This guide breaks down the requirements, the practical steps to build an internal financial control framework, and the common problems that undermine compliance and how to fix them.

What Are Internal Financial Controls (IFC)?

Internal financial controls are the policies, procedures, and mechanisms a company puts in place to ensure three things:

  • reliability of financial reporting
  • efficiency of operations
  • compliance with applicable laws

Officially, the Companies Act, 2013 defines IFC as:

“the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to its policies, safeguarding of its assets, prevention and detection of fraud and error, accuracy and completeness of the accounting records, and timely preparation of reliable financial information.”

Simply put, IFC acts like an immune system for your finance function. When the system works well, errors are caught before they become misstatements. 

Fraud is deterred because segregation of duties makes collusion necessary for success. Operational bottlenecks become visible through control dashboards.

What IFC Covers & What It Does Not

A well-designed IFC framework typically covers:

  • Financial close and reporting processes: how books are closed, reviewed, and finalised each period
  • Revenue recognition and accounts receivable: ensuring revenue is recorded when earned, not when convenient
  • Procurement and accounts payable: authorisation of purchases, vendor verification, three-way matching of PO, GRN, and invoice
  • Payroll: authorisation of headcount, salary changes, and disbursements
  • Fixed assets: capitalisation policies, depreciation, physical verification
  • Treasury and cash management: bank reconciliations, authorisation limits, fund transfers
  • Tax compliance: accurate computation and timely payment of direct and indirect taxes
  • IT general controls: access management, change control, data integrity across financial systems

IFC does not cover: operational risk management, strategic decision-making, or non-financial compliance. 

Those fall under broader enterprise risk frameworks. IFC is specifically anchored to financial reporting and the safeguarding of assets.

IFC Requirements Under Companies Act 2013 (Section 134(5)(e))

Several provisions under the Companies Act, 2013 define IFC requirements. These include:

Section 134(5)(e): The Board’s Responsibility

This section requires the Board of Directors to include a Directors’ Responsibility Statement in its report. Clause (e) specifically asks the directors to confirm that:

  1. Internal financial controls are established: informal practices or undocumented procedures do not satisfy this requirement. Controls need to be designed, documented, and communicated.
  2. Controls are adequate: they should suit the size and complexity of the company. A large manufacturing firm has different standards than a small service company. Guidance from the ICAI provides a framework that helps auditors judge this.
  3. Controls are working effectively: good design alone isn’t enough. A control can be well designed but inconsistently applied, which constitutes an operating deficiency. Both design and operation must be confirmed.

This confirmation is a collective responsibility of the board, not just the CFO or finance team. 

By signing, the board is assuring shareholders, regulators, and the public that the company’s financial controls are in place and functioning properly.

Section 143(3)(i): The Auditor’s Reporting Obligation

This section governs what the statutory auditor must independently verify and report. The auditor must report whether the company’s internal financial controls are adequate and working effectively.

This is an independent assessment. The auditor does not simply rely on what management says; they test controls, evaluate any deficiencies, and form their own opinion.

A 2019 MCA amendment limited this reporting requirement to companies other than one-person companies (OPCs) and small companies. Small companies (per Section 2(85)) are those with paid-up capital ≤ ₹4 crore and turnover ≤ ₹40 crore.

So, smaller private companies still need the board to confirm internal controls in their Directors’ Responsibility Statement, but auditors are not required to report separately on these controls.

Section 177: Audit Committee’s Role

For companies required to have an audit committee under Section 177, which includes all listed companies and certain public companies, the committee has key responsibilities related to internal financial controls (IFC):

  • Reviewing the adequacy of internal control systems.
  • Reviewing financial statements before they go to the board.
  • Overseeing the internal audit function.

The audit committee is the main body that monitors IFC throughout the year. It reviews internal audit reports, checks how management addresses any issues, and ensures corrective actions are implemented.

The board’s ability to confirm that controls are adequate and effective under Section 134(5)(e) depends heavily on the audit committee’s work.

CEO/CFO Certification for Listed Companies

Listed companies have an extra layer of accountability under Regulation 17(8) and Schedule II, Part B of SEBI’s LODR Regulations. 

Each year, the CEO and CFO must certify to the board that:

  • They have reviewed the financial statements and believe they give a true and fair view.
  • There are no materially false or misleading statements.
  • Internal financial controls over reporting are adequate and operating effectively.
  • They have disclosed to the auditors and audit committee any significant control weaknesses or fraud involving management or key employees.

This certification carries personal accountability. A CEO or CFO who falsely certifies adequacy when serious deficiencies exist, or who conceals fraud, can face regulatory action by SEBI and potential legal liability under the Companies Act.

Penalties for Non-Compliance

The Companies Act does not have a specific penalty just for IFC failures. 

However, a materially false Directors’ Responsibility Statement, which includes the IFC confirmation, can lead to liability under Section 448 (false statements) and Section 449 (false evidence), including potential imprisonment.

Also, SEBI can take action against management of listed companies if IFC failures contribute to fraud or misstatements.

Even without formal penalties, the reputational and financial impact of IFC non-compliance is serious.

A qualified IFC opinion in the audit report is seen as a red flag by investors, lenders, and shareholders, affecting trust, credit, and business opportunities. In today’s stricter governance environment, these consequences can be far-reaching.

IFC vs ICFR — Are They the Same?

This is a common source of confusion. The terms internal financial controls (IFC) and internal controls over financial reporting (ICFR) are used interchangeably, but they are not identical.

Internal Financial Controls (IFC) is the broader term that covers policies and procedures that ensure orderly business conduct, asset safeguarding, fraud prevention and detection, accurate accounting records, and timely preparation of reliable financial information. IFC covers both operational controls and financial reporting controls.

Internal Controls over Financial Reporting (ICFR) is a subset of IFC. It refers specifically to controls that relate to the preparation and presentation of financial statements. It ensures that what gets reported externally is accurate, complete, and free from material misstatement, whether due to error or fraud.

So, all ICFR is IFC, but not all IFC is ICFR.

The difference between the two becomes clearer when you map specific controls to each category.

Control areas compared across IFC and ICFR:

  • Financial close and reporting process
  • Revenue recognition accuracy
  • Bank reconciliations
  • Accounts payable, three-way matching
  • Physical verification of fixed assets (ICFR: partially)
  • Payroll disbursement authorisation
  • Vendor onboarding and KYC
  • Procurement approval workflows
  • Employee code of conduct compliance
  • IT access controls over financial systems
  • Inventory management procedures (ICFR: partially)
  • Whistleblower mechanism

Why the Difference Between IFC and ICFR Is Important

The ICAI’s Guidance Note on Audit of Internal Financial Controls Over Financial Reporting (2015, updated later) uses ICFR as the key term and is the main reference for statutory auditors under Section 143(3)(i). 

When your auditor reports on internal financial controls, they are effectively reporting on ICFR, the subset of IFC that directly affects financial reporting. 

Their work focuses on financial‑statement assertions (existence, completeness, accuracy, valuation, rights and obligations, presentation) through risk assessment, control testing, and walk‑throughs.

This does not mean they ignore broader IFC. Operational controls that affect financial reporting (e.g., procurement approvals for legitimate expenses) are in scope. Purely operational controls with no impact on financial‑statement accuracy are outside the ICFR assessment.

Practical Implication for Companies

Many Indian companies centre their IFC design on financial‑reporting controls, mainly because that is what auditors test. This leaves operational controls ignored, creating a compliance blind spot. 

The board’s confirmation under Section 134(5)(e) covers the full IFC framework, not just ICFR. A company with strong revenue-recognition controls but weak vendor onboarding, poor asset safeguarding, or no fraud-detection mechanism still has an IFC gap, even if the ICFR report is clean.

Conversely, some firms over‑document operational controls with no financial‑reporting impact, creating bulky IFC files that do not reduce audit risk or improve governance. This is a resource‑allocation problem, not a compliance fix.

Designing an IFC Framework — 6-Step Process

Building an IFC framework from scratch for your business needs a structured, phased approach: 

Step 1: Define the Scope

Before identifying or documenting controls, define the scope at two levels:

Entity-level: Decide which legal entities, subsidiaries, branches, or divisions are included. For a standalone company, this is simple, but for a group with multiple (including foreign) subsidiaries consolidated into Indian financials, judgment is required. Material entities must be included; immaterial ones can be scoped out, but the decision must be documented and defensible.

Process-level: Identify business processes based on their impact on financial statements. Map each significant line item, such as revenue, receivables, inventory, fixed assets, borrowings, payroll, and taxes, to the underlying processes. Only processes with material impact are in scope, with an explicitly set materiality threshold.

Correct scoping avoids the unnecessary documentation that comes with over-scoping and the audit risk and control gaps that come with under-scoping.

Step 2: Document Business Processes 

After defining scope, each in-scope process should be documented to identify financial risks and existing or needed controls.

Process documentation can take two forms:

  • Process narrative: Describes the sequence of activities, systems, personnel, and authorization structure.
  • Process flowchart: Visualizes the same information, highlighting decision points, handoffs, and control gaps.

Both should reflect how the process actually operates, not how it is supposed to work on paper.

For example, if invoices above ₹5 lakh are supposed to require CFO approval but are approved by the accounts manager in practice, the documentation misrepresents the control environment.

Gathering input through interviews, transaction walkthroughs, and system reviews is essential. Finance-only documentation is rarely reliable.

Step 3: Identify Financial Reporting Risks

With processes documented, the next step is to identify risks within each process that could lead to material misstatements in the financial statements. 

Risks are assessed against financial statement assertions:

  • Existence/Occurrence: Do recorded transactions and balances exist?
  • Completeness: Are all required transactions recorded?
  • Accuracy/Valuation: Are amounts recorded correctly?
  • Cut-off: Are transactions in the correct period?
  • Rights and Obligations: Does the company own recorded assets and owe recorded liabilities?
  • Presentation and Disclosure: Are items properly classified and disclosed?

Each risk should be rated for likelihood and potential financial impact. High-likelihood, high-impact risks need strong, tested controls; lower-risk areas can be managed through monitoring or review.

In India, certain risks require extra attention: revenue cut-off manipulation, procurement vendor fraud, payroll ghost employees, related-party transactions bypassing authorisation, and GST input credit accuracy. These are common findings in IFC assessments.

Step 4: Identify and Map Controls to Risks

For each identified risk, one or more controls must be identified that mitigate that risk to an acceptable level. This risk-to-control mapping forms the basis of the Risk and Control Matrix (RCM).

At the design stage, each control should specify:

  • Control type: Preventive (stops the risk) or detective (detects issues). A strong framework uses both.
  • Control nature: Manual, automated, or hybrid. Automated ERP controls are more reliable if IT general controls are effective.
  • Control frequency: Every transaction, daily, monthly, or periodic. Higher-risk processes need more frequent controls.
  • Control owner: The person or role responsible for performing and evidencing the control.

Segregation of duties deserves specific attention at this stage. Many Indian companies assign incompatible functions to one individual (e.g., creating a vendor and approving invoices); this is a design deficiency even if the access is never misused.

Where full SoD isn’t feasible, compensating controls, such as management review, exception reporting, or periodic reconciliations, must be documented.

Step 5: Assess Control Design Adequacy

Once controls are identified, assess whether their design is sufficient to address the associated risk. A control is adequately designed if (assuming it operates as intended) it would prevent or detect a material misstatement. 

Common design deficiencies in Indian companies include:

  • Approval controls with no verification of supporting documents
  • Reconciliations performed by the same person making the underlying entries
  • System access allowing single-user end-to-end processing
  • Period-end journal entry controls lacking independent review or documentation
  • Disclosure checklists completed without referencing actual transactions

Each deficiency should be documented with a recommendation for resolving it. Addressing design issues proactively, before auditor testing, is far easier than correcting them during an audit.

Step 6: Document the IFC Framework and Assign Ownership

The outcome of the design process is a documented IFC framework: process narratives, flowcharts, the RCM, control descriptions, and assigned ownership. 

This documentation supports board confirmation, provides a basis for audits, and serves as a reference for ongoing monitoring.

The framework must be kept current. A document from 2022, untouched through acquisitions, system migrations, or CFO changes, no longer reflects the control environment. Frameworks should be reviewed and updated annually or whenever significant business or system changes occur.

Ownership is critical. Every control must have a named individual (not just a department) responsible for performing it, maintaining evidence, and escalating exceptions. Without clear ownership, monitoring fails and accountability becomes diffuse.

Risk & Control Matrix (RCM) — How to Build One

The Risk and Control Matrix is the operational core of an IFC framework. 

It turns process documentation, risk identification, and control mapping into a structured reference that auditors test, management monitors, and the board uses to confirm adequacy.

An RCM shows, for each in-scope process, how financial reporting risks link to the controls that mitigate them. Each row in the matrix typically captures:

  • Process / Sub-process: Business process and specific activity
  • Financial Statement Line Item: Affected account or disclosure
  • Risk Description: Specific risk, what could go wrong
  • Financial Statement Assertion: Assertion at risk (existence, completeness, accuracy, cut-off, etc.)
  • Risk Rating: Likelihood and impact (High / Medium / Low)
  • Control Description: What the control does, how it works, and frequency
  • Control Type: Preventive or detective
  • Control Nature: Manual, automated, or IT-dependent manual
  • Control Frequency: Per transaction, daily, weekly, monthly, quarterly
  • Control Owner: Individual responsible for the control
  • Key Control: Yes / No, selected for auditor testing
  • Evidence of Operation: Documentation proving the control was performed

Building the RCM: Process by Process

The RCM is built process by process, not account by account. 

A standard IFC framework for a mid-sized Indian manufacturing or services company usually covers the following process areas:

  • Financial Close and Reporting: journal entry controls, period-end cut-off, financial statement preparation and review, disclosure checklist
  • Revenue and Accounts Receivable: order to cash cycle, revenue recognition, credit approval, collections, bad debt provisioning
  • Procurement and Accounts Payable: purchase to pay cycle, vendor master management, three-way matching, payment authorisation
  • Payroll and Human Resources: headcount authorisation, salary master changes, payroll processing, disbursement, statutory deductions (PF, ESI, TDS)
  • Fixed Assets: capitalisation, depreciation, disposals, physical verification, impairment assessment
  • Inventory: goods receipt, valuation, physical counts, write-offs
  • Treasury and Cash Management: bank account management, fund transfers, bank reconciliations, borrowing authorisations
  • Taxation: direct tax computation and payment, GST returns and reconciliation, TDS compliance
  • IT General Controls: user access management, change management, backup and recovery, system availability

For each process, risks are identified at the sub-process or activity level. 

Example: “Revenue recognition risk” is not a usable risk statement. “Revenue recorded in March for services to be delivered in April, resulting in overstatement of revenue and understatement of deferred income” is.

Writing Risk Statements Correctly

This is where many RCMs fall short. 

A well-written risk statement follows a consistent structure: what could happen + in which process or activity + resulting in what financial statement impact. 

For example:

  • Vendor invoices may be processed without verification against purchase orders and goods receipt notes, resulting in payment for goods not received and overstatement of expenses.
  • Fixed assets may be expensed rather than capitalised, resulting in understatement of assets and overstatement of operating expenses in the period.

Each of these risk statements maps directly to a control response and a financial statement assertion. The control designed to address the first risk (three-way matching of PO, GRN, and invoice before payment) directly addresses the completeness and occurrence assertions for expenses.

Key Controls vs Non-Key Controls

For a reasonably complex Indian company, an IFC framework often includes several hundred controls across all in-scope processes. Auditors cannot test all controls, as doing so would make the audit disproportionately expensive and time-consuming.

Key controls are selected based on two criteria: the significance of the risk they address, and whether their failure would result in a material misstatement. 

As a general principle:

  • Controls that address high-rated risks over material financial statement line items are key controls
  • Controls that provide the primary, rather than redundant, mitigation for a risk are key controls
  • Automated controls embedded in the ERP are often designated as key controls because of their reliability, subject to IT general controls operating effectively
  • Manual controls that operate frequently (daily or per transaction) over high-value processes are typically key controls
  • Monitoring controls and management reviews can be key controls if they are the primary mechanism for detecting errors or fraud

Maintaining the RCM

An RCM that is created once and never updated becomes a liability. Business processes evolve: ERP upgrades, reorganizations, acquisitions, and regulatory changes all affect controls.

The RCM should be reviewed at least annually and also when:

  • Major system changes or ERP upgrades occur
  • Mergers, acquisitions, or divestitures happen
  • New business lines or products are launched
  • Auditors identify a control gap
  • Fraud or control failures expose weaknesses

Maintaining the RCM should be the responsibility of the CFO’s office or internal audit, not external consultants. A regularly updated RCM, managed by those who know the business, is far more valuable than a static document prepared just for audits.

Testing IFC — Walk-Throughs, Sample Testing & Reporting

Documentation is not enough. To claim that controls are “operating effectively,” you must test them.

In an IFC audit, the auditor will perform these tests to form their opinion. Management should perform their own testing before the auditor arrives.

Walk-Throughs

Before testing begins, perform a walk-through. This involves tracing one transaction from initiation to completion through the entire process. 

If you are testing the procure-to-pay cycle, pick one vendor invoice. Follow it from the purchase requisition to the payment entry in the bank statement. 

The purpose is to verify that the controls documented in the RCM are actually being performed in reality. Walk-throughs often reveal that control owners have changed, or that the system logic has been modified without updating documentation.

Sample Testing

Once walk-throughs confirm design effectiveness, test operating effectiveness using sampling. The sample size depends on the frequency of the control:

  • Daily controls: Test 20-25 instances.
  • Monthly controls: Test 2-3 instances (depending on the period).
  • Quarterly/Annual: Test the one or two instances available.

For Indian entities with high transaction volumes, automated controls (system reports, segregation of duties in ERP) require testing of the underlying IT application controls (ITACs). 

If you rely on an exception report that flags invoices without goods receipt notes, you must test that the report logic is accurate and that access to modify the report is restricted.
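The report logic described above, as an added example that is not part of the original article or any ERP product: a three-way match over constructed PO, GRN and invoice records, with a strict quantity rule (pay only for goods received) and a constructed 2% unit-price tolerance. Document numbers and vendor codes are made up.

```python
"""Three-way match (PO / GRN / invoice) exception report.

Added example, not part of the original article or any ERP product.
Document numbers, vendor codes, quantities and the 2% price tolerance
are constructed; a real report would read these from the ERP.
"""
from collections import defaultdict

PRICE_TOLERANCE_PCT = 2.0   # constructed: invoice unit price may differ from PO by at most 2%

# Constructed purchase orders: approved quantity and unit price per PO.
PURCHASE_ORDERS = {
    "PO-501": {"vendor": "V-100", "qty": 100, "unit_price": 1200.0},
    "PO-502": {"vendor": "V-200", "qty": 50, "unit_price": 800.0},
    "PO-503": {"vendor": "V-100", "qty": 10, "unit_price": 5000.0},
    "PO-504": {"vendor": "V-200", "qty": 20, "unit_price": 800.0},
}

# Constructed goods receipt notes; a PO may be fulfilled by several partial GRNs.
GRNS = [
    {"grn": "GRN-9001", "po": "PO-501", "qty": 60},
    {"grn": "GRN-9002", "po": "PO-501", "qty": 40},
    {"grn": "GRN-9003", "po": "PO-502", "qty": 30},
    {"grn": "GRN-9004", "po": "PO-504", "qty": 20},
]

# Constructed vendor invoices awaiting payment approval.
INVOICES = [
    {"inv": "INV-A1", "po": "PO-501", "vendor": "V-100", "qty": 100, "unit_price": 1200.0},  # clean
    {"inv": "INV-B1", "po": "PO-502", "vendor": "V-200", "qty": 50, "unit_price": 800.0},   # 20 not yet received
    {"inv": "INV-C1", "po": "PO-503", "vendor": "V-100", "qty": 10, "unit_price": 5000.0},  # no GRN at all
    {"inv": "INV-D1", "po": "PO-999", "vendor": "V-300", "qty": 5, "unit_price": 100.0},    # no such PO
    {"inv": "INV-E1", "po": "PO-504", "vendor": "V-200", "qty": 20, "unit_price": 840.0},   # price +5%
]


def received_by_po(grns=GRNS):
    """Sum received quantities per PO across all GRNs."""
    totals = defaultdict(int)
    for g in grns:
        totals[g["po"]] += g["qty"]
    return dict(totals)


def match_invoice(inv, pos=PURCHASE_ORDERS, received=None):
    """Return the exception reasons for one invoice; an empty list means it passes three-way matching."""
    received = received_by_po() if received is None else received
    po = pos.get(inv["po"])
    if po is None:
        return ["no matching purchase order"]   # nothing further can be matched
    reasons = []
    if po["vendor"] != inv["vendor"]:
        reasons.append("vendor differs from PO")
    got = received.get(inv["po"], 0)
    if got == 0:
        reasons.append("no goods receipt note")
    elif inv["qty"] > got:
        reasons.append(f"invoiced {inv['qty']} but only {got} received")
    variance_pct = (inv["unit_price"] - po["unit_price"]) / po["unit_price"] * 100
    if abs(variance_pct) > PRICE_TOLERANCE_PCT:
        reasons.append(f"unit price variance {variance_pct:+.1f}% vs PO")
    return reasons


def exception_report(invoices=INVOICES, pos=PURCHASE_ORDERS, grns=GRNS):
    """Map invoice number -> reasons, for every invoice that must be held back from payment."""
    received = received_by_po(grns)
    return {i["inv"]: r for i in invoices if (r := match_invoice(i, pos, received))}


if __name__ == "__main__":
    for inv, reasons in exception_report().items():
        print(f"{inv}: {'; '.join(reasons)}")
```

Testing the report means feeding it cases like these, where the expected outcome is known in advance, rather than only inspecting what it flags in production.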

Reporting and Remediation

Testing invariably uncovers exceptions. A single deviation does not necessarily mean a control failure, but a pattern of deviations indicates the control is not operating effectively. 

The approach is to:

  1. Identify the root cause: Is it a lack of training, a system glitch, or deliberate override?
  2. Remediate: Implement a compensating control immediately. For example, if a control requiring monthly reconciliation is failing because of staff shortage, implement a temporary review by a senior manager while hiring is completed.
  3. Document: Maintain a log of testing results and remediation actions. Auditors will scrutinize how management responded to failures. Ignoring a failed control is a red flag.

Auditor’s Responsibility — Reporting on IFC

Under the Companies Act, 2013, the statutory auditor has a clearly defined responsibility. Section 143(3)(i) requires the auditor to report on whether the company has adequate internal financial controls (IFC) and whether they operate effectively.

This is a mandatory reporting requirement that applies to companies required to have an audit committee, excluding One Person Companies and small companies.

If controls are weak or ineffective, the auditor must state this in the report. The IFC opinion is presented separately from the financial statement opinion.

Auditors follow ICAI’s Guidance Note on IFC (2015, updated), based on COSO principles and adapted global practices.

Integrated Audit vs Standalone IFC Audit

In practice, IFC audits and financial statement audits are done together by the same team (an “integrated audit”). They support each other.

  • Financial audit evidence helps assess whether controls work.
  • Control testing affects how much detailed financial testing is needed.

The integrated nature of the audit means that a clean IFC opinion and a clean financial statement opinion reinforce each other.

If controls are strong, less detailed testing is needed; if weak, more testing is done.

A clean opinion on both is ideal. A clean financial opinion but weak controls is unusual and signals future risk.

What the Auditor Actually Does

The auditor’s IFC assessment involves three phases:

  • Risk assessment & scoping: The auditor identifies key entities, processes, and accounts relevant to the financial statements. This is done independently of management’s IFC scoping, and the auditor may expand the scope where management’s scoping has gaps.
  • Understanding & walkthroughs: The auditor studies each key process through inquiry, observation, and document review. Walkthroughs (tracing transactions end-to-end) verify that controls actually exist and work as described, rather than relying only on management’s documentation.
  • Testing effectiveness: The auditor tests key controls using appropriate sample sizes. Any issues found are evaluated and classified (deficiency, significant deficiency, or material weakness) to form an overall opinion on IFC.

Throughout this process, the auditor maintains professional scepticism. The auditor does not rely solely on management’s claims and gathers independent evidence. 

Evaluating and Classifying Deficiencies

When control failures are found, the auditor evaluates their significance. This judgment is based on:

Magnitude: The key question is how large a misstatement could occur if the control fails (e.g., large receivables vs small prepaid expenses).

Likelihood: The auditor considers how likely it is that a material error could go undetected. Some risks are reduced by other controls; others are not.

Compensating controls: Other controls may offset the risk, but only if they are actually performed and evidenced—not just documented.

The auditor also considers whether multiple small deficiencies may together amount to a significant deficiency or material weakness. This aggregation judgment is among the more demanding aspects of IFC reporting.

Communication Obligations

Apart from the public audit report, the auditor is required to communicate identified deficiencies to management and the audit committee in a timely manner, not just at the end of the audit.

Material weaknesses: Must be communicated in writing before the audit report is issued. The communication should explain the issue, why it is a material weakness, and its potential financial impact.

Significant deficiencies: Also communicated in writing to the audit committee. They don’t automatically lead to an adverse IFC opinion but require formal acknowledgment and response.

Other deficiencies: Less serious issues are shared with management through a management letter and help guide remediation priorities.

The Audit Report: What Each Opinion Means

The IFC report is usually shown as Annexure B to the main audit report for listed companies. It takes one of three forms.

  • Unmodified opinion: Controls are adequate and working effectively in all material respects. This is the desired outcome.
  • Qualified opinion: Controls are generally adequate, except for specific identified issues. These are clearly described and closely scrutinised by investors and stakeholders.
  • Adverse opinion: A material weakness exists, meaning controls are inadequate or ineffective. This is serious, leading to disclosures, board attention, and possible regulatory action. 

Reliance on Internal Audit

The statutory auditor may rely on internal audit work in forming their IFC opinion, but only after assessing its competence, independence, and quality.

Even when relying on it, the auditor performs their own testing on selected areas to confirm reliability and meet their independent responsibility.

The extent of reliance vs. independent testing is based on professional judgment and documented in the audit file.

A well-structured internal audit function improves efficiency, reduces risk of adverse findings, and serves as a key input to the external audit process.

Common IFC Gaps in Indian Companies & How to Fix Them

Despite the maturity of the regulatory framework, at PKC Management Consulting our experts have found the same gaps recurring across companies during audits, whether they are family-owned businesses or MNC subsidiaries:

1. Controls Exist on Paper but Not in Practice

Many companies document controls, for example, requiring the CFO to review journal entries above ₹10 lakh, but in practice, there’s no proof the control was actually performed. 

This may be because controls were copied from templates without input from those performing them, or because evidence requirements weren’t clearly communicated.

Fix: Define evidence for every control: what, where, and how it’s stored. Educate control owners on why documentation matters. Use checklists, spot checks, and quarterly reminders to ensure controls are consistently applied.

2. Inadequate Segregation of Duties (SoD)

SoD failures are common, especially in mid-sized or fast-growing companies.

Examples: the same person adds vendors and approves payments; one employee posts journals and reconciles accounts; someone manages payroll data and runs payroll.

These usually happen because the team is too small to split responsibilities properly.

Fix: Map ERP access to an SoD matrix, identify high-risk conflicts (payment initiation, payroll, vendor management), and implement compensating controls such as management review with documented evidence where full segregation is infeasible.
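One way to run the SoD mapping described in this fix (and the incompatible-function check from Step 4), as an added example rather than PKC's own tooling: a Python check that flattens a constructed ERP user-to-role export into activities, scores each conflicting pair against a constructed SoD matrix, and separates conflicts that have a documented compensating control from those that still need escalation. Role names, activity codes, users and the matrix are all constructed.

```python
"""Segregation-of-duties (SoD) conflict check over an ERP role export.

Added example, not part of the original article or PKC's own tooling.
Role names, activity codes, users and the SoD matrix below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed SoD matrix: pairs of activities one person must not hold together,
# with the risk rating a reviewer would record in the RCM.
SOD_MATRIX = {
    frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"}): "High",    # create a vendor, then pay it
    frozenset({"VENDOR_CREATE", "INVOICE_APPROVE"}): "High",
    frozenset({"INVOICE_ENTER", "PAYMENT_APPROVE"}): "High",
    frozenset({"PAYROLL_MASTER_EDIT", "PAYROLL_RUN"}): "High",  # ghost-employee risk
    frozenset({"JOURNAL_POST", "BANK_RECONCILE"}): "Medium",    # poster reconciles own entries
    frozenset({"PO_CREATE", "GRN_POST"}): "Medium",
}

# Constructed mapping from ERP roles to the activities they grant.
ROLE_ACTIVITIES = {
    "AP_CLERK": {"INVOICE_ENTER", "VENDOR_CREATE"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_APPROVE"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "TREASURY": {"BANK_RECONCILE", "PAYMENT_APPROVE"},
    "HR_ADMIN": {"PAYROLL_MASTER_EDIT"},
    "PAYROLL_OFFICER": {"PAYROLL_RUN"},
    "BUYER": {"PO_CREATE"},
    "STORES": {"GRN_POST"},
}

# Constructed user-to-role export, as pulled from the ERP's user administration.
USER_ROLES = {
    "anita": ["AP_CLERK", "AP_MANAGER"],      # creates vendors and approves payments
    "ravi": ["GL_ACCOUNTANT", "TREASURY"],    # posts journals and reconciles the bank
    "meena": ["HR_ADMIN", "PAYROLL_OFFICER"], # edits payroll master and runs payroll
    "suresh": ["BUYER"],                      # clean
    "priya": ["STORES"],                      # clean
}

# Constructed register of compensating controls accepted by management:
# (user, conflicting pair) -> evidence reference.
COMPENSATING_CONTROLS = {
    ("ravi", frozenset({"JOURNAL_POST", "BANK_RECONCILE"})):
        "CFO monthly review of bank reconciliations, signed checklist",
}


def activities_for(user, user_roles=USER_ROLES, role_activities=ROLE_ACTIVITIES):
    """Flatten a user's roles into the set of activities they can actually perform."""
    acts = set()
    for role in user_roles.get(user, []):
        acts |= role_activities.get(role, set())
    return acts


def find_conflicts(user_roles=USER_ROLES, role_activities=ROLE_ACTIVITIES,
                   sod_matrix=SOD_MATRIX, compensating=COMPENSATING_CONTROLS):
    """Return {user: [(pair, rating, compensated)]} for every SoD conflict found."""
    findings = defaultdict(list)
    for user in user_roles:
        acts = activities_for(user, user_roles, role_activities)
        # Test every pair of activities the user holds against the matrix.
        for a, b in combinations(sorted(acts), 2):
            pair = frozenset({a, b})
            if pair in sod_matrix:
                compensated = (user, pair) in compensating
                findings[user].append((pair, sod_matrix[pair], compensated))
    return dict(findings)


def uncompensated_high_risk(findings):
    """Users with at least one High-rated conflict and no documented compensating control."""
    return sorted(
        user for user, items in findings.items()
        if any(rating == "High" and not comp for _, rating, comp in items)
    )


if __name__ == "__main__":
    findings = find_conflicts()
    for user, items in sorted(findings.items()):
        for pair, rating, comp in items:
            status = "compensated" if comp else "OPEN"
            print(f"{user:8} {rating:6} {status:12} {' + '.join(sorted(pair))}")
    print("Escalate to CFO / audit committee:", uncompensated_high_risk(findings))
```

Run against a fresh role export each quarter, the "OPEN" list is the evidence for the periodic access review, and the compensating-control register is what the auditor will ask to see for anything that stays on it.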

3. Weak or Untested IT General Controls (ITGCs)

Automated controls, like system-enforced payment approvals, are reliable only if the IT environment is secure.

Frequent issues: unrestricted admin access, no change management, shared user IDs, former employees retaining access, and no periodic access reviews.

Fix: Focus on access management (who can do what), change management (approvals for system changes), and monitoring (logging unusual activity). Most ERPs have features for these; the problem is often poor governance rather than technology.

4. Insufficient Period-End Journal Entry Controls

Manual journal entries at month-end are a high-risk area in financial reporting.

Journal entry manipulation occurs regularly in smaller companies where month-end adjustments are made without adequate review.

Common problems: entries posted without support, no independent review, backdated entries, superuser bypass, or no analytics to detect unusual patterns.

Fix: Define who can post journals, required documentation, approval thresholds, and escalation rules. Use data analytics to flag unusual entries, such as postings outside business hours or by superusers.
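The analytics step of this fix, as an added example that is not the article's or PKC's own code: a review rule set run over constructed journal-entry records, flagging postings outside business hours or on weekends, postings by superuser or generic IDs, above-threshold entries that lack an independent approver, entries backdated into a closed period, and entries with no supporting document. The ₹10 lakh threshold, business hours, user IDs and entries are all constructed.

```python
"""Period-end journal entry analytics: flag entries that need independent review.

Added example, not from the original article. Field names, thresholds,
business hours, user IDs and the sample entries are constructed.
"""
from datetime import datetime, date

# Constructed policy parameters (in practice taken from the company's JE policy).
BUSINESS_HOURS = (8, 20)              # postings expected between 08:00 and 20:00 local time
APPROVAL_THRESHOLD = 10_00_000        # ₹10 lakh: at or above this, an independent approver is required
SUPERUSERS = {"SAP_ALL", "sysadmin"}  # generic / superuser IDs that should never post journals
PERIOD_END = date(2024, 3, 31)        # the period being closed
BACKDATE_TOLERANCE_DAYS = 5           # entries into the period more than this many days after it are suspect

# Constructed sample journal entries in the shape of an ERP export.
JOURNALS = [
    {"doc": "JE-1001", "amount": 2_50_000, "posted_by": "gl_user1", "approved_by": "fin_ctrl",
     "posting_date": date(2024, 3, 28), "entry_time": datetime(2024, 3, 28, 15, 10), "support": "ACC-77"},
    {"doc": "JE-1002", "amount": 15_00_000, "posted_by": "gl_user1", "approved_by": "gl_user1",
     "posting_date": date(2024, 3, 31), "entry_time": datetime(2024, 3, 31, 22, 45), "support": ""},
    {"doc": "JE-1003", "amount": 4_00_000, "posted_by": "sysadmin", "approved_by": "fin_ctrl",
     "posting_date": date(2024, 3, 29), "entry_time": datetime(2024, 3, 29, 11, 0), "support": "MEMO-3"},
    {"doc": "JE-1004", "amount": 12_00_000, "posted_by": "gl_user2", "approved_by": "fin_ctrl",
     "posting_date": date(2024, 3, 31), "entry_time": datetime(2024, 4, 12, 10, 30), "support": "PROV-9"},
    {"doc": "JE-1005", "amount": 90_000, "posted_by": "gl_user2", "approved_by": "",
     "posting_date": date(2024, 3, 29), "entry_time": datetime(2024, 3, 30, 9, 5), "support": "ACC-78"},
]


def review_flags(je, period_end=PERIOD_END):
    """Return the reasons an entry should go to independent review (empty list if none)."""
    reasons = []
    t = je["entry_time"]
    # Unusual timing: outside business hours or on a weekend (Saturday=5, Sunday=6).
    if not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]) or t.weekday() >= 5:
        reasons.append("posted outside business hours")
    # Generic or superuser IDs bypass the normal posting workflow and break accountability.
    if je["posted_by"] in SUPERUSERS:
        reasons.append("posted by superuser/generic ID")
    # Above threshold: an approver is required and must not be the poster.
    if je["amount"] >= APPROVAL_THRESHOLD:
        if not je["approved_by"]:
            reasons.append("above threshold with no approver")
        elif je["approved_by"] == je["posted_by"]:
            reasons.append("above threshold, self-approved")
    # Backdated: keyed well after period end but posted into the period being closed.
    if je["posting_date"] <= period_end and (t.date() - period_end).days > BACKDATE_TOLERANCE_DAYS:
        reasons.append("backdated into closed period")
    # Every manual journal needs a supporting document reference.
    if not je["support"]:
        reasons.append("no supporting document reference")
    return reasons


def analyse(journals=JOURNALS, period_end=PERIOD_END):
    """Map document number -> reasons, for every entry with at least one flag."""
    return {je["doc"]: r for je in journals if (r := review_flags(je, period_end))}


if __name__ == "__main__":
    for doc, reasons in analyse().items():
        print(doc, "->", "; ".join(reasons))
```

The flagged list is the input to the independent review step, and the reviewer's sign-off on each flagged document is the evidence the auditor will sample.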

5. Weak Related-Party Transaction Controls

In family-owned or group companies, related-party transactions are frequent. 

Failures include outdated registers, normal workflows bypassing review, retrospective audit committee approvals, and unbenchmarked pricing.

Fix: Maintain a complete, up-to-date related-party register. Flag transactions in the ERP for review before execution, and ensure audit committee approval is obtained in advance.

6. Vendor Master and Customer Master Controls Are Weak

Fraud risk arises when vendor/customer information is poorly controlled. 

Common issues: no formal onboarding, unverified PAN/GST/bank accounts, duplicate accounts, dormant accounts still active.

Fix: Segregate master data management from payment processing, verify all new vendors with independent checks, maintain approval workflows, and regularly review duplicates and inactive accounts.

7. IFC Framework Not Updated After Business Changes

Mergers, ERP migrations, new product lines, or restructuring often leave controls outdated, making them unreliable and creating gaps.

Fix: Embed IFC updates into change management. Internal audit should trigger reviews and escalate updates to the CFO and audit committee. Conduct quarterly reviews instead of only updating before audits.

FAQs

Does IFC apply to private limited companies?

Yes. Section 134(5)(e) applies to all companies, including private limited companies, unless specifically exempted (e.g., One Person Companies and small companies under Section 2(85)). While the compliance burden may be lighter for small companies, directors are still required to state that they have laid down adequate internal financial controls.

How is IFC testing different from internal audit?

Internal audit is a broader function covering operational efficiency, risk management, and compliance. IFC testing is specifically focused on controls over financial reporting. However, internal audit often performs IFC testing to support management’s assessment, which the statutory auditor may rely upon, subject to their own evaluation.

How does PKC help with IFC compliance?

PKC India provides comprehensive IFC advisory and assurance services. Our approach involves gap assessment against the Companies Act and ICAI standards, designing and documenting the RCM, conducting independent testing of controls, and assisting management with remediation plans before the statutory audit. For companies undergoing an IFC audit, PKC’s team works to ensure that documentation and testing are audit-ready, reducing the risk of qualifications in the audit report.

What happens if the auditor issues a qualified or adverse IFC opinion?

A qualified or adverse opinion on IFC is a serious matter. It is reported to the Board and the Audit Committee. For listed companies, it may affect stock prices and investor confidence and can trigger a deeper review by the Registrar of Companies (RoC) or the NFRA. The company must immediately put a remediation plan in place and disclose the steps taken to address the deficiencies.

How often should management test controls?

Management should test controls at least annually, but for high-risk controls (e.g., revenue recognition, IT access), testing should be performed more frequently, ideally quarterly. The Companies Act requires that controls be operating effectively throughout the year, so mere point-in-time testing is insufficient.

How PKC can help you

Your dream business is just a click away. Book a FREE 30-minute consultation.

Call us : +91 9176100095
