Internal Financial Controls over Financial Reporting (ICFR) for unlisted companies: what the FY 2025-26 audit cycle needs
By Siddharth Venkateshwaran & Rashim Gupta · Audit
The ICFR obligation in 2026
Section 143(3)(i) of the Companies Act 2013 has been in force since 1 April 2015. The wording is short: the auditor's report shall state, among other things, "whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls." The obligation is on the auditor, but its practical impact falls on the company's finance and operations teams.
Three things have shifted in 2026 to make ICFR more material than it was five years ago. First, the National Financial Reporting Authority (NFRA) has tightened its quality reviews of audit firms, and ICFR audit work is one of the deliverables most scrutinised in those reviews. Second, the ICAI's peer review board has rolled out a higher bar for ICFR working papers. Third, several recent NCLT and tribunal orders have cited ICFR deficiencies as contributing factors in fraud cases, including Section 447 actions, which makes board-level attention to ICFR a governance priority and not just an audit deliverable.
The carve-out under Notification dated 13 June 2017 exempts one-person companies (OPCs) and small companies (paid-up below ₹4 crore, turnover below ₹40 crore). Every other Indian company, including the very large unlisted private sector, is within scope.
What "adequate internal financial controls" actually means
The Companies Act does not define "adequate internal financial controls", but the Explanation under Section 134(5)(e) lists what management must consider: policies and procedures adopted by the company for the orderly and efficient conduct of business, the safeguarding of assets, the prevention and detection of fraud and errors, the accuracy and completeness of accounting records, and the timely preparation of reliable financial information.
The ICAI Guidance Note 2014 operationalises this into five interrelated components, aligned with the COSO Internal Control Framework: control environment, risk assessment, control activities, information and communication, monitoring activities. The auditor evaluates each of these components at the entity level and supplements with process-level testing for the material business cycles.
In practice, the entity-level controls assessment is a 2- to 3-day exercise (tone at the top, segregation of duties at the board level, whistleblower mechanism, code of conduct, IT general controls). The process-level testing is the bulk of the work, typically covering the revenue cycle, procurement cycle, payroll cycle, fixed assets cycle, treasury cycle, and financial close cycle.
The top-down risk-based approach
The ICAI Guidance Note prescribes a top-down approach that mirrors the SOX 404 methodology but is scaled for Indian unlisted entities.
Step 1: Material accounts and disclosures. Identify the line items in the balance sheet and P&L that are individually material or that are sensitive even at sub-materiality (related-party transactions, deferred tax, contingent liabilities).
Step 2: Significant accounts and processes. Map each material account to the underlying business process(es). Revenue maps to the revenue cycle; trade payables map to the procurement cycle; employee benefits map to the payroll cycle; tax expense maps to the financial close cycle.
Step 3: Risks of material misstatement. For each significant account, identify the specific risks. For revenue: revenue recognised before performance obligation is satisfied (Ind AS 115); revenue recognised for cancelled orders; cut-off errors at year-end.
Step 4: Controls that address those risks. For each risk, identify one or more controls. The control is the specific procedure that prevents or detects the misstatement.
Step 5: Testing of operating effectiveness. For each control identified in Step 4, design and execute a test of operating effectiveness over the financial year.
The risk-and-control matrix
The RCM is the documentation backbone. A well-built RCM has one row per control with the following columns: control ID, cycle, sub-process, risk addressed, control description, control owner role, frequency (daily, weekly, monthly, quarterly), control type (preventive or detective, manual or automated), test procedure, sample size, test results, and conclusion.
A typical unlisted manufacturing company at ₹200 crore turnover will have 80 to 120 controls in the RCM. A SaaS company at ₹100 crore turnover will have 50 to 70 controls. A real estate developer at ₹500 crore turnover with project-level accounting can have 200-plus controls.
The RCM is built jointly by the audit team and the company's finance and operations leadership in the design phase. It is then frozen for the testing phase. Changes to the RCM mid-year (because a new process is rolled out, a system migration happens, or a control is redesigned) are documented with effective dates.
Sample controls: the revenue cycle
The revenue cycle is typically the highest-risk cycle and the most-tested. Sample controls for an unlisted SaaS company:
Order acceptance. Customer purchase order matched to approved price list; new customers cleared through credit policy with finance head sign-off; orders above ₹10 lakh approved by CFO via DocuSign with timestamped audit trail.
Performance obligation tracking. SaaS contracts loaded into Salesforce with start date, term, and committed deliverables; monthly review of unfulfilled deliverables by Customer Success Head; contracts with non-standard terms (any non-templated clause) flagged for revenue ops review.
Invoice generation. Invoices generated from billing system based on contract milestones; weekly reconciliation between Salesforce milestone log and invoice register by Revenue Ops; invoice batch authorised by Revenue Controller before email despatch.
Revenue recognition. Monthly revenue close run on day 5 by Senior Manager Finance; Ind AS 115 over-time versus point-in-time treatment reviewed against contract terms by Finance Controller; deferred revenue waterfall reconciled to total contract value monthly.
Cut-off. Year-end revenue recognition reviewed through an external auditor walkthrough of the last 2 weeks of the FY; bilateral confirmation of deliverables sent to top 10 customers as part of audit; subsequent receipts post year-end reviewed for goods or services delivered in the preceding period.
Sample controls: the procurement cycle
Vendor onboarding. Vendor empanelment requires KYC pack (PAN, GST, MSME, ownership pattern); vendor master changes routed through 2-person workflow (creator + approver) in ERP.
Purchase requisition. PR raised by line manager up to ₹50,000; ₹50,000 to ₹5,00,000 approved by head of department; above ₹5,00,000 approved by CFO; above ₹50,00,000 approved by managing director.
Purchase order. PO matched to PR in ERP; PR-PO mismatch held in exception queue and cleared by Procurement Head weekly; PO above ₹10 lakh issued only after vendor MSME / non-MSME classification is on file.
Goods receipt and three-way match. Goods received note matched to PO quantity and to invoice quantity in ERP; three-way match exceptions flagged daily; payment held until exceptions are resolved.
Vendor payment. Payment batch prepared by AP Executive; reviewed by AP Manager; released by CFO or Finance Controller; bank file uploaded to net banking by treasury team with maker-checker.
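Two of the procurement controls above are mechanical enough to run as checks over exported ERP data: the tiered PR approval ladder and the three-way match that holds payment on any quantity exception. The following is an added example and not KAMRIT's or any ERP vendor's code; it assumes that an amount exactly on a threshold falls in the lower band (₹50,000 needs only the line manager) and that approvals accumulate up the ladder (a ₹60 lakh PR carries all four sign-offs), neither of which the text states explicitly.

```python
"""Added example (not KAMRIT's or any ERP's code): two procurement-cycle
controls from the text as runnable checks.

Assumptions (not stated on the page):
  * a PR whose amount equals a threshold stays in the lower band;
  * approvals are cumulative, so higher bands add to, not replace, lower ones.
"""

# Rupee thresholds from the text: (inclusive upper bound, approver role).
THRESHOLDS = [
    (50_000, "line manager"),
    (5_00_000, "head of department"),
    (50_00_000, "CFO"),
]
TOP_APPROVER = "managing director"  # above the last threshold


def required_approvals(amount):
    """Return the approval chain a purchase requisition of `amount` rupees needs."""
    if amount <= 0:
        raise ValueError("PR amount must be positive")
    chain = []
    for bound, role in THRESHOLDS:
        chain.append(role)
        if amount <= bound:
            return chain
    chain.append(TOP_APPROVER)
    return chain


def missing_approvals(amount, signoffs):
    """Roles that still have to sign before the PR can become a PO."""
    return [role for role in required_approvals(amount) if role not in signoffs]


def three_way_match(po, grn, invoice):
    """Compare PO, goods receipt note and invoice quantities per line item.

    Each argument maps item code -> quantity. A line is an exception when it
    is missing from any document or the three quantities disagree.
    """
    exceptions = []
    for item in sorted(set(po) | set(grn) | set(invoice)):
        qty = (po.get(item), grn.get(item), invoice.get(item))
        if None in qty or len(set(qty)) != 1:
            exceptions.append(f"{item}: PO={qty[0]} GRN={qty[1]} INV={qty[2]}")
    return exceptions


def payment_releasable(po, grn, invoice):
    """Control: payment is held until every three-way-match exception is cleared."""
    return not three_way_match(po, grn, invoice)


# Constructed sample documents for one purchase order.
PO = {"SKU-1": 100, "SKU-2": 20}
GRN = {"SKU-1": 100, "SKU-2": 18}             # short delivery on SKU-2
INVOICE = {"SKU-1": 100, "SKU-2": 20, "SKU-3": 5}  # billed for an item never ordered

if __name__ == "__main__":
    print(required_approvals(6_00_000))
    print(missing_approvals(6_00_000, {"line manager", "head of department"}))
    for exc in three_way_match(PO, GRN, INVOICE):
        print("exception:", exc)
    print("release payment:", payment_releasable(PO, GRN, INVOICE))
```

On the constructed documents the match raises two exceptions (the SKU-2 short delivery and the SKU-3 line that appears only on the invoice), so the payment stays on hold; the same function run on the PO against itself returns no exceptions and releases.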
Sample controls: the payroll cycle
Onboarding. New hire master loaded by HR Ops with offer letter, joining letter, Aadhaar, PAN, and bank account; master change requires manager approval workflow; master change log reviewed monthly by Payroll Manager.
Monthly payroll. Time and attendance pulled from HRMS; variable pay loaded from approved performance tracker; payroll register reconciled to prior month with variance explanations for any change above 5 percent at line-item level; payroll register reviewed by Payroll Manager and signed by HR Head before bank upload.
Statutory deductions. TDS computed by HRMS payroll engine; PF, ESI, PT, LWF deducted per state; statutory deposit challans generated and paid by due dates; quarterly reconciliation of TDS register to Form 24Q filed.
Full and final settlement. F&F triggered by HR on resignation acceptance; clearance from manager, IT, admin, and finance routed through HRMS workflow; F&F calculation reviewed by Payroll Manager; gratuity and leave encashment approved by Finance Controller.
The common gaps the FY 2025-26 audit will surface
KAMRIT's audit desk has been running ICFR engagements for unlisted clients for 10 years. The recurring gap patterns:
No formal segregation of duties. A single accountant raises invoices, posts them, and reconciles the bank. The board has never sat down with a SoD matrix.
Vendor master changes without dual control. Single user in the ERP can add a new vendor, change bank details, and approve the next payment.
Bank reconciliation done by the same person who handles cash. A single treasury executive both reconciles and pays.
Credit limits set at customer onboarding and never revisited. A customer with a ₹50 lakh credit limit, set in 2019, still has that limit in 2026 despite changed risk profile.
No documented financial close calendar. Monthly close is "by the 10th" but nobody can produce a journal entry log with approvals for the last 6 months.
Each of these maps to a deficiency in the ICAI framework. None is by itself a "material weakness" under the Guidance Note, but in combination they support a qualified opinion on Section 143(3)(i).
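The first three gaps above are visible in ordinary ERP exports: a user-to-role listing and the vendor master change log. The following is an added example, not KAMRIT's methodology or any ERP's built-in feature, of turning them into detections. The conflict matrix, user names and log records are constructed for illustration.

```python
"""Added example (not KAMRIT's or any ERP's code): detect segregation-of-duties
conflicts and vendor-master changes that bypassed dual control, from constructed
ERP exports.
"""
from collections import defaultdict
from itertools import combinations

# Constructed SoD matrix: role pairs one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"raise_invoice", "post_invoice"}),
    frozenset({"post_invoice", "reconcile_bank"}),
    frozenset({"handle_cash", "reconcile_bank"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"change_vendor_bank", "approve_payment"}),
    frozenset({"prepare_payment", "release_payment"}),
}


def sod_violations(assignments):
    """assignments: iterable of (user, role). Returns sorted (user, role_a, role_b) tuples."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    hits = []
    for user, roles in roles_by_user.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                hits.append((user, a, b))
    return sorted(hits)


def vendor_changes_lacking_dual_control(change_log):
    """Flag vendor master changes with no approver, or approved by the person who made them."""
    return [rec for rec in change_log
            if not rec.get("approved_by") or rec["approved_by"] == rec["changed_by"]]


def payments_approved_by_vendor_editor(change_log, payments):
    """Flag payments approved by someone who edited that vendor's master record."""
    editors = defaultdict(set)
    for rec in change_log:
        editors[rec["vendor"]].add(rec["changed_by"])
    return [p for p in payments if p["approved_by"] in editors[p["vendor"]]]


# Constructed exports.
ASSIGNMENTS = [
    ("asha", "raise_invoice"), ("asha", "post_invoice"), ("asha", "reconcile_bank"),
    ("ravi", "handle_cash"), ("ravi", "reconcile_bank"),
    ("meera", "prepare_payment"), ("dev", "release_payment"),
]
CHANGE_LOG = [
    {"vendor": "V-1001", "field": "bank_account", "changed_by": "ravi", "approved_by": "meera"},
    {"vendor": "V-1002", "field": "bank_account", "changed_by": "ravi", "approved_by": None},
    {"vendor": "V-1003", "field": "gstin", "changed_by": "asha", "approved_by": "asha"},
]
PAYMENTS = [
    {"vendor": "V-1001", "amount": 2_50_000, "approved_by": "ravi"},
    {"vendor": "V-1001", "amount": 90_000, "approved_by": "dev"},
]

if __name__ == "__main__":
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {a} and {b}")
    for rec in vendor_changes_lacking_dual_control(CHANGE_LOG):
        print("no dual control:", rec)
    for pay in payments_approved_by_vendor_editor(CHANGE_LOG, PAYMENTS):
        print("payment approved by vendor editor:", pay)
```

On the constructed data this reports three SoD conflicts (the single accountant who raises, posts and reconciles, and the treasury executive who both handles cash and reconciles the bank), two vendor changes without a second person, and one payment to a vendor approved by the user who had edited that vendor's bank details. Each finding corresponds to one row to raise in the RCM as a design deficiency.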
Where KAMRIT positions the ICFR engagement
KAMRIT runs ICFR as an integrated engagement with the statutory audit, with a designated ICFR partner separate from the statutory audit signing partner. The design assessment is conducted in the first half of the FY (July to October), and the testing is conducted in the second half (January to April). The opinion is issued together with the statutory audit report.
For clients that have never done a formal ICFR engagement (typically family-owned businesses that grew past ₹100 crore turnover), KAMRIT runs a one-time foundational engagement to set up the RCM and the entity-level controls; subsequent years are maintenance-only.
Comparable platform-style ICFR offerings include the Big 4 firms at the upper price band (₹15 to ₹50 lakh for a mid-sized unlisted company) and smaller boutiques at ₹3 to ₹10 lakh. The CAclubindia and TaxGuru editorial coverage is good on the framework but does not replace a working RCM. The KAMRIT positioning is on the mid-market unlisted segment: ₹2 to ₹6 lakh fee, with the RCM kept under version control and the testing evidence retained for NFRA review.
If your unlisted company is preparing for the FY 2025-26 audit and the ICFR opinion has historically been generic, talk to KAMRIT about a foundational engagement this quarter. The intake-to-design cycle is 6 weeks; testing runs alongside the statutory audit. Send a brief to the Statutory Audit page or start a conversation with a senior partner.
Co-Author - Rashim Gupta, Managing Partner
Frequently asked
Does ICFR apply to unlisted private companies?
Yes. Section 143(3)(i) of the Companies Act 2013 requires the auditor of every company (listed and unlisted, public and private) to report on whether the company has adequate internal financial controls with reference to financial statements in place and whether such controls are operating effectively. The MCA carved out one-person companies and small companies via Notification dated 13 June 2017, but every other company, including private companies above ₹2 crore paid-up capital or ₹20 crore turnover, is within scope.
What is the difference between ICFR for listed companies and ICFR for unlisted companies?
The statutory wording is identical under Section 143(3)(i); the obligation applies equally. The difference is in audit rigour and documentation depth. Listed companies follow the SOX-aligned framework with extensive control testing, formal management certification, and quarterly walkthroughs. Unlisted companies follow the ICAI Guidance Note 2014 framework, which is principle-based and allows the auditor to scale the work to the size and complexity of the business. The auditor's reporting opinion, however, is the same form of words.
What is the ICAI Guidance Note 2014 on ICFR?
The ICAI Guidance Note on Audit of Internal Financial Controls Over Financial Reporting, issued in September 2014, is the operative framework for ICFR audits in India. It walks the auditor through the planning, risk identification, control identification, testing, and reporting phases. The framework adopts a top-down risk-based approach: identify material accounts and disclosures, identify risks of material misstatement, identify controls that address those risks, and test the operating effectiveness of those controls. The Guidance Note remains in force in 2026 with the original wording.
What is a risk-and-control matrix (RCM) for ICFR?
The RCM is the central documentation deliverable of an ICFR engagement. It is a row-per-control schedule covering: the business cycle (revenue, procurement, payroll, fixed assets, financial close), the specific risk being addressed (e.g., revenue recognised before goods are delivered), the control description (e.g., shipping report reconciled to invoice register weekly), the control owner, the frequency, the type (preventive or detective, manual or automated), and the test of operating effectiveness. KAMRIT maintains the RCM as the bridge between the design assessment and the audit opinion.
What are the most common ICFR gaps in unlisted companies?
Five recurring gaps: (1) no formal segregation of duties between cash-handling and bank reconciliation roles, (2) no documented credit limit policy for customer billing, (3) procurement approval thresholds set at the system level but not periodically reviewed by the board, (4) payroll changes pushed to bank without a second-person review, (5) financial close cycle compressed below 5 working days with no formal review of journal entries above a materiality threshold. Each of these maps to a specific control deficiency under the ICAI framework.
How does KAMRIT scope an ICFR engagement for an unlisted client?
KAMRIT scopes ICFR as a two-phase engagement. Phase 1 (4 to 6 weeks) is the design assessment: walk the auditor through each business cycle, document the existing controls, identify gaps, and produce a draft RCM. Phase 2 (2 to 4 weeks) is the testing phase, where the audit team samples transactions and tests whether the controls operated as designed during the FY. The deliverables are an RCM, a control deficiency memo with management action plan, and the audit opinion language for Section 143(3)(i). Fixed fee from ₹2 lakh for a ₹50 crore turnover unlisted private company.
Ready to act on this?
A senior KAMRIT partner reviews every enquiry within one business day. Pricing is fixed-fee and transparent.