Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →
Section 143(3)(i) of the Companies Act 2013 requires statutory auditors to opine on ICFR adequacy and operating effectiveness, mapped to the COSO 2013 framework via the ICAI Guidance Note. Reconciliation is the largest ICFR control domain — persistent unreconciled bank items past 90 days or GST ITC gaps above ₹10 lakh are the two most common material-weakness findings.
Each reconciliation is elevated to a documented ICFR control with objective, risk statement, preparer, reviewer, frequency, and aging threshold (typically 15 days to complete, 90 days to resolve exceptions). SA 330 dual-purpose testing selects 25-60 reconciliations per period and verifies on-time preparation, review sign-off, and exception resolution; failure rate above 10% indicates the control is not operating effectively.
ICFR control register linking each reconciliation to COSO component, preparer or reviewer role matrix, aging threshold configuration (15 days preparation, 90 days resolution), and evidence-vault for SA 330 testing.
ICFR-ready reconciliation control documentation, operating-effectiveness evidence for every period, deficiency log tied to material-weakness definitions, and Board-report and AOC-4 disclosure inputs.
A ₹600 crore turnover auto components manufacturer filed its annual report in September with an ICFR opinion that included a paragraph on “deficiency in bank reconciliation control operating effectiveness”. The deficiency was narrow: three branches had failed to close BRS within 15 days of month-end for two consecutive quarters. The consequence was not narrow — the company’s lead lender triggered a covenant review and reduced the sanctioned working capital limit by ₹50 crore. This guide covers what ICFR reconciliation controls look like, how they are tested, and where they fail.
What ICFR Reconciliation Controls Are
ICFR — Internal Financial Controls over Financial Reporting — is the Indian equivalent of a US SOX Section 404 control framework, introduced under the Companies Act, 2013. Section 143(3)(i) requires the statutory auditor to state whether the company has adequate internal financial controls with reference to financial statements, and whether such controls are operating effectively.
Reconciliation is the single largest ICFR control domain for most companies. It spans bank reconciliation, intercompany balances, TDS receivable reconciliation with Form 26AS, GST input credit reconciliation with GSTR-2B, statutory dues (PF, ESI, professional tax), fixed asset reconciliation between FAR and GL, and party balance confirmations. Each is a process-level control under the ICAI Guidance Note on Audit of Internal Financial Controls.
Designing a Reconciliation Control for ICFR
Control Objective Definition
Every reconciliation control must have a documented objective, risk statement, and control description. For bank reconciliation, the objective is “completeness and accuracy of cash and bank balances in financial statements”; the risk is “cash and bank balances are overstated or understated due to unreconciled items”; the control description specifies preparer, reviewer, frequency, and aging threshold.
Segregation of Duties
The preparer cannot be the reviewer. A typical design assigns preparation to a finance executive at the transactional level and review to the finance manager at the policy level, with escalation to the CFO for exceptions exceeding a defined materiality (commonly 0.5% of revenue or ₹25 lakh, whichever is lower).
Timeliness and Evidence
The control must operate within a defined timeline — typically 15 days post month-end for bank reconciliation, 20 days for GST, and 30 days for TDS receivable. Evidence of operation includes the signed reconciliation, the exception log with aging, and the review sign-off. Missing any one of these means the control did not operate for that period.
ICFR Reconciliation Control Testing Matrix
| Reconciliation Area | Control Type | Test Method | Failure Threshold |
|---|---|---|---|
| Bank reconciliation | Detective | Re-perform 20 BRS from period | Over 10% missed aging policy |
| TDS receivable vs Form 26AS | Detective | Sample 25 parties, verify match | Over 15% unreconciled beyond 90 days |
| GST ITC vs GSTR-2B | Preventive + Detective | Compare ITC claimed vs 2B for 3 months | Variance above ₹10 lakh unexplained |
| Intercompany balances | Detective | Confirm 100% of group balances | Any unreconciled over ₹5 lakh |
| Fixed asset register vs GL | Detective | Full reconciliation annually | Any variance without journal support |
| Statutory dues (PF/ESI/PT) | Preventive | Match challan to liability ledger | Any challan not matched within month |
Where ICFR Reconciliation Controls Fail in India
Three failure patterns drive most ICFR qualifications for Indian companies. First, bank reconciliation preparation happens but review is delayed — a preparer sign-off without a reviewer sign-off within the policy window counts as a control failure. Second, TDS receivable reconciliation with Form 26AS is run quarterly rather than monthly, so mismatches age past the correction return window and become writebacks at year-end, which the auditor classifies as a material weakness. Third, GST input credit reconciliation is done at the summary level (total ITC claimed vs total ITC in 2B) rather than at the line level, which hides offsetting errors that surface during GST scrutiny under Section 65 of the CGST Act.
The ICAI Guidance Note explicitly requires line-level testing for high-risk controls. A reconciliation audit trail with time-stamped preparer and reviewer sign-offs, exception logs with aging, and evidence of escalation is the documentation standard the statutory auditor will request during ICFR testing.
For companies running high-volume reconciliation — typically 1,000+ monthly bank transactions, 200+ TDS deductor relationships, or 500+ GST vendor invoices — manual reconciliation cannot meet the ICFR timeliness and evidence standard consistently. TransactIG’s reconciliation infrastructure generates the control evidence (preparer, reviewer, aging, exception log) automatically, which converts ICFR testing from a documentation reconstruction exercise into a query of the system log. For TDS-specific ICFR testing, TDS reconciliation software that continuously syncs with Form 26AS removes the quarterly-backlog pattern that most commonly triggers a material weakness. The Companies Act framework and current ICFR notifications are published on the Ministry of Corporate Affairs website.
The FAQs below address the most common questions raised by audit committees and CFOs during ICFR readiness reviews.