Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →
Indian subsidiaries of US-listed parents sit inside both SOX Section 404 (PCAOB AS 2201) and ICFR Section 143(3)(i), with material-subsidiary scope at 5% of consolidated revenue or assets. SOX demands quarterly CEO/CFO sub-certifications while ICFR is annual — reconciliation key controls (bank, intercompany, GSTR-2B, Form 26AS, payroll gross-to-net) are tested under both.
Each reconciliation is documented as a SOX Key Control with assertion mapping (existence, completeness, accuracy, valuation, rights, presentation). Testing runs dual-purpose under PCAOB AS 2201: preparer plus reviewer plus sign-off-date verified for 30-80 key controls, with exception tracking aligned to material-weakness thresholds. The same controls are cross-referenced to ICAI SA 610 evidence for ICFR reporting to minimise duplicate testing.
Key Control register mapped to financial-statement assertions, quarterly sub-certification cadence, PCAOB plus ICAI evidence-vault integration, and US-IST sign-off timing rules.
Quarterly SOX sub-certification evidence pack, annual ICFR operating-effectiveness testing output, material-weakness tracker with remediation plan, and dual-framework audit trail for parent 10-K plus Indian Board Report.
A ₹1,200 crore turnover Indian IT services subsidiary of a Nasdaq-listed parent closed its books on the 5th of each month. The parent’s SOX framework required quarterly management sub-certification. In one quarter, the subsidiary’s GSTR-2B reconciliation showed a ₹3.2 crore variance that was not closed within the SOX documentation window. The Indian CFO signed the sub-certification with a disclosed exception. The parent reported a significant deficiency in the 10-K. This guide covers what SOX reconciliation testing looks like for Indian subsidiaries and how it overlaps with ICFR.
What SOX Compliance Is for Indian Subsidiaries
Sarbanes-Oxley (SOX) is the US law enacted in 2002 that requires public companies listed on US exchanges to certify the effectiveness of internal controls over financial reporting. Section 404 mandates an annual opinion by management and by the external auditor. PCAOB Auditing Standard 2201 (An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements) governs the external auditor’s work.
For an Indian subsidiary of a US-listed parent, the parent’s PCAOB-registered auditor extends testing to the subsidiary if it is material to consolidated financial statements. Materiality thresholds are typically 5% of consolidated revenue or total assets, though qualitative factors (regulatory exposure, new acquisitions, significant transactions) can bring a smaller subsidiary into scope.
How SOX Reconciliation Testing Works
Scoping and Risk Assessment
The group auditor identifies significant accounts (cash, accounts receivable, revenue, intercompany, tax, inventory) at the consolidated level and traces them back to the subsidiaries where they originate. Key controls are selected by mapping significant accounts to process-level controls. Reconciliation controls almost always qualify as key controls because they address multiple assertions simultaneously (completeness, accuracy, existence).
Design Effectiveness Testing
For each key control, the auditor performs a walkthrough to verify the control is designed to achieve its objective. A bank reconciliation walkthrough confirms that the control description matches actual operation: preparer identified, reviewer identified, aging threshold defined, exception escalation path documented. A missing element constitutes a design deficiency.
Operating Effectiveness Testing
For controls that pass design testing, the auditor selects a sample (typically 25 to 60 operations per year depending on control frequency) and re-performs each. For a monthly bank reconciliation, this usually means 3 to 4 samples out of 12 monthly operations for a low-risk account and 12 out of 12 (population testing) for a high-risk account.
SOX vs ICFR Reconciliation Testing Comparison
| Dimension | SOX Section 404 | ICFR Section 143(3)(i) |
|---|---|---|
| Governing standard | PCAOB AS 2201 | SA 610 + ICAI Guidance Note |
| Materiality level | Consolidated group | Individual company |
| Management certification frequency | Quarterly (CEO/CFO sub-cert) | Annual (Board opinion) |
| External auditor qualification | PCAOB-registered firm | ICAI-registered CA firm |
| Key control population | 30 to 80 at subsidiary | All reconciliation controls testable |
| Material weakness disclosure | 10-K filing + 8-K event | Audit report + MCA filings |
| Documentation standard | PCAOB-defined evidence test | ICAI evidence requirements |
Where Indian Subsidiaries Fail SOX Reconciliation Testing
Three failure patterns dominate SOX findings at Indian subsidiaries. First, intercompany balance reconciliation with the US parent is run monthly at the subsidiary but consolidated quarterly at the parent — timing mismatches that rise above the materiality threshold trigger a significant deficiency. Second, GST input credit reconciliation is an India-specific control that the US parent auditor does not always scope correctly; a ₹5 to ₹25 crore ITC exposure at an Indian subsidiary can escalate to a group-level material weakness if the control is undocumented. Third, TDS receivable reconciliation with Form 26AS has no US analogue, so the PCAOB auditor often defers to the local ICFR testing — any ICFR qualification automatically affects the SOX opinion.
The resolution is to treat India-specific reconciliations (TDS with Form 26AS, GST ITC with GSTR-2B, NACH returns if the subsidiary has lending operations) as SOX-in-scope by default and document them with the same evidence standard as cash reconciliation. A reconciliation audit trail with time-stamped preparer and reviewer sign-offs, exception aging, and escalation records is what the PCAOB audit team will request during subsidiary fieldwork.
High-volume Indian subsidiaries — those processing 2,000+ monthly bank transactions or 500+ GST vendor invoices — consistently find that manual reconciliation does not meet the SOX evidence standard. TransactIG’s reconciliation infrastructure produces the preparer, reviewer, and aging evidence automatically, and is configured for Indian statutory reconciliations that the global parent’s control framework often does not cover. For GST-specific SOX testing, purpose-built GST reconciliation software closes the documentation gap that typically surfaces during quarterly sub-certifications. The ICAI Guidance Note on ICFR, which aligns closely with COSO 2013, is the primary technical reference for Indian SOX testing and is published by the Institute of Chartered Accountants of India.
The FAQs below cover the most common scoping and testing questions raised by Indian CFOs and US group controllers during SOX readiness reviews.