ICFR Assessment and Risk Assessment in India: Framework, Process & Best Practices
In India’s growing governance, environment, financial trust and accountability are important for business sustainability. A well-structured ICFR assessment assures that financial statements are correct, trustworthy and free from material misstatement. At the core of this framework lies a strengthening ICFR risk assessment, which navigates businesses to identify and mitigate financial reporting risks properly
The article explains the ICFR framework, process and legal landscape in India, and why partnering with MBG can strengthen your ICFR implementation.
What Is ICFR Assessment?
An ICFR assessment explains the management’s evaluation of the design and operating effectiveness of Internal Control over Financial Reporting (ICFR)
It involves assessing whether:
- Financial reporting risks are properly addressed through well-designed controls.
- Controls are operated effectively during the reporting period.
- Financial statements are accurately prepared in compliance with applicable standards.
The goal of an ICFR assessment is to protect against material misstatements caused by error or fraud and to ensure the reliability of financial reporting.
Although ICFR assessments can be framework-neutral, most Indian organisations align their approach with the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework, which provides globally accepted principles for internal control evaluation.
What Is ICFR Risk Assessment?
An ICFR risk assessment is the foundation of the entire ICFR process. It identifies financial reporting risks that could result in material misstatements.
Risk assessment is performed at three levels:
Entity-Level
Covers governance oversight, tone at the top, ethics policies, and overall financial control culture.
Process-Level
Focuses on key financial processes such as revenue, procurement, inventory, payroll, and financial close.
Account & Assertion-Level
Targets specific line items like revenue, receivables, provisions, and fixed assets, along with assertions such as completeness, accuracy, valuation, and cut-off.
The ICFR methodology follows a structured sequence:
- Risks are detected.
- Controls that reduce those risks are mapped.
- Controls are tested for operating effectiveness.
A robust ICFR risk assessment ensures resources are dedicated to high-risk areas rather than adopting a checklist-based approach.
ICFR Framework Commonly Used in India
The most widely adopted framework for ICFR assessment in India is the COSO Internal Control Framework.
The COSO framework is structured around five components:
- The control environment is established to set the tone of governance and ethical conduct within the organisation,
- Risks are identified, analysed, and assessed to determine their potential impact on objectives.
- Control activities are designed and implemented to reduce the detected risks.
- Relevant information is gathered, processed, and communicated to support effective decision-making.
- Monitoring activities are performed to evaluate the effectiveness of internal controls on an ongoing basis.
Indian companies prefer COSO because it:
- Global reporting expectations are aligned with.
- Multinational group audits are supported.
- Investors’ governance standards are met.
- Flexibility is provided for both listed and unlisted entities.
COSO allows organisations to implement a scalable and risk-based ICFR structure without overly complex compliance language.
ICFR Assessment Process
An effective ICFR assessment follows a structured, risk-based approach:
- Scoping & Materiality Assessment : Significant accounts and disclosures are detected based on quantitative and qualitative materiality thresholds
- ICFR Risk Assessment : Entity-level, process-level, and account-level risk are detected. Financial reporting risks are documented and prioritised.
- Control Design Evaluation : Controls are assessed to determine whether they are adequately designed to mitigate the potential risks.
- Operating Effectiveness Testing : Walkthrough, sample-based testing, and documentation reviews are conducted to confirm that controls operated effectively during the period.
- Deficiency Evaluation & Remediation : Evaluate control gaps, classify deficiencies, and implement corrective actions.
A risk-based ICFR assessment improves efficiency, strengthens governance, and supports smoother statutory audits.
ICFR Assessment vs Internal Audit
Although related, ICFR and internal audit serve distinct objectives.
| ICFR Assessment | Internal Audit |
| Financial reporting assurance is focused on | Broader governance and operational assurance |
| A control-centric approach is adopted | Process-centric |
| Financial reporting controls are evaluated | Reviews enterprise-wide risks |
ICFR assessment provides targeted assurance over financial statement reliability, while internal audit offers broader organisational risk insights.
Common ICFR Risks Identified in Indian Companies
Practical ICFR risk assessment exercises often identify recurring risk areas:
- Revenue recognition errors and cut-off issues
- Manual journal entries and management override risks
- IT general control weaknesses (access and change management)
- Related party transaction disclosures
- Consolidation and reporting timeline pressures
Addressing these through a structured ICFR assessment significantly enhances reporting reliability.
Why Choose MBG?
Choosing the right advisory partner is considered important for successful ICFR implementation. Specialised expertise in ICFR assessment and risk evaluation is being provided by MBG Corporate Services across industries. A risk-based approach is adopted, sector – specific risk are understood, legal alignment is ensured, remediation support is provided, and audit- ready documentation is prepared, allowing ICFR to be positioned as a value-enhancing governance approach.





