IFC AutoTest — AI-Powered Internal Financial Controls Testing Engine
Author : CA. Prabhava P Hegde
IFC AutoTest is a Python Flask-based, AI-powered audit management platform that digitises the entire Internal Financial Controls (IFC) engagement — from Risk Control Matrix generation to final report — in a single integrated workflow running on a Windows laptop.
| ⚡ | 3 Min | RCM from narrative |
| 📊 | ICAI SIA 5 | Compliant sampling |
| 🤖 | AI + Human | Classification control |
| 📄 | One Click | Consolidated WP & Report |
Under Section 143(3)(i) of the Companies Act 2013, every statutory auditor of a listed company must report on the adequacy and operating effectiveness of Internal Financial Controls. For a company with 8–10 processes, this typically involves 3–4 weeks of manual effort across disconnected Excel files, Word documents, and email threads.
IFC AutoTest eliminates these bottlenecks. It is grounded entirely in Indian standards — ICAI Guidance Note on IFC (September 2015), COSO 2013 Internal Control Framework, and ICAI SIA 5 for sampling — and requires no cloud infrastructure, no database, and no setup beyond a double-click.
Every CA auditing IFC faces the same manual bottlenecks:
IFC AutoTest eliminates all of these bottlenecks in a single integrated platform, with AI handling generation and drafting, and the auditor retaining full control over judgment and classification.
| Layer | Technology | Purpose |
| Backend Framework | Python Flask | Lightweight, auditor-maintainable |
| AI — Generation | Anthropic Claude Sonnet API | RCM, Gap Analysis, Observations, Engagement Summary |
| AI — Classification | Anthropic Claude Haiku API | MW/SD/CD suggestion, control assists — fast + cheap |
| AI Streaming | Server-Sent Events (SSE) | Real-time streaming of AI responses to browser |
| RAG Engine | TF-IDF + Cosine Similarity (scikit-learn) | Grounded on ICAI GN, COSO 2013, Companies Act |
| Data Store | JSON flat files | Zero database dependency — portable, copy-and-run |
| Local Analytics | DuckDB | Tally transaction snapshots (15-min TTL cache) |
| Word Generation | python-docx | Working papers and final report — landscape, formatted |
| Excel Generation | openpyxl | RCM download, WPs, sampling, action tracker |
| PDF Export | Browser print (CSS @media print) | Landscape, no server-side PDF library needed |
| Flowcharts | Mermaid.js | Auto-generated process flowcharts from RCM |
| Markdown Render | marked.js | RAG chatbot and AI responses — no raw symbols |
| Tally Integration | HTTP XML API (port 9000) | Live population pull for sampling |
| Email | Python smtplib + SMTP | Document requests, observations, client communications |
| Public URLs | ngrok (auto-start) | Token-authenticated response forms for clients |
| Deployment | Windows BAT file | Double-click to start — no server, no cloud |
IFC AutoTest comprises 12 integrated modules covering the full lifecycle of an IFC engagement:
| # | Module | Key Features |
| 0 | Engagement Setup | Company creation, period (From/To), engagement reference, auditor name. Period shown permanently in header. |
| 1 | IFC Programme (RCM) | AI RCM generation from narrative. Excel import. Inline editor with version history. Process flowchart (Mermaid). Document checklist with receipt tracking and email. |
| 2 | Sampling | ICAI SIA 5 compliant — frequency + risk level table. Multi-population architecture: different controls linked to different populations. Register upload with column mapping. Seed-based, reproducible. Swap with full log. |
| 3 | Gap Analysis | AI gap identification from walkthrough notes. History saved per run. Send to client with token-based response form. Include-in-report toggle per gap. AI disclaimer. |
| 4 | Test of Design (TOD) | Walkthrough per control. PASS/FAIL/NA. TOD FAIL creates observation pre-filled from RCM. AI suggests classification — auditor must confirm. |
| 5 | Test of Effectiveness (TOE) | Multi-population execution matrix. Grouped by population block. Deviation rates auto-computed. Exception creates pre-filled observation. Progress counter shows cells-tested / total-cells. |
| 6 | Audit Observations | Three tabs: Gap / TOD / TOE observations. KC/NKC + assertions auto-populated from RCM. Classification AI-suggested, amber label until auditor confirms. Batch upload supported. |
| 7 | Communications | Multi-select processes and batches. Email with three sections (Gap / TOD / TOE). Token-authenticated response form — no login for client. Auto-populates management comments. |
| 8 | Action Tracker | Auto-created from non-Pass observations. Status lifecycle: Open → In Progress → Implemented → Verified. Overdue auto-flagged. Comments thread. Excel export. |
| 9 | Final Report | 7-section structured editor. Cover page, Read-Through, Summary Table, Recommendations, Gap Obs, Failed Controls, RCM+TOD+TOE per process. Word (landscape) + PDF export. |
| 10 | Engagement Summary | Process-wise health scores. Expandable observations. Gap summary. Action tracker status. Token-based client share. Email with top-3 observations inline. |
| 11 | RAG Chatbot | Indexed on ICAI GN, COSO 2013, Companies Act s.134/143, SA 300/315/320/330. TF-IDF + cosine similarity. Control ID hyperlinks in responses. Required-doc status check. |
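The token-authenticated response forms (tech stack row "Public URLs" and module 7) are reachable from the internet through ngrok with no client login, so the token is the only access control. The sketch below is an added example, not IFC AutoTest's own code: the function names, the seven-day lifetime, the single-use rule and the `store` dict standing in for a JSON flat file are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed validity window, not stated on the page


def _digest(token):
    """SHA-256 of the token; this, not the token, is what the data store keeps."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(store, batch_id, now=None):
    """Create a link token bound to one observation batch (hypothetical helper)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[_digest(token)] = {
        "batch_id": batch_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token  # goes into the e-mailed URL only, never into the store


def redeem_token(store, token, batch_id, now=None):
    """Return (ok, reason): valid once, for its own batch, before expiry."""
    now = time.time() if now is None else now
    # Lookup is by hash, so the raw token is never compared byte by byte.
    record = store.get(_digest(token if isinstance(token, str) else ""))
    if record is None:
        return False, "unknown"
    if record["batch_id"] != batch_id:
        return False, "wrong-batch"  # a link for one batch cannot open another
    if now > record["expires"]:
        return False, "expired"
    if record["used"]:
        return False, "already-used"
    record["used"] = True  # assumed policy: one submission per link
    return True, "ok"
```

Because only the hash is persisted, a copied engagement folder does not hand over working client links.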
The platform follows the exact sequence of an IFC engagement as mandated by ICAI:
01 Engagement Setup → 02 RCM Generation → 03 Document Checklist → 04 Sampling (ICAI SIA 5) → 05 Test of Design → 06 Test of Effectiveness → 07 Audit Observations → 08 Communications & Responses → 09 Action Tracker → 10 Final Report → 11 Engagement Summary → 12 RAG Chatbot
Paste a plain-language process narrative. Claude Sonnet generates a complete, ICAI-compliant Risk Control Matrix in under 3 minutes — streaming in real time.
| Output Field | Generated Content |
| Sub Process | Auto-grouped from narrative — e.g. Invoice Processing, Payment Authorisation, Reconciliation |
| Risk ID + Description | Unique risk per sub-process with Fraud Risk flag and Risk Level (H/M/L) |
| Control ID + Description | Detailed control description with named process owner and threshold amounts |
| KC / NKC | Key Control classification with yellow highlight on KC rows |
| Assertions | CO / EO / AV / CT / RO / PD — mapped per control |
| Frequency + Nature | Daily/Weekly/Monthly/etc. + Manual/Automated/IT-Dependent |
| TOD Steps + Documents | Specific walkthrough procedures and documents to inspect |
| TOE Steps + Documents | Sample execution procedures and evidence documents |
Sample sizes are derived from a hard-coded ICAI SIA 5 frequency table — never AI-guessed. The basis is always displayed to the auditor.
| Control Frequency | Higher Risk | Moderate Risk | Lower Risk |
| Annual | 2 | 1 | 1 |
| Quarterly | 3 | 2 | 2 |
| Monthly | 5 | 3 | 2 |
| Weekly | 15 | 10 | 5 |
| Daily | 30 | 20 | 15 |
| As and when | 10 | 5 | 3 |
Example display: "30 items — Daily frequency, Higher risk — ICAI SIA 5"
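A sketch of the deterministic path described above: the sample size comes from the hard-coded table, the basis string is built for display, and the draw is seeded so it can be reproduced. This is an added example, not IFC AutoTest's own code; the function names, the voucher register and the handling of small populations are assumptions.

```python
import random

# Sample sizes from the page's ICAI SIA 5 table: (higher, moderate, lower) risk.
SIA5_TABLE = {
    "annual": (2, 1, 1),
    "quarterly": (3, 2, 2),
    "monthly": (5, 3, 2),
    "weekly": (15, 10, 5),
    "daily": (30, 20, 15),
    "as and when": (10, 5, 3),
}
RISK_COLUMN = {"higher": 0, "moderate": 1, "lower": 2}
DASH = " \u2014 "  # separator used in the page's example display string


def sample_size(frequency, risk):
    """Table lookup only; unknown inputs raise instead of falling back to a guess."""
    try:
        row = SIA5_TABLE[frequency.strip().lower()]
        return row[RISK_COLUMN[risk.strip().lower()]]
    except KeyError:
        raise ValueError(f"no SIA 5 entry for {frequency!r} / {risk!r}") from None


def basis(frequency, risk):
    """Basis string shown to the auditor, in the page's display format."""
    n = sample_size(frequency, risk)
    return f"{n} items{DASH}{frequency} frequency, {risk} risk{DASH}ICAI SIA 5"


def draw_sample(population, frequency, risk, seed):
    """Seeded draw: the same register and seed always give the same sample.

    The register is de-duplicated and sorted first so upload order cannot
    change the result; a population smaller than the table size is taken
    in full (assumed behaviour).
    """
    items = sorted(set(population))
    n = min(sample_size(frequency, risk), len(items))
    picked = random.Random(seed).sample(items, n)
    return {"seed": seed, "basis": basis(frequency, risk),
            "population_size": len(items), "sample": sorted(picked)}


# Constructed register of voucher numbers (hypothetical data, not from the page).
REGISTER = [f"PV-{i:04d}" for i in range(1, 251)]
```

Recording the seed alongside the sample is what lets a reviewer re-run the draw and confirm that no item was hand-picked.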
Multi-Population Architecture (Key Innovation)
Different controls within the same process test different populations. IFC AutoTest supports control-level sampling assignment:
The execution matrix automatically groups controls by their assigned population — the only IFC tool that correctly models this real-world audit reality.
IFC AutoTest uses a strict Human-in-the-Loop approach for deficiency classification:
| Code | Classification | Definition (ICAI IFC Guidance Note) |
| MW | Material Weakness | Reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. |
| SD | Significant Deficiency | Deficiency or combination of deficiencies that is less severe than a material weakness but merits attention. |
| CD | Control Deficiency | Design or operating deficiency that does not meet the threshold of SD or MW. |
| ✓ | Pass | Control is designed adequately and operating effectively. No deficiency noted. |
6.4 Final Report — 7-Section Structured Output
The Final Report module assembles all engagement data into a submission-ready document. No AI is used in report generation — it is pure data assembly from the engagement record.
| § | Section | Content |
| 1 | Cover Page | Firm/Auditor Name, Report Title (REVIEW OF INTERNAL FINANCIAL CONTROLS OVER FINANCIAL REPORTING), Period, Company Name |
| 2 | Read Through Document | Static ICAI-standard explanatory tables: Contents of RCM, Contents of Test of Design — same in every report |
| 3 | Summary Table | One row per process: Sub Processes, Risks, Controls, KCs, Recommendations, Failures, Untested |
| 4 | Recommendations | Manually added by auditor: Process, Sub Process, Risk, Control, Risk Level, Recommendation Text |
| 5 | Gap Observations | Auto-populated from gaps toggled 'Include in Final Report' in Gap Analysis module |
| 6 | Failed/Untested Controls | All TOD FAILs and untested controls — remarks required before generation; writes back to source records |
| 7 | RCM + TOD + TOE | Per process: Full RCM (Part A) → TOD results (Part B) → TOE results aggregated (Part C). New page per process. |
Output: Landscape Word (.docx) with 1.5cm margins, 8pt font in RCM tables, navy headers, page break per process, Prepared By / Approved By in footer. PDF via browser print (landscape).
| 1 | ICAI Standards as Hard Code | Sample sizes from a hard-coded ICAI SIA 5 table — not AI estimation. Basis always shown: "30 items — Daily, Higher Risk — ICAI SIA 5". |
| 2 | AI Suggests, Auditor Confirms | Classification (MW/SD/CD) is AI-suggested but blocked from saving until the auditor explicitly confirms. Amber label visible until confirmed. No AI output accepted without human sign-off. |
| 3 | Zero AI Dependency for Core Logic | Sampling, deviation rate, KC escalation rules, progress tracking — all pure Python. AI used only where reasoning and drafting add value. |
| 4 | Runs Without Internet (except API calls) | No database, no cloud storage, no external dependencies beyond the Claude API. Portable — copy folder, double-click BAT, run. |
| 5 | Multi-Population Sampling Architecture | Different controls test different populations. Control-level population assignment — the only IFC tool that correctly models real-world audit reality. |
IFC AutoTest — Architecture
Single Flask app (app.py)
├── 22 Python modules in src/
├── JSON flat-file data store (no database dependency)
├── Claude API via SSE streaming (Sonnet + Haiku)
├── python-docx + openpyxl for document generation
├── DuckDB for Tally transaction snapshots
├── TF-IDF RAG engine over ICAI reference documents
├── ngrok integration for public token-based email links
└── Windows BAT launcher — double-click to start
IFC AutoTest is not a generic AI tool applied to auditing. It is an audit workflow built ground-up for IFC engagements under Indian standards — ICAI Guidance Note, COSO 2013, Companies Act 2013, ICAI SIA 5. Every design decision reflects the real-world workflow of a CA firm conducting an IFC engagement.
The platform demonstrates that AI in professional accounting is most powerful not when it replaces auditor judgment — but when it eliminates the documentation burden so the auditor can focus entirely on judgment.