Key takeaways
- Indian SMEs can operationalize a robust internal control system in 90 days, covering approvals, vendor onboarding, bank ops, audit readiness.
- A clear approval matrix, a documented expense policy, and disciplined bank reconciliations are the Big Three for immediate risk reduction.
- Clean vendor master data with PAN, GSTIN, bank verification, plus correct TDS mapping, prevents compliance penalties and payment fraud.
- Batch payments, maker-checker workflows, and daily reconciliation, supported by an auditable Reconciliation Exception Log, keep cash secure.
- Automation tools like AI Accountant quietly enforce policies, organize evidence, and speed audit closure.
- Following COSO-inspired pillars with India-specific tweaks ensures compliance, accountability, and faster audits.
- Use per diem for travel, classify GST ITC rigorously, and maintain logs for approvals, vendor changes, payments, and overrides.
Policy and Controls Setup in India, why it matters now
Policy and controls setup in India means formal approval workflows, documentation standards, vendor management protocols, and internal financial oversight tailored to Indian regulations. Under Section 134(5) of the Companies Act, 2013, every company must maintain adequate internal financial controls; GST compliance requires invoice matching and ITC documentation; TDS sections 194C, 194J and 194H demand correct vendor classification; and e-invoicing thresholds are tightening yearly.
Without deliberate controls, approvals become ad-hoc, reimbursements invite ITC denials, vendor master errors delay payments, then audit season triggers panic. With a practical blueprint, founders, CFOs, and chartered accountants can operationalize controls in 90 days, reduce fraud risk, protect GST credits, and close audits faster.
Controls convert daily discipline into audit ease; they are not optional, they are foundational.
Control framework for Indian SMEs, adapting COSO to your reality
Five pillars underpin strong controls, adapted from COSO for Indian SMEs, balancing rigor with practicality.
Control Environment: tone, roles, segregation of duties
Leadership sets the tone: compliance matters. Define roles clearly: who approves bills, who creates vendors, who reconciles the bank. Never allow end-to-end control by one person. Publish a policy, secure sign-offs, and make approval rights role-based so controls persist through personnel changes. In a 50–200 employee SME, segregate a finance manager, an AP owner, a bank reconciliation owner, and a compliance lead.
Risk Assessment: payments, vendor fraud, GST mismatches
Prioritize risks by likelihood and impact. Common exposures include unauthorized payments, duplicate vendors, fake invoices, GSTIN mismatches, TDS misclassification, UPI fraud, unreconciled cash. Assign ownership for continuous monitoring.
Control Activities: approvals, reconciliations, master data hygiene
- Preventive: threshold-based approval matrix, vendor onboarding checklist with GSTIN verification.
- Detective: daily bank reconciliations, weekly AP aging, monthly vendor master audits.
- Corrective: dispute incorrect invoices, re-file GST when ITC is wrong, blacklist fraudulent vendors.
Information & Communication: policies and evidence
Share policies widely, attach them to forms, train new hires on day one. Evidence is survival, log every approval, vendor KYC, and reconciliation, date-stamp, store digitally, respond instantly when auditors ask for proof.
Monitoring: internal reviews and audit preparedness
Review approval matrices and logs monthly, reconcile bank daily or weekly, age AP and AR monthly, audit vendor master quarterly, and maintain a steady rhythm that keeps you audit ready.
Approval Matrix: design principles and templates
Why approval matrices matter
Without a matrix, approvals become informal, memory-based, and untraceable. With a matrix, transactions are traceable, accountable, and auditable.
Design principles
- Set risk-based thresholds, a ₹5,000 office supply needs lighter oversight than a ₹2 lakh contractor payment.
- Reflect departmental budgets and approvers, IT and sales may differ.
- Define roles, not persons, maintain continuity.
- Enforce maker-checker, no self-approval.
- Allow emergency overrides, log them, review patterns monthly.
Sample approval matrix for a 50–200 employee SME
Vendor Creation
- All amounts: Finance Manager + CFO; evidence: PAN, GSTIN, bank account, KYC docs.
Bill Payment, local supplier
- ₹0–50K: Finance Manager; evidence: invoice, GRN, GSTIN match.
- ₹50K–2L: Finance Manager + Department Head; add 3 quotes for services.
- ₹2L–10L: CFO + Department Head; add quote comparison and business case.
- Above ₹10L: Board or Audit Committee; add board minutes.
Travel & Expense Reimbursement
- ₹0–5K: Department Head; evidence: receipt, GST invoice if claiming ITC.
- ₹5K–15K: Department Head + Finance Manager; add pre-approval proof.
- Above ₹15K: CFO; add business case.
Bank Transfers, NEFT/RTGS
- ₹0–2L: Finance Manager, if beneficiary is whitelisted.
- ₹2L–10L: Finance Manager + CFO.
- Above ₹10L: CFO + Board designate.
Digital approvals and maker-checker
Email chains with formatted approval sheets and timestamps work; accounting software workflows in Tally or Zoho Books add enforcement. A hybrid approach keeps routine approvals fast and high-value ones controlled.
Emergency overrides and logging
Enable urgent payments, but record transaction ID, description, amount, approver, reason, date, and follow-up. Review monthly to detect abuse or policy misfit.
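The sample matrix above is just a rule table, and the controls around it (maker-checker, no self-approval, logged overrides) are enforceable in a few dozen lines. The following is an added example, not code from the page or from any accounting product it mentions. It encodes the sample matrix as data, routes a transaction to the approver roles it requires, rejects self-approval, and records overrides with every field the page asks for. Assumptions made here: tier upper bounds are inclusive, evidence accumulates tier by tier (the page says "add ..."), and a bank transfer under ₹2L to a beneficiary that is not whitelisted escalates to the next tier; all function and field names are invented for the illustration.

```python
"""Approval matrix as data, plus maker-checker and override logging (added example)."""
from dataclasses import dataclass
from datetime import date

LAKH = 100_000  # ₹1 lakh in rupees

# kind -> ordered tiers of (upper bound inclusive or None for open-ended, roles, evidence)
MATRIX = {
    "vendor_creation": [
        (None, {"Finance Manager", "CFO"}, ["PAN", "GSTIN", "bank account", "KYC docs"]),
    ],
    "bill_payment": [
        (50_000, {"Finance Manager"}, ["invoice", "GRN", "GSTIN match"]),
        (2 * LAKH, {"Finance Manager", "Department Head"}, ["3 quotes for services"]),
        (10 * LAKH, {"CFO", "Department Head"}, ["quote comparison", "business case"]),
        (None, {"Board or Audit Committee"}, ["board minutes"]),
    ],
    "reimbursement": [
        (5_000, {"Department Head"}, ["receipt", "GST invoice if claiming ITC"]),
        (15_000, {"Department Head", "Finance Manager"}, ["pre-approval proof"]),
        (None, {"CFO"}, ["business case"]),
    ],
    "bank_transfer": [
        (2 * LAKH, {"Finance Manager"}, []),            # only for whitelisted beneficiaries
        (10 * LAKH, {"Finance Manager", "CFO"}, []),
        (None, {"CFO", "Board designate"}, []),
    ],
}


def route(kind, amount, beneficiary_whitelisted=True):
    """Return (required approver roles, cumulative evidence) for one transaction."""
    evidence = []
    for i, (limit, roles, tier_evidence) in enumerate(MATRIX[kind]):
        evidence.extend(tier_evidence)             # evidence accumulates up the tiers
        within = limit is None or amount <= limit
        # the lowest bank-transfer tier is reserved for whitelisted beneficiaries (assumption)
        reserved = kind == "bank_transfer" and i == 0 and not beneficiary_whitelisted
        if within and not reserved:
            return set(roles), evidence
    raise ValueError(f"no tier for {kind} {amount}")  # unreachable: last tier is open-ended


@dataclass
class Transaction:
    txn_id: str
    kind: str
    amount: int
    maker: str                      # person who raised the request
    description: str = ""
    beneficiary_whitelisted: bool = True


def check_approval(txn, approvals):
    """approvals maps person -> role they approved as. Returns control failures
    (empty list means approved). The maker never counts as a checker, even when
    they hold a required role: that is the no-self-approval rule."""
    required, _ = route(txn.kind, txn.amount, txn.beneficiary_whitelisted)
    failures = []
    if txn.maker in approvals:
        failures.append(f"self-approval by {txn.maker}")
    held = {role for person, role in approvals.items() if person != txn.maker}
    failures += [f"missing approval: {role}" for role in sorted(required - held)]
    return failures


OVERRIDE_LOG = []


def record_override(txn, approver, reason, follow_up, on=None):
    """Emergency override: the payment proceeds, but every field the page lists is
    captured so the monthly review can spot abuse or a policy that no longer fits."""
    entry = {
        "transaction_id": txn.txn_id, "description": txn.description, "amount": txn.amount,
        "approver": approver, "reason": reason,
        "date": on or date.today().isoformat(), "follow_up": follow_up,
    }
    OVERRIDE_LOG.append(entry)
    return entry


def overrides_by_approver(log):
    """Monthly review helper: overrides per approver, to surface repeat patterns."""
    counts = {}
    for entry in log:
        counts[entry["approver"]] = counts.get(entry["approver"], 0) + 1
    return counts


if __name__ == "__main__":
    txn = Transaction("PAY-0042", "bill_payment", 150_000, maker="asha", description="AMC renewal")
    print(route(txn.kind, txn.amount))
    print(check_approval(txn, {"asha": "Finance Manager", "ravi": "Department Head"}))
```

Because roles rather than people are stored in the matrix, a change of Finance Manager changes only the mapping of people to roles, not the control itself, which is the continuity point the design principles make.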
Expense policy: the India-specific essentials
An expense policy defines reimbursable items, limits, and documentation, inseparable from GST compliance for ITC claims on employee reimbursements.
Policy categories and limits
Travel
Domestic flights reimbursed at actuals within a cap, for example ₹20K economy. Accommodation via city-based per diem, ₹3K metros, ₹1.5K tier-2, or actuals if below per diem. Local transport reimbursed with GST invoices if claiming ITC. Pre-approval required above ₹10K.
Meals
Daily allowance, for example ₹600 during travel, or actuals with GST invoice for ITC. Client entertainment requires invoice and business purpose memo, office meals need group reimbursement, caterer GST invoice, department head approval.
Office Expenses
Prefer company purchase for stationery, IT, subscriptions, employee advance reimbursed only with GST invoice. WFH equipment cap for example ₹15K per annum per employee.
Documentation required for GST ITC
- Formal tax invoice per GST rules, not a simple receipt.
- Supplier GSTIN stated and verified against GST portal.
- Proof of payment, UTR, card statement, cheque number.
- Business purpose memo for entertainment or discretionary spends.
- Flag non-ITC items, for example ride-hailing without GST invoice.
Per diem rules, caps, pre-approval workflow
Per diem simplifies claims: DMA is not subject to ITC, so there are fewer invoices to collect. Define rates: metros ₹750 daily with ₹3,500 accommodation, tier-1 ₹600 with ₹2,500, tier-2 ₹400 with ₹1,500. Enforce email pre-approval above ₹10K: finance confirms the budget, validates the trip post-travel against the plan, then processes the reimbursement.
Policy violations and corrective actions
- Minor, missing receipt under ₹5K, finance discretion, log exception.
- Medium, up to 10% over limit, employee pays difference, approve remainder.
- Major, falsified receipts or repeat offenses, escalate to HR and CFO.
Reimbursements vs. corporate card spend
Corporate cards reduce friction: statements are reviewed monthly and unauthorized charges flagged. Reimbursements are still needed for advances; manage them in a weekly cadence and reconcile to budget in week 4.
Vendor onboarding process: building a clean vendor master
A clean vendor master prevents duplicates, enforces TDS, blocks fraud, and speeds payments. Onboarding is the gateway.
Required documents for vendor KYC
- PAN for tax ID and uniqueness, cross-check on Income Tax or GST portal.
- GSTIN for registration and tax invoice eligibility, verify legal name and address.
- MSME certificate if claimed, verify on Ministry portal or request original.
- Bank account verification, penny-drop or cheque copy, ensure name match.
- Address proof within last 6 months.
- Invoice samples with GSTIN, HSN/SAC codes, tax rate.
TDS section mapping
Determine applicable TDS section at onboarding, encode in vendor master for automated deduction, common cases include 194C contractors, 194J professional services, 194H commission, 194I rent with thresholds.
E-invoicing applicability checks
Identify vendors above turnover thresholds, expect IRN and QR code, store classification for AP teams.
Vendor master controls
Use unique IDs, check PAN and bank account for duplicates, prevent creation of a new record if an existing one suffices, require Finance Manager approval for GST or bank changes.
Risk rating and blacklist rules
Rate vendors Green, Yellow, Red based on verification and history, set blacklist rules for missing or mismatched GSTIN or PAN, high dispute rates, or portal non-compliance, alert finance and block invoices until cleared.
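The vendor master controls from the KYC checklist through risk rating can be enforced as a gate in front of record creation. The code below is an added example, not the page's own or any product's. It checks PAN and GSTIN structure, checks that the GSTIN embeds the vendor's PAN (characters 3 to 12 of a GSTIN are the holder's PAN), compares the bank account name from the penny-drop or cheque copy with the vendor name, blocks duplicates by PAN or by bank account and IFSC, rates the vendor Green, Yellow or Red, holds invoices for anything but Green, and only accepts bank changes approved by a Finance Manager or CFO who is not the person making the change. The GSTIN check character and the GST portal lookup the page calls for are not performed here and remain a separate step; all names, vendor records and identifiers are constructed for the illustration.

```python
"""Vendor master gate: KYC checks, duplicate blocking, rating, gated bank changes (added example)."""
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")
# GSTIN: 2-digit state code, the holder's 10-character PAN, entity code, literal 'Z', check character.
# The check character is NOT validated here; portal verification is still required.
GSTIN_RE = re.compile(r"^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][1-9A-Z]Z[0-9A-Z]$")
REQUIRED_DOCS = {"pan", "gstin", "bank_proof", "address_proof", "sample_invoice"}
TDS_SECTIONS = {"194C", "194J", "194H", "194I"}
CHANGE_APPROVER_ROLES = {"Finance Manager", "CFO"}


def normalize_account(account: str) -> str:
    """Strip spaces and dashes so '1234 5678' and '1234-5678' collide as duplicates."""
    return re.sub(r"[\s-]", "", account)


@dataclass
class Vendor:
    name: str
    pan: str
    gstin: str
    bank_account: str
    ifsc: str
    bank_name_on_record: str      # account holder name from penny-drop or cheque copy
    docs: set
    tds_section: str              # mapped at onboarding, e.g. "194C"
    claims_msme: bool = False


def kyc_issues(v: Vendor) -> list:
    """Return blocking ('block:') and pending ('pending:') findings for one vendor."""
    issues = []
    if not PAN_RE.match(v.pan):
        issues.append("block: PAN format invalid")
    if not GSTIN_RE.match(v.gstin):
        issues.append("block: GSTIN format invalid")
    elif v.gstin[2:12] != v.pan:
        issues.append("block: GSTIN does not embed the vendor's PAN")
    if v.bank_name_on_record.strip().casefold() != v.name.strip().casefold():
        issues.append("block: bank account name does not match vendor name")
    if v.tds_section not in TDS_SECTIONS:
        issues.append("block: TDS section not mapped")
    missing = REQUIRED_DOCS - v.docs
    if v.claims_msme and "msme_certificate" not in v.docs:
        missing.add("msme_certificate")
    if missing:
        issues.append("pending: missing docs " + ", ".join(sorted(missing)))
    return issues


def rate(issues) -> str:
    """Green = clean, Yellow = documents pending, Red = blocked until cleared."""
    if any(i.startswith("block:") for i in issues):
        return "Red"
    return "Yellow" if issues else "Green"


class VendorMaster:
    def __init__(self):
        self.records = {}        # vendor_id -> {"vendor": Vendor, "rating": str}
        self.change_log = []
        self._seq = 0

    def find_duplicate(self, v: Vendor):
        """Same PAN, or same bank account + IFSC, means the vendor already exists."""
        key = (normalize_account(v.bank_account), v.ifsc.upper())
        for vid, rec in self.records.items():
            e = rec["vendor"]
            if e.pan == v.pan or (normalize_account(e.bank_account), e.ifsc.upper()) == key:
                return vid
        return None

    def onboard(self, v: Vendor):
        """Returns (vendor_id or None, rating, issues). Red vendors are never created."""
        issues = kyc_issues(v)
        dup = self.find_duplicate(v)
        if dup:
            issues.insert(0, f"block: duplicate of {dup}")
        rating = rate(issues)
        if rating == "Red":
            return None, rating, issues
        self._seq += 1
        vid = f"V{self._seq:04d}"
        self.records[vid] = {"vendor": v, "rating": rating}
        return vid, rating, issues

    def invoice_allowed(self, vid) -> bool:
        """Only Green vendors may have invoices booked; Yellow is held until cleared."""
        return self.records[vid]["rating"] == "Green"

    def change_bank(self, vid, new_account, new_ifsc, changed_by, approved_by, approver_role):
        """Bank changes need a Finance Manager or CFO other than the maker, and are logged."""
        if approver_role not in CHANGE_APPROVER_ROLES or approved_by == changed_by:
            return False
        v = self.records[vid]["vendor"]
        self.change_log.append({"vendor_id": vid, "field": "bank",
                                "old": (v.bank_account, v.ifsc), "new": (new_account, new_ifsc),
                                "changed_by": changed_by, "approved_by": approved_by})
        v.bank_account, v.ifsc = new_account, new_ifsc
        return True
```

The duplicate check deliberately keys on PAN and on bank account rather than on the vendor name, because a fraudulent second record for an existing payee will almost always carry a slightly different name but must reuse a real PAN or a real account; the change log is what the quarterly vendor master audit and the auditor's sample testing read.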
Bank ops controls: keep cash secure and reconciled
Account signatory rules
Define single signature for routine low value, dual signature for high value or one-off, rotate duties, document via Board Resolution, share with bank, update on change.
Maker-checker for digital payments
The maker prepares the payment file; the checker verifies amounts, beneficiary legitimacy, and purpose, then approves submission. Use email for small batches and software workflows for large ones.
UPI spending limits
Set conservative daily limits, for example ₹2 lakh, enforce in the UPI app to prevent rapid drain from compromise.
Payment approval runs
Batch payments, daily for high frequency, weekly for others, whitelist beneficiaries, freeze and verify before account changes, reconcile UTRs against statements.
Daily bank reconciliations
Download statements daily or thrice weekly, match ledger entries, investigate differences, and log exceptions in a Reconciliation Exception Log, so fraud is detected within hours, not months.
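What "match ledger entries, investigate differences, log exceptions" looks like as a daily job is shown below. This is an added example, not the page's own or any product's code. It matches bank statement lines to ledger entries by UTR, falls back to amount plus counterparty for entries booked before the UTR came back, and turns everything else into a dated, owned, open entry in a Reconciliation Exception Log with a 24-hour due date: debits with no ledger entry, a second statement line for a UTR that already cleared (a double payment), amount mismatches, debits to beneficiaries outside the whitelist, and ledger entries that never reached the bank. The narration format `NEFT/<UTR>/<payee>` and every ledger and statement row are constructed for the illustration; a real bank export differs and the parser would be adapted to it.

```python
"""Daily bank reconciliation with a Reconciliation Exception Log (added example)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed narration layout for this example: "<channel>/<UTR>/<payee>".
UTR_RE = re.compile(r"(?:NEFT|RTGS|IMPS|UPI)/([A-Z0-9]+)")


@dataclass
class LedgerEntry:
    ref: str                 # voucher id in the books
    utr: Optional[str]       # None until the payment file returns a UTR
    amount: int              # rupees, negative = outflow
    counterparty: str
    booked: date


@dataclass
class StatementLine:
    line_id: str
    narration: str
    amount: int
    value_date: date


@dataclass
class Finding:
    kind: str
    ref: str
    amount: int
    note: str


def extract_utr(narration: str) -> Optional[str]:
    m = UTR_RE.search(narration)
    return m.group(1) if m else None


def reconcile(ledger, statement, whitelist, run_date):
    """Match statement lines to ledger entries by UTR, then by amount + counterparty.
    Anything that does not match cleanly becomes a Finding for the exception log."""
    by_utr = {e.utr: e for e in ledger if e.utr}
    open_entries = {e.ref: e for e in ledger}       # ledger entries not yet seen in the bank
    matched, findings = [], []
    for line in statement:
        entry = by_utr.get(extract_utr(line.narration))
        if entry is None:  # fallback for entries booked before the UTR came back
            entry = next((e for e in open_entries.values()
                          if e.amount == line.amount
                          and e.counterparty.upper() in line.narration.upper()), None)
        if entry is None:
            findings.append(Finding("bank_only", line.line_id, line.amount,
                                    "no ledger entry: verify the debit was authorised"))
            continue
        if entry.ref not in open_entries:
            findings.append(Finding("duplicate_in_bank", line.line_id, line.amount,
                                    f"{entry.ref} already cleared: possible double payment"))
            continue
        open_entries.pop(entry.ref)
        if entry.amount != line.amount:
            findings.append(Finding("amount_mismatch", line.line_id, line.amount,
                                    f"ledger {entry.ref} shows {entry.amount}"))
        else:
            matched.append((entry.ref, line.line_id))
        if line.amount < 0 and entry.counterparty not in whitelist:
            findings.append(Finding("non_whitelisted", line.line_id, line.amount,
                                    f"debit to {entry.counterparty}, not on beneficiary whitelist"))
    for e in open_entries.values():
        age = (run_date - e.booked).days
        findings.append(Finding("ledger_only", e.ref, e.amount, f"not in bank after {age} days"))
    return matched, findings


def exception_log(findings, run_date, owner="Bank Reconciliation Owner"):
    """One dated, owned, open entry per finding; due in 24 hours, as the page requires."""
    due = (run_date + timedelta(days=1)).isoformat()
    return [{"detected": run_date.isoformat(), "type": f.kind, "reference": f.ref,
             "amount": f.amount, "note": f.note, "owner": owner, "due": due, "status": "open"}
            for f in findings]


def run_example():
    """Constructed sample day: two clean matches and five exceptions."""
    ledger = [
        LedgerEntry("L1", "HDFCN52024000111", -45_000, "Acme Supplies", date(2024, 6, 3)),
        LedgerEntry("L2", "HDFCN52024000112", -120_000, "Bright Consulting", date(2024, 6, 3)),
        LedgerEntry("L3", None, -8_000, "Quick Cabs", date(2024, 5, 20)),
        LedgerEntry("L4", "HDFCN52024000113", 250_000, "Client Co", date(2024, 6, 4)),
    ]
    statement = [
        StatementLine("S1", "NEFT/HDFCN52024000111/ACME SUPPLIES", -45_000, date(2024, 6, 4)),
        StatementLine("S2", "NEFT/HDFCN52024000112/BRIGHT CONSULTING", -125_000, date(2024, 6, 4)),
        StatementLine("S3", "NEFT/HDFCN52024000113/CLIENT CO", 250_000, date(2024, 6, 4)),
        StatementLine("S4", "UPI/416512345678/UNKNOWN PAYEE", -60_000, date(2024, 6, 4)),
        StatementLine("S5", "NEFT/HDFCN52024000111/ACME SUPPLIES", -45_000, date(2024, 6, 5)),
    ]
    whitelist = {"Acme Supplies", "Client Co"}
    run_date = date(2024, 6, 5)
    matched, findings = reconcile(ledger, statement, whitelist, run_date)
    return matched, findings, exception_log(findings, run_date)


if __name__ == "__main__":
    for row in run_example()[2]:
        print(row)
```

The "bank_only" and "duplicate_in_bank" kinds are the ones that matter for fraud detection within hours: both describe money that left the account without a matching, approved voucher, and both appear on the same day the statement is pulled rather than at month-end.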
Month-end tie-outs
Prepare bank reconciliation statement, list uncleared cheques and deposits in transit, tie bank balance to ledger, investigate stale items and bank charges, document findings.
Positive pay and cheque controls
Use positive pay for cheques, store blank stock securely, maintain a register, flag unused cheques after 6 months.
Corporate card controls
Set monthly and per-transaction limits, block high-risk merchant categories, review and match statements to receipts and purpose, audit quarterly for proper use.
Audit preparedness: convert daily discipline into audit ease
Evidence readiness
Organize invoices by vendor and month, standardize file naming, keep approval records and software logs, store bank statements, reconciliations, vendor KYC, and travel claims with GST invoices, retrieve any quarter’s expenses in minutes.
Audit schedules
- AR and AP aging by brackets.
- GRN reconciliation with PO and invoice.
- Prepaid and accrual schedules.
- Fixed Assets Register with depreciation.
- TDS paid and payable monthly register.
- GST ITC and output registers aligned to returns.
Audit trail and logs
Maintain approval, vendor master change, payment, reconciliation exception, and override logs, they demonstrate control and accountability.
Pre-audit checklist
- GL ties to Trial Balance.
- AP/AR aging reconciled to GL.
- All bank reconciliations completed.
- GST returns reconciled to GL.
- TDS registers tied to deposits and returns.
- Vendor master cleaned.
- FAR updated.
- Approval and exception logs ready.
- PBC list items compiled.
Frequency of reviews
Monthly bank and GST reconciliations, quarterly sample testing and schedule prep, year-end dry-run audit, detect and fix gaps early.
30-60-90 day implementation plan
Days 0–30: draft policies, set roles, train teams
Week 1, draft approval matrix and secure CFO sign-off. Week 2, draft expense policy and vendor checklist. Week 3, configure roles and digital workflows, test. Week 4, train teams, share documents, capture sign-offs. Deliverables include signed policies and configured roles.
Days 31–60: roll out vendor onboarding and bank ops controls
Week 5, clean vendor master and remove duplicates. Week 6, enforce onboarding checklist and backfill documents. Week 7, implement maker-checker and daily reconciliation. Week 8, document reconciliation procedures and run test cycles. Deliverables include clean KYC, approval logs, stable reconciliations.
Days 61–90: tighten evidence collection, monitoring, audit prep
Week 9, standardize evidence filing. Week 10, set monthly dashboards for AP, AR, TDS, vendor audits. Week 11, prepare audit schedules. Week 12, conduct internal audit and fix gaps. Deliverables include operational filing, dashboards, schedules, and a compliance checklist.
How AI Accountant and automation support this quietly
Policies are the blueprint, automation enforces them with less effort. Consider AI Accountant for Indian SMEs, QuickBooks, Xero, FreshBooks, Zoho Books, and Tally Prime for various needs.
Bills module: capture and approve bills fast
AI extracts vendor details, invoice data, and GST fields, auto-matches PO or GRN, routes per matrix, and stores evidence, invoices processed in hours, approvers review without chasing paperwork.
Transaction module: structure bank data
Automatically ingest statements, classify transactions, match UTRs, flag unmatched items and non-whitelisted beneficiaries, produce daily reconciliation summaries.
Ledger mapping & posting
Auto-assign correct GL accounts, block non-approved postings, maintain audit trails linking approvals to ledger entries.
One-click sync with Tally/Zoho
Sync approved transactions, keep GST and TDS classifications accurate, avoid double entry, keep books current.
AP/AR automation and dashboards
Live AP and AR aging, cash forecasts, budget vs. expense summaries, and policy violation flags, act monthly, not annually.
Audit trail features
Log every approval, edit, and high value transaction, make fraud harder, accountability clear, and audit responses instant.
India-specific compliance references
- Companies Act, 2013, Section 134(5), mandates internal financial controls.
- GST compliance requires verified GSTIN, valid invoices, e-invoicing under thresholds, monthly returns, and GL reconciliation.
- TDS requirements for contractors, professionals, rent, commission, deduct, deposit, and file quarterly, PAN and GSTIN mismatches are red flags.
- RBI guidance for digital payments, implement maker-checker, beneficiary whitelisting, conservative UPI limits.
- MSME verification for claimed benefits via Ministry portal or valid certificate.
Implementation case examples: Indian SME scenarios
Case 1, services startup, 20 employees, ₹2 crore turnover
Problem, ad-hoc travel claims, missing receipts, inconsistent GST ITC. Solution, documented expense policy with per diem and GST requirements, pre-approval for travel above ₹10K, reimbursement checklist and training. Result, 15% decline in travel claims, stable ITC, clean audit sign-off.
Case 2, manufacturing SME, 150 employees, ₹10 crore turnover
Problem, messy vendor master and inflated invoices. Solution, cleanup with PAN/GSTIN re-verification, onboarding checklist, risk ratings, maker-checker for changes, audit log. Result, fraud caught at onboarding, vendor audit in 1 day.
Conclusion: your path to audit-ready controls
Controls are a business capability, not a checkbox. With approval matrices, expense policies, vendor onboarding, bank ops, and audit readiness, SMEs reduce fraud, protect cash, and close audits in days. Start with the Big Three, layer complexity as you grow, let automation carry the burden while your team focuses on judgment.
Next steps
Download templates, assign ownership to the Finance Manager or CFO, implement one template in 2 weeks, review quarterly, and run an annual dry-run audit. Your auditor will notice, your books will be accurate, and your cash will be safe.
FAQ
How should a CA draft an approval matrix for a 20-person company to satisfy Section 134(5) while keeping operations lean?
Set three tiers, under ₹50K approved by Finance Manager, ₹50K–₹2L by Finance Manager plus Department Head, above ₹2L by CFO. Enforce maker-checker and role-based rights. Use AI Accountant to route approvals, capture evidence, and block ledger posting until approvals are complete.
What practical GST ITC documentation must I enforce on employee reimbursements to avoid disallowances during audit?
Require formal tax invoices with supplier GSTIN, HSN/SAC, tax rate, match GSTIN to portal, attach proof of payment, and a business purpose memo for entertainment. Where per diem applies, do not attempt ITC. AI Accountant can tag non-ITC items automatically and maintain a clean ITC register.
How do I map TDS sections when a single vendor provides both contractor and consulting services, 194C vs 194J?
Create separate vendor service lines or distinct vendor codes if systems allow, apply 194C to execution contracts and 194J to professional services, verify scope per PO or SOW. Configure rules in AI Accountant so invoices get the correct TDS rate at posting, and reconcile monthly TDS registers to deposits.
What maker-checker control is sufficient for NEFT batches in SMEs that do not use complex treasury systems?
Use a payment file prepared by the maker, verified by the checker against invoices, beneficiary whitelist, and approval matrix. Approve via email for low value, use software workflow for high value. AI Accountant can generate batch files, enforce approvals, and attach UTRs for reconciliation.
How frequently should bank reconciliations be performed to detect UPI or unauthorized transfers promptly?
Daily is ideal, thrice weekly minimum. Maintain a Reconciliation Exception Log, investigate unmatched items within 24 hours, and escalate anomalies. AI Accountant automates statement ingestion and flags exceptions for same-day review.
What vendor KYC checklist items are non-negotiable for clean master data and TDS/GST compliance?
PAN, GSTIN verification against portal, bank account name match via penny-drop or cheque, recent address proof, MSME certificate if claimed, and sample invoices. AI Accountant can enforce mandatory fields and block creation until KYC is complete.
How do I structure per diem and pre-approval flows so auditors accept travel claims without extensive sampling?
Publish city-tiered per diem rates, cap accommodation per night, and require email pre-approval above ₹10K. Post-trip, validate itinerary and attach approval email. Auditors accept standardized flows when evidence is consistent, AI Accountant stores the chain end-to-end for quick retrieval.
What minimal audit schedules should I prepare monthly to avoid year-end fire drills?
Prepare AR aging, AP aging, bank reconciliation statements, GST ITC and output registers, TDS paid/payable, and a Fixed Assets Register. AI Accountant can refresh dashboards and export audit-ready schedules, reducing manual prep time during audit.
How can I prevent duplicate vendors and fraudulent bank changes in the vendor master?
Search by PAN and bank account before creation, use unique vendor IDs, enforce Finance Manager approval on GST or bank updates, and maintain a vendor change log. AI Accountant can block duplicates algorithmically and require approvals for master data edits.
What practical thresholds and workflows should I set for corporate card controls to keep spend clean?
Set ₹50K monthly and ₹25K per transaction limits, block risky merchant categories, require receipt and business purpose tagging within 5 days, and run a monthly review cycle. AI Accountant can ingest statements, auto-categorize, and flag policy violations for quick manager review.
How do I evidence internal controls for auditors without drowning in paperwork?
Maintain approval logs, vendor KYC folders, payment logs with UTRs, bank reconciliations, and override logs, all date-stamped. AI Accountant centralizes documents and logs, enabling auditors to test samples and trace to source in minutes.
What is a pragmatic 30-60-90 day plan for an SME that uses Tally and wants audit-ready books?
Days 0–30, draft approval matrix and expense policy, configure roles. Days 31–60, clean vendor master and implement maker-checker, start daily reconciliations. Days 61–90, standardize evidence filing, set dashboards, prep audit schedules, run an internal audit. Use AI Accountant to automate ingestion, approvals, and one-click sync with Tally for current books.