Introduction: The ₹22 Lakh Fraud That Could Have Been Prevented
Sunil’s story (real case, name changed):
Sunil runs a mid-sized electrical equipment trading business (₹12 crore annual turnover, 25 employees).
One Monday morning, March 2024:
Bank calls: “Sir, your account balance is ₹8 lakhs. But you have ₹35 lakhs worth of cheques bouncing today.”
Sunil: “What?! There should be ₹40 lakhs in the account!”
Panic investigation reveals:
Over the past 8 months, his accountant (trusted for 6 years):
- Created fake vendor invoices (₹18 lakhs)
- Made duplicate payments to real vendors, pocketed second payment (₹9 lakhs)
- Cash withdrawals for “petty expenses” never accounted (₹5 lakhs)
- Total fraud: ₹32 lakhs (₹22L stolen, ₹10L interest/penalties due to compliance mess left behind)
How did it happen?
Sunil had ZERO internal controls:
- ❌ Accountant had sole control: Create invoice, record entry, make payment, reconcile bank (all one person)
- ❌ No payment approval system (accountant could transfer ₹5L without asking Sunil)
- ❌ No monthly review (Sunil checked books only at year-end for tax filing)
- ❌ No vendor verification (fake vendors created with mobile numbers accountant controlled)
- ❌ No bank reconciliation by second person (accountant did it himself—easy to hide)
- ❌ No GST matching (fake purchases claimed ITC—now ₹4L penalty + interest)
The accountant’s method (shockingly simple):
Step 1: Create fake vendor “ABC Traders” (his cousin’s company, shell entity)
Step 2: Generate purchase invoice ₹2L from ABC Traders (fake)
Step 3: Make payment ₹2L to ABC Traders (Tally entry + bank transfer)
Step 4: ABC Traders transfers ₹1.9L back to accountant (keeps ₹10K for “help”)
Step 5: In books, show ₹2L expense (reduces Sunil’s profit, saves tax—Sunil happy with “lower tax”)
Step 6: Repeat 50+ times over 8 months
No one caught it because:
- Sunil never checked vendor list (assumed CA does)
- No dual authorization on payments
- No monthly reconciliation by independent person
- Bank statements never reviewed (accountant said “all fine”)
After fraud discovered:
Financial loss: ₹22 lakhs stolen + ₹3L lawyer fees + ₹4L GST penalty (fake ITC) + ₹2L advance tax underpaid (inflated expenses) = ₹31 lakhs total
Recovery: Police case filed, but accountant absconded. Recovered only ₹4L (from sale of his car, seized). Net loss: ₹27 lakhs.
Business impact:
- Cheques bounced → Reputation damaged with vendors
- Working capital shortage → Took ₹15L emergency loan (@18% interest)
- 6 months rebuilding books (hired forensic accountant—₹5L)
- Lost 2 big orders (couldn’t fulfill due to cash crunch)
Sunil’s realization:
“I thought internal controls are for big companies. I’m just ₹12 crore turnover—I trusted my accountant. That trust cost me ₹27 lakhs.”
This happens to 100+ SMEs every month in India because:
❌ “We’re too small for controls” (No, you’re big enough for fraud)
❌ “I trust my team” (Trust, but verify)
❌ “Controls are expensive/complex” (No, they’re simple, mostly free)
❌ “CA handles everything” (CA prepares books, but founder must CONTROL processes)
❌ “We’ll set up later, when we scale” (Fraudsters don’t wait for you to scale)
The harsh truth:
90% of business fraud in SMEs is preventable with basic internal controls (not expensive software, just simple checks & balances).
Internal controls are not about distrust—they’re about:
- ✅ Protecting honest employees (no temptation, no false accusations)
- ✅ Preventing mistakes (human errors in GST, payments, stock)
- ✅ Creating accountability (everyone knows their role, limits)
- ✅ Building scalable systems (when you grow, controls already in place)
- ✅ Attracting investors/lenders (banks fund only companies with controls)
This comprehensive guide covers:
- What are internal controls (simple definition)
- Why SMEs need them (Indian context—fraud, GST, tax, cash flow)
- Top 15 internal controls every business must implement
- How to set up maker-checker system
- Payment approval workflows
- GST reconciliation controls
- Inventory/stock controls
- Cash & bank controls
- HR/payroll controls
- Documentation controls
- Tools & automation (free + paid)
- 30-day implementation roadmap
- Red flags (signs your controls are weak)
- Real case studies (fraud prevented vs. fraud happened)
1. What Are Internal Controls? (Founder-Friendly Definition)
Simple definition:
Internal Controls = Systems, processes, checks & balances that ensure:
- Financial accuracy (books are correct)
- Fraud prevention (no stealing, no fake bills)
- Compliance hygiene (GST, TDS, labor laws followed)
- Operational efficiency (smooth workflows, no chaos)
- Accountability (everyone knows their responsibility & limits)
Think of internal controls as:
Your business’s immune system.
- Without it: Any virus (fraud, error, compliance gap) can kill the business
- With it: Business stays healthy, grows sustainably
What internal controls are NOT:
❌ Surveillance/spying (it’s not about watching employees like Big Brother)
❌ Distrust (it’s about protecting everyone—including honest employees)
❌ Bureaucracy (simple controls take 5 mins/day, not hours)
❌ Expensive (most controls are free—just process changes)
What internal controls DO:
✅ Separate duties (one person can’t do everything—create invoice + approve payment + reconcile bank)
✅ Require approvals (payments >₹X need founder’s okay)
✅ Create audit trail (who did what, when—traceable)
✅ Force reconciliation (books vs. bank vs. GST—monthly matching)
✅ Document everything (invoices, GRN, approvals—evidence)
2. Why Indian SMEs MUST Implement Internal Controls (2025 Reality)
Problem 1: Employee Fraud (Extremely Common)
Statistics (our experience across 200+ SME clients):
- 35% of SMEs face employee fraud at some point (petty or major)
- Average fraud amount: ₹3-15 lakhs (before detection)
- Detection time: 8-18 months (by then, employee gone/money spent)
- Recovery rate: <20% (even with police case)
Common fraud types:
- Fake vendor invoices (like Sunil’s case)
- Duplicate payments (pay vendor twice, pocket second payment)
- Cash theft (petty cash, unrecorded sales)
- Inventory theft (steal stock, show as “damaged/expired”)
- Payroll fraud (ghost employees, inflated salaries)
Controls prevent: 90%+ of these frauds (dual authorization, reconciliation, verification).
Problem 2: GST Notices Due to Weak Controls
Why GST notices happen:
- ❌ No 2B reconciliation (claim ITC without checking if vendor filed)
- ❌ No vendor compliance tracking (vendor stops filing, your ITC disallowed)
- ❌ Wrong HSN codes (mismatch between purchase & sales)
- ❌ E-way bill gaps (goods moved without EWB, or EWB doesn’t match invoice)
- ❌ Late GSTR-3B filing (interest + late fees)
With controls: Monthly 2B match, vendor filing tracker, HSN validation = Zero GST notices.
Problem 3: Cash Flow Crisis
Root cause (80% cases): Not revenue, but lack of controls on:
- Debtors: No credit limit, no collection follow-up (₹50L stuck with customers)
- Creditors: Paying too early (vendors on 30-day credit, you pay in 15 days—cash gone)
- Inventory: Overstocking (₹20L cash stuck in unsold stock)
- Expenses: Uncontrolled spending (marketing, travel, “business development”)
With controls: Credit policy, payment scheduling, stock optimization = Healthy cash flow.
Problem 4: Year-End Chaos (Tax Shock)
Common scenario:
March 15: CA: “Your advance tax due: ₹18 lakhs. Pay by March 15.”
Founder: “What?! From where? I don’t have ₹18L!”
Why it happens: No monthly books closing, no quarterly advance tax calculation.
With controls: Monthly P&L, quarterly tax planning = No surprises.
Problem 5: Investor/Bank Rejection
When you approach a bank for a loan or an investor for funding:
They ask: “Show me last 2 years’ audited financials, monthly MIS, GST reconciliation, stock reports.”
If you don’t have: Application rejected (even if business is profitable).
With controls: Audit-ready books, monthly reports, clean reconciliations = Loan approved, investor interested.
3. Top 15 Internal Controls Every Business Must Implement
Applicable to: Manufacturing, Trading, Services, Startups, E-commerce (any business with ₹50L+ turnover or 5+ employees).
Control #1: Maker-Checker System (MOST CRITICAL) ⭐
Principle: No single person should have end-to-end control of any transaction.
Segregation of Duties:
| Activity | Maker (Person A) | Checker (Person B) |
|---|---|---|
| Purchase | Junior accountant creates PO | Manager approves PO |
| Receipt | Store keeper receives goods, signs GRN | Accountant verifies GRN vs. PO |
| Invoice | Vendor sends invoice | Accountant enters, manager verifies |
| Payment | Accountant prepares payment | Founder/CFO approves, releases payment |
| Reconciliation | Accountant reconciles bank | Founder/manager reviews reconciliation |
Example implementation (even 2-person setup):
Scenario: You + 1 accountant.
Process:
- Accountant: Creates invoice, enters in Tally, prepares payment list
- You (Founder): Review payment list daily (5 mins), approve via banking app (dual auth), cross-check 5 random invoices/week
Result: Accountant can’t make fake payment (you’ll see it in approval list).
For larger teams (10+ employees):
Layer 1: Junior (data entry)
Layer 2: Senior (verification)
Layer 3: Manager (approval)
Layer 4: Founder/CFO (sign-off on >₹X payments)
Control #2: Payment Approval Workflow
Rule: All payments above threshold need founder/senior approval.
Set limits:
| Amount | Approval Required |
|---|---|
| ₹0 – ₹10,000 | Accountant (but with supporting docs) |
| ₹10,000 – ₹50,000 | Manager approval |
| ₹50,000 – ₹2,00,000 | Founder approval |
| >₹2,00,000 | Founder + CFO/Partner dual approval |
How to implement:
Option 1: Manual (Small business)
- Accountant prepares payment Excel sheet daily
- Emails to founder
- Founder approves via email (“Approved—proceed”)
- Accountant makes payment, forwards bank confirmation
Option 2: Tally/Accounting Software
- Set user roles (Junior = data entry only, Senior = approve <₹50K, Admin = approve all)
- Payment vouchers go to “Pending Approval” queue
- Approver logs in, reviews, approves/rejects
Option 3: Banking App Dual Auth
- Most banks offer “Maker-Checker” in net banking
- Accountant initiates payment (can’t complete)
- Founder logs in, reviews, approves (then payment executes)
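The maker-checker rule and the approval limits above can be enforced in code rather than by habit. The sketch below is an added example, not taken from Tally, a bank portal or any product named on this page. It assumes each upper limit in the table is inclusive, that supporting documents are required at every tier, and uses hypothetical role labels (`cfo` stands for "CFO/Partner").

```python
from dataclasses import dataclass, field

# Role seniority. "cfo" stands in for the table's "CFO/Partner" (assumed label).
RANK = {"accountant": 1, "manager": 2, "founder": 3, "cfo": 3}

# (upper limit in rupees, minimum approver rank, distinct approvers needed),
# taken from the approval table. Assumption: upper limits are inclusive.
TIERS = [
    (10_000, 1, 1),
    (50_000, 2, 1),
    (200_000, 3, 1),
    (None, 3, 2),      # above ₹2,00,000: founder + CFO/partner
]


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class Payment:
    vendor: str
    amount: int                      # rupees
    maker: User                      # person who prepared the payment
    supporting_docs: bool = False
    approvals: list = field(default_factory=list)


def required_tier(amount):
    """Return (minimum approver rank, approvers needed) for an amount."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    for limit, rank, count in TIERS:
        if limit is None or amount <= limit:
            return rank, count


def approve(payment, user):
    """Record a checker's approval, enforcing rank and segregation of duties."""
    rank, _ = required_tier(payment.amount)
    if RANK[user.role] < rank:
        raise PermissionError(f"{user.role} cannot approve ₹{payment.amount:,}")
    # Above the lowest tier the maker may never approve their own payment.
    if rank > 1 and user == payment.maker:
        raise PermissionError("maker cannot approve own payment")
    if user in payment.approvals:
        raise ValueError("approval already recorded for this user")
    payment.approvals.append(user)


def can_release(payment):
    """A payment executes only with documents and enough distinct approvals."""
    _, count = required_tier(payment.amount)
    return payment.supporting_docs and len(payment.approvals) >= count
```

With these rules the ₹2L transfer to "ABC Traders" from Sunil's case stays in the pending queue until the founder has looked at it.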
Control #3: Monthly Books Closing Calendar (Financial Discipline)
Problem: Most SMEs don’t close books monthly (wait until year-end for tax).
Result: Errors accumulate, GST mismatches unnoticed, no monthly P&L = Flying blind.
Solution: Fixed monthly calendar.
Sample Calendar:
| Date | Activity | Responsible |
|---|---|---|
| 1-5 | Enter all purchase invoices (last month) | Junior Accountant |
| 1-5 | Enter all sales invoices | Sales Coordinator |
| 3-7 | Enter all expenses (rent, salary, utilities) | Accountant |
| 5-8 | Bank reconciliation (last month) | Accountant |
| 8-10 | GST 2B vs. Purchase reconciliation | Senior Accountant |
| 8-10 | GSTR-1 vs. Sales reconciliation | Accountant |
| 10-12 | Review GSTR-1 (before filing on 11th) | Manager + Founder |
| 11 | File GSTR-1 | Accountant |
| 15-18 | Review GSTR-3B draft | Manager |
| 18-20 | File GSTR-3B (by 20th) | Accountant |
| 20-25 | Close books (all ledgers finalized) | Accountant |
| 25-28 | Prepare monthly P&L, Balance Sheet | Senior Accountant |
| 28-30 | Founder Review Meeting (MIS presentation) | Founder + Finance Team |
Benefits:
- ✅ Monthly P&L (see profit/loss trends, not just year-end)
- ✅ GST filed on time (no late fees, no interest)
- ✅ Errors caught early (not after 6 months)
- ✅ Audit-ready (anytime auditor comes, books are ready)
Control #4: GST Reconciliation Controls (Compliance Safety)
GST is the #1 notice trigger. Controls prevent 95% of GST issues.
4A: GSTR-2B vs. Purchase Register Reconciliation (MONTHLY)
Process:
Step 1: Download GSTR-2B from GST portal (available from 14th of month)
Step 2: Export purchase register from Tally/accounting software
Step 3: Match invoice-wise:
| Our Books | GSTR-2B | Status | Action |
|---|---|---|---|
| Vendor A, Inv 101, ₹1L | Present | ✅ Matched | Claim ITC |
| Vendor B, Inv 202, ₹50K | NOT present | ❌ Mismatch | Vendor didn’t file GSTR-1; follow up, don’t claim ITC yet |
| Vendor C, Inv 303, ₹80K | Present, but ₹78K | ⚠️ Amount diff | Check invoice, contact vendor for correction |
Step 4: Create mismatch report, share with founder
Step 5: Follow up with vendors (get them to file/correct)
Step 6: Claim ITC only on matched invoices (in GSTR-3B)
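Steps 3 to 6 as a script, using the three sample rows from the table above. This is an added example, not a GST portal or Tally feature. The GSTIN strings and field names are constructed placeholders, the ₹1 rounding tolerance is an assumption, and it goes slightly beyond the table by also flagging an invoice booked twice and an invoice that appears in 2B but not in the books.

```python
# Constructed sample data: purchase register export and GSTR-2B download.
BOOKS = [
    {"gstin": "GSTIN-A", "vendor": "Vendor A", "invoice": "101", "amount": 100_000},
    {"gstin": "GSTIN-B", "vendor": "Vendor B", "invoice": "202", "amount": 50_000},
    {"gstin": "GSTIN-C", "vendor": "Vendor C", "invoice": "303", "amount": 80_000},
    {"gstin": "GSTIN-A", "vendor": "Vendor A", "invoice": "101", "amount": 100_000},
]
GSTR2B = [
    {"gstin": "GSTIN-A", "vendor": "Vendor A", "invoice": "101", "amount": 100_000},
    {"gstin": "GSTIN-C", "vendor": "Vendor C", "invoice": "303", "amount": 78_000},
    {"gstin": "GSTIN-D", "vendor": "Vendor D", "invoice": "404", "amount": 25_000},
]


def invoice_key(row):
    """Match on vendor GSTIN plus invoice number, ignoring case and spaces."""
    return (row["gstin"].strip().upper(), str(row["invoice"]).strip().upper())


def reconcile_2b(purchase_register, gstr2b, tolerance=1):
    """Return one report row per invoice with a reconciliation status."""
    portal = {invoice_key(r): r for r in gstr2b}
    seen, report = set(), []
    for row in purchase_register:
        key = invoice_key(row)
        filed = portal.get(key)
        if key in seen:
            status = "DUPLICATE_IN_BOOKS"      # same invoice entered twice
        elif filed is None:
            status = "NOT_IN_2B"               # vendor has not filed GSTR-1
        elif abs(row["amount"] - filed["amount"]) > tolerance:
            status = "AMOUNT_DIFF"
        else:
            status = "MATCHED"
        seen.add(key)
        report.append({
            "vendor": row["vendor"], "invoice": row["invoice"],
            "books": row["amount"],
            "gstr2b": filed["amount"] if filed else None,
            "status": status,
        })
    # Invoices the vendor reported against our GSTIN that were never booked.
    for key, filed in portal.items():
        if key not in seen:
            report.append({
                "vendor": filed["vendor"], "invoice": filed["invoice"],
                "books": None, "gstr2b": filed["amount"],
                "status": "NOT_IN_BOOKS",
            })
    return report


def itc_claimable(report):
    """Only matched invoices go forward to the GSTR-3B ITC claim."""
    return [(r["vendor"], r["invoice"]) for r in report if r["status"] == "MATCHED"]
```

Every row whose status is not `MATCHED` belongs in the mismatch report shared with the founder in Step 4.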
4B: Vendor Compliance Tracker
Maintain Excel:
| Vendor Name | GSTIN | Jan Filed? | Feb Filed? | Mar Filed? | Risk Level |
|---|---|---|---|---|---|
| ABC Pvt Ltd | 29XXX | ✅ Yes | ✅ Yes | ✅ Yes | 🟢 Low |
| XYZ Traders | 27YYY | ✅ Yes | ❌ No | ❌ No | 🔴 High (stop purchases) |
Action: If vendor doesn’t file for 2+ months → Stop new orders, don’t claim ITC from them.
4C: GSTR-1 vs. Sales Register
Match: Sales declared in GSTR-1 = Sales in books.
If mismatch: Investigate (missing invoices? wrong period? credit notes not adjusted?).
4D: E-way Bill vs. Invoice Matching
For goods movement >₹50K:
Ensure: E-way bill generated, vehicle number correct, destination matches invoice.
Monthly check: E-way bill register vs. Sales invoices (all covered?).
Control #5: Inventory/Stock Controls (Prevent Theft & Wastage)
Inventory fraud/wastage is HUGE in manufacturing/trading.
5A: GRN (Goods Receipt Note) System
Process:
When goods arrive:
Step 1: Store keeper physically receives goods, counts quantity, checks quality
Step 2: Fills GRN (on paper or system):
- Date, time
- Vendor name, invoice number
- Items received (description, quantity, batch/serial numbers if any)
- Condition (OK / Damaged / Partial)
- Store keeper signature
Step 3: GRN sent to accounts (to match with invoice before payment)
Step 4: Accounts matches: PO → Invoice → GRN (all three align? Then approve payment)
Why critical: Without GRN, vendor can invoice you for 100 units, send only 80, pocket money for 20 (you pay for 100 because no physical verification).
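The PO → Invoice → GRN match in Step 4, including the "billed 100, received 80" case, can be checked mechanically. This is an added example, not code from any accounting package. The record layout, the item name and the ₹500 rate are constructed for illustration, and it assumes damaged units recorded on the GRN are not payable.

```python
# Constructed sample documents. Lines map item -> (quantity, rate in rupees);
# GRN lines map item -> (units received, units recorded as damaged).
PO = {"vendor": "Vendor A", "lines": {"Product A": (100, 500)}}
INVOICE = {"vendor": "Vendor A", "invoice_no": "101",
           "lines": {"Product A": (100, 500)}}
GRN_SHORT = {"vendor": "Vendor A", "invoice_no": "101",
             "lines": {"Product A": (80, 0)}}
GRN_FULL = {"vendor": "Vendor A", "invoice_no": "101",
            "lines": {"Product A": (100, 0)}}


def three_way_match(po, invoice, grn):
    """Compare PO, vendor invoice and GRN line by line before payment."""
    exceptions = []
    if len({po["vendor"], invoice["vendor"], grn["vendor"]}) != 1:
        exceptions.append("vendor name differs across PO, invoice and GRN")
    if grn["invoice_no"] != invoice["invoice_no"]:
        exceptions.append("GRN refers to a different invoice number")

    supported = 0  # amount backed by all three documents
    for item, (billed_qty, billed_rate) in invoice["lines"].items():
        if item not in po["lines"]:
            exceptions.append(f"{item}: billed but never ordered")
            continue
        ordered_qty, po_rate = po["lines"][item]
        received, damaged = grn["lines"].get(item, (0, 0))
        accepted = received - damaged
        if billed_qty > ordered_qty:
            exceptions.append(f"{item}: billed {billed_qty}, ordered {ordered_qty}")
        if billed_qty > accepted:
            exceptions.append(f"{item}: billed {billed_qty}, accepted on GRN {accepted}")
        if billed_rate > po_rate:
            exceptions.append(f"{item}: billed rate {billed_rate} above PO rate {po_rate}")
        supported += min(billed_qty, ordered_qty, accepted) * min(billed_rate, po_rate)

    return {"approve": not exceptions,
            "exceptions": exceptions,
            "supported_amount": supported}
```

A payment voucher is prepared only when `approve` is true; otherwise the exception list goes back to the vendor and `supported_amount` is the most the documents justify paying.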
5B: Monthly Physical Stock Verification
At month-end:
Step 1: Store keeper counts actual stock (physically)
Step 2: Compares with stock register (in system/books)
Step 3: Reports discrepancies:
| Item | As per System | Physical Count | Difference | Reason |
|---|---|---|---|---|
| Product A | 500 units | 480 units | -20 | Damaged (not recorded) |
| Product B | 200 units | 220 units | +20 | Purchase entry pending |
Step 4: Investigate differences, adjust books (with proper documentation—damage certificate, sale not entered, etc.)
5C: Slow-Moving & Obsolete Stock Review
Quarterly: Identify stock not sold in 6+ months.
Action: Discount sale, liquidate (before it becomes worthless).
Prevents: ₹10L cash stuck in unsold stock.
5D: Scrap & Waste Control
In manufacturing: Scrap has value (sell to scrap dealers).
Control: Weigh scrap, maintain scrap register, sell via invoice (declare in GST), account for scrap revenue.
Without control: Workers steal scrap, sell privately (business loses ₹50K-2L/year).
Control #6: Customer Credit Policy (Cash Flow Control)
80% of cash flow problems = Poor credit control.
6A: Set Credit Limits
Rule: No customer gets unlimited credit.
Set limits:
| Customer Type | Credit Limit | Credit Period |
|---|---|---|
| New customer | ₹50,000 | 15 days (or advance) |
| Regular (6+ months) | ₹2,00,000 | 30 days |
| Large/trusted (2+ years) | ₹5,00,000 | 45 days |
In system: Tally/ERP can block new order if limit exceeded (auto-control).
6B: Credit Approval Process
Before dispatching goods:
Step 1: Sales team checks: Outstanding dues from this customer?
Step 2: If dues <credit limit → Approve dispatch
Step 3: If dues >limit → Needs founder approval (email approval with reason)
Step 4: If >30 days overdue → Block (no new dispatch until old dues paid)
6C: Debtor Aging Report (Weekly Review)
Generate report:
| Customer | 0-30 days | 31-60 days | 61-90 days | >90 days | Total Due |
|---|---|---|---|---|---|
| Customer A | ₹1,00,000 | ₹50,000 | ₹0 | ₹0 | ₹1,50,000 |
| Customer B | ₹0 | ₹80,000 | ₹1,20,000 | ₹50,000 | ₹2,50,000 🚩 |
Action:
- 0-30 days: Normal (send reminder on day 25)
- 31-60 days: Follow-up call, email
- 61-90 days: Legal notice
- >90 days: Legal action / Provision for bad debt
Control #7: Bank Reconciliation (Monthly, By Independent Person)
Critical control (Sunil’s fraud happened because accountant reconciled his own fake payments).
Process:
Step 1: Download bank statement (month-end)
Step 2: Compare with cash book (book balance vs. bank balance)
Step 3: Identify differences:
Common differences:
- Cheques issued but not yet presented (book shows payment, bank doesn’t)
- Direct debits (bank charged, not yet entered in books—EMI, bank charges)
- Direct credits (customer directly deposited, not yet entered in books)
- Errors (wrong entry amount, duplicate entry)
Step 4: Adjust books for bank charges, direct entries
Step 5: Prepare Bank Reconciliation Statement (BRS)
Step 6: Founder reviews BRS (spot-check: Are cheques >₹50K genuine? Call 2-3 vendors randomly to confirm payment received)
Red flags in BRS:
- 🚩 Too many “uncleared cheques” (fake cheques issued to adjust books)
- 🚩 Round-figure cash withdrawals (₹50K, ₹1L—suspicious, what’s it for?)
- 🚩 Payments to unknown vendors (verify)
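A reviewer who did not prepare the books can run the comparison in Steps 2 and 3 and the red-flag checks independently. The sketch below is an added example, not part of any banking or accounting product. The entries, reference numbers and field names are constructed, and the ₹50,000 round-figure step and the limit of five uncleared cheques are assumed thresholds.

```python
# Constructed sample month. Negative amounts are money going out.
VENDOR_MASTER = {"Vendor A", "Vendor B", "Vendor C"}
CASH_BOOK = [
    {"ref": "CHQ101", "amount": -40_000, "kind": "payment", "party": "Vendor A"},
    {"ref": "CHQ102", "amount": -60_000, "kind": "payment", "party": "Vendor B"},
    {"ref": "CHQ103", "amount": -25_000, "kind": "payment", "party": "Vendor C"},
    {"ref": "NEFT201", "amount": 150_000, "kind": "receipt", "party": "Customer A"},
    {"ref": "CW01", "amount": -100_000, "kind": "cash", "party": "Self"},
]
BANK_STATEMENT = [
    {"ref": "CHQ101", "amount": -40_000, "kind": "payment", "party": "Vendor A"},
    {"ref": "CHQ103", "amount": -52_000, "kind": "payment", "party": "Vendor C"},
    {"ref": "NEFT201", "amount": 150_000, "kind": "receipt", "party": "Customer A"},
    {"ref": "CW01", "amount": -100_000, "kind": "cash", "party": "Self"},
    {"ref": "BC01", "amount": -590, "kind": "charge", "party": "Bank"},
    {"ref": "NEFT305", "amount": -200_000, "kind": "payment", "party": "ABC Traders"},
]


def reconcile_bank(cash_book, bank_statement, vendor_master,
                   round_step=50_000, max_unpresented=5):
    """Classify book-vs-bank differences, then list BRS red flags."""
    book = {e["ref"]: e for e in cash_book}
    bank = {e["ref"]: e for e in bank_statement}
    differences, red_flags = [], []

    for ref, entry in book.items():
        cleared = bank.get(ref)
        if cleared is None:
            # In the books but not at the bank: unpresented cheque, or
            # (for receipts) a deposit the bank has not credited yet.
            kind = "UNPRESENTED" if entry["amount"] < 0 else "UNCREDITED"
            differences.append((ref, kind))
        elif cleared["amount"] != entry["amount"]:
            differences.append((ref, "AMOUNT_ERROR"))

    for ref, line in bank.items():
        if ref not in book:
            kind = "DIRECT_DEBIT" if line["amount"] < 0 else "DIRECT_CREDIT"
            differences.append((ref, kind))
        if line["amount"] >= 0:
            continue
        if line["kind"] == "cash" and -line["amount"] % round_step == 0:
            red_flags.append((ref, "ROUND_CASH_WITHDRAWAL"))
        elif line["kind"] == "payment" and line["party"] not in vendor_master:
            red_flags.append((ref, "UNKNOWN_PAYEE"))

    unpresented = [r for r, kind in differences if kind == "UNPRESENTED"]
    if len(unpresented) > max_unpresented:
        red_flags.append(("*", "MANY_UNCLEARED_CHEQUES"))
    return differences, red_flags
```

The check only works as a control if `vendor_master` comes from the founder's approved vendor list and the statement is downloaded by the reviewer, not supplied by the person who made the entries.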
Control #8: Expense Approval & Documentation
Prevent: Uncontrolled spending, fake expense bills.
8A: Petty Cash Control
Petty cash = Small daily expenses (stationery, tea, courier, etc.)
Control:
Step 1: Fix petty cash limit (₹10,000 or ₹20,000/month)
Step 2: Appoint petty cash custodian (office admin)
Step 3: Custodian maintains Petty Cash Register:
| Date | Expense | Bill No. | Amount | Balance |
|---|---|---|---|---|
| 1-Jan | Opening | – | – | ₹10,000 |
| 2-Jan | Courier | Bill#101 | ₹150 | ₹9,850 |
| 3-Jan | Stationery | Bill#205 | ₹500 | ₹9,350 |
Step 4: Month-end: Custodian submits bills to accounts, gets reimbursement
Step 5: Accounts verifies bills (genuine? rates reasonable?) before reimbursing
8B: Travel & Conveyance Policy
Set limits:
- Local travel: ₹500/day (or actuals with bills)
- Outstation: Flight economy class, hotel max ₹3,000/night
- Food: ₹1,000/day
Process: Submit travel advance request (pre-approved) → Travel → Submit bills → Settle advance.
Without policy: Employees claim ₹5K/day, no bills (bleeding cash).
8C: Marketing & Business Development Expenses
Control: Pre-approved budget (₹50K/month marketing).
Before spending: Get founder approval (what campaign? expected ROI?).
After spending: Submit invoices, campaign report (leads generated, conversions).
Without control: Marketing head spends ₹2L/month on “ads” (no results, no bills—possible kickback).
Control #9: HR & Payroll Controls (Prevent Ghost Employees)
Common payroll frauds:
- Ghost employees (fake names on payroll, HR pockets salary)
- Inflated salaries (HR increases employee’s salary without approval, gets kickback)
- Fake reimbursements (medical, travel claims without bills)
9A: Appointment Letter & Employee Master
For every employee:
- Appointment letter (designation, salary, benefits, signed)
- PAN, Aadhaar, bank details on record
- Employee code (unique ID)
Maintained in: HRMS software or Excel (with photo, joining date, reporting manager)
9B: Attendance Integration with Payroll
Link: Biometric/attendance system → Payroll software.
Auto-calculate: Present days, leaves, late marks → Salary computation.
Manual override: Needs approval (with reason).
Prevents: Paying for absent days, fake attendance.
9C: Salary Approval Process
Monthly:
Step 1: HR prepares salary sheet (employee-wise, with attendance, deductions)
Step 2: Manager reviews (any new joiners? any salary changes?)
Step 3: Founder approves (signature on salary sheet)
Step 4: Accounts processes payment (via bank—NOT cash for >₹10K)
Step 5: Salary slip issued to employee (email/print)
9D: Increment & Bonus Approval
Rule: HR cannot give any increment/bonus without founder approval.
Process: Annual appraisal → Manager recommends increment % → Founder approves → HR updates master → New salary effective next month.
9E: Exit Process (Full & Final Settlement)
When an employee resigns or is terminated:
Step 1: Manager accepts resignation, informs HR
Step 2: HR calculates F&F: Last salary + leave encashment – notice period shortfall – any dues
Step 3: IT head revokes access (email, ERP, server, office keys—SAME DAY)
Step 4: Accounts processes F&F payment (after clearance from all departments)
Critical: Revoke system access immediately (prevent data theft, sabotage).
Control #10: Documentation & Filing System
Audit-ready business = All documents organized.
10A: Vendor File (Physical or Digital)
For each vendor, maintain:
- GST certificate copy
- PAN copy
- Bank details (cancelled cheque)
- Agreement (if any—supply agreement, rate contract)
- All invoices (chronological)
- Payment advices
- Correspondence (emails, letters)
Organized by: Vendor name → Year → Month.
10B: Customer File
- Order confirmations
- Invoices
- Delivery challans
- Payment receipts
- Agreements (credit terms, AMC, etc.)
10C: Tax Compliance File
GST:
- Monthly GSTR-1, GSTR-3B acknowledgments
- 2B downloads
- Annual return GSTR-9
- Reconciliation reports
- Payment challans
Income Tax:
- ITR acknowledgments
- Form 26AS
- Advance tax challans
- TDS returns (24Q, 26Q)
- Tax audit report (if applicable)
Digital storage: Google Drive, Dropbox (organized folders, backed up).
Retention: Minimum 6 years (10 years safer).
Control #11: Access Control (System Security)
Who has access to critical systems?
11A: User Roles in Accounting Software
Tally/QuickBooks/Zoho Books:
| User | Role | Permissions |
|---|---|---|
| Junior Accountant | Data Entry | Create vouchers (can’t delete/alter) |
| Senior Accountant | Verification | Approve vouchers, view reports |
| Founder/CFO | Admin | Full access (create, edit, delete, view all) |
Key: No one (except founder) should have “Admin” rights.
11B: Banking Access
Net banking:
Maker: Accountant (can initiate payment, but can’t approve)
Checker: Founder (can approve/reject payment)
View-only access: Senior accountant (can view statements, balances, but can’t transact)
11C: ERP/CRM Access
Revoke immediately:
- When employee leaves
- When role changes (promoted/demoted—adjust access)
Audit logs: Check who accessed what, when (monthly random check).
Control #12: Vendor Onboarding KYC
Before adding new vendor:
Verify:
- ✅ GST registration (check on GST portal—active? filing regularly?)
- ✅ PAN
- ✅ Bank details (IFSC code valid? Account name matches vendor name?)
- ✅ Physical address (if high-value vendor, site visit or Google Street View check)
- ✅ References (2-3 other clients they supply to—call them)
Red flags:
- 🚩 GST registration <6 months old (new entity—risky)
- 🚩 Never filed GSTR-3B (shell company?)
- 🚩 Residential address (not commercial premises)
- 🚩 Bank account in individual name (not company name)
If red flags: Demand advance payment OR avoid (high fraud risk).
Control #13: Customer Onboarding KYC
For B2B customers (especially credit sales):
Collect:
- ✅ GST certificate
- ✅ PAN
- ✅ Proof of business (registration, website, references)
- ✅ Financial strength (if large orders—ask for bank statement or credit report)
Set credit limit based on KYC (new/unverified = low/no credit).
Control #14: Internal Audit (Quarterly Review)
Self-audit (or hire external auditor—₹15K-50K/quarter).
Checklist:
Financial:
- ✅ Bank reconciliation done monthly? (spot-check 2 months)
- ✅ GSTR-2B reconciliation done? (check last quarter)
- ✅ Payment vouchers have supporting docs? (sample 20 payments)
- ✅ Stock verification report on file? (last quarter)
Compliance:
- ✅ GST filed on time? (check portal—no late fees?)
- ✅ TDS deducted & deposited? (check 26AS vs. books)
- ✅ PF, ESI paid? (download govt portal statements)
Operations:
- ✅ Purchase orders on file for all purchases?
- ✅ GRN for all receipts?
- ✅ Attendance system working?
Output: Audit report (issues found + recommendations) → Founder reviews → Action plan.
Control #15: Founder’s Monthly Dashboard (CEO View)
Founder must review these metrics monthly (not just year-end):
Financial Metrics:
- ✅ Revenue (vs. last month, vs. budget)
- ✅ Gross margin % (shrinking? investigate)
- ✅ Operating expenses (increasing faster than revenue? red flag)
- ✅ EBITDA (positive? target ₹X?)
- ✅ Net profit
Cash Flow:
- ✅ Cash balance (sufficient for 2 months’ expenses?)
- ✅ Debtors aging (>90 days aging increasing?)
- ✅ Creditors aging (paying too early/too late?)
Compliance:
- ✅ GST filed? (on time?)
- ✅ TDS deposited?
- ✅ Any notices pending?
Operations:
- ✅ Inventory level (overstocked? understocked?)
- ✅ Stock turnover (improving/worsening?)
HR:
- ✅ Headcount (planned vs. actual)
- ✅ Attrition (resignations this month?)
Dashboard tool: Excel (simple), Google Data Studio (free), Zoho Analytics (₹5K/month), Power BI.
Review time: 30 minutes/month (scheduled meeting with finance/operations heads).
4. Tools to Automate Internal Controls (Free + Paid)
You don’t need expensive software—start with basics.
Free/Low-Cost Tools:
1. Google Sheets (₹0)
- Vendor tracker
- Debtor aging
- Payment approval list
- Expense tracker
- Monthly calendar
2. Tally Prime (₹18K/year—most SMEs already have)
- User roles (maker-checker)
- Bank reconciliation
- Stock management
- GST reconciliation tools
3. Zoho Books (₹1,500/month)
- Multi-user access
- Payment approval workflow
- Auto bank reconciliation
- Reports
4. Google Drive / Dropbox (₹500/month—100GB)
- Document storage (invoices, agreements, compliance files)
- Shared folders (organized)
5. RazorpayX / PayTM Business (Free + transaction fees)
- Maker-checker for payments
- Bulk payment upload (with approval)
- Payment tracking
Paid Tools (For Scaling Businesses):
6. Zoho People (₹2,000/month—50 employees)
- HRMS (attendance, leave, payroll integration)
- Employee master
7. QuickBooks (₹3,000/month)
- Advanced features (inventory, project tracking, multi-currency)
8. ERPNext (Open-source—₹10K-50K setup, ₹5K/month hosting)
- Complete ERP (purchase, sales, inventory, HR, accounts)
- Customizable
5. 30-Day Internal Controls Implementation Roadmap
How to set up controls step-by-step (even while running business):
Week 1: Foundation (Setup)
Day 1-2: Define roles
- Who’s “maker” (data entry)?
- Who’s “checker” (approval)?
- Create user roles in Tally/software
Day 3-4: Set payment approval limits
- <₹10K: Auto
- ₹10K-50K: Manager
- >₹50K: Founder
- Update in system + inform team
Day 5: Create monthly calendar (Google Sheet)
- Share with finance team
- Set reminders
Week 2: Documentation & Processes
Day 6-7: Create GRN format (Excel/printed form)
- Train store keeper
Day 8-9: Create vendor KYC checklist
- Collect pending docs from existing vendors (GST, PAN, bank)
Day 10: Set credit policy (customer-wise limits)
- Update in system
Week 3: Reconciliations & Reviews
Day 11-13: Bank reconciliation (last 3 months—catch up)
- Fix discrepancies
- Going forward: Monthly
Day 14-16: GST 2B reconciliation (last 3 months)
- Identify mismatches
- Follow up vendors
Day 17: Debtor aging report
- Send reminders to >60 day overdue
Week 4: Systems & Training
Day 18-20: Setup Google Drive folders
- Upload past year’s invoices, agreements
- Organize by vendor/customer/month
Day 21-22: Train team
- 1-hour session: Explain controls, why they matter
- Answer questions, get buy-in
Day 23-25: Review stock (physical count)
- Match with system
- Investigate differences
Day 26-28: Setup founder dashboard (Excel)
- Input: Revenue, expenses, debtors, creditors, cash
- Review monthly
Day 29-30: First internal audit (self-audit using checklist)
- Identify gaps
- Fix immediately
By Day 30: You have basic internal controls running.
Next 6 months: Refine, improve, automate further.
6. Red Flags (Signs Your Controls Are Weak)
If you see these, ACT IMMEDIATELY:
🚩 Same person handles purchase + payment + reconciliation (Sunil’s mistake—high fraud risk)
🚩 Accountant “doesn’t want you to interfere” (“I’ll look after it, you stay busy”—biggest red flag)
🚩 Bank statements never reviewed by you (accountant says “all okay”—trust, but verify)
🚩 Cash withdrawals frequent, unexplained (₹50K cash every week—for what?)
🚩 Vendor complaints: “We sent invoice 3 months ago, still no payment” (payment released but not to vendor—where did it go?)
🚩 Stock discrepancies every month (system shows 100, physical 80—20 missing—theft?)
🚩 GST 2B reconciliation never done (claiming ITC blindly—notice will come)
🚩 Year-end tax shock (advance tax ₹15L due—you had no idea)
🚩 No monthly P&L (don’t know if you made profit/loss last month)
🚩 Invoices missing (vendor asks for payment, you check file—invoice not there—where is it?)
7. Real Case Studies (Controls Saved vs. Controls Absent)
Case Study A: Manufacturing Business (Controls Present) ✅
Profile: Auto parts manufacturer, ₹15Cr turnover, 40 employees.
Controls implemented:
- ✅ Maker-checker (purchase by manager, payment by founder)
- ✅ Monthly books closing (by 25th every month)
- ✅ Bank reconciliation (by accountant, reviewed by founder)
- ✅ GST 2B match (monthly, before filing 3B)
- ✅ Stock verification (monthly physical count vs. system)
- ✅ Vendor KYC (all vendors verified)
Fraud attempt:
- Accountant tried creating fake vendor (cousin’s firm)
- Created purchase invoice ₹3L
- Prepared payment
What stopped fraud:
- Founder reviewing payment list (saw unfamiliar vendor name)
- Asked: “Who is this vendor? First time?”
- Accountant: “New supplier, better rates”
- Founder: “Show me quotations from 3 vendors, then I’ll approve”
- Accountant couldn’t produce (exposed)
- Fired accountant, no loss incurred
Lesson: Maker-checker saved ₹3L+ (fraud nipped in the bud).
Case Study B: Trading Business (No Controls) ❌
Profile: Electronics trader, ₹8Cr turnover, 15 employees.
No controls:
- ❌ Accountant had full control (create invoice, pay, reconcile)
- ❌ Founder checked books only at year-end (March)
- ❌ No GST reconciliation
- ❌ No stock verification
Fraud (over 10 months):
- Accountant created 15 fake vendors
- Total fake invoices: ₹45 lakhs
- Payments made to these vendors
- Money transferred back to accountant (via shell companies)
- Also claimed ₹8L ITC on fake invoices (now GST penalty)
Detection: External auditor (before loan application) found discrepancies.
Total loss:
- Fraud: ₹45L stolen
- GST penalty: ₹8L (fake ITC) + ₹2L interest
- Loan rejected (due to fraud in books)
- Total: ₹55 lakhs+
Recovery: ₹6L (accountant’s house mortgaged, court case ongoing 2 years).
Lesson: Lack of controls cost ₹55L+ and 2 years of stress.
8. Conclusion: Controls = Protection + Profitability
Key Takeaways:
- ✅ Internal controls are not a “Big Company” thing (even ₹50L turnover business needs them)
- ✅ Fraud is common (35% SMEs face it—don’t think “it won’t happen to me”)
- ✅ Maker-checker is #1 control (separate duties—one creates, other approves)
- ✅ Monthly closing prevents chaos (don’t wait until year-end)
- ✅ GST reconciliation prevents notices (2B match monthly = safe)
- ✅ Stock verification prevents theft (monthly physical count)
- ✅ Payment approval saves crores (founder reviews >₹50K payments = fraud caught early)
- ✅ Documentation = Audit readiness (organized files = loan approved, investor impressed)
- ✅ Tools are cheap (Google Sheets, Tally, Zoho—₹5K-20K/month for full setup)
- ✅ 30 days to implement (start today, running by next month)
What internal controls give you:
- ✅ Fraud prevention (90%+ frauds stopped)
- ✅ Compliance safety (no GST/tax notices)
- ✅ Cash flow control (debtors, creditors, inventory optimized)
- ✅ Investor confidence (clean books = funding)
- ✅ Bank loans (audit-ready = approved)
- ✅ Peace of mind (sleep peacefully, no midnight accountant calls)
- ✅ Scalability (grow 2x, 5x without systems breaking)
What lack of controls costs:
- ❌ Fraud losses (₹3L-50L+ per incident)
- ❌ GST penalties (₹2L-20L for fake ITC, late filings)
- ❌ Tax interest (advance tax underpaid—18% interest)
- ❌ Cash flow crisis (working capital ₹20L-50L stuck)
- ❌ Loan rejection (bank sees messy books, says no)
- ❌ Investor walkaway (due diligence fails, no funding)
- ❌ Reputation damage (vendor complaints, cheque bounces)
Final word:
“Trust your team, but verify the processes.”
Internal controls are not about distrust—they’re about protecting everyone (founder, employees, business).
Start small:
- Week 1: Maker-checker for payments
- Week 2: Monthly books closing calendar
- Week 3: Bank reconciliation by independent person
- Week 4: GST 2B reconciliation
By Month 2: You’ll wonder how you survived without controls.
By Month 6: Your business will operate like a well-oiled machine—fraud-proof, audit-ready, investor-attractive.
Implement today. Protect tomorrow.
FAQs: Internal Controls for Small Businesses (30 Essential Questions)
Q1: What are internal controls in simple terms?
A: Internal controls = Systems, processes, and checks to ensure: (1) Financial accuracy, (2) Fraud prevention, (3) Compliance (GST, tax, labor laws), (4) Operational efficiency. Example: Requiring two people to approve payments >₹50K (one creates, other approves) = Maker-checker control.
Q2: Are internal controls only for large companies?
A: No. Even businesses with ₹50L+ turnover or 5+ employees need basic controls. Why: Employee fraud, GST notices, cash flow gaps, compliance errors happen in ALL sizes. Stat: 35% of SMEs face employee fraud (our client experience)—controls prevent 90%+.
Q3: What is maker-checker system?
A: Maker-Checker = Segregation of duties (no single person controls entire transaction).
Example:
- Maker (Accountant): Creates purchase order, enters invoice, prepares payment
- Checker (Founder/Manager): Reviews, approves payment
Prevents: Fake invoices, duplicate payments, unauthorized transactions.
Q4: How do I implement maker-checker with only 2 people (me + 1 accountant)?
A: You = Checker, Accountant = Maker.
Process:
- Accountant: Enters all transactions, prepares payment list daily
- You: Review payment list (5 mins/day), approve via banking app (dual auth), spot-check 5 random invoices/week
Result: Accountant can’t make fake payment without your approval.
Q5: What is payment approval workflow?
A: System where payments need approval based on amount:
| Amount | Approver |
|---|---|
| <₹10,000 | Accountant (with bills) |
| ₹10K-50K | Manager |
| >₹50,000 | Founder |
How: Use banking dual-auth (accountant initiates, founder approves) OR manual (payment list emailed daily for approval).
Q6: Why is monthly books closing important?
A: Benefits:
- Monthly P&L (see profit/loss trends, not just year-end)
- GST filed on time (reconciliation done monthly, not year-end panic)
- Errors caught early (₹10K error in Jan caught in Feb, not in March of next year)
- Audit-ready (anytime auditor comes, books ready)
- Cash flow visibility (know if you’re making/losing money monthly)
Without: Errors accumulate, GST mismatches unnoticed, year-end chaos.
Q7: What is GSTR-2B reconciliation and why is it critical?
A: GSTR-2B = Auto-populated list of ITC available (based on vendors’ GSTR-1 filings).
Reconciliation = Match your purchase register with GSTR-2B (invoice-wise).
Why critical:
- If vendor didn’t file GSTR-1 → Invoice won’t be in 2B → If you claim ITC = Mismatch → Notice
- If you claim ITC only on matched invoices (in 2B) = Safe
Frequency: Monthly (before filing GSTR-3B on 20th).
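The invoice-wise match described above, as an added Python example (not part of the original article or any GST portal tool). The row layout, the ₹1 rounding tolerance, the invoice-number normalisation and all GSTINs and invoice numbers are assumptions constructed for illustration.

```python
import re

def invoice_key(gstin, invoice_no):
    """Normalise so 'inv/13' in the books matches 'INV13' on the portal."""
    inv = re.sub(r"[^A-Z0-9]", "", invoice_no.upper()).lstrip("0")
    return gstin.strip().upper(), inv

def reconcile(purchase_register, gstr2b, tolerance=1.0):
    """Invoice-wise match of the purchase register against GSTR-2B.
    tolerance (rupees, for rounding differences) is an assumption."""
    portal = {invoice_key(r["gstin"], r["invoice_no"]): r for r in gstr2b}
    out = {"claim": [], "hold_not_in_2b": [], "amount_mismatch": [],
           "duplicate_in_books": [], "only_in_2b": []}
    seen = set()
    for row in purchase_register:
        k = invoice_key(row["gstin"], row["invoice_no"])
        if k in seen:
            out["duplicate_in_books"].append(row)   # same invoice booked twice
            continue
        seen.add(k)
        match = portal.get(k)
        if match is None:
            # Not in 2B (for example, the vendor has not filed GSTR-1): hold the ITC.
            out["hold_not_in_2b"].append(row)
        elif abs(match["itc"] - row["itc"]) > tolerance:
            out["amount_mismatch"].append((row, match))
        else:
            out["claim"].append(row)
    # Invoices the portal shows but the books do not: chase the missing entry.
    out["only_in_2b"] = [r for k, r in portal.items() if k not in seen]
    return out

def claimable_itc(result):
    """ITC to claim this month: matched invoices only."""
    return sum(r["itc"] for r in result["claim"])

# Constructed sample data; every GSTIN and invoice number here is made up.
BOOKS = [
    {"gstin": "27AAAAA0000A1Z5", "invoice_no": "INV-12", "itc": 18000.0},
    {"gstin": "27AAAAA0000A1Z5", "invoice_no": "inv/13", "itc": 9000.0},
    {"gstin": "27AAAAA0000A1Z5", "invoice_no": "INV 12", "itc": 18000.0},
    {"gstin": "29BBBBB1111B1Z3", "invoice_no": "ABC/001", "itc": 36000.0},
    {"gstin": "27CCCCC2222C1Z1", "invoice_no": "77", "itc": 5400.0},
]
PORTAL_2B = [
    {"gstin": "27AAAAA0000A1Z5", "invoice_no": "INV12", "itc": 18000.0},
    {"gstin": "27AAAAA0000A1Z5", "invoice_no": "INV13", "itc": 9000.0},
    {"gstin": "27CCCCC2222C1Z1", "invoice_no": "077", "itc": 4500.0},
    {"gstin": "27DDDDD3333D1Z9", "invoice_no": "55", "itc": 1200.0},
]
RESULT = reconcile(BOOKS, PORTAL_2B)
```

Only the "claim" bucket feeds the month's ITC figure; every other bucket is a follow-up list for the reviewer rather than an amount to claim.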
Q8: How to prevent inventory theft?
A: Controls:
- ✅ GRN (Goods Receipt Note): Physical verification when goods arrive (store keeper counts, signs GRN)
- ✅ Monthly stock verification: Physical count vs. system (investigate differences)
- ✅ Barcode/batch tracking (if feasible—know which unit sold/in stock)
- ✅ Scrap control: Weigh scrap, sell via invoice (account for revenue—prevent workers stealing scrap)
Without: ₹5L-20L worth stock “disappears” annually (damage/theft untracked).
Q9: What is bank reconciliation and who should do it?
A: Bank Reconciliation = Matching bank statement with cash book (book balance vs. bank balance).
Identifies: Errors, unrecorded transactions (bank charges, direct debits), fraud (fake cheques).
Who should do:
- Accountant: Prepares reconciliation
- Founder/Manager: Reviews (spot-checks—verify 5 large payments, call vendors randomly to confirm receipt)
Frequency: Monthly (by 10th of next month).
Why independent review matters: If same person who makes payments also reconciles = Easy to hide fraud (like Sunil’s case).
Q10: How to set customer credit limits?
A: Based on:
- Customer relationship (new/regular/trusted)
- Financial strength (if available—bank statement, credit report)
- Past payment behavior
Example limits:
- New customer: ₹50K credit, 15 days (or advance payment)
- Regular (6+ months, good payment): ₹2L credit, 30 days
- Trusted (2+ years): ₹5L credit, 45 days
Enforce: In Tally/ERP (auto-block new order if limit exceeded) OR manual (sales team checks before dispatch).
Q11: What is debtor aging report?
A: Report showing customer-wise outstanding (bucketed by age):
| Customer | 0-30 days | 31-60 days | 61-90 days | >90 days | Total |
|---|---|---|---|---|---|
| Customer A | ₹1,00,000 | ₹50,000 | ₹0 | ₹0 | ₹1,50,000 |
| Customer B | ₹0 | ₹0 | ₹1,00,000 | ₹80,000 | ₹1,80,000 🚩 |
Action:
- 0-30: Normal (reminder on day 25)
- 31-60: Follow-up call
- 61-90: Legal notice
- >90: Legal action / Provision for bad debt
Frequency: Weekly review.
Q12: What is GRN (Goods Receipt Note)?
A: GRN = Document prepared when goods physically received.
Contains:
- Date, vendor name, invoice number
- Items received (description, quantity)
- Condition (OK/damaged)
- Store keeper signature
Purpose: Proof that goods actually received (prevents vendor invoicing for 100 units, sending 80, you paying for 100).
Process: Accounts matches PO → Invoice → GRN (all three align? Approve payment).
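The PO → Invoice → GRN match above, as an added Python example (not from the original article or any ERP). The document layout, item codes and vendor name are constructed, and treating damaged units as not accepted is an assumption.

```python
def three_way_match(po, invoice, grn):
    """Compare PO, vendor invoice and GRN; return a list of exceptions.
    An empty list means all three align and the payment can be approved."""
    if not (po["po_no"] == invoice["po_no"] == grn["po_no"]):
        return ["documents refer to different purchase orders"]
    issues = []
    if invoice["vendor"] != po["vendor"]:
        issues.append("invoice vendor differs from PO vendor")
    if not grn.get("signed_by"):
        issues.append("GRN has no store keeper signature")
    for item, billed in invoice["lines"].items():
        ordered = po["lines"].get(item)
        if ordered is None:
            issues.append(f"{item}: invoiced but not on the PO")
            continue
        # An item missing from the GRN counts as zero units received.
        got = grn["lines"].get(item, {"qty": 0, "damaged": 0})
        accepted = got["qty"] - got["damaged"]   # assumption: damaged = not accepted
        if billed["qty"] > accepted:
            issues.append(f"{item}: invoiced {billed['qty']}, accepted {accepted}")
        if billed["qty"] > ordered["qty"]:
            issues.append(f"{item}: invoiced {billed['qty']}, ordered {ordered['qty']}")
        if billed["rate"] != ordered["rate"]:
            issues.append(
                f"{item}: rate {billed['rate']} differs from PO rate {ordered['rate']}")
    return issues

# Constructed documents: the vendor bills 100 units but only 80 arrived,
# one rate was raised after the PO, and one item was never ordered.
PO = {"po_no": "PO-101", "vendor": "Example Cables",
      "lines": {"MCB-16A": {"qty": 100, "rate": 250},
                "WIRE-2.5": {"qty": 10, "rate": 1800}}}
INVOICE = {"po_no": "PO-101", "vendor": "Example Cables",
           "lines": {"MCB-16A": {"qty": 100, "rate": 250},
                     "WIRE-2.5": {"qty": 10, "rate": 1950},
                     "FAN-48": {"qty": 2, "rate": 2200}}}
GRN = {"po_no": "PO-101", "signed_by": "store keeper",
       "lines": {"MCB-16A": {"qty": 80, "damaged": 0},
                 "WIRE-2.5": {"qty": 10, "damaged": 0}}}

EXCEPTIONS = three_way_match(PO, INVOICE, GRN)
```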
Q13: How often should I do physical stock verification?
A: Recommended:
- Monthly: For high-value/fast-moving items
- Quarterly: For slow-moving items
- Annually: Full stock count (all items)
Process:
- Store keeper physically counts stock
- Compares with system (stock register)
- Reports differences
- Investigate (damaged? sold but not entered? stolen?)
- Adjust books (with proper documentation)
Q14: What is vendor KYC and why is it important?
A: Vendor KYC = Verifying vendor before doing business.
Collect:
- GST certificate (check on portal—active? filing regularly?)
- PAN
- Bank details
- Physical address (if high-value, verify)
- References (2-3 other clients)
Why important: Prevents fake vendors (like Sunil’s accountant created).
Red flags:
- GST registration <6 months old
- Never filed GSTR-3B
- Residential address (not commercial)
- Bank account individual name (not company)
If red flags: Demand advance OR avoid.
Q15: What is petty cash control?
A: Petty cash = Small daily expenses (tea, courier, stationery).
Control:
- Fix limit (₹10K or ₹20K/month)
- Appoint custodian (office admin)
- Custodian maintains register (date, expense, bill, amount, balance)
- Month-end: Submit bills, get reimbursement
Why needed: Without control, ₹50K-1L “disappears” annually in unexplained cash.
Q16: How to prevent payroll fraud (ghost employees)?
A: Controls:
- ✅ Appointment letter for every employee (on file)
- ✅ Attendance integration (biometric → payroll—auto-calculate salary based on present days)
- ✅ Salary approval (HR prepares, founder approves)
- ✅ Payment via bank (NOT cash for >₹10K—creates trail)
- ✅ Periodic headcount verification (Manager confirms team members exist)
Ghost employee fraud: HR creates fake employee, pockets salary. Prevention: Founder occasionally visits office unannounced (meet random employees, verify they exist).
Q17: What access should I give to accountant in Tally/accounting software?
A: User role: Data Entry (NOT Admin).
Permissions:
- ✅ Create vouchers (purchase, sales, payment, receipt)
- ❌ Delete vouchers (only Admin—you—can delete)
- ❌ Alter past periods (lock previous months—only Admin can unlock)
- ✅ View reports (P&L, Balance Sheet—read-only)
Founder = Admin (full access—create, edit, delete, view all).
Why: If accountant has Admin rights = Can delete fraud evidence.
Q18: How to implement dual authorization in net banking?
A: Most banks offer “Maker-Checker” facility.
Setup:
- Login to corporate net banking
- Settings → User Management
- Add users:
  - User 1 (Accountant): Maker (can initiate payment, can’t approve)
  - User 2 (Founder): Checker (can approve/reject payment)
- Set limits (e.g., Maker can do <₹10K alone, >₹10K needs Checker approval)
Process:
- Accountant logs in, initiates payment → Status: “Pending Approval”
- Founder logs in (separate login), sees pending payments, reviews, approves → Payment executes
Banks offering: ICICI, HDFC, SBI, Axis (most corporate accounts).
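The rule a maker-checker facility enforces, combined with the amount tiers from the Q5 table, as an added Python example (not the article's or any bank's code). User names are constructed, and placing exactly ₹10,000 and exactly ₹50,000 in the manager tier is an assumption because the table leaves the boundaries open.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed users for the example; roles follow the Q5 approver table.
USERS = {"ravi": "accountant", "meena": "manager", "sunil": "founder"}
RANK = {"accountant": 0, "manager": 1, "founder": 2}

@dataclass
class Payment:
    vendor: str
    amount: int                      # rupees
    maker: str                       # user who initiated the payment
    has_bill: bool = True            # supporting bill attached
    status: str = "PENDING_APPROVAL"
    approved_by: Optional[str] = None

def required_role(amount):
    """Lowest role allowed to approve, per the Q5 table.
    Assumption: exactly 10,000 and exactly 50,000 fall in the manager tier."""
    if amount < 10_000:
        return "accountant"
    if amount <= 50_000:
        return "manager"
    return "founder"

def approve(payment, approver):
    """Try to approve; return (ok, reason). A refused payment stays pending."""
    role = USERS.get(approver)
    if role is None:
        return False, "unknown user"
    if payment.status != "PENDING_APPROVAL":
        return False, "payment is not pending"
    need = required_role(payment.amount)
    if RANK[role] < RANK[need]:
        return False, f"needs {need} approval"
    if need == "accountant":
        # Small payments: the maker may act alone, but only with a bill.
        if not payment.has_bill:
            return False, "bill missing"
    elif approver == payment.maker:
        # Segregation of duties: above the small-payment limit the checker
        # must be a different person from the maker.
        return False, "maker cannot approve own payment"
    payment.status, payment.approved_by = "APPROVED", approver
    return True, "approved"
```

With these rules a ₹2L transfer initiated by the accountant stays in "PENDING_APPROVAL" until the founder's separate login approves it.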
Q19: What is internal audit and how often should I do it?
A: Internal audit = Self-review or external auditor reviews controls, compliance, processes.
Frequency:
- Quarterly: For ₹2Cr+ turnover businesses
- Annually: For smaller businesses
Checklist:
- Bank reconciliation done?
- GST 2B reconciliation done?
- Payment vouchers have supporting docs (sample check 20)?
- Stock verification done?
- GST/TDS filed on time?
- TDS deducted matches deposited?
Who does: Founder (self-audit) OR hire CA (₹15K-50K/quarter).
Output: Report (issues found + recommendations) → Founder fixes.
Q20: What is founder’s dashboard and what should it include?
A: Monthly review dashboard (for CEO-level decision-making).
Metrics:
- Financial: Revenue, GP margin, EBITDA, net profit
- Cash: Cash balance, debtor aging (>90 days?), creditor aging
- Compliance: GST filed? TDS deposited? Any notices?
- Operations: Inventory level, stock turnover, employee headcount
Tool: Excel (simple), Google Data Studio (free), Zoho Analytics, Power BI.
Review: 30 mins/month (with finance/operations heads).
Q21: How much does it cost to set up internal controls?
A: Mostly FREE (process changes, no software needed).
Optional costs:
- Tally Prime: ₹18,000/year (most already have)
- Zoho Books: ₹1,500/month (if switching from Tally)
- Google Drive: ₹500/month (document storage)
- External auditor (quarterly): ₹15,000-50,000/quarter
Total: ₹2,000-5,000/month (for full automation).
ROI: Saves ₹5L-50L/year (fraud prevented, penalties avoided, better cash flow).
Q22: What are the signs of weak internal controls?
A: 🚩 Red flags:
- Same person creates invoice + approves payment + reconciles bank
- Accountant resists your involvement (“I’ll take care of it, you stay busy”)
- Bank statements never reviewed by you
- Frequent cash withdrawals (₹50K weekly—for what?)
- No monthly P&L (don’t know if you made profit/loss last month)
- GST 2B reconciliation never done
- Stock verification never done (system shows 100, physical count 80—20 missing where?)
- Year-end tax shock (₹15L advance tax due—you had no idea)
Q23: Can internal controls slow down business operations?
A: No, if implemented smartly.
Common fear: “Approvals will delay everything.”
Reality:
- Payment approval: 5 mins/day (founder reviews list, approves)
- Bank reconciliation: 1 hour/month (accountant does, founder spot-checks)
- Stock verification: 2 hours/month
Total time: <10 hours/month (founder’s time).
Benefit: Saves lakhs (fraud prevented) + Peace of mind.
Smart implementation: Automate approvals (banking dual-auth), use software (Tally user roles), delegate but verify.
Q24: What if my accountant resigns? Will controls prevent knowledge loss?
A: Yes, actually controls HELP during transitions.
With controls:
- All processes documented (anyone can follow)
- Maker-checker (new accountant can’t do fraud easily—second person checks)
- Monthly closing (books up-to-date—new accountant picks up from last month)
Without controls:
- Old accountant had all knowledge (sole control)
- New accountant takes 3-6 months to understand mess
- Errors/fraud during transition
Tip: Maintain SOP (Standard Operating Procedure) document—step-by-step for each process (how to do purchase entry, payment, reconciliation).
Q25: How to implement controls without demotivating honest employees?
A: Communication is key.
DON’T say: “I don’t trust you, so I’m adding controls.”
DO say: “We’re growing, need professional systems (like corporates). Controls protect everyone—including you (no false accusations), me (business safety), and business (investor/bank confidence).”
Involve team: Ask for their input (“What controls do you think will help us work better?”)—they’ll suggest good ideas.
Appreciate compliance: When team follows controls well, acknowledge (“Great job on timely reconciliation!”).
Result: Team sees controls as HELP (not surveillance), adopts willingly.
Q26: What is the biggest mistake founders make regarding internal controls?
A: Waiting until fraud happens.
Common thinking: “We’re small, fraud won’t happen to us.”
Reality: Fraudsters don’t care about size—they care about OPPORTUNITY (weak controls = opportunity).
Sunil’s regret: “I should’ve set up controls when I hit ₹1Cr turnover. Now I’m ₹12Cr and lost ₹27L.”
Right approach: Set up controls BEFORE you need them (when you’re ₹50L-1Cr turnover, 5+ employees).
Q27: Can I use Excel instead of expensive software for controls?
A: Yes, absolutely (for starting out).
Excel templates (free):
- Payment approval tracker (daily list for founder approval)
- Vendor master (KYC details, compliance status)
- Debtor aging (customer-wise outstanding)
- Bank reconciliation format
- Monthly closing calendar (task list with deadlines)
- Petty cash register
Later (when scaling): Shift to Tally/Zoho/QuickBooks (for automation, multi-user access).
Q28: What is the role of external auditor vs. internal controls?
A:
- Internal controls: Day-to-day processes (you implement, team follows—ongoing)
- External auditor: Periodic review (quarterly/annually—checks if controls are working)
Analogy:
- Internal controls = Daily exercise + healthy diet
- External auditor = Annual health check-up (doctor validates you’re healthy OR flags issues)
Both needed: Controls prevent issues, auditor verifies controls are effective.
Q29: How do internal controls help with getting bank loans?
A: Banks fund ONLY businesses with strong controls.
Bank’s due diligence checks:
- ✅ Are books audit-ready? (monthly closing, clean reconciliation)
- ✅ Is stock verified? (physical vs. system match—proves inventory exists, not inflated)
- ✅ Are debtors real? (aging report, collection pattern—proves revenue genuine)
- ✅ Is GST compliant? (no notices, timely filing—proves business is legal)
With controls: All above available (within 1 day) → Loan approved.
Without controls: Books messy, can’t prove stock/debtors, GST issues → Loan rejected.
Stat (our experience): Businesses with strong controls get loans 3x faster and at 1-2% lower interest (bank sees lower risk).
Disclaimer: This blog is for educational purposes only and does not constitute legal, financial, or business advice. Internal control needs vary by business type, size, industry, and risk profile. Implementation of controls should be tailored to specific business circumstances and regulatory requirements. While internal controls significantly reduce fraud and compliance risks, they cannot eliminate all risks entirely. Case studies mentioned are based on real situations but details have been modified to protect confidentiality. Please consult qualified professionals (Chartered Accountant, Internal Auditor, Legal Advisor) for personalized guidance on designing and implementing internal controls for your specific business. AdvoFin Consulting is not liable for actions taken based solely on this content.
