HomeServicesAccounting & PayrollFinancial Planning & Internal Control Support

Accounting & Payroll · Virtual CFO & Finance Function

Financial Planning & Internal Control Support

Most growing businesses discover their internal control gaps the hard way — a vendor paid twice, an employee reimbursement that should never have been approved, a cash discrepancy nobody can trace back to a single decision point.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Most growing businesses discover their internal control gaps the hard way — a vendor paid twice, an employee reimbursement that should never have been approved, a cash discrepancy nobody can trace back to a single decision point. Financial Planning & Internal Control Support exists to prevent that discovery from happening in the worst possible way — through fraud, an investor's due-diligence report, or an auditor's qualification. At PNPC Global, we have helped businesses across India and the UAE build annual budgets that hold up against actuals, and control frameworks that hold up against people, since 1986. We are not a software vendor selling you a budgeting template. We are a practising CA firm that sits with your finance team, understands where money actually moves in your business, and designs the planning cycle and the control points around that reality.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Financial Planning & Internal Control Support is

Financial Planning & Internal Control Support is an advisory and implementation service covering two related but distinct disciplines. The first is annual financial planning and budgeting — the structured process of translating a business's strategic goals into a quantified, department-wise, month-wise financial plan that management can track against actuals throughout the year. The second is internal financial controls (IFC) design — the system of authorisation limits, segregation of duties, approval workflows, documentation standards, and reconciliation checkpoints that protects a company's assets from error, misuse, and fraud, and that produces financial statements management can actually rely on.

For companies incorporated under the Companies Act 2013, internal financial controls are not merely good practice — Section 134(5)(e) requires the Board of Directors of every listed company to state in the Directors' Responsibility Statement that internal financial controls were laid down and were operating effectively during the year. The statutory auditor's parallel obligation to report on the adequacy and operating effectiveness of a company's internal financial controls over financial reporting, under Section 143(3)(i) of the Companies Act read with the Standards on Auditing (SA 315 and SA 265), applies more broadly — but MCA has specifically exempted one-person companies, small companies, and private companies below prescribed turnover and borrowing thresholds from this particular auditor-reporting requirement. Whether your company sits inside or outside that exemption depends on its current turnover, borrowings, and classification, which can change year to year. A company that has never formally documented its controls — who approves what, at what value, with what supporting evidence — puts its auditor in a difficult position and its directors at compliance risk regardless of which side of the exemption it falls on, because auditors and investors both look for a documented control environment in practice.

Annual budgeting, by contrast, is not a statutory requirement for most private companies, but it is the single most consistent predictor of financial discipline we observe across our client base. A business operating without a budget is, in practice, making spending decisions reactively — against whatever cash happens to be in the bank that week — rather than against a plan. A properly built budget breaks revenue and cost lines down by department, by month, and (where useful) by project or cost centre, and is designed from the outset to be compared against actuals so that variances are visible early enough to act on, not discovered at year-end when the option to correct course has passed.

The two disciplines reinforce each other. A budget without controls is just a forecast — nothing stops actual spending from drifting away from it undetected. Controls without a budget catch unauthorised transactions but give management no reference point to judge whether authorised spending is actually sound. PNPC designs both together: a realistic, department-owned budget, and the approval and reconciliation architecture that keeps actual financial activity aligned with it — and that gives your statutory auditor, your Board, and your investors documented evidence that the numbers in your financial statements can be trusted.

When your business needs this

You are past the founder-approves-everything stage — headcount, vendor volume, or transaction count has grown to where informal oversight is no longer realistic

You are preparing for a statutory audit, and your auditor has flagged (or is likely to flag) the absence of a documented internal financial controls framework under Section 143(3)(i) and SA 315

You are approaching a funding round, and investor due diligence will examine whether financial controls exist beyond 'the founder checks the bank statement'

You have had at least one incident — a duplicate payment, an unreconciled cash discrepancy, an unauthorised purchase, or a suspected internal fraud — that revealed a gap in approval or reconciliation discipline

You are running month-to-month without a budget, and management cannot say with confidence whether current spending is on track against any plan

You are opening a new branch, business line, or subsidiary and need the control framework to scale consistently across locations rather than being reinvented informally at each site

Your Board or investors have asked for a formal budget-vs-actual variance report and your current process cannot produce one reliably each month

When a lighter-touch service may be more appropriate first

A very early-stage business with 1–2 founders and no employees handling money independently — day-to-day bookkeeping discipline (see our Day-to-Day Accounting service) may be sufficient until the team grows

A business that already has a functioning budget-vs-actual dashboard and monthly MIS in place and needs a reporting tool, not a controls redesign — our Budget & MIS Dashboard service is the more direct fit

A business whose real need is basic bookkeeping accuracy and reconciliation rather than governance-level controls — controls layered on top of unreliable base data will not produce reliable results

A business seeking a one-time forensic investigation into a specific suspected fraud, rather than an ongoing planning and controls framework — this calls for a forensic audit engagement, which PNPC can also scope separately

A business with fewer than 3–4 employees and a single bank account, where the cost of a formal controls framework is unlikely to be proportionate to the risk being managed at this stage

Structure Comparison

Financial Planning & Internal Control Support vs adjacent PNPC accounting services

FeatureFinancial Planning & ControlsBudget & MIS DashboardDay-to-Day AccountingStatutory Audit
Primary focusAnnual budget design + control framework designOngoing budget-vs-actual reporting & dashboardsTransaction recording, bookkeeping, reconciliationIndependent opinion on financial statements
DeliverableAnnual budget, SOPs, authorisation matrix, control checklistsRecurring monthly/quarterly MIS packs and dashboardsBooks of account, ledgers, bank reconciliationAudit report, management letter, IFC opinion
Frequency of engagementAnnual design cycle + periodic reviewMonthly or quarterly, ongoingDaily/weekly/monthly, ongoingAnnual (statutory requirement)
Statutory basisAdvisory — supports Sec 134(5)(e) IFC complianceNot statutory — management toolBooks required under Sec 128 Companies Act / Income-tax ActMandatory under Sec 139–143 Companies Act
Who typically needs itGrowing companies, pre-funding, post-incident, multi-locationCompanies wanting visibility into plan-vs-actual monthlyEvery company and LLP, from Day 1Every company; LLPs above prescribed turnover/capital
Segregation of duties designYes — core deliverableNo — assumes controls already existNo — records what is given, does not design approvalsTests existing controls, does not design them
Fraud-prevention orientationYes — explicit design objectiveIndirect — variance visibility can surface anomaliesIndirect — accurate records support later detectionYes — but as detection/opinion, not prevention design
Best combined withBudget & MIS Dashboard for ongoing trackingFinancial Planning & Controls for the underlying frameworkFinancial Planning & Controls once transaction volume growsFinancial Planning & Controls to strengthen the IFC opinion

These services are complementary, not mutually exclusive. Most PNPC clients start with day-to-day accounting, add financial planning and controls as headcount and transaction complexity grow, layer on a budget-vs-actual dashboard for ongoing visibility, and rely on statutory audit as the independent annual check on all of it. Your engagement CA will recommend the right starting point and sequencing for your stage.

How it works
#Stage & What PNPC DoesCA Advice Portals Never GiveTimeline
1Discovery & Risk Assessment — Understanding how money actually moves in your businessWe do not start with a template. We walk your actual payment approval chain, your vendor onboarding process, your cash handling (if any), your payroll approval, and your bank access controls — and identify where the real exposure sits. A retail business with cash collections has entirely different risk points from a B2B SaaS company invoicing on 30-day terms.Week 1
2Chart of Accounts & Cost Centre ReviewA budget built on a chart of accounts that does not map cleanly to how your business actually operates by department or product line will never produce a usable variance report. We review and, where needed, restructure the chart of accounts and cost centre tagging before building the budget on top of it.Week 1–2
3Annual Budget Construction — Revenue, cost, and cash flow projectionsWe build the budget bottom-up from department owners' inputs, not top-down from a growth percentage applied to last year's numbers. Sales pipeline assumptions, hiring plan, fixed versus variable cost splits, and known one-time capital expenditure are captured explicitly and separately, so variance analysis later can distinguish a real problem from a timing difference.Week 2–4
4Authorisation Matrix Design — Who can approve what, up to what valueThis is the single most consequential document in the entire engagement. We map every category of spend — vendor payment, employee reimbursement, payroll change, capital purchase, bank transfer — to a named approver and a value threshold, with escalation to a second approver above defined limits. Without this document in writing, 'who is allowed to approve this' is decided ad hoc, differently, every time.Week 3–4
5Segregation of Duties Review — Separating initiation, approval, and custodyThe classic control failure is one person who can both create a vendor, approve the payment, and release the funds. We map your current process against the standard segregation model — the person who requests a payment should not be the person who approves it or the person who executes it — and flag every point where the same individual holds two or more of these roles.Week 3–5
6Standard Operating Procedures (SOPs) DocumentationVerbal understanding of 'how we do things' does not survive staff turnover. We document SOPs for the core financial processes — procure-to-pay, payroll processing, expense reimbursement, petty cash, bank reconciliation, month-end close — in a format your finance team can actually follow and that a new hire can be trained on without relying on institutional memory.Week 4–6
7Reconciliation Framework Design — Bank, vendor, and inter-companyWe establish the cadence and ownership for reconciliations: daily or weekly bank reconciliation, monthly vendor statement reconciliation, and — where relevant — inter-company account reconciliation for group structures. An unreconciled bank account is one of the most common places discrepancies go unnoticed for months.Week 4–5
8Petty Cash & Physical Asset Controls (where applicable)For businesses handling cash or physical inventory, we design the specific controls that generic frameworks miss: petty cash imprest limits and replenishment approval, physical stock verification cadence, and fixed asset tagging and periodic verification against the fixed asset register.Week 5–6
9IT & System Access Controls ReviewWho has access to the accounting software, who can create or modify vendor master data, who can post journal entries, and whether access is reviewed when an employee changes role or exits — these system-level controls are as important as the paper-based approval chain and are frequently overlooked entirely.Week 5–6
10Control Testing & WalkthroughBefore finalising, we walk through a sample of actual transactions against the newly designed controls to confirm they work in practice, not just on paper. This also surfaces friction points — a control that is too slow for the business's actual pace gets bypassed within weeks, which defeats its purpose.Week 6–7
11Documentation Handover & Team TrainingThe authorisation matrix, SOPs, reconciliation calendar, and control checklists are formally handed over and walked through with your finance team and relevant department heads — not just emailed as a PDF. We conduct a structured training session so the people executing the controls understand not just the 'what' but the 'why'.Week 7
12Monthly Budget-vs-Actual Variance Review — First quarterFor the first quarter after rollout, PNPC reviews the budget-vs-actual variance with management directly — identifying whether variances are timing differences, genuine overspend, or assumptions that need revising for the remaining year. This is where a static budget becomes a living management tool.Month 1–3 post-rollout
13Annual Review & Refresh CycleBudgets and control frameworks are not one-time documents. Each year, PNPC revisits the budget against the prior year's actuals and revises assumptions, and reviews whether the control framework still matches the business — new departments, new locations, new payment channels, or new headcount often require targeted updates rather than a full redesign.Annually, ongoing engagement

Realistic end-to-end timeline for the initial build: 6–8 weeks from discovery to full documentation handover and team training, depending on business complexity and the availability of department heads for input sessions. Businesses with multiple locations or existing legacy processes that must be transitioned carefully may take longer. This is typically followed by an ongoing quarterly or annual review engagement — financial planning and controls are a discipline, not a one-time deliverable.

Document Checklist
Financial & Accounting Records

Last 2–3 years of financial statements (P&L, balance sheet, cash flow statement) — used as the baseline for budget assumptions and trend analysis

Current chart of accounts and, if available, cost centre / department mapping from your accounting software

Trial balance and general ledger extracts for the most recent completed financial year

Bank statements for all active accounts for the last 6–12 months

Existing budget or forecast documents, if any were prepared previously, along with actual results against them

Organisational & Process Information

Organisation chart showing department heads and reporting lines relevant to financial approvals

Current list of employees or roles with any form of financial authority — payment approval, vendor onboarding, payroll processing, bank access

Existing written policies, if any — expense reimbursement policy, procurement policy, travel policy

List of bank accounts, signatories, and current signing authority limits for each account

Details of any existing ERP, accounting software, or expense management system in use, including user roles and access levels

Vendor & Payment Process Details

Vendor master list with payment terms, and description of how new vendors are currently onboarded and approved

Sample of recent large-value payment approvals — showing who requested, who approved, and how it was documented

Description of the current purchase order (PO) process, if one exists, and whether payments are matched against POs and goods receipt before release

Petty cash policy and current custodian details, if petty cash is maintained

Details of any recurring or standing payment instructions (rent, subscriptions, EMIs) and who monitors them

Payroll & HR-Linked Financial Controls

Current payroll process description — who initiates changes (new hire, salary revision, exit), who approves, and who processes the payroll run

Employee headcount and departmental cost breakup for the current year, used in the budget's people-cost projection

Reimbursement claim process and approval hierarchy currently in use

Details of any variable pay, incentive, or commission structures that need to be reflected in the annual budget

Business Plan & Growth Inputs

Sales pipeline, order book, or revenue forecast inputs from the sales/business team for the budget period

Planned hiring for the year, by department and approximate timing

Any known one-time or capital expenditure planned for the year — equipment, office fit-out, software licences, new location setup

Known contractual commitments — lease renewals, long-term vendor contracts, financing/loan repayment schedules

Board-approved strategic priorities or targets for the year, if formally documented, to align the budget with stated business goals

Governance & Compliance Context

Company's incorporation documents and latest MCA filings, to confirm applicable statutory audit and IFC reporting obligations

Prior year's statutory audit report and management letter, if any observations on internal controls were previously raised by auditors

Details of any prior fraud, error, or control-failure incident, and how it was resolved — used to prioritise control design around actual risk history

List of related-party transactions or inter-company arrangements, if applicable, requiring specific control and disclosure treatment

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Initial Build (Week 1–8)Growth stage, audit requirement, or post-incident decision to formaliseDiscovery, chart of accounts review, budget construction, authorisation matrix, segregation of duties mapping, SOP documentation, and control testing as described in the registration journey above.Delaying the initial build means continued exposure to undetected error or fraud, and an audit season where the auditor has no documented IFC framework to assess — creating friction and possible qualification in the audit report.
First Quarter Post-RolloutControls and budget go livePNPC reviews the first quarter's budget-vs-actual variance with management and observes whether the new approval and reconciliation processes are actually being followed in practice, not just on paper.A control framework that is documented but not enforced in the first quarter tends to erode quickly — staff revert to old habits once the novelty of the new process fades, unless management visibly holds the line.
Annual Budget RefreshNew financial year approachingPNPC revisits the prior year's actuals against budget, discusses what assumptions held and what did not with department heads, and builds the next year's budget incorporating those lessons — including any new departments, products, or locations.A budget carried forward unchanged, or rebuilt as 'last year plus X%' without genuine review, loses credibility with management and stops being used as a real planning tool.
Statutory Audit SeasonFinancial year-end, ahead of auditPNPC ensures the authorisation matrix, SOPs, and reconciliation records are current and available for the statutory auditor's review of internal financial controls under Section 143(3)(i), and briefs management on likely auditor queries.An auditor who finds no evidence of a functioning IFC framework may raise it as an observation in the management letter or, in more serious cases, qualify the audit opinion — both of which are visible to investors, banks, and regulators.
Headcount or Location GrowthNew department, new office, new business linePNPC extends the authorisation matrix and SOPs to the new unit, ensuring segregation of duties is maintained rather than informally relaxed 'just for now' during the expansion, which is when many control gaps are first created.New locations or departments set up without applying the existing control framework consistently become the weakest link — often the first place a control failure is later discovered.
Pre-Funding / Due DiligenceInvestor interest or term sheetPNPC prepares the documented control framework, budget history, and variance reports as part of the financial due-diligence pack, and briefs management on how to present the company's financial discipline credibly to investors.Investors routinely treat the absence of basic financial controls as a red flag independent of the numbers themselves — it signals execution risk regardless of how strong the business model looks.
Incident ResponseSuspected error, discrepancy, or fraudPNPC assists in tracing the discrepancy against the documented control framework to identify exactly where the control was bypassed or was absent, and recommends the specific remediation — which is far faster and more precise when a control framework already exists to investigate against.Without a pre-existing control framework, incident investigation becomes far slower and more speculative, and the same gap that caused the first incident often remains open to recur.
Frequently asked
What exactly is the difference between 'financial planning' and 'internal controls' in this service?

Financial planning is the annual budgeting process — translating your business goals into a quantified, month-wise, department-wise plan you can track actual performance against. Internal controls are the system of approvals, segregation of duties, and reconciliation checkpoints that protect your business from error and misuse, and that make your financial statements reliable. PNPC delivers both together because a budget without controls has nothing enforcing it, and controls without a budget have no reference point to judge whether spending is actually on track.

Practitioner noteClients often ask for one and need both. We scope the engagement after the discovery phase, once we understand which gap is actually larger in your business.
Is internal financial controls (IFC) documentation a legal requirement for my company?

Under Section 134(5)(e) of the Companies Act 2013, the Board of Directors of every listed company must state that internal financial controls were laid down and were operating effectively — and the statutory auditor separately reports on the adequacy and operating effectiveness of IFC over financial reporting under Section 143(3)(i), read with the applicable Standards on Auditing. MCA has specifically exempted one-person companies, small companies, and private companies below prescribed turnover and borrowing thresholds from the auditor-reporting limb of this requirement, so most smaller private companies fall outside the strict statutory trigger — though this depends on your company's current classification, turnover, and borrowings, which can shift year to year. Even where the strict statutory trigger does not apply to your company, auditors increasingly expect to see some documented control framework as part of a clean audit, and investors expect it as part of due diligence.

Practitioner noteApplicability rules for private companies have been refined by MCA notifications over the years, and the turnover/borrowing thresholds are amended periodically. We confirm your company's specific applicability at the start of engagement rather than relying on a generic answer — it depends on your company's classification, paid-up capital, turnover, and borrowings at the time of the relevant financial year.
We are a 15-person startup. Do we really need a formal controls framework yet?

There is no fixed headcount threshold in law, but in practice, once more than one or two people can independently initiate a payment or approve an expense, the risk of an uncaught error or a deliberate misuse rises sharply. Fifteen people with multiple department heads is often the point where informal, founder-checks-everything oversight starts breaking down. The framework does not need to be heavy — it needs to be proportionate to your actual risk, and it is far cheaper to build lightly now than to retrofit after an incident.

Practitioner noteWe scale the framework to the business. A 15-person startup gets a leaner authorisation matrix and fewer reconciliation checkpoints than a 200-person multi-location company — the principles are the same, the depth differs.
What is an authorisation matrix and why does PNPC say it is the most important document?

An authorisation matrix is a single reference document that maps every category of financial transaction — vendor payment, reimbursement, payroll change, capital purchase — to a named approver and a value threshold, with escalation to a second approver above that threshold. Without it in writing, 'who can approve this' gets decided differently each time, by whoever happens to be available, which is exactly the inconsistency that creates control gaps.

Practitioner noteWe have seen businesses where three different people believed they had final approval authority on vendor payments — none of them wrong, because nothing was ever written down. The matrix ends that ambiguity permanently.
What is segregation of duties, in practical terms?

It means the person who requests or initiates a transaction should not be the same person who approves it, and ideally not the same person who executes or has custody of the funds or assets involved. In a small business, one person often ends up doing two or all three — creating a single point where an error or a deliberate act could go undetected. Where full segregation is not staffing-feasible, we design compensating controls, such as mandatory periodic review by a second person, to reduce the exposure.

Practitioner noteComplete segregation is genuinely difficult in a very small team. We are honest about that constraint and design the best achievable control given your actual headcount, rather than prescribing a textbook model you cannot realistically staff.
How is a budget actually built — top-down from a growth target, or bottom-up from department inputs?

PNPC builds budgets bottom-up: sales pipeline and revenue assumptions from the business/sales team, hiring plans and payroll costs from department heads, and known committed costs from finance — assembled into a single financial plan and then reviewed against overall strategic targets. A top-down budget built by applying a growth percentage to last year's numbers is faster to produce but rarely survives contact with reality, because it is not owned by the people actually responsible for hitting the numbers.

Practitioner noteDepartment ownership matters more than most founders expect. A budget imposed from the top gets quietly ignored by month three. A budget that department heads helped build gets defended by them when variances appear.
How often should budget-vs-actual variance be reviewed?

Monthly is the standard cadence for most businesses — frequent enough to catch a variance while there is still time in the year to act on it, but not so frequent that the review becomes noise from short-term timing differences. Some fast-moving businesses benefit from a lighter weekly cash-flow check layered on top of the monthly full variance review. PNPC recommends the cadence based on your transaction volume and how quickly your business's numbers actually move.

Practitioner noteA quarterly-only review is common in smaller businesses simply to save cost, but it means a problem visible in month one is not addressed until month four — by which point the corrective options are often narrower and more expensive.
What happens if our actual results diverge significantly from the budget mid-year — is the budget just wrong?

Not necessarily. A variance can be a timing difference (revenue that shifted a month later than planned), a genuine performance issue (costs running structurally above plan), or a change in underlying assumptions (a new competitor, a delayed product launch) that means the original budget needs a formal revision. PNPC's variance review distinguishes between these three categories explicitly, because the correct management response is different for each.

Practitioner noteWe advise against silently 're-forecasting' every month to make the numbers always look on-track. A budget that is quietly rewritten to match actuals stops functioning as a planning tool. Formal, documented revisions at defined checkpoints are better discipline.
Does PNPC design controls only for large companies, or also for proprietorships and small LLPs?

We work with businesses of every size and structure — sole proprietorships, partnerships, LLPs, and private/public companies. The statutory IFC reporting requirement under the Companies Act applies specifically to companies, but the underlying discipline of budgeting and basic controls — separating who approves payments from who executes them, reconciling bank accounts regularly — benefits any business handling money through more than one person.

Practitioner noteFor proprietorships and small LLPs, we typically scope a lighter engagement focused on the highest-risk points — cash handling, vendor payment approval, payroll — rather than a full corporate-grade IFC framework that would be disproportionate to the entity's size.
Can this service help us prepare for a statutory audit specifically?

Yes — this is one of the most common reasons companies engage PNPC for this service. We ensure the authorisation matrix, SOPs, and reconciliation evidence are current, documented, and available for the statutory auditor's review of internal financial controls under Section 143(3)(i), and we brief management ahead of time on the kind of queries the auditor is likely to raise, so there are no surprises during fieldwork.

Practitioner noteAn auditor arriving to find a documented control framework already in place moves through the IFC testing portion of the audit noticeably faster — which, in practice, also reduces audit fees and disruption to your team.
What is a management letter, and how does it relate to internal controls?

A management letter is a communication from the statutory auditor to the company's management and those charged with governance, setting out control weaknesses or process observations identified during the audit that did not necessarily affect the audit opinion but are worth management's attention. Recurring or unaddressed items in successive years' management letters are a signal — to the Board, and potentially to investors reviewing audit history — that control gaps are known but not being fixed.

Practitioner noteWe review prior years' management letters as one of our discovery inputs specifically because they are a documented, auditor-validated list of exactly where your existing gaps are — no need to rediscover them from scratch.
Our finance team already uses accounting software with built-in approval workflows. Do we still need this service?

Software approval workflows are useful enforcement mechanisms, but they only enforce whatever rules are configured into them — and those rules are frequently set up quickly at implementation without a proper authorisation matrix or segregation-of-duties review behind them. We regularly find software configured so that the same person who can create a vendor can also approve payments to that vendor, simply because nobody designed the access rules deliberately. The software is the enforcement layer; this service is the design layer behind it.

Practitioner noteWe review your existing software's user roles and access configuration as part of the engagement and flag any configuration that undermines the segregation of duties you actually need, even if the software 'looks' like it has approvals turned on.
How does PNPC handle petty cash and physical cash controls specifically?

For businesses that handle petty cash or physical cash collections, we design an imprest-based petty cash system with a fixed float, mandatory voucher documentation for every disbursement, a defined replenishment approval process, and periodic surprise verification. For cash collection points (retail counters, field collections), we design daily reconciliation and deposit discipline so cash does not sit unaccounted for extended periods.

Practitioner noteCash-handling businesses are disproportionately exposed to both genuine error and deliberate misuse simply because cash, unlike a bank transfer, leaves no automatic digital trail. We treat cash controls as a distinct, higher-priority workstream whenever they are relevant to a client's business.
What is the typical cost of this engagement?

PNPC agrees a fixed fee for the initial build phase, scoped after the discovery session based on your business's size, number of departments, locations, and complexity of existing processes. Ongoing quarterly or annual review engagements are typically quoted separately as a retainer. We provide a written scope and fee letter before any work begins — there is no engagement without your sign-off on cost.

Practitioner noteWe do not quote a fee before the discovery session, because a controls engagement for a single-location services business and a controls engagement for a multi-location business with cash handling and inventory are genuinely different scopes of work.
Will building a control framework slow down our operations?

A poorly designed control framework can absolutely slow a business down — if every payment above a trivially low threshold requires three signatures, staff will find ways to route around it. PNPC deliberately walk-tests the designed controls against real transaction samples before finalising, specifically to catch friction points where the control is disproportionate to the risk it is managing, and to right-size approval thresholds to your actual transaction patterns.

Practitioner noteThe most common mistake we see in self-designed control frameworks is thresholds copied from a generic template that do not match the business's actual transaction sizes — resulting in either near-zero oversight or every routine payment needing director sign-off. Neither works long-term.
How does this service interact with PNPC's Budget & MIS Dashboard service?

Financial Planning & Internal Control Support builds the annual budget and the control framework around it. The Budget & MIS Dashboard service builds the ongoing monthly or quarterly reporting tool that tracks actual performance against that budget on a recurring basis. Many clients start with this service to establish the budget and controls, then move into a dashboard retainer for ongoing visibility — the two are designed to work together rather than duplicate each other.

Practitioner noteIf you already have a reliable budget and controls in place and just need better ongoing reporting visibility, it may be more efficient to start directly with the Budget & MIS Dashboard service instead — we will tell you honestly if that is the better starting point for your situation.
What is SA 315 and how does it relate to our internal controls?

Standard on Auditing (SA) 315, 'Identifying and Assessing the Risks of Material Misstatement', requires the statutory auditor to obtain an understanding of the entity's internal control relevant to the audit, as part of assessing risk. A company with clearly documented controls gives the auditor a faster, more reliable basis for this risk assessment; a company with no documented controls forces the auditor to spend more time (and often charge more) reconstructing an understanding of the control environment from scratch, and may lead to a more conservative, more testing-intensive audit approach.

Practitioner noteWe are occasionally asked whether documenting controls 'invites more auditor scrutiny'. The opposite is usually true in our experience — a documented, sensible control environment tends to reduce the auditor's assessed risk and the resulting depth of substantive testing.
Can PNPC design controls specifically to detect and prevent employee fraud?

Yes — fraud prevention is one of the explicit design objectives of this service, alongside general error reduction and financial reliability. Segregation of duties, mandatory second approval above defined thresholds, vendor master data change controls, and regular independent reconciliation are the core mechanisms that make fraud materially harder to commit and easier to detect quickly if attempted. No control framework eliminates fraud risk entirely, but a well-designed one significantly raises the difficulty and shortens detection time.

Practitioner noteWe are careful never to promise a framework that 'prevents all fraud' — that claim is not honest. What a good framework does is remove the easiest opportunities and shorten the window before something unusual is noticed.
Do you provide this service for businesses in the UAE as well as India?

Yes. PNPC's Dubai office extends the same financial planning and internal controls methodology to UAE-based businesses, adapted for the UAE's corporate governance expectations, UAE Corporate Tax compliance considerations, and WPS payroll environment. For clients with both an Indian and a UAE entity, we design a consistent control framework across both jurisdictions rather than two disconnected ones.

Practitioner noteGroup structures with an Indian parent and a UAE subsidiary (or vice versa) often need inter-company transaction controls specifically — approvals and documentation for cross-border payments, transfer pricing support, and consistent authorisation limits across both entities. We handle this as one coordinated engagement, not two separate ones.
How does PNPC's approach differ from buying an off-the-shelf budgeting or ERP template?

A template gives you a spreadsheet structure or software module — it does not tell you what your actual revenue assumptions should be, who in your organisation should approve a ₹50,000 vendor payment versus a ₹5 lakh one, or where your specific business's segregation-of-duties gaps sit. PNPC starts from your actual processes, your actual risk points, and your actual people, and builds the budget and controls around that reality. The output may end up living in a spreadsheet or your existing software, but the thinking behind it is specific to your business, not generic.

Practitioner noteWe have taken over engagements where a client bought a budgeting template, populated it with guessed numbers because nobody owned the assumptions, and abandoned it by month two. The tool was never the missing piece — the process and ownership around it was.
What is a reconciliation, and why does PNPC treat it as a control, not just an accounting task?

A reconciliation compares two independent records of the same activity — your bank statement against your cash book, a vendor's statement against your accounts payable ledger — to confirm they agree, and to surface discrepancies immediately if they do not. Reconciliation is a control because it is one of the few checkpoints that can catch an error or an unauthorised transaction after the fact, even if the initial approval control was bypassed or failed. An unreconciled account is a blind spot — discrepancies can sit there undetected for months.

Practitioner noteWe ask every new client how recently their bank accounts were last reconciled. The answer is often more revealing about the state of financial control in a business than any other single question we ask.
How do you handle controls for a business with multiple bank accounts or multiple branches?

We map the authorisation matrix and segregation-of-duties framework consistently across every account and location, rather than allowing each branch or account to develop its own informal practice. Signatory limits, reconciliation cadence, and reporting lines are standardised, with clear escalation to head office for anything above defined thresholds. Multi-location businesses are exactly where inconsistent, informally-applied controls create the biggest and hardest-to-trace gaps.

Practitioner noteThe most common failure pattern we see in multi-branch businesses is a strong control framework at head office and almost none at newer or remote branches, simply because nobody extended the framework when the branch opened. We build branch expansion into the framework from the start specifically to prevent this.
What if our business is too small to formally separate duties among different people?

In a genuinely small team, full segregation of duties may not be staffing-feasible — the same person may need to both process and record a transaction. In these cases, PNPC designs compensating controls: mandatory periodic independent review by the owner or a second person (even if that review happens weekly rather than transaction-by-transaction), system-level restrictions on what can be changed without a trail, and simplified but still-documented approval thresholds. The goal is the best achievable control given real constraints, not an unachievable ideal.

Practitioner noteWe tell small clients honestly when a control gap exists that cannot be fully closed at their current size, along with the compensating step that reduces the risk as much as practically possible. Pretending a small team has full segregation when it does not is worse than being upfront about the residual risk.
Does this service cover capital expenditure (capex) approval separately from operating expenses?

Yes. Capital expenditure — equipment purchases, office fit-outs, software licences with multi-year value, vehicles — typically warrants a distinct, usually more stringent approval threshold and process compared to routine operating expenses, given the larger sums and longer-term commitment involved. The authorisation matrix specifies capex thresholds separately, often requiring Board or director-level sign-off above a defined value, consistent with your Articles of Association and Board-approved delegation of authority.

Practitioner noteWe cross-check the capex approval thresholds in the authorisation matrix against your company's Articles of Association and any existing Board resolutions on delegation of authority, to make sure the two documents do not contradict each other.
How does PNPC handle vendor master data controls specifically?

Vendor master data — bank account details, GSTIN, contact information for each vendor in your accounting system — is a common fraud vector: a fraudulent change to a vendor's bank account details can redirect a legitimate payment to an unauthorised account. We design a control requiring any change to vendor bank details to be independently verified (typically via a callback to a known contact, not the number on the change request) and approved by someone other than the person who processes payments to that vendor.

Practitioner noteBusiness email compromise fraud, where a fraudster impersonates a vendor and requests a bank detail change by email, has become increasingly common. This specific control — independent verification before any bank detail change is actioned — is one of the highest-value, lowest-cost controls we recommend to every client, regardless of size.
Can the internal controls framework you design help with GST or TDS compliance too?

Indirectly, yes. A well-designed procure-to-pay control ensures invoices are checked for correct GSTIN and tax treatment before payment, and that TDS is deducted at source on applicable payments (rent, professional fees, contractor payments) as part of the standard payment approval workflow rather than being caught later at reconciliation. Building the tax-compliance check into the approval step, rather than treating it as a separate downstream task, meaningfully reduces the risk of missed TDS deductions and input tax credit mismatches.

Practitioner noteTDS defaults are one of the most common and costly compliance failures we see in businesses without a controls framework — largely because nobody's job explicitly included checking TDS applicability before a payment was released. We build that check into the approval workflow itself.
How long does the control framework remain valid before it needs to be revisited?

There is no fixed statutory validity period, but PNPC recommends a formal annual review at minimum, alongside the annual budget refresh cycle, and an ad hoc review whenever there is a material change — new department, new location, significant headcount growth, a new accounting system, or a control-related incident. A framework that is never revisited tends to fall out of step with how the business actually operates within 12–18 months.

Practitioner noteWe build the annual review into the same engagement cycle as the budget refresh specifically so the two conversations happen together — reviewing what the business achieved financially and whether the controls kept pace with how the business changed operationally.
What is the role of the Board or promoters in this process, versus the finance team?

The Board (or promoters, in a smaller company) sets the overall risk appetite and approves the final authorisation matrix and budget, since ultimate accountability for internal financial controls under Section 134(5)(e) rests with the directors. The finance team executes the day-to-day process — processing transactions, running reconciliations, flagging variances. PNPC facilitates both sides: building the technical framework with the finance team's input, and presenting it to the Board or promoters for formal approval and sign-off.

Practitioner noteWe insist on formal Board or promoter sign-off of the authorisation matrix and budget, not just finance-team agreement. A framework the finance team designed for itself, without director-level endorsement, has no real authority when someone senior wants to bypass it.
Do you provide ongoing support after the initial framework is built, or is this a one-time engagement?

The initial build is scoped as a defined project with a clear deliverable and timeline. Most clients then move into an ongoing engagement — typically quarterly variance reviews and an annual full refresh — because a budget and control framework that is never revisited loses relevance within a year or two. PNPC offers both the initial build and the ongoing retainer, and we are transparent about which one you are agreeing to at each stage.

Practitioner noteWe deliberately do not bundle an indefinite retainer into the initial engagement without your explicit agreement. You decide, after seeing the initial deliverable, whether ongoing support makes sense for your business.
What happens during a control 'walkthrough' — what should we expect?

A walkthrough is where PNPC traces a small number of actual, real transactions — a vendor payment, an expense reimbursement, a payroll change — end-to-end through the newly designed control process, confirming at each step that the approval, documentation, and system entries happened as the framework specifies. It is a practical test, not a theoretical review, and it is where we typically catch the gap between what the framework says on paper and what actually happens when people execute it.

Practitioner noteWalkthroughs regularly surface something the discovery phase missed — a workaround staff have been using for months because the 'official' process was too slow. We treat these findings as valuable input to refine the framework, not as a failure of the design.
Is this service relevant for a Section 8 company, trust, or NGO handling grant funds?

Yes, and arguably more so — non-profits and Section 8 companies handling donor or grant funds are frequently subject to specific funder-mandated financial control requirements (utilisation certificates, fund-wise segregation, restricted versus unrestricted fund tracking), in addition to their own governance obligations. PNPC designs controls that address both general financial discipline and the specific fund-accountability requirements donors and grant-making bodies typically expect.

Practitioner noteWe frequently see grant-funded organisations lose future funding eligibility not because funds were misused, but because fund-wise tracking and documentation were inadequate to demonstrate proper utilisation. The controls framework here is as much about protecting future funding access as about preventing misuse.
How does budgeting for a services business differ from budgeting for a business that holds inventory?

A services business budget is dominated by people costs — salaries, contractor fees, and utilisation-linked revenue — and cash flow timing is largely driven by invoicing and collection cycles. A business holding inventory has the additional complexity of purchase timing, inventory carrying cost, stock valuation method, and the working capital tied up between purchase and sale. PNPC tailors the budget structure and the associated controls (particularly around procurement and stock verification) to which model applies to your business.

Practitioner noteWe have seen generic budget templates fail specifically because they were built for a services model and then applied unchanged to an inventory-holding business, missing the working capital and stock control dimensions entirely.
What is a 'compensating control' and when does PNPC recommend one?

A compensating control is an alternative safeguard used when the ideal control — typically full segregation of duties — cannot be implemented due to genuine constraints such as small team size. For example, if one person must both process and record vendor payments because there is no one else to separate the role to, a compensating control might be a mandatory weekly independent review of all payments processed by that person, performed by the owner or a second reviewer.

Practitioner noteCompensating controls are a legitimate, standard practice — not a shortcut. We document clearly why a compensating control was chosen over the ideal control, so the reasoning is transparent to your auditor or any future reviewer of the framework.
Why should we engage PNPC rather than build this framework ourselves using free templates online?

Free templates give you a generic structure — they do not know your actual approval chain, your actual risk points, your actual chart of accounts, or your actual statutory obligations under the Companies Act and Standards on Auditing. PNPC has designed and implemented these frameworks across businesses of many sizes and sectors since 1986, and we bring the pattern recognition of having seen exactly where control gaps typically hide — vendor master data, petty cash, segregation of payment initiation and approval — that a generic template will not flag for your specific business.

Practitioner noteWe frequently take over engagements where a business implemented a downloaded template, felt reassured by having 'a policy document', and then discovered at audit time or after an incident that the template did not actually address their real risk points. A document that exists but does not match reality is arguably worse than no document, because it creates false confidence.
Why PNPC Global

PNPC Financial Planning & Controls engagement vs a generic template or software-only approach

AspectPNPC CA-Led EngagementDownloaded Template / Software-Only
Basis of designBuilt from your actual processes, risk points, and peopleGeneric structure, not specific to your business
Authorisation matrixCustom-mapped to your approvers, values, and escalation needsOften absent or a placeholder table left unfilled
Segregation of duties analysisExplicit review of who holds which roles, with compensating controls where neededNot assessed — assumed to already exist
Statutory alignmentMapped to Section 134(5)(e), Section 143(3)(i), and applicable Standards on AuditingNo linkage to statutory IFC reporting requirements
Testing before rolloutReal transaction walkthroughs to catch friction pointsUntested — friction discovered only after staff bypass it
Ongoing reviewQuarterly variance review and annual refresh built into the engagementOne-time document, rarely revisited
Team trainingStructured handover session with finance team and department headsPDF emailed with no walkthrough
ContinuitySame CA firm available for audit season, funding rounds, and incidentsNo ongoing point of contact once the template is downloaded

What the PNPC package includes

  1. 01

    Discovery session mapping your actual payment, payroll, and reconciliation processes

  2. 02

    Bottom-up annual budget built from department-owner inputs, not a generic growth percentage

  3. 03

    Custom authorisation matrix — approvers and value thresholds mapped to your actual roles

  4. 04

    Segregation-of-duties review with compensating controls designed where full separation is not feasible

  5. 05

    Documented SOPs for procure-to-pay, payroll, expense reimbursement, petty cash, and month-end close

  6. 06

    Reconciliation framework — bank, vendor, and inter-company, with defined ownership and cadence

  7. 07

    Vendor master data and IT/system access control review

  8. 08

    Real-transaction walkthrough testing before final rollout

  9. 09

    Structured training handover with your finance team and department heads

  10. 10

    First-quarter budget-vs-actual variance review included

  11. 11

    Statutory alignment briefing ahead of your audit season under Section 143(3)(i)

  12. 12

    Direct contact with your engagement CA — not a support ticket queue

Speak directly with a PNPC Chartered Accountant about your business's actual risk points — not a generic checklist. A practising CA who will still be reviewing your budget-vs-actual variance, briefing your auditor, and refining your control framework a year from now, not just handing over a document and moving on.

← Back to Accounting & Payroll
Talk to a CA