Accounting & Payroll · Virtual CFO & Finance Function
Financial Planning & Internal Control Support
Most growing businesses discover their internal control gaps the hard way — a vendor paid twice, an employee reimbursement that should never have been approved, a cash discrepancy nobody can trace back to a single decision point.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Most growing businesses discover their internal control gaps the hard way — a vendor paid twice, an employee reimbursement that should never have been approved, a cash discrepancy nobody can trace back to a single decision point. Financial Planning & Internal Control Support exists to prevent that discovery from happening in the worst possible way — through fraud, an investor's due-diligence report, or an auditor's qualification. At PNPC Global, we have helped businesses across India and the UAE build annual budgets that hold up against actuals, and control frameworks that hold up against people, since 1986. We are not a software vendor selling you a budgeting template. We are a practising CA firm that sits with your finance team, understands where money actually moves in your business, and designs the planning cycle and the control points around that reality.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Financial Planning & Internal Control Support is an advisory and implementation service covering two related but distinct disciplines. The first is annual financial planning and budgeting — the structured process of translating a business's strategic goals into a quantified, department-wise, month-wise financial plan that management can track against actuals throughout the year. The second is internal financial controls (IFC) design — the system of authorisation limits, segregation of duties, approval workflows, documentation standards, and reconciliation checkpoints that protects a company's assets from error, misuse, and fraud, and that produces financial statements management can actually rely on.
For companies incorporated under the Companies Act 2013, internal financial controls are not merely good practice — Section 134(5)(e) requires the Board of Directors of every listed company to state in the Directors' Responsibility Statement that internal financial controls were laid down and were operating effectively during the year. The statutory auditor's parallel obligation to report on the adequacy and operating effectiveness of a company's internal financial controls over financial reporting, under Section 143(3)(i) of the Companies Act read with the Standards on Auditing (SA 315 and SA 265), applies more broadly — but MCA has specifically exempted one-person companies, small companies, and private companies below prescribed turnover and borrowing thresholds from this particular auditor-reporting requirement. Whether your company sits inside or outside that exemption depends on its current turnover, borrowings, and classification, which can change year to year. A company that has never formally documented its controls — who approves what, at what value, with what supporting evidence — puts its auditor in a difficult position and its directors at compliance risk regardless of which side of the exemption it falls on, because auditors and investors both look for a documented control environment in practice.
Annual budgeting, by contrast, is not a statutory requirement for most private companies, but it is the single most consistent predictor of financial discipline we observe across our client base. A business operating without a budget is, in practice, making spending decisions reactively — against whatever cash happens to be in the bank that week — rather than against a plan. A properly built budget breaks revenue and cost lines down by department, by month, and (where useful) by project or cost centre, and is designed from the outset to be compared against actuals so that variances are visible early enough to act on, not discovered at year-end when the option to correct course has passed.
The two disciplines reinforce each other. A budget without controls is just a forecast — nothing stops actual spending from drifting away from it undetected. Controls without a budget catch unauthorised transactions but give management no reference point to judge whether authorised spending is actually sound. PNPC designs both together: a realistic, department-owned budget, and the approval and reconciliation architecture that keeps actual financial activity aligned with it — and that gives your statutory auditor, your Board, and your investors documented evidence that the numbers in your financial statements can be trusted.
When your business needs this
You are past the founder-approves-everything stage — headcount, vendor volume, or transaction count has grown to where informal oversight is no longer realistic
You are preparing for a statutory audit, and your auditor has flagged (or is likely to flag) the absence of a documented internal financial controls framework under Section 143(3)(i) and SA 315
You are approaching a funding round, and investor due diligence will examine whether financial controls exist beyond 'the founder checks the bank statement'
You have had at least one incident — a duplicate payment, an unreconciled cash discrepancy, an unauthorised purchase, or a suspected internal fraud — that revealed a gap in approval or reconciliation discipline
You are running month-to-month without a budget, and management cannot say with confidence whether current spending is on track against any plan
You are opening a new branch, business line, or subsidiary and need the control framework to scale consistently across locations rather than being reinvented informally at each site
Your Board or investors have asked for a formal budget-vs-actual variance report and your current process cannot produce one reliably each month
When a lighter-touch service may be more appropriate first
A very early-stage business with 1–2 founders and no employees handling money independently — day-to-day bookkeeping discipline (see our Day-to-Day Accounting service) may be sufficient until the team grows
A business that already has a functioning budget-vs-actual dashboard and monthly MIS in place and needs a reporting tool, not a controls redesign — our Budget & MIS Dashboard service is the more direct fit
A business whose real need is basic bookkeeping accuracy and reconciliation rather than governance-level controls — controls layered on top of unreliable base data will not produce reliable results
A business seeking a one-time forensic investigation into a specific suspected fraud, rather than an ongoing planning and controls framework — this calls for a forensic audit engagement, which PNPC can also scope separately
A business with fewer than 3–4 employees and a single bank account, where the cost of a formal controls framework is unlikely to be proportionate to the risk being managed at this stage
Financial Planning & Internal Control Support vs adjacent PNPC accounting services
| Feature | Financial Planning & Controls | Budget & MIS Dashboard | Day-to-Day Accounting | Statutory Audit |
|---|---|---|---|---|
| Primary focus | Annual budget design + control framework design | Ongoing budget-vs-actual reporting & dashboards | Transaction recording, bookkeeping, reconciliation | Independent opinion on financial statements |
| Deliverable | Annual budget, SOPs, authorisation matrix, control checklists | Recurring monthly/quarterly MIS packs and dashboards | Books of account, ledgers, bank reconciliation | Audit report, management letter, IFC opinion |
| Frequency of engagement | Annual design cycle + periodic review | Monthly or quarterly, ongoing | Daily/weekly/monthly, ongoing | Annual (statutory requirement) |
| Statutory basis | Advisory — supports Sec 134(5)(e) IFC compliance | Not statutory — management tool | Books required under Sec 128 Companies Act / Income-tax Act | Mandatory under Sec 139–143 Companies Act |
| Who typically needs it | Growing companies, pre-funding, post-incident, multi-location | Companies wanting visibility into plan-vs-actual monthly | Every company and LLP, from Day 1 | Every company; LLPs above prescribed turnover/capital |
| Segregation of duties design | Yes — core deliverable | No — assumes controls already exist | No — records what is given, does not design approvals | Tests existing controls, does not design them |
| Fraud-prevention orientation | Yes — explicit design objective | Indirect — variance visibility can surface anomalies | Indirect — accurate records support later detection | Yes — but as detection/opinion, not prevention design |
| Best combined with | Budget & MIS Dashboard for ongoing tracking | Financial Planning & Controls for the underlying framework | Financial Planning & Controls once transaction volume grows | Financial Planning & Controls to strengthen the IFC opinion |
These services are complementary, not mutually exclusive. Most PNPC clients start with day-to-day accounting, add financial planning and controls as headcount and transaction complexity grow, layer on a budget-vs-actual dashboard for ongoing visibility, and rely on statutory audit as the independent annual check on all of it. Your engagement CA will recommend the right starting point and sequencing for your stage.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Discovery & Risk Assessment — Understanding how money actually moves in your business | We do not start with a template. We walk your actual payment approval chain, your vendor onboarding process, your cash handling (if any), your payroll approval, and your bank access controls — and identify where the real exposure sits. A retail business with cash collections has entirely different risk points from a B2B SaaS company invoicing on 30-day terms. | Week 1 |
| 2 | Chart of Accounts & Cost Centre Review | A budget built on a chart of accounts that does not map cleanly to how your business actually operates by department or product line will never produce a usable variance report. We review and, where needed, restructure the chart of accounts and cost centre tagging before building the budget on top of it. | Week 1–2 |
| 3 | Annual Budget Construction — Revenue, cost, and cash flow projections | We build the budget bottom-up from department owners' inputs, not top-down from a growth percentage applied to last year's numbers. Sales pipeline assumptions, hiring plan, fixed versus variable cost splits, and known one-time capital expenditure are captured explicitly and separately, so variance analysis later can distinguish a real problem from a timing difference. | Week 2–4 |
| 4 | Authorisation Matrix Design — Who can approve what, up to what value | This is the single most consequential document in the entire engagement. We map every category of spend — vendor payment, employee reimbursement, payroll change, capital purchase, bank transfer — to a named approver and a value threshold, with escalation to a second approver above defined limits. Without this document in writing, 'who is allowed to approve this' is decided ad hoc, differently, every time. | Week 3–4 |
| 5 | Segregation of Duties Review — Separating initiation, approval, and custody | The classic control failure is one person who can both create a vendor, approve the payment, and release the funds. We map your current process against the standard segregation model — the person who requests a payment should not be the person who approves it or the person who executes it — and flag every point where the same individual holds two or more of these roles. | Week 3–5 |
| 6 | Standard Operating Procedures (SOPs) Documentation | Verbal understanding of 'how we do things' does not survive staff turnover. We document SOPs for the core financial processes — procure-to-pay, payroll processing, expense reimbursement, petty cash, bank reconciliation, month-end close — in a format your finance team can actually follow and that a new hire can be trained on without relying on institutional memory. | Week 4–6 |
| 7 | Reconciliation Framework Design — Bank, vendor, and inter-company | We establish the cadence and ownership for reconciliations: daily or weekly bank reconciliation, monthly vendor statement reconciliation, and — where relevant — inter-company account reconciliation for group structures. An unreconciled bank account is one of the most common places discrepancies go unnoticed for months. | Week 4–5 |
| 8 | Petty Cash & Physical Asset Controls (where applicable) | For businesses handling cash or physical inventory, we design the specific controls that generic frameworks miss: petty cash imprest limits and replenishment approval, physical stock verification cadence, and fixed asset tagging and periodic verification against the fixed asset register. | Week 5–6 |
| 9 | IT & System Access Controls Review | Who has access to the accounting software, who can create or modify vendor master data, who can post journal entries, and whether access is reviewed when an employee changes role or exits — these system-level controls are as important as the paper-based approval chain and are frequently overlooked entirely. | Week 5–6 |
| 10 | Control Testing & Walkthrough | Before finalising, we walk through a sample of actual transactions against the newly designed controls to confirm they work in practice, not just on paper. This also surfaces friction points — a control that is too slow for the business's actual pace gets bypassed within weeks, which defeats its purpose. | Week 6–7 |
| 11 | Documentation Handover & Team Training | The authorisation matrix, SOPs, reconciliation calendar, and control checklists are formally handed over and walked through with your finance team and relevant department heads — not just emailed as a PDF. We conduct a structured training session so the people executing the controls understand not just the 'what' but the 'why'. | Week 7 |
| 12 | Monthly Budget-vs-Actual Variance Review — First quarter | For the first quarter after rollout, PNPC reviews the budget-vs-actual variance with management directly — identifying whether variances are timing differences, genuine overspend, or assumptions that need revising for the remaining year. This is where a static budget becomes a living management tool. | Month 1–3 post-rollout |
| 13 | Annual Review & Refresh Cycle | Budgets and control frameworks are not one-time documents. Each year, PNPC revisits the budget against the prior year's actuals and revises assumptions, and reviews whether the control framework still matches the business — new departments, new locations, new payment channels, or new headcount often require targeted updates rather than a full redesign. | Annually, ongoing engagement |
Realistic end-to-end timeline for the initial build: 6–8 weeks from discovery to full documentation handover and team training, depending on business complexity and the availability of department heads for input sessions. Businesses with multiple locations or existing legacy processes that must be transitioned carefully may take longer. This is typically followed by an ongoing quarterly or annual review engagement — financial planning and controls are a discipline, not a one-time deliverable.
Last 2–3 years of financial statements (P&L, balance sheet, cash flow statement) — used as the baseline for budget assumptions and trend analysis
Current chart of accounts and, if available, cost centre / department mapping from your accounting software
Trial balance and general ledger extracts for the most recent completed financial year
Bank statements for all active accounts for the last 6–12 months
Existing budget or forecast documents, if any were prepared previously, along with actual results against them
Organisation chart showing department heads and reporting lines relevant to financial approvals
Current list of employees or roles with any form of financial authority — payment approval, vendor onboarding, payroll processing, bank access
Existing written policies, if any — expense reimbursement policy, procurement policy, travel policy
List of bank accounts, signatories, and current signing authority limits for each account
Details of any existing ERP, accounting software, or expense management system in use, including user roles and access levels
Vendor master list with payment terms, and description of how new vendors are currently onboarded and approved
Sample of recent large-value payment approvals — showing who requested, who approved, and how it was documented
Description of the current purchase order (PO) process, if one exists, and whether payments are matched against POs and goods receipt before release
Petty cash policy and current custodian details, if petty cash is maintained
Details of any recurring or standing payment instructions (rent, subscriptions, EMIs) and who monitors them
Current payroll process description — who initiates changes (new hire, salary revision, exit), who approves, and who processes the payroll run
Employee headcount and departmental cost breakup for the current year, used in the budget's people-cost projection
Reimbursement claim process and approval hierarchy currently in use
Details of any variable pay, incentive, or commission structures that need to be reflected in the annual budget
Sales pipeline, order book, or revenue forecast inputs from the sales/business team for the budget period
Planned hiring for the year, by department and approximate timing
Any known one-time or capital expenditure planned for the year — equipment, office fit-out, software licences, new location setup
Known contractual commitments — lease renewals, long-term vendor contracts, financing/loan repayment schedules
Board-approved strategic priorities or targets for the year, if formally documented, to align the budget with stated business goals
Company's incorporation documents and latest MCA filings, to confirm applicable statutory audit and IFC reporting obligations
Prior year's statutory audit report and management letter, if any observations on internal controls were previously raised by auditors
Details of any prior fraud, error, or control-failure incident, and how it was resolved — used to prioritise control design around actual risk history
List of related-party transactions or inter-company arrangements, if applicable, requiring specific control and disclosure treatment
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Initial Build (Week 1–8) | Growth stage, audit requirement, or post-incident decision to formalise | Discovery, chart of accounts review, budget construction, authorisation matrix, segregation of duties mapping, SOP documentation, and control testing as described in the registration journey above. | Delaying the initial build means continued exposure to undetected error or fraud, and an audit season where the auditor has no documented IFC framework to assess — creating friction and possible qualification in the audit report. |
| First Quarter Post-Rollout | Controls and budget go live | PNPC reviews the first quarter's budget-vs-actual variance with management and observes whether the new approval and reconciliation processes are actually being followed in practice, not just on paper. | A control framework that is documented but not enforced in the first quarter tends to erode quickly — staff revert to old habits once the novelty of the new process fades, unless management visibly holds the line. |
| Annual Budget Refresh | New financial year approaching | PNPC revisits the prior year's actuals against budget, discusses what assumptions held and what did not with department heads, and builds the next year's budget incorporating those lessons — including any new departments, products, or locations. | A budget carried forward unchanged, or rebuilt as 'last year plus X%' without genuine review, loses credibility with management and stops being used as a real planning tool. |
| Statutory Audit Season | Financial year-end, ahead of audit | PNPC ensures the authorisation matrix, SOPs, and reconciliation records are current and available for the statutory auditor's review of internal financial controls under Section 143(3)(i), and briefs management on likely auditor queries. | An auditor who finds no evidence of a functioning IFC framework may raise it as an observation in the management letter or, in more serious cases, qualify the audit opinion — both of which are visible to investors, banks, and regulators. |
| Headcount or Location Growth | New department, new office, new business line | PNPC extends the authorisation matrix and SOPs to the new unit, ensuring segregation of duties is maintained rather than informally relaxed 'just for now' during the expansion, which is when many control gaps are first created. | New locations or departments set up without applying the existing control framework consistently become the weakest link — often the first place a control failure is later discovered. |
| Pre-Funding / Due Diligence | Investor interest or term sheet | PNPC prepares the documented control framework, budget history, and variance reports as part of the financial due-diligence pack, and briefs management on how to present the company's financial discipline credibly to investors. | Investors routinely treat the absence of basic financial controls as a red flag independent of the numbers themselves — it signals execution risk regardless of how strong the business model looks. |
| Incident Response | Suspected error, discrepancy, or fraud | PNPC assists in tracing the discrepancy against the documented control framework to identify exactly where the control was bypassed or was absent, and recommends the specific remediation — which is far faster and more precise when a control framework already exists to investigate against. | Without a pre-existing control framework, incident investigation becomes far slower and more speculative, and the same gap that caused the first incident often remains open to recur. |
What exactly is the difference between 'financial planning' and 'internal controls' in this service?
Financial planning is the annual budgeting process — translating your business goals into a quantified, month-wise, department-wise plan you can track actual performance against. Internal controls are the system of approvals, segregation of duties, and reconciliation checkpoints that protect your business from error and misuse, and that make your financial statements reliable. PNPC delivers both together because a budget without controls has nothing enforcing it, and controls without a budget have no reference point to judge whether spending is actually on track.
Is internal financial controls (IFC) documentation a legal requirement for my company?
Under Section 134(5)(e) of the Companies Act 2013, the Board of Directors of every listed company must state that internal financial controls were laid down and were operating effectively — and the statutory auditor separately reports on the adequacy and operating effectiveness of IFC over financial reporting under Section 143(3)(i), read with the applicable Standards on Auditing. MCA has specifically exempted one-person companies, small companies, and private companies below prescribed turnover and borrowing thresholds from the auditor-reporting limb of this requirement, so most smaller private companies fall outside the strict statutory trigger — though this depends on your company's current classification, turnover, and borrowings, which can shift year to year. Even where the strict statutory trigger does not apply to your company, auditors increasingly expect to see some documented control framework as part of a clean audit, and investors expect it as part of due diligence.
We are a 15-person startup. Do we really need a formal controls framework yet?
There is no fixed headcount threshold in law, but in practice, once more than one or two people can independently initiate a payment or approve an expense, the risk of an uncaught error or a deliberate misuse rises sharply. Fifteen people with multiple department heads is often the point where informal, founder-checks-everything oversight starts breaking down. The framework does not need to be heavy — it needs to be proportionate to your actual risk, and it is far cheaper to build lightly now than to retrofit after an incident.
What is an authorisation matrix and why does PNPC say it is the most important document?
An authorisation matrix is a single reference document that maps every category of financial transaction — vendor payment, reimbursement, payroll change, capital purchase — to a named approver and a value threshold, with escalation to a second approver above that threshold. Without it in writing, 'who can approve this' gets decided differently each time, by whoever happens to be available, which is exactly the inconsistency that creates control gaps.
What is segregation of duties, in practical terms?
It means the person who requests or initiates a transaction should not be the same person who approves it, and ideally not the same person who executes or has custody of the funds or assets involved. In a small business, one person often ends up doing two or all three — creating a single point where an error or a deliberate act could go undetected. Where full segregation is not staffing-feasible, we design compensating controls, such as mandatory periodic review by a second person, to reduce the exposure.
How is a budget actually built — top-down from a growth target, or bottom-up from department inputs?
PNPC builds budgets bottom-up: sales pipeline and revenue assumptions from the business/sales team, hiring plans and payroll costs from department heads, and known committed costs from finance — assembled into a single financial plan and then reviewed against overall strategic targets. A top-down budget built by applying a growth percentage to last year's numbers is faster to produce but rarely survives contact with reality, because it is not owned by the people actually responsible for hitting the numbers.
How often should budget-vs-actual variance be reviewed?
Monthly is the standard cadence for most businesses — frequent enough to catch a variance while there is still time in the year to act on it, but not so frequent that the review becomes noise from short-term timing differences. Some fast-moving businesses benefit from a lighter weekly cash-flow check layered on top of the monthly full variance review. PNPC recommends the cadence based on your transaction volume and how quickly your business's numbers actually move.
What happens if our actual results diverge significantly from the budget mid-year — is the budget just wrong?
Not necessarily. A variance can be a timing difference (revenue that shifted a month later than planned), a genuine performance issue (costs running structurally above plan), or a change in underlying assumptions (a new competitor, a delayed product launch) that means the original budget needs a formal revision. PNPC's variance review distinguishes between these three categories explicitly, because the correct management response is different for each.
Does PNPC design controls only for large companies, or also for proprietorships and small LLPs?
We work with businesses of every size and structure — sole proprietorships, partnerships, LLPs, and private/public companies. The statutory IFC reporting requirement under the Companies Act applies specifically to companies, but the underlying discipline of budgeting and basic controls — separating who approves payments from who executes them, reconciling bank accounts regularly — benefits any business handling money through more than one person.
Can this service help us prepare for a statutory audit specifically?
Yes — this is one of the most common reasons companies engage PNPC for this service. We ensure the authorisation matrix, SOPs, and reconciliation evidence are current, documented, and available for the statutory auditor's review of internal financial controls under Section 143(3)(i), and we brief management ahead of time on the kind of queries the auditor is likely to raise, so there are no surprises during fieldwork.
What is a management letter, and how does it relate to internal controls?
A management letter is a communication from the statutory auditor to the company's management and those charged with governance, setting out control weaknesses or process observations identified during the audit that did not necessarily affect the audit opinion but are worth management's attention. Recurring or unaddressed items in successive years' management letters are a signal — to the Board, and potentially to investors reviewing audit history — that control gaps are known but not being fixed.
Our finance team already uses accounting software with built-in approval workflows. Do we still need this service?
Software approval workflows are useful enforcement mechanisms, but they only enforce whatever rules are configured into them — and those rules are frequently set up quickly at implementation without a proper authorisation matrix or segregation-of-duties review behind them. We regularly find software configured so that the same person who can create a vendor can also approve payments to that vendor, simply because nobody designed the access rules deliberately. The software is the enforcement layer; this service is the design layer behind it.
How does PNPC handle petty cash and physical cash controls specifically?
For businesses that handle petty cash or physical cash collections, we design an imprest-based petty cash system with a fixed float, mandatory voucher documentation for every disbursement, a defined replenishment approval process, and periodic surprise verification. For cash collection points (retail counters, field collections), we design daily reconciliation and deposit discipline so cash does not sit unaccounted for extended periods.
What is the typical cost of this engagement?
PNPC agrees a fixed fee for the initial build phase, scoped after the discovery session based on your business's size, number of departments, locations, and complexity of existing processes. Ongoing quarterly or annual review engagements are typically quoted separately as a retainer. We provide a written scope and fee letter before any work begins — there is no engagement without your sign-off on cost.
Will building a control framework slow down our operations?
A poorly designed control framework can absolutely slow a business down — if every payment above a trivially low threshold requires three signatures, staff will find ways to route around it. PNPC deliberately walk-tests the designed controls against real transaction samples before finalising, specifically to catch friction points where the control is disproportionate to the risk it is managing, and to right-size approval thresholds to your actual transaction patterns.
How does this service interact with PNPC's Budget & MIS Dashboard service?
Financial Planning & Internal Control Support builds the annual budget and the control framework around it. The Budget & MIS Dashboard service builds the ongoing monthly or quarterly reporting tool that tracks actual performance against that budget on a recurring basis. Many clients start with this service to establish the budget and controls, then move into a dashboard retainer for ongoing visibility — the two are designed to work together rather than duplicate each other.
What is SA 315 and how does it relate to our internal controls?
Standard on Auditing (SA) 315, 'Identifying and Assessing the Risks of Material Misstatement', requires the statutory auditor to obtain an understanding of the entity's internal control relevant to the audit, as part of assessing risk. A company with clearly documented controls gives the auditor a faster, more reliable basis for this risk assessment; a company with no documented controls forces the auditor to spend more time (and often charge more) reconstructing an understanding of the control environment from scratch, and may lead to a more conservative, more testing-intensive audit approach.
Can PNPC design controls specifically to detect and prevent employee fraud?
Yes — fraud prevention is one of the explicit design objectives of this service, alongside general error reduction and financial reliability. Segregation of duties, mandatory second approval above defined thresholds, vendor master data change controls, and regular independent reconciliation are the core mechanisms that make fraud materially harder to commit and easier to detect quickly if attempted. No control framework eliminates fraud risk entirely, but a well-designed one significantly raises the difficulty and shortens detection time.
Do you provide this service for businesses in the UAE as well as India?
Yes. PNPC's Dubai office extends the same financial planning and internal controls methodology to UAE-based businesses, adapted for the UAE's corporate governance expectations, UAE Corporate Tax compliance considerations, and WPS payroll environment. For clients with both an Indian and a UAE entity, we design a consistent control framework across both jurisdictions rather than two disconnected ones.
How does PNPC's approach differ from buying an off-the-shelf budgeting or ERP template?
A template gives you a spreadsheet structure or software module — it does not tell you what your actual revenue assumptions should be, who in your organisation should approve a ₹50,000 vendor payment versus a ₹5 lakh one, or where your specific business's segregation-of-duties gaps sit. PNPC starts from your actual processes, your actual risk points, and your actual people, and builds the budget and controls around that reality. The output may end up living in a spreadsheet or your existing software, but the thinking behind it is specific to your business, not generic.
What is a reconciliation, and why does PNPC treat it as a control, not just an accounting task?
A reconciliation compares two independent records of the same activity — your bank statement against your cash book, a vendor's statement against your accounts payable ledger — to confirm they agree, and to surface discrepancies immediately if they do not. Reconciliation is a control because it is one of the few checkpoints that can catch an error or an unauthorised transaction after the fact, even if the initial approval control was bypassed or failed. An unreconciled account is a blind spot — discrepancies can sit there undetected for months.
How do you handle controls for a business with multiple bank accounts or multiple branches?
We map the authorisation matrix and segregation-of-duties framework consistently across every account and location, rather than allowing each branch or account to develop its own informal practice. Signatory limits, reconciliation cadence, and reporting lines are standardised, with clear escalation to head office for anything above defined thresholds. Multi-location businesses are exactly where inconsistent, informally-applied controls create the biggest and hardest-to-trace gaps.
What if our business is too small to formally separate duties among different people?
In a genuinely small team, full segregation of duties may not be staffing-feasible — the same person may need to both process and record a transaction. In these cases, PNPC designs compensating controls: mandatory periodic independent review by the owner or a second person (even if that review happens weekly rather than transaction-by-transaction), system-level restrictions on what can be changed without a trail, and simplified but still-documented approval thresholds. The goal is the best achievable control given real constraints, not an unachievable ideal.
Does this service cover capital expenditure (capex) approval separately from operating expenses?
Yes. Capital expenditure — equipment purchases, office fit-outs, software licences with multi-year value, vehicles — typically warrants a distinct, usually more stringent approval threshold and process compared to routine operating expenses, given the larger sums and longer-term commitment involved. The authorisation matrix specifies capex thresholds separately, often requiring Board or director-level sign-off above a defined value, consistent with your Articles of Association and Board-approved delegation of authority.
How does PNPC handle vendor master data controls specifically?
Vendor master data — bank account details, GSTIN, contact information for each vendor in your accounting system — is a common fraud vector: a fraudulent change to a vendor's bank account details can redirect a legitimate payment to an unauthorised account. We design a control requiring any change to vendor bank details to be independently verified (typically via a callback to a known contact, not the number on the change request) and approved by someone other than the person who processes payments to that vendor.
Can the internal controls framework you design help with GST or TDS compliance too?
Indirectly, yes. A well-designed procure-to-pay control ensures invoices are checked for correct GSTIN and tax treatment before payment, and that TDS is deducted at source on applicable payments (rent, professional fees, contractor payments) as part of the standard payment approval workflow rather than being caught later at reconciliation. Building the tax-compliance check into the approval step, rather than treating it as a separate downstream task, meaningfully reduces the risk of missed TDS deductions and input tax credit mismatches.
How long does the control framework remain valid before it needs to be revisited?
There is no fixed statutory validity period, but PNPC recommends a formal annual review at minimum, alongside the annual budget refresh cycle, and an ad hoc review whenever there is a material change — new department, new location, significant headcount growth, a new accounting system, or a control-related incident. A framework that is never revisited tends to fall out of step with how the business actually operates within 12–18 months.
What is the role of the Board or promoters in this process, versus the finance team?
The Board (or promoters, in a smaller company) sets the overall risk appetite and approves the final authorisation matrix and budget, since ultimate accountability for internal financial controls under Section 134(5)(e) rests with the directors. The finance team executes the day-to-day process — processing transactions, running reconciliations, flagging variances. PNPC facilitates both sides: building the technical framework with the finance team's input, and presenting it to the Board or promoters for formal approval and sign-off.
Do you provide ongoing support after the initial framework is built, or is this a one-time engagement?
The initial build is scoped as a defined project with a clear deliverable and timeline. Most clients then move into an ongoing engagement — typically quarterly variance reviews and an annual full refresh — because a budget and control framework that is never revisited loses relevance within a year or two. PNPC offers both the initial build and the ongoing retainer, and we are transparent about which one you are agreeing to at each stage.
What happens during a control 'walkthrough' — what should we expect?
A walkthrough is where PNPC traces a small number of actual, real transactions — a vendor payment, an expense reimbursement, a payroll change — end-to-end through the newly designed control process, confirming at each step that the approval, documentation, and system entries happened as the framework specifies. It is a practical test, not a theoretical review, and it is where we typically catch the gap between what the framework says on paper and what actually happens when people execute it.
Is this service relevant for a Section 8 company, trust, or NGO handling grant funds?
Yes, and arguably more so — non-profits and Section 8 companies handling donor or grant funds are frequently subject to specific funder-mandated financial control requirements (utilisation certificates, fund-wise segregation, restricted versus unrestricted fund tracking), in addition to their own governance obligations. PNPC designs controls that address both general financial discipline and the specific fund-accountability requirements donors and grant-making bodies typically expect.
How does budgeting for a services business differ from budgeting for a business that holds inventory?
A services business budget is dominated by people costs — salaries, contractor fees, and utilisation-linked revenue — and cash flow timing is largely driven by invoicing and collection cycles. A business holding inventory has the additional complexity of purchase timing, inventory carrying cost, stock valuation method, and the working capital tied up between purchase and sale. PNPC tailors the budget structure and the associated controls (particularly around procurement and stock verification) to which model applies to your business.
What is a 'compensating control' and when does PNPC recommend one?
A compensating control is an alternative safeguard used when the ideal control — typically full segregation of duties — cannot be implemented due to genuine constraints such as small team size. For example, if one person must both process and record vendor payments because there is no one else to separate the role to, a compensating control might be a mandatory weekly independent review of all payments processed by that person, performed by the owner or a second reviewer.
Why should we engage PNPC rather than build this framework ourselves using free templates online?
Free templates give you a generic structure — they do not know your actual approval chain, your actual risk points, your actual chart of accounts, or your actual statutory obligations under the Companies Act and Standards on Auditing. PNPC has designed and implemented these frameworks across businesses of many sizes and sectors since 1986, and we bring the pattern recognition of having seen exactly where control gaps typically hide — vendor master data, petty cash, segregation of payment initiation and approval — that a generic template will not flag for your specific business.
PNPC Financial Planning & Controls engagement vs a generic template or software-only approach
| Aspect | PNPC CA-Led Engagement | Downloaded Template / Software-Only |
|---|---|---|
| Basis of design | Built from your actual processes, risk points, and people | Generic structure, not specific to your business |
| Authorisation matrix | Custom-mapped to your approvers, values, and escalation needs | Often absent or a placeholder table left unfilled |
| Segregation of duties analysis | Explicit review of who holds which roles, with compensating controls where needed | Not assessed — assumed to already exist |
| Statutory alignment | Mapped to Section 134(5)(e), Section 143(3)(i), and applicable Standards on Auditing | No linkage to statutory IFC reporting requirements |
| Testing before rollout | Real transaction walkthroughs to catch friction points | Untested — friction discovered only after staff bypass it |
| Ongoing review | Quarterly variance review and annual refresh built into the engagement | One-time document, rarely revisited |
| Team training | Structured handover session with finance team and department heads | PDF emailed with no walkthrough |
| Continuity | Same CA firm available for audit season, funding rounds, and incidents | No ongoing point of contact once the template is downloaded |
What the PNPC package includes
- 01
Discovery session mapping your actual payment, payroll, and reconciliation processes
- 02
Bottom-up annual budget built from department-owner inputs, not a generic growth percentage
- 03
Custom authorisation matrix — approvers and value thresholds mapped to your actual roles
- 04
Segregation-of-duties review with compensating controls designed where full separation is not feasible
- 05
Documented SOPs for procure-to-pay, payroll, expense reimbursement, petty cash, and month-end close
- 06
Reconciliation framework — bank, vendor, and inter-company, with defined ownership and cadence
- 07
Vendor master data and IT/system access control review
- 08
Real-transaction walkthrough testing before final rollout
- 09
Structured training handover with your finance team and department heads
- 10
First-quarter budget-vs-actual variance review included
- 11
Statutory alignment briefing ahead of your audit season under Section 143(3)(i)
- 12
Direct contact with your engagement CA — not a support ticket queue
Speak directly with a PNPC Chartered Accountant about your business's actual risk points — not a generic checklist. A practising CA who will still be reviewing your budget-vs-actual variance, briefing your auditor, and refining your control framework a year from now, not just handing over a document and moving on.