How to set up internal controls to prevent financial fraud as you scale

Financial fraud in growing Indian companies is more common than founders realise, and it almost never happens in companies with basic internal controls. It happens in companies where one person controls too many steps in a process.

The core principle: segregation of duties. The person who approves a payment should not be the same person who initiates it. The person who receives vendor invoices should not be the same person who authorises payment. The person who reconciles bank accounts should not be the same person who processes transactions.

Minimum controls for a 20–100 person company: dual approval for payments above a threshold (set based on your transaction sizes), monthly bank reconciliation by someone other than the person who processes payments, surprise petty cash audits, vendor master list maintained and audited by someone outside accounts payable, and purchase orders matched to invoices before payment.

Systems help but don't replace controls. A good accounting system (Tally, Zoho Books, or similar) with proper user access controls is essential. No single person should have admin access to everything.

Conduct a basic internal audit annually — even if you don't have an internal audit team, a CA firm can do a targeted review of your accounts payable, payroll, and procurement for ₹30,000–80,000. It's cheap insurance.

Watch for the warning signs: vendors who insist on cash payments, employees who resist audits or account for 'lost' petty cash with vague explanations, and processes that 'only one person knows how to do.'