Financial Controls for Startups: Setting Them Up Before They Bite (2026)

Financial Controls for Startups Setup Guide & Checklist
Finance Leadership · CFO Series
AS
Ankit Sarawagi|Founder, CFOmatrix·June 2026·12 min read
Most founders set up financial controls only after something goes wrong: a duplicate payment, a vendor that turns out not to exist, a TDS notice, or an investor in diligence asking who approves payments. By then the fix is expensive and embarrassing. This guide is the practical, India-context version of the controls section in our CFO and finance-function pillar guide. It covers why internal controls matter before they bite, the core controls every startup needs (maker-checker, the approval matrix, segregation of duties, vendor master, bank and payment controls, expense policy and reconciliations), the GST and TDS angles, and what good looks like at each stage from seed to Series B.
✍ Key Takeaways
  • Controls are cheap to set up and expensive to skip. Fraud, leakage and errors almost always trace back to a missing approval or a single person controlling a payment end to end.
  • Maker-checker is the one control that matters most for a small team: one person creates a payment, a different person approves it.
  • A simple delegation of authority (DOA) matrix (who can approve what, up to which rupee limit) removes ambiguity and keeps large spend in front of senior eyes.
  • A clean vendor master, monthly reconciliations and an expense policy are where most real money leaks, not in dramatic fraud.
  • In India, controls and GST and TDS compliance are joined at the hip: weak controls show up later as input-credit mismatches, TDS short-deductions, interest and penalties.
1 control Maker-checker on payments stops most small-company fraud on its own 2 people The minimum to split recording from approving a payment Series A When investors and auditors start expecting documented controls
One Example Throughout

We will follow one company: Brewly, a D2C coffee brand growing from ₹3 crore to ₹60 crore in revenue, seed to Series B, and from 8 to 80 people. We will use Brewly to show how the right financial controls change as headcount, payment volume and complexity grow.

Why Financial Controls Matter Before They Bite

At seed stage, finance runs on trust. The founder knows every vendor, every salary and roughly where the cash is going. Speed feels more valuable than process. That is exactly the environment in which money quietly leaks, and the loss usually has nothing to do with dramatic fraud.

Three things go wrong when there are no financial controls, and they go wrong in this order of frequency:

  • Errors. A payment made twice, a wrong bank account, an invoice paid before the goods arrived, a number keyed in wrong. Honest mistakes that controls would have caught.
  • Leakage. Vendors who keep billing after a contract ended, subscriptions nobody cancelled, expenses with no policy, prices that crept up unnoticed. Small amounts that add up every month.
  • Fraud. A fake vendor, an inflated invoice with a kickback, a payment routed to the wrong account. Rarer, but devastating, and almost always possible because one person controlled a payment from start to finish.

There is also a credibility cost. When Brewly started raising its Series A, the lead investor’s diligence team asked a simple question: “Who approves a payment, and who can release it from the bank?” If the honest answer is “the same person,” that is a red flag that surfaces at the worst possible moment. Auditors ask the same question for the internal financial controls reporting that Indian companies of a certain size must comply with. Controls are not bureaucracy; they are what lets someone else trust your numbers and your cash.

📋 Note

Controls are not about distrusting your team. They protect honest people too. A clean maker-checker trail means that if a payment is ever questioned, your finance person can point to the approval and be cleared. Good controls are as much for the team’s protection as the company’s.

Maker-Checker and Segregation of Duties

If you adopt only one control, make it maker-checker. One person creates or initiates a transaction (the maker), and a different person reviews and approves it before it goes through (the checker). At Brewly’s seed stage, that means the outsourced accountant enters a vendor payment, and the founder approves and releases it in the bank portal. No single person can both create a payment and send the money.

Maker-checker is the practical, small-team version of a bigger idea: segregation of duties. The principle is that no one person should control a transaction from start to finish. The four activities that should not all sit with the same person are:

  • Recording the transaction in the books.
  • Authorising or approving it.
  • Custody of the asset (access to release the actual payment).
  • Reconciling it afterwards against the bank.

In a team of eight you cannot split all four. So you compensate: the accountant records and reconciles, the founder authorises and holds custody (the bank approval), and at month-end a second person, even the fractional CFO, spot-checks the reconciliation. As Brewly grows to a controller plus a finance executive at Series A, these duties separate cleanly across people.

📈 CFO Lens

The fastest free control: turn on two-person approval in your bank’s corporate portal. Most Indian business banking portals let you set a maker and an authoriser, and a value threshold above which two authorisers are needed. It costs nothing and removes the single biggest fraud risk in a small company on day one.

The Delegation of Authority (DOA) Matrix

Maker-checker answers “who releases the money.” A delegation of authority matrix, often shortened to DOA or approval matrix, answers “who is allowed to approve it, and up to how much.” It is a single table that maps spend type and rupee value to an approver. It removes the daily friction of “can I buy this?” and ensures large payments always reach senior eyes.

Here is a workable DOA matrix for Brewly at Series A (around ₹15 crore revenue, roughly 30 people). Keep yours this simple.

Spend / decisionUp to valueApprover
Routine operating spend₹50,000Team manager
Vendor payments, purchases₹5,00,000Finance lead / controller
Large vendor or capex₹25,00,000Founder / CEO
New vendor onboardingAnyFinance lead (second person verifies)
Above limits / new bank accountAbove ₹25,00,000Board / two founders jointly

The exact numbers matter less than the discipline: write it down, share it, and make the bank portal and approval tool enforce it. A DOA matrix that lives only in someone’s head is not a control.

💡 Memory Hook

Maker-checker = who releases it. DOA = who is allowed to approve it. You need both. The DOA decides whether the spend is permitted; maker-checker ensures two pairs of hands touch the money.

Vendor Master, Bank and Payment Controls

Most real losses happen at the point where money leaves the company, so this is where controls earn their keep.

The vendor master

The vendor master is your controlled list of approved suppliers, with bank details, GSTIN, PAN and a contact. The control is simple: you can only pay a vendor that exists in the master, and a vendor can only be added or its bank details changed by a controlled, two-person process. Fake-vendor fraud and the classic “vendor emailed us new bank details” scam both die here. When Brewly changes a vendor’s bank account, the finance executive enters it and the controller verifies it against the vendor on a known phone number before the next payment runs.

Bank and payment controls

  • Two-person bank authorisation for payments above a threshold, set in the bank portal itself.
  • Limited bank access: only named people, removed the day someone leaves.
  • Pay only against a three-way match: purchase order, goods or service received, and invoice agree before payment.
  • Batch payments on fixed days rather than ad-hoc transfers, so every payment passes through the same approval run.
  • No payments to personal accounts of employees except payroll and approved reimbursements.
⚠️ Watch Out For

The most common startup payment fraud in India is the changed-bank-details email: a message that looks like it is from a real vendor or even your founder, asking to update bank details or make an urgent transfer. The control that stops it is non-negotiable: verify any change of bank details on a separately sourced phone number, never by replying to the email.

Expense Policy and Reconciliations

Two quieter controls catch the leakage that maker-checker does not: a written expense policy and disciplined reconciliations.

The expense policy

An expense policy is one page that says what can be claimed, up to what limit, with what proof, and who approves it. It covers travel, meals, software subscriptions, and reimbursements. Without it, every claim is a negotiation and the answers drift. With it, the rule is clear and the finance team can reject a non-compliant claim without it being personal. For Brewly, the policy also lists who can buy SaaS subscriptions, because shadow subscriptions are a classic source of silent leakage as the team grows past 30 people.

Reconciliations

Reconciliation is the check that your books match reality. The three that matter most for a startup are:

  • Bank reconciliation, monthly at least, weekly once volume grows: does every rupee in the bank match a recorded transaction?
  • Vendor and customer ledger reconciliation: do balances agree with what suppliers and customers think you owe or they owe?
  • GST and TDS reconciliation: does what you recorded match what was filed and deposited? (More on this next.)

Reconciliations are where errors and leakage surface. A payment made twice, a subscription still billing, a vendor double-counted: all of it shows up in a reconciliation that someone other than the person who recorded the entries actually reviews.

📈 CFO Lens

Reconciliations only work as a control if a different person reviews them. An accountant reconciling their own work will, honestly and unconsciously, tend to confirm it. Build the monthly close so the controller or fractional CFO signs off on the bank reconciliation, not just the person who prepared it.

GST, TDS and Statutory Controls in India

In India, financial controls and statutory compliance are joined at the hip. A control failure does not just lose money internally; it shows up months later as a tax mismatch, interest and a penalty. Build these into the same control system.

  • GSTIN verification in the vendor master. A clean, verified GSTIN on every vendor protects your input tax credit. If a vendor’s GSTIN is wrong or they have not filed, your input credit can be denied. The control is to validate the GSTIN at onboarding, inside the same two-person vendor process.
  • Input tax credit reconciliation. Reconcile your purchase records against the GST portal (the auto-populated inward supplies) every month, so mismatches are chased while the vendor still cares, not at year-end.
  • TDS at the point of approval. Build TDS logic into payment approval: the right section, the right rate, deducted before payment. A late or short deduction means interest and disallowance of the expense. Maker-checker on vendor payments is also your TDS control.
  • A statutory close calendar. GST returns, TDS deposits and TDS returns, PF and ESI, advance tax: each has a due date. A shared calendar with an owner and a reviewer turns compliance from a scramble into a routine.

For Brewly, as the company crosses revenue thresholds and adds an in-house controller at Series A, this calendar and the input-credit reconciliation become a standing part of the monthly close, not a quarter-end fire drill.

📋 Note

Indian companies above certain size thresholds must report on the adequacy and operating effectiveness of their internal financial controls under the Companies Act, and auditors test them. Even if you are below the threshold today, building these controls early means the audit at Series B is a confirmation, not a clean-up project.

Controls by Stage, and a Checklist

You do not need every control on day one. Match the controls to the stage, exactly as Brewly does as it scales.

 Seed (~₹3 cr, 8 people)Series A (~₹15 cr, ~30)Series B (~₹60 cr, ~80)
PaymentsFounder approves in bank portal; maker-checkerDOA matrix; two-person bank authTiered approvals; payment tool with audit trail
VendorsSimple approved-vendor listVendor master, GSTIN verified, two-person changesThree-way match enforced in system
ReconciliationMonthly bank reconMonthly bank, ledger and GST/TDS reconWeekly recon; reviewed by controller/CFO
PolicyOne-page expense ruleExpense policy + DOA, documentedFull controls manual; audit-ready
OwnerFounder + outsourced accountantController + fractional CFOFull-time CFO + finance team

The startup financial controls checklist

If you are starting from scratch, work down this list in order. The first five cost almost nothing.

  • Turn on two-person approval in your bank portal.
  • Write a one-line maker-checker rule: no one creates and releases the same payment.
  • Build a one-page DOA / approval matrix and share it.
  • Create a vendor master; pay only listed vendors; verify any bank-detail change by phone.
  • Write a one-page expense policy.
  • Run a monthly bank reconciliation, reviewed by a second person.
  • Verify GSTINs and build a GST and TDS close calendar.
  • Remove bank and tool access the day anyone leaves.

“Controls are not about distrust. They are how an honest team proves the money was handled right, and how a founder sleeps the night before a payment run of fifty lakh.”

Ankit Sarawagi, CFOmatrix

Not sure your controls would survive diligence?

CFOmatrix sets up practical, stage-appropriate financial controls for Indian startups as part of our fractional and virtual CFO support, from maker-checker and the DOA matrix to vendor, GST and TDS controls. Tell us your stage and we will show you what good looks like.

Talk to CFOmatrix

Frequently Asked Questions

What are financial controls for startups?

Financial controls are the rules, approvals and checks that protect a startup’s money and ensure its numbers are accurate. They include maker-checker on payments, a delegation of authority matrix that sets who can approve what, segregation of duties so no single person controls a transaction end to end, a clean vendor master, bank and payment controls, an expense policy, and regular reconciliations. Good controls prevent fraud, leakage and errors before they hurt the business.

Why do financial controls matter for early-stage startups?

Early-stage startups run on trust and speed, which is exactly when leakage, duplicate payments, fake vendors and honest errors slip through unnoticed. Investors and auditors also expect basic internal controls before a Series A. Setting up simple controls early costs almost nothing, while fixing a fraud or a botched GST and TDS position after the fact is expensive and damages credibility during a raise.

What is maker-checker in financial controls?

Maker-checker means one person creates or initiates a transaction (the maker) and a different person reviews and approves it (the checker) before it goes through. For example, an accountant enters a vendor payment and the founder or finance lead approves it in the bank portal. It is the single most powerful control a small startup can adopt because it stops one person from both creating and releasing a payment.

What is a delegation of authority (DOA) matrix?

A delegation of authority matrix is a simple table that sets who can approve what, up to which rupee limit. For example, a manager can approve up to ₹50,000, the finance lead up to ₹5 lakh, and anything above needs the founder or board. It removes ambiguity, speeds up genuine spend, and ensures large payments always get senior eyes.

What financial controls do investors and auditors expect before Series A?

Before a Series A, investors and auditors typically expect maker-checker on payments, a documented approval or DOA matrix, segregation of duties between recording and payment, a controlled vendor master, monthly bank reconciliations, an expense policy, and clean GST and TDS compliance. These show that the company’s reported numbers can be trusted and that cash is protected, which directly affects diligence and valuation.

How do financial controls relate to GST and TDS compliance in India?

Controls and statutory compliance are linked. A clean vendor master with verified GSTINs ensures you claim correct input tax credit, maker-checker on vendor onboarding prevents fake invoices, and a monthly close calendar ensures GST returns and TDS deposits and filings happen on time. Weak controls usually show up later as input-credit mismatches, TDS short-deductions, interest and penalties under the GST and Income Tax provisions.

What is segregation of duties in a small startup?

Segregation of duties means splitting a transaction so no single person controls it from start to finish: the person who records a transaction should not also approve and release the payment, and the person who onboards a vendor should not be the only one approving its invoices. In a tiny team you cannot split everything, so you compensate with the founder as the second pair of eyes on payments and bank access until you can hire.

Rupee limits and examples are illustrative and should be set to your own stage, scope and risk. This is general information, not financial, tax or legal advice. Indian compliance under the Companies Act, GST and the Income Tax Act changes; speak to a qualified adviser about your specific situation.

Explore the CFO & Finance Function Series
AS
Founder, CFOmatrix  |  Finance Strategy & Equity Compliance

CFOmatrix is a knowledge platform focused on how finance actually works inside growing companies. Every insight is shaped by real operating experience across startups and growth-stage companies, including cross-border setups.

What do you think?

Leave a Reply

Your email address will not be published. Required fields are marked *

Insights

More Related Articles

Dematerialisation of Shares in India: Process, Cost and Rule 9B Guide

Dematerialisation of Shares of a Private Company (Rule 9B)

How to Dematerialise Shares: Step-by-Step Process and DRF