AS | Ankit Sarawagi|Founder, CFOmatrix·June 2026·12 min read | Updated Jun 2026 |
- Controls are cheap to set up and expensive to skip. Fraud, leakage and errors almost always trace back to a missing approval or a single person controlling a payment end to end.
- Maker-checker is the one control that matters most for a small team: one person creates a payment, a different person approves it.
- A simple delegation of authority (DOA) matrix (who can approve what, up to which rupee limit) removes ambiguity and keeps large spend in front of senior eyes.
- A clean vendor master, monthly reconciliations and an expense policy are where most real money leaks, not in dramatic fraud.
- In India, controls and GST and TDS compliance are joined at the hip: weak controls show up later as input-credit mismatches, TDS short-deductions, interest and penalties.
| 1 control Maker-checker on payments stops most small-company fraud on its own | 2 people The minimum to split recording from approving a payment | Series A When investors and auditors start expecting documented controls |
We will follow one company: Brewly, a D2C coffee brand growing from ₹3 crore to ₹60 crore in revenue, seed to Series B, and from 8 to 80 people. We will use Brewly to show how the right financial controls change as headcount, payment volume and complexity grow.
01Why Financial Controls Matter Before They Bite
At seed stage, finance runs on trust. The founder knows every vendor, every salary and roughly where the cash is going. Speed feels more valuable than process. That is exactly the environment in which money quietly leaks, and the loss usually has nothing to do with dramatic fraud.
Three things go wrong when there are no financial controls, and they go wrong in this order of frequency:
- Errors. A payment made twice, a wrong bank account, an invoice paid before the goods arrived, a number keyed in wrong. Honest mistakes that controls would have caught.
- Leakage. Vendors who keep billing after a contract ended, subscriptions nobody cancelled, expenses with no policy, prices that crept up unnoticed. Small amounts that add up every month.
- Fraud. A fake vendor, an inflated invoice with a kickback, a payment routed to the wrong account. Rarer, but devastating, and almost always possible because one person controlled a payment from start to finish.
There is also a credibility cost. When Brewly started raising its Series A, the lead investor’s diligence team asked a simple question: “Who approves a payment, and who can release it from the bank?” If the honest answer is “the same person,” that is a red flag that surfaces at the worst possible moment. Auditors ask the same question for the internal financial controls reporting that Indian companies of a certain size must comply with. Controls are not bureaucracy; they are what lets someone else trust your numbers and your cash.
Controls are not about distrusting your team. They protect honest people too. A clean maker-checker trail means that if a payment is ever questioned, your finance person can point to the approval and be cleared. Good controls are as much for the team’s protection as the company’s.
02Maker-Checker and Segregation of Duties
If you adopt only one control, make it maker-checker. One person creates or initiates a transaction (the maker), and a different person reviews and approves it before it goes through (the checker). At Brewly’s seed stage, that means the outsourced accountant enters a vendor payment, and the founder approves and releases it in the bank portal. No single person can both create a payment and send the money.
Maker-checker is the practical, small-team version of a bigger idea: segregation of duties. The principle is that no one person should control a transaction from start to finish. The four activities that should not all sit with the same person are:
- Recording the transaction in the books.
- Authorising or approving it.
- Custody of the asset (access to release the actual payment).
- Reconciling it afterwards against the bank.
In a team of eight you cannot split all four. So you compensate: the accountant records and reconciles, the founder authorises and holds custody (the bank approval), and at month-end a second person, even the fractional CFO, spot-checks the reconciliation. As Brewly grows to a controller plus a finance executive at Series A, these duties separate cleanly across people.
The fastest free control: turn on two-person approval in your bank’s corporate portal. Most Indian business banking portals let you set a maker and an authoriser, and a value threshold above which two authorisers are needed. It costs nothing and removes the single biggest fraud risk in a small company on day one.
03The Delegation of Authority (DOA) Matrix
Maker-checker answers “who releases the money.” A delegation of authority matrix, often shortened to DOA or approval matrix, answers “who is allowed to approve it, and up to how much.” It is a single table that maps spend type and rupee value to an approver. It removes the daily friction of “can I buy this?” and ensures large payments always reach senior eyes.
Here is a workable DOA matrix for Brewly at Series A (around ₹15 crore revenue, roughly 30 people). Keep yours this simple.
| Spend / decision | Up to value | Approver |
|---|---|---|
| Routine operating spend | ₹50,000 | Team manager |
| Vendor payments, purchases | ₹5,00,000 | Finance lead / controller |
| Large vendor or capex | ₹25,00,000 | Founder / CEO |
| New vendor onboarding | Any | Finance lead (second person verifies) |
| Above limits / new bank account | Above ₹25,00,000 | Board / two founders jointly |
The exact numbers matter less than the discipline: write it down, share it, and make the bank portal and approval tool enforce it. A DOA matrix that lives only in someone’s head is not a control.
Maker-checker = who releases it. DOA = who is allowed to approve it. You need both. The DOA decides whether the spend is permitted; maker-checker ensures two pairs of hands touch the money.
04Vendor Master, Bank and Payment Controls
Most real losses happen at the point where money leaves the company, so this is where controls earn their keep.
The vendor master
The vendor master is your controlled list of approved suppliers, with bank details, GSTIN, PAN and a contact. The control is simple: you can only pay a vendor that exists in the master, and a vendor can only be added or its bank details changed by a controlled, two-person process. Fake-vendor fraud and the classic “vendor emailed us new bank details” scam both die here. When Brewly changes a vendor’s bank account, the finance executive enters it and the controller verifies it against the vendor on a known phone number before the next payment runs.
Bank and payment controls
- Two-person bank authorisation for payments above a threshold, set in the bank portal itself.
- Limited bank access: only named people, removed the day someone leaves.
- Pay only against a three-way match: purchase order, goods or service received, and invoice agree before payment.
- Batch payments on fixed days rather than ad-hoc transfers, so every payment passes through the same approval run.
- No payments to personal accounts of employees except payroll and approved reimbursements.
The most common startup payment fraud in India is the changed-bank-details email: a message that looks like it is from a real vendor or even your founder, asking to update bank details or make an urgent transfer. The control that stops it is non-negotiable: verify any change of bank details on a separately sourced phone number, never by replying to the email.
05Expense Policy and Reconciliations
Two quieter controls catch the leakage that maker-checker does not: a written expense policy and disciplined reconciliations.
The expense policy
An expense policy is one page that says what can be claimed, up to what limit, with what proof, and who approves it. It covers travel, meals, software subscriptions, and reimbursements. Without it, every claim is a negotiation and the answers drift. With it, the rule is clear and the finance team can reject a non-compliant claim without it being personal. For Brewly, the policy also lists who can buy SaaS subscriptions, because shadow subscriptions are a classic source of silent leakage as the team grows past 30 people.
Reconciliations
Reconciliation is the check that your books match reality. The three that matter most for a startup are:
- Bank reconciliation, monthly at least, weekly once volume grows: does every rupee in the bank match a recorded transaction?
- Vendor and customer ledger reconciliation: do balances agree with what suppliers and customers think you owe or they owe?
- GST and TDS reconciliation: does what you recorded match what was filed and deposited? (More on this next.)
Reconciliations are where errors and leakage surface. A payment made twice, a subscription still billing, a vendor double-counted: all of it shows up in a reconciliation that someone other than the person who recorded the entries actually reviews.
Reconciliations only work as a control if a different person reviews them. An accountant reconciling their own work will, honestly and unconsciously, tend to confirm it. Build the monthly close so the controller or fractional CFO signs off on the bank reconciliation, not just the person who prepared it.
06GST, TDS and Statutory Controls in India
In India, financial controls and statutory compliance are joined at the hip. A control failure does not just lose money internally; it shows up months later as a tax mismatch, interest and a penalty. Build these into the same control system.
- GSTIN verification in the vendor master. A clean, verified GSTIN on every vendor protects your input tax credit. If a vendor’s GSTIN is wrong or they have not filed, your input credit can be denied. The control is to validate the GSTIN at onboarding, inside the same two-person vendor process.
- Input tax credit reconciliation. Reconcile your purchase records against the GST portal (the auto-populated inward supplies) every month, so mismatches are chased while the vendor still cares, not at year-end.
- TDS at the point of approval. Build TDS logic into payment approval: the right section, the right rate, deducted before payment. A late or short deduction means interest and disallowance of the expense. Maker-checker on vendor payments is also your TDS control.
- A statutory close calendar. GST returns, TDS deposits and TDS returns, PF and ESI, advance tax: each has a due date. A shared calendar with an owner and a reviewer turns compliance from a scramble into a routine.
For Brewly, as the company crosses revenue thresholds and adds an in-house controller at Series A, this calendar and the input-credit reconciliation become a standing part of the monthly close, not a quarter-end fire drill.
Indian companies above certain size thresholds must report on the adequacy and operating effectiveness of their internal financial controls under the Companies Act, and auditors test them. Even if you are below the threshold today, building these controls early means the audit at Series B is a confirmation, not a clean-up project.
07Controls by Stage, and a Checklist
You do not need every control on day one. Match the controls to the stage, exactly as Brewly does as it scales.
| Seed (~₹3 cr, 8 people) | Series A (~₹15 cr, ~30) | Series B (~₹60 cr, ~80) | |
|---|---|---|---|
| Payments | Founder approves in bank portal; maker-checker | DOA matrix; two-person bank auth | Tiered approvals; payment tool with audit trail |
| Vendors | Simple approved-vendor list | Vendor master, GSTIN verified, two-person changes | Three-way match enforced in system |
| Reconciliation | Monthly bank recon | Monthly bank, ledger and GST/TDS recon | Weekly recon; reviewed by controller/CFO |
| Policy | One-page expense rule | Expense policy + DOA, documented | Full controls manual; audit-ready |
| Owner | Founder + outsourced accountant | Controller + fractional CFO | Full-time CFO + finance team |
The startup financial controls checklist
If you are starting from scratch, work down this list in order. The first five cost almost nothing.
- Turn on two-person approval in your bank portal.
- Write a one-line maker-checker rule: no one creates and releases the same payment.
- Build a one-page DOA / approval matrix and share it.
- Create a vendor master; pay only listed vendors; verify any bank-detail change by phone.
- Write a one-page expense policy.
- Run a monthly bank reconciliation, reviewed by a second person.
- Verify GSTINs and build a GST and TDS close calendar.
- Remove bank and tool access the day anyone leaves.
“Controls are not about distrust. They are how an honest team proves the money was handled right, and how a founder sleeps the night before a payment run of fifty lakh.”
Ankit Sarawagi, CFOmatrix
|
08Frequently Asked Questions
What are financial controls for startups?
Financial controls are the rules, approvals and checks that protect a startup’s money and ensure its numbers are accurate. They include maker-checker on payments, a delegation of authority matrix that sets who can approve what, segregation of duties so no single person controls a transaction end to end, a clean vendor master, bank and payment controls, an expense policy, and regular reconciliations. Good controls prevent fraud, leakage and errors before they hurt the business.
Why do financial controls matter for early-stage startups?
Early-stage startups run on trust and speed, which is exactly when leakage, duplicate payments, fake vendors and honest errors slip through unnoticed. Investors and auditors also expect basic internal controls before a Series A. Setting up simple controls early costs almost nothing, while fixing a fraud or a botched GST and TDS position after the fact is expensive and damages credibility during a raise.
What is maker-checker in financial controls?
Maker-checker means one person creates or initiates a transaction (the maker) and a different person reviews and approves it (the checker) before it goes through. For example, an accountant enters a vendor payment and the founder or finance lead approves it in the bank portal. It is the single most powerful control a small startup can adopt because it stops one person from both creating and releasing a payment.
What is a delegation of authority (DOA) matrix?
A delegation of authority matrix is a simple table that sets who can approve what, up to which rupee limit. For example, a manager can approve up to ₹50,000, the finance lead up to ₹5 lakh, and anything above needs the founder or board. It removes ambiguity, speeds up genuine spend, and ensures large payments always get senior eyes.
What financial controls do investors and auditors expect before Series A?
Before a Series A, investors and auditors typically expect maker-checker on payments, a documented approval or DOA matrix, segregation of duties between recording and payment, a controlled vendor master, monthly bank reconciliations, an expense policy, and clean GST and TDS compliance. These show that the company’s reported numbers can be trusted and that cash is protected, which directly affects diligence and valuation.
How do financial controls relate to GST and TDS compliance in India?
Controls and statutory compliance are linked. A clean vendor master with verified GSTINs ensures you claim correct input tax credit, maker-checker on vendor onboarding prevents fake invoices, and a monthly close calendar ensures GST returns and TDS deposits and filings happen on time. Weak controls usually show up later as input-credit mismatches, TDS short-deductions, interest and penalties under the GST and Income Tax provisions.
What is segregation of duties in a small startup?
Segregation of duties means splitting a transaction so no single person controls it from start to finish: the person who records a transaction should not also approve and release the payment, and the person who onboards a vendor should not be the only one approving its invoices. In a tiny team you cannot split everything, so you compensate with the founder as the second pair of eyes on payments and bank access until you can hire.
Rupee limits and examples are illustrative and should be set to your own stage, scope and risk. This is general information, not financial, tax or legal advice. Indian compliance under the Companies Act, GST and the Income Tax Act changes; speak to a qualified adviser about your specific situation.
- Virtual & Fractional CFO for Startups: The Complete GuideFinance Leadership · CFO Series (Pillar)
- The Month-End Close: From Weeks to DaysFinance Leadership · CFO Series
- Building Your Monthly MIS / Management Reporting PackFinance Leadership · CFO Series
AS | Founder, CFOmatrix | Finance Strategy & Equity Compliance CFOmatrix is a knowledge platform focused on how finance actually works inside growing companies. Every insight is shaped by real operating experience across startups and growth-stage companies, including cross-border setups. |