Audit / Controls

CARO Red Flags for Private Companies

CA Nikhil Gupta · May 2026 · 3 min read

Even where a specific reporting clause is not applicable, CARO-style questions expose weaknesses that lenders and investors also examine.

Quick View

  Owner: CFO and internal audit owner
  Cadence: Quarterly
  First control: Confirm CARO applicability with the auditor.
  Core evidence: CARO applicability memo.

Why It Matters

CARO 2020 contains detailed reporting areas for companies within its applicability. Finance should confirm the current applicability and not assume every private company is exempt.

The underlying control questions remain useful: Do asset records exist? Is inventory verified? Are statutory dues disputed or overdue? Are loans and guarantees authorised? Has the company defaulted?

Management should maintain a clause-wise readiness matrix with evidence and exceptions. The statutory auditor, not management, determines the final reporting conclusion.

Control Framework

  Control             | What it covers                                          | Operating rule
  --------------------|---------------------------------------------------------|--------------------------------
  Asset and inventory | Records, title and physical verification are tested.    | Resolve differences promptly.
  Funding and loans   | Borrowing, guarantees and use of funds are tracked.     | Monitor defaults and diversion.
  Compliance          | Statutory dues and related parties are reconciled.      | Age every dispute.
  Integrity           | Fraud, whistleblowing and internal audit are assessed.  | Escalate credible allegations.

Action Checklist

  1. Confirm CARO applicability with the auditor.
  2. Build a clause-wise evidence matrix.
  3. Age statutory and lender defaults.
  4. Review loans, guarantees and fund use.
  5. Reconcile fixed assets and inventory.
  6. Report fraud and control exceptions to the board.

Practical Example

A private startup assumes CARO does not matter, but it has overdue statutory dues, loans to a related entity and unexplained inventory differences. These issues will surface in audit and diligence regardless of the label.

Evidence to Keep

  • CARO applicability memo.
  • Fixed-asset and inventory records.
  • Statutory-dues ageing.
  • Loan and guarantee register.
  • Related-party approvals.
  • Fraud and internal-audit reports.

Warning Signs

  • Preparing the matrix after audit queries.
  • Marking clauses not applicable without basis.
  • Hiding disputed dues in payables.
  • Ignoring fund-use conditions.
  • Treating whistleblower complaints as HR-only matters.

Management Decision

Use CARO as a quarterly risk scan and then map exceptions to owners and board reporting.

Do not draft management conclusions as if they were auditor conclusions. Present facts, evidence and remediation.

Record the decision, owner, due date and evidence expected. A verbal explanation should become an approved working, board note, contract amendment, statutory filing or reconciliation before the item is treated as closed.

Rules, forms, thresholds and procedures can change. Use the latest official source and the actual company facts rather than copying a prior-year control or another entity’s legal position.

Exception Review

Classify every exception as a timing difference, data error, missing document, legal non-compliance, control-design gap or control-operating failure. This prevents management from treating fundamentally different problems as one ageing list.

The exception file should show amount or exposure, root cause, immediate correction, preventive action, owner and board-escalation threshold. Repeated low-value issues can become material when they reveal weak systems or management override.

Close the item only after the evidence agrees across source documents, books, portal data and management reporting. A screenshot or email promise is not equivalent to a completed filing, lender waiver, signed contract or reconciled ledger.

Board Escalation

The control should operate across the full transaction population, not only the samples management expects a reviewer to inspect. For this topic, the key stages are asset and inventory, funding and loans, compliance, and integrity. Each stage should identify the source system, preparer, reviewer, deadline and evidence retained.

A useful management review asks whether the legal document, accounting entry, bank movement, tax treatment and public filing describe the same event. Differences may be valid, but they should be reconciled through a dated working rather than explained from memory during audit or diligence.

Materiality should determine escalation, not whether the company keeps a record. Repeated small exceptions can show weak master data, unclear authority, system bypass or management override. Root cause and preventive action should therefore be documented separately from the immediate correction.

Control evidence should show operation, not merely design. A policy document proves what management intended; a reconciliation, access review, approval log or exception report proves whether the control actually worked during the period.

Manual journals, spreadsheet uploads, administrator access and post-close changes deserve additional scrutiny because they can bypass automated workflows. The reviewer should assess both the entry and the reason normal processing was not used.

Frequently Asked Questions

Q: Does CARO apply to every private company?
A: No. Applicability depends on the current order and exemption conditions.

Q: Can management decide the audit wording?
A: No. The auditor forms the reporting conclusion independently.

Q: Why track non-applicable clauses?
A: The same risks can affect audit, loans and diligence even without a CARO paragraph.

Q: What is the best starting point?
A: A clause-wise matrix linked to current evidence and responsible owners.