Controls / IFC

Startup Internal Financial Controls

CA Nikhil Gupta·June 2026·3 min readControls / IFC

Controls should reduce the chance that an error or fraud reaches the financial statements, cash account or board report undetected.

Quick View

Owner

CFO and process owners

Cadence

Continuous, quarterly testing

First control

Map material finance processes.

Core evidence

Risk and control matrix.

Why It Matters

Start with material processes: revenue, purchasing, payroll, payments, treasury, inventory, taxes, financial close and reporting. Identify where a wrong or unauthorised transaction could enter, change or escape review.

Design controls around clear objectives. Preventive controls stop an event; detective controls identify it; corrective controls resolve the cause and effect.

Smaller companies may use founder review or manual reconciliation, but the control must still be evidenced, timely and independent enough to challenge the preparer.

Control Framework

ControlWhat it coversOperating rule
Process riskMaterial error or fraud scenario is defined.Link to financial statement impact.
Control designOwner, frequency and evidence are specified.Avoid vague ‘management review’.
OperationThe control is performed on the complete population.Retain dated evidence.
TestingExceptions and remediation are independently assessed.Repeat after system change.

Action Checklist

  1. Map material finance processes.
  2. Write one objective per key control.
  3. Separate preparation and approval.
  4. Automate logs where practical.
  5. Test samples and complete populations appropriately.
  6. Report unresolved deficiencies to management.

Practical Example

A founder reviews every payment but approves from a chat message without invoice, purchase order or bank verification. Senior review exists, yet the control is not evidence-based.

Evidence to Keep

  • Risk and control matrix.
  • Delegation of authority.
  • System access reports.
  • Reconciliation and review evidence.
  • Control testing results.
  • Deficiency and remediation log.

Warning Signs

  • Writing controls that no one performs.
  • Using one person as maker and approver.
  • Testing only after fraud occurs.
  • Ignoring spreadsheet and interface risk.
  • Closing deficiencies without retesting.

Management Decision

Prioritise controls that protect cash, revenue, liabilities and statutory compliance. A short effective matrix is stronger than a hundred copied controls.

Reassess design after rapid hiring, ERP migration, new locations, acquisitions or a change in business model.

Record the decision, owner, due date and evidence expected. A verbal explanation should become an approved working, board note, contract amendment, statutory filing or reconciliation before the item is treated as closed.

Rules, forms, thresholds and procedures can change. Use the latest official source and the actual company facts rather than copying a prior-year control or another entity’s legal position.

Exception Review

Classify every exception as a timing difference, data error, missing document, legal non-compliance, control-design gap or control-operating failure. This prevents management from treating fundamentally different problems as one ageing list.

The exception file should show amount or exposure, root cause, immediate correction, preventive action, owner and board-escalation threshold. Repeated low-value issues can become material when they reveal weak systems or management override.

Close the item only after the evidence agrees across source documents, books, portal data and management reporting. A screenshot or email promise is not equivalent to a completed filing, lender waiver, signed contract or reconciled ledger.

Board Escalation

The control should operate across the full transaction population, not only the samples management expects a reviewer to inspect. For this topic, the key stages are process risk, control design, operation, testing. Each stage should identify the source system, preparer, reviewer, deadline and evidence retained.

A useful management review asks whether the legal document, accounting entry, bank movement, tax treatment and public filing describe the same event. Differences may be valid, but they should be reconciled through a dated working rather than explained from memory during audit or diligence.

Materiality should determine escalation, not whether the company keeps a record. Repeated small exceptions can show weak master data, unclear authority, system bypass or management override. Root cause and preventive action should therefore be documented separately from the immediate correction.

Control evidence should show operation, not merely design. A policy document proves what management intended; a reconciliation, access review, approval log or exception report proves whether the control actually worked during the period.

Manual journals, spreadsheet uploads, administrator access and post-close changes deserve additional scrutiny because they can bypass automated workflows. The reviewer should assess both the entry and the reason normal processing was not used.

Frequently Asked Questions

Does every startup need a formal IFC report?
Legal reporting applicability varies, but practical financial controls are essential at every scale.
Can founder review replace segregation?
It can mitigate some risk, but it needs complete information and documented evidence.
How are key controls selected?
From material risks and the possibility that other controls will not detect the error.
What makes a deficiency serious?
Magnitude, likelihood, control dependence and management’s ability to detect the issue matter.