Quick answer. A typical Indian mid-market company treats audit as a six-week fire drill: “audit season” arrives in May, the AP team scrambles to chase missing invoices, GSTR-2B reconciliations get dug out of email, and the CFO loses a month. The alternative is audit-readiness as a continuous discipline: every monthly close ends with the books reconciled to GST + TDS portals, every vendor master row is verifiable, every transaction has a complete audit trail. Done well, the year-end audit becomes a one-week sweep in which auditors verify rather than rebuild. This guide is the 90-day operational playbook to get there.
Why the audit usually drags
Most audit pain is not the auditor’s fault. It traces to one of these gaps in the operational year:
- Books and portal data drift apart. Bills posted but never reconciled to GSTR-2B. TDS deducted but Form 26AS shows different numbers. Vendor invoices in books but not in GSTR-1/3B. By April, the gap is a tangled mess.
- Vendor and customer masters are stale. GSTINs cancelled, PANs inoperative, addresses outdated. The team rebuilds the master during audit instead of maintaining it.
- Audit trail is incomplete. Section 143(3) of CGST + Section 44AB of IT Act + Section 143 of Companies Act all imply a continuous, non-tamperable record. Many ERPs allow back-dating, edit-without-trace, or “approved by” without a logged actor.
- Reconciliations done annually, not monthly. GSTR-9 is supposed to be a recap; it ends up being a discovery exercise. By the time you reconcile, the underlying parties have moved on.
- Vendor non-filer recovery never happened. Invoices in your books that never appeared in 2B because the vendor didn’t file. ITC stranded; books and portal disagree at year-end.
The discipline below makes each of these continuous rather than annual.
The audit landscape: what’s actually being audited
For a mid-market Indian company, four audits run in parallel:
| Audit | Authority | Scope | Frequency |
|---|---|---|---|
| Statutory audit | Companies Act 2013, Section 143 | Books vs. financial statements; ICFR opinion | Annual |
| Tax audit | Income Tax Act, Section 44AB | Books vs. tax computation; Form 3CA/3CB + 3CD | Annual (if turnover > thresholds) |
| GST audit | CGST Act, Section 35(5) (until repealed) + 9C | Books vs. GSTR-9; reconciliation | Annual via 9C self-certification (since FY 2020-21) |
| Internal audit | Companies Act 2013, Section 138 (for specified companies) | Process and control adequacy | Quarterly / continuous |
The auditors look for consistency: books, returns, statements, and underlying records all telling the same story. Inconsistency is what triggers questions, qualifications, and investigations.
The 90-day checklist
Three months of disciplined daily/weekly/monthly habits to become continuously audit-ready. By day 90, an auditor walking in finds a complete, reconciled, traceable record.
Days 1–7: Foundation (vendor and customer masters)
| Day | Action |
|---|---|
| 1–2 | Run a vendor master audit. Pull every active vendor. Check PAN validity, GSTIN active status, Udyam (for MSME), bank account verified. |
| 3 | Tag every vendor with: TDS section + rate, GST place of supply, MSME tier, payment terms in writing or default. |
| 4 | Disable inactive vendors (no bills in 12 months); keep them visible for audit lookups but block new bills. |
| 5–6 | Same exercise on the customer master: GSTIN active, PAN, credit limit, place of supply. |
| 7 | Document the master-data change-management policy: who can add a vendor, what verifications are required, where the documents are stored. |
By day 7, master data is the foundation everything else builds on.
Days 8–14: Audit trail discipline
| Day | Action |
|---|---|
| 8 | Verify your books platform logs every change with actor, timestamp, before/after. Section 143(3)(b) of Companies Act requires this for ERP systems w.e.f. 1 Apr 2023 (the “audit trail” rule). |
| 9 | Disable any “back-dating” or “edit-without-trace” features for closed periods. |
| 10 | Run a sample test: edit a transaction in a closed period; verify the audit log captures it. |
| 11 | Implement period locks per GSTIN (per the Multi-GSTIN guide) so one state can close without affecting others. |
| 12 | Document the segregation-of-duties matrix: who can post, approve, pay, reconcile. |
| 13–14 | Test the matrix: try to post a bill and approve it from the same login; the approval should fail. |
The audit trail rule is now a statutory requirement; auditors specifically test for it.
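The day 8–14 tests (actor, timestamp and before/after on every change; no edits in locked periods; no bill posted and approved by the same login) can be run mechanically over an exported change log. The following is an added example, not code from this guide or from any books platform: the field names, the SHA-256 hash chain used for tamper evidence, and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import json

REQUIRED = ("actor", "ts", "action", "txn", "period")

def entry_hash(entry, prev_hash):
    # Assumed scheme: SHA-256 over the entry (minus its own hash) plus the previous hash.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256((json.dumps(body, sort_keys=True) + prev_hash).encode()).hexdigest()

def seal(entries):
    # Chain entries in write order, as a logging layer would at insert time.
    prev = ""
    for e in entries:
        e["hash"] = prev = entry_hash(e, prev)
    return entries

def review(entries, locked_periods):
    """Return (finding, entry id) pairs for the trail, period-lock and maker-checker tests."""
    findings, poster, prev = [], {}, ""
    for e in entries:
        actor, action, txn = e.get("actor"), e.get("action"), e.get("txn")
        if e.get("hash") != entry_hash(e, prev):
            findings.append(("CHAIN_BROKEN", e["id"]))  # altered after it was written
        prev = e.get("hash", "")
        if any(not e.get(f) for f in REQUIRED):
            findings.append(("INCOMPLETE", e["id"]))  # e.g. a change with no logged actor
        if action == "edit":
            if "before" not in e or "after" not in e:
                findings.append(("NO_BEFORE_AFTER", e["id"]))
            if e.get("period") in locked_periods:
                findings.append(("LOCKED_PERIOD_EDIT", e["id"]))  # the lock did not hold
        if action == "post":
            poster[txn] = actor
        if action == "approve" and actor and poster.get(txn) == actor:
            findings.append(("MAKER_IS_CHECKER", e["id"]))
    return findings

def row(i, txn, action, actor, ts, period, **extra):
    return {"id": i, "txn": txn, "action": action, "actor": actor, "ts": ts, "period": period, **extra}

# Constructed sample log (hypothetical users and bills), not real data.
LOG = seal([
    row(1, "BILL-101", "post", "asha", "2024-03-28T10:02:00", "2024-03"),
    row(2, "BILL-101", "approve", "ravi", "2024-03-28T15:30:00", "2024-03"),
    row(3, "BILL-102", "post", "asha", "2024-03-29T09:00:00", "2024-03"),
    row(4, "BILL-102", "approve", "asha", "2024-03-29T09:01:00", "2024-03"),
    row(5, "BILL-101", "edit", "ravi", "2024-05-02T09:15:00", "2024-03", before={"amount": 1000}, after={"amount": 1200}),
    row(6, "BILL-103", "edit", "", "2024-05-03T11:40:00", "2024-04", after={"amount": 500}),
])

if __name__ == "__main__":
    for finding in review(LOG, {"2024-03"}):
        print(finding)
```

The same `review` pass also answers the day 66 approval-matrix question of whether any maker approved their own entry.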
Days 15–30: Books-to-portal reconciliations
The big one. Every monthly close should end with these reconciled:
| Reconciliation | Source A | Source B | Trigger |
|---|---|---|---|
| GSTR-1 reconciliation | Outward supply ledger | GSTR-1 filed | After GSTR-1 filing |
| GSTR-2B reconciliation | Purchase ledger | GSTR-2B (from 14th) | Same day as 2B |
| GSTR-3B reconciliation | GSTR-1 + GSTR-2B | GSTR-3B filed | Pre-filing review |
| TDS challan reconciliation | Books TDS payable | OLTAS challan + 26Q | Monthly |
| Form 26AS | TDS deducted on us | 26AS | Quarterly when 26AS updates |
| Bank reconciliation | Books bank ledger | Bank statement | Daily / weekly |
| Day | Action |
|---|---|
| 15 | Pull last 3 months’ GSTR-1 and reconcile to outward supply ledger. Identify mismatches; document each. |
| 16–18 | Same for GSTR-2B vs purchase ledger. (Use the GSTR-2B Reconciliation Playbook.) Vendor non-filer recovery for stranded ITC. |
| 19–20 | TDS deposit reconciliation: book TDS payable vs OLTAS challans vs 26Q filed. |
| 21 | Form 26AS reconciliation: TDS deducted on us by customers vs our books. |
| 22–24 | Bank reconciliation: every bank account, last 90 days, every line matched. |
| 25–28 | Lock the methodology: each reconciliation has a SOP, an owner, a SLA, and a dashboard. |
| 29–30 | Run the entire suite for the most recent month. Should now take hours, not weeks. |
Days 31–45: TDS deep dive
| Day | Action |
|---|---|
| 31 | Pull last 12 months’ TDS return data. Compare deductions to OLTAS challans deposited. Identify any short / late deposits. |
| 32 | Compute interest under Section 201(1A) for any late deposits. Pay if material. |
| 33–35 | Issue Form 16A to all deductees (pull from TRACES). Distribute via email automation. |
| 36 | Section 40(a)(ia) review: any expenses where TDS was never deducted? These are 30%-disallowed in tax computation. Add back in tax book. |
| 37 | Section 195 (non-resident) deductions: verify Form 15CA / 15CB filing. |
| 38–40 | Lower deduction certificates (Section 197): confirm any LDC is current; expired certificates revert to default rates. |
| 41 | 26Q correction returns: file any corrections discovered during reconciliation. |
| 42–45 | Build the dashboard: late deposit aging (target = 0), 26Q-26AS variance, Form 16A distribution rate. |
By day 45, TDS is fully reconciled, deposited, returned, and Form 16A’d.
Days 46–60: GST consolidation and GSTR-9 prep
| Day | Action |
|---|---|
| 46 | For each GSTIN, build the GSTR-9 worksheet. Tables 4 (outward), 5 (zero-rated), 6 (ITC availed), 7 (ITC reversed), 8 (ITC available per 2B), etc. |
| 47–48 | Reconcile Table 4 to GSTR-1 + GSTR-3B (outward supply). Identify any differences. |
| 49–50 | Reconcile Table 6 to GSTR-3B + 2B (ITC availed). |
| 51 | Table 8: ITC available as per 2B vs ITC actually claimed. The variance here is the stranded-ITC amount. |
| 52–55 | For each GSTIN with turnover > ₹5 cr, build the GSTR-9C reconciliation: books vs GSTR-9. Document the reconciling items (eliminations, accruals, timing differences). |
| 56 | If you operate ISD, reconcile GSTR-6 distributions for the year. |
| 57–58 | Inter-GSTIN supply elimination: sum branch transfers and cross-charges across the entire group. Verify books elimination matches portal supplies. |
| 59 | Aggregate turnover at PAN level, which drives whether you needed e-invoicing in the year (already done if applicable). |
| 60 | Pre-audit dry run: pretend the auditor is here on day 90; could you produce GSTR-9 and 9C for every GSTIN? Time it. |
Days 61–75: Process audit + IFC
| Day | Action |
|---|---|
| 61 | Document Internal Financial Controls (IFC) per Section 143(3)(i). Identify the key processes (revenue recognition, expense recognition, approval matrix, period close, etc.) and the controls in each. |
| 62–65 | Test each control. Sample 25 transactions; verify the control was followed. Document deviations. |
| 66 | Approval matrix audit: any approvals where the maker also approved? Any approvals beyond authority? |
| 67 | Vendor onboarding audit: any vendor created without the standard verification process? Any payments to vendors created within 30 days (red flag)? |
| 68 | Cash and bank: any unusual journal entries, round-number adjustments, late corrections? |
| 69–71 | Inventory: physical verification cycle. Was every location covered in the year? Variance reports reconciled? |
| 72 | Fixed assets: register reconciled to GL, depreciation reviewed, additions vs CWIP movements documented. |
| 73 | Related-party transactions: identified, valued, disclosed. |
| 74 | Provisions and accruals: documented basis for each material provision. |
| 75 | Subsequent events review: anything between balance sheet date and audit completion that needs disclosure. |
Days 76–85: Auditor coordination
| Day | Action |
|---|---|
| 76 | Audit kickoff call. Share the IFC documentation, master-data summary, key reconciliation outputs. |
| 77–80 | Auditor sample requests: provide each within 24 hours. Auditors form judgment based on response speed as much as on content. |
| 81–83 | Walk-through of high-risk processes: revenue recognition, AP cycle, period close, related-party, contingencies. |
| 84 | Management representation letter: draft based on auditor’s typical asks plus your specific business risks. |
| 85 | Audit findings discussion. Address each finding before audit close. |
Days 86–90: Close and continuous discipline
| Day | Action |
|---|---|
| 86 | Audit report finalised. Sign off. |
| 87 | Statutory filings: AOC-4, MGT-7, ITR-6, GSTR-9 / 9C all uploaded. |
| 88 | Post-audit retrospective: what did the auditor flag? Convert each into a continuous control. |
| 89 | Update the SOP for next year’s audit-readiness; bake in any new controls. |
| 90 | Restart the calendar for next year. Day 1 of the next 90-day cycle. |
The discipline becomes continuous: by next audit, you don’t sprint, you walk in.
What auditors actually test
Knowing what auditors are looking at lets you pre-empt the prep:
Substantive testing
- Revenue cut-off: were Mar 30 sales legitimately invoiced in March? Were Apr 1 sales held to April?
- Expense cut-off: were March-incurred expenses booked in March, even if billed in April?
- AR aging: provision for bad debts; long-overdue receivables analysed.
- AP aging: unrecorded liabilities, provisions for unbilled accruals.
- Inventory: physical existence, valuation, slow-moving / obsolete.
- Fixed assets: additions, retirements, depreciation, impairment.
- Tax provisions: current tax, deferred tax, contingent liabilities.
Compliance testing
- GST: every Section 16/17 ITC condition met; place of supply correctly determined; reverse charge applied where mandatory; e-invoicing applied where in scope.
- TDS: every applicable section deducted; deposited on time; returns filed; Form 16/16A issued; Section 40(a)(ia) disallowance computed.
- Companies Act: board minutes, register of members, directors’ disclosures, related-party disclosures, MSME reporting (Form 1).
- Labour: PF, ESI, PT, gratuity, bonus, leave encashment computations and payments.
Controls testing
- Maker-checker segregation in payments, journal entries, master data changes.
- Period locks: past periods inaccessible for edits.
- Audit trail for changes to financial transactions (Section 143(3) Companies Act).
- Access controls: user permissions, leaver-process discipline.
A complete audit-readiness file pre-emptively documents responses to all of these.
The continuous-readiness cadence
Once the 90 days are over, becoming audit-ready year-round looks like this:
| Cadence | Activity |
|---|---|
| Daily | Bank reconciliation, AP exception queue, AR collections updates |
| Weekly | TDS deposit prep, vendor non-filer chase, approval bottleneck review |
| Monthly close (within 5 days of month-end) | GSTR-1, 2B, 3B reconciliation; TDS challan + return; books period-lock |
| Quarterly | 26AS reconciliation, MSME Form 1, 24Q/26Q filing, internal audit review |
| Half-yearly | MSME Form 1 (with MCA), DIR-3 KYC if directors change |
| Annual close (within 30 days) | GSTR-9 + 9C drafted, tax computation drafted, book-tax reconciliation, IFC sign-off |
| Annual audit (within 60 days of close) | Full audit completed |
A team running this cadence is not “preparing” for audit; the audit is just a verification of the records.
Common pitfalls
| Pitfall | Why it happens | Fix |
|---|---|---|
| GSTR-9 done in one month | No monthly reconciliation discipline | Reconcile every month; year-end is just a recap |
| TDS interest paid on late deposits | Calendar awareness only | Automated calendar with deposit-by-7th SLA |
| Vendor master full of stale GSTINs | No periodic validation | Quarterly bulk GSTIN validation |
| Section 40(a)(ia) discovered at audit | TDS check happens after expense already booked | TDS check at bill-posting gate |
| Audit trail not enabled | ERP setting overlooked | Verify at platform onboarding, retest annually |
| Inter-GSTIN reconciliation missed | Treated as internal | Run dedicated branch-transfer + cross-charge reconciliation monthly |
| Form 26AS variance | Customers don’t deduct correctly | Tag every TDS-eligible receipt; chase mismatches monthly |
| Internal audit report never closed | No remediation tracking | Each finding has an owner + closure date |
CFO dashboard: audit-readiness view
- Days since last close: should be ≤ 5 at any point of the year
- Open reconciliation items: count, value, age
- MSME at-risk amount: Section 43B(h) projection
- TDS late-deposit interest YTD: should be zero
- GSTR-2B stranded ITC: value, vendor breakdown
- Vendor master health: % validated, % active, % MSME-tagged
- Audit findings open: from internal audit, last cycle
- IFC test results: % controls passing
Tooling: what to look for
- One record across books, GST, TDS, payroll, MSME, so reconciliations are by-products
- Period locks per GSTIN with full audit trail
- Section 143(3)-compliant audit trail: actor + timestamp + before/after on every state change
- Monthly reconciliation pipelines: automated, with mismatch routing
- Compliance calendar: every state, every form, every deadline
- GSTR-9 / 9C draft generation at any month, on demand
- IFC framework: control library, test results, exception tracking
- Auditor portal: read-only access for auditors to pull samples directly
OneFinOps is built so audit-readiness is a continuous default. Books, GST, TDS, MSME, audit trail all on one record. The annual audit becomes a one-week sweep.
Frequently asked questions
What’s the difference between “audit-ready” and “audit-passed”?
Audit-passed means the auditor signed an unqualified opinion on this year’s books. Audit-ready means the next auditor walking in tomorrow could complete the audit without you sprinting. The first is a point-in-time outcome; the second is an operational discipline.
Do small private companies need to maintain an audit trail?
Section 143(3) Companies Act made it applicable to all companies maintaining books in software, w.e.f. 1 April 2023, including OPCs and small private companies. The threshold for audit may differ by company type, but the audit-trail requirement is universal.
What if our ERP doesn’t support audit trail?
Replace it. Auditors are now required to specifically report on audit-trail availability and tampering. An ERP without it triggers a qualified audit report, which has knock-on effects on lender relationships, tender eligibility, and stakeholder confidence.
Is GSTR-9C required if our turnover is below ₹5 cr?
GSTR-9C self-certified reconciliation is required for aggregate turnover > ₹5 cr (per latest CBIC notifications). GSTR-9 (annual return) is required for > ₹2 cr. For smaller businesses, only GSTR-9, and even that is optional below ₹2 cr in some interpretations. Confirm against the latest notification each year as thresholds shift.
Can we do the audit ourselves if we have a CA on staff?
A statutory audit must be done by an independent CA in practice, not by an in-house CA, regardless of qualification. Internal audit can be in-house. Statutory audit cannot.
How early should we engage the statutory auditor?
For year ending 31 March, engage by January for an April-May audit. Provide a “year-end pack” by mid-April with 90% of the data. The audit is then a 4-week confirmation rather than an 8-week build.
What’s the auditor most likely to qualify on?
Top three for mid-market India:
- GSTR-2B reconciliation gaps with significant stranded ITC
- Section 40(a)(ia) disallowance uncomputed
- Inadequate audit trail, typically because the ERP allows back-dating
Address all three pre-emptively and the qualification risk drops dramatically.
Sources
- Companies Act, 2013, Sections 138, 143, Schedule III: statutory and internal audit requirements; audit trail.
- Income Tax Act, 1961, Sections 44AB, 40(a)(ia), 195, 197, 201, 234E: tax audit, TDS, late-fee provisions.
- CGST Act, 2017, Sections 35, 44 (annual return): GST audit and annual return.
- ICAI, Standards on Auditing (SAs): audit methodology and requirements.
- GSTR-2B Reconciliation Playbook, TDS Automation Playbook, MSME 43B(h) Playbook, Multi-GSTIN Consolidation Playbook: adjacent OneFinOps guides.
This guide is operational, not legal advice. Specific audit edge cases (listed-company SEBI requirements, IND-AS adoption issues, group consolidation under SEBI LODR, transfer pricing) should be reviewed with your statutory auditor and tax counsel.