PKC Management Consulting


Breaking Down Types of Internal Controls in India With Examples

Knowing the types of internal controls in India is essential if you’re involved in running any kind of business in India. 

Learn with us the main types of internal controls, with examples.

What Are Internal Controls?

Internal controls are the policies, procedures, practices, and safeguards that a company’s management and board of directors put in place.

Their main purpose is to:

  • Protect Assets: Safeguard money, inventory, equipment, data, and reputation from loss, theft, or misuse.
  • Ensure Accuracy: Keep financial and business records correct, complete, and timely for legal compliance.
  • Improve Efficiency: Streamline operations to avoid waste and ensure tasks are done right.
  • Ensure Compliance: Follow all applicable laws, regulations, and internal policies.
  • Manage Risks: Spot and address risks like fraud or disruptions before they escalate.

Internal Control Requirements Under Indian Laws

In India, internal controls are not optional. As per the Companies Act 2013, certain companies must have internal financial controls and document them clearly.

Here’s a quick look at the regulations and what they mean for internal controls: 

| Regulation | Key Internal Control Requirements |
|---|---|
| Companies Act, 2013 | Internal Financial Controls (IFC) by Board/CEO/CFO, Auditor reporting and Audit Committee oversight |
| ICAI | Auditors must assess and report on the adequacy and effectiveness of internal financial controls over financial reporting |
| SEBI LODR | Quarterly reviews, Internal audits, Vigil mechanisms, and Risk management committees |
| GST Laws | Internal controls for record-keeping, invoicing, compliance (turnover > ₹5 crore), self-certified GSTR-9C |
| Income Tax Act | Robust controls for tax/transfer pricing audits, related-party transaction documentation |
| PMLA & RBI Guidelines | Strict KYC, AML, and internal risk controls for financial institutions and payment operators |

Main Types of Internal Controls in India

In India, internal controls are grouped into different types based on their purpose. Each type helps a business stay compliant, reduce fraud, and work efficiently.

Let’s break them down:

| Type | Purpose | When Used |
|---|---|---|
| Preventive | Stop issues | Before activity |
| Detective | Find issues | After activity |
| Corrective | Fix issues | After detection |
| Compensating | Reduce risk | When ideal control not possible |
| Financial | Ensure accuracy & compliance | Throughout financial processes |

Preventive Controls

Preventive controls are actions taken by a company to stop fraud, errors, or policy violations before they happen. They act as the “first line of defense” in your control framework.

Preventive controls are crucial for meeting legal requirements like the Companies Act 2013 and guidelines from ICAI and SEBI. 

These laws expect companies to actively manage their risks and protect their assets.

Examples of Preventive Controls:

  • Approval Hierarchies: Approval workflows for expenses, purchases, or fund transfers. E.g., managers must sign off on large purchases.
  • Segregation of Duties (SoD): No single person controls both payment and accounting. E.g., cashiers handling daily collections cannot update sales records.
  • System Access Controls: Employees only access what they need. E.g., biometric access to warehouses and role-based system permissions.
  • Physical Safeguards: Protect and track inventory and assets. E.g., locked cash counters, CCTV in stockrooms, secure cheque books.
  • Pre-employment Checks: Verifying qualifications and background.
  • Employee Training: Teaching staff the rules, so they don’t deviate.
  • Strong Password Policies: Prevent unauthorized data access.

Detective Controls

Detective controls are tools and procedures that help businesses find errors, fraud, or policy violations after they’ve happened.

These are meant to catch the problems early, so companies can respond quickly. They act as a “safety net” when preventive controls fail.

These types of internal control are especially important for maintaining transparency, complying with the Companies Act 2013, and meeting audit standards set by ICAI and SEBI.

Common Detective Controls:

  • Bank reconciliations: Comparing records with bank statements to find mismatches. E.g., daily cash sales vs. POS/billing software for retailers.
  • Internal audits: Regular checks done by internal audit teams to review financials. Required for listed/large companies under the Companies Act.
  • Inventory checks: Surprise or scheduled stock audits to detect theft or misuse. E.g., physical stock counts vs. inventory records.
  • Exception reports: Reports that flag unusual or suspicious transactions. E.g., GST portal mismatch reports, duplicate vendor payments.
  • CCTV monitoring: Physical security footage used in retail, warehouses, and factories.
  • Review of employee timesheets and reports: Catch fake attendance or overtime fraud.
  • Management Reviews: Scrutiny of monthly P&L, debtors ageing, or expense trends by owners/CFOs.

Corrective Controls

Corrective controls are actions taken to fix identified issues, recover losses, and prevent recurrence after errors, fraud, or non-compliance are detected.

Without these controls, the same problems may keep repeating, leading to legal trouble, financial loss, or damaged reputation.

Corrective controls are a key part of corporate governance and are expected under laws like the Companies Act 2013 and audit guidelines from ICAI.

Examples of Corrective Controls:

  • Disciplinary Actions: Suspending staff involved in fraud as per Vigil Mechanism policy.
  • Error Resolution: Adjusting or correcting errors made. E.g., accounting entries for GST input credit mismatches, correcting financial statements.
  • Process Updates: Revising approval workflows after a fraud incident.
  • System Patches: Updating software to plug security loopholes. E.g., after RBI’s cybersecurity audit.
  • Training & Re-training Employees: Briefing on new updates and mechanisms after they break company policy.

Compensating Controls

Compensating controls are alternative safeguards implemented when primary controls (preventive/detective) cannot be applied due to cost, staffing, or operational constraints. Although not ideal, they are better than having no control at all.

They are commonly used in small and medium enterprises where full internal control systems may not be possible due to budget or staffing.

These are recognized under audit practices guided by ICAI and the Companies Act 2013.

Examples of Compensating Controls:

  • Owner Oversight: In small businesses, the proprietor personally verifies all high-value payments if staff segregation isn’t possible.
  • Enhanced Monitoring: Daily review of SMS banking alerts by the CEO if online banking access isn’t fully restricted.
  • Reviewing CCTV footage: When real-time supervision isn’t possible.
  • Monthly Audits: External CA conducts audits instead of hiring an in-house team.
  • Password-protected Excel files: When sophisticated tools like ERP systems aren’t affordable.

Financial Internal Controls

Financial internal controls are policies, processes, and tools to safeguard assets, ensure financial accuracy, prevent fraud, and enforce compliance with Indian laws. 

These controls are mandated under:

  • Companies Act 2013 (Sections 134 & 143)
  • SEBI LODR (for listed entities)
  • GST/Income Tax Laws
  • RBI Guidelines (for banks/NBFCs)

These controls protect against major frauds, like those seen in the Satyam and PNB scams.


Common Financial Controls Used in Indian Companies:

  • Cash & Bank Management: Dual custody, fast reconciliation, alerts, and RBI/GST compliance.
  • Procure-to-Pay (P2P): Match documents, verify KYC, and reconcile ITC to avoid fraud.
  • Reporting: Close monthly, reconcile, and certify per audit rules.
  • Payroll & Expenses: Use biometrics, approve claims, and check TDS to prevent fraud.
  • Authorized Approval: Payments are approved by authorized personnel before they are made.
  • Segregation of Financial Duties: Different people handle cash, banking, and accounting
  • Bank Reconciliations: Matching company records with bank statements
  • Audit Trails: Keeping records of every financial transaction

Administrative or Operational Controls

They are the day-to-day rules, processes, and procedures that help a company run smoothly and safely.

They are not directly related to money; instead, they focus on people, tasks, and business operations.

Administrative/ operational controls are widely used to make sure businesses follow company policies, government laws, and labour regulations.

They are especially important in industries like manufacturing, retail, healthcare, and IT, where daily operations involve many people and moving parts.

Examples of Administrative or Operational Controls:

  • HR policies for hiring, onboarding, and employee conduct
  • Leave and attendance tracking systems
  • Vendor approval processes
  • Access control to office premises (ID cards, biometric systems)
  • Standard Operating Procedures: SOPs for every department
  • Travel and expense claim policies
  • Employee handbooks and training programs
  • Whistleblower policies to report misconduct and protect whistleblowers

How Can PKC Help With Internal Controls?

✅ Four-method test of controls ensuring comprehensive coverage

✅ Segregation of duties implementation preventing revenue leakage

✅ ERP automation reducing manual errors and delays

✅ COSO framework compliance for global best practices

✅ Management override prevention through robust governance structures

✅ Documentation policies creating foolproof audit trails

✅ Weak control identification before breach incidents

✅ Regulatory compliance across SEBI, GST, Income Tax

✅ Operational efficiency improvements through process optimization

Internal Controls in Public vs Private Companies in India

In India, both public and private companies are required to have internal controls, but the rules and intensity differ based on the company type.

Public Companies

Public companies, especially those listed on stock exchanges, must:

  • Follow SEBI (LODR) Regulations, 2015
  • Maintain Internal Financial Controls (IFC) under Section 134(5)(e)
  • Have an audit committee to review controls
  • Conduct regular internal audits
  • Disclose controls and weaknesses in annual reports
  • Use independent directors to oversee compliance

Private Companies

Private companies still need internal controls, but:

  • Requirements are less strict
  • Small companies may be exempt from audit committee requirements
  • Internal audits are only mandatory if certain turnover or borrowing thresholds are crossed
  • Reporting can be more flexible

Overall, public companies face tighter control laws, while private firms get more flexibility, but both must ensure their internal systems are strong and effective.

FAQs About Types of Internal Controls

1. What are internal controls in India?

Internal controls are rules and procedures that Indian companies use to manage risks, prevent fraud, and follow legal requirements. They are legally required under the Companies Act 2013.

2. What are the main types of internal controls?

The main types include preventive, detective, corrective, financial, administrative, and compensating controls. Each one plays a different role in reducing risk.

3. What are preventive controls?

Preventive controls stop mistakes or fraud before they happen. Examples include approval processes, limited access, and segregation of duties.

4. What are detective controls?

Detective controls help discover fraud or errors after they occur. Common methods include internal audits and bank reconciliations.

5. Who enforces internal control laws in India?

Internal control laws are enforced by bodies like SEBI, ICAI, and the Ministry of Corporate Affairs. Auditors also check internal controls during company audits.
