Internal Audit of OEM Receivables for Auto-Component Suppliers

OEM receivables at an auto-component Tier 1 are the highest-volume, highest-variability receivables in Indian manufacturing. Internal audit procedures need to test the scheduling-agreement-to-invoice-to-receipt control chain, the debit-note authorisation matrix, the RMPV claim approval workflow, and the SA 240 fraud overlay against round-tripping risk. A worked example on a Mahindra Tier 1 internal audit walks the controls testing matrix, sample sizes, and exception findings.

Terra Insight Reconciliation Infrastructure

Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group.

Published 12 June 2026
Knowledge Card
Problem

OEM receivables at an Indian auto-component Tier 1 are the highest-volume, highest-variability receivables in Indian manufacturing — the scheduling-agreement-to-invoice-to-receipt chain has six control points, the OEM debit-note regime can short-pay 8% to 12% of monthly billing, RMPV claims are variable consideration with forward estimation risk, the OEM portal is the source of truth, and the SA 240 fraud overlay covers round-tripping, phantom RMPV, debit-note suppression, and DRC-08 GST patterns. A generic AR internal audit checklist will miss four out of these five distinct risk layers.

How It's Resolved

Apply a domain-specific controls testing matrix. Test the SA-to-invoice-to-receipt chain with six control points, each sampled at 30 to 60 transactions. Test the debit-note authorisation matrix with segregation of duties testing. Test the RMPV claim approval workflow with constraint-policy alignment. Run cum-quantity drift sampling per SA. Run short-pay decomposition by reason. Overlay SA 240 fraud-risk procedures — analytical review on dispatch trend, claim acceptance sample, GST credit note reconciliation. Document exception findings with materiality flagging and recommended remediation.

Configuration

Six-control SA-to-invoice-to-receipt matrix with control owner, frequency, evidence, and exception threshold per control. Debit-note authorisation cap matrix per role. RMPV claim register with constraint-policy tier per claim. Cum-quantity drift sampling rule per SA. Short-pay reason taxonomy with ageing buckets per reason. SA 240 fraud-risk pattern library mapped to test procedure. OEM portal data access for substantive testing.

Output

An internal-audit working-paper file per OEM with control test results, exception list with materiality flagging, fraud-risk pattern test conclusions, recommendation matrix with severity ranking, and a management letter draft addressing identified control weaknesses. A quarterly internal-audit report to the Audit Committee summarising OEM-receivables control state across the entire OEM portfolio.

An internal auditor walks into a ₹240 crore Mahindra Tier 1 in Aurangabad on the third Monday of June. The half-yearly internal audit charter covers OEM receivables. The opening balance is ₹62 crore of receivables across three OEM customers — Mahindra & Mahindra (52%), Tata Motors (28%), and Bajaj Auto (20%). The closing balance is ₹68 crore. The half-year billing was ₹148 crore. Eight percent of monthly billing — ₹11.8 crore over the half-year — moved through OEM debit notes and short-pays. The fieldwork for this engagement runs four weeks. The control testing matrix has six SA-to-invoice-to-receipt control points, a debit-note authorisation matrix, an RMPV claim workflow, and an SA 240 fraud overlay.

This guide is the procedures handbook for internal audit of OEM receivables at Indian auto-component suppliers: internal auditors at Tier 1s and Tier 2s use it, finance teams pre-run it as a self-audit, and CFOs deploy it as the Audit Committee reporting framework.

Quick reference

| Item | Standard | Regulator | Code / Threshold |
|---|---|---|---|
| Internal audit standards | Standards on Internal Audit (SIA) | ICAI IASB | Mandatory for listed |
| Fraud risk overlay | SA 240 | ICAI | Applicable |
| Non-compliance overlay | SA 250 | ICAI | Applicable |
| Internal financial controls | Section 143(3)(i) of Companies Act 2013 | MCA | Mandatory reporting |
| Source-of-truth data | OEM portal (e-Nagare, SRM, SupplyOn, MGE) | OEM-specific | Verify per OEM |
| Materiality threshold | 1% of OEM-receivables balance | Entity-set | Performance 50-75% |
| Tax overlay TDS | Section 393(1)(a) code 1002 | CBDT | Job-work paid out |
| Tax overlay TCS | Section 394 code 1071 | CBDT | Scrap sales |

The six-control SA-to-invoice-to-receipt chain

Control 1 — Scheduling agreement set-up

Test that every active scheduling agreement is in the customer master with authorised pricing, tooling annexure if applicable, payment terms, RMPV clause coverage, and FOMP reserve rate. Sample 30 SAs and verify: SA reference matches OEM portal, pricing tier matches the agreement, tooling lineage is recorded, payment terms match the agreement, and any unauthorised changes since prior period have a documented approval trail. Common exception: SA amendments via email-only updates without the customer-master change going through proper authorisation.

Control 2 — Call-off capture

Test that daily / weekly call-offs from the OEM portal are captured in the dispatch system without manual error. Sample 60 call-offs, verify the portal-to-system match per part number per quantity per delivery window. Common exception: portal data not refreshed timely, causing dispatch against stale call-off and triggering downstream short-pay.

Control 3 — Dispatch confirmation

Test that every dispatch is logged at the supplier gate with vehicle programme, part number, quantity, delivery slip number, and time stamp. Sample 60 dispatches and verify against the gate register and the call-off line they fulfil. Common exception: dispatch logged but not tagged to call-off line, leaving cum-quantity drift untracked.

Control 4 — GRN capture from OEM portal

Test that every GRN posted by the OEM on the portal is pulled into the supplier’s system, matched to the dispatch, and tagged with rejection slip if any. Sample 60 GRNs and verify the dispatch-to-GRN match. Common exception: rejection slip recorded but not linked to the original dispatch line, leaving the short-pay reason untracked.

Control 5 — Invoice raise

Test that invoices are raised per the SA price against confirmed GRN quantity with a three-way match check. Sample 30 invoices and verify the GRN-to-invoice match per part per price. Common exception: invoice raised against dispatch quantity, not GRN quantity, leading to short-pay on the rejected portion at OEM end.

Control 6 — Payment receipt and short-pay reason coding

Test that payments received are matched to invoices, short-pays are decomposed by reason (FOMP, quality, RMPV adjustment, line-stop, debit-note, line-item-level rejection), and reason-coded to the appropriate dispute or accept workflow. Sample 30 receipts and verify the reason coding. Common exception: short-pay received without reason coding, parked in the unreconciled bucket.

How is the debit-note authorisation matrix tested?

The authorisation matrix has three layers:

Layer 1 — Acceptance of OEM debit note. Typically restricted to the finance head or controller, with materiality threshold for CFO escalation. Sample 30 debit notes accepted in the period. Verify: amount per layer’s authorised cap, sign-off chain documentation, dispute consideration before acceptance, and timing within the GST credit note window (Section 34) where a corresponding tax credit note is required.

Layer 2 — Dispute of OEM debit note. Typically the commercial team head with a documented dispute file. Sample 15 disputes in the period. Verify: dispute file completeness, OEM communication trail, and timing of dispute resolution.

Layer 3 — Back-charge to Tier 2 sub-supplier. Typically procurement head with authorisation cap. Sample 15 back-charges in the period. Verify: linkage to the OEM debit note that triggered the back-charge, sign-off chain, and Tier 2 acknowledgement.

The segregation-of-duties test runs across the three layers — no single individual should hold acceptance, dispute, and back-charge authority.

How is the RMPV claim approval workflow tested?

RMPV claims are variable consideration estimated forward and constrained per Ind AS 115 paragraph 56. Internal audit tests the workflow at four points:

  1. Claim raise — verify the index data (JPC steel, LME aluminium, LME copper) used in the calculation against the contractual reference, sample 15 claims.
  2. Claim filing — verify the filing on the OEM portal with the documentary evidence pack, sample 15.
  3. Constraint policy application — verify the booked estimate against the documented constraint-policy tier (100% for index-formula monthly settlement, 60-80% for quarterly committee, 0-30% for discretionary).
  4. OEM acknowledgement tracking — age unresolved claims and verify the forward look against actual settlement.

How does the SA 240 fraud-risk overlay work?

SA 240 requires the auditor to assess fraud risk specific to the entity. For OEM receivables four high-risk patterns concentrate:

Pattern 1 — Round-tripping. Dispatches recorded that are immediately offset by short-pays of the same magnitude, masking phantom revenue. Test: analytical review of dispatch-to-GRN-to-invoice-to-receipt trend per part number per OEM. A repeat dispatch-then-short-pay pattern on a single part is a red flag for further investigation.

Pattern 2 — Phantom RMPV claims. Claim register padded for revenue smoothing. Test: sample claim filings against OEM portal acknowledgement, age unresolved claims, and trace settlement history to identify a divergence between booked estimates and actual settlements.

Pattern 3 — Debit-note suppression. Genuine OEM debits not booked to inflate receivables ageing favourably. Test: tally OEM portal debit-note register to internal books per OEM per month. Any debit note on portal but not in books is a control failure or potential suppression.

Pattern 4 — DRC-08 type GST round-tripping. Credit notes issued for revenue reduction but the corresponding GST credit note (Section 34 of CGST Act) is structured to inflate input credit elsewhere. Test: tally GST credit notes raised to revenue movement, verify Section 34 timing compliance, and reconcile to GSTR-1 outward supply.
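
The Pattern 3 tally (OEM portal debit-note register against internal books, per OEM per month) can be run as a keyed comparison. The sketch below is an added example, not part of the original guide or of any vendor tool; the record layout, OEM labels, note numbers and amounts are constructed assumptions. It goes slightly beyond the test as stated by also flagging amount mismatches and booked notes that have no portal counterpart.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts; the field names and values are assumptions,
# not a real OEM portal export or ERP schema.
PORTAL_REGISTER = [
    {"oem": "OEM-A", "note_no": "DN-1001", "month": "2026-04", "amount": "125000.00"},
    {"oem": "OEM-A", "note_no": "DN-1002", "month": "2026-04", "amount": "48000.00"},
    {"oem": "OEM-A", "note_no": "DN-1003", "month": "2026-05", "amount": "310000.00"},
    {"oem": "OEM-B", "note_no": "DN-2001", "month": "2026-05", "amount": "76000.00"},
]
BOOKS_REGISTER = [
    {"oem": "OEM-A", "note_no": "DN-1001", "month": "2026-04", "amount": "125000.00"},
    {"oem": "OEM-A", "note_no": "DN-1003", "month": "2026-05", "amount": "210000.00"},
    {"oem": "OEM-B", "note_no": "DN-2009", "month": "2026-05", "amount": "15000.00"},
]


def tally_debit_notes(portal, books):
    """Compare the portal register (source of truth) with the books, note by note."""
    booked = {(r["oem"], r["note_no"]): r for r in books}
    portal_keys = {(r["oem"], r["note_no"]) for r in portal}
    exceptions = []
    for p in portal:
        b = booked.get((p["oem"], p["note_no"]))
        p_amt = Decimal(p["amount"])
        if b is None:
            # On portal, absent from books: control failure or potential suppression.
            kind, gap = "NOT_IN_BOOKS", p_amt
        elif Decimal(b["amount"]) != p_amt:
            kind, gap = "AMOUNT_MISMATCH", p_amt - Decimal(b["amount"])
        else:
            continue
        exceptions.append({"oem": p["oem"], "month": p["month"],
                           "note_no": p["note_no"], "type": kind, "gap": gap})
    for (oem, note_no), b in booked.items():
        if (oem, note_no) not in portal_keys:
            # Booked with no portal counterpart: needs supporting evidence.
            exceptions.append({"oem": oem, "month": b["month"], "note_no": note_no,
                               "type": "NOT_ON_PORTAL", "gap": -Decimal(b["amount"])})
    return exceptions


def unbooked_exposure(exceptions):
    """Total portal debits missing or under-booked, per (OEM, month)."""
    totals = defaultdict(Decimal)
    for e in exceptions:
        if e["type"] in ("NOT_IN_BOOKS", "AMOUNT_MISMATCH") and e["gap"] > 0:
            totals[(e["oem"], e["month"])] += e["gap"]
    return dict(totals)


if __name__ == "__main__":
    for e in tally_debit_notes(PORTAL_REGISTER, BOOKS_REGISTER):
        print(e)
```

The per-OEM, per-month totals from `unbooked_exposure` are the figures to compare against the engagement's materiality threshold before deciding how far to extend the sample.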

Worked example: Mahindra Tier 1 internal audit

A half-yearly internal audit at a ₹240 crore Mahindra Tier 1 covering OEM receivables. Fieldwork runs four weeks. The control testing matrix is applied per the framework above. Findings:

| Finding | Severity | Amount | Recommendation |
|---|---|---|---|
| 42 unreconciled short-pays past 90 days | High | ₹68 lakh | Age, escalate, accept-or-dispute with documented reason |
| 7 cum-quantity drift exceptions across 3 SAs | High | 1,420 units, ₹38 lakh | Monthly cum reconciliation per SA, book receivables |
| 14 RMPV claims pending OEM acknowledgement 60+ days | Medium | ₹2.4 crore | Escalate, constrain booked estimate to 50% pending settlement |
| 3 debit notes accepted without prescribed sign-off | High control | ₹14 lakh | Enforce authorisation matrix, retrain finance team |
| Round-tripping pattern test (analytical review) | Low concern | No instance found | No action |
| GRN-to-invoice three-way match exception rate | Medium | 4.2% (above 2% threshold) | Tighten Control 5 testing |
| Section 393(1)(a) code 1002 deduction on job-work to heat-treatment vendor | Medium | ₹6 lakh under-deduction | Correct and deposit with interest under Section 466 |

The internal audit report is presented to the Audit Committee with severity ranking, recommended remediation per finding, and follow-up testing scheduled for the next quarter. The Section 143(3)(i) internal-financial-controls reporting at year-end will be informed by this engagement’s findings.

Tax overlay specifics

The internal audit covers the Section 393(1)(a) code 1002 deduction on job-work charges paid out (heat-treatment, plating, machining, assembly), the Section 394 code 1071 collection on scrap sales from 1 April 2026, and the Form 26AS three-way match on TDS receivable. Sampling 30 job-work invoices in the period typically surfaces one or two under-deductions — flagged for correction with interest under Section 466 if not yet deposited.

The Form 26AS three-way match — books vs Form 26AS vs Form 16A — is a routine internal audit procedure. Any variance above performance materiality requires investigation and provision review for write-back risk.

The ICAI Standards on Internal Audit and SA 240 / SA 250 are the authoritative reference. The CBDT new-framework codes are the applicable tax overlay.

Primary reference: Institute of Chartered Accountants of India — for the Standards on Internal Audit (SIA), the Standards on Auditing (SA 240 fraud risk, SA 250 non-compliance), and the ICAI Guidance Note on Reporting under Section 143(3)(i) of the Companies Act on internal financial controls over financial reporting.

Frequently Asked Questions

Why is OEM receivables internal audit distinct from generic AR internal audit?
Generic AR internal audit tests invoicing accuracy, ageing, collection effort, and bad-debt provision. OEM receivables at an auto-component Tier 1 add four distinct risk layers. First, the scheduling-agreement-to-call-off-to-dispatch-to-GRN-to-invoice chain has cum-quantity drift risk where over-shipped quantities accumulate unreconciled. Second, the OEM debit-note regime can short-pay 8% to 12% of monthly billing for FOMP, quality, line-stop, or RMPV reasons. Third, RMPV claims are variable consideration estimated forward — material misjudgement risk under SA 540. Fourth, the OEM portal is the source of truth — internal audit must verify the company's books against the portal, not against internal records alone. These four layers require a domain-specific controls testing matrix.
What is the SA-to-invoice-to-receipt controls testing matrix?
The chain has six control points. Control 1 — scheduling agreement set-up in the customer master with authorised pricing and tooling annexure. Control 2 — call-off receipt from OEM portal and capture in the dispatch system. Control 3 — dispatch confirmation per call-off line with vehicle programme, part number, and quantity. Control 4 — GRN receipt from OEM portal with rejection slip linkage. Control 5 — invoice raise per call-off and GRN with three-way match against SA price. Control 6 — payment receipt with short-pay reason coding. Internal audit tests each control point with a 30-to-60 transaction sample, walk-through documentation, and exception analysis.
How is the OEM debit-note authorisation matrix tested?
Authorisation matrix testing covers three risk areas. First, who can accept a debit note — typically restricted to the finance head or controller, with materiality threshold (e.g., above ₹1 lakh requires CFO sign-off). Second, who can dispute a debit note — typically the commercial team head with a documented dispute file. Third, who can issue a corresponding back-charge to the Tier 2 sub-supplier — typically the procurement head with an authorisation cap. Internal audit samples 30 debit-note acceptances and 15 disputes, verifies the sign-off chain, and tests the segregation of duties between acceptance and recovery.
How does SA 240 fraud-risk overlay apply to OEM receivables?
SA 240 (The Auditor's Responsibilities Relating to Fraud) requires the internal auditor to assess fraud risk specific to the entity. For OEM receivables the four high-risk patterns are: round-tripping where dispatches and short-pays cancel out to mask phantom revenue; phantom RMPV claims where the claim register is padded for revenue smoothing; debit-note suppression where genuine OEM debits are not booked to inflate receivables ageing favourably; and DRC-08 type GST round-tripping where credit notes are issued without corresponding revenue reduction. Internal audit's fraud-risk procedures cover analytical review of dispatch-to-GRN-to-invoice trend, sample testing of claim acceptances, and reconciliation of GST credit notes against revenue movement.
What are the typical exception findings at a Mahindra Tier 1 internal audit?
A typical engagement at a ₹240 crore Mahindra Tier 1 surfaces four categories of findings. First, 30 to 60 unreconciled short-pays past 90 days totalling ₹40 lakh to ₹1.2 crore — recommendation to age, escalate, and accept-or-dispute with documented reason. Second, 5 to 12 cum-quantity drift exceptions per SA where dispatched quantity is ahead of invoiced quantity by 200 to 600 units — recommendation to reconcile monthly and book the receivables. Third, 8 to 20 RMPV claims pending OEM acknowledgement for 60+ days — recommendation to escalate and constrain the booked estimate. Fourth, 2 to 5 debit notes accepted without the prescribed sign-off chain — recommendation to enforce the authorisation matrix.
