Skip to main content
How-To · 13 min read

The Reconciliation Control Plan: A One-Page Template for Every Stream

The reconciliation control plan is the output document of the reconciliation process design method. This is the one-page template — function, failure mode, cause, Severity, Occurrence, Detection, Action Priority, prevention control, detection control, owner, cadence, evidence — with a worked example for each of the four core Indian reconciliation streams.

Terra Insight
Terra Insight Editorial Team Reconciliation Infrastructure

Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →

Published 13 July 2026
Domain expertise
TDS Reconciliation GST Input Credit Platform Settlements NACH Batch Matching Bank Reconciliation Form 26AS Matching ERP Integrations Enterprise Finance Ops
Knowledge Card
Problem

Indian finance teams document their reconciliation processes through Standard Operating Procedures and checklists that confirm the process was executed. Neither document identifies the specific ways the process can silently produce a wrong result, ranks those failures by their real Indian tax and audit consequences, or maps a named control to catch each one. When a statutory auditor asks under Section 143(3)(i) whether internal financial controls are adequately designed, or when CARO 2020 Clause 3(ii)(b) requires the quarterly bank statements filed with lenders to reconcile to the books, the SOP-plus-checklist evidence base cannot answer the design test. A single Section 16(4) missed at-risk ITC row, a single 194J-vs-194C misclassification on manpower supply, or a single DRC-01B trigger from a GSTR-1 vs 3B timing mismatch does not have a documented control lineage — and the residual risk is undefendable to the audit committee.

How It's Resolved

Terra Insight's reconciliation process design method produces one artefact per stream: a one-page control plan. The template carries nine columns — function, failure mode, cause (mapped to the 6P taxonomy of People, Policy, Process, Portal, Period, Partner), Severity, Occurrence, Detection, Action Priority (High, Medium, Low), prevention control, detection control, owner, cadence, and evidence artefact. The Severity scale is anchored to Indian consequences: 10 for Section 16(4) permanent ITC loss and Section 40(a)(ia) expense disallowance; 9 for Section 200A demand with interest under Section 201(1A) and fee under Section 234E; 8 for CARO 2020 material weakness, DRC-01B or DRC-01C notice; 7 for period misstatement; 5-6 for ledger-level exceptions; 3-4 for presentation errors; 1-2 for cosmetic. The Action Priority table is Severity-first — any Severity 9 or 10 row is High regardless of Occurrence or Detection. Every High row requires two independent detection layers, at least one of which is either a system-enforced rule or an aging queue with escalation.

Configuration

One control plan per stream: invoice-to-bank, TDS against Form 26AS or Form 168, GSTR-1 versus GSTR-3B, GSTR-2B ITC. Named owner for each row. Named prevention and detection control keyed to the row. Cadence — transactional, daily, monthly, quarterly — recorded against each detection control. Evidence artefact — the specific file, log, screenshot, or ERP report the control produces — named with a retention rule that aligns to the seven-year statutory record retention under Section 128(5) of the Companies Act. Review cadence for the control plan itself: monthly by the controller, quarterly with the audit committee, re-opened on any process change, portal change (Form 168 switchover, IMS rollout), or after every field incident that reveals a new failure mode.

Output

Four one-page reconciliation control plans, one per stream, that the statutory auditor tests as the design evidence under Section 143(3)(i) and CARO 2020 Clause 3(ii)(b). Every High Action Priority row carries two independent detection layers and a named owner. Every residual risk is documented with a written acceptance rationale signed by the controller. The control plan populates the statutory audit checklist and the ICFR test plan, and both testing documents sample against it. Board and audit committee reporting: a monthly dashboard of open High Action Priority rows across the four streams, the aging of unresolved exceptions in each, and a quarterly review that re-scores Occurrence and Detection based on the previous quarter's incident data.

A statutory auditor at year-end asks a mid-market Indian controller for the written control document that governs the company’s GSTR-2B input tax credit reconciliation. The controller produces a fifteen-page Standard Operating Procedure and a monthly checklist. The auditor asks a second question: which specific control catches a supplier who files GSTR-1 in the fifth month after invoice date, past the Section 16(4) November 30 cut-off, and how is the exposure aged before the deadline? The SOP describes the reconciliation steps. The checklist confirms the steps ran. Neither document answers the question. This is the failure that a reconciliation control plan template India finance teams can defend to statutory auditors is designed to close — a one-page document per stream that names every failure mode, ranks each by its Indian tax and audit consequence, and pins a specific prevention and detection control to every High Action Priority row.

The reconciliation control plan is the output document of the reconciliation process design method. It is not a longer SOP. It is the written artefact that a Section 143(3)(i) ICFR reviewer, a CARO 2020 auditor, or an audit committee chair reads to conclude that the reconciliation risk is being managed at design standard.

Quick reference

AspectDetail
PurposeOutput document of the reconciliation process design method — one page per stream
ColumnsFunction, failure mode, cause (6P), Severity, Occurrence, Detection, Action Priority, prevention control, detection control, owner, cadence, evidence
Streams (Phase 1)Invoice-to-bank, TDS vs Form 26AS or Form 168, GSTR-1 vs GSTR-3B, GSTR-2B ITC
Severity 10 anchorSection 16(4) ITC time bar, Section 40(a)(ia) expense disallowance
Severity 9 anchorSection 200A demand notice with interest under Section 201(1A), fee under Section 234E
Severity 8 anchorCARO 2020 material weakness, DRC-01B, DRC-01C
Action Priority ruleSeverity-first — any S9 or S10 is High regardless of Occurrence or Detection
High AP requirementTwo independent detection layers, at least one system-enforced or aging queue with escalation
Review cadenceMonthly by controller, quarterly with audit committee, re-opened on process change
Design test authoritySection 143(3)(i) Companies Act 2013, CARO 2020 Clause 3(ii)(b)
Companion toolInteractive worksheet at /tools/reconciliation-process-design-worksheet/

The one-page template — nine working columns

The template is engineered to fit on a single printed page in landscape orientation. The nine columns capture the full risk-to-control map for a single reconciliation function.

  • Function. The exact reconciliation output the control plan governs — for example, “match Form 26AS or Form 168 credits to the TDS receivable ledger by deductor PAN and quarter (or payment code for FY 2026-27 onwards).” One control plan governs one function; a group’s TDS reconciliation and a group’s GSTR-2B reconciliation are separate documents.
  • Failure mode. The specific way the function can produce a wrong or incomplete result. Every reconciliation function has ten to fourteen failure modes drawn from the twelve-class taxonomy Terra Insight publishes on the pillar — data extraction, classification, completeness, matching, timing, partner, precision, policy, aging, cutoff, evidence, portal.
  • Cause (6P). The Terra Insight 6P cause taxonomy — People, Policy, Process, Portal, Period, Partner — is the finance-team analogue of the manufacturing Ishikawa taxonomy but rebuilt for the actual causes of Indian reconciliation failure. Every failure mode traces to one of the six.
  • Severity, Occurrence, Detection. Three ratings on the 1-10 anchored scales. Severity is anchored to Indian consequences — Section 16(4), Section 200A, CARO 2020, DRC-01B. Occurrence is rated against the current prevention control. Detection is rated against the current detection control.
  • Action Priority. The Severity-first lookup — High, Medium, or Low. Any Severity 9 or 10 row is High. This is the axiom that stops a permanent ITC loss from sitting behind a low-value formatting variance.
  • Prevention control. The written or system-enforced rule that reduces the likelihood of the cause — an ERP field-level constraint, a vendor master data discipline, a cut-off calendar, a written policy with signed analyst acknowledgement, a training curriculum.
  • Detection control. The technique that catches the failure after it happens but before it reaches the counterparty, the tax authority, or the auditor — a ratio analysis, a peer review with checklist, an aging queue with escalation, a conservation check (SGST + CGST = total GST), a system-enforced reasonableness test.
  • Owner, cadence, evidence. The named person responsible for the control, the cadence at which the control runs (transactional, daily, monthly, quarterly), and the specific evidence artefact — a signed working paper, a screenshot with URL and timestamp, an ERP report — retained for seven years under Section 128(5) of the Companies Act 2013.

Four worked examples — one row per stream, two failure modes each

The worked examples below are illustrative. Every finance team’s Severity anchors are the same statutory anchors, but the Occurrence and Detection ratings are properties of that team’s current controls.

Stream 1 — Invoice to bank statement

Failure mode6P causeSODAPPrevention controlDetection controlOwnerCadenceEvidence
Multi-invoice bank credit assigned to the wrong customer setProcess867HBank narration parsing rule published; UTR-to-invoice mapping table maintainedTwo-way tick-and-tie by peer on any credit above materiality; residual variance queue reviewed weeklyAR analyst; peer: senior ARTransactional; peer weeklySigned working paper with UTR list, narration extract, and matched invoice numbers
Bank charges (RTGS/NEFT fee) not booked in the period the credit was receivedPrecision686MERP fee ledger auto-posted from bank statement upload; charge codes mappedRatio test — bank charges as percentage of gross credits, trended monthlyAR analystMonthlyBank charge summary reconciled to fee ledger, with variance note if any

Stream 2 — TDS against Form 26AS / Form 168

Failure mode6P causeSODAPPrevention controlDetection controlOwnerCadenceEvidence
Cross-era code confusion — deductor filed under legacy 194x code but transaction is a new-era Section 393 payment code casePeriod977HCross-era mapping table maintained in a single document, reviewed monthly; both section code and payment code carried in the ledger for FY 2026-27 and FY 2027-28Two-key match — try old code first, then new code (see cross-era TDS reconciliation); residual review by tax managerTax managerQuarterlyMatch report with both keys, residual note
TDS deducted on GST-inclusive amount by mistake — Circular 23/2017 correctionPolicy956HERP field for TDS base is a computed formula (Invoice value minus GST); no manual overrideSample-based tick-and-tie by peer; ratio test on total TDS receivable to net invoiced revenue trended quarter-on-quarterTax analyst; peer: tax managerQuarterlySigned reconciliation with rate applied per line

Stream 3 — GSTR-1 versus GSTR-3B

Failure mode6P causeSODAPPrevention controlDetection controlOwnerCadenceEvidence
Invoice reported in GSTR-1 in one month and paid in GSTR-3B in a later month — DRC-01B trigger (see DRC-01B reply guide)Period876HMonthly output tax liability workbook that reconciles GSTR-1 declared to GSTR-3B paid before filing GSTR-3B; period-lock discipline on invoice bookingPeer review before GSTR-3B filing; DRC-01B pre-check tool run at day 22 of the return monthIndirect tax analyst; peer: indirect tax managerMonthlyPre-file reconciliation with GSTIN-wise variance schedule
Credit note issued in GSTR-1 in the current month, but corresponding reduction in output tax not reflected in GSTR-3B liabilityPrecision766MCredit note register kept parallel to GSTR-1 preparation; credit note ID matched to original invoice IDRatio test — credit note value as percentage of gross output tax, trended monthlyIndirect tax analystMonthlyCredit note schedule cross-referenced to GSTR-3B Table 3.1(a) working

Stream 4 — GSTR-2B input tax credit

Failure mode6P causeSODAPPrevention controlDetection controlOwnerCadenceEvidence
Supplier’s GSTR-1 not filed by November 30 — Section 16(4) permanent ITC loss (see Section 16(4) ITC time bar)Partner1068HVendor master flagged with GSTR-1 filing history and default rate; onboarding due-diligence rule for high-value vendorsAt-risk ITC aging queue keyed to each vendor’s GSTR-1 filing status, refreshed daily, prioritised by days remaining to November 30; escalation to vendor key account manager at 30, 60, and 90 days outIndirect tax analyst; escalation: controllerDaily during Oct-Nov; weekly otherwiseAging report with vendor name, GSTIN, invoice value, days remaining
ITC on blocked expense under Section 17(5) claimed in GSTR-3B by mistake — DRC-01C triggerPolicy856HChart of accounts flagged with Section 17(5) block indicator on the ledger; ERP posting rule prevents ITC claim on blocked GLsPeer review of Section 17(5) exception register; monthly reconciliation of blocked-ITC ledger to zero-claim assertion in GSTR-3BIndirect tax analyst; peer: indirect tax managerMonthlySection 17(5) exception register with sign-off

How the control plan feeds the statutory audit checklist

The statutory audit checklist is the operating-effectiveness testing document the auditor works through during the year-end audit. Every High Action Priority row in the control plan translates to a testable control on the checklist. The auditor requests sample evidence — the specific artefacts the control plan’s Evidence column names — and re-performs the detection control on a sample basis. Where the reconciliation control plan says the at-risk ITC aging queue is reviewed daily during October and November, the auditor samples the queue on two dates from October, one date from mid-November, and one date immediately before the November 30 cut-off, and traces each sampled item to the aging report, the vendor-side communication log, and the ultimate credit outcome. The statutory audit reconciliation checklist on terra-insight.com walks the audit-side reading of this integration in full; CARO 2020 Clause 3(ii)(b) on the quarterly bank statements filed with lenders reads directly against the invoice-to-bank control plan and its documented residual variance.

How the control plan feeds the ICFR test plan

The ICFR test plan under Section 143(3)(i) of the Companies Act 2013 walks the same rows on a walk-through-and-test-of-controls basis at interim, then re-tests at year-end. The ICFR reviewer does not re-perform every reconciliation — they test that the prevention control operates as designed and that the detection control catches a seeded exception. A prevention control of type “ERP field for TDS base is a computed formula with no manual override” is tested by attempting to book a manual override and confirming the ERP rejects it. A detection control of type “aging queue with 30-60-90 day review and escalation” is tested by reading two months of the review log and confirming that any item that crossed 90 days was escalated to a named person, that the escalation was actioned, and that the outcome is recorded. The Terra Insight guide on ICFR and reconciliation controls under Section 143(3)(i) covers the internal-audit-side integration in detail.

Building your own control plans — the interactive worksheet

The companion worksheet at /tools/reconciliation-process-design-worksheet/ is the interactive version of the nine-column template. The twelve-class failure mode taxonomy is pre-populated in a dropdown, the Action Priority lookup is a formula that reads Severity, Occurrence, and Detection and returns High, Medium, or Low with Severity dominance built in, and four blank stream tabs — invoice-to-bank, TDS, GSTR-1 vs 3B, and GSTR-2B — are ready to fill. A Terra Insight Excel workbook version of the same template is under production as a Tier 1 Assets Catalog download; the interactive web version is live now and produces a printable one-page-per-stream output that goes straight into the reconciliation binder or the internal audit workpaper.

When manual control plans surface a High AP row the finance team cannot manually catch

A well-run reconciliation control plan will surface High Action Priority rows whose detection controls are economically infeasible for a manual team. The at-risk ITC queue across two hundred vendors refreshed daily with escalation is the canonical example — the Severity is 10 (Section 16(4) permanent loss), the detection technique is a live aging queue, and the manual control breaks somewhere between one hundred and two hundred vendors. The reconciliation infrastructure layer at TransactIG treats the at-risk ITC queue as a first-class output — the control plan surfaces the requirement, the platform provides the machine-enforced detection layer, and the manual control plan for that stream then records the detection as “automated queue with escalation triggers, refreshed daily” against a system owner rather than a human analyst. The moment of transition is the moment the Action Priority table forbids the residual risk from being accepted — Severity 9 or 10 rows cannot sit as open exceptions when the detection layer is inadequate.

Where this fits

The five FAQs below address the operational questions Indian controllers and CA firm reconciliation leads ask most often when adopting the one-page control plan template across their reconciliation streams.

Terra Insight
Terra Insight Editorial Team Reconciliation Infrastructure

Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →

Published 13 July 2026
Domain expertise
TDS Reconciliation GST Input Credit Platform Settlements NACH Batch Matching Bank Reconciliation Form 26AS Matching ERP Integrations Enterprise Finance Ops
Primary reference: Ministry of Corporate Affairs — for the Companies Act 2013 auditor's report requirements under Section 143(3)(i) and the Companies (Auditor's Report) Order 2020.
Primary sources cited
Last reviewed against sources on 13 July 2026
  • Section 143(3)(i), Companies Act 2013 — The auditor's report shall state whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. The design test is served by written documentation that identifies the risks to reliable financial reporting, the controls designed to mitigate each risk, and the evidence trail that supports the control's operation. A reconciliation control plan for each stream is the design evidence a statutory auditor tests for control adequacy.
  • CARO 2020, Clause 3(ii)(b), Companies (Auditor's Report) Order 2020 — Whether during any point of time of the year, the company has been sanctioned working capital limits in excess of five crore rupees, in aggregate, from banks or financial institutions on the basis of security of current assets. Whether the quarterly returns or statements filed by the company with such banks or financial institutions are in agreement with the books of account of the Company. Clause 3(ii)(b) reads directly against a bank reconciliation control plan, and the auditor's exception, if any, must reconcile to the control plan's documented residual risk.
  • Section 16(4), Central Goods and Services Tax Act 2017 — A registered person shall not be entitled to take input tax credit in respect of any invoice or debit note for supply of goods or services or both after the thirtieth day of November following the end of the financial year to which such invoice or debit note pertains, or furnishing of the relevant annual return, whichever is earlier. This Section 16(4) time bar is the Severity 10 anchor in the GSTR-2B reconciliation control plan — a missed at-risk ITC row before November 30 becomes a permanent, unrecoverable loss.
  • Section 200A, Income-tax Act 1961 (retained in Income-tax Act 2025 codification) — Where a statement of tax deduction at source has been made under Section 200 or a correction statement has been made, such statement shall be processed and any arithmetical error or incorrect claim shall be adjusted, and a notice of demand shall be issued specifying the amount payable. A Section 200A demand notice — with interest under Section 201(1A) and fee under Section 234E — is the Severity 9 anchor in the TDS reconciliation control plan.
  • Guidance Note on Audit of Internal Financial Controls Over Financial Reporting, ICAI — The ICAI Guidance Note operationalises Section 143(3)(i) for statutory auditors. It requires that management maintain written documentation of the risks, the controls designed to mitigate the risks, and the evidence that the controls operated during the period. A reconciliation control plan, one page per stream, is a compliant form of that documentation for the reconciliation risks a finance team owns.

Frequently Asked Questions

What is a reconciliation control plan and what does it contain?
A reconciliation control plan is a one-page working document that captures, for a single reconciliation function, the full risk-to-control map: the function being controlled, the specific ways the function can fail (the failure modes), the underlying cause in the Terra Insight 6P taxonomy (People, Policy, Process, Portal, Period, Partner), the Severity, Occurrence, and Detection ratings anchored to Indian reconciliation consequences, the resulting Action Priority (High, Medium, Low), the prevention control designed to reduce the likelihood of the cause, the detection control designed to catch the failure before it lands with the counterparty, tax authority, or auditor, the named owner of each control, the cadence at which the control runs (transactional, daily, monthly, quarterly), and the evidence artefact the control produces. It is the output document of the reconciliation process design method. A finance team runs one control plan per stream — one for invoice-to-bank, one for TDS, one for GSTR-1 vs GSTR-3B, one for GSTR-2B — and it is the document a statutory auditor tests for design adequacy under Section 143(3)(i) and CARO 2020 Clause 3(ii)(b).
How is a control plan different from a reconciliation SOP or a checklist?
A Standard Operating Procedure describes the steps an analyst executes to run the reconciliation. A checklist confirms that each of those steps was executed. Neither document says anything about the specific ways the steps can silently produce a wrong result. A reconciliation control plan starts with the failure modes — the fourteen or so distinct ways a specific reconciliation function can produce a wrong or incomplete output — and works backward to the prevention and detection controls that catch each one. The SOP tells the analyst what to do. The checklist confirms that it was done. The control plan explains, to the auditor and to the board, why the process would catch a failure if one occurred and what happens to the residual risk when it does not. The three artefacts are complementary, but only the control plan is defensible under an ICFR review or a CARO 2020 audit.
Why does each reconciliation function need its own one-page control plan?
Different reconciliation streams carry different Severity anchors and different cadences. The invoice-to-bank reconciliation runs daily or transactionally and its Severity anchor is a CARO 2020 material weakness observation. The TDS reconciliation runs quarterly and its Severity anchor is a Section 200A demand notice with interest under Section 201(1A) and Section 234E fee. The GSTR-1 vs 3B reconciliation runs monthly and its Severity anchor is a DRC-01B intimation. The GSTR-2B ITC reconciliation runs monthly with a November 30 hard deadline and its Severity anchor is the Section 16(4) permanent ITC time bar. A single omnibus control plan cannot honour the four different cadences, the four different anchors, and the four different evidence requirements simultaneously. One page per stream — enforced discipline — keeps each control plan short enough to be actively used and long enough to be defensible.
How does the control plan integrate with the statutory audit checklist and the ICFR test plan?
The reconciliation control plan is the design document. The statutory audit checklist and the ICFR test plan are the operating-effectiveness testing documents. Every High Action Priority row in the control plan becomes a testable control the statutory auditor samples during the year-end audit, and every prevention and detection control listed against it becomes an evidence requirement the auditor requests. The ICFR test plan under Section 143(3)(i) walks the same rows on a walk-through-and-test-of-controls basis at interim, and re-tests at year-end. Where a control plan row shows a detection control of type 'aging queue with 30-60-90 day review', the ICFR test asks for two months of the review evidence and the escalation records for any item that crossed the maximum age. The control plan populates the checklist, and the checklist samples the control plan. Read the Terra Insight guide on the [statutory audit reconciliation checklist](/insights/statutory-audit-reconciliation-checklist-india/) for the corresponding audit-side reading.
Can the same control plan template be used across multiple entities in a group?
Yes, and it should be. The template is standard — the nine columns from function to evidence do not change from entity to entity. What changes is the failure mode inventory, the Severity ratings anchored to each entity's transaction profile, and the Occurrence and Detection ratings based on each entity's current controls. A holding company with five operating entities runs the same template across all five, with an entity-level control plan for each stream at each entity, plus a group-level roll-up that flags any High Action Priority row unresolved for more than one review cycle. This is how a group controller can defend, to the audit committee, that the reconciliation risk across the group is being managed at a uniform standard while acknowledging that the underlying transaction volumes, portal exposures, and partner mix vary by entity.

See how TransactIG handles reconciliation for your industry

Configuration takes 2–4 weeks. No code development required. ISO 27001:2022 certified.