Indian finance teams document their reconciliation processes through Standard Operating Procedures and checklists that confirm the process was executed. Neither document identifies the specific ways the process can silently produce a wrong result, ranks those failures by their real Indian tax and audit consequences, or maps a named control to catch each one. When a statutory auditor asks under Section 143(3)(i) whether internal financial controls are adequately designed, or when CARO 2020 Clause 3(ii)(b) requires the quarterly bank statements filed with lenders to reconcile to the books, the SOP-plus-checklist evidence base cannot answer the design test. A single Section 16(4) missed at-risk ITC row, a single 194J-vs-194C misclassification on manpower supply, or a single DRC-01B trigger from a GSTR-1 vs 3B timing mismatch does not have a documented control lineage — and the residual risk is undefendable to the audit committee.
Terra Insight's reconciliation process design method produces one artefact per stream: a one-page control plan. The template carries nine columns — function, failure mode, cause (mapped to the 6P taxonomy of People, Policy, Process, Portal, Period, Partner), Severity, Occurrence, Detection, Action Priority (High, Medium, Low), prevention control, detection control, owner, cadence, and evidence artefact. The Severity scale is anchored to Indian consequences: 10 for Section 16(4) permanent ITC loss and Section 40(a)(ia) expense disallowance; 9 for Section 200A demand with interest under Section 201(1A) and fee under Section 234E; 8 for CARO 2020 material weakness, DRC-01B or DRC-01C notice; 7 for period misstatement; 5-6 for ledger-level exceptions; 3-4 for presentation errors; 1-2 for cosmetic. The Action Priority table is Severity-first — any Severity 9 or 10 row is High regardless of Occurrence or Detection. Every High row requires two independent detection layers, at least one of which is either a system-enforced rule or an aging queue with escalation.
One control plan per stream: invoice-to-bank, TDS against Form 26AS or Form 168, GSTR-1 versus GSTR-3B, GSTR-2B ITC. Named owner for each row. Named prevention and detection control keyed to the row. Cadence — transactional, daily, monthly, quarterly — recorded against each detection control. Evidence artefact — the specific file, log, screenshot, or ERP report the control produces — named with a retention rule that aligns to the seven-year statutory record retention under Section 128(5) of the Companies Act. Review cadence for the control plan itself: monthly by the controller, quarterly with the audit committee, re-opened on any process change, portal change (Form 168 switchover, IMS rollout), or after every field incident that reveals a new failure mode.
Four one-page reconciliation control plans, one per stream, that the statutory auditor tests as the design evidence under Section 143(3)(i) and CARO 2020 Clause 3(ii)(b). Every High Action Priority row carries two independent detection layers and a named owner. Every residual risk is documented with a written acceptance rationale signed by the controller. The control plan populates the statutory audit checklist and the ICFR test plan, and both testing documents sample against it. Board and audit committee reporting: a monthly dashboard of open High Action Priority rows across the four streams, the aging of unresolved exceptions in each, and a quarterly review that re-scores Occurrence and Detection based on the previous quarter's incident data.
A statutory auditor at year-end asks a mid-market Indian controller for the written control document that governs the company’s GSTR-2B input tax credit reconciliation. The controller produces a fifteen-page Standard Operating Procedure and a monthly checklist. The auditor asks a second question: which specific control catches a supplier who files GSTR-1 in the fifth month after invoice date, past the Section 16(4) November 30 cut-off, and how is the exposure aged before the deadline? The SOP describes the reconciliation steps. The checklist confirms the steps ran. Neither document answers the question. This is the failure that a reconciliation control plan template India finance teams can defend to statutory auditors is designed to close — a one-page document per stream that names every failure mode, ranks each by its Indian tax and audit consequence, and pins a specific prevention and detection control to every High Action Priority row.
The reconciliation control plan is the output document of the reconciliation process design method. It is not a longer SOP. It is the written artefact that a Section 143(3)(i) ICFR reviewer, a CARO 2020 auditor, or an audit committee chair reads to conclude that the reconciliation risk is being managed at design standard.
Quick reference
| Aspect | Detail |
|---|---|
| Purpose | Output document of the reconciliation process design method — one page per stream |
| Columns | Function, failure mode, cause (6P), Severity, Occurrence, Detection, Action Priority, prevention control, detection control, owner, cadence, evidence |
| Streams (Phase 1) | Invoice-to-bank, TDS vs Form 26AS or Form 168, GSTR-1 vs GSTR-3B, GSTR-2B ITC |
| Severity 10 anchor | Section 16(4) ITC time bar, Section 40(a)(ia) expense disallowance |
| Severity 9 anchor | Section 200A demand notice with interest under Section 201(1A), fee under Section 234E |
| Severity 8 anchor | CARO 2020 material weakness, DRC-01B, DRC-01C |
| Action Priority rule | Severity-first — any S9 or S10 is High regardless of Occurrence or Detection |
| High AP requirement | Two independent detection layers, at least one system-enforced or aging queue with escalation |
| Review cadence | Monthly by controller, quarterly with audit committee, re-opened on process change |
| Design test authority | Section 143(3)(i) Companies Act 2013, CARO 2020 Clause 3(ii)(b) |
| Companion tool | Interactive worksheet at /tools/reconciliation-process-design-worksheet/ |
The one-page template — nine working columns
The template is engineered to fit on a single printed page in landscape orientation. The nine columns capture the full risk-to-control map for a single reconciliation function.
- Function. The exact reconciliation output the control plan governs — for example, “match Form 26AS or Form 168 credits to the TDS receivable ledger by deductor PAN and quarter (or payment code for FY 2026-27 onwards).” One control plan governs one function; a group’s TDS reconciliation and a group’s GSTR-2B reconciliation are separate documents.
- Failure mode. The specific way the function can produce a wrong or incomplete result. Every reconciliation function has ten to fourteen failure modes drawn from the twelve-class taxonomy Terra Insight publishes on the pillar — data extraction, classification, completeness, matching, timing, partner, precision, policy, aging, cutoff, evidence, portal.
- Cause (6P). The Terra Insight 6P cause taxonomy — People, Policy, Process, Portal, Period, Partner — is the finance-team analogue of the manufacturing Ishikawa taxonomy but rebuilt for the actual causes of Indian reconciliation failure. Every failure mode traces to one of the six.
- Severity, Occurrence, Detection. Three ratings on the 1-10 anchored scales. Severity is anchored to Indian consequences — Section 16(4), Section 200A, CARO 2020, DRC-01B. Occurrence is rated against the current prevention control. Detection is rated against the current detection control.
- Action Priority. The Severity-first lookup — High, Medium, or Low. Any Severity 9 or 10 row is High. This is the axiom that stops a permanent ITC loss from sitting behind a low-value formatting variance.
- Prevention control. The written or system-enforced rule that reduces the likelihood of the cause — an ERP field-level constraint, a vendor master data discipline, a cut-off calendar, a written policy with signed analyst acknowledgement, a training curriculum.
- Detection control. The technique that catches the failure after it happens but before it reaches the counterparty, the tax authority, or the auditor — a ratio analysis, a peer review with checklist, an aging queue with escalation, a conservation check (SGST + CGST = total GST), a system-enforced reasonableness test.
- Owner, cadence, evidence. The named person responsible for the control, the cadence at which the control runs (transactional, daily, monthly, quarterly), and the specific evidence artefact — a signed working paper, a screenshot with URL and timestamp, an ERP report — retained for seven years under Section 128(5) of the Companies Act 2013.
Four worked examples — one row per stream, two failure modes each
The worked examples below are illustrative. Every finance team’s Severity anchors are the same statutory anchors, but the Occurrence and Detection ratings are properties of that team’s current controls.
Stream 1 — Invoice to bank statement
| Failure mode | 6P cause | S | O | D | AP | Prevention control | Detection control | Owner | Cadence | Evidence |
|---|---|---|---|---|---|---|---|---|---|---|
| Multi-invoice bank credit assigned to the wrong customer set | Process | 8 | 6 | 7 | H | Bank narration parsing rule published; UTR-to-invoice mapping table maintained | Two-way tick-and-tie by peer on any credit above materiality; residual variance queue reviewed weekly | AR analyst; peer: senior AR | Transactional; peer weekly | Signed working paper with UTR list, narration extract, and matched invoice numbers |
| Bank charges (RTGS/NEFT fee) not booked in the period the credit was received | Precision | 6 | 8 | 6 | M | ERP fee ledger auto-posted from bank statement upload; charge codes mapped | Ratio test — bank charges as percentage of gross credits, trended monthly | AR analyst | Monthly | Bank charge summary reconciled to fee ledger, with variance note if any |
Stream 2 — TDS against Form 26AS / Form 168
| Failure mode | 6P cause | S | O | D | AP | Prevention control | Detection control | Owner | Cadence | Evidence |
|---|---|---|---|---|---|---|---|---|---|---|
| Cross-era code confusion — deductor filed under legacy 194x code but transaction is a new-era Section 393 payment code case | Period | 9 | 7 | 7 | H | Cross-era mapping table maintained in a single document, reviewed monthly; both section code and payment code carried in the ledger for FY 2026-27 and FY 2027-28 | Two-key match — try old code first, then new code (see cross-era TDS reconciliation); residual review by tax manager | Tax manager | Quarterly | Match report with both keys, residual note |
| TDS deducted on GST-inclusive amount by mistake — Circular 23/2017 correction | Policy | 9 | 5 | 6 | H | ERP field for TDS base is a computed formula (Invoice value minus GST); no manual override | Sample-based tick-and-tie by peer; ratio test on total TDS receivable to net invoiced revenue trended quarter-on-quarter | Tax analyst; peer: tax manager | Quarterly | Signed reconciliation with rate applied per line |
Stream 3 — GSTR-1 versus GSTR-3B
| Failure mode | 6P cause | S | O | D | AP | Prevention control | Detection control | Owner | Cadence | Evidence |
|---|---|---|---|---|---|---|---|---|---|---|
| Invoice reported in GSTR-1 in one month and paid in GSTR-3B in a later month — DRC-01B trigger (see DRC-01B reply guide) | Period | 8 | 7 | 6 | H | Monthly output tax liability workbook that reconciles GSTR-1 declared to GSTR-3B paid before filing GSTR-3B; period-lock discipline on invoice booking | Peer review before GSTR-3B filing; DRC-01B pre-check tool run at day 22 of the return month | Indirect tax analyst; peer: indirect tax manager | Monthly | Pre-file reconciliation with GSTIN-wise variance schedule |
| Credit note issued in GSTR-1 in the current month, but corresponding reduction in output tax not reflected in GSTR-3B liability | Precision | 7 | 6 | 6 | M | Credit note register kept parallel to GSTR-1 preparation; credit note ID matched to original invoice ID | Ratio test — credit note value as percentage of gross output tax, trended monthly | Indirect tax analyst | Monthly | Credit note schedule cross-referenced to GSTR-3B Table 3.1(a) working |
Stream 4 — GSTR-2B input tax credit
| Failure mode | 6P cause | S | O | D | AP | Prevention control | Detection control | Owner | Cadence | Evidence |
|---|---|---|---|---|---|---|---|---|---|---|
| Supplier’s GSTR-1 not filed by November 30 — Section 16(4) permanent ITC loss (see Section 16(4) ITC time bar) | Partner | 10 | 6 | 8 | H | Vendor master flagged with GSTR-1 filing history and default rate; onboarding due-diligence rule for high-value vendors | At-risk ITC aging queue keyed to each vendor’s GSTR-1 filing status, refreshed daily, prioritised by days remaining to November 30; escalation to vendor key account manager at 30, 60, and 90 days out | Indirect tax analyst; escalation: controller | Daily during Oct-Nov; weekly otherwise | Aging report with vendor name, GSTIN, invoice value, days remaining |
| ITC on blocked expense under Section 17(5) claimed in GSTR-3B by mistake — DRC-01C trigger | Policy | 8 | 5 | 6 | H | Chart of accounts flagged with Section 17(5) block indicator on the ledger; ERP posting rule prevents ITC claim on blocked GLs | Peer review of Section 17(5) exception register; monthly reconciliation of blocked-ITC ledger to zero-claim assertion in GSTR-3B | Indirect tax analyst; peer: indirect tax manager | Monthly | Section 17(5) exception register with sign-off |
How the control plan feeds the statutory audit checklist
The statutory audit checklist is the operating-effectiveness testing document the auditor works through during the year-end audit. Every High Action Priority row in the control plan translates to a testable control on the checklist. The auditor requests sample evidence — the specific artefacts the control plan’s Evidence column names — and re-performs the detection control on a sample basis. Where the reconciliation control plan says the at-risk ITC aging queue is reviewed daily during October and November, the auditor samples the queue on two dates from October, one date from mid-November, and one date immediately before the November 30 cut-off, and traces each sampled item to the aging report, the vendor-side communication log, and the ultimate credit outcome. The statutory audit reconciliation checklist on terra-insight.com walks the audit-side reading of this integration in full; CARO 2020 Clause 3(ii)(b) on the quarterly bank statements filed with lenders reads directly against the invoice-to-bank control plan and its documented residual variance.
How the control plan feeds the ICFR test plan
The ICFR test plan under Section 143(3)(i) of the Companies Act 2013 walks the same rows on a walk-through-and-test-of-controls basis at interim, then re-tests at year-end. The ICFR reviewer does not re-perform every reconciliation — they test that the prevention control operates as designed and that the detection control catches a seeded exception. A prevention control of type “ERP field for TDS base is a computed formula with no manual override” is tested by attempting to book a manual override and confirming the ERP rejects it. A detection control of type “aging queue with 30-60-90 day review and escalation” is tested by reading two months of the review log and confirming that any item that crossed 90 days was escalated to a named person, that the escalation was actioned, and that the outcome is recorded. The Terra Insight guide on ICFR and reconciliation controls under Section 143(3)(i) covers the internal-audit-side integration in detail.
Building your own control plans — the interactive worksheet
The companion worksheet at /tools/reconciliation-process-design-worksheet/ is the interactive version of the nine-column template. The twelve-class failure mode taxonomy is pre-populated in a dropdown, the Action Priority lookup is a formula that reads Severity, Occurrence, and Detection and returns High, Medium, or Low with Severity dominance built in, and four blank stream tabs — invoice-to-bank, TDS, GSTR-1 vs 3B, and GSTR-2B — are ready to fill. A Terra Insight Excel workbook version of the same template is under production as a Tier 1 Assets Catalog download; the interactive web version is live now and produces a printable one-page-per-stream output that goes straight into the reconciliation binder or the internal audit workpaper.
When manual control plans surface a High AP row the finance team cannot manually catch
A well-run reconciliation control plan will surface High Action Priority rows whose detection controls are economically infeasible for a manual team. The at-risk ITC queue across two hundred vendors refreshed daily with escalation is the canonical example — the Severity is 10 (Section 16(4) permanent loss), the detection technique is a live aging queue, and the manual control breaks somewhere between one hundred and two hundred vendors. The reconciliation infrastructure layer at TransactIG treats the at-risk ITC queue as a first-class output — the control plan surfaces the requirement, the platform provides the machine-enforced detection layer, and the manual control plan for that stream then records the detection as “automated queue with escalation triggers, refreshed daily” against a system owner rather than a human analyst. The moment of transition is the moment the Action Priority table forbids the residual risk from being accepted — Severity 9 or 10 rows cannot sit as open exceptions when the detection layer is inadequate.
Where this fits
- TransactIG — reconciliation infrastructure
- Reconciliation software for India — pillar guide
- TDS reconciliation software
- GST reconciliation software
Related reading
- Statutory audit reconciliation checklist
- ICFR and reconciliation controls under Section 143(3)(i)
- Internal audit of reconciliation
- Section 16(4) ITC time bar
- Form 168 — the new TDS statement
- DRC-01B reply guide
- Cross-era TDS reconciliation
- CARO 2020 bank reconciliation audit
- TDS penalty and interest framework
The five FAQs below address the operational questions Indian controllers and CA firm reconciliation leads ask most often when adopting the one-page control plan template across their reconciliation streams.
- ▸ Section 143(3)(i), Companies Act 2013 — The auditor's report shall state whether the company has adequate internal financial controls with reference to financial statements in place and the operating effectiveness of such controls. The design test is served by written documentation that identifies the risks to reliable financial reporting, the controls designed to mitigate each risk, and the evidence trail that supports the control's operation. A reconciliation control plan for each stream is the design evidence a statutory auditor tests for control adequacy.
- ▸ CARO 2020, Clause 3(ii)(b), Companies (Auditor's Report) Order 2020 — Whether during any point of time of the year, the company has been sanctioned working capital limits in excess of five crore rupees, in aggregate, from banks or financial institutions on the basis of security of current assets. Whether the quarterly returns or statements filed by the company with such banks or financial institutions are in agreement with the books of account of the Company. Clause 3(ii)(b) reads directly against a bank reconciliation control plan, and the auditor's exception, if any, must reconcile to the control plan's documented residual risk.
- ▸ Section 16(4), Central Goods and Services Tax Act 2017 — A registered person shall not be entitled to take input tax credit in respect of any invoice or debit note for supply of goods or services or both after the thirtieth day of November following the end of the financial year to which such invoice or debit note pertains, or furnishing of the relevant annual return, whichever is earlier. This Section 16(4) time bar is the Severity 10 anchor in the GSTR-2B reconciliation control plan — a missed at-risk ITC row before November 30 becomes a permanent, unrecoverable loss.
- ▸ Section 200A, Income-tax Act 1961 (retained in Income-tax Act 2025 codification) — Where a statement of tax deduction at source has been made under Section 200 or a correction statement has been made, such statement shall be processed and any arithmetical error or incorrect claim shall be adjusted, and a notice of demand shall be issued specifying the amount payable. A Section 200A demand notice — with interest under Section 201(1A) and fee under Section 234E — is the Severity 9 anchor in the TDS reconciliation control plan.
- ▸ Guidance Note on Audit of Internal Financial Controls Over Financial Reporting, ICAI — The ICAI Guidance Note operationalises Section 143(3)(i) for statutory auditors. It requires that management maintain written documentation of the risks, the controls designed to mitigate the risks, and the evidence that the controls operated during the period. A reconciliation control plan, one page per stream, is a compliant form of that documentation for the reconciliation risks a finance team owns.