In the second part of our roundtable series, panelists Saradha Govindarajan (Former CFO, Veranda Learning), Vidya Rajarao (Founder & CEO, Fraudopedia), Piyush Kakkad (CFO, Rebel Foods), and Manoj Nair (Partner, SDU) explored the critical role of governance and financial controls in startups—particularly the often-underestimated importance of the CFO.

The conversation shed light on early-stage challenges where affordability concerns and a “do-it-all” mindset lead founders to sideline key financial functions. Panelists warned of the risks of neglecting compliance—even in seemingly minor areas like TDS—highlighting how small lapses can snowball into serious fraud. They emphasized the need to separate personal and business finances, avoid related-party transactions, and steer clear of questionable financial advice.

The discussion also examined the role of auditors—not just in financial reporting but in identifying and investigating fraud—and the importance of a proactive, prevention-first mindset. Panelists introduced a clear “three lines of defense” framework to safeguard startups:

(1) Strong internal controls

(2) Robust internal audits, and

(3) An effective whistleblower mechanism. 

Explore the complete transcript of the discussion to delve deeper into the panel’s perspectives and recommendations.

Rashmi Guptey: The Missing CFO is a big issue with startups, right? So, unless you reach a point of scale, people often don't hire CFOs, and they have to have their spine to stand behind controls. So, do you want to talk about the sort of level of defenses and what a CFO brings?

Piyush Kakkad: Yeah. So, Rashmi, maybe before I talk about the level of defense, right? I think startups, the roles have evolved. Specialized roles come in at a later stage, once the affordability increases. So in the initial phase, there could be a missing CFO, there could be a missing CMO, there could be a missing CTO, right? What happens is that roles are there. You don't have a specialized person to manage those roles, right? So there is a co-founding team, two, three members, and because it's more bootstrapped and affordability is a challenge, what they do is that they try to handle those different roles within themselves, right? And as the company grows, you bring in specialized people, right? Because that's the need of the hour. So the missing CFO is essentially Rashmi. I mean, the way to think about it is is up to a stage that company cannot afford to hire a senior resource. What does it do when it comes to managing the role of CFO? And we are talking here about a specific to the CFO. I think if you look at the role of a CFO, there is a functional work that a CFO is supposed to do, which is about a controller, shaping, or a decision support, or legal secretarial, right? There is a strategic partnership that a CFO brings in. And then there is an independence angle, which is there now for the first part, right, which is about the poor job of doing the task. You could get an outsourced agency. Also, when it comes to a strategic part of the piece, right, there could be others who can hack it. I think what gets compromised is the independence part. So, like Sharda was saying, initial phase, it is the founder who holds the role of independence. And over a period of time, right, once they are able to reach to a scale, they will hire a CFO and say, we, we expect you to now hold this and percolate it down to the organization, to all the stakeholders, including the board and all so I think the owner starts with founders to say that we are the torch bearers of independence. Independence is also a way of building a company. It's actually one part of driving the culture right. It may not be said so much when we think about culture. It is more about making every penny count, or innovation. But I think independence is that much more critical as part of DNA of building organization. 

Saradha Govindarajan: You always want a sounding board, and that's true of our personal lives. Also you need to hear others points of view where you could be potentially going wrong. And that is where I think what Piyush made is a very fantastic point. If you are the only smart person in the room at the beginning as a startup founder, you must not sit thinking whatever I decide is right, so at least the founding team or co founders bouncing ideas of each other may help in this. 

Manoj Nair: picking up from there. Generally, when we go for audit finalization and we find founders saying that we are technocrats. We don't understand finance. We come from different backgrounds. You let us know, and many times, we find they don't get involved in these audit discussions, and sometimes they are there is already a non-compliance that has happened. So as far as the authorities are concerned, it doesn't matter whether you are in the first year of your operations or your second year or third year. And you can't say that. I keep telling them, ignorance is not bliss, and that's not going to be awarded by the statutory authorities. And you know, I'll tell you some of these cases that I mentioned in the beginning were notices that came from the income tax or GST authorities. And so in a way, they were the whistleblowers for further investigations that we got into. So, you know, a founder cannot say that I'm not from the finance or a compliance function, and I do not understand this. I am not interested in marketing. And as you said, the valuation game, well, that's not going to be accepted by any authorities. And we have seen that when they go for any scrutiny with these authorities, they flip a lot, and they are not able to withstand the questions that some of the authorities are asking. 

Rashmi Guptey: including authorities, are taking a very, very, very difficult, coercive stand at times, and it's very difficult to face that kind of scrutiny, putting a lot of pressure on entrepreneurs and the finance teams. 

Saradha Govindarajan: Just want to add to what Mr. Manoj said, it's not only the starters during the audit discussion in my, you know, limited experience, what I've also done is having stat auditors access the entire operations, and the business team always allows for a lot of transparency. I'll tell you why. Like, there will be times when you know certain things are happening, the auditor doesn't understand why. Either they come up with a, you know, understanding the team also views this seriously, and that is how fraud either comes to light, gets avoided, or gets known. So I think the entire leadership, business leadership founders, should be accessing and having transparency with statutory and internal auditors. It sometimes really helps. Just taking that point forward, we should also ensure that it happens. Sure.. sorry go ahead, 

Vidya Rajarao: I was only saying that. I mean, I tend to disagree with Manoj, although that's the norm that everybody says that, oh, we are technocrats. We don't understand compliance. I'm sorry. I mean it, you could be technocrats, but you understand honesty, integrity, governance, and ethics. This isn't you know, honesty, ethics, governance is not just meant for chartered accountants and company secretaries and compliance officers, right? And you could be a technocrat. But what is startling is that you could be a disruptor in the market, you know, you have this fantastic technology. You're disrupting the market, but they're very quickly adapting to bad habits and cut corners. Yeah? Well, you know, we don't, and it starts with very small things, you know, of like, look, we should have this employee if we pay him a certain amount, then we have to pay deduct tax at source. Let's do one thing. Let's pay him, you know, keep it just at that threshold, get him as a consultant, or have another company, you know, as a contract, and then get some contract work done, again, avoiding taxes. But I mean, if you're a technocrat and you don't know anything about governance or compliance or risk, how is it that you know the bad ways? It always amazes me that they know all the bad ways of cutting corners, because there is that culture, right? I mean, founders talk to each other. I've had startups where the behavior of the founder, you know, and the attitude of the founder towards, you know, internal audit findings, you know, or even someone in finance who says, Look, we can't make these payments. We have to collect the GST. We need a GST number. If over a certain number of people, over 20 people, you need to deposit PF. I mean, we've all seen stories where startups don't pay salary, or they've not deposited PF for months. That's a serious violation. And I don't know if these are habits that they have learned, or this is kind of like, you know, tips and tricks to run a business, but all shortcuts, right? So, I mean, you cannot have shortcuts. If you think of your goal and being an entrepreneur is to build a sustainable business. You want to be here 30 years from today. So this is the sort of preventive, let's say framework, right? If one were to think of very quickly in brief terms, if startups on on, listening in today one, and since you said there's a long way for them to go, right, could maybe, between you and Manoj talk about with their some preventive framework, right, or building blocks that you think, and this is open to all of you that you think are absolutely sacrosanct, and have to be built in

Rashmi Guptey: Any light you can throw on that from a fraud-proofing perspective? 

Vidya Rajarao: the first one I would say, is the distinction between the company and you has to be a right bread line. You know, you cannot cross that line, even if you are 100% shareholder of the company, and the company is running from your house. The company's bank account is not your bank account. The company's assets are not your assets. You know, the company's employees are not your employees. The company's ideas are not your ideas. Because you founded this, if it's your idea, then you should do it on your own, but because you've incorporated it and want to, you know, be entrepreneurial, you need to have that distinction, and you have to have the patience to wait for, you know, compensation. You will be rightfully compensated, whether, you know, you cash out on your 100% equity, five years, 10 years, whatever it is, if your idea is brilliant and you're truly disrupting the market, you will have a big payday. But that big payday cannot come from spouses, company rendering Consultancy Services, sons, company rendering marketing services, not, you know, paying employees properly, not depositing pF, so you have to have that very clear distinction. And second is, you know, to completely shy away from, you know, related parties. I mean, it's the BAME in India. Everybody does it, not just startups, but even well established listed companies. But I have seen promoters and founders like Sharada send, you know, one or two which just got listed recently, they said, No, we, you know, we want to be clear, because if we for five founders, have five list, you know, related party transactions. We have hundreds of employees. Each of those employees can equally say, we have our spouses who can also do work what starts them so, you know, so they took the stance that if we can procure a service from a third party, independent, we'll do that, and we will not do it. You know, with our own spouses, it's not a question of familiarity. It's a question of, you know, optics. So you have to err on the side of, you know, if it is clear, you set the tone. And if you and you set the tone by walking the walk, not walking the talk, or talking the talk, both of them are useless. You have to model that behavior. Once you model that behavior. Everybody else will fall in line. They know that the founder will not stand for these kind of behaviors and integrity and ethics and honesty. Doesn't cost a lot of money. You don't need SAP, you don't need Oracle, you don't need people soft. You don't need any software tool. You know, you don't need to spend a lot of money. And sometimes even startups get bad advice. You know, sometimes, unfortunately, Chartered Accountants themselves will give bad advice. They'll say, Listen, it's okay if you don't remit in this quarter, you can remit. You know, next quarter, no, if it feels wrong, it's wrong, and you need to tell your third parties and consultants you work with that you do not believe in cutting corners, and you expect them to adhere to the company's code of conduct.

Manoj Nair: I think Vidya said most of it, but let me talk from the auditor's angle again. See one of the things that I've been capturing from all my co panelists is that very emphatically, tone at the top, the mindset of the founder is one of the things that I as an auditor, try to, you know, try to tone them, to say that, you know, this is not the route to be taken, if at all. I mean, if there is any tendency, because the valuation game for which they try to attempt is the one that will fail if they take the shortcut. So the value they try to create, it just, you know, depreciates at a faster pace than the pace at which it got created. And this is one thing which I keep on hammering at every discussions. Whenever we feel that kind of situation is arising, very importantly, from an auditor's perspective, what we say is, well, you don't have a CFO at the start of the, you know, your journey. We are happy without crossing our independence or without conflicting our interest. We get into this board meeting. We force it. We call it as a semi, you know, Audit Committee board meeting quarterly, or whatever frequency the founder is happy to do. Take them through the whole course. Explain to them the do's and don'ts, take them through the compliance requirements, take them to the financial reporting requirements. And this I have seen effectively, and especially for my clients, who are startups, who went through real difficult times in the abbey during the COVID, they all sprung back. They are all doing fantastically well. And now the values have been unlocked to a great extent for them. And I feel, and I take this with a lot of pride, because I was involved in those periods with them, whichever way, as maybe pseudo a board member, without crossing my limits. Second thing which I'm propagating nowadays with, even with my membership in the Institute of Internal Auditors, I've been talking to senior people, the ex, current Bucha members, Board of Governors. That you know, why don't we say that internal audit can be made? Man should be made mandatory to start. 

Rashmi Guptey: You know, we have so far talked about early shoots, ugly early shoots. We've talked about the importance of the CFO holding spine, the culture. We also talked about designing systems, right? Manoj vide, you spoke of that. I think. Now let's talk about, in spite of all of this, we land up in a fraud situation, right? And it's not pretty, it's not pleasant, but the reality is, you've been dish that out. Now you've got to face it, right? So what I'll do is, I'll go around to each one of you, because each one of you has a specific lens. So maybe, you know, Manoj, you could cover the auditor angle, right? The moment there's a fraud. What is the auditor required to do? Followed by Vidya, you could very briefly touch upon what kind of investigations you have seen come out of, let's say a post auditor, you know, assessment. And then Sardar and Bucha, if you could talk about how you would manage stakeholders, right, from an operating perspective in the business, your board, your shareholders, right? 

Manoj Nair: bit. As far as fraud, another thing fraud is concerned. Now the companies at 2013 has clearly defined. There's a section 143 12, which talks about how this fraud has to be reported and at what pace let and it's also set the materiality limit beyond which it should be reported to even the central government through the MCA. So basically, as an auditor, as soon as we unearth the for the first thing is to go to the board. Now you may say that even the board members, the founders, are involved, but we have no choice. But you know, we need to inform them. We cannot, on our own, go out and blow the whistle to the government without even talking to them, we would like to be generally within two days of hearing this. The auditor is supposed to inform the board, and when he said two days, it is not two working days, even if it's on a Sunday, we saw that it's better that we count the day from there, then we are expected to get a response from the board within 45 days. So that's again, our time specified by the and after 45 days, within 15 days of that, we are supposed to report to the central government. Now reporting to central government is when the fraud individually constitutes one crores and one crore and above, and I say individually, so that it cannot accumulate all the frauds together and say it's one crore data, so each individual case has to be taken and considered. And if it is less than one crore or. Our first point of contact has to be board now that we find that kind of suspicion, where the board member itself is involved, and some of the times and if it is a startup, let me tell you, because in other cases, our audit committee and other board members, larger board members, in case of listed companies to talk about. But in case of a startup, we generally go back to the investor, investors sometime, because sometimes the investor is keen to know from us as to what's happening. And there is a channel that we keep it open, because ultimately it's the investor in the public money. And I say public money, a banker is also involved. Today we talk about not the shareholder as a concept. We talk about stakeholders as a concept. It's an employee, the vendor, consumer. Everyone gets affected once, and a company goes down. So So while we don't go to the other stakeholders, the investor sometimes becomes our first, the next point of contact when we have a doubt on the board of directors, per se. So, that's generally the routine that we follow as auditors. But the whole thing is, the auditor should also remain calm. Don't go to the media. There are first, let's like, you know, if an auditor, look at it, look at looks at this report, you will find that there is something called those charts with governance. So in the audit report, we write that we are informed that those charts with governance if there is some best doings or wrongdoings happening in the company. So, without crossing that step, even if they are involved in something wrong, the first, step should always be through the board of directors, and then we get into the investors. And if that also is not serving the purpose, central government is very clear today, whether even if the fraud has been detected by the company or by the auditor, this has to be reported to the central government if it crosses the one crore limit. 

Rashmi Guptey: So the auditor's duty kind of ends there with the reporting. Let's assume there is you followed the process that you talked about. Once you have reported, then for that financial year, you have kind of done your obligated duty. 

Manoj Nair: See 143 12 also talks about the fraud committed by the employees or officers of the company on the company. So if the board of directors are clean, and this is happening in our couple of our current cases, we are talking to the Board of Directors, telling them, what's the progress of this. We even go ask them to put up some investigation agency like, you know, Vidya in the past, and now she is a teacher of this in the past. Vidya and I work together on some of the assignments. So we go back to investigating agencies to find out what is the depth and breadth of this incident that has happened, and if that's to do with something to do with the internal controls people culture, then there are other people to tackle it. If it is to do with internal controls and systems, we are there to help them put up the right controls and systems in place. So I don't see an auditor is somebody who comes once in a year, at the end of the year to, you know, do the audit, criticize you on your financial reporting, and then go away. I see an auditor to also be an equal partner without crossing the limit and the conflict of interest or the independence that auditor has to carry throughout the assignment. Client may become your friend, but that doesn't mean it compromises on your independence.

Rashmi Guptey: Vidya questions for you two questions, and maybe on the second one, you could elaborate a little bit more. One is about, you know, oftentimes these fraud investigations may not be conclusive, so an auditor asks for an inquiry or an investigation, and then you come into the picture, right? So to speak, how do companies tackle this? What if you can't conclude? What if there is a conclusion? Maybe some quick insights into that, and then I'll also extend that before I go to Saradha and Piyush. Could you also talk about, like Manoj talked about reporting to the central government at a very high level? Could you talk about what kind of regulatory authorities a company that's dealing with fraud could get into trouble with, right? And how expensive and tricky that is. 

Vidya Rajarao:  Yeah, sure. See, I think in terms of doing an investigation, you know, so if there is a suspicion of fraud, you need to get the specialists involved right, and sometimes it can be led by the company. There is no rule, and there is no law that you must have only an external investigative agency to come and investigate fraud. If you have the skills in house, you, by all means, you can do it, but many companies will not have the skills in house, and nor do they want to be burdened with investigating, because that's not their daily you know, scope of work so but I've seen companies have set up a committee where it's legal, finance, you know, HR, internal audit. But in a startup, these are all, generally, all four roles are combined in one, so that becomes a problem, and then that person also wants to, you know, they're very friendly with everyone. The culture is very collegial, consensual, and it's a very open culture, Open Office, and you have a suspicion, but you but they're all friends, much more than co-workers. Some of them may be relatives, so they don't want to get involved in it, so it's best then you get someone who's independent, external to the company. And the issue is simple. It is simple fact-finding, right? The investigation is nothing but finding Facts. Is you find who did the fraud, what was the fraud? When did it happen? Where did it happen? Why and how? You must be able to conclude. You may not be able to conclude on one or two aspects of it, but it's highly unusual. In my 25-plus years of experience, I've never seen a fact-finding investigation where they're unable to conclude; you have to be able to conclude one way or the other. In other words, you have to be able to conclude that, yes, the a suspicion that there is was excess billing in procurement. Is it confirmed? Not Confirmed? You cannot say, well, after spending two months of work, I do not know. Yeah, that's not an acceptable answer. You have to be able to determine the responses to these simple questions. You know, five Ws and 1h, that's a simple fact finding. You must be able to conclude, and I think apart from, you know, to your point on the second question on, unfortunately, in India, even if you're a startup, if you're a private limited company, which is what most startups are, because investors money comes into private limited companies, rather than, say, proprietorship or other forms of enterprise, you are subject to a plethora of regulations. It doesn't matter if you're not listed. It doesn't matter if you are below 100 crores. It doesn't matter if you're 50 crores. You know, if you have more than because you have both regulator at the at the state level and at the central level, because it comes from the laws that you have to comply with. And there are tons of laws. So you would have the Serious Fraud Investigation Office, you will have the MCA. You also have the enforcement Directorate. You will have the state police. You could have CBI. You could have cyber police, because you see a lot in Bangalore, many of the cases of fraud that we see are not accounting fraud, but it's data theft and theft of IP. You know, where they're developing proprietary software or IP, and their employees walk away. Key employees walk away with that IP set up shop literally opposite the erstwhile company, and then they come to market using their IP much faster. So you see a lot of these IP theft which could just kill your startup, because you have your competitor, which is your own former employees who've come to market faster than you. So you could also have, you know, in some of those cases, you have the cyber police who are involved. So then you have other tax regulators, whether it is, you know, like enforcement directorate, you could have DRI, you have income tax, you have the GST wing. So you have multiple regulators. And that is why you need to get this investigation. Or if investigation is too scary a word, keep it as simple fact finding, so that you have one report, you do it right, and you do things right, and you do it right the first time, then one report is sufficient to answer any regulator who comes and asks for any questions anytime in the future. Otherwise, you'll end up spinning the wheel and you keep reinventing the wheel on finding out who did what, when, where, and in the meantime, you've lost interest in the business you know, or your business has suffered. Some competitors have come and taken over, because it's an internal distraction. You're distracted by all these internal issues. 

Rashmi Guptey: I think it's very important to do it once, get it right, make sure all the concerns of you know, the internal stakeholders, as well as auditors across breadth, I mean auditors with a stake or internal, and you keep that as a record for the future. And I mean, needless to say, I think once something like this gets filed, you can expect the regulators to call upon you and explain which is where this report forms the basis of your conclusion. Absolutely so you know, as a listed entity, you've been through multiple of these. How have you never been multiple, not the fraud, not the fraud. I mean the system. 

Saradha Govindarajan:  I just want to, you know, probably tilt this a little bit. I think the first question should have been to Pio show me, because multiple planes end up, right and so, so, for example, and I look at sometimes even posh, all is linked in one bucket, right? So whistleblower posh, and sometimes you just unearth things, right? Was giving some examples. Not all of them go to a stat audit level. And you know, after that Vidya comes in. All of them do not end up there, right? First of all, treat every complaint with utmost seriousness, sincerity and respect. And depending on what you unearth, the first port of call ideally should be your audit committee and board in most things. And I think today, especially after you know lot of things on what constitutes fraud, like Manoj was mentioning the sections, there's also someone clarity, non clarity on, do the auditors report vendor frauds, or is it only officers charged, and so on and so forth. But I think it's a good practice to keep your stat auditors and internal auditors also in the loop to look out for stuff, depending on what you find, but ideally you should go with some point of action. This was what came this is what I have unearthed. But I'm sure it's not big enough, or it's big enough, and what are my Piyush was talking. About, how will I ensure it doesn't happen? Some of them are very small, but unless you find that out, you know that that's a loophole in the system. Now you know that an employee pan is something like you will have to look out for. It needs to be banned for payments within right so on and so forth. So first is treat every complaint with respect, explore to the fullest, and try to come up with actions report to the right authorities. I think this will be my port of call, even in spite of materiality. 

Vidya Rajarao:  I think all of this needs to be done. Yeah, I think your point on, you know, even if it is small, it is actually, you know, in fact, the small ones, which are the most dangerous, because it's the leaking tap syndrome, the big ones, everybody bounces on them, but the small ones are promoting your culture. 

Rashmi Guptey: Yeah. Any thoughts that you have to add here, how would you tackle your stakeholders?

Piyush Kakkad: I think most if it has been spoken, right? That you know, as far as the reactive is concerned, it's very simple, right? We should not panic. Whatever has happened, has happened. I think we should do the reporting and do a quick RC and damage control and then fix the process. So I think that's the simple template that you know, Manoj, Vidya, Saradha all have spoken about it. What I want to talk about is something that Rashmi, you asked before, but I could not cover that was the line of defense, because I think we have all spoken about frauds that happen, intentional and all. But I think there is a responsibility of we as a finance team to be able to build the right lines of defense, so that any of these intentional practice or unintentional, it gets unearthed at the right point of time. So I sort of say this as like, you know, three lines of three levels of defense before even it goes to the auditor, right? These are the internal lines of defense. The first one is more the stronger controls and review mechanism. I mean, typically, when we look at the review mechanism, it's always about how much is the revenue, and what's the EBITDA and what's the achievement versus AOP? I think that's just a hygiene. It's the starting point. What we need to focus more is on the balance sheet controls, right, which means that, what's it on the physical verification right? What's it on the customer refund pattern? I mean, there are patterns that, once you go deep, you will realize that certain sections as a higher percentage versus the rest of the network. Why is it happening? I think being inquisitiveness will help us either discover something is wrong or may be discover that some of the processes are weak as a result of which, inherently, there is a leakage. So that's the first line of defense. The second line of defense is more about having a strong IFC and internal audit, and it's irrespective the size of the company, right? I think we should start earlier, the better and have this IFC and internal audit more from a assurance and a positive assurance perspective, not as a requirement for a stat auditor, right? So that's the second piece. The third is more around a whistle blower mechanism, which could cover things like Porsche or, you know, anything across. I mean, we have 6000 folks on the ground, and then there will be vendor partners that we work with, right? Do they have a access to report something if they find something that is not right, and then it has to be investigated in the right manner, without worrying about who has sent that right? And then also have a team which is not impacted from the outcome of the investigation. It is like a mirror, right? And wherever the need be, involve the external teams also right, from an investigation perspective, if you feel that. So I think, to my mind, these three lines of defense are very important. One is about the internal review mechanism, which is a stronger control and balance sheet governance and cash flow governance. In fact, most of the time you get to know things through cash flow review. Why is the working capital adverse consistently, right? That's the starting point. The second is more about a stronger IFC and internal control, more to benefit the business, rather than it being a mandatory requirement from a statutory perspective. And the third is having the right kind of committee governance, which means that there is a mechanism of people who are engaged with the company in the right manner to be able to report, and we should impartially do the review.