Part 1 made the case that governance, not compliance, is what trips up Indian startups. Part 2 reframed recurring problems as missing processes. Part 3 showed how all of it gets graded in diligence. Founders who've followed this far usually ask the same practical question: fine — what do I actually build, and in what order?
This is that list. Not a textbook controls framework — the first ten things that, in our experience, give a small company the most protection for the least effort. They're ordered: each builds on the one before, and the early ones matter more than the late ones, so if you only do the first five you've still closed most of your real risk. None requires software you don't already have. Most are a single page and a named owner.
What counts as a "control" at this stage
Forget the audit-manual definition. At startup scale a control is just a rule that makes the correct outcome the default, so it doesn't depend on anyone remembering or choosing well under pressure. A good control has the same shape as the process we described in Part 2: a trigger, a step, an owner, and a record. The difference is emphasis — a control specifically exists to prevent an error or a leak, not just to get work done. "Two people approve any payment over ₹50,000" is a control. So is "no work starts without a signed contract." Small rules, large protection.
Here they are, in build order.
1. Separate business and personal money — completely
The first control is also the one most often skipped, because in month one it feels unnecessary. A dedicated business bank account and card, used only for business, with founder expenses reimbursed through a claim rather than paid directly off a personal card. This single rule prevents the commingling that turns a year of books into a forensic reconstruction (Part 1's classic founder mistake). If you do nothing else this quarter, do this. Everything downstream — clean books, a believable close, diligence — depends on it.
2. One source of truth for the books
Pick one accounting system — Zoho, QuickBooks, Tally Prime, Xero — and make it the single, authoritative record. Not a spreadsheet the founder maintains in parallel, not numbers that live in the bank app and someone's head. Every transaction lands in one place, owned by one person (internal or outsourced). The control is the singularity: when there's one source of truth, there's nothing to reconcile between versions and no argument about which number is real.
3. A bank-payment approval rule
Money should not leave the company on one person's say-so beyond a small threshold. Set a simple rule: payments above a defined amount require a second approver, and the approval is recorded (an email trail is enough early on). This is the highest-leverage anti-fraud and anti-error control a small company can have, and it costs nothing but a moment's discipline. It also quietly protects the founders from each other and from a rogue hire — the kind of gap that, left open, becomes the fund-flow finding in a forensic review.
4. Close the books every month
A monthly close — books reconciled to the bank, finalised, and not reopened — is the control that powers half of everything else in this series. It's what makes the numbers trustworthy (Part 3's first diligence test), what feeds a real MIS, what makes tax provisioning routine instead of a shock, and what produces contemporaneous records. The rule: by a fixed day each month (say the 10th), last month's books are closed and a one-page summary exists. If you adopt only one process control, this is it.
5. A compliance calendar with a single owner
Every recurring statutory obligation — GST, TDS, PF, ESI, PT, advance tax, ROC filings, payroll — on one calendar, each with a due date and one named owner. The control isn't the list; it's the ownership. A calendar nobody owns is decoration. With an owner, statutory compliance becomes a non-event handled in a few days a month instead of a year-end scramble with penalties. This is where "compliance is reactive" (Part 1) gets cured.
6. Document decisions as they happen
Material decisions need a contemporaneous record: board resolutions for ESOP grants, share allotments, related-party transactions, and significant spends; minutes for the meetings where they're decided. The control is the timing word — contemporaneous. A resolution written when the decision is made is worth everything; one reconstructed two years later for diligence is worth nothing and, if backdated, is worse than nothing. Create the record at the moment, however informal, and you never face the choice between "missing" and "backdated."
7. Keep the cap table reconciled — continuously
After every grant, allotment, transfer, or ESOP issuance, update the cap table and reconcile it to the underlying board resolution, share certificate, and statutory filing (including FEMA filings for any foreign investor). The control is doing this at the event, not at raise time. A cap table that's always true is a five-minute diligence item; one that's reconstructed under a term sheet is a legal workstream that re-prices the round (Part 3). This is cheap insurance on the single document that defines who owns your company.
8. No work starts without a signed contract
A simple, enforced rule: nothing is delivered and nothing is paid until the contract or engagement terms are signed — both ways, for customers and vendors. This closes Part 1's "contracts signed after work started" gap. It prevents disputes from defaulting to email archaeology, ensures revenue can be substantiated in diligence, and means your obligations and rights actually exist on paper. Templated agreements make this nearly frictionless; the discipline is simply refusing to start without one.
9. Basic segregation of duties
The person who approves a payment shouldn't be the same person who initiates it and reconciles the bank — at least not for everything, and especially not for cash and payments. In a tiny team perfect separation is impossible, and that's fine; the control is conscious separation of the riskiest combinations, plus the second-approver rule from control 3 as compensation where you can't fully split roles. The goal isn't bureaucracy, it's removing the single points where one person can both cause and conceal an error.
10. A quarterly governance review
Once a quarter, a short, deliberate review: compliance status, cap-table accuracy, material contracts, related-party transactions, key financials, and any open risks. An hour or two, treated with the same seriousness as a board meeting or investor update. This is the control that catches the things the other nine missed, before they compound. The companies that scale smoothly don't have fewer problems; they have a standing rhythm that surfaces problems while they're still small and cheap to fix.
The build order, at a glance
| # | Control | What it prevents |
|---|---|---|
| 1 | Separate business & personal money | Commingled books; forensic reconstruction |
| 2 | One source of truth for the books | Conflicting numbers; "which figure is real?" |
| 3 | Bank-payment approval rule | Fraud, error, and unauthorised outflows |
| 4 | Monthly close | Untrustworthy numbers; year-end scrambles |
| 5 | Compliance calendar with an owner | Penalties; reactive compliance |
| 6 | Document decisions as they happen | Missing or backdated approvals |
| 7 | Reconciled cap table | Ownership disputes; diligence re-pricing |
| 8 | Contract before work | Disputes; unsubstantiated revenue |
| 9 | Basic segregation of duties | Single points of cause-and-conceal |
| 10 | Quarterly governance review | Small problems compounding unseen |
How to actually roll these out
Don't try to install all ten in a week — that's how controls become theatre that everyone quietly abandons. Do them in order, one or two a month. Controls 1–3 can go live this week and cost nothing. Control 4 (monthly close) takes a cycle or two to become routine. The rest layer on over a quarter. The test of whether a control is real is the one from Part 2: does the right thing still happen if the founder forgets? If it depends on memory, it's not installed yet — it needs an owner and a record.
A note on cost, because founders worry about it. None of these requires headcount you don't have. Most early-stage companies run all ten through a part-time arrangement — a Chartered Accountant on retainer owning the close, the compliance calendar, the documentation, and the quarterly review — for a fraction of what one bad outcome costs. As you scale past a few crores of revenue or toward a raise, that grows into a Virtual CFO arrangement, but the controls themselves don't change. You build them once, early, cheaply.
What implementation looks like with PB&A
For early-stage and scaling companies, we usually install this as a practical control stack — not a heavy audit framework. A typical rollout:
| Phase | What we put in place |
|---|---|
| Week 1–2 · Finance foundation | Business-only bank & expense rules; accounting-system hygiene; chart-of-accounts review; bank-payment approval matrix |
| Week 3–4 · Close & compliance | Monthly close checklist; bank, GST & TDS reconciliation process; statutory compliance calendar with owner-wise filing responsibility |
| Month 2 · Governance records | Board-approval tracker; cap-table reconciliation checklist; contract-before-work process; related-party and material-decision documentation |
| Quarterly · Governance review | Compliance status; open exposures; finance dashboard; cap-table and document hygiene; founder action list |
This gives founders a lightweight operating rhythm that can later scale into a Virtual CFO or investor-reporting engagement.
The bottom line
Controls have a bad reputation among founders because the word sounds like friction — approvals, forms, slowing down. But that's backwards. A company without controls is the one that's slow: it re-solves the same problems, scrambles before every deadline, and rebuilds its history every time someone asks a hard question. Controls are what let a company move fast safely, because the boring things take care of themselves.
Ten rules. Each cheap, each a page, each one the answer to a problem you'd otherwise meet at the worst possible time. You don't need all of them perfect. You need them started, in order, owned by someone.
The best time to build these was at incorporation. The second-best time is the day you read this.
Which leaves one last question, and it's the one the whole series has been circling: if controls and governance are this cheap and this protective, why do so many good companies still skip them until it's expensive? In Part 5, the closer, we look at the real cost of cleaning up governance late — and why governance isn't a thing you graduate into when you're big, but the thing that lets you get big at all.
Want the first ten controls installed — without building a finance team?
PB&A sets up and runs a founder-ready control stack: monthly close, approval matrix, compliance calendar, documented decisions, cap-table reconciliation, contract discipline and the quarterly governance review. Suitable for startups preparing for a fundraise, founder-led companies without a full finance team, companies with recurring compliance delays, and teams that want investor-grade records before they're asked for them.
This series: Part 1 — India Isn't Hard to Start a Business In, It's Hard to Run One Responsibly · Part 2 — Why Most Startup Problems Are Process Problems · Part 3 — What Investors Actually Look For During Due Diligence · Part 4 — The First 10 Controls Every Founder Should Implement (you're here) · Part 5 — The Cost of Cleaning Up Governance Late (coming soon)
Disclaimer: This article reflects general practitioner observations as of June 2026 and is not a substitute for tailored professional advice. The right controls for a company depend on its industry, size, structure, and stage. Consult a qualified Chartered Accountant or company secretary for situation-specific guidance.