CARO 2020 & Internal Financial Controls — What Your Procurement and Asset Records Need

Published: April 4, 2026

Two of the most common areas where auditors raise observations relate to fixed asset records and procurement controls. CARO 2020 requires the auditor to report on whether the company maintains proper records of its property, plant and equipment. The Companies Act requires the auditor to report on whether the company has adequate internal financial controls. And since April 2023, every company using software to maintain its books must ensure that software has a tamper-proof audit trail.

This article covers what these requirements are, which companies they apply to, what controls auditors look for, and what happens when gaps are found.

1. CARO 2020 — Clause 3(i): Fixed Asset Records

The Companies (Auditor's Report) Order, 2020 requires the statutory auditor to report on several matters related to property, plant and equipment (PPE). Clause 3(i) specifically asks:

Whether the company maintains proper records showing full particulars — including quantitative details and situation (location) — of its PPE
Whether the PPE has been physically verified by the management at reasonable intervals
Whether any material discrepancies were noticed during such verification and if so, whether they have been properly dealt with in the books
Whether title deeds of all immovable properties are held in the name of the company

What "proper records" means in practice

The auditor expects to see, for each asset: a unique identifier, description, classification, cost of acquisition, date of acquisition, location (building, floor, room), department, custodian, depreciation method and rate, accumulated depreciation, and written-down value. An Excel sheet with "Laptop - Rs 50,000 - IT Dept" does not meet this standard. A structured register that tracks all these fields from the point of procurement is what the auditor expects.

Does CARO apply to your company?

CARO 2020 applies to all companies except banking, insurance, and Section 8 companies. Private limited companies are exempt only if they satisfy all three conditions simultaneously:

Condition	Threshold
Paid-up capital + reserves and surplus	Does not exceed Rs 1 crore
Borrowings from banks / financial institutions	Does not exceed Rs 1 crore at any point during the FY
Total revenue (including discontinued operations)	Does not exceed Rs 10 crore

If any one of these is breached, CARO applies in full. Small companies (paid-up capital up to Rs 4 crore and turnover up to Rs 40 crore) have a broader exemption.

2. Internal Financial Controls — Section 143(3)(i)

Section 143(3)(i) of the Companies Act 2013 requires the auditor to state whether the company has adequate internal financial controls (IFC) with reference to financial statements, and whether those controls are operating effectively.

Internal financial controls are defined under Section 134(5)(e) as the policies and procedures adopted by a company for:

Orderly and efficient conduct of business
Adherence to company policies
Safeguarding of assets
Prevention and detection of fraud and errors
Accuracy and completeness of accounting records
Timely preparation of reliable financial information

Does IFC audit apply to your company?

Private companies are exempt from IFC auditor reporting if both conditions are met:

Condition	Threshold
Turnover (per latest audited financial statement)	Less than Rs 50 crore
Aggregate borrowings from banks / FIs / corporates	Less than Rs 25 crore at any point during the FY

OPC and small companies are fully exempt. However, two important qualifications:

The exemption is lost if the company has defaulted in filing financial statements under Section 137 or annual return under Section 92.
Directors remain responsible regardless. Even if the auditor's IFC report is exempted, Section 134(5)(e) requires directors to state in the annual report that IFCs are adequate and operating effectively. There is no exemption from this directors' responsibility.

What IFC controls do auditors check on procurement and assets?

Control area	What the auditor looks for
Purchase authorisation	Are purchases approved by authorised personnel before commitment to a vendor?
Segregation of duties	Are the people who request, approve, and receive goods different individuals?
GRN verification	Is physical receipt verified against the purchase order before payment is processed?
Invoice matching	Are vendor invoices matched to PO and GRN before payment — quantity, price, and tax?
Asset capitalisation	Are assets recorded in the register when acquired, with correct cost and classification?
Asset safeguarding	Are assets physically verified at reasonable intervals? Are discrepancies investigated?
Disposal controls	Are asset disposals authorised, recorded, and proceeds accounted for?

3. The Audit Trail Requirement — Rule 3 of Companies (Accounts) Rules 2014

This is a requirement many organisations are still catching up with. Effective 1 April 2023, Rule 3(1) of the Companies (Accounts) Rules 2014 requires:

Every company which uses accounting software for maintaining its books of account shall use only such accounting software which has a feature of recording audit trail of each and every transaction, creating an edit log of each change made in books of account along with the date when such changes were made and ensuring that the audit trail cannot be disabled.

Key points:

Applies to ALL companies — including OPC, small, dormant, and Section 8 companies. No exemption.
"Books of account" under Section 2(13) includes records of all assets and liabilities. The fixed asset register is within scope.
The audit trail must be preserved for 8 years (Section 128(5)).
The auditor must separately report on audit trail compliance under Rule 11(g) of the Companies (Audit and Auditors) Rules 2014 — whether the feature was operational throughout the year, whether it was tampered with, and whether it was preserved.

What this means for Excel-based records

Excel does not have a built-in, tamper-proof audit trail. A cell can be edited, a row deleted, a formula changed — with no automatic record of who did it, when, or what the previous value was. Any company maintaining asset records, procurement records, or financial data in Excel spreadsheets does not satisfy this requirement.

This is not a technical interpretation — it is the plain reading of the rule. The software must record the trail. Excel does not.

4. Consequences for the Company and Its Directors

Provision	What it covers	Penalty
Section 128	Failure to maintain proper books of account	Company: Rs 1 lakh + Rs 500/day (max Rs 5 lakh). Officers: Rs 25,000 each
Section 129	Financial statements not giving true and fair view	Company: Rs 5 lakh. Officers: imprisonment up to 1 year or fine Rs 1-5 lakh or both
Section 134(8)	False directors' responsibility statement (including IFC adequacy)	Company: Rs 50,000-25 lakh. Officers: imprisonment up to 3 years or fine Rs 50,000-5 lakh or both
Section 447	Fraud (including fraudulent records)	Imprisonment 6 months to 10 years + fine 1x to 3x the fraud amount
Section 448	False statement in any return, report, or financial statement	Imprisonment up to 2 years + fine Rs 50,000-5 lakh

Beyond statutory penalties, the practical consequences matter more for most companies: a qualified audit report affects bank loan processing, investor due diligence, and vendor relationships. Banks review the CARO report and IFC opinion before sanctioning or renewing credit facilities.

5. Consequences for the Auditor

Auditors face their own consequences for inadequate reporting. These provisions are relevant because they explain why your statutory auditor is increasingly insistent on seeing proper records and controls.

Provision	What it covers	Penalty
Section 147(1)	Contravention of audit provisions	Fine Rs 25,000 to Rs 5 lakh
Section 147(2)	Knowingly/wilfully with intent to deceive	Imprisonment up to 1 year + fine Rs 1-25 lakh
Section 143(12)	Failure to report fraud discovered during audit	Fine Rs 1 lakh to Rs 25 lakh
NFRA	Inadequate audit quality	Penalty up to 5x audit fees + debarment up to 10 years
ICAI	Professional misconduct	Removal from register up to 5 years + fine up to Rs 5 lakh

NFRA has debarred 85 chartered accountants as of 2025 for audit failures — including cases involving inadequate control testing, failure to verify asset records, and baseless reports on internal financial controls. ICAI penalised 241 members in a single year — a record high. These are not theoretical risks.

6. What Good Records and Controls Look Like

When an auditor tests your procurement and asset records, they are looking for a system — not a collection of documents. The difference:

What auditors ask	Without a system	With a governed system
"Show me the approval for this purchase"	Email thread, verbal confirmation	Approval matrix with frozen snapshot showing who approved, when, at what level
"Show me receipt was verified before payment"	Signed delivery challan in a file	GRN matched to PO with quantity, price, and condition recorded
"Show me your asset records"	Excel with asset name and cost	Register with 40+ fields — ID, location, custodian, classification, depreciation, acquisition trail
"Show me assets physically exist"	"We did a check last year"	Verification campaign report — who scanned, when, what condition, what was missing
"Show me disposals were authorised"	Board resolution	Disposal requisition with approval chain, asset value at disposal, proceeds recorded
"Show me the audit trail"	"We don't delete anything"	System-generated log of every change with user, timestamp, and before/after values

7. Implementing These Controls

The requirements described in this article — CARO-compliant asset records, internal financial controls over procurement, and tamper-proof audit trails — are not about installing software. They are about putting a structured process in place:

Define your approval structure: Who can request purchases? Who approves, and at what thresholds? Map this to an approval matrix with clear levels and dimensions.
Govern the procurement chain: Every purchase follows PR → PO → GRN with each step requiring completion before the next. No ad-hoc purchases, no retroactive documentation.
Maintain a structured asset register: Every asset has a complete record — identity, location, financial details, lifecycle status. Depreciation runs on defined schedules with year-end snapshots that cannot be modified.
Verify physically: Tag assets with QR codes, run periodic verification campaigns, record what was found and what was missing. This directly satisfies CARO Clause 3(i).
Match invoices: Before payment, the vendor's invoice is matched to the PO and GRN — quantity, price, and GST. Mismatches are resolved through a defined workflow, not ignored.
Ensure the audit trail: Every action in the system — creation, approval, rejection, edit, posting, reversal — is logged with user, timestamp, and before/after values. The trail cannot be disabled or tampered with.

ProcureTrail supports this complete workflow. But the principle applies regardless of the tool — the statutory requirement is for controls and records, not for any specific software.

Frequently Asked Questions

What does CARO 2020 require for fixed asset records?

CARO 2020 Clause 3(i) requires the statutory auditor to report on whether the company maintains proper records of its property, plant and equipment — with full particulars including quantitative details and location, whether PPE has been physically verified at reasonable intervals, and whether title deeds of immovable property are held in the company's name.

How are fixed assets classified under the Companies Act?

Under Schedule II of the Companies Act 2013, fixed assets are classified by asset class — buildings, plant and machinery, furniture and fixtures, office equipment, vehicles, computers, and intangibles — each with a prescribed useful life for straight-line or written-down depreciation. The classification drives the asset register structure and the depreciation schedule.

Does CARO 2020 apply to private limited companies?

Yes, unless the company meets all three exemption conditions simultaneously: paid-up capital plus reserves not exceeding Rs 1 crore, borrowings from banks or financial institutions not exceeding Rs 1 crore at any point during the year, and revenue not exceeding Rs 10 crore. If any one threshold is breached, CARO 2020 applies in full.

Is internal financial controls (IFC) audit mandatory for all private companies?

No. Private companies with turnover below Rs 50 crore and borrowings below Rs 25 crore are exempt from IFC auditor reporting under Section 143(3)(i). However, directors of all companies — regardless of size — must state in the annual report that IFCs are adequate and operating effectively under Section 134(5)(e).

Does the audit trail requirement apply to asset registers maintained in Excel?

Rule 3 of the Companies (Accounts) Rules 2014 requires accounting software to have a built-in audit trail that records every transaction change with date and user, and that cannot be disabled. Excel does not have this capability. Asset records maintained in Excel do not satisfy this requirement, which applies to all companies from 1 April 2023.

What are the penalties for not maintaining proper books of account?

Under Section 128 of the Companies Act 2013, the company faces a penalty of Rs 1 lakh plus Rs 500 per day of continuing failure (up to Rs 5 lakh), and every officer in default faces a penalty of Rs 25,000. Under Section 134(8), for false statements in the directors' responsibility statement, officers face imprisonment up to 3 years or fine up to Rs 5 lakh or both.

Audit-Ready Procurement Statutory Compliance Fixed Asset Register Procurement Governance Guide: Companies Act 2013 Guide: Auditor Qualified Report Guide: Approval Workflows

Assess How This Applies to Your Organisation

Share a brief overview of your current procurement and asset record-keeping setup and we will evaluate where the gaps are.

Book a Consultation