
The control gaps PE auditors flag in diligence — and how to close them in 90 days
Private equity diligence on growth-stage Indian targets surfaces the same eight control gaps in roughly 90% of cases. Catch them before the diligence starts, and the closing timeline tightens by weeks.
Private equity diligence has become more rigorous over the last three years, particularly for growth-stage Indian targets where the headline metrics — ARR, gross margin, customer logos — are solid but the underlying control environment has not had time to mature. The PE buyer's diligence team, working with a Big Four or boutique audit partner, produces a control diligence report that, in our experience, almost always identifies the same eight gaps.
We sit on both sides of these engagements — running the diligence for PE buyers and running the sell-side preparation for founders and CFOs. The patterns are consistent enough that the eight gaps below now form a standard pre-closing remediation checklist for any India target.
What PE diligence on controls actually covers
The control diligence report is one of three or four streams that feed into the buyer's final commitment letter. Financial diligence covers the numbers. Commercial diligence covers the market and customers. Legal diligence covers the contracts and structure. Control diligence covers whether the numbers can be trusted, whether the operations can scale, and whether the regulatory exposure is contained.
Buyers care because the post-close period — the 90 days after signing, when the founder is still in the chair and the new investors are still building their internal view of the business — is when control failures surface that should have been caught earlier. A PE fund that wrote a ₹500 crore cheque does not want to discover in month four that the GST liability is materially understated, or that the ITGC is at MVP-level, or that the related-party register has been stale for two years.
The eight gaps
This pattern holds across 90%-plus of growth-stage India targets. Some companies have one or two of these clean. Almost none have all eight.
Gap one: weak IT general controls
IT general controls (ITGC) cover access management, change management, computer operations, and program development. They are the foundation on which application-level controls operate. If the ITGC is weak, no application control can be relied on.
What diligence finds: shared administrative accounts in the ERP, no documented user access review in the last 12 months, code deployed to production without a documented approval, no segregation between developers and production access, no documented disaster recovery test in 18 months.
The remediation in 90 days: implement role-based access in the ERP, remove all shared admin accounts, document the change management workflow with an approval gate, run a user access review and revoke unnecessary access, run a tabletop disaster recovery exercise.
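The findings listed under gap one can be checked mechanically before the diligence team arrives. The following is an added example, not part of the original article: it runs over a constructed access export and a constructed production change log, and the field names, role names and 365-day review window are assumptions for illustration. The self-approval check goes one step beyond the "no documented approval" finding named above.

```python
from datetime import date

# Constructed sample of an ERP access export (not real data; field names are assumptions).
ACCOUNTS = [
    {"id": "admin", "holders": ["ravi", "meena"], "roles": {"erp_admin"}, "last_review": date(2023, 1, 10)},
    {"id": "asha", "holders": ["asha"], "roles": {"developer", "prod_deploy"}, "last_review": date(2024, 11, 2)},
    {"id": "kiran", "holders": ["kiran"], "roles": {"ap_clerk"}, "last_review": date(2024, 12, 1)},
]
# Constructed production change log; approved_by is None when no approval was recorded.
CHANGES = [
    {"ref": "CHG-101", "deployed_by": "asha", "approved_by": "kiran"},
    {"ref": "CHG-102", "deployed_by": "asha", "approved_by": None},
    {"ref": "CHG-103", "deployed_by": "asha", "approved_by": "asha"},
]

# Role combinations one person should not hold together (segregation of duties).
SOD_CONFLICTS = [({"developer", "prod_deploy"}, "developer with production access")]
ADMIN_ROLES = {"erp_admin"}
REVIEW_MAX_DAYS = 365  # assumed reading of "in the last 12 months"

def access_findings(accounts, as_of):
    """Return (account, issue) pairs for the access-management gaps."""
    findings = []
    for acct in accounts:
        # An admin account with more than one named holder is a shared account.
        if len(acct["holders"]) > 1 and acct["roles"] & ADMIN_ROLES:
            findings.append((acct["id"], "shared administrative account"))
        for conflict, label in SOD_CONFLICTS:
            if conflict <= acct["roles"]:  # account holds every role in the conflict set
                findings.append((acct["id"], label))
        if (as_of - acct["last_review"]).days > REVIEW_MAX_DAYS:
            findings.append((acct["id"], "access not reviewed in 12 months"))
    return findings

def change_findings(changes):
    """Return (change, issue) pairs for the change-management gaps."""
    findings = []
    for chg in changes:
        if chg["approved_by"] is None:
            findings.append((chg["ref"], "no documented approval"))
        elif chg["approved_by"] == chg["deployed_by"]:
            findings.append((chg["ref"], "self-approved change"))
    return findings

if __name__ == "__main__":
    for item, issue in access_findings(ACCOUNTS, date(2025, 1, 15)) + change_findings(CHANGES):
        print(f"{item}: {issue}")
```

The output doubles as the opening entries of the remediation register: each pair names the account or change to fix and the control it fails.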
Gap two: no formal close calendar
A formal monthly financial close calendar sets defined cut-off dates, owner, dependencies, and target close day. Growth-stage companies often close in 12 to 18 working days, with the close compressing only at quarter-end when investors are asking for numbers.
What diligence wants: close in 7 to 10 working days, with a documented calendar, owners for each step, and an exception log for any overdue item.
The remediation in 90 days: build the calendar, identify the bottlenecks (almost always intercompany matching, accruals review, or revenue recognition cut-off), and run a mock close to identify the time consumed by each step.
Gap three: IFC not tested
Internal Financial Controls under Section 134 are not optional for the target after closing, particularly if the PE buyer is preparing for an exit IPO. Most growth-stage targets have documented an IFC framework in name but have not tested the controls in operation.
What diligence wants: an RCM (Risk and Control Matrix) for the key processes, with documented testing of operating effectiveness for the most recent reporting period.
The remediation in 90 days: build the RCM for the top 8 to 10 processes, test the controls on a sample basis, document the results. This is the longest line item in most pre-close remediation plans.
Gap four: related-party transaction thresholds breached
Section 188 of the Companies Act, read with the SEBI LODR Regulation 23 for listed entities, sets thresholds above which related-party transactions require audit committee approval, shareholder approval, or specific disclosure.
What diligence finds: related-party transactions between the target and a promoter-linked entity that have crossed the threshold without the required approval, or where the approval was generic rather than transaction-specific.
The remediation in 90 days: pull the full related-party register, identify all transactions in the last three years, verify the approval trail for each transaction above the threshold, ratify any gaps through the audit committee and shareholders if needed.
Gap five: GST mismatches
GST input tax credit in the electronic credit ledger should be reconciled against the input credits claimed in GSTR-3B and the credits available per GSTR-2B.
What diligence finds: a sitting balance of unreconciled GST credits that may not be available, suppliers whose GSTIN status has changed (cancelled, suspended) but whose invoices were claimed for input credit, and GSTR-3B filings that do not match the GSTR-1 of customers.
The remediation in 90 days: run the reconciliation for the last 24 months, identify and reverse credits that are not supportable, contact suppliers with GSTIN issues to resolve before the diligence team finds them.
Gap six: KMP register stale
The Key Managerial Personnel register, the directors' register, and the board resolution archive are documents that the buyer's legal team will pull and compare against actual practice.
What diligence finds: directors who have moved off the board but whose resignation has not been filed with the ROC, KMP appointments that are not reflected in the company secretary's record, board resolutions for material decisions that exist as draft minutes but were never approved.
The remediation in 90 days: full ROC compliance review, file any missing forms, update the registers, organise the board resolution archive into a clean, indexed repository.
Gap seven: incomplete board resolution archive
Tied to the previous gap. Diligence will ask for board resolutions for specific material decisions — capital raises, key personnel appointments, ESOP allotments, related-party transactions, bank borrowings. The buyer's lawyer expects to receive a clean PDF for each.
What diligence finds: minutes that reference a resolution that was never separately documented, resolutions that were signed in counterpart by directors via email but not collated into a single signed document, ESOP grants that were approved in principle but the grant letter and acceptance trail are incomplete.
The remediation in 90 days: reconstruct the archive. For any material decision in the last three years, ensure there is a documented resolution with required signatures, an extract from the minutes book, and any supporting agreement.
Gap eight: cybersecurity at MVP level
Growth-stage SaaS and fintech targets have often invested in product security but not in enterprise security. The security posture looks adequate from a customer standpoint but is below what an institutional PE buyer expects.
What diligence finds: no annual penetration test, no documented incident response plan, no quarterly access review, no formal third-party SaaS inventory, no employee phishing simulation in the last 12 months, no CISO function (often the CTO wears both hats).
The remediation in 90 days: commission a pen test, build the incident response plan, run a user access review across SaaS tools, document the vendor inventory, run a phishing simulation, and if scale warrants, hire or appoint a CISO function distinct from the CTO.
The 90-day plan
What follows is the sequence we run when a sell-side engagement begins 90 days before the buyer's diligence team is expected on site.
Days 1 to 15. Pull the existing documentation. RCM, close calendar, board resolutions, ROC compliance, GST reconciliations, ITGC documentation. Identify gaps. Build the remediation register.
Days 16 to 45. Execute the high-effort items in parallel. ITGC role redesign and access review. ROC catch-up. GST reconciliation. RCM build for the top processes.
Days 46 to 75. Testing and validation. Test the controls in the RCM. Run the mock close. Run the pen test. Run the phishing simulation.
Days 76 to 90. Documentation and packaging. Build the data room. Index the board resolutions. Prepare the management presentation on the control environment. Brief the senior team on the diligence walkthroughs they will be asked to do.
What buyers actually look at
Three patterns in how PE diligence teams read the control environment.
First, they look at the gap between what management says and what the documentation supports. If management says ITGC is solid and the documentation shows a 14-month-old access review, the gap is the finding.
Second, they look at the trend, not just the point-in-time state. If the company is moving from manual to system-based controls, that direction is positive. If the company is regressing — controls that operated last year are not operating this year — that is a flag.
Third, they look at how the founder and CFO discuss the gaps. A founder who can articulate where the control environment is weak and what the remediation plan is gets credit. A founder who claims the environment is fine when the diligence team has already identified gaps loses credibility, and the negotiation tightens on warranties, indemnities, and earn-outs.
The control gap discussion is not a binary. The buyer is not deciding whether the gaps exist. They almost always do. The buyer is deciding whether the founder has the operational discipline to close them in the year after closing. A clean 90-day pre-close remediation plan, with evidence, is the strongest signal the founder can offer.
What we tell sell-side founders
Two things, before the engagement begins.
First, the diligence will find the gaps. It always does. The question is whether the founder finds them first and shows up with a plan, or whether the buyer finds them and uses them in the negotiation.
Second, the 90-day timeline is enough only if the founder is fully committed. The CFO and the company secretary cannot run this on top of their day jobs. Either the founder reallocates them for the duration of the pre-close work, or the engagement does not get done.
The deals that close cleanly are the ones where the founder takes the pre-close period as seriously as they took the fundraise.