PE/VC Due Diligence: CFE Fraud Risk Checklist | Virtual Auditor

Definition — Forensic Due Diligence: A pre-investment investigation that applies fraud examination techniques (CFE methodology) to assess the integrity of a target company’s financial statements, the backgrounds of its promoters and key management, regulatory compliance status, and hidden fraud risk indicators. It supplements — and does not replace — standard financial, legal, and tax due diligence. The focus is on identifying deal-breakers and fraud risk that standard due diligence processes are not designed to detect.

Definition — SEBI AIF Regulations: SEBI (Alternative Investment Funds) Regulations, 2012, govern the registration and regulation of alternative investment funds in India, including Category I (venture capital funds, angel funds, infrastructure funds), Category II (PE funds, debt funds), and Category III (hedge funds). Regulation 15(1)(d) requires AIF managers to conduct due diligence on investee companies.

Why Standard Due Diligence Is Not Enough

Standard financial due diligence (typically performed by audit firms) focuses on:

  • Normalising historical financials (adjusted EBITDA)
  • Quality of earnings analysis
  • Working capital assessment
  • Debt and contingent liability identification
  • Tax compliance review

While valuable, standard due diligence has structural limitations:

  • Reliance on management representations: Standard DD relies heavily on management-provided data and explanations. Fraudulent management provides consistent false representations.
  • No fraud testing: Standard DD tests accuracy, not intentional manipulation. Beneish M-Score, Benford’s Law, and other fraud detection techniques are not part of standard DD scope.
  • No background verification: Standard DD does not investigate promoter backgrounds for litigation history, regulatory disqualifications, personal insolvency, or association with shell companies.
  • Limited related party investigation: Standard DD reviews disclosed related party transactions but does not actively search for undisclosed related parties through MCA, GST, and bank data cross-referencing.
  • No FEMA depth testing: Standard DD reviews FEMA compliance at a checklist level but does not perform independent valuation verification for prior round pricing compliance.

The Forensic Due Diligence Fraud Risk Checklist

Expert Insight — CA V. Viswanathan, CFE

We have developed this checklist based on our experience across 150+ PE/VC due diligence engagements in India. It is organised into seven risk domains. Not every checklist item applies to every deal — the scope is tailored based on the target company’s industry, stage, and deal size. However, every investor should review all seven domains to determine which ones require deep investigation for their specific deal.

Domain 1: Revenue and Financial Statement Integrity

This is the highest-risk domain. Revenue inflation is the most common fraud in PE/VC investee companies because it directly affects valuation (revenue multiples for SaaS, GMV multiples for marketplaces, ARR multiples for subscription businesses).

Checklist Items

  • Beneish M-Score computation: Calculate for the latest 3 fiscal years. M-Score above -1.78 is a red flag requiring detailed investigation. (See our detailed guide: Financial Statement Fraud: Detection & Expert Witness)
  • Cash flow vs. reported revenue analysis: Compare operating cash flow to reported revenue over 3 years. Consistent divergence (revenue growing but cash flow stagnant or negative without clear business reason) signals potential revenue manipulation.
  • Customer concentration and verification: Identify the top 10 customers by revenue. Independently verify their existence (MCA records, GST registration, website, physical address). For SaaS companies: verify through platform analytics (not management-provided reports).
  • Revenue recognition policy review: Test compliance with Ind AS 115 (or Indian GAAP AS 9 for companies not under Ind AS). Verify that the five-step model is correctly applied and that revenue timing matches performance obligation satisfaction.
  • Round-tripping detection: Trace large revenue transactions to verify that funds originated from genuine customers and not from entities funded by the company or its promoters.
  • Channel stuffing analysis: For companies with distribution models, analyse sales patterns around quarter-end and year-end. A spike followed by returns or credit notes in the following period indicates channel stuffing.
  • Benford’s Law testing: Apply to invoice amounts, expense claims, and journal entries. (Methodology detailed in our Vendor Fraud Detection guide.)
  • Operating metrics vs. financial metrics correlation: For technology companies, correlate reported revenue with server costs, API call volumes, customer support tickets, and employee headcount. A disconnect between them signals potential inflation.
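
The M-Score item above, worked as an added example (not Virtual Auditor's own tooling). The coefficients are the published eight-variable Beneish (1999) model, which the page does not list; the financials are constructed, and three years of data yield two scores because each needs a prior year.

```python
THRESHOLD = -1.78   # red-flag level used in the checklist above
INTERCEPT = -4.84   # Beneish (1999) eight-variable model; assumption, not from the page
COEFFS = {"DSRI": 0.920, "GMI": 0.528, "AQI": 0.404, "SGI": 0.892,
          "DEPI": 0.115, "SGAI": -0.172, "TATA": 4.679, "LVGI": -0.327}

# Constructed sample financials, oldest year first (one currency unit throughout).
SAMPLE = {
    "FY1": dict(sales=1000, cogs=600, receivables=100, current_assets=400,
                ppe=300, total_assets=1000, depreciation=30, sga=200,
                net_income=80, cfo=90, current_liabilities=200, long_term_debt=200),
    "FY2": dict(sales=1100, cogs=660, receivables=110, current_assets=440,
                ppe=330, total_assets=1100, depreciation=33, sga=220,
                net_income=88, cfo=99, current_liabilities=220, long_term_debt=220),
    # FY3: sales and receivables jump while operating cash flow collapses.
    "FY3": dict(sales=1650, cogs=1023, receivables=330, current_assets=700,
                ppe=350, total_assets=1500, depreciation=30, sga=300,
                net_income=200, cfo=20, current_liabilities=400, long_term_debt=300),
}


def _div(num, den, label):
    """Divide, naming the index when a zero base makes it undefined."""
    if den == 0:
        raise ValueError(f"{label}: zero denominator, index undefined")
    return num / den


def _share(year, num_keys, den_key, label):
    """Sum of `num_keys` as a fraction of `den_key` for one year."""
    return _div(sum(year[k] for k in num_keys), year[den_key], label)


def indices(cur, prev):
    """Eight Beneish indices for year `cur` measured against year `prev`."""
    def yoy(fn, label, invert=False):
        a, b = fn(cur), fn(prev)
        return _div(b, a, label) if invert else _div(a, b, label)

    return {
        # Receivables growing faster than sales
        "DSRI": yoy(lambda y: _share(y, ["receivables"], "sales", "DSRI"), "DSRI"),
        # Deteriorating gross margin (prior year over current year)
        "GMI": yoy(lambda y: 1 - _share(y, ["cogs"], "sales", "GMI"), "GMI", invert=True),
        # Growing share of assets other than current assets and PPE
        "AQI": yoy(lambda y: 1 - _share(y, ["current_assets", "ppe"], "total_assets", "AQI"), "AQI"),
        "SGI": _div(cur["sales"], prev["sales"], "SGI"),
        # Slowing depreciation rate (prior year over current year)
        "DEPI": yoy(lambda y: _div(y["depreciation"], y["depreciation"] + y["ppe"], "DEPI"),
                    "DEPI", invert=True),
        "SGAI": yoy(lambda y: _share(y, ["sga"], "sales", "SGAI"), "SGAI"),
        # Accruals: profit not backed by operating cash flow
        "TATA": _div(cur["net_income"] - cur["cfo"], cur["total_assets"], "TATA"),
        "LVGI": yoy(lambda y: _share(y, ["current_liabilities", "long_term_debt"],
                                     "total_assets", "LVGI"), "LVGI"),
    }


def m_score(cur, prev):
    return INTERCEPT + sum(COEFFS[k] * v for k, v in indices(cur, prev).items())


def screen(years):
    """Return (label, score, red_flag) for every year that has a prior year."""
    labels = list(years)
    out = []
    for prev_label, label in zip(labels, labels[1:]):
        score = m_score(years[label], years[prev_label])
        out.append((label, round(score, 3), score > THRESHOLD))
    return out


if __name__ == "__main__":
    for label, score, flag in screen(SAMPLE):
        print(label, score, "RED FLAG" if flag else "ok")
```

A company whose ratios do not change year on year and whose profit equals its operating cash flow scores -2.48, which is a useful sanity check on any implementation.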

Domain 2: Promoter and Key Management Background Verification

Promoter integrity is the single most important determinant of investment outcome. Background verification is non-negotiable.

Checklist Items

  • MCA directorship search: Check all current and past directorships of promoters and key management through MCA21. Flag: directorship in struck-off companies (Section 248), companies under investigation, or large numbers of dormant companies.
  • Director disqualification check: Under Section 164(2)(a), a director is disqualified if the company in which they are a director has not filed financial statements or annual returns for three consecutive years. Verify current status.
  • Litigation search: Search all courts (Supreme Court, High Courts, District Courts) and tribunals (NCLT, NCLAT, SAT, ITAT, CESTAT) for pending or disposed cases involving promoters — both personally and through their companies.
  • Criminal record check: Search for FIRs, charge sheets, and criminal cases. Section 164(1)(d) of the Companies Act disqualifies persons convicted of an offence involving moral turpitude.
  • Credit history: CIBIL report for promoters to identify defaults, settlements, and credit discipline issues.
  • Regulatory debarment: Check SEBI debarment list, RBI defaulter list, IBBI disciplinary orders, and ICAI/ICSI disciplinary records where applicable.
  • Social media and public information review: Verify claims made in investor presentations (educational qualifications, previous employment, previous exits) against publicly available information.
  • Personal asset verification: Where the promoter has pledged personal assets or provided personal guarantees, verify ownership through land records, vehicle registration, and demat account statements.

Domain 3: Related Party Transaction Analysis

Related party transactions are the primary mechanism for promoter fund diversion in Indian companies.

Checklist Items

  • Disclosed related party mapping: Map all disclosed related parties from financial statements, board resolutions, and Companies Act Section 188 approvals.
  • Undisclosed related party search: Cross-reference promoter family members, previous directorships, common addresses, and common bank accounts against the vendor master and customer master. Identify entities controlled by promoter associates that are not disclosed as related parties.
  • Transaction pricing analysis: For each material related party transaction, verify that the price is at arm’s length. Obtain independent valuation where necessary.
  • Fund flow tracing: Trace the flow of funds through related party transactions. Identify circular flows where money leaves the company, passes through one or more related entities, and returns as revenue or loan repayment.
  • Loans and advances to related parties: Verify compliance with Section 185 (loan to directors) and Section 186 (inter-corporate loans and investments). Check whether advances to related parties have been recovered or written off.
  • Common cost sharing arrangements: Where the target company shares premises, employees, or infrastructure with promoter-related entities, verify that cost allocation is fair and documented.
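
The fund flow tracing item above, sketched as an added example (not the firm's own method): a search over bank transfers for money that leaves the target and returns to it through intermediaries. The entity names, amounts, and the `max_hops`, `max_days` and `min_retained` parameters are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple


class Transfer(NamedTuple):
    when: date
    payer: str
    payee: str
    amount: float


# Constructed bank-statement extract; every entity name is hypothetical.
TRANSFERS = [
    Transfer(date(2023, 1, 10), "Brightline Trading", "TargetCo", 300_000),
    Transfer(date(2023, 3, 1), "TargetCo", "Apex Supplies", 5_000_000),       # booked as vendor payment
    Transfer(date(2023, 3, 5), "Apex Supplies", "Brightline Trading", 4_900_000),
    Transfer(date(2023, 3, 10), "TargetCo", "City Power Utility", 200_000),
    Transfer(date(2023, 3, 15), "Delta Retail", "TargetCo", 1_500_000),       # receipt with no matching outflow
    Transfer(date(2023, 3, 20), "Brightline Trading", "TargetCo", 4_800_000), # booked as revenue
]


def find_round_trips(transfers, target, max_hops=4, max_days=90, min_retained=0.8):
    """Return chains of transfers that leave `target` and come back to it.

    A chain qualifies when every hop is dated on or after the previous one,
    the loop closes within `max_days` of the first outflow, and each hop
    carries at least `min_retained` of that outflow, so small unrelated
    payments between the same parties do not create false loops.
    """
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.payer].append(t)

    chains = []

    def walk(path):
        first, last = path[0], path[-1]
        if len(path) >= max_hops:
            return
        visited = {t.payee for t in path}
        for nxt in outgoing[last.payee]:
            if nxt.when < last.when or (nxt.when - first.when).days > max_days:
                continue
            if nxt.amount < min_retained * first.amount:
                continue
            if nxt.payee == target:
                chains.append(path + [nxt])      # loop closed
            elif nxt.payee not in visited:
                walk(path + [nxt])               # keep following the money

    for first in outgoing[target]:
        if first.payee != target:
            walk([first])
    return chains


def describe(chain):
    """Return the route as 'A -> B -> A' and the amount lost along the way."""
    names = [chain[0].payer] + [t.payee for t in chain]
    return " -> ".join(names), chain[0].amount - chain[-1].amount


if __name__ == "__main__":
    for chain in find_round_trips(TRANSFERS, "TargetCo"):
        print(*describe(chain))
```

Each chain returned is a lead to test against invoices, contracts and ownership records for the intermediaries, since genuine supplier and customer relationships can also form loops.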

Domain 4: Regulatory Compliance Assessment

Companies Act Compliance

  • Annual filing compliance: Verify that all annual returns (MGT-7/MGT-7A) and financial statements (AOC-4) have been filed with the ROC within statutory deadlines for the past 5 years.
  • Board composition: Verify compliance with Section 149 (minimum directors), Section 152 (appointment of directors), and applicable rules for women director, independent director, and resident director requirements.
  • Statutory audit: Verify that statutory audit has been conducted for all years. Review auditor reports for qualifications, adverse opinions, or disclaimers. Review CARO (Companies (Auditor’s Report) Order) observations.
  • Share allotment compliance: Verify that all share allotments (equity, preference, convertible instruments) have been filed with ROC via PAS-3 within 30 days of allotment.
  • Section 56 compliance (Income Tax): For shares issued at a premium, verify compliance with Section 56(2)(viib) — shares issued to residents above fair market value attract tax as income in the hands of the company. Verify that the valuation report supporting the issue price was obtained from a merchant banker or registered valuer.

FEMA Compliance (Critical for Foreign-Invested Companies)

  • Pricing compliance — FEMA (Non-Debt Instruments) Rules, 2019: For unlisted companies, shares can be issued to non-residents at a price not less than the fair market value determined using any internationally accepted pricing methodology on an arm’s length basis, duly certified by a Chartered Accountant or a SEBI registered merchant banker (Rule 21, read with Regulation 4 of FEMA 20(R)). Verify that a valuation certificate was obtained for each FDI tranche and that the actual issue price was at or above the certified fair market value.
  • FC-GPR filing: Form FC-GPR (Foreign Currency — Gross Provisional Return) must be filed with the authorised dealer bank and reported to RBI within 30 days of allotment of shares to non-residents. Verify filing for every FDI allotment.
  • Sectoral cap compliance: Verify that total foreign investment is within the applicable sectoral cap. For sectors with FDI restrictions (e-commerce, multi-brand retail, media), verify compliance with sector-specific conditions.
  • FC-TRS compliance: For any transfer of shares between resident and non-resident (secondary sale), Form FC-TRS must have been filed within 60 days. Verify for all such transfers.
  • Downstream investment compliance: If the target company has received foreign investment and has made downstream investments, verify compliance with downstream investment norms and reporting requirements.
  • ECB compliance: If the company has received external commercial borrowings, verify compliance with ECB framework including end-use restrictions, all-in-cost ceiling, and reporting requirements.
  • Compounding history: Check if the company has applied for compounding of any FEMA contraventions. Compounding applications and orders are publicly available on the RBI website.

GST and Tax Compliance

  • GST return filing compliance: Verify regular filing of GSTR-1 (outward supplies), GSTR-3B (monthly return), and annual return GSTR-9/9C for all applicable periods.
  • Input tax credit reconciliation: A major ITC mismatch between GSTR-2A/2B (auto-populated from supplier filings) and GSTR-3B (claimed by the company) creates a contingent liability.
  • Show cause notices: Obtain details of all pending GST show cause notices under Section 73 (non-fraud cases) and Section 74 (fraud/suppression cases). Section 74 notices carry a penalty of 100% of tax, creating significant contingent liability.
  • Income tax assessments: Review status of all open assessment years. Identify pending demands, appeals, and contingent tax liabilities.
  • Transfer pricing: For companies with international transactions or specified domestic transactions, verify compliance with transfer pricing documentation requirements (Section 92D) and filing of Form 3CEB.

Domain 5: Operational Fraud Risk Assessment

Checklist Items

  • Employee verification: Verify employee headcount against PF (Provident Fund) contributions, ESI contributions, TDS deductions (Form 24Q), and payroll bank transfers. A significant discrepancy indicates phantom employees or inflated headcount metrics.
  • Vendor fraud screening: Apply vendor fraud detection techniques (Benford’s Law, duplicate detection, shell company checks) to the accounts payable ledger. (Detailed methodology in our Vendor Fraud Detection guide.)
  • Expense reimbursement analysis: Screen management expense claims for round numbers, weekend dates, and amounts just below approval thresholds.
  • Cash handling controls: Where the business handles cash (retail, hospitality, logistics), assess cash handling procedures and reconciliation practices.
  • Inventory verification: For inventory-heavy businesses, verify physical stock against book records. Test inventory valuation methodology against Ind AS 2.
  • IP ownership verification: Verify that intellectual property (software code, patents, trademarks, domain names) is owned by the company and not by the promoter personally or by a related entity.
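
The Benford's Law screen named in the vendor fraud item above, as an added example (not the methodology from the firm's guide): a first-digit chi-square test over ledger amounts. Both ledgers are constructed, the 1,00,000 approval limit is hypothetical, and using a 5% significance level with a 100-record minimum is an assumption of this example.

```python
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom at alpha = 0.05.
CHI2_CRIT_DF8_5PCT = 15.507
# Benford's expected share of each leading digit 1..9.
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of an amount, working in integer paise.

    Credit notes (negative amounts) are tested on magnitude; zero-value
    lines return None and are skipped by the caller.
    """
    minor = abs(int(round(amount * 100)))
    return int(str(minor)[0]) if minor else None


def benford_test(amounts, min_n=100):
    """Compare leading digits of `amounts` with Benford's distribution."""
    digits = [d for d in map(leading_digit, amounts) if d]
    n = len(digits)
    if n < min_n:
        # Small populations swing too much for the test to mean anything.
        raise ValueError(f"only {n} usable amounts; need at least {min_n}")
    observed = Counter(digits)
    chi2 = sum((observed[d] - n * p) ** 2 / (n * p) for d, p in EXPECTED.items())
    excess = {d: observed[d] / n - p for d, p in EXPECTED.items()}
    return {
        "n": n,
        "chi2": round(chi2, 2),
        "flag": chi2 > CHI2_CRIT_DF8_5PCT,
        "most_overrepresented_digit": max(excess, key=excess.get),
    }


# Constructed ledger 1: amounts spread evenly on a log scale over five
# orders of magnitude, which is how organically arising amounts tend to look.
ORGANIC = [round(100 * 10 ** (k / 50), 2) for k in range(250)]

# Constructed ledger 2: the same ledger plus 60 invoices sitting just under
# a hypothetical 1,00,000 approval limit (90,000 to 98,850).
PADDED = ORGANIC + [90_000 + 150 * i for i in range(60)]


if __name__ == "__main__":
    print("organic:", benford_test(ORGANIC))
    print("padded: ", benford_test(PADDED))
```

A flag only says the digit distribution is unusual; populations with a natural floor or ceiling (fixed fees, capped reimbursements) fail the test for innocent reasons, so the over-represented digit is where sample testing should start.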

Domain 6: Corporate Governance Assessment

Checklist Items

  • Board minutes review: Review board minutes for the past 3 years. Flag any instances where the board approved related party transactions without adequate disclosure, where minutes do not reflect discussion, or where significant decisions were ratified post-facto.
  • Vigil mechanism: If the company is required to have a vigil mechanism under Companies Act Section 177(9), verify that it exists and is functional. (See our guide: Whistleblower Investigation: Vigil Mechanism & SEBI.)
  • Internal audit function: Assess the independence, scope, and quality of the internal audit function. Review internal audit reports for the past 2 years for unresolved issues.
  • Conflict of interest disclosures: Under Section 184, every director must disclose their interest in other entities at the first board meeting of each financial year. Verify that MBP-1 disclosures have been obtained.
  • Secretarial compliance: Review the latest secretarial audit report (if applicable under Section 204). Identify non-compliances that may affect the transaction.

Domain 7: Litigation and Contingent Liability Assessment

Checklist Items

  • Comprehensive litigation search: Go beyond disclosed litigation and run an independent search across all courts and tribunals for the company, its subsidiaries, promoters, and key management.
  • Labour law compliance: Verify PF, ESI, gratuity, and bonus compliance. Labour inspections and orders can create significant back-liability.
  • Environmental compliance: For manufacturing companies, verify compliance with environmental clearances, consent to operate (State Pollution Control Board), and hazardous waste management rules.
  • Consumer complaints: Search consumer forums (National, State, District) for complaints against the company. A high volume of complaints signals product/service quality issues and potential liability.
  • Pending regulatory proceedings: Check for any pending proceedings before SEBI, RBI, FEMA authorities, CCI (Competition Commission of India), or sector-specific regulators.

SEBI AIF Regulations: Due Diligence Obligations

SEBI (Alternative Investment Funds) Regulations, 2012 impose specific due diligence obligations on AIF managers:

  • Regulation 15(1)(d): The manager shall be responsible for the due diligence of the investments of the Alternative Investment Fund and ensure compliance with the regulations.
  • Regulation 15(1)(e): The manager shall carry out due diligence activities as may be specified by the Board from time to time for the investments of the AIF.
  • SEBI Circular CIR/IMD/DF/14/2014 (dated 19 June 2014): Provides guidelines on due diligence by AIF managers. Key requirements include:
    • Performing adequate due diligence on all prospective investee companies
    • Documenting the due diligence process and findings
    • Making the documentation available for SEBI inspection
    • Ensuring that investment decisions are based on adequate due diligence
  • Regulation 23: SEBI can take enforcement action against the manager of an AIF for failure to comply with the Regulations, which includes failure to conduct adequate due diligence.

Implications for Fund Managers

AIF managers who invest without adequate due diligence face multiple risks:

  • SEBI regulatory action: Warning, monetary penalty, suspension, or cancellation of registration
  • LP (Limited Partner) liability: LPs can hold the fund manager liable for losses arising from inadequate due diligence, depending on the LPA (Limited Partnership Agreement) terms
  • Personal liability: Key management personnel of the AIF manager may face personal liability under SEBI Intermediaries Regulations

Our Forensic Due Diligence Process

Phase 1: Scoping and Data Request (Week 1)

  • Initial call with the PE/VC investor to understand the deal thesis, valuation drivers, and specific concerns
  • Comprehensive data request list (financial statements, bank statements, ERP data, tax returns, MCA filings, cap table, FEMA filings, contracts)
  • Data room setup and access
  • Scope finalisation and engagement letter

Phase 2: Financial Statement Fraud Screening (Week 1-2)

  • Beneish M-Score computation
  • Cash flow vs. accrual analysis
  • Key ratio trend analysis
  • Benford’s Law testing on transaction data
  • Revenue quality assessment (customer concentration, recurring vs. non-recurring, cash conversion)
  • Identification of areas requiring detailed testing

Phase 3: Background Verification (Week 1-3)

  • Promoter and key management MCA, litigation, and criminal background checks
  • Regulatory debarment verification
  • Related party identification and undisclosed relationship search
  • Corporate structure analysis

Phase 4: Regulatory Compliance Deep-Dive (Week 2-3)

  • Companies Act compliance review
  • FEMA compliance review (pricing, reporting, sectoral cap)
  • GST and income tax compliance assessment
  • Sector-specific regulatory compliance (if applicable)

Phase 5: Detailed Transaction Testing (Week 2-4)

  • Revenue transaction testing (sample-based plus all flagged transactions)
  • Related party transaction analysis and arm’s length assessment
  • Vendor and expense testing
  • Bank statement analysis and fund flow verification
  • Employee and payroll verification

Phase 6: Reporting and Presentation (Week 4-5)

  • Draft report with findings classified as deal-breakers, significant risks, and observations
  • Risk-rated summary for investment committee
  • Discussion with the investor to clarify findings and answer questions
  • Final report
  • Recommendations for post-investment monitoring and control implementation

Expert Insight — CA V. Viswanathan, CFE

The most important output of forensic due diligence is not just identifying existing fraud — it is assessing the propensity for future fraud. A company with weak governance, a dominant promoter, poor internal controls, and a history of aggressive accounting is likely to present future problems regardless of whether current-period fraud is detected. We provide a governance risk score that helps investors quantify the non-financial risk of the investment and structure appropriate protective clauses in the SHA (Shareholders Agreement).

Common Fraud Patterns by Industry Vertical

SaaS / Technology Companies

  • Inflated MRR/ARR through annual pre-billing of monthly customers
  • Revenue from pilot projects or free trials recorded as paid subscriptions
  • Related party entities posing as customers to inflate user metrics
  • Capitalisation of routine development costs as intangible assets under Ind AS 38
  • IP ownership transferred to promoter-controlled entity in a different jurisdiction

E-Commerce / D2C Companies

  • GMV inflation through self-purchasing or related-party purchases
  • Return rates understated by recording returns in subsequent accounting periods
  • Customer acquisition cost (CAC) amortised over unrealistically long periods
  • Inventory valuation at cost without NRV write-down for slow-moving products
  • FEMA non-compliance in marketplace model vs. inventory model classification

Fintech / NBFC Companies

  • Loan book quality manipulation through evergreening (restructuring defaulting loans to avoid NPA classification)
  • Understated NPA provisions relative to RBI norms
  • Related party lending disguised as regular loan book exposure
  • Income recognition on non-performing loans
  • Regulatory compliance issues with RBI licensing and reporting requirements

Manufacturing Companies

  • Inventory inflation through overstated quantities or values
  • Vendor fraud and shell company billing in the supply chain
  • Capitalisation of routine maintenance expenditure
  • Understatement of environmental liabilities
  • Labour law non-compliance creating contingent liabilities

Healthcare / Pharma Companies

  • Revenue inflation through channel stuffing to distributors
  • Regulatory approval status misrepresentation
  • Clinical trial data integrity issues
  • Undisclosed regulatory actions (drug recalls, warning letters, show cause notices)
  • Transfer pricing issues in API sourcing from related overseas entities

Structuring Post-Investment Protection Based on Due Diligence Findings

Forensic due diligence findings should inform the following investment documentation provisions:

  • Representations and warranties: Specific reps covering all areas where risks were identified during due diligence
  • Indemnity clauses: Promoter indemnity for specific identified risks (pending tax demands, regulatory non-compliance, undisclosed litigation)
  • Escrow/holdback: Portion of investment held in escrow pending resolution of specific identified issues
  • Board seat and information rights: Enhanced information rights and board observer/director seats to monitor areas of concern
  • Anti-dilution and anti-fraud provisions: Specific consequences (enhanced anti-dilution, put option, conversion price adjustment) if fraud is discovered post-investment
  • Periodic forensic audit right: Contractual right for the investor to commission periodic forensic audits at the company’s expense

Pricing for PE/VC Forensic Due Diligence

Service | Scope | Starts From
Seed / Series A Forensic DD | Financial screening + promoter background + FEMA check | ₹1,50,000
Growth Stage (Series B+) Forensic DD | Full 7-domain checklist + transaction testing | ₹3,00,000
Late Stage / Pre-IPO Forensic DD | Comprehensive forensic + SEBI compliance readiness | ₹5,00,000
Multi-Entity Group DD | Target + subsidiaries + promoter group entities | ₹7,50,000
Independent Valuation | IBBI RV-certified valuation for investment pricing | ₹1,50,000

For a custom quote based on your deal specifics, visit Virtual Auditor Pricing or call +91 99622 60333.

Summary

PE/VC forensic due diligence applies CFE methodology across seven risk domains: revenue integrity, promoter background, related party transactions, regulatory compliance (Companies Act, FEMA, GST), operational fraud risk, corporate governance, and litigation/contingent liabilities. SEBI AIF Regulations, 2012, Regulation 15(1)(d) requires AIF managers to conduct due diligence on investee companies. FEMA (Non-Debt Instruments) Rules, 2019 require pricing compliance for FDI — share issue price must equal or exceed fair market value certified by a CA or SEBI registered merchant banker. At Virtual Auditor, forensic due diligence is led by CA V. Viswanathan (FCA, ACS, CFE, IBBI/RV/03/2019/12333). Related reading: Employee Fraud in Indian SMEs: Detection & Prevention.

Frequently Asked Questions

What is forensic due diligence for PE/VC investments?

Forensic due diligence goes beyond standard financial and legal due diligence by specifically testing for fraud risk indicators, financial statement manipulation, undisclosed liabilities, promoter integrity issues, and regulatory non-compliance. It uses CFE methodology including Beneish M-Score analysis, Benford’s Law testing, related party investigation, and background verification. Contact Virtual Auditor for details.

Why do PE/VC investors need forensic due diligence in India?

India’s PE/VC ecosystem has experienced several high-profile investment fraud cases. Common issues include inflated revenue metrics, undisclosed related party transactions, fictitious customer bases, GST/tax non-compliance creating contingent liabilities, and promoter fund diversion. Standard financial due diligence does not specifically test for fraud — forensic due diligence fills this gap.

What do the SEBI AIF Regulations require for due diligence?

SEBI (Alternative Investment Funds) Regulations, 2012, Regulation 15(1)(d) requires AIF managers to conduct due diligence on investee companies. SEBI Circular CIR/IMD/DF/14/2014 provides guidelines. Due diligence documentation must be available for SEBI inspection. Failure can result in regulatory action under Regulation 23.

What are the most common fraud schemes found during PE/VC due diligence?

Revenue inflation (fictitious customers, channel stuffing, round-tripping), undisclosed related party transactions, GST/tax non-compliance creating hidden liabilities, inflated operating metrics, FEMA non-compliance in prior rounds, and promoter background issues (undisclosed litigation, disqualified directorships).

How much does forensic due diligence cost for PE/VC deals?

Early-stage (Seed/Series A): from ₹1,50,000. Growth-stage (Series B+): from ₹3,00,000. Late-stage or pre-IPO: from ₹5,00,000. Multi-entity group: from ₹7,50,000. Contact Virtual Auditor at +91 99622 60333 or visit our contact page.

What FEMA compliance issues should PE/VC investors check during due diligence?

Critical FEMA checks: pricing compliance under FEMA (Non-Debt Instruments) Rules, 2019 (Rule 21 — fair market value certification for each FDI tranche); FC-GPR filing within 30 days of allotment; sectoral cap compliance; FC-TRS for secondary transfers; downstream investment reporting; and ECB compliance if applicable.

Virtual Auditor — AI-Powered CA & IBBI Registered Valuer Firm
Valuer: V. VISWANATHAN, FCA, ACS, CFE, IBBI/RV/03/2019/12333
Chennai (HQ): G-131, Phase III, Spencer Plaza, Anna Salai, Chennai 600002
Bangalore: 7th Floor, Mahalakshmi Chambers, 29, MG Road, Bangalore 560001
Mumbai: Workafella, Goregaon West, Mumbai 400062
Phone: +91 99622 60333 | Email: support@virtualauditor.in