
CARO 2020: the reporting questions that catch growing companies off-guard
CARO is the auditor's voice to the regulator about your company. Twenty-one reporting clauses, eight that growing companies trip on, and each one becomes part of the public record.
The Companies (Auditor's Report) Order 2020 — CARO 2020 — is the most underestimated part of an Indian audit. The main audit report says whether the financial statements are true and fair. CARO is where the auditor reports specific procedural and compliance matters to the Ministry of Corporate Affairs. It runs as a separate annexure to the audit report. It is public. And it is read more carefully by regulators, lenders, and acquirers than the audit opinion itself.
CARO 2020 replaced CARO 2016 for financial years starting 1 April 2021. The reporting requirements expanded. Twenty-one clauses now, with several sub-clauses each. We work through every one of them on every applicable audit. The clauses below are the ones that growing companies trip on most often.
Who CARO applies to
CARO 2020 applies to most companies. The exceptions are small — banking and insurance companies, small private companies meeting all three thresholds (paid-up capital up to ₹1 crore, turnover up to ₹10 crore, borrowings up to ₹1 crore), and a handful of other categories listed in the order itself.
If your company has crossed any of these thresholds — and most growing companies have — CARO applies.
Clause (iii)(c): loans to related parties
The clause requires the auditor to report whether loans, guarantees, or security have been given to companies, firms, LLPs, or other parties listed in the register maintained under Section 189 of the Companies Act.
The trap is the register itself. Many private companies never maintained a Section 189 register because no one asked for it during steady-state audits. When the auditor asks, the company scrambles to reconstruct one. The reconstruction is itself a compliance issue — the register is supposed to be live, not reconstructed.
If loans to related parties exist and the terms are not at arm's length, or repayment schedules have not been stipulated, the auditor reports it. The public record then carries a note that the company gave a director's relative an interest-free loan, repayable on demand. That is not the headline the company wanted.
Clause (vii)(b): income-tax and GST dues outstanding for more than six months
The clause requires reporting of statutory dues — income tax, GST, customs duty, ESI, EPF — that are outstanding for more than six months from the date they became payable. For a company in the middle of a GST refund dispute or a TDS reconciliation issue, this clause forces the disclosure into the audit report.
We have seen companies argue that an income-tax demand under appeal is not 'payable' until the appeal is decided. The auditor's position under CARO is different. If the dues are not paid and not subject to a stay order, they are outstanding. The audit report carries the disclosure.
The right answer is to either pay the dues under protest while the appeal continues, or obtain a stay order. Without one of those, the disclosure is mandatory.
Clause (ix): default in repayment of borrowings
Clause (ix)(a) requires reporting of any default in repayment of loans or borrowings to financial institutions, banks, debenture holders, or other lenders. The reporting includes the period of default and the amount.
For growing companies, defaults often happen at month-end if a debtor collection slips. The bank may not have formally classified the account as NPA, but the EMI was paid two weeks late. Under CARO, that two-week delay is a default in repayment and gets reported.
Clause (ix)(c) requires reporting whether term loans were applied for the purpose for which they were obtained. If the company took a working-capital term loan and ended up using a portion for capital expenditure, that is end-use deviation and gets reported.
Clause (ix)(d) is the one that catches CFOs off-guard. It requires reporting whether short-term funds were used for long-term purposes. If the company funded a fixed-asset purchase from working-capital limits because it was waiting for a term-loan disbursement, the auditor will analyze the year-end balance sheet and report the maturity mismatch.
Clause (xi)(a): fraud reported during the year
This clause requires the auditor to report any fraud by the company or on the company by its officers or employees, noticed or reported during the year. The reporting includes the nature and the amount.
This is separate from the Section 143(12) fraud reporting obligation. Section 143(12) is what the auditor reports to the MCA. CARO clause (xi)(a) is what gets reported in the audit report itself. Both can be triggered by the same fraud.
Companies sometimes choose not to formally report internal frauds — say, a senior manager who siphoned ₹35 lakh through fake vendor invoices and was quietly terminated. Under CARO, if the auditor became aware of the fraud during the audit, the disclosure is mandatory. Quiet termination does not solve the disclosure problem.
Clause (xiii): related-party transaction compliance
The clause requires reporting whether all transactions with related parties are in compliance with Sections 177 and 188 of the Companies Act, and whether the details have been disclosed in the financial statements as required by the applicable accounting standards.
Section 177 requires audit committee approval for related-party transactions in companies that have an audit committee. Section 188 requires board approval (and, above thresholds, shareholder approval) for specified RPTs not in the ordinary course of business or not at arm's length.
Where it goes wrong is the audit-committee approval trail. The board approval may be on file. The audit committee may have discussed the matter. But the minutes do not specifically record approval of the RPT, or the disclosure to shareholders is incomplete. Under CARO, that is a non-compliance and gets reported.
Clause (xv): undisclosed income from search
The clause asks whether the company has disclosed income that was surrendered or disclosed during a search, survey, or other proceeding under the Income Tax Act. If yes, it should be disclosed in the financial statements.
For companies that have had income-tax searches or surveys — even years ago — and where surrendered amounts were not formally booked into the financials, this clause forces a reconciliation. The auditor will ask for the search records, the surrender statements, and the corresponding entries in the books. Gaps get reported.
Clause (xvi)(a): RBI registration for NBFC activity
RBI registration is required if the company is engaged in activities that would qualify it as a Non-Banking Financial Company under the RBI Act. Lending more than 50% of net assets, or earning more than 50% of income from financial activities, triggers NBFC classification.
Some startups — fintech wallets, point-of-sale lenders, BNPL platforms — operate in the grey zone. They lend but argue they are technology platforms. The auditor's CARO analysis will test the principal-business criteria and report if registration is required but not obtained. That report can trigger an RBI inquiry.
Clauses that get attention from acquirers and lenders
When an acquirer's due-diligence team pulls the target's audit reports, the CARO annexure is one of the first things they read. The clauses above are the ones that surface red flags. A CARO note about end-use deviation in a term loan, or a fraud disclosure, or a non-compliance on RPTs — each of those becomes a deal point.
Lenders read CARO before extending facilities. A repeated default disclosure under clause (ix), even for two-week delays, can affect the next sanction or pricing.
How to manage CARO before the audit
Three months before the audit, work through the 21 clauses internally. For each clause, assess whether the company is compliant, partially compliant, or non-compliant. For the non-compliant items, decide whether they can be cured before the audit cutoff or whether the disclosure is unavoidable.
Cure what you can. For Section 189 register gaps, build the register and have it approved. For statutory dues over six months, pay them or obtain stay orders. For loan repayment defaults, request the bank to issue a no-default certificate for the year. For RPT non-compliances, regularize them through delayed board or audit-committee approvals — better than letting the auditor record the gap.
What cannot be cured should be discussed with the auditor in writing before fieldwork. Agree on the wording of the CARO disclosure. The disclosure is going to be on the public record. The CFO and the auditor should agree how it reads.
CARO is not a hostile document. It is a structured set of questions that the regulator wants answered. Answer them well and the disclosure is a non-event. Answer them poorly and the disclosure becomes the story.

