In a recent digital boardroom hosted by Lightbox, leading experts in finance, risk, and forensic accounting came together to address the rising threat of fraud in India’s startup ecosystem—where 59% of companies reported incidents in the past two years. The discussion explored the “fraud triangle,” early red flags auditors watch for, and real-world lessons from companies like Rebel Foods. Panelists emphasized that fraud is not just a control failure but a behavioral issue rooted in pressure and rationalization. The session underscored the need for strong culture, vigilant monitoring, and proactive measures to protect startups in high-growth environments.

| Transcript of recorded conversation | 

(0:02 - 0:24)
Good evening everyone. Today we aim to address the dread associated with corporate frauds and discuss a framework to prevent, avert and fraud-proof our organisations in rather complex operating environments. According to PWC's Global Economic Crime Survey of 2024, 59% of organisations surveyed in India said that they faced financial or economic fraud in the past 24 months.

(0:25 - 0:46)
We've also seen a lot of angst within and outside the startup community due to a series of fraud and mismanagement incidents across startups and listed companies. We also have a fantastic panel between us today in Manoj, Vidya, Piyush and Sarda. All of them offering a very unique lens from their expertise and from their perspective into the world of frauds.

(0:47 - 1:00)
Manoj Nair leads the Statutory Practise and Cross-Shore Services Division of SDU. He is a Chartered Accountant, a member of Cost Accountants and Institute of Internal Auditors. He has over 30 years of experience in Assurance and Risk Consulting.

(1:01 - 1:11)
Vidya Rajarao is the Founder and CEO of Fraudopedia Pvt. Ltd. and her goal is to equip young finance professionals with knowledge training tools to combat and detect white-collar crime and fraud.

(1:12 - 1:25)
Vidya is a Chartered Accountant. She brings over 25 years of white-collar crime investigation experience with experience in Forensic Accounting and Risk Consulting. She has also been one of the seven members on the Technical Advisory Committee of the NFRA.

(1:27 - 1:45)
Piyush is a Chartered Accountant and a Company Secretary with 25 years of experience across various sectors like Pharma, Telecom and Media. He is also the CFO of Rebel Foods. Piyush's focus is on building strong finance functions and he is very passionate about building a very strong governance culture within his organisation.

(1:46 - 1:53)
Next is Sarda. She holds a Postgraduate Diploma in Management from XLRI. She is also a Bachelor of Engineering of Anna University.

(1:54 - 2:06)
Sarda has over 15 years of professional experience. Her journey began with the Mahindra Group. She served as the Group CEO of Cubase Cinema Technologies and Dr. Agarwal's Eye Hospital where she was responsible for overseeing very large-scale operations.

(2:07 - 2:37)
Her expertise lies in the field of Fundraising, M&A, Business Finance and Strategy. So if the screen is sort of visible to everybody, I think really why do frauds or why are frauds committed, right? So what this does is talks about the fraud triangle which is often at play and it begins with essentially a pressure and usually it's often an economic pressure or some form of duress, which then basically leads you to abuse trust. And finally, once you've done both, you need to find a way to rationalise what you've done and justify your fraud by saying it's OK.

(2:38 - 3:34)
And thus begins the triangle of fraud and the inescapable route, which is really a black hole through which we go down and fraud often takes precedence. So I think with that background and I don't want to get into the details of fraud. We all know what it is. 

Let's sort of begin this panel with a very objective lens on how the four of our panellists see fraud and what are some of the early signs. So maybe I'll look at you, Manoj, to sort of in your experience, talk us through how do you as an auditor see those ugly early shoots of a fraud? Well, for us, any audit while the preliminary lens of an auditor, whether it's a stat auditor or internal auditor, is not to look into fraud, but primarily to ensure that your financial reporting numbers are correct, true and fair. It's compliant to accounting and auditing standards.

(3:35 - 4:00)
It's also to look at internal controls or financial reporting. While looking at this, we come across certain trends which indicates that there is a possibility of a fraud that would have happened in the organisation. Now, such trends could be something right on the face of it, or it is well and very stealthily and well hidden under the rugs where it is very difficult to even identify such a fraud has happened.

(4:02 - 4:22)
Some of the trends that we see of late and I mean, these are not something new that I'm going to tell to the group here, because this has come in the media in the last four or five years. If you see the startups related fraud or misreporting on the financial numbers, it could be GMB or revenue. It could be things like related party transactions.

(4:22 - 5:11)
It could be some fraudulent entries passed in the books just to hide certain, you know, fund management that has happened between the people, related parties or some, you know, friends of the promoters, I would say. So what generally we look at are these kind of trends saying, what's the revenue moment between the previous years to the current year? If there is a sudden spike or a spurt, that really gives us a cause of concern saying, why did this really happen? And many a times, and let me tell you, in the last couple of years, three out of my five startups client where we went into this revenue trend analysis, we found that there was something fishy and suspicious out there. We had situations where, you know, peculiar accounting entries have happened, like a huge amount of GST input reversal.

(5:12 - 5:27)
Now, when we got into the details, we found that this reversal was done on the basis of a notice sent by DGGI and GST authorities. When we went into the detail, we found that these vendors were actually non-existent vendors. Fraudulent entries were passed.

(5:27 - 5:38)
These vendors to whom the company had made the payment has not deposited the GST onwards to the authorities. So they came after these entities. And as a result of it, our client had to suffer.

(5:39 - 5:54)
So, and when we get caught into the details, we found that there are people who are involved within the companies. And it's very sad to say some of them are promoters, which gives us further doubt on what are the kind of transactions the company has entered. You find a lot of related party transactions.

(5:55 - 6:13)
You will see a lot of non-operational fund moments, which means money is moving, the money raised from the investors of the banks, wherever is it. It's moving from one entity to other, but no significant operational developments have happened. So these are some of the early pointers that we as auditors notice.

(6:14 - 6:35)
And we try to build on it. And when it comes to appropriate time, we involve specialists like Vidya, who can take it to the logical end, including to the legal court, where the matter would be further settled. You know, Vidya, we investors are often criticised saying, what were you doing? Where was your diligence? What was the auditor doing? And like Manoj explained, these are early shoots, sometimes conclusive, sometimes not.

(6:36 - 6:54)
Your role is very different. You come into the picture once there is, you know, some trailing to be done or there is the definite suspicion involved. But could you highlight a few areas or a few instances which you know, you know, going in that these are definitely signs towards indicating a fraud.

(6:54 - 7:20)
And how do you go about the investigation of things like this? Sure. Thank you. Thank you, Rashmi. 

Good evening, everyone. See, I think the reason why, you know, investors, auditors, you know, especially statutory auditors, fail to detect fraud is because fraud is a problem of human beings. It's a problem of behaviour, whereas audit is focused on controls.

(7:20 - 7:50)
So that's where the dichotomy lies. And when I look at red flags, I follow the fraud triangle. So if you look at where's the pressure, you know, because it's both pressure and incentive, right? If the organisation is structured where the pressure to meet targets, unfortunately, even in a startup world, even if you don't have these quarterly earnings targets, you have targets because the market is racing ahead of you.

(7:51 - 7:57)
There are competitors entering the market. You have set certain targets for yourself. And if you have investors, you need to give them an exit.

(7:57 - 8:10)
So you're looking at a five year horizon. So targets are always, you know, kind of like Damocles sword, you know, on top of your head every day. And that leads to behaviour, which is sometimes errant behaviour.

(8:10 - 8:20)
You know, you start with the fraud triangle. It's an excellent tool. You know, if you look at incentives or a pressure to meet targets, and then you look at opportunities because controls don't keep up with business.

(8:20 - 8:30)
Because you, you know, you very quickly, you have a because you're starting with a very small baseline. You've sold 100 SKUs in one month. And, you know, next month, you're up to 200.

(8:31 - 8:35)
That's double. And then the next month, you're up to 400. That's geometric progression.

(8:35 - 8:49)
Your controls don't keep up as quickly as your business. And controls, again, has to be done by people. It isn't getting, you know, SAP and Oracle and PeopleSoft or whatever other software that you have.

(8:49 - 8:53)
It isn't software. It isn't. It's really behaviour around controls.

(8:53 - 9:08)
And only if you get these two right, you can fix the rationalisation piece of it. So that's where the red flags emerge, you know, from a forensic angle. And I think I'll stop there and see what the CFO in the hot seat, you know, has to say about all of this.

(9:08 - 9:32)
The CFO in the hot seat, I think, should help us understand how do you find these traces in an operationally complex environment, Piyush. Because startups, you know, as much as we can talk about governance and following protocol and doing everything systematically, the truth is it's chaos because you're growing at a very fast pace. So maybe, Piyush, you could give us some operational insights into what you've seen.

(9:33 - 9:39)
Sure. Thanks, Rashmi. And once again, thank you so much for giving the opportunity and warm welcome to all of you.

(9:40 - 9:48)
I represent Rebel Foods. We are a world's largest Internet restaurant company. Essentially, it is single infrastructure where we have multiple brands operating.

(9:49 - 10:02)
And we are 97 to 98 percent of our revenue is digital. So Manoj and Vidya talked about the fraud and, you know, different kind of how it happens. I think essentially, if we think about it, there are two buckets in which we can think about fraud.

(10:02 - 10:24)
One is about intentional, which means that internally within the company, there is some malefied intent to sort of take an extra benefit. Second could be someone external is trying to create a bypass in the process or the system and able to take an undue advantage. I'm going to talk a real life incident that happened to us at Rebel Foods around a couple of years back, which is in the second category.

(10:25 - 10:39)
So essentially, we have operations in India, and then there is operation in UAE and UK. So this happened in one of the transactions, which is based out of UK. Now, what happened is that basically, we have advertisement on the Facebook page.

(10:40 - 11:03)
So we came to know that there was an excess debit that happened. So typically, if there is a run rate of X debit, which happens on account of monthly invoice to Facebook, there was suddenly around 10X debit that happened in terms of when we receive the message from the bank account. So immediately triggered a thought from the executive who was managing it to say that, why is the debits on so much on the higher side? And then it was reported to the bank.

(11:04 - 11:12)
And then, you know, the teams got alerted. So basically two channels got activated. One was reporting to us to say that there is something suspicious that has happened.

(11:13 - 11:26)
Typically, a payout on marketing campaign is X, but there is a 10X debit that we have received. And then immediately we huddled together. We said that first, let's go to the bank, try to substantiate the claim in terms of why it's only one-tenth of what got debited.

(11:26 - 11:37)
So that was a trigger one that did. And immediately bank sort of took a note of the transaction invoice and all, and made sure that the unauthorised debit of 10X got immediately reversed. So that was one part.

(11:37 - 11:58)
Now, the second and most important was to understand exactly what happened. So typically what happens is that these kind of media spends and such other credit card led spends, it is through a direct debit. So what happened is, in case of we have multiple Facebook pages for advertisement and media post, right? And it is linked to the sub pages, which are linked to the bank account.

(11:58 - 12:16)
Now, the hacker was able to access the Facebook page, modified the name of one of our brand pages and altered the limit set for the transaction. And due to this alteration in the limit, Facebook reach increased and hence the billing also increased. Now, as a result of which there was an unauthorised 10X transaction that happened.

(12:16 - 12:31)
So one was to remain calm, report the transaction, and then make sure that we are able to immediately work to do a damage control. The second part is that we did a RCA to see that exactly where did we go wrong. I think there were clear 4-5 actionable that came in.

(12:31 - 12:47)
First was for this direct debit transaction, we should never link it to the primary bank account. The second was try to get into a mode of deploying the limit through a wallet only. So basically, even if there is an unauthorised debit, the transaction will fail because it's only a specified amount that we have parked in the wallet.

(12:48 - 13:04)
The third is about account access advisory. So basically, at a periodic interval, we should do a review and make sure that access rights are only within the authorised individual and also strong password rules needs to be implemented. And last is try to do a periodic review wherever the such debits are actually enforced.

(13:04 - 13:16)
There is a review mechanism like Manoj was saying in a traditional thing about a bank account review. But we don't do wherever the auto debits have been set. So I think this is a classic example that world is moving towards more and more digital.

(13:16 - 13:39)
There are types of this digital fraud that happen. In a rush, we may not follow proper protocol or control or either in a regular review, these things don't get surfaced. So I just thought that it would be good to sort of discuss a live example and luckily with the help of team member was quite vigilant and alerted at the right point of time and also took it up with the banks to ensure that there is no unauthorised debit that was there finally.

(13:40 - 13:57)
But it was a big learning for us and as a result of which we have strengthened the process. Piyush, you took this in the direction of, you know, basically being the torchbearer and sort of trying to prevent it, prevent these kind of occurrences. But maybe Sardar, you know, in your past experience, I think it begins with culture.

(13:57 - 14:38)
And that's the first line of defence in how we as, you know, torchbearers of the finance function can control this. You know, you've served on so many listed companies. Could you talk about sort of the trickle down effect of culture and promoter sort of views on how this is managed? It starts with the founder. 

Let's put it that way. Founder culture, I think we were talking about. I just want to rephrase it. 

Founder is the culture. They set the tone, right? Like many startups would not have a proper finance team, would not even have a finance function. So if the culture set by then, no matter how brilliant a CFO you get at a later stage, or if somebody gives you brilliant advice, the founder has to accept the advice.

(14:38 - 14:47)
So I think it starts with the attitude and the tone of the founder. Rightly, like Vidya pointed, it is people. You have to set it right.

(14:47 - 15:00)
So I have more often than not seen that many founders and, you know, people who have very limited related party transactions or very above board. So my spouse's company is not involved. They are not a vendor.

(15:01 - 15:08)
My spouse is not an employee. I'm sure genuine spouse being employees are there. I'm just saying for the sake of it, 10 people from my family are not employed.

(15:08 - 15:17)
So on and so forth. You know, it gives a lot of comfort. So I think the founder should think about it as a long term goal.

(15:18 - 15:27)
I look at this as karma. Today it may look very fantastic, but it will catch up with you at some point in time. So you're better off not taking, you know, today's profit will be 1x.

(15:27 - 15:36)
And you are asking for two multiple more. But look at it five years down the line when you will probably list or you are a unicorn. You're also carrying the credibility.

(15:36 - 15:50)
Secondly, we talked about the fraud triangle, the incentives itself. Right. I believe the incentive for a CFO, for example, to do a fraud is much lower than a founder because the shareholding wise, the percentage itself, the return wise, ROI is much better for them.

(15:51 - 16:03)
And that is why we see them getting involved. So founders should abstain given their long term goals are much better if they act by the book. And I think as management finance professionals look for these intangibles.

(16:03 - 16:19)
And ideally, either if you can influence and correct them, it's fine. Or do you want to stay with them in the longer journey? I don't know that to each their own. And to founders, the last thing, you know, most of the frauds that happen are from cost cutting because generally founders want to make more profit.

(16:19 - 16:24)
Yes, accounting standards, which you want to show more revenue fudging. That's one part. But this bucket is also bigger.

(16:24 - 16:36)
How can I be quick? There's one thing that's bootstrapping being smart and sensible. But that's there's one more thing that is, you know, going against. So I would urge people to differentiate between good and bad cost.

(16:36 - 16:48)
There is always a good cost that's required to be spent by businesses. Being over smart about it will just hurt you and lead you down the fraud arena. So these are the few things the founders should do right.

(16:49 - 16:59)
And if they have the right culture, they should also hire the right people. I don't want to talk more on that because it may lead to a more. I know some of the talking points from others.