Why Payroll Audits in India Are Not Optional Risks
A payroll audit in India is not a remote contingency. EPFO issued a revised Standard Operating Procedure for inspections in 2023 that formalized a three-stage process applied to tens of thousands of establishments annually. The Income Tax Department’s Computer-Assisted Scrutiny Selection system flags TDS returns based on data analytics and third-party mismatches. ESIC social security officers conduct test inspections on a rolling basis. State labour departments conduct their own Shops & Establishments checks.
For foreign employers running payroll in India — whether through an entity or an Employer of Record — the correct posture is not “we’ll handle it if it happens.” It is “we are documented, reconciled, and ready today, so an audit notice is administrative work rather than an emergency.”
This checklist covers every dimension of payroll audit preparation: what triggers audits, what authorities inspect, what documents you must maintain, common findings, and the penalty framework.
The Five Audit Authorities You Must Prepare For
India payroll compliance is enforced by multiple authorities, each with distinct jurisdiction and powers.
1. EPFO — Employees’ Provident Fund Organisation
EPFO conducts inspections under Section 13 of the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952. Its inspectors have civil-court powers: they can enter premises, examine records, summon witnesses, and require document production.
The 2023 SOP formalized a three-step progression:
- Step 1 — Nudge & Watch: Establishments flagged as likely defaulters receive notices, SMS reminders, and email follow-ups to self-remit
- Step 2 — E-verification: Continued defaulters are asked to declare dues, produce digital records, or formally declare closure
- Step 3 — Physical Inspection: Establishments that do not respond are physically inspected with full Section 13 powers
When short payment is determined, EPFO initiates a formal inquiry under Section 7A where the Provident Fund Commissioner acts in a quasi-judicial capacity to determine liability. Orders carry interest at 12% per annum under Section 7Q and damages up to 100% of arrears under Section 14B.
2. ESIC — Employees’ State Insurance Corporation
Under Section 45 of the ESI Act, 1948, Social Security Officers can inspect establishments, call for information, search premises, examine employers or agents, and copy documents. Test inspections are generally limited to the 5 years preceding the contribution date under Section 45-A.
Non-compliance attracts damages up to 100% of the contribution under Section 85-B, imprisonment up to 1-2 years, and fines under Section 85.
3. Income Tax Department — TDS Assessment
The Income Tax Department assesses employer TDS compliance through several provisions:
- Section 143(1): Preliminary intimation after return processing
- Section 143(2): Scrutiny notice for detailed examination — issued when returns show inconsistencies or under CASS selection
- Section 143(3): Regular assessment order
- Section 144: Best judgment assessment when the assessee ignores prior notices
- Section 148: Reassessment for income deemed to have escaped assessment — up to 3 years ordinary, up to 10 years where escaped income exceeds ₹50 lakh
Penalties include interest at 1-1.5% per month on late payment, ₹200/day for late filing of TDS returns (no upper cap), and ₹100/day per certificate for late Form 16 issuance.
4. State Labour Departments
Each state’s labour department enforces its own Shops and Establishments Act, Professional Tax legislation, and Labour Welfare Fund rules. Inspectors check registrations, wage registers, attendance records, leave records, and working-hours compliance.
5. Directorate General of Labour Welfare / State Welfare Boards
Where applicable, state welfare boards audit Labour Welfare Fund contributions, often the smallest in absolute terms but a reliable audit finding because so many employers overlook them.
What Triggers an Audit
Auditors do not select establishments randomly. Triggers cluster around a few predictable patterns.
| Trigger | Authority |
|---|---|
| Non-filing or erratic ECR filing | EPFO |
| ECR amount variance versus bank payment | EPFO |
| Employee complaint (PF not credited, ESI not deducted) | EPFO, ESIC |
| Whistleblower complaint via government portal | All authorities |
| Third-party data mismatch (Form 26AS vs. TDS returns) | Income Tax |
| CASS random selection | Income Tax |
| High-value transaction flags | Income Tax |
| PF member database anomalies (duplicate UANs, KYC gaps) | EPFO |
| Industry-specific drives (seasonal IT inspections) | EPFO, ESIC, State Labour |
| Ex-employee complaint on final settlement | State Labour |
| Social media or press coverage alleging non-compliance | All authorities |
| Prior audit findings not resolved | All authorities |
A startup that files ECR every month, reconciles bank deposits against challans, issues Form 16 by June 15, and responds to employee queries promptly will rarely see an audit. Establishments with pattern breaks attract attention.
Documentation Requirements: The 10-Category Checklist
A payroll-audit-ready employer maintains documentation in ten categories. Missing any one category is the most common audit finding.
1. Statutory Registrations
- PF registration certificate with establishment code
- ESI registration certificate (if applicable)
- TAN allotment letter
- Professional Tax Employer Enrollment Certificate (EC) and Professional Tax Registration Certificate (RC) per state
- Shops & Establishments registration per state
- Labour Welfare Fund registration per applicable state
- GST registration if services invoicing applies
2. Employee Master Records
- Appointment letters for every current and former employee
- Employment contracts with all terms
- Updated KYC: PAN, Aadhaar, bank details
- UAN and ESIC IP numbers where applicable
- Resignation or termination letters
- Full and final settlement calculations and receipts
3. Monthly Contribution Evidence
- ECR files filed on EPFO unified portal (download the acknowledgement every month)
- PF challans with payment confirmation
- ESI monthly contribution statements and challans
- TDS challans (Challan 281) with BSR codes and payment dates
- Professional Tax challans per state
- LWF payment receipts per applicable state
4. Payroll Computation Records
- Monthly salary registers with full breakup per employee
- Payslips issued to every employee every month
- Attendance and leave registers (digital or physical)
- Overtime registers where applicable
- Loss-of-pay adjustments with documentation
- Bonus calculations (if applicable)
- Gratuity provisioning records
5. Tax Computation
- Year-to-date TDS calculation worksheets per employee
- Investment declarations filed by employees
- Investment proofs collected at year-end
- Tax regime elections per employee
- Previous-employer Form 12B for mid-year joiners
- Non-cash perquisite valuations (ESOPs, rent-free accommodation, interest-free loans)
6. TDS Returns and Certificates
- Form 24Q quarterly returns with acknowledgements
- Form 24Q Q4 Annexure II with full-year computation
- Form 16 Part A (from TRACES) for every employee
- Form 16 Part B prepared and issued per employee
- Evidence of Form 16 distribution date
7. Bank and Reconciliation
- Monthly bank statements showing contribution payments
- Reconciliation between payroll register, challans, and bank debits
- Salary credit evidence (NEFT/RTGS confirmations)
- Vendor payments for outsourced payroll services
8. Compliance Communications
- Notices received from any authority and responses filed
- Acknowledgements from authorities
- Inspection reports and closure letters
- Assessment orders and appeals filed
9. Policy Documents
- HR policy manual including leave, probation, termination
- Salary structure guidelines
- Working hours and overtime policy
- POSH policy with constituted internal committee
- Grievance redressal mechanism
- Standing orders (if applicable based on establishment size)
10. Statutory Registers Under the Labour Codes
- Register of workers (unified under OSH Code, replacing multiple registers from repealed acts)
- Wages register reflecting the new Code on Wages definition
- Leave register
- Overtime register
- Return of accidents and occupational diseases (if applicable)
Retention Periods by Statute
Different statutes impose different retention periods. Default to the longest applicable period for each document type.
| Document | Minimum Retention | Statute |
|---|---|---|
| Salary and wages registers | 3 years after last entry | Payment of Wages Act (preserved under Code on Wages transition) |
| PF records and ECR filings | 5 years after employee exit | EPF Act and EPFO procedures |
| ESI records | 5 years | ESI Act |
| TDS challans and returns | 8 years from assessment year | Income Tax Act |
| Form 16 copies | 8 years | Income Tax Act |
| Attendance and leave registers | 3 years | Shops & Establishments Acts |
| Bonus payment records | 8 years | Payment of Bonus Act (preserved under Code on Wages) |
| Gratuity records | 5 years post-payment | Payment of Gratuity Act (preserved under Code on Social Security) |
| Company statutory records | 8 years minimum | Companies Act, 2013 |
A practical default: maintain all payroll records digitally for 8 years. The marginal cost of storage is trivial compared to the cost of a missing document during an audit.
Common Audit Findings: The Patterns We See Repeatedly
Across audits against foreign employers in India, the same findings appear with striking regularity.
- PF limited to ₹15,000 ceiling: Employers capping PF on the statutory wage ceiling while paying basic above that — once you opt to pay PF on actual basic, you cannot revert
- TDS on non-cash perquisites: ESOPs, rent-free accommodation, interest-free loans, and company car values frequently go untaxed
- Multi-state PT gaps: Remote employees in different states trigger professional tax obligations in each state — commonly missed
- LWF non-registration: The smallest statutory contribution, the most common finding
- Form 16 delays: Issued after the June 15 deadline, incurring ₹100/day per certificate
- Fixed-term gratuity provisioning: Post November 21, 2025, fixed-term contracts must provision pro-rata gratuity
- ECR versus bank mismatch: Challan generated for one amount, bank debit for another, not reconciled
- Investment proof gaps: Deductions allowed without valid proof, making the employer liable for under-deducted TDS
- Form 26AS mismatches: Employee’s Form 16 shows TDS deducted, but Form 26AS doesn’t show the credit — 24Q filed incorrectly
- Bonus eligibility errors: Employees earning up to ₹21,000/month are entitled to Payment of Bonus; routinely missed
- Minimum wage compliance: Not tracking state-specific minimum wage notifications semi-annually
The Audit Response Playbook
When a notice arrives, the first 72 hours matter most.
Day 1: Read the notice, note the authority, sections cited, and reply deadline. Verify it’s genuine — EPFO notices have unique IDs on the EPFO portal; income tax notices have DIN numbers on the e-filing portal. Acknowledge receipt if required but do not panic-respond.
Days 2-3: Pull all relevant documents for the period in question. Reconcile against the contributions, returns, or filings referenced. Quantify potential exposure. Engage a chartered accountant for income tax matters and a labour law advisor for EPFO/ESIC matters.
Days 4-14: Prepare a comprehensive reply with every document cross-referenced. Submit within the prescribed timeline; request extensions formally if genuinely needed. Retain acknowledgements.
Post-reply: Attend hearings on time with the full document set. If an adverse order is issued, evaluate appeal options (tribunals, commissioners, courts) within the prescribed time. Implement corrective actions immediately.
How Omnivoo Handles Payroll Audits for India Employees
For clients on Omnivoo’s EOR platform, payroll audit exposure is handled end-to-end:
- Documentation retention: Every payslip, challan, ECR, Form 16, and supporting document is retained digitally for the full statutory period
- Proactive reconciliation: Monthly reconciliation between payroll register, ECR, ESI statements, TDS challans, and bank debits — catching variances before they become audit flags
- Audit-response infrastructure: When a notice arrives, our compliance team responds directly to the authority as the legal employer of record
- Client-facing transparency: Clients see every filing, every payment, and every compliance log in real time through the platform
- Penalty protection: Audit outcomes against the EOR entity are handled by Omnivoo; clients face no direct statutory liability, and contractual indemnities are explicit
Foreign employers running payroll through their own Indian entity get none of this automatically — they must build it themselves, which is precisely why audit findings are so common among foreign-owned subsidiaries.
Key Takeaways
- Payroll audits in India come from five authorities — EPFO, ESIC, Income Tax, State Labour, and LWF boards — each with distinct triggers and powers
- Non-filing, mismatches, and employee complaints are the leading audit triggers
- Maintain 10 document categories for 5-8 years depending on the governing statute
- Section 7A inquiries (EPFO) and Section 143/148 assessments (income tax) are the most common formal proceedings
- The top 12 audit findings repeat across foreign employers — fix them now, not after a notice
- Response speed in the first 72 hours materially affects outcomes
- An EOR absorbs direct audit liability for Indian employees — that’s a large part of what you are paying for
Running payroll in India without audit-ready documentation is a liability waiting to surface. Omnivoo maintains every record, reconciles every payment, and responds to every notice as the legal employer for India employees. Get started with Omnivoo and remove payroll audit exposure from your India operations.