CA Audit: GST Invoice + 269ST Checklist

Field auditors verify GST tax invoices, payment receipts, and cash receipts against three primary sources, and each source rules out a different class of fabrication. The GSTIN active-status pull on the GSTN portal confirms that the supplier was registered for GST on the invoice date and rules out shell-entity invoices. The Form 26AS and AIS reconciliation on the Income Tax e-Filing portal cross-references the transaction against the counter-party's reported income and rules out unilateral fabrication. The Invoice Reference Number (IRN) lookup on the e-invoicing registry for B2B suppliers above the threshold confirms the invoice was reported to the Invoice Registration Portal at issuance and rules out post-dated insertions.

The eight authenticity tests a CA runs on a GST invoice, the Section 269ST audit pattern (Rs. 2 lakh single-recipient cash limit, 100% penalty under Section 271DA), the Form 15CA / 15CB workflow for cross-border payments, and the AIS cross-check that surfaces every transaction reported by counter-parties. The field guide below covers the audit pattern at the supplier level, the buyer level, and the cross-border level.

A genuine GST tax invoice carries a fixed set of statutory fields under Rule 46 of the CGST Rules, 2017. A CA running an audit on a sampled invoice runs the eight checks below in roughly the order they fail.

1. **GSTIN format.** The supplier GSTIN must be 15 alphanumeric characters in the structure: 2-digit state code, 10-digit PAN, 1-digit entity code, the letter Z by default, and a 1-digit checksum. A malformed GSTIN fails the format check before any portal pull is needed.

2. **GSTIN active-status pull.** Search the GSTIN on the GSTN portal taxpayer-search facility. The portal returns the legal name, the trade name, the registration date, the state, the constitution of business, and the current status (Active, Cancelled, Suspended). An invoice issued after the cancellation date by a Cancelled GSTIN is fabricated or unauthorised.

3. **HSN/SAC code in master.** The 4-, 6-, or 8-digit HSN code (for goods) or SAC code (for services) on the invoice must exist in the CBIC master and must correspond to the supply description. A laptop sold under HSN 3304 (cosmetics) flags either coding error or misreporting.

4. **Invoice Reference Number (IRN) for above-threshold supplies.** B2B taxpayers with aggregate turnover above the e-invoicing threshold (Rs. 5 crore from 1 August 2023) must obtain an IRN from the Invoice Registration Portal at issuance. The IRN is a 64-character SHA-256 hash printed on the invoice, accompanied by a QR code. The e-invoice search facility returns the original signed invoice on IRN input. An above-threshold supplier issuing an invoice without an IRN is in breach of Rule 48(4) of the CGST Rules.

5. **Signed JSON file.** The IRP returns a signed JSON file alongside the IRN. The signed JSON contains the canonical invoice data and the IRP's digital signature. CAs auditing high-value supplies request the signed JSON from the supplier and verify the signature against the NIC public key. Tampering between issue and audit fails the signature check.

6. **Sequential invoice numbering.** Under Rule 46, invoice numbers must be consecutive within a financial year, with no gaps. A CA pulls the supplier's invoice register for the period and confirms that the audited invoice falls within the issued sequence. A missing or duplicated number warrants drill-down: either the supplier omitted invoices from disclosure, or the audited invoice was inserted after the fact.

7. **Place-of-supply consistency.** The place of supply determines whether IGST applies (inter-state) or CGST and SGST apply (intra-state). The supplier state on the GSTIN, the recipient state, and the place-of-supply field on the invoice must align with the tax split. A Tamil Nadu supplier invoicing a Maharashtra recipient with CGST and SGST instead of IGST has misclassified the supply.

8. **IGST/CGST/SGST split arithmetic.** The tax amount must equal the taxable value multiplied by the applicable rate, split into the correct heads. A 5% supply on Rs. 10,000 must show Rs. 500 (IGST) or Rs. 250 + Rs. 250 (CGST + SGST). Rounding errors above Rs. 1 are flagged.

For the buyer-side counterpart of these checks, the GST invoice receipt rights guide covers Section 31's mandatory issuance obligation and the remedies when a registered supplier refuses to issue a tax invoice.

Payment receipts close the audit loop on the financial side. Where a tax invoice is the demand for payment, a payment receipt is the acknowledgment of receipt. Three checks apply.

1. **Receipt-to-invoice matching.** Each payment receipt must reference the underlying invoice number, date, and outstanding amount. Where the receipt is for an advance against a future invoice, GST applies on the advance (Section 12 / Section 13 CGST Act, time-of-supply rules) and a Receipt Voucher under Rule 50 must be issued. CAs reconcile the receipt register with the invoice register quarter by quarter; advances received but not adjusted against invoices within 30 days warrant drill-down.

2. **UTR cross-check against bank statement.** For NEFT, IMPS, RTGS, and UPI payments, the receipt should carry the transaction's UTR. The CA matches the UTR against the supplier's bank statement: the credit must appear on the date the receipt is dated, in the matching amount, with the payer name matching the recipient on the receipt. A UTR that does not appear in the bank statement, or appears in a different amount or to a different payer, is a fabricated or misapplied receipt.

3. **Cash-vs-digital ratio.** The proportion of cash receipts to total receipts is a leading indicator of compliance risk. A retail business with 60-70 percent cash is normal; a B2B service provider with 60-70 percent cash carries the cash-handling exposure of Section 269ST and Section 269SS (Rs. 20,000 cash loan or deposit limit). Auditors profile the ratio over four quarters; sudden shifts toward cash, often around year-end, warrant 100 percent receipt-level review.

For cash receipts above Rs. 5,000 individually, the Indian Stamp Act 1899 requires a Re. 1 revenue stamp on the receipt, with the recipient's signature across the stamp. A cash receipt for Rs. 12,000 without a stamp is technically defective evidence; the auditor flags the file for either correction or disallowance of the underlying expense at the buyer's end.

Section 269ST of the Income Tax Act prohibits any person from receiving Rs. 2 lakh or more in cash from a single person in a single day, in respect of a single transaction, or in respect of transactions relating to one event or occasion. A breach attracts penalty equal to the amount received under Section 271DA. Each trigger captures a different cash-aggregation pattern.

**Trigger 1: single transaction.** A single sale, service contract, or payment of Rs. 2 lakh or more in cash, however many days it spans, is prohibited. A vehicle sold for Rs. 4 lakh in cash on one day, or in two cash tranches of Rs. 2 lakh across two days against the same invoice, both fall within the trigger.

**Trigger 2: single day.** Multiple cash receipts from the same person in a single day that aggregate to Rs. 2 lakh or more breach the limit. Twenty payments of Rs. 11,000 each from one customer in one day cross the threshold.

**Trigger 3: single event.** Cash payments relating to one event or occasion, even spread across days or invoices, aggregate. A wedding planner receiving cash from one family across multiple invoices for catering, decoration, and venue, totalling Rs. 2.5 lakh, breaches the limit.

**Trigger 4: single occasion.** Similar to event, but covers transactional patterns recognised as one occasion: a single gold purchase split across multiple bills, a single property booking split across earnest money and instalments, a single cash gift split across denominations.

The CA's audit checklist for Section 269ST exposure:

1. Pull the cash receipt register for the audit period

2. Sort by counter-party PAN (or name plus address where PAN is absent)

3. Aggregate by single-day, single-transaction, and single-event windows

4. Flag every aggregate that touches Rs. 2 lakh

5. For flagged aggregates, check whether the recipient was the seller (Section 269ST falls on the receiver, not the payer), and whether any exemption applies (government receipts, banking-company receipts, post office receipts, and cooperative bank receipts are excluded)

6. Quantify the exposure: penalty under Section 271DA equals the cash received in breach, payable by the receiver

The most common founder and freelancer trip-up is the single-event aggregation: a freelance designer billing a wedding-stationery client across separate cash receipts of Rs. 70,000, Rs. 80,000, and Rs. 75,000 over a month falls within Trigger 3. The aggregated Rs. 2.25 lakh attracts a Rs. 2.25 lakh penalty on the freelancer. Insisting on bank transfer above Rs. 1.99 lakh per transaction window is the standard mitigation. For the full counter-party-side framing, see Section 269ST: the Rs. 2 lakh cash transaction limit.

Cross-border remittances from India trigger reporting obligations under Section 195 of the Income Tax Act and Rule 37BB of the Income Tax Rules. The remitter (the resident making the payment) files Form 15CA before remittance; the CA certifies the chargeability of tax via Form 15CB where required.

**Form 15CA Part D: self-certification, no CA required.** Applicable when the remittance is for a Specified List item (LRS investments, education abroad, medical treatment, and similar items per the CBDT Specified List). The remitter uploads Form 15CA Part D directly on the Income Tax e-Filing portal without a CA certificate.

**Form 15CA Part C with Form 15CB: CA certification required.** Applicable when the remittance exceeds Rs. 5 lakh in the financial year aggregate AND the remittance is not in the Specified List AND the remittance is chargeable to tax. The CA evaluates the chargeability of tax under the Income Tax Act, the applicability of the relevant Double Tax Avoidance Agreement (DTAA), and the appropriate withholding rate. The CA issues Form 15CB online on the e-Filing portal, which the remitter then references in Form 15CA Part C.

**Form 15CA Part A: small remittances.** Applicable when the single remittance does not exceed Rs. 5 lakh AND there is no aggregate above Rs. 5 lakh in the financial year. Self-filed.

**Form 15CA Part B: remittance covered by AO order.** Applicable when an Assessing Officer or Income Tax Authority order under Section 195(2), 195(3), or 197 prescribes the withholding. References the order number.

The CA's audit pattern at year-end: pull the remitter's foreign bank transfers list, classify each remittance by Specified List eligibility, by aggregate threshold, and by chargeability under the relevant DTAA. The CA confirms that the corresponding Form 15CA + 15CB pair was filed in advance for each remittance above the threshold. Late or missing filings attract penalty under Section 271-I at Rs. 1 lakh per default.

For the freelancer counterpart of cross-border invoicing (when Indian freelancers receive foreign currency for export of services), see Rule 114B Rs. 50,000 threshold for NRI freelancers.

The Annual Information Statement is the consolidated PAN-linked record of every transaction reported by counter-parties to the Income Tax Department. Where Form 26AS shows TDS deposited against a PAN, the AIS shows the broader picture: salary credits, interest income, dividends, mutual fund redemptions, securities transactions, foreign remittances, high-value cash deposits, immovable property transactions, and Specified Financial Transactions (SFT) above the reporting thresholds.

The SFT thresholds drive what surfaces in AIS:

• Cash deposits aggregating Rs. 10 lakh or more in a savings account in a financial year (reported by banks)

• Cash deposits aggregating Rs. 50 lakh or more in a current account in a financial year (reported by banks)

• Credit card payments aggregating Rs. 1 lakh in cash or Rs. 10 lakh through any mode in a financial year

• Purchase or sale of immovable property of Rs. 30 lakh or more (reported by Sub-Registrar)

• Purchase of bonds or debentures aggregating Rs. 10 lakh or more in a financial year (reported by issuer)

• Purchase of shares aggregating Rs. 10 lakh or more in a financial year (reported by company)

• Purchase of mutual fund units aggregating Rs. 10 lakh or more in a financial year (reported by AMC)

• Receipt from sale of foreign currency aggregating Rs. 10 lakh or more (reported by authorised dealer)

• Time deposits aggregating Rs. 10 lakh or more in a financial year (reported by banks)

The CA's AIS audit pattern:

1. Pull the assessee's AIS from the Income Tax e-Filing portal at the start of the audit (the AIS updates throughout the year as counter-parties report)

2. Reconcile each reported entry against the assessee's books: a Rs. 25 lakh property purchase reported in AIS must appear as an asset addition in the books, the Rs. 12 lakh share purchase must appear in the investment register

3. Identify gaps in either direction: AIS entries with no corresponding book entry indicate either misreporting by the counter-party or unrecorded transactions; book entries with no corresponding AIS reflect either below-threshold transactions or non-reported categories

4. For high-value gaps, request the underlying counter-party document (invoice, contract, sale deed) and verify

The AIS is the highest-yield cross-check the IT Act provides. A complete AIS reconciliation catches both unilateral fabrication (the assessee declared Rs. 8 lakh interest income from Bank A but Bank A reported nothing) and material omission (the assessee did not declare a Rs. 22 lakh property purchase reported by the Sub-Registrar).

Four shifts matter for CAs running compliance audits from 1 April 2026. The e-invoicing threshold has been lowered to Rs. 5 crore aggregate turnover (was Rs. 10 crore earlier), pulling many mid-sized B2B suppliers into the IRN-mandatory regime. Faceless assessment now covers tax audits where transaction-level documentation stands as the only record; the auditor cannot ask supplementary questions in person, so the document is the audit. AIS coverage has expanded to digital wallet transactions, capturing UPI receipts and digital wallet aggregates that previously sat outside the SFT net. The GST input-credit reform under Section 16(2)(c) of the CGST Act ties recipient input credit to the supplier's tax payment, so reverse-direction supplier audits now affect recipient credit positions. Verify any inbound invoice or payment receipt carrying a verification QR for instant authenticity confirmation, free for the verifier. For CA-issued client invoicing, the pakka bill (GST tax invoice) generator issues Section 31-compliant invoices in 60 seconds.

A CA firm runs two parallel document workflows. The verification workflow handles inbound documents (audit clients submit invoices, receipts, and contracts). The issuance workflow handles outbound documents (the firm bills its own clients and issues receipts to the firm's vendors).

**Inbound verification: the QR-scan side.** When a client submits a vendor invoice, a payment receipt, or a salary slip carrying a verification QR, the CA scans the QR with any phone camera and the verifier endpoint returns the payload: issuer, document type, key fields, and a time-stamp. The check confirms whether the document is unmodified since issue. For documents not carrying a verification QR, the CA falls back on the eight-field GST invoice check, the UTR-to-bank-statement match for payment receipts, and the AIS cross-check.

**Outbound issuance: the firm's own client billing.** A CA practice billing fifty clients monthly issues fifty tax invoices a month under its own GSTIN. Issuing each through a Section 31-compliant tool (pakka bill generator) confirms the invoice carries the mandatory Rule 46 fields, the IRN where the firm crosses the e-invoicing threshold, and the digital signature. For payment receipts the firm issues to clients (advances, milestone payments, retainer receipts), the misc receipt generator handles the UTR field, the revenue stamp where applicable, and the receipt-voucher format under Rule 50.

**The corporate bundle for multi-CA practices.** A CA firm with ten or more associates issues thousands of documents annually, both for the firm's own billing and increasingly for client back-office support. The corporate bundle provides verification-strengthened generators across the document suite under one access code, billed monthly. Plans start at Rs. 499 for 100 credits on a 45-day wallet. For freelance CAs operating solo, the per-document pricing on the standalone generators (Rs. 4 to Rs. 49 per PDF) usually works out cheaper for under 50 documents per month.

For the parallel pattern of how lenders and banks verify documents at scale (using the same primitives but on inbound applicant submissions), see the salary slip and rent receipt verification checklist for banks and NBFCs. For the founder-side first-year compliance walkthrough that complements this audit-side guide, see Indian startup first-year compliance: GST, TDS, and payroll basics.