BUILT IN THE TRENCHES · FOR CAs · 2026

Audit tools for the work that's actually painful.

You know the pain: Three-way match in Excel.

Three years of articleship taught me which parts of audit are real value-add and which parts are just Excel grind. I'm building the tools to kill the grind. Free. Browser-only. Your data never leaves your laptop. AI-built, but it never sees your data.

Open Three-Way Match → See all tools
✓ Zero data transmission ✓ No login required ✓ Runs offline once loaded ✓ ICAI-aligned outputs ✓ AI-engineered
How it works

Three clicks. Ninety seconds. One audit report.

Designed for the way you actually work: open a browser, drop your file, walk away with the output. No installation, no upload, no spreadsheet wizardry, no second laptop your firm has to approve.

STEP 01

Drop your Excel files

PO register, GRN register, Invoice register. Optionally the Payment register. Auto-detects column headers across Tally, SAP, Oracle, and custom ERP exports.

.xlsx · .xls · .csv · up to ~50K rows
STEP 02

Browser processes locally

JavaScript runs eighteen forensic detection modules entirely on your laptop. No server call, no cloud upload, no LLM inference. Your client data never leaves the browser tab.

Zero network calls during analysis
STEP 03

Download audit-grade Excel

35+ sheet workbook with executive opinion, risk heat map, vendor risk scoring, root causes, control effectiveness, and every exception classified by materiality tier. Walks straight into your working paper.

SA-referenced · materiality-tiered · partner-ready
The Toolkit

Tools shipped, tools cooking.

Everything runs in your browser. Click, upload your file, get an audit-grade report. Walk away with an Excel workbook your senior will actually accept.

III
Live · v3.0

Three-Way Match Forensic Engine

Upload PO, GRN, Invoice (and optionally Payment) registers. Engine runs 18 forensic detection modules: risk-tiered variances, four duplicate detection modes, cut-off testing, vendor risk scoring, Benford analysis, payment analytics. Exports 35+ sheet Excel report with audit opinion and recommended controls.

18 modules 5-tier risk 35+ sheets Auto-opinion
GST
Building

GSTR-2B Reconciliation

Drop your purchase register and GSTR-2B JSON. Get vendor-wise mismatch report with Section 16(2) timing flags, ineligible ITC list, and reverse charge identification. Walks straight into your GST audit working paper.

Section 16(2) Rule 36(4) JSON / Excel
CHK
Beta

Audit Checklist Generator

Pick assertion, account, or risk area. AI-generates a working paper checklist aligned to ICAI Standards on Auditing. Editable, exportable, partner-ready.

SA-aligned Editable PDF export
$$
Planned

Bank Reco Hunter

Upload your books and bank statement. Auto-matches on date, amount, narration. Flags uncleared cheques, bank-only entries, and timing differences. Exports a partner-grade BRS with all reconciling items classified.

Fuzzy matching Multi-format BRS export
TDS
Planned

TDS Verifier

Cross-checks Form 26AS against your books. Flags short deduction, wrong section, mismatched challans, and PAN errors. Outputs a vendor-wise reconciliation with recovery / additional liability summary.

26AS parser Section mapper
FAR
Planned

Fixed Asset Audit Pack

Upload FAR plus current period additions/disposals. Engine recalculates depreciation as per Schedule II, flags useful life mismatches, missing physical verification rows, and capital vs revenue line items.

Schedule II Useful life check
The Difference

Six hours in Excel. Ninety seconds in browser.

A side-by-side honest look at what changes when you stop doing three-way match by hand. Numbers based on a 5,000-row PO/GRN/Invoice population from a typical mid-size client audit.

Criterion
Manual Excel
AuditAIKit
Time to first finding
3-6 hours of VLOOKUPs
~90 seconds
Detection modules covered
Maybe 4 (qty, rate, exact dup, no-GRN)
18 forensic modules
Duplicate detection depth
Only exact INV# match
Exact + fuzzy + vendor-amt-date + 7-day window
Risk classification
Senior judgement, inconsistent
5-tier (Low → Critical) by % variance + materiality
Root cause column
You write it from memory
Auto-assigned per exception type
Vendor risk scoring
Not realistic to compute manually
0-100 composite, Top 20 ranked
Forensic indicators (Benford, weekend, round numbers)
Skipped
All computed automatically
Audit opinion narrative
Senior re-writes after review
Auto-generated, edit-ready
Output format
Working file no one wants to read
35+ sheet workbook, partner-ready
Data leaving your laptop
Stays on your laptop
Also stays on your laptop
The grind is not the audit. The grind is the Excel work between the audit and the working paper. That gap is what the toolkit closes.
240×time compression on three-way match
Why this exists

Article life was brutal.

Three years at S.P. Chopra & Co., Noida. Statutory audits, internal audits, ICFR documentation. Audited security agency payroll, travel vendors, and HACT-framework engagements for WHO, UNICEF, UNDP, UNFPA implementing partners.

Spent hundreds of hours doing three-way match in Excel with VLOOKUPs. Manual duplicate detection. Eyeball-based vendor risk assessment. The audit was rarely the hard part. The Excel grind around the audit was.

Big 4 firms have ACL, IDEA, EY Helix, KPMG Clara. Mid-size and small firms have Excel, copy-paste, and overtime.

So I started building the tools I wished I had during articleship. Browser-only, because that is the only way an article can actually run them without their partner panicking about client data leaving the firm.

If you are an article reading this at 11pm trying to finish a vouching working paper: this is for you. Free, always. Open the tool, drop the file, walk away with the output.

Built by
Gaurav Aggarwal. CA Final Group 1 cleared (Jan 2026 attempt). Group 2 result awaited (May 2026 attempt). Three years articleship at S.P. Chopra & Co., Noida. Forensic data analytics, international assurance, statutory audit, ICFR. Currently building this in public.
Delhi NCR · LinkedIn →
3 yrs
Articleship at S.P. Chopra & Co.
4
UN agencies audited (WHO · UNICEF · UNDP · UNFPA)
18
Detection modules shipped in v1
35+
Excel sheets per audit report
House Rules

Three things I will not compromise on.

PRINCIPLE 01

Your data stays on your laptop.

Every tool is a single HTML file. JavaScript runs in your browser. No upload to my server, no cloud processing, no analytics tracking your file contents. Close the tab and nothing persists. This is the only way an articleship student can actually use these tools without a partner panic.

PRINCIPLE 02

Output that's ICAI-grade, not toy-grade.

Every report includes the audit observation language your senior expects. SA references where relevant. Materiality framework that matches ICAI's. Risk-tiered findings, not just a flat exception dump. Built so you can paste output into your working paper without rewriting.

PRINCIPLE 03

Free, for as long as I can.

No login walls. No "upgrade for premium" pop-ups on the core analytics. If I ever need to charge for something heavy, it'll be a separate paid track. The tools you see here will stay free for CAs and articles. That's the deal.

What the output actually looks like

A working paper, not a data dump.

Sample exception from the Three-Way Match engine. Every finding carries vendor, materiality tier, financial impact, risk classification, root cause, and the SA reference your senior will ask about.

Why this matters at review stage

The difference between an exception report and an audit finding is the context around the number. Most exception engines stop at "Invoice X exceeds PO by Y%." Your senior then has to fill in the rest.

Three-Way Match v3 fills it in for you:

  • Materiality tier auto-assigned (Immaterial → Critical)
  • Risk classification across 5 levels of variance
  • Root cause from a library of 24 mapping rules
  • Vendor risk score and concentration flag
  • SA reference for the working paper trail
  • Recommended control to remediate

The result is a finding your senior can sign off on without rewriting it.

EXCEPTION · OVER-INVOICING
ID 0047 · CRIT
PO No.PO-2025-027
VendorMahalaxmi Trading
Vendor CodeV007
ItemTRD-15 · Trading Goods Mix
PO ValueRs. 1,02,000
Invoice ValueRs. 1,20,360
OverageRs. 18,360 (+18.0%)
Materiality TierMEDIUM
Risk ClassificationCRITICAL
SA ReferenceSA 240 · SA 330
PO sanction limit not enforced in three-way match block; PO amendment workflow circumvented. Vendor has billed Rs. 18,360 above approved PO value without recorded PO amendment.
Honest answers

Questions every CA asks before clicking.

If you have a question that isn't here, drop it in the suggestion form below or DM me on LinkedIn.

Your data never leaves your laptop. Every tool on this site is a single HTML file with JavaScript that runs entirely in your browser tab. There is no upload, no server call, no cloud LLM processing.

Want to verify? Open the Three-Way Match tool, then open your browser's Network tab (F12 → Network). Run a full audit on sample data. You will see zero outgoing network requests during analysis. The only network activity is the initial page load of the HTML file itself, after which you could literally disconnect your laptop from the internet and the tool would still work.

Close the browser tab and nothing persists. The next time you open the tool, your previous file and findings are gone. This is by design.

The honest answer: I built this for the article version of me. Three years at S.P. Chopra and I spent hundreds of hours on Excel work that should have taken minutes. I'm building these tools as a portfolio piece and because they genuinely help people I care about (articles, finalists, qualified CAs in small and mid-size practice).

No login walls. No tracking. No selling your email. If I ever need to charge for something heavy (a server-side processing tier for 100K+ records, custom-built tools for firms), that will be a separate paid track and clearly labelled. The core analytics on this site stay free.

Yes, with the same professional judgement you would apply to any audit tool. The output is designed to be paste-ready into a working paper, but it is your audit evidence and your conclusion. The tool computes; the auditor signs off.

For partner-side comfort: show them the principle. Tools run in browser. Data never uploads. No cloud processing. No persistent storage. The only way client data leaves your laptop is if you screenshot it or download the Excel report yourself. From a confidentiality standpoint, this is closer to using Excel macros than using a cloud SaaS.

I have used the v3 engine on my own articleship work to cross-check manually-prepared exception reports. Found three real exceptions the manual reports missed, including one fuzzy duplicate.

The detection engine is rule-based, not AI-inference. That means every flag is deterministic and auditable: you can see exactly which threshold was crossed, what the variance percentage was, why a tier was assigned. No black-box, no "the model said so."

Thresholds are configurable. The default materiality framework (Rs. 10K / 1L / 10L / 50L breakpoints) and variance tiering (2% / 5% / 10% / 25%) are ICAI-aligned, but you can adjust them per engagement to match the client's risk profile and your firm's internal materiality.

The severity filter defaults to "Medium and above" so you do not get flooded with low-risk noise. Switch to "All" if you want to see every variance regardless of materiality.

Deliberate distinction. AI was used to engineer the tools (writing the JavaScript, designing the detection logic, building the UI). AI does not run inside the tools at execution time. There is no LLM call, no cloud inference, no model running in the background analysing your data.

This matters because LLM-at-runtime would mean sending your data to a cloud API, which would break the privacy promise. By making the tools deterministic rule engines, the data never has to leave the browser. AI-built, but never AI-fed.

Most "AI audit tools" you will see at vendor conferences are the opposite: thin UI + cloud LLM inference. They are useful for some things but they cannot make the privacy promise we make.

Email me or DM on LinkedIn with a description of what happened. If you can share a redacted sample file that triggers the issue, even better. I read every report personally and ship fixes weekly.

This is a v1 product built by one person. Bugs are real and I am open about that. Your bug report is genuinely valuable to me because every fix benefits every other article using the tool.

Important: always cross-verify high-stakes findings manually. Treat the output as a first-pass screen, not an audit opinion. Your professional judgement remains the controlling layer.

Comfortable up to about 40,000 to 50,000 rows per file on a typical office laptop (8 GB RAM, modern browser). The XLSX parsing is the bottleneck, not the detection logic.

Beyond 50K, you may hit browser memory limits depending on your machine. If you regularly work with 100K+ row populations, this is the point where a server-side processing tier becomes useful. That is on the roadmap as a paid track if there is demand. For now: split the file by month or vendor, run separately, consolidate the Excel outputs.

Easier for me, not safer for you. A cloud SaaS would mean: signup, login, file upload to my server, processing on my infrastructure, storage of your file even temporarily, my company assuming responsibility for data residency under DPDP Act 2023.

Every one of those is a reason an article cannot use the tool. Their partner would (rightly) refuse to authorise uploading client data to a random CA's website. The cloud path closes the door for the exact audience this is built for.

So I kept it client-side. Less convenient to build features, much safer to use. That tradeoff is the entire point.

Roadmap

What else should I build?

If there's an Excel grind you do every audit that you wish was automated, tell me. I'm building this for the article version of me. Your suggestion shapes the roadmap.

  • Shipped
    Three-Way Match v3.018 detection modules including payment analytics, root cause, control effectiveness rating, 35+ Excel sheets.
  • Building
    GSTR-2B ReconciliationSection 16(2) timing, ineligible ITC under Section 17(5), reverse charge identification.
  • Building
    Audit Checklist Generator v2SA-aligned, assertion-driven, partner-ready PDF export.
  • Planned
    Bank Reconciliation HunterBooks vs bank, fuzzy narration matching, BRS auto-build.
  • Planned
    TDS Reconciliation (26AS)Vendor-wise short-deduction, wrong-section, mismatched challan detection.
  • Planned
    Fixed Asset Audit PackSchedule II depreciation recalc, useful life mismatch, PV-pending lines.
Optional. Used only to update you when your suggestion goes live.