How a ‘Digital’ Tax System Let Fraud Thrive Until CAG Intervened
Delhi traders hold a meeting on GST cuts (Image X.com)
Fake invoices, porous registrations and ₹57,000 crore in phantom credits—why India’s GST firewall was optional, and how audit forced a hard reset.
By P. SESH KUMAR
New Delhi, December 17, 2025 — India’s Goods and Services Tax (GST) was conceived as a technology-first, self-policing tax system in which invoice matching, real-time data flows and system-driven controls would replace intrusive inspections and discretionary enforcement. Yet, within a few years of rollout, the GST ecosystem became vulnerable to ‘large-scale’ fraud through fake registrations, circular trading, ineligible input tax credit and dubious refunds running into tens of thousands of crores.
As a very special case, resisting from producing an audit report, a Management Letter was issued by the CAG in February 2024—not as a routine audit communication; but as a forensic indictment of how a sophisticated tax architecture was perhaps, knowingly left porous, how preventive IT controls were sacrificed in favour of administrative convenience, and how the Government may have remained reactive rather than anticipatory despite mounting red flags.
The introduction of GST was rightly celebrated as a watershed in India’s fiscal history. Multiple central and state levies were subsumed, cascading taxes were dismantled, and a seamless chain of input tax credit (ITC) was promised across the value chain.
At its heart lay an ambitious promise: a non-intrusive, IT-driven tax regime where compliance would be ensured not by raids and inspections, but by system-verified invoice matching and automated checks- promoting ‘ease of doing business’.
The early years, however, told a different story. Technical glitches, an over-engineered return framework and repeated deferment of invoice matching diluted the very spine of the GST design.
What was meant to be a digital firewall against evasion slowly became a permissive platform where manipulation was not just possible, but alarmingly easy. The CAG’s first comprehensive audit of GST in 2019 had already flagged this structural drift.
Invoice matching, the core anti-fraud mechanism, had been sidelined in favour of a self-declared return in GSTR-3B. CAG had also narrated in the report how records were not produced and access to GSTN was denied for its then audit. The assumption, perhaps, was that post-facto scrutiny by tax officers would compensate for weak system controls.
That assumption proved catastrophically wrong. By the time simplified returns and linkages between GSTR-1, GSTR-2B and GSTR-3B were stabilised, the damage had already been done.
A system that allowed taxpayers to freely edit auto-populated tax liability and ITC figures effectively invited error, manipulation and fraud. The audit’s finding was blunt: the GST system trusted the taxpayer far more than it trusted its own data.
What made the February 2024 Management Letter particularly striking was that it documented not just isolated weaknesses, but a pattern of institutional complacency. It is understood that the then revenue secretary came to thank the enterprising Deputy CAG personally, said it was illuminating and had not seen anything like this in 30 years.
A more muted formal response is supposed to have come later in which Government appears to have mentioned the steps taken by them and some more to be taken in future after getting a nod from GST council. Subsequently, at an all India conference of Principal Chief Commissioners’ conference, the mischievous OTP based registration was discussed threadbare and decision was taken to stop it immediately.
By the Government’s own admission, between April 2020 and September 2023, over six thousand fake ITC cases involving more than ₹57,000 crore were detected, with hundreds of arrests. In 2023-24 alone, fake ITC fraud of about ₹14,000 crore surfaced. These figures were often projected as evidence of enforcement success.
The 10×Illusion: A Critical Review of GST 2.0’s Self-Eulogies
The Deputy CAG, however, turned that narrative (in the Management Letter) on its head. Detection on this scale, largely through departmental test checks and anti-evasion drives, was not proof of a strong system; it was proof of how much had slipped through unnoticed.
A truly preventive GST architecture would never have allowed such volumes of fraudulent credit to be generated in the first place. A central reason why the Government remained unaware—or chose to remain unaware—of the depth of the problem lies in the design philosophy adopted post-rollout.
GSTN was treated as a filing portal rather than as a compliance gatekeeper. Entry into the system was weakly policed, allowing fake and fly-by-night entities to obtain registrations, issue invoices, claim credits and disappear before enforcement could catch up.
The Deputy CAG’s letter was unequivocal in stating that most fake invoicing chains originated with entities whose credentials were never properly verified at the registration stage. Once inside the system, they enjoyed the same digital privileges as genuine businesses.
The executive response focused on cleaning up after fraud occurred, rather than preventing ineligible entities from entering the ecosystem at all. This failure was compounded by half-measures in technological reform. E-invoicing was introduced, but only for large taxpayers and through multiple invoice registration portals, diluting serial control and system oversight. Section 16 of the CGST Act clearly requires that tax must actually be paid to the Government before ITC is availed.
Yet the return system never enforced this condition technologically. Credits could be claimed based on filed returns, even if the supplier had not remitted tax.
The law was clear; the system was not. This gap became the oxygen for circular trading, shell entities and credit laundering. The CAG’s critique here was devastating in its simplicity: a tax system that cannot ensure that tax has been paid before credit is granted is structurally unsafe, no matter how many enforcement squads it deploys later.
The audit letter also exposed quieter, less sensational leakages that could collectively erode the tax base. Composition dealers, meant to be low-risk, low-compliance taxpayers, were found to be crossing turnover thresholds, collecting tax illegally and remaining outside effective verification mechanisms.
Non-registration of eligible taxpayers in high-growth sectors meant that GST buoyancy lagged behind the growth in economic activity. These were not blind spots; they were consequences of inadequate data integration and the absence of real-time third-party information flows into GSTN.
While the Income Tax Department moved towards an Annual Information System that pre-emptively flags discrepancies, GST remained largely transactional and retrospective in its enforcement mindset.
Against this backdrop, the role of the Deputy CAG (and by extension of CAG) would stand out as both corrective and catalytic. Far from being a mere post-mortem commentator, the CAG used data analytics, cross-database matching and risk profiling to demonstrate what the GST system itself should have been doing in real time.
Its recommendations consistently pushed the executive towards preventive, IT-embedded controls: mandatory biometric authentication, geo-tagging of business premises, universal e-invoicing, noneditable auto-populated returns, and tighter system enforcement of statutory conditions for ITC.
The Management Letter was not accusatory in tone, but its subtext was unmistakable. The architecture of GST was not flawed by accident; it was weakened by design choices that privileged flexibility over fidelity, and administrative ease over systemic integrity.
Credit for this unusual, positive, ‘out of the way’, innovative, measured and targeted approach should go to the Deputy CAG and his team. The most significant contribution of CAG lay in reframing the GST reform debate.
It shifted the conversation away from sporadic fraud headlines and enforcement tallies to a deeper question: why was a digital tax system allowed to function without digital discipline?
By highlighting how simple system controls could have prevented large-scale misuse, the audit forces policymakers to confront uncomfortable truths about governance in the age of technology. Technology does not fail silently; it fails exactly in the ways it is designed to fail.
The way forward is therefore not about more raids or harsher penalties, but about restoring GST to its original technological promise. Registration must become a gated process, not a formality. Invoicing must be universal, serially controlled and system-generated. Returns must be system-locked, with deviations allowed only through documented, auditable exceptions.
Input tax credit must be a consequence of tax payment, not a matter of trust. Above all, GSTN must evolve from a passive repository into an active compliance engine, fed continuously by third-party data and real-time transaction trails.
The February 2024 Management Letter provided not just a diagnosis, but a blueprint. Whether the executive acts on it ( it did act, though without as much publicly acknowledging the role of the CAG) will determine whether GST matures into a robust digital tax system-or continues to bleed through the very gaps it was meant to eliminate.
(This is an opinion piece, and views expressed are those of the author only)
Follow The Raisina Hills on WhatsApp, Instagram, YouTube, Facebook, and LinkedIn
About The Author
