IT Company Annual Compliance Checklist for India 2026
Running an IT company in India means filing 40 to 55 compliance forms every year, from monthly TDS deposits and GST returns to annual ROC filings with the MCA. Miss your DIR-3 KYC by a single day and each director pays ₹5,000. Skip your AOC-4 and the penalty runs at ₹100 per day with no cap. For software companies generating revenue from exports, STPI performance reports and softex forms add another layer entirely. This checklist covers every monthly, quarterly, and annual compliance obligation that Indian IT companies face in 2026, organized by deadline so you never pay a penalty you did not have to.
- IT companies in India face 40 to 55 annual filings across ROC, GST, TDS, PF/ESI, and income tax
- Late ROC filing (AOC-4/MGT-7) attracts ₹100 per day penalty with no maximum cap
- Critical deadlines: DIR-3 KYC by Sep 30, ITR by Oct 31, GSTR-9 by Dec 31, AGM by Sep 30
- IT-specific compliance includes STPI/SEZ reporting, CERT-In incident reporting (6 hours), and DPDP Act obligations
- Annual compliance costs range from ₹25,000 for startups to ₹5,00,000 for large IT firms
What is Annual Compliance for IT Companies?
Annual compliance for IT companies is the set of mandatory filings, meetings, audits, and regulatory submissions that every registered IT business in India must complete each financial year. These obligations arise from the Companies Act, 2013 (for Pvt Ltd companies), the Income Tax Act, 1961, the GST Act, 2017, the Employees' Provident Fund Act, 1952, and sector-specific regulations like STPI guidelines and the IT Act, 2000. Compliance applies whether your IT company earned ₹1 lakh or ₹100 crore during the year.
The compliance burden for IT companies is heavier than for many other sectors because of three factors. First, most IT companies are Private Limited Companies, which carry the full weight of Companies Act requirements: board meetings, AGMs, statutory audits, and multiple MCA filings. Second, IT companies with employees trigger PF, ESI, and professional tax obligations that add 12 to 15 monthly filings. Third, IT companies engaged in software exports through STPI or SEZ must file additional performance reports and maintain export documentation. Missing your DIR-3 KYC is like forgetting to renew your Aadhaar link, except the penalty hits your wallet harder: ₹5,000 per director versus ₹0 for late Aadhaar updates.
IT company compliance is governed by the Companies Act, 2013 (Sections 92, 137, 139, 173), Income Tax Act, 1961, CGST Act, 2017, and EPF & MP Act, 1952. Filings are submitted through the MCA V3 portal, GST portal, and Income Tax e-filing portal.
Monthly Compliance Checklist for IT Companies
Monthly compliance is the most frequent and, if missed consistently, the most expensive category. An IT company with GST registration and 25 employees faces 6 to 8 filings every single month. Getting the monthly rhythm right prevents penalty accumulation that can wipe out a quarter's profit.
| Compliance | Due Date | Form/Portal | Applicable To | Penalty for Late Filing |
|---|---|---|---|---|
| TDS deposit | 7th of following month | Challan 281 / e-filing portal | All IT companies deducting TDS | 1.5% interest per month on amount |
| GSTR-1 (outward supplies) | 11th of following month | GST portal | IT companies with turnover above ₹5 crore | ₹50/day (₹25 CGST + ₹25 SGST), max ₹10,000 |
| GSTR-3B (summary return) | 20th of following month | GST portal | All GST-registered IT companies | ₹50/day + 18% interest on tax due |
| PF deposit (employer + employee) | 15th of following month | EPFO portal | IT companies with 20+ employees | 12% interest per annum + damages up to 100% |
| ESI deposit | 15th of following month | ESIC portal | Employees earning up to ₹21,000/month | 12% interest per annum |
| Professional tax | Varies by state (typically by end of month) | State commercial tax portal | IT companies in applicable states | Varies by state (₹1,000 to ₹5,000) |
The TDS deposit on the 7th is the tightest monthly deadline. IT companies deducting TDS on contractor payments (Section 194C), professional fees (Section 194J at 10%), and employee salaries (Section 192) must deposit total TDS by this date. A company paying ₹10 lakh in contractor fees monthly and missing TDS deposit by 2 months owes ₹3,000 in interest alone, before any penalty proceedings.
PF deposits carry the harshest late payment consequences among all monthly compliances. Delays beyond 2 months trigger damages of up to 100% of the arrear amount under Section 14B of the PF Act, 1952. An IT company with 50 employees and ₹3 lakh monthly PF liability that delays payment by 3 months faces damages up to ₹9 lakh.
Quarterly Compliance Checklist for IT Companies
Quarterly filings involve consolidation of monthly data and separate submissions. These are easy to forget because they sit between the monthly grind and the annual deadlines.
| Compliance | Due Date | Form | Details | Penalty |
|---|---|---|---|---|
| TDS return (salary) | 31st of month following quarter | 24Q | Salary TDS details for all employees | ₹200/day late fee under Section 234E |
| TDS return (non-salary) | 31st of month following quarter | 26Q | TDS on contractor, professional fees, rent | ₹200/day, max = TDS amount |
| Advance tax (1st installment) | June 15 | Challan 280 | 15% of estimated annual tax | Interest under Sections 234B and 234C |
| Advance tax (2nd installment) | September 15 | Challan 280 | 45% of estimated annual tax (cumulative) | Interest under Sections 234B and 234C |
| Advance tax (3rd installment) | December 15 | Challan 280 | 75% of estimated annual tax (cumulative) | Interest under Sections 234B and 234C |
| Advance tax (4th installment) | March 15 | Challan 280 | 100% of estimated annual tax | Interest under Sections 234B and 234C |
| Board meeting | Once every quarter (max 120-day gap) | Minutes of Meeting | Minimum 4 meetings per financial year | ₹25,000 (company) + ₹5,000 (per director) |
Advance tax is the payment of income tax in quarterly installments during the financial year itself, rather than as a lump sum after the year ends. IT companies with estimated tax liability above ₹10,000 must pay advance tax. Most profitable IT companies fall well above this threshold. The installment percentages are cumulative: by September 15, you should have paid 45% of your full-year estimate, not 45% of the remaining balance.
Based on our experience handling compliance for 2,000+ IT companies, TDS return (Form 26Q) delays are the most common quarterly failure. IT founders focus on GST and income tax but forget that 26Q has its own separate deadline. The ₹200 per day late fee under Section 234E adds up quickly: a 50-day delay on a single 26Q costs ₹10,000.
Stay on Top of Your IT Company's ROC Filings
IncorpX manages AOC-4, MGT-7, DIR-3 KYC, and all annual MCA filings for IT companies. Zero-penalty guarantee. Starting at ₹4,999 per year.
File Your Annual ReturnsAnnual Compliance Checklist for IT Companies
Annual filings carry the heaviest penalties and the most complex documentation requirements. Miss these and your directors risk disqualification under Section 164(2) of the Companies Act, 2013.
| Compliance | Due Date | Form | Section/Act | Penalty for Late Filing |
|---|---|---|---|---|
| Annual General Meeting (AGM) | September 30 (within 6 months of FY end) | Board resolution + minutes | Section 96, Companies Act 2013 | ₹1 lakh (company) + ₹5,000 per officer |
| Financial statement filing | Within 30 days of AGM | AOC-4 / AOC-4 XBRL | Section 137, Companies Act 2013 | ₹100/day, no cap |
| Annual return filing | Within 60 days of AGM | MGT-7 / MGT-7A | Section 92, Companies Act 2013 | ₹100/day, no cap |
| Director KYC | September 30 | DIR-3 KYC / DIR-3 KYC-WEB | Rule 12A, Companies Rules | ₹5,000 per director + DIN deactivation |
| Auditor appointment | Within 15 days of AGM (first year: within 30 days of incorporation) | ADT-1 | Section 139, Companies Act 2013 | ₹5,000/month of delay |
| Income tax return | October 31 (if audit applicable) | ITR-6 | Section 139, Income Tax Act 1961 | ₹10,000 late fee under Section 234F |
| Tax audit report | September 30 | Form 3CA-3CD / 3CB-3CD | Section 44AB, Income Tax Act 1961 | 0.5% of turnover or ₹1,50,000, whichever is less |
| GST annual return | December 31 | GSTR-9 | Section 44, CGST Act 2017 | ₹200/day, capped at 0.5% of state turnover |
| Transfer pricing report (if applicable) | November 30 | Form 3CEB | Section 92E, Income Tax Act 1961 | ₹1 lakh penalty |
Statutory audit is the independent examination of a company's financial statements by a qualified Chartered Accountant, mandatory for every Private Limited Company under Section 139 of the Companies Act, 2013, regardless of turnover. The statutory auditor is appointed at the AGM and holds office for a term of 5 consecutive years. IT companies with turnover exceeding ₹1 crore (or ₹10 crore with 95%+ digital transactions) also need a tax audit under Section 44AB.
September 30 is the most dangerous date on an IT company's compliance calendar. Three critical deadlines converge: AGM (Section 96), DIR-3 KYC (DIN deactivation if missed), and tax audit report (Section 44AB). Missing all three triggers penalties exceeding ₹1,50,000 combined. Mark this date in every director's personal calendar.
Event-Based Compliance for IT Companies
Beyond the regular calendar, IT companies must file specific forms whenever certain corporate events occur. These are not annual, so they catch founders off guard more often than recurring deadlines.
Change in Directors
Appointing or removing a director requires filing DIR-12 with the MCA within 30 days of the board resolution. The incoming director must have a valid DIN and DSC. If the director is being appointed for the first time, they must also file DIR-3 for DIN allotment. Government fee: ₹200 to ₹600 based on authorized capital.
Change of Registered Office
Shifting within the same city requires filing INC-22 within 15 days. Shifting between cities within the same state needs a special resolution plus INC-22. Interstate transfer requires NCLT approval and filing RD-1, which can take 3 to 6 months. IT companies relocating to tech parks in Bangalore, Hyderabad, or Pune commonly trigger this filing.
Share Allotment
When an IT company raises funding by issuing new shares, it must file PAS-3 (return of allotment) within 15 days of the board resolution. Private placement requires PAS-3 plus PAS-4 (private placement offer letter). Late filing of PAS-3 attracts a penalty of ₹1,000 per day for the company and every officer in default.
Increase in Authorized Capital
Before allotting shares beyond the authorized capital mentioned in the MOA, the company must pass a special resolution and file SH-7 with the MCA. Government fee for SH-7 depends on the increase amount: ₹5,000 for increases up to ₹5 lakh, scaling up to ₹25,000 for increases above ₹50 lakh. The entire process typically takes 5 to 7 working days.
Penalty for Non-Compliance: What IT Companies Actually Pay
Penalties are not theoretical. The MCA has automated the penalty generation process on the V3 portal, which means late filings trigger penalty calculations immediately upon submission. Here is what each missed deadline costs.
| Form | Compliance | Late Fee / Penalty | Authority | Additional Consequences |
|---|---|---|---|---|
| AOC-4 | Financial statements | ₹100/day (no cap) | MCA / ROC | Company marked as defaulting |
| MGT-7 | Annual return | ₹100/day (no cap) | MCA / ROC | Director disqualification after 3 years |
| DIR-3 KYC | Director KYC | ₹5,000 per director | MCA | DIN deactivation |
| ADT-1 | Auditor appointment | ₹5,000/month | MCA / ROC | Government may appoint auditor |
| GSTR-3B | Monthly GST return | ₹50/day (max ₹10,000) + 18% interest | GST Department | Input tax credit blocked |
| GSTR-9 | Annual GST return | ₹200/day (max 0.5% of turnover) | GST Department | Scrutiny notices triggered |
| 24Q/26Q | Quarterly TDS return | ₹200/day (max = TDS amount) | Income Tax Department | Employees cannot claim TDS credit |
| ITR-6 | Company income tax return | ₹10,000 late fee | Income Tax Department | Cannot carry forward losses |
| PAS-3 | Share allotment return | ₹1,000/day (company + officers) | MCA / ROC | Allotment may be questioned |
The real cost of non-compliance goes beyond penalties. An IT company with 2 directors that misses AOC-4 and MGT-7 by 6 months and forgets DIR-3 KYC pays: ₹18,000 (AOC-4) + ₹18,000 (MGT-7) + ₹10,000 (DIR-3 KYC for 2 directors) = ₹46,000 minimum. Add professional fees for filing with penalties, and the total crosses ₹60,000 to ₹70,000, enough to pay for 2 full years of compliant filing through a professional service.
IT-Specific Compliance Beyond ROC
IT companies face regulatory requirements that manufacturing or trading businesses do not encounter. These sector-specific obligations catch founders by surprise, especially those transitioning from freelancing to a registered company structure.
STPI Compliance
Software Technology Parks of India (STPI) is a government body under the Ministry of Electronics and IT that provides infrastructure and regulatory support to IT/ITES export units. IT companies registered as STPI units must file annual performance reports, maintain a minimum 1.5:1 export obligation ratio, submit softex forms for every software export transaction, and renew their STPI registration periodically. Failure to meet export obligations can result in cancellation of benefits, including duty-free import privileges.
SEZ Compliance
Special Economic Zone (SEZ) units enjoy tax benefits under Section 10AA of the Income Tax Act, but carry strict compliance obligations. SEZ IT companies must maintain separate books of accounts for SEZ and non-SEZ operations, file quarterly performance reports with the Development Commissioner, achieve positive net foreign exchange earning, and comply with customs bonding requirements. SEZ non-compliance can lead to reversal of tax exemptions already claimed.
CERT-In Reporting
CERT-In (Indian Computer Emergency Response Team) mandates incident reporting for all organizations, but IT companies handling client data face heightened scrutiny. Cybersecurity incidents, including data breaches, ransomware attacks, unauthorized network access, and identity theft, must be reported within 6 hours of detection. IT companies must maintain ICT system logs for 180 days within Indian jurisdiction. Non-reporting attracts penalties under the Information Technology Act, 2000.
DPDP Act Requirements
The Digital Personal Data Protection Act, 2023 (DPDP Act) directly affects IT companies that process personal data of Indian citizens, whether as data fiduciaries or data processors. Requirements include obtaining verifiable consent before data collection, publishing a clear privacy policy on the company website, appointing a Data Protection Officer (for significant data fiduciaries), implementing reasonable security safeguards, and enabling data erasure requests. Penalties under the DPDP Act reach ₹50 crore to ₹250 crore for significant non-compliance.
Software License Audits
IT companies using licensed software (Microsoft, Oracle, SAP, Adobe) face periodic license compliance audits. Vendors have contractual rights to audit your installations. Using unlicensed copies triggers settlement demands that can range from ₹5 lakh to ₹50 lakh depending on the software and the number of installations. Maintaining a Software Asset Management (SAM) register is not legally mandated but is a practical necessity for IT companies.
Get Your IT Company's Compliance Sorted
From ROC filings to GST returns, IncorpX handles the full compliance stack for IT companies. Talk to a compliance expert today.
Get a Free ConsultationCompliance Calendar 2026 for IT Companies
Pin this calendar to your office wall, or better yet, set reminders 15 days before each deadline. One missed date can cascade into multiple penalties.
| Month | Deadline | Compliance | Form | Penalty if Missed |
|---|---|---|---|---|
| April 2026 | 7th | TDS deposit for March (special deadline: April 30) | Challan 281 | 1.5% interest/month |
| April 2026 | 30th | PF annual return for FY 2025-26 | Form 3A/6A (electronic) | Damages under PF Act |
| May 2026 | 15th | TDS return for Q4 (Jan-Mar 2026) | 24Q, 26Q | ₹200/day |
| June 2026 | 15th | Advance tax: 1st installment (15%) | Challan 280 | Interest under Section 234C |
| July 2026 | 31st | TDS return for Q1 (Apr-Jun 2026) | 24Q, 26Q | ₹200/day |
| September 2026 | 15th | Advance tax: 2nd installment (45%) | Challan 280 | Interest under Section 234C |
| September 2026 | 30th | AGM for FY 2025-26 | Board resolution + minutes | ₹1 lakh + ₹5,000/officer |
| September 2026 | 30th | DIR-3 KYC for all directors | DIR-3 KYC / DIR-3 KYC-WEB | ₹5,000 per director |
| September 2026 | 30th | Tax audit report | Form 3CA-3CD / 3CB-3CD | 0.5% of turnover or ₹1,50,000 |
| October 2026 | 29th | AOC-4 (within 30 days of AGM held on Sep 30) | AOC-4 / AOC-4 XBRL | ₹100/day, no cap |
| October 2026 | 31st | Income tax return (with audit) | ITR-6 | ₹10,000 late fee |
| October 2026 | 31st | TDS return for Q2 (Jul-Sep 2026) | 24Q, 26Q | ₹200/day |
| November 2026 | 29th | MGT-7 (within 60 days of AGM held on Sep 30) | MGT-7 / MGT-7A | ₹100/day, no cap |
| November 2026 | 30th | Transfer pricing report (if applicable) | Form 3CEB | ₹1 lakh penalty |
| December 2026 | 15th | Advance tax: 3rd installment (75%) | Challan 280 | Interest under Section 234C |
| December 2026 | 31st | GSTR-9 annual return | GSTR-9 | ₹200/day, max 0.5% of turnover |
| January 2027 | 31st | TDS return for Q3 (Oct-Dec 2026) | 24Q, 26Q | ₹200/day |
| March 2027 | 15th | Advance tax: 4th installment (100%) | Challan 280 | Interest under Section 234C |
October is the most filing-intensive month for IT companies. Within 31 days, you must file AOC-4 (by Oct 29), ITR-6 (by Oct 31), and TDS returns for Q2 (by Oct 31). Start preparation in mid-September. Coordinate with your CA, CS, and tax consultant simultaneously. Last-minute filing leads to errors that trigger income tax notices.
Cost of Annual Compliance for IT Companies
Compliance costs scale with company size, number of employees, revenue, and the complexity of operations. These ranges include professional fees (CA, CS, tax consultant) and government filing fees but exclude penalties.
| Company Type | Annual Revenue | Estimated Compliance Cost | Major Components |
|---|---|---|---|
| IT Startup (2-5 employees) | Up to ₹50 lakh | ₹25,000 to ₹50,000 | Statutory audit, ROC filing, GST returns, TDS returns |
| Small IT Company (6-25 employees) | ₹50 lakh to ₹5 crore | ₹50,000 to ₹1,50,000 | All startup items + PF/ESI, payroll compliance, tax audit |
| Mid-size IT Company (26-100 employees) | ₹5 crore to ₹50 crore | ₹1,50,000 to ₹3,00,000 | All small company items + transfer pricing (if applicable), STPI, internal audits |
| Large IT Company (100+ employees) | Above ₹50 crore | ₹3,00,000 to ₹5,00,000+ | All mid-size items + SEZ compliance, DPDP compliance, secretarial audit, CSR compliance |
The math is straightforward. A startup paying ₹35,000 per year for professional compliance services avoids penalties that can exceed ₹50,000 from a single missed deadline. The ROI on professional compliance management is not a percentage; it is a multiple. An IT founder who says "I will handle compliance myself" typically discovers that the time cost (15 to 20 hours per month) plus the penalty risk makes outsourcing the rational choice by the end of the first financial year.
Based on our experience managing compliance for 2,000+ IT companies, the breakeven point for outsourcing compliance is around ₹30 lakh annual revenue. Below that, a single good CA handling everything may be sufficient. Above ₹30 lakh, the filing volume and deadline complexity justify a dedicated compliance management service that tracks every deadline and files proactively.
Common Compliance Mistakes IT Companies Make
Knowing what to file is half the battle. Knowing what goes wrong is what separates companies with clean records from those drowning in penalty notices. Here are the 7 mistakes we see most often.
1. Treating DIR-3 KYC as Optional
IT founders assume that DIR-3 KYC is a one-time requirement after getting their DIN. It is not. Every director must file DIR-3 KYC or DIR-3 KYC-WEB every year by September 30. A 3-director IT company that misses this deadline pays ₹15,000 in penalties before filing the form. Directors whose DINs are deactivated cannot sign any MCA forms until reactivation, which blocks all other filings.
2. Missing the 120-Day Board Meeting Gap
Section 173 requires that the gap between two board meetings does not exceed 120 days. IT companies that hold meetings in January and June (150-day gap) violate this requirement even if they hold 4 meetings in the year. The penalty: ₹25,000 for the company plus ₹5,000 for every director. Set quarterly calendar invites on fixed dates to prevent this.
3. Filing TDS Returns Without Depositing TDS
Some IT companies file quarterly TDS returns (24Q/26Q) on time but forget to deposit the actual TDS amount by the 7th of each month. The return filing and the deposit are two separate obligations. Filing a return showing ₹2 lakh TDS deducted while the deposit is pending triggers both interest (1.5% per month) and penalty proceedings under Section 271C.
4. Ignoring GST on Software Services
IT companies providing software services to Indian clients must charge GST at 18% on all invoices. Companies that treat software as zero-rated without meeting export conditions (foreign client, payment received in foreign currency, service delivered outside India) face GST demands with interest and penalty. The confusion typically arises with offshore development work billed to a foreign company's Indian subsidiary.
5. Not Appointing an Auditor Within 30 Days
Newly incorporated IT companies must appoint a statutory auditor within 30 days of incorporation and file ADT-1. Missing this attracts ₹5,000 per month of delay. Many IT founders focus on product development and customer acquisition, leaving auditor appointment for "later." By the time they realize it, 4 to 5 months have passed, and the penalty alone is ₹20,000 to ₹25,000.
6. Forgetting GSTR-9 Annual Return
GSTR-9 is the annual GST return that consolidates all monthly returns for the financial year. IT companies with turnover above ₹2 crore must file this by December 31. The late fee is ₹200 per day (₹100 CGST + ₹100 SGST), capped at 0.5% of the company's turnover in the state. A company with ₹2 crore turnover in one state faces a maximum late fee of ₹1,00,000 for GSTR-9 alone.
7. Not Maintaining Minutes of Meetings
IT companies hold board meetings but fail to document proper minutes. Under Section 118, minutes must be recorded within 30 days of the meeting, maintained in a minutes book (physical or digital), and signed by the chairperson. During ROC inspections or due diligence for funding rounds, missing minutes create serious red flags. Investors and regulators treat poor record-keeping as a governance failure.
Avoid These Mistakes With Professional Compliance Management
IncorpX tracks every deadline for your IT company and files proactively. No missed deadlines. No penalties. Starting at ₹4,999 per year.
Talk to a Compliance ExpertHow to Stay Compliant: A Practical Approach for IT Founders
Compliance does not need to be a full-time occupation. Here is a practical system that works for IT companies at every stage.
- Appoint professionals early: Hire a CA and CS (or a compliance firm like IncorpX) within 30 days of incorporation. Do not wait for revenue to start flowing. The ADT-1 deadline starts ticking from day one.
- Set up a compliance calendar: Use the month-by-month table above as a template. Add reminders 15 days before each deadline in a shared Google Calendar or project management tool that your CA and CS have access to.
- Automate monthly deposits: Set up standing instructions for TDS, PF, and ESI deposits. These are the most frequently missed monthly obligations because they require manual action each month.
- Hold board meetings on fixed dates: Schedule all 4 board meetings for the year in April. Pick the same week each quarter (first Monday of April, July, October, January). This eliminates the 120-day gap violation risk.
- Start AGM preparation in August: The September 30 AGM deadline requires finalized audited financials, director reports, and shareholder notices. Starting in September is too late. Begin the audit process by mid-August.
- Keep a compliance tracker spreadsheet: Track every filing with columns for: form name, due date, filing date, acknowledgment number, penalty paid (if any). This becomes invaluable during due diligence rounds when investors ask for a compliance history.
- Budget for compliance from day one: Allocate ₹25,000 to ₹50,000 per year for compliance services in your startup budget. This is not an expense; it is penalty insurance.
Your IT company's compliance record becomes part of your business reputation. Clean records translate to faster bank account approvals, smoother investor due diligence, and the peace of mind that comes from knowing no penalty notice is sitting in your MCA inbox. The founders who treat compliance as a business function (rather than an afterthought) consistently perform better in fundraising, government tenders, and strategic partnerships.
Summary
IT companies in India face one of the most complex compliance landscapes of any business sector, with 40 to 55 filings across ROC, GST, TDS, PF/ESI, and sector-specific regulations like STPI and CERT-In. The critical deadlines are September 30 (AGM, DIR-3 KYC, tax audit), October 31 (income tax return), and December 31 (GSTR-9). Penalties for non-compliance start at ₹100 per day for ROC filings with no cap, and a single year of missed deadlines can cost ₹50,000 to ₹1 lakh in avoidable penalties. Whether you are a 2-person startup or a 200-person IT services company, professional compliance management is the most cost-effective investment you can make in your company's longevity.
Get Your IT Company's Annual Compliance Done Right
IncorpX manages ROC, GST, TDS, and all annual filings for IT companies across India. Zero-penalty guarantee with proactive deadline tracking. Starting at ₹4,999 per year.
File Your Annual Compliance
