Internal Audit Checklist for Indian SMEs FY 2025-26

TL;DR

Internal audits are mandatory under Section 138 for private companies exceeding ₹50 crore turnover, but even smaller Indian SMEs should conduct voluntary audits as GST and Income Tax departments now actively cross-match data across GSTR-1, TDS returns, and bank statements. A thorough audit covers financial records, GST/TDS compliance, internal controls, inventory, fixed assets, and statutory labor law filings — with weak internal controls being the single most common finding across Indian SME audits. PKC India’s AI-powered, business-first audit approach using proprietary tools like Fero delivers practical, actionable findings that help SMEs fix compliance gaps before they attract penalties or scrutiny.

Why Internal Audit Matters More Than Ever for Indian SMEs in FY 2025-26

Let us be honest. For most small and mid-sized business owners in India, the words ‘internal audit’ bring up one of two feelings — either mild anxiety or a sense of ‘we will deal with it later.’

But here is the thing: FY 2025-26 is not the year to put it off.

India’s regulatory environment has become sharper, faster, and less forgiving. The GST department is using data analytics to flag mismatches between your GSTR-1 and GSTR-3B. The Income Tax Department is cross-checking your TDS filings with your books. The Ministry of Corporate Affairs (MCA) is tightening compliance timelines. And with more businesses going digital, there is simply more data — and more places for errors to hide.

For Indian SMEs — whether you are a manufacturer in Coimbatore, a trader in Surat, or a services firm in Bengaluru — an internal audit is no longer just a box to tick. It is the most practical tool you have to catch problems before the taxman does, before your bank gets worried, or before a small error snowballs into a costly penalty.

This blog gives you a complete, plain-language internal audit checklist that reflects what experienced auditors actually check during FY 2025-26. Whether you are preparing for your own audit, working with a CA firm, or trying to understand what your auditor is looking for, this guide is for you.

What is an Internal Audit, in Simple Terms?

An internal audit is an independent check of your business’s finances, processes, and compliance. Think of it as a health check-up — but for your company. It is not the same as a statutory audit (which is done for legal reporting). An internal audit is done to help your business run better, catch errors early, and avoid penalties.

Is an Internal Audit Mandatory for Your SME? Section 138 of the Companies Act

Explained

One of the most common questions Indian SME owners ask is: ‘Do we even need an internal audit?’ The answer depends on your company’s size and structure.

The Legal Framework: Section 138 of the Companies Act, 2013

Section 138 of the Companies Act, 2013 makes internal audits mandatory for certain classes of companies. The law requires these companies to appoint an internal auditor — who can be a Chartered Accountant, Cost Accountant, or any other professional the Board considers suitable.

As per Rule 13 of the Companies (Accounts) Rules, 2014, the thresholds are as follows:

Company Type	Turnover Threshold	Paid-up Capital	Outstanding Loans
Private Company	Turnover > Rs. 50 crore	Paid-up capital > Rs. 10 crore	Outstanding loans > Rs. 25 crore
Public Company	Turnover > Rs. 200 crore	Paid-up capital > Rs. 50 crore	Outstanding loans > Rs. 100 crore
Listed Company	Mandatory regardless of size	Mandatory regardless of size	Mandatory regardless of size

Important Note for FY 2025-26

Even if your company does not meet these thresholds, conducting a voluntary internal audit is strongly recommended. It helps you identify compliance gaps, improve financial accuracy, and be better prepared if thresholds are crossed in future years.

What About Proprietorships, Partnerships, and LLPs?

Section 138 applies only to companies. However, if you run a partnership firm, LLP, or proprietorship with significant turnover, a voluntary internal audit is still a very wise investment. Many banks, investors, and large corporate clients today ask for internal audit reports before entering into contracts or sanctioning loans.

In short, if you want to grow, an internal audit is not optional — it is a competitive advantage.

Financial Records & Accounting Accuracy: The Core Internal Audit Checklist

The heart of any internal audit is your financial records. Auditors want to know: Are the numbers in your books real? Are they complete? And do they match what actually happened in the business?

Here is what auditors check in this area:

Books of Accounts

All books of accounts are maintained as required under Section 128 of the Companies Act — Cash book, journal, ledger, and supporting registers
Books are updated regularly and not left pending for weeks at a time
Electronic records (Tally, SAP, Busy, Zoho Books, etc.) are backed up regularly
Physical vouchers and invoices are filed properly and match digital entries
Opening balances of the current year match closing balances of the prior year

Bank Reconciliation

Bank reconciliation statements (BRS) are prepared monthly for each bank account
Uncleared cheques and outstanding deposits are followed up and resolved promptly
Bank statements are cross-checked against the books — no unexplained differences
Duplicate payments or reversed entries are identified and documented

Revenue and Expense Verification

All sales are supported by invoices, delivery challans, or service agreements
Expenses are backed by valid bills — no cash payments above Rs. 10,000 without proper documentation (as per Income Tax rules)
Related party transactions are disclosed and done at arm’s length
Capital expenditure is not incorrectly classified as revenue expenditure (or vice versa)
Provisions and accruals are correctly made at the year-end

Accounts Payable and Receivable

Debtors’ ledger is reconciled regularly — old outstanding balances are reviewed
Creditors’ ledger is up to date — all liabilities are correctly recognised
Advances paid or received are properly accounted for
Bad debts or doubtful debts are provisioned as per the company’s policy

Common Financial Red Flags Auditors Look For

When auditors review financial records, certain patterns immediately raise questions. Here are the most common red flags found in Indian SME audits:

• Round-figure entries — such as expenses of exactly Rs. 1,00,000 posted repeatedly

• Large cash transactions without proper documentation

• Expenses posted just below the tax threshold to avoid TDS deduction

• Sales figures that are very different from what GST returns show

• Payments to vendors without proper PAN or invoices

• Loans taken from directors or related parties without proper documentation or interest

• Unusually high staff or contractor costs with no commensurate output

These red flags do not always mean fraud — they may simply point to weak processes. But catching them early through an internal audit prevents them from becoming bigger problems later.

GST & TDS Compliance Checklist for SMEs

Tax compliance is probably the single biggest pain point for Indian SMEs in FY 2025-26. Errors in GST or TDS filings can attract notices, interest, and penalties — sometimes without the business owner even realising something went wrong. Here is what auditors check:

GST Compliance

GST registration is active and updated with the correct business address, nature of business, and authorised signatory
GSTR-1 (outward supplies) filed on time every month or quarter, as applicable
GSTR-3B filed on time and tax paid before the due date to avoid interest at 18% per annum
GSTR-2B input tax credit (ITC) reconciled with books — every rupee of ITC claimed must be supported by a valid supplier invoice reflected in GSTR-2B
No excess ITC claimed — blocked credit under Section 17(5) (such as for motor vehicles, personal expenses, and club memberships) is not availed
Reverse charge mechanism (RCM) correctly applied for applicable services such as GTA, legal fees, import of services
E-invoicing compliance verified for businesses with turnover above the notified threshold
Annual return (GSTR-9) and reconciliation statement (GSTR-9C) filed correctly for the previous financial year
GST on advances received is correctly accounted for and adjusted
Export invoices (if any) correctly marked as zero-rated with LUT or IGST payment

TDS Compliance

TDS deducted correctly on salary, contractor payments, rent, commission, professional fees, and other applicable payments — as per the correct rates under the Income Tax Act
TDS deposited on or before the 7th of the following month (30th April for March deductions)
TDS returns (Form 24Q for salary, 26Q for non-salary) filed quarterly on time
TDS certificates (Form 16 for employees, Form 16A for others) issued to deductees within due dates
No short deduction or non-deduction — especially in cases where vendor PAN is missing (20% TDS rate applies if PAN is not provided)
Form 26AS / Annual Information Statement (AIS) reconciled with books to ensure all receipts and payments match
TCS (Tax Collected at Source) compliance checked, if applicable

FY 2025-26 Alert: GST and TDS Data Matching

The Income Tax Department and GST Council are now cross-matching data from multiple sources — including GST returns, bank statements, and TDS filings. Any mismatch between your GSTR-1, books of accounts, and TDS returns is likely to trigger a scrutiny notice. An internal audit that reconciles all three is your best defence.

Internal Controls & Process Audit Checklist

Think of internal controls as the guardrails that prevent your business from going off track. They are the rules, approvals, and checks that ensure no single person can do something wrong without someone else noticing. Auditors pay very close attention to these.

A structured process audit helps identify gaps in your approval workflows and segregation of duties before they become compliance risks.

Authorization and Approval Controls

A defined approval hierarchy is in place for payments, purchases, and commitments
No single person has both the authority to raise a purchase order and approve the payment for the same transaction
Bank signatories are current and no ex-employees retain signing authority
Cheque books and digital payment credentials are kept securely and access is restricted

Segregation of Duties

The person who handles cash does not also maintain the cash book
The person who raises invoices does not also post receipts in the books
Payroll is prepared and verified by different people
Access to accounting software is role-based — not everyone can edit past entries

IT and System Controls

Accounting software access is password-protected and reviewed periodically
Audit trails are enabled — the software must record who made what changes and when
Regular data backups are performed and tested
User access is removed promptly when an employee leaves the organisation

Fraud Prevention Controls

A whistleblower or internal complaint mechanism is in place
Petty cash is maintained within approved limits and reconciled daily or weekly
Vendor master is reviewed periodically — no fake or duplicate vendors
New vendor creation requires approval from the finance head or management

Why Weak Internal Controls Are the #1 Audit Finding in Indian SMEs

In PKC India’s experience working with hundreds of Indian businesses, weak internal controls are by far the most common finding during internal audits. Here is why this happens — and what it leads to:

• Most SMEs start as family-run businesses where trust replaces process. As the business grows, this trust without verification creates gaps.

• Employees who have been with the company for years often hold multiple responsibilities — and no one checks their work.

• Petty fraud — such as inflated expense claims or ghost vendors — can go undetected for years when controls are absent.

• Without proper IT controls, a single disgruntled employee can manipulate financial records, delete entries, or create fake transactions.

The good news: most control gaps are easy to fix once they are identified. A structured internal audit by PKC India typically uncovers these issues within the first audit cycle — and our team works with you to put practical fixes in place.

Inventory & Asset Management Audit Checklist

For manufacturing companies, traders, and retailers, inventory is often the largest asset on the balance sheet. For all businesses, fixed assets represent significant capital. Auditors spend considerable time here because this is also where significant errors — and frauds — tend to hide.

Inventory Verification

Physical stock count matches the stock ledger or inventory management system
Closing stock is valued correctly — as per AS-2, using cost or net realisable value, whichever is lower
Slow-moving, non-moving, or damaged stock is identified and properly provisioned or written off
Raw material, work-in-progress (WIP), and finished goods are separately tracked
Goods received but not yet billed (GRNI) are properly accounted for as a liability
Stock stored at third-party locations (consignees, job workers) is confirmed and included in the stock count
Inventory valuation method (FIFO, Weighted Average, etc.) is consistent year on year

Fixed Asset Management

A fixed asset register (FAR) is maintained, listing all assets — with purchase date, cost, depreciation method, accumulated depreciation, and net book value
Physical verification of fixed assets done at least once a year — every asset in the register should be physically present
Depreciation calculated correctly as per Schedule II of the Companies Act and also as per Income Tax Act (for tax purposes)
Fully depreciated assets that are still in use are identified and noted
Assets scrapped or disposed of are removed from the register and any profit or loss on disposal is correctly accounted for
Capital work-in-progress (CWIP) is reviewed — assets under construction should not stay in CWIP indefinitely after commissioning
Asset additions during the year are supported by proper purchase orders, invoices, and capitalisation notes

Practical Tip from PKC India’s Audit Team

In almost every SME audit, we find at least a handful of assets in the register that no longer exist — sold years ago, lost, or discarded — but never removed from the books. Similarly, several new assets added during the year may have been incorrectly expensed instead of capitalised. A proper physical verification exercise, done with the help of your CA, resolves both issues cleanly.

Statutory & Labor Law Compliance Checklist

Compliance with statutory requirements is a significant area of risk for Indian SMEs. A missed filing or underpayment can trigger penalties, interest, and in some cases, legal proceedings. Auditors verify the following:

Corporate Compliance (Companies Act)

Annual General Meeting (AGM) held within the prescribed time
Annual return (Form MGT-7/7A) and financial statements (Form AOC-4) filed with the Registrar of Companies on time
Board meetings held as required and minutes maintained
Director KYC (DIR-3 KYC) filed annually for all directors
Any changes in directors, registered office, share capital, or charges properly filed with the MCA
Statutory registers (register of members, register of directors, register of charges, etc.) updated and maintained

Provident Fund (PF) and ESI

All eligible employees are covered under the Employees’ Provident Fund (EPF) scheme
PF contributions deducted from employee salary and matched by employer contribution — both deposited before the 15th of the following month
PF returns filed on time — ECR (Electronic Challan cum Return) uploaded monthly
Employees’ State Insurance (ESI) registration obtained if more than 10 employees (in establishments covered under the ESI Act)
ESI contributions deposited on time and returns filed half-yearly

Professional Tax, Shops & Establishments, and Other Labor Laws

Professional tax (PT) deducted from employee salaries as per the state-specific slab and deposited on time
Shops & Establishments registration obtained and renewed, if applicable
Labour law registers (attendance register, wage register, etc.) maintained as per the Factories Act, Shops Act, or applicable state labour laws
Minimum wages paid to eligible employees as per the latest state government notification
Gratuity provisions made for employees with more than 5 years of service (as per the Payment of Gratuity Act)
Bonus provisions or payments made as per the Payment of Bonus Act, if applicable

Income Tax & Other Filings

Income tax return filed on time — by 31st October for companies requiring audit, 31st July for others
Tax audit under Section 44AB conducted, if turnover exceeds the applicable threshold
Advance tax paid on time in four instalments (June, September, December, March)
Any international transactions or specified domestic transactions reported in Form 3CEB (Transfer Pricing)

Download: Free Internal Audit Checklist for Indian SMEs (FY 2025-26)

We know that reading a long blog is one thing — but having a ready-to-use checklist in hand when you are actually preparing for an audit is quite another.

PKC India has prepared a free, downloadable Internal Audit Checklist for Indian SMEs covering all the areas discussed in this blog. It is designed to be used by:

• Business owners who want to do a self-assessment before calling their CA

• Finance managers and accountants who want to track audit readiness

• CA firms and auditors who work with SME clients

• Startup founders and early-stage companies getting their compliance in order

Checklist Area	What It Covers
Financial Records & Accounting	30+ checkpoints covering books, BRS, revenue, expenses
GST Compliance	15+ checkpoints covering returns, ITC, e-invoicing, RCM
TDS Compliance	10+ checkpoints covering deduction, deposit, returns
Internal Controls & Processes	20+ checkpoints covering approvals, IT systems, fraud prevention
Inventory & Asset Management	15+ checkpoints covering stock, fixed assets, depreciation
Statutory & Labour Law	25+ checkpoints covering MCA, PF, ESI, PT, income tax

Download the Free Checklist PDF

To receive the complete Internal Audit Checklist for Indian SMEs (FY 2025-26) as a PDF, visit:

www.pkcindia.com/services/audit-assurance-services/internal-audit/

Or reach out to our team at co*****@******ia.com to get the checklist directly in your inbox.

How PKC India Helps Indian SMEs Conduct Stress-Free Internal Audits

Founded in 1988 and headquartered in Chennai, PKC India (also known as PKC Management Consulting) is one of India’s leading mid-tier CA and management consulting firms. With over three decades of experience and a client base of 1,600+ businesses across retail, manufacturing, construction, healthcare, e-commerce, real estate, IT/ITES, and more, PKC has a deep understanding of the challenges Indian SMEs face.

When it comes to internal audits, PKC is different from a traditional audit firm in a few important ways:

1. Business-First Approach

PKC’s audit philosophy is not about ticking boxes. Our team approaches every audit with the mindset of a business advisor — not just a compliance checker. We ask: what does this finding mean for your business? What risk does it create? And how can you fix it practically, without turning your operations upside down?

2. AI-Powered Audit Tools

PKC uses proprietary technology — including the Fero audit automation tool — to run comprehensive, data-driven checks on your financial data. This means less time spent on manual data extraction and more time on meaningful analysis. Our technology can process months of transaction data in hours, identifying patterns, anomalies, and red flags that a manual review might miss.

3. Industry-Specific Expertise

A retail company’s audit needs are very different from those of a manufacturer or a real estate developer. PKC’s audit teams are organized by industry, which means the person auditing your books actually understands your business model, typical costs, margin structures, and compliance requirements.

4. Three-Stage Audit Process

PKC follows a structured three-stage process for every internal audit engagement:

• Stage 1 — Planning: We define the audit scope, identify the highest-risk areas specific to your business, and develop a focused audit plan.

• Stage 2 — Execution: Our team gathers data, interviews key personnel, reviews documents, and tests internal controls using both manual and automated techniques.

• Stage 3 — Reporting & Follow-up: We deliver a clear, actionable Internal Audit Report — and more importantly, we work with you until the findings are actually resolved.

5. Transparent Pricing and No Disruption

PKC charges based on person-days, with no hidden fees. We work around your operations schedule and ensure your team is not overwhelmed during the audit period.

Frequently Asked Questions About Internal Audit for Indian SMEs

1. What is the difference between an internal audit and a statutory audit?

A statutory audit is a legal requirement under the Companies Act or Income Tax Act, done primarily to give an independent opinion on the accuracy of your financial statements — for the benefit of regulators, shareholders, and lenders. An internal audit, on the other hand, is focused on your business internally — it checks whether your processes, controls, and compliance are working as they should. The goal of an internal audit is improvement, not just certification. While a statutory auditor gives a report to outsiders, an internal auditor’s report is primarily for your management and Board.

For a detailed breakdown, read our guide on the difference between internal and statutory audits.

2. How often should an SME conduct an internal audit?

For most SMEs, an annual internal audit is the minimum. However, if your business has rapid growth, a large number of transactions, multiple locations, or a history of compliance issues, a half-yearly or quarterly internal audit is more appropriate. PKC India recommends at least an annual audit for all companies meeting Section 138 thresholds and bi-annual audits for growing companies with turnover above Rs. 25 crore.

3. Can we conduct an internal audit ourselves, without an external CA firm?

Yes, if your company has a qualified internal audit team, they can conduct the audit. However, for most SMEs, maintaining an in-house internal audit department is expensive and may lack objectivity — the same team that makes the processes is unlikely to find faults with them. Hiring an external firm like PKC India gives you the benefit of an independent and experienced view, access to proprietary audit tools, and a fresh perspective that often uncovers issues an internal team would miss.

4. What is the cost of an internal audit for an Indian SME?

The cost of an internal audit depends on factors such as the size of your business, the number of transactions, the scope of the audit, and the number of locations. At PKC India, internal audit fees are structured based on the number of person-days required for the engagement. We recommend a free 30-minute consultation first, after which we provide a transparent, no-surprise fee proposal tailored to your specific situation.

5. What documents should I keep ready before an internal audit?

You should ideally have the following ready: financial statements and trial balance for the period under audit, bank statements and bank reconciliation statements, GST returns (GSTR-1, GSTR-3B, GSTR-2B) and TDS returns (24Q/26Q), sales and purchase invoices, payroll records and PF/ESI challans, fixed asset register, inventory records, MCA filings and board minutes, and any loan or credit facility agreements. The more organized your records are, the smoother and faster the audit process will be.

6. Will an internal audit disrupt our day-to-day operations?

A well-planned internal audit should cause minimal disruption to your business. PKC India’s audit team is trained to work with your staff in a cooperative, non-disruptive manner. We schedule data requests and interviews in advance, work with your existing systems, and ensure that your team’s time is used efficiently. Typically, the only time any disruption occurs is during physical verification of stock or assets — and this too is scheduled in advance to minimize inconvenience.

7. What happens after the internal audit is completed?

After the audit, you will receive a detailed Internal Audit Report (IAR) covering all findings, risk levels, and practical recommendations. At PKC India, we do not just hand over a report and leave — we sit with your management team to walk through each finding, explain the implications in plain language, and prioritize the actions that need to be taken. We also track the closure of open audit points in subsequent audits to ensure issues are actually resolved, not just acknowledged.

About PKC India

PKC Management Consulting (PKC India) is a Chennai-based CA and management consulting firm established in 1988. With 100+ consultants and a presence across major Indian cities, PKC offers Audit & Assurance, Process Consulting, Taxation, and Business Advisory services to Indian family businesses and SMEs. PKC is known for its tech-driven audit approach and its commitment to acting as a business performance partner — not just a compliance firm.

Website: www.pkcindia.com | Email: co*****@******ia.com | Internal Audit Services: pkcindia.com/services/audit-assurance-services/internal-audit/

Disclaimer: This blog is intended for informational purposes only. It does not constitute legal or professional advice. Please consult a qualified Chartered Accountant for advice specific to your business situation.