TL;DR Summary:
Internal audit and statutory audit serve different purposes. Statutory audit checks financial accuracy for external stakeholders. Internal audit improves operations, controls, and risk management. Internal audit is mandatory for listed companies and certain public and private companies based on turnover and borrowing thresholds. A risk-based internal audit focuses on strategic, operational, financial, compliance, IT, fraud, and governance risks. Beyond compliance, internal audit prevents fraud, improves efficiency, aids decision-making, builds investor confidence, and strengthens governance. An engagement includes planning, fieldwork, analysis, and reporting. PKC India uses a structured, risk-based methodology with AI-powered tools.
Internal audit services in India go beyond statutory compliance – they are a structured, risk-based review of your operations, financial controls, fraud risks, and governance that helps businesses identify leakages, strengthen processes, and build the credibility that lenders and investors look for. Under Section 138 of the Companies Act 2013, an internal audit is mandatory for listed companies and for unlisted public and private companies crossing ₹200 crore turnover or ₹100 crore in bank borrowings.
Internal audit services in India have grown in demand in the last few years, not because internal audits are a regulatory burden, but because they can be a strategic tool that protects your business from risks and helps it grow.
This post covers all you need to know about internal audits in India. We cover when internal audit is mandatory under Indian law, how a risk-based approach works, the business case beyond compliance, and what an internal audit engagement with PKC looks like.
Internal Audit vs Statutory Audit: Key Differences
Internal audit and statutory audit are often confused, but they serve entirely different purposes. These are two distinct functions with different purposes, legal backing, and outcomes.
Here’s what you need to know:
| Parameter | Internal Audit | Statutory Audit |
| --- | --- | --- |
| Purpose | Improve controls, manage risk | Certify financial statements |
| Mandatory for | Select companies (Section 138 thresholds) | All registered companies |
| Appointed by | Management / Audit Committee | Shareholders at AGM |
| Who conducts it | Internal team or external consultants | External CA registered with ICAI only |
| Reports to | Management / Audit Committee | Shareholders |
| Frequency | Quarterly, half-yearly, or as needed | Annual |
| Scope | Operational, financial, compliance, risk | Financial statements and compliance |
| Outlook | Forward-looking and advisory | Backward-looking |
Statutory Audit
Statutory Audit is a legal requirement under Section 139 of the Companies Act, 2013. Every company registered in India must get its financial statements audited by an independent CA who is registered with the Institute of Chartered Accountants of India (ICAI).
The statutory auditor is appointed by the shareholders, and their job is to give an opinion on whether your financial statements present a “true and fair view” of your company’s financial position.
The scope of a statutory audit is fixed. It covers the verification of books of accounts, compliance with accounting standards, and an assessment of the accuracy of the financial statements. It is backward-looking and conducted once a year, covering the full financial year from April 1 to March 31. The report goes to shareholders and regulators.
Internal Audit
Under the Companies Act, 2013, internal audit is mandatory only for certain classes of companies. Even when not legally required, many businesses choose to conduct internal audits as a governance best practice.
Internal audit has a broader and more flexible scope. It includes the review of operational processes, financial records, internal controls, risk management, compliance with internal policies, and detection of fraud or inefficiency. The audit is forward-looking and often advisory in nature.
The internal auditor can be a CA, a Cost Accountant, or another professional approved by the Board. They may be an employee of the company or an outsourced firm like PKC Management Consulting.
Where the statutory auditor answers to shareholders, the internal auditor reports to the management or audit committee.
Note: The same firm cannot simultaneously perform statutory and internal audits for the same company under Indian regulations to avoid conflicts of interest.
When Is Internal Audit Mandatory in India?
Internal audit is not mandatory for every company in India. The Companies Act, 2013, under Section 138, read with Rule 13 of the Companies (Accounts) Rules, 2014, specifies exactly which companies must appoint an internal auditor.
Here is the breakdown:
Listed Companies: All companies listed on a recognised stock exchange (BSE or NSE) must have an internal audit function. There’s no threshold requirement.
Unlisted Public Companies: They must appoint an internal auditor if they meet any one of the following during the preceding financial year:
- Turnover of ₹200 crore or more
- Paid-up share capital of ₹50 crore or more
- Outstanding loans or borrowings exceeding ₹100 crore from banks or financial institutions at any point
- Outstanding deposits exceeding ₹25 crore at any point
Private Limited Companies: Internal audit becomes applicable to a private company when it meets any one of these criteria in the preceding financial year:
- Turnover is ₹200 crore or more
- Outstanding loans or borrowings from banks or financial institutions exceed ₹100 crore.
Unlike for unlisted public companies, paid-up capital and deposits are not triggers for private companies.
LLPs and partnership firms are outside the scope of Section 138. LLPs are governed by the LLP Act, 2008, which has no internal audit mandate. Sole proprietorships and partnership firms are not covered by the Companies Act and have no internal audit obligation under any statute.
REMEMBER:
- Applicability is checked against the previous financial year’s figures. So if your company crossed the turnover threshold in FY 2024-25, the internal audit obligation applies from FY 2025-26.
- “Turnover” means the gross amount of revenue recognized in the profit and loss account from the sale of goods, supply of services, or both.
Penalty for Non-Compliance
The Companies Act does not prescribe a specific penalty for failing to appoint an internal auditor. However, Section 450 of the Act applies a general penalty: the company and every officer in default may be fined ₹10,000, with an additional ₹1,000 per day if the contravention continues.
Even if your company falls below these thresholds or you are a growing startup, voluntarily adopting internal audit is a good practice. With changes in governance expectations, investors, lenders, and large customers are increasingly looking at governance quality before committing.
What a Risk-Based Internal Audit Covers
A risk-based internal audit (RBIA) is an internal audit methodology that focuses primarily on areas with inherent risk of loss or trouble. It aims to provide assurance that management is managing risk within the defined risk appetite level.
The approach links the internal audit process directly to your organisation’s risk management framework and strategic objectives.
RBIA uses risk management principles to focus audits on the most urgent areas. It helps ensure that resources are assigned where they are needed most, audit work concentrates on key issues, and reported findings are significant and meaningful.
Here is what a risk-based internal audit actually covers.
Strategic risks: These are risks that can derail your long-term business goals. Internal auditors assess whether your strategy is realistic given market conditions, competition, and regulatory changes.
They examine whether your management team is monitoring external threats like new competitors, policy shifts, or economic downturns.
Operational risks: This covers your day-to-day business processes. Auditors review how work flows from start to finish in each department. They look at revenue cycles, procurement, inventory management, production, and service delivery.
The focus is on processes where failure would cause serious damage to your business. For example, if your cash handling process has weak controls, that gets priority attention.
Financial risks: Auditors examine core financial processes: order-to-cash, procure-to-pay, record-to-report, and payroll.
They check whether financial data is captured correctly at the source, whether reconciliation procedures detect discrepancies, and whether your organisation monitors data quality. Journal entries, account reconciliations, and estimates receive particular scrutiny because these are frequent sources of material misstatement.
Compliance risks: This includes adherence to the Companies Act, GST laws, income tax regulations, RBI guidelines, and industry-specific requirements.
Auditors verify whether your processes comply with applicable laws and whether you have documentation to prove compliance.
Information technology risks: As businesses become more system-driven, IT risks demand attention. Auditors assess cybersecurity, access controls, data protection, system resilience, and IT governance. The RBI explicitly requires information system audits as part of risk-based internal audits for banks and financial institutions.
Fraud risks: Auditors look for patterns that indicate potential fraud.
They analyse transaction data for anomalies like unusual discounting, refunds, round-sum payments, duplicate invoices, or authority violations. Continuous monitoring helps detect fraud significantly earlier than manual testing.
Governance risks: This covers how decisions are made, how authority is delegated, and whether the board and management exercise proper oversight.
Auditors assess whether the right person has the right authority and whether accountability is clearly defined.
5 Business Benefits Beyond Compliance
Internal audit is far more than a compliance checkbox. Done right, with experts like PKC, internal audits can deliver tangible business benefits, including:
1. Operational Efficiency and Cost Optimisation
Internal auditors review your processes and identify bottlenecks, duplicated efforts, and unnecessary steps. They often surface revenue leakage or cost inefficiencies that businesses are too close to spot.
Overcharging by vendors, missing credit notes, and procurement done outside approved channels are common findings with direct financial impact. An internal audit that uncovers even one significant control gap covers the cost of the engagement many times over.
2. Fraud Prevention and Early Detection
Internal audit creates a visible, ongoing control environment that discourages manipulation. Regular reviews of high-risk transactions like vendor payments, expense claims, write-offs, etc. raise the detection risk enough to deter opportunistic fraud.
Organisations that implement continuous monitoring detect fraud significantly earlier than those relying on manual testing. Early detection means lower losses and less damage to your reputation.
3. Stronger Fundraising and Due Diligence
Investors and lenders look for well-governed companies. A strong internal audit function signals that you take risk management seriously. When you approach banks for loans or investors for funding, having an internal audit track record adds credibility.
It shows that your financial data is reliable, your controls are effective, and your management team understands risk. Transparent, well-governed enterprises are more likely to attract long-term capital. This is especially important for mid-sized Indian companies looking to scale.
4. Better Management Decisions
Internal audits offer insights into a company’s strengths and weaknesses, aiding informed decision-making and supporting long-term strategic planning and growth.
Department heads who receive regular internal audit findings have data on where their teams are performing well and where processes are breaking down. This information is difficult to get through routine reporting alone.
5. Stronger Governance and Risk Culture
Internal audit serves as the conscience keeper of your organisation. It ensures that processes are not only followed but optimised. It holds management accountable. It creates a culture where people understand that controls exist for a reason, not just for show.
When audit findings are practical and consider business realities, teams become more open to accepting and implementing suggestions. Over time, this builds a risk-aware culture where problems are identified and fixed early, before they escalate.
What to Expect in an Engagement
When you engage an expert for an internal audit, you are entering a structured process with clearly defined stages. Here is what actually happens, stage by stage:
Stage 1: Planning and Scoping
The audit committee/board, internal auditor, and key stakeholders define the audit scope, frequency, coverage, and timelines. The audit team reviews business operations, concerns, policies, SOPs, regulatory requirements, past audit findings, and recent regulatory changes.
They assess the risk-control matrix to identify high-risk areas and evaluate the effectiveness of existing controls. With these insights, the team develops a formal audit plan, allocates resources, sets timelines, and prepares a detailed internal audit checklist.
A good management consulting firm will share the plan upfront, giving you clarity on what they will audit, when, and why.
Stage 2: Fieldwork and Data Collection
Next, the audit team conducts detailed testing to evaluate the effectiveness of controls and verify compliance with policies and regulations.
Auditors interview employees and management, review transaction samples, examine supporting documents, test system access controls, and compare actual practices against documented procedures.
They also perform physical verification of assets, inventory, and records to confirm accuracy and existence.
Using data analytics tools such as IDEA, ACL, and Power BI, the team analyzes large volumes of data, identifies anomalies, detects irregular patterns, and flags potential fraud or financial misstatements.
This approach provides comprehensive insights while minimizing disruption to daily operations.
Stage 3: Draft Findings and Management Response
After fieldwork, preliminary findings are shared with process owners for a response before the report is finalised.
This step is important as it allows factual corrections and gives management an opportunity to address issues before the report reaches the audit committee.
Stage 4: Reporting & Follow-up
The final report is presented to the audit committee or board. Audit reports are customised to meet the requirements of each stakeholder in an organisation, helping them make the right decisions.
A good internal audit report is specific, actionable, and prioritised by risk severity.
Findings without follow-up have limited value. A proper engagement tracks the implementation of recommendations across audit cycles, so management knows what has been addressed and what remains open.
What You Need to Provide:
Expect the auditors to need access to your ERP, financial records, process documentation, and key personnel. The more prepared your team is, the faster the fieldwork moves.
For an IT systems audit, for example, you will need to share access logs, security policies, asset lists, backup reports, change management logs, and compliance documentation. Your audit team will give you a clear list of required documents well in advance.
Timeline:
Depending on your business size and complexity, an internal audit engagement typically takes anywhere from two weeks to three months.
PKC conducts over 1,000 audits annually with a team of 20+ qualified chartered accountants, so they have the capacity and systems to complete engagements accurately and on time.
PKC India’s Internal Audit Methodology
At PKC Management Consulting, we approach internal audit as a strategic partnership. Our methodology is structured, risk-based, and designed to deliver actionable insights that drive real business improvement.
Here are the elements that distinguish our internal audit methodology:
- Risk-based audit planning: Instead of using generic audit samples, PKC’s internal auditors adopt a risk-based internal audit methodology. Audit tools help assign risk scores to specific departments, transactions, or business activities, allowing auditors to prioritise high-risk areas.
- AI-powered audit techniques: We use proprietary audit tools that automate certain aspects of audit and improve quality, spending less time on data extraction and comparison, and allowing more time for audit and analysis.
- Result-oriented recommendations: PKC tracks recommendations through a compliance monitoring system until they are actually implemented, not just reported and left to management. This closes the loop between findings and outcomes.
- Performance partnership: Our internal audit teams act as performance partners rather than compliance agents. That domain depth is built from the ground up — PKC’s audit articleship programme in Chennai trains professionals across statutory audit, internal audit, concurrent audit, and process audit on live client engagements, which means the team arriving at your audit already understands how real businesses operate.
What You Will Receive:
With PKC you will get more than a report. You get a 360° view of your company’s financial health and operational efficiency.
The insights are customized to your business, presented in clear language, and backed by data. The goal is not just to flag problems but to give you a roadmap for fixing them.
PKC conducts internal audits covering financial, process, and compliance dimensions, with specific capability in ERP environments including SAP, Oracle, and Tally.
For companies seeking a CA firm for internal audit in Chennai or across India, we offer both the regulatory depth and the business perspective needed to make internal audit genuinely useful.
Schedule a call with our experts today.
FAQs
When is internal audit mandatory in India?
The requirement is governed by Section 138 of the Companies Act, 2013 and applies to certain classes of companies. All listed companies must comply. Unlisted public companies are covered if they meet any one of four thresholds: turnover ≥ ₹200 crore, paid-up capital ≥ ₹50 crore, bank borrowings > ₹100 crore, or deposits ≥ ₹25 crore. Private companies are covered if turnover exceeds ₹200 crore or bank borrowings exceed ₹100 crore. Thresholds are checked against the previous financial year.
What is the difference between internal and statutory audit?
Statutory audit is mandatory for every company and involves an independent examination of financial statements for shareholders. Internal audit is a management tool with a broader scope covering operations, risk, compliance, and internal controls. Internal auditors are engaged by management and may be in-house or outsourced; statutory auditors are independent professionals appointed by shareholders. The two serve different purposes and report to different principals.
How much does an internal audit cost?
There is no fixed rate. Fees depend on company size, the number of locations, the scope of coverage, and the frequency of audits. For a company with ₹200–500 crore turnover, expect approximately ₹1.5–3 lakh per year for quarterly external audits covering major functional areas. Larger companies with multiple business units or complex ERP environments will typically pay more. PKC charges based on person-days spent, which keeps the fee tied to actual effort rather than a flat retainer.
What does an internal auditor actually check?
The scope varies by engagement, but typically covers: financial transaction accuracy, internal control effectiveness, regulatory compliance (GST, TDS, labour laws), vendor and procurement processes, inventory management, IT and system access controls, and fraud indicators. It includes the review of operational processes, financial records, internal controls, risk management, compliance with internal policies, and detection of fraud or inefficiency. The audit committee or board defines the specific coverage areas before each audit cycle.

