PKC Management Consulting

Is Internal Audit Mandatory for All Private Limited Companies in India?

Written By – PKC Desk | Edited By – Uma Maheswari | Reviewed By – Vignesh

TL;DR Summary

The Companies Act 2013 (Section 138) makes internal audit mandatory for private companies meeting specific financial thresholds—turnover above ₹200 crore or outstanding loans/deposits above ₹100 crore. This guide explains exactly which private companies are covered, what the audit must cover, and the consequences of non-compliance.

Internal audit is mandatory for a private limited company in India under Section 138 of the Companies Act 2013 if it meets either of these conditions in the preceding financial year: turnover exceeding ₹200 crore, or outstanding loans and borrowings from banks or public financial institutions exceeding ₹100 crore at any point during the year. Companies below these thresholds are not legally required to appoint an internal auditor, but a voluntary risk-based internal audit covering finance, GST compliance, procurement, payroll, inventory, and IT controls is strongly recommended for growing businesses, investor-funded companies, and those with high transaction volumes or complex operations.

Audits are mandatory for all big corporations, but what is the applicability of internal audit for private companies?

Explore with us the criteria for internal audit services applicability for private limited companies.

Introduction

Internal audit has become an important part of corporate governance for companies in India. Earlier, many private limited companies treated internal audit as a process meant only for large listed entities. However, with increased regulatory focus, lender expectations, and business risks, internal audit is now considered a critical management tool even for medium-sized private companies.

Under Section 138 of the Companies Act, 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014, certain classes of companies are required to appoint an internal auditor. The requirement depends mainly on turnover, borrowings, and deposits.

For many promoters and finance teams, one common question is: “Does my private limited company require internal audit?” This blog explains the latest applicability rules for 2026, practical compliance requirements, the role of the audit committee, the difference between NFRA and internal auditors, and the consequences of non-compliance.

This article is prepared for business owners, finance managers, startup founders, and private company directors who want a simple explanation of the law without complicated legal language.

What is Internal Audit?

Internal audit is an independent review process conducted within an organization to evaluate internal controls, operational efficiency, compliance, and risk management.

Unlike statutory audit, which mainly focuses on financial statements, internal audit checks how business processes are functioning on a day-to-day basis. It helps management identify gaps, errors, fraud risks, process weaknesses, and compliance failures before they become major issues.

An internal auditor may review:

  • Accounting processes
  • Purchase and payment controls
  • Payroll systems
  • Inventory management
  • Vendor management
  • GST and tax compliance
  • Delegation of authority
  • Internal financial controls
  • Information technology controls
  • Risk management systems

The objective of internal audit is not only to detect mistakes but also to improve systems and strengthen governance.

Legal Provision for Internal Audit in India

The legal requirement for internal audit comes from Section 138 of the Companies Act, 2013.

Section 138 states that prescribed classes of companies are required to appoint an internal auditor. The internal auditor may be:

  • A Chartered Accountant
  • A Cost Accountant
  • Another qualified professional as decided by the Board

The scope, methodology, periodicity, and reporting framework are generally decided by the Audit Committee or the Board of Directors in consultation with the internal auditor.

The detailed applicability conditions are provided under Rule 13 of the Companies (Accounts) Rules, 2014.

Updated Threshold Table — Turnover, Borrowing & Deposit Limits for 2026

As of 2026, the following classes of companies are required to appoint an internal auditor under Rule 13 of the Companies (Accounts) Rules, 2014.

Applicability for Private Limited Companies

A private limited company must appoint an internal auditor if it meets any one of the following conditions during the preceding financial year:

  1. Turnover of more than ₹200 crore

  OR

  2. Outstanding loans or borrowings from banks or public financial institutions exceeding ₹100 crore at any point during the financial year

Applicability for Unlisted Public Companies

An unlisted public company must appoint an internal auditor if it meets any one of the following:

  • Paid-up share capital of ₹50 crore or more
  • Turnover of more than ₹200 crore
  • Outstanding loans or borrowings exceeding ₹100 crore
  • Outstanding deposits of ₹25 crore or more

Applicability for Listed Companies

Every listed company is mandatorily required to appoint an internal auditor irrespective of turnover or borrowings.

Important Practical Point

The turnover and borrowing limits are checked based on the immediately preceding financial year. Therefore, companies should review their financial statements annually to determine applicability.

For example:

If a private company crosses ₹200 crore turnover during FY 2025-26, internal audit becomes applicable for FY 2026-27.

Meaning of Turnover for Internal Audit Applicability

Turnover generally refers to gross revenue generated from operations during the financial year. Companies should rely on audited financial statements for determining turnover.

Borrowings include:

  • Term loans
  • Working capital facilities
  • Cash credit limits utilised
  • Loans from public financial institutions

The borrowing threshold is checked at any point during the year and not only at year-end.

Why Internal Audit is Important for Private Limited Companies?

Many private companies believe internal audit is only a compliance requirement. In reality, internal audit provides significant business benefits.

  1. Better Financial Control

Internal audit helps companies ensure that transactions are properly authorised, recorded, and monitored. This reduces accounting errors and improves financial discipline.

  2. Fraud Prevention

Weak internal controls increase the risk of fraud and misuse of company resources. Internal audit helps identify suspicious transactions and control weaknesses early.

  3. Improved Compliance

Companies today must comply with GST, TDS, labour laws, Companies Act provisions, FEMA regulations, and industry-specific laws. Internal audit supports compliance monitoring.

  4. Stronger Governance

Investors, banks, and private equity funds increasingly expect structured internal control systems. A strong internal audit framework improves business credibility.

  5. Operational Efficiency

Internal audit reviews workflows and operational processes. This helps management identify delays, wastage, duplication, and inefficiencies.

  6. Support During Statutory Audit

A well-maintained internal audit system reduces issues during statutory audit and improves financial reporting quality.

Who Can Be Appointed as Internal Auditor?

Under Section 138, the internal auditor may be:

  • A Chartered Accountant
  • A Cost Accountant
  • Another qualified professional
  • An external audit firm
  • An employee of the company (in certain situations)

Many companies prefer appointing an independent external firm to ensure objectivity and professional reporting.

The Board of Directors usually passes a resolution approving the appointment.

Can Statutory Auditor Also Become Internal Auditor?

As a general governance practice, companies should avoid appointing the statutory auditor as internal auditor because independence may be affected.

The statutory auditor is expected to independently evaluate financial statements. If the same person performs internal audit, there may be a conflict in reviewing their own work.

Companies should obtain professional advice before considering such appointments.

Risk-Based Internal Audit — What Private Companies Should Follow

Modern internal audit is moving away from checklist-based reviews and focusing more on risk-based internal audit.

A risk-based internal audit approach identifies areas where the company faces the highest operational, financial, compliance, or fraud risk.

Globally accepted frameworks such as COSO and the Institute of Internal Auditors (IIA) framework are commonly used for designing risk-based audit systems.

Under a risk-based framework, companies generally focus on:

  • Revenue leakage risks
  • Procurement risks
  • Cybersecurity and IT risks
  • GST and tax exposure
  • Vendor dependency
  • Payroll fraud
  • Related party transactions
  • Cash flow management
  • Delegation of authority failures
  • Inventory pilferage
  • Regulatory non-compliance

For mid-sized private companies, a practical risk-based internal audit model usually includes:

  • Quarterly risk assessment
  • Process walkthroughs
  • Testing of controls
  • Exception reporting
  • Corrective action tracking
  • Management reporting

Instead of checking every transaction, the internal auditor focuses on areas with greater business impact.

How Frequently Should Internal Audit Be Conducted?

The Companies Act does not prescribe a fixed frequency for internal audit. The periodicity is generally decided by the Audit Committee or Board.

In practice:

  • Large companies generally conduct quarterly internal audits
  • Medium-sized companies may conduct half-yearly reviews
  • Smaller companies may conduct annual internal audits

However, businesses with higher transaction volumes or operational risks usually benefit from more frequent reviews.

Audit Committee Requirements for Private Companies

Many business owners confuse internal audit applicability with audit committee applicability. These are different compliance requirements.

Under Section 177 of the Companies Act, certain classes of companies are required to constitute an Audit Committee.

Audit Committee applicability generally covers:

  • Listed companies
  • Certain public companies crossing prescribed thresholds

Most small and medium private limited companies are not required to form an Audit Committee unless specifically covered under the law.

Where an Audit Committee is not applicable, the Board of Directors performs the responsibilities relating to internal audit oversight.

The Audit Committee or Board generally decides:

  • Scope of internal audit
  • Audit plan
  • Reporting structure
  • Review of findings
  • Corrective action monitoring

Even where not legally mandatory, many growing private companies voluntarily form governance committees for better oversight.

NFRA vs Internal Auditor — Who Oversees What?

Many companies confuse the role of NFRA with internal audit.

NFRA refers to the National Financial Reporting Authority established under Section 132 of the Companies Act, 2013.

NFRA mainly regulates:

  • Auditing standards
  • Accounting standards
  • Statutory auditor oversight
  • Professional misconduct relating to auditors

NFRA does not perform internal audit of companies.

Internal auditors are appointed by companies to review operational and internal control systems.

The role of an internal auditor is completely different from NFRA oversight.

NFRA applicability for private companies is limited and generally depends on prescribed thresholds or public interest considerations. Most ordinary private limited companies are not directly regulated by NFRA unless specifically covered under applicable rules.

In simple terms:

NFRA regulates auditors and audit quality.
Internal auditors review company processes and controls.

Difference Between Internal Audit and Statutory Audit

Internal Audit

  • Conducted for management and governance improvement
  • Focuses on controls, operations, risks, and processes
  • Scope is flexible
  • Conducted periodically during the year
  • Reports submitted to management or Audit Committee

Statutory Audit

  • Mandatory under Companies Act for all companies
  • Focuses on true and fair presentation of financial statements
  • Conducted annually
  • Auditor issues audit opinion on financial statements
  • Reports submitted to shareholders

Both audits are important but serve different purposes.

What Happens if Internal Audit is Not Conducted?

Failure to comply with internal audit requirements may result in regulatory and governance consequences.

Possible consequences include:

  1. Non-compliance under Companies Act

Failure to appoint an internal auditor when applicable may be treated as non-compliance under the Companies Act, 2013.

  2. Board Governance Concerns

Directors may face questions regarding failure to maintain adequate internal control systems.

  3. Increased Risk of Fraud and Errors

Without internal audit, management may not identify process failures, fraud risks, or compliance gaps on time.

  4. Issues During Statutory Audit

Statutory auditors may report internal control weaknesses or governance deficiencies.

  5. Lender and Investor Concerns

Banks, investors, and due diligence teams increasingly review internal control systems before funding or investments.

  6. Possible Regulatory Notices

Companies may receive notices seeking clarification regarding non-compliance with Section 138 and related rules.

Practical Internal Audit Areas for SMEs and Mid-Sized Companies

For small and medium enterprises, internal audit should be practical and focused.

Key review areas generally include:

Finance and Accounts

  • Bank reconciliation
  • Expense approvals
  • Journal entry controls
  • Revenue recognition
  • Cash handling

GST and Tax Compliance

  • GST returns
  • Input tax credit validation
  • TDS deductions
  • Advance tax compliance

Procurement

  • Vendor approvals
  • Purchase order controls
  • Duplicate payments
  • Related party transactions

Inventory

  • Stock verification
  • Slow-moving inventory
  • Material consumption review
  • Inventory valuation

Payroll

  • Employee master controls
  • Attendance verification
  • Salary approvals
  • Statutory deductions

IT Controls

  • Access rights
  • Data backups
  • ERP controls
  • Password management

Companies may also maintain a standard internal audit checklist for periodic review. 

Businesses looking for a practical SME internal audit checklist should consider maintaining a separate documented checklist covering finance, compliance, procurement, inventory, payroll, and IT controls.

How to Appoint an Internal Auditor

The typical process for appointment includes:

Step 1 — Evaluate Applicability

Review turnover, borrowings, and deposits based on audited financial statements.

Step 2 — Select Auditor

Identify a qualified professional or firm.

Step 3 — Board Approval

Pass a Board Resolution approving the appointment.

Step 4 — Define Scope

Decide audit coverage, reporting frequency, and timelines.

Step 5 — Conduct Audit

Internal auditor performs reviews and submits reports.

Step 6 — Corrective Action

Management implements corrective actions based on observations.

Best Practices for Private Limited Companies

Even where internal audit is not mandatory, companies should consider voluntary internal audit if:

  • Business operations are expanding rapidly
  • Multiple branches exist
  • Cash transactions are high
  • Inventory management is complex
  • Investor funding is expected
  • ERP systems are implemented
  • Fraud risk is increasing

Good internal audit practices include:

  • Independent reporting
  • Timely management response
  • Risk-based audit planning
  • Documentation of corrective actions
  • Periodic follow-up reviews

What is the Role of Internal Audit in Startup and Growing Companies?

Startups and fast-growing companies often focus heavily on growth and fundraising. However, weak controls during growth stages may create future problems.

Internal audit helps startups establish:

  • Expense discipline
  • Approval workflows
  • Vendor controls
  • Compliance systems
  • Delegation structures
  • Financial reporting accuracy

Investors and due diligence teams increasingly evaluate internal control maturity before investments.

Technology and Internal Audit

Technology is transforming internal audit functions.

Modern audit practices now use:

  • Data analytics
  • ERP-based controls
  • Automated exception reports
  • Continuous auditing tools
  • Dashboard reporting

Companies using accounting software and ERP systems should periodically review user access controls and system-generated reports.

Conclusion

Internal audit is no longer viewed as a process meant only for large corporations. In today’s business environment, even private limited companies need strong internal control systems to manage compliance, operational risks, and governance expectations.

Under Section 138 of the Companies Act, 2013, private companies crossing turnover or borrowing thresholds are required to appoint an internal auditor. However, even companies below the threshold may benefit significantly from a structured internal audit framework.

A practical and risk-based internal audit system helps businesses improve operational efficiency, strengthen financial discipline, reduce fraud risks, and build investor confidence.

Companies should periodically review applicability conditions, maintain proper documentation, and adopt a proactive compliance approach.

References

  • Ministry of Corporate Affairs — Companies Act, 2013
  • Section 138 of the Companies Act, 2013
  • Rule 13 of the Companies (Accounts) Rules, 2014
  • National Financial Reporting Authority (NFRA) framework and notifications


Frequently Asked Questions

  1. Is internal audit mandatory for every private limited company?

No. Internal audit becomes mandatory only if the company crosses prescribed thresholds under Rule 13 of the Companies (Accounts) Rules, 2014.

  2. What is the turnover limit for internal audit applicability for private companies in 2026?

Internal audit is mandatory if turnover exceeds ₹200 crore during the preceding financial year.

  3. What is the borrowing limit for internal audit applicability?

Internal audit becomes mandatory if outstanding loans or borrowings from banks or public financial institutions exceed ₹100 crore at any point during the preceding financial year.

  4. Can a company employee become internal auditor?

Yes, in certain cases, the internal auditor may be an employee of the company. However, many companies prefer independent professionals for better objectivity.

  5. Is internal audit different from statutory audit?

Yes. Internal audit focuses on controls and operational risks, whereas statutory audit focuses on financial statements and statutory reporting.

  6. Does NFRA conduct internal audit?

No. NFRA regulates auditing and accounting standards and oversees certain audit-related matters. It does not conduct internal audits of companies.

  7. What happens if internal audit is not conducted?

Non-compliance may result in governance issues, regulatory scrutiny, lender concerns, and higher operational risks.
