
Internal Audit with Risk-Based Approach

Risk-based internal audit (RBIA) aligns audit effort to enterprise risk. Under Section 138 of the Companies Act, 2013, internal audit is mandatory for listed companies, large unlisted public companies, and private companies above specified turnover or borrowing thresholds. The audit team builds a risk universe scoring processes on impact and likelihood, develops an annual audit plan approved by the Audit Committee, conducts engagements using analytics and walkthroughs, and reports findings ranked by severity for management action through FY 2026-27.

Mayank Wadhera
Published: 30 Aug 2023
Updated: 23 May 2026
15 min read

Build a risk-based internal audit function under Section 138 and the SIA framework — risk universe, audit cycle, analytics, and Audit Committee reporting.

Internal Audit with Risk-Based Approach

Risk-based internal audit (RBIA) is the discipline of concentrating audit effort on the processes and controls whose failure would inflict the most damage—financial, operational, reputational, or regulatory—on your organisation. In FY 2026-27, Section 138 of the Companies Act, 2013 mandates internal audit for listed companies and large private/unlisted public companies above specified thresholds. The ICAI's Standards on Internal Audit (SIA) and the COSO Enterprise Risk Management (ERM) framework supply the methodological structure. Build your risk universe correctly, deploy data analytics, and align reporting to the Audit Committee, and internal audit moves from a compliance checkbox to a genuine early-warning system for the Board.


When is Internal Audit Mandatory? Section 138 Thresholds

Section 138 of the Companies Act, 2013, read with Rule 13 of the Companies (Accounts) Rules, 2014, makes the appointment of an internal auditor mandatory for the following classes of companies:

Listed companies: All listed companies, regardless of size, must appoint an internal auditor.

Unlisted public companies must appoint an internal auditor if any one of these conditions is met during the preceding financial year:

  • Paid-up share capital of Rs. 50 crore or more
  • Turnover of Rs. 200 crore or more
  • Outstanding loans or borrowings from banks/public financial institutions exceeding Rs. 100 crore
  • Outstanding deposits of Rs. 25 crore or more

Private companies must appoint an internal auditor if any one of these conditions is met:

  • Turnover of Rs. 200 crore or more
  • Outstanding loans or borrowings exceeding Rs. 100 crore

Sector-regulated entities — banks, insurance companies, NBFCs, and SEBI-regulated intermediaries — face additional internal audit requirements prescribed by their respective regulators (RBI, IRDAI, SEBI) that often override or supplement the Companies Act thresholds.

The internal auditor may be a Chartered Accountant (whether in practice or employed), a Cost Accountant, or any other professional as the Board decides. Critically, Section 138 says the internal auditor may or may not be an employee of the company — meaning co-sourcing and fully outsourced arrangements are explicitly permitted. The Audit Committee (or Board, where no Audit Committee exists) formulates the scope, functioning, periodicity, and methodology of the internal audit.


What "Risk-Based" Actually Means — and How It Differs from Calendar Auditing

Traditional internal audit follows the calendar: audit the finance function in Q1, procurement in Q2, HR in Q3, and IT in Q4 — every year, same rotation. The problem with this model is that it treats all processes as equally important and allocates audit hours by habit, not by exposure.

Risk-based internal audit inverts this logic. You start with the question: if this process or control failed tomorrow, what would the consequences be? The answer determines how much audit time and depth it receives. A process that is low-risk and well-controlled might appear in the audit plan every three years. A process sitting in the high-risk quadrant of your heat map gets a deep-dive engagement every cycle — potentially twice a year.

The COSO ERM (Enterprise Risk Management) 2017 framework provides the conceptual architecture. It integrates risk management with strategy-setting across five interrelated components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication and Reporting. For internal audit purposes, what matters most is the Performance component — which is where the organisation identifies, assesses, and prioritises risks. The internal audit plan should mirror that prioritisation, not substitute a parallel and disconnected one.

The practical test: if your Chief Financial Officer or CEO picks up your annual audit plan and cannot immediately see the link between the high-priority engagements and the enterprise's top strategic and operational risks — your plan is not risk-based, it is risk-labelled.


Building Your Risk Universe: A Step-by-Step Framework

The risk universe is the master inventory of every auditable entity — every process, system, legal entity, geography, or control objective that internal audit could in principle examine. Building it rigorously is the single most important preparatory step for RBIA.

Step 1: Map All Auditable Entities

Start with the process level, not the department level. Typical categories include:

  • Revenue cycle: Order-to-cash, pricing, returns and credits, revenue recognition under Ind AS 115
  • Procurement cycle: Procure-to-pay, vendor onboarding, contract management, related-party purchases
  • Treasury and finance: Cash management, bank reconciliations, investments, borrowings
  • Statutory compliance: GST (GSTR-1, GSTR-3B, GSTR-9 annual return), TDS/TCS, MCA filings, FEMA
  • Human resources: Payroll, PF/ESI (EPFO, ESIC), joinings/exits, expense claims
  • IT and cybersecurity: Access management, change control, business continuity, data privacy
  • Financial reporting: Period-end close, manual journal entries, provisions, related-party disclosures
  • ESG/BRSR: Sustainability data collection, supply chain disclosures, grievance mechanisms

A mid-size manufacturing company with Rs. 350 crore turnover will typically identify 22–28 auditable entities at this stage.

Step 2: Score Each Entity on Two Dimensions

For every entity on the list, assign a score of 1–5 (or 1–3 for simplicity) on:

  • Inherent impact — the potential financial, regulatory, or reputational loss if the process failed completely. A payroll fraud of Rs. 50 lakh scores higher than a mailing list error.
  • Likelihood/Control adequacy — how likely is a significant control failure, given the current control environment? An absence of automated three-way matching in procurement scores high likelihood; an automated reconciliation with daily exception reporting scores low.

Risk score = Impact × Likelihood. Entities scoring above 12 (on a 5×5 scale) fall in the high-risk tier.

Step 3: Plot the Heat Map and Assign Audit Frequency

Risk Tier | Score Range | Audit Frequency
Critical  | 20–25       | At least once per year; targeted mid-year follow-up
High      | 12–19       | Once per year
Medium    | 6–11        | Every 18–24 months
Low       | 1–5         | Every 3 years or as required

Step 4: Refresh the Universe

The risk universe should be formally reviewed at the start of each financial year before the Audit Committee approves the annual plan. For FY 2026-27, that review should have occurred in March–April 2026. Additionally, schedule a quarterly sense-check to incorporate emerging risks — cybersecurity incidents, regulatory changes, market disruptions, or a new business line.
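The four steps above carried through in code, as an added example that is not part of the article: each auditable entity is scored Impact × Likelihood on the 1–5 scale, mapped to a tier and audit frequency using the heat-map table, sorted into a plan, and a refresh check flags any entity whose tier moved between two reviews (the Step 4 refresh). The entity names and scores are constructed for illustration.

```python
"""Risk-universe scoring and audit-frequency assignment (added example)."""
from dataclasses import dataclass

# Tier boundaries and frequencies follow the heat-map table in the article.
# Scores are Impact x Likelihood with each factor on a 1-5 scale (max 25).
TIERS = [
    ("Critical", 20, 25, "at least once per year; targeted mid-year follow-up"),
    ("High", 12, 19, "once per year"),
    ("Medium", 6, 11, "every 18-24 months"),
    ("Low", 1, 5, "every 3 years or as required"),
]


@dataclass
class AuditableEntity:
    name: str
    impact: int       # inherent impact, 1-5
    likelihood: int   # likelihood of control failure, 1-5 (control adequacy)

    def score(self) -> int:
        for value in (self.impact, self.likelihood):
            if not 1 <= value <= 5:
                raise ValueError("impact and likelihood must be on a 1-5 scale")
        return self.impact * self.likelihood


def tier_for(score: int):
    """Map a 1-25 risk score to (tier name, audit frequency)."""
    for name, low, high, frequency in TIERS:
        if low <= score <= high:
            return name, frequency
    raise ValueError(f"score {score} is outside the 1-25 range")


def build_plan(entities):
    """Return one row per entity, highest risk first, with tier and frequency."""
    rows = []
    for entity in entities:
        score = entity.score()
        tier, frequency = tier_for(score)
        rows.append({"entity": entity.name, "impact": entity.impact,
                     "likelihood": entity.likelihood, "score": score,
                     "tier": tier, "frequency": frequency})
    rows.sort(key=lambda r: (-r["score"], r["entity"]))
    return rows


def tier_changes(previous, current):
    """Step 4 refresh check: entities whose tier differs between two reviews.
    Returns (entity, previous tier or 'not assessed', current tier)."""
    prev = {r["entity"]: r["tier"] for r in build_plan(previous)}
    return [(r["entity"], prev.get(r["entity"], "not assessed"), r["tier"])
            for r in build_plan(current) if prev.get(r["entity"]) != r["tier"]]


# Constructed sample universe; scores are hypothetical, not from any real company.
SAMPLE_UNIVERSE = [
    AuditableEntity("Procure-to-pay", 5, 4),             # 20 -> Critical
    AuditableEntity("Order-to-cash", 5, 3),              # 15 -> High
    AuditableEntity("Payroll / PF / ESI", 4, 3),         # 12 -> High
    AuditableEntity("GST returns (GSTR-1/3B/9)", 4, 2),  # 8  -> Medium
    AuditableEntity("Bank reconciliations", 3, 2),       # 6  -> Medium
    AuditableEntity("Expense claims", 2, 2),             # 4  -> Low
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_UNIVERSE):
        print(f"{row['entity']:<30} {row['score']:>3}  {row['tier']:<8} {row['frequency']}")
```

The refresh check is the piece most often missing in practice: running `tier_changes` on last year's and this year's universe gives the Audit Committee a one-screen list of what moved, which is exactly the evidence that the plan was re-scored rather than carried forward.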


The RBIA Audit Cycle: Five Phases

Once the annual audit plan is Audit Committee-approved, each individual engagement follows a disciplined five-phase cycle prescribed by the ICAI's SIA framework.

Phase 1 — Planning: Define the engagement objective, scope, and methodology in writing. Identify key stakeholders, review prior audit findings and management action plan status, and assess risks specific to the engagement. SIA 1 (Planning the Internal Audit) requires this to be documented before fieldwork begins.

Phase 2 — Scoping and Walkthroughs: Walk through the process with process owners. Map the control points — preventive, detective, and corrective. Identify where manual controls exist versus automated controls, because manual controls are inherently higher-risk and require larger sample sizes or 100% population testing.

Phase 3 — Fieldwork: Execute control tests, transactional testing, and data analytics. Document evidence in working papers that comply with SIA 3 (Documentation). Working papers must be sufficient to allow another experienced auditor to independently reach the same conclusion.

Phase 4 — Reporting: Draft findings ranked by risk severity (Critical / High / Medium / Low), with clear root-cause analysis and agreed management action plans (MAPs) with owner names and target dates. SIA 4 (Reporting) requires the final report to be communicated to the Audit Committee. Avoid "management speak" in findings — write the risk and consequence plainly.

Phase 5 — Follow-Up: Track MAP closure through a central tracker. Re-test open items from prior cycles at the start of each new cycle. Recurrent findings that management fails to remediate must be escalated to the Audit Committee — not managed quietly.


SIA Standards: The Methodological Backbone

The ICAI has issued a series of Standards on Internal Audit that govern how the function operates in India. Key standards for a risk-based programme include:

  • SIA 1 (Revised): Planning the Internal Audit — covers the risk assessment process, audit objectives, and resource allocation
  • SIA 3: Documentation — working paper requirements, retention, and confidentiality
  • SIA 4: Reporting — content, format, distribution, and communication of audit findings
  • SIA 5: Sampling — statistical and non-statistical sampling methods; guidance on determining sample sizes
  • SIA 12: Internal Control Evaluation — the framework for assessing the design and operating effectiveness of controls
  • SIA 13: Enterprise Risk Management — integrating ERM with the internal audit function
  • SIA 14: Internal Audit in an Information Technology Environment — IT general controls, application controls, and cybersecurity considerations

SIA standards have de facto mandatory status for Chartered Accountants performing internal audit engagements under Section 138. Non-compliance with SIA standards is a professional conduct matter before the ICAI. When appointing an external internal audit firm, your engagement letter should specifically require compliance with applicable SIAs and require working papers to be retained for a minimum of seven years.


Data Analytics: From Sampling to 100% Population Testing

The single biggest efficiency gain in modern RBIA comes from replacing statistical sampling with full-population data analytics. Where a traditional auditor might test 60 out of 2,400 vendor payment transactions, an analytics-enabled audit tests all 2,400 and flags every anomaly for human review.

Tools in common use:

  • ACL/Galvanize (now Diligent HighBond): Industry-standard for accounts payable analytics, duplicate detection, and gap testing
  • IDEA (CaseWare): Strong in audit trail analysis and Benford's Law testing for journal entries
  • Power BI / Tableau: For continuous monitoring dashboards shared with management and the Audit Committee
  • Python (Pandas, NumPy): For bespoke analytics — particularly useful for GST reconciliation between books and GSTR-2B on the GST portal

High-value analytics tests for Indian companies in FY 2026-27:

  1. Duplicate vendor detection: Match vendor bank account numbers, PAN, GST registration numbers, and address fields across the vendor master to identify ghost vendors or split billing schemes
  2. GSTR-2B vs. books reconciliation: Compare ITC (Input Tax Credit) claimed in your books against the GST portal's GSTR-2B auto-populated statement. Mismatches above Rs. 1 lakh per GSTIN per period are a red flag both for audit and for potential GST demand notices
  3. Benford's Law on journal entries: The natural logarithmic distribution of first digits (Benford's Law) is an effective screen for fabricated round-number journal entries, often a symptom of window-dressing
  4. Segregation of duties (SoD) analysis: Extract user-role assignments from your ERP (SAP, Oracle, Tally, or Microsoft Dynamics) and identify users who can both create a vendor and approve a payment — a classic fraud-enabling SoD conflict
  5. TDS compliance: Compare TDS deducted per books against amounts reported in Form 26Q/27Q and reflected in TRACES. Even a small gap translates into demand notices with interest under Section 201 of the Income-tax Act, 1961

Worked Example: Catching Procurement Fraud in a Rs. 350 Crore Manufacturer

Background: A private auto-components manufacturer with FY 2026-27 turnover of Rs. 350 crore (mandatory under Section 138) engaged an internal audit firm for a risk-based audit. The procurement process scored 20/25 on the risk heat map — Critical tier — because of high purchase volumes, a large supplier base of 340 active vendors, and a known prior finding of duplicate invoices two years ago.

Analytics run: The team extracted 14,280 purchase invoices for April 2025 to March 2026 — the full FY 2025-26 population — into ACL. They ran four tests:

  1. Duplicate invoice numbers from the same vendor
  2. Matching bank account numbers across different vendor GSTINs
  3. Invoices posted by the same user who also onboarded the vendor (SoD conflict)
  4. Invoices just below the Rs. 50,000 approval threshold (a classic "threshold splitting" test)

Findings:

  • Duplicate payments identified: 23 invoices amounting to Rs. 18.7 lakh paid twice over 8 months. The root cause was that the accounts payable team processed PDFs from two email folders — an original and a rescan — without a system-level duplicate check. This was not fraud; it was a control gap. Management recovered Rs. 14.2 lakh from suppliers; Rs. 4.5 lakh remained under recovery at the time of reporting.
  • Threshold splitting: 47 invoices from 3 vendors clustered between Rs. 45,000 and Rs. 49,900, all processed by the same accounts executive without the required department-head approval for invoices above Rs. 50,000. Total value: Rs. 21.3 lakh. This pattern warranted escalation to the Audit Committee as a potential control override finding.
  • SoD conflict: Two users had both vendor-creation and payment-approval rights in Tally. One of these users had onboarded a vendor subsequently paid Rs. 7.8 lakh in the year. Transaction-level review of this vendor's payments found no irregularity, but the access control gap was rated High.

Audit Committee presentation (Q2 FY 2026-27): The three findings were presented in July 2026 with risk ratings, root-cause analysis, Rs. amounts at risk, and agreed management action plans including ERP-level controls for duplicate invoice detection (to be implemented by 30 September 2026) and a SoD remediation plan. The Audit Committee directed management to report back with evidence of control implementation at the Q3 meeting.

This is what risk-based internal audit looks like in practice: a targeted, analytics-driven engagement that surfaced Rs. 40+ lakh of exposure in a single cycle, with clear accountability for remediation.
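The four tests from the worked example (which are also the duplicate-vendor and SoD tests in the analytics list earlier), run over a constructed invoice population as an added example in plain Python. This is not the audit firm's ACL script or any vendor tool's code. The vendor master, the GSTIN and bank-account placeholder strings, the user names, and the 10% near-threshold band with a minimum cluster of three are all constructed assumptions; only the Rs. 50,000 approval threshold comes from the text.

```python
"""Full-population procurement analytics (added example, constructed data)."""
from collections import defaultdict

APPROVAL_THRESHOLD = 50_000  # department-head approval required at or above this amount

# Constructed vendor master. GSTIN and bank values are placeholders, not real identifiers.
VENDORS = [
    {"vendor_id": "V001", "gstin": "GSTIN-PLACEHOLDER-001", "bank_account": "ACCT-1111", "created_by": "user_a"},
    {"vendor_id": "V002", "gstin": "GSTIN-PLACEHOLDER-002", "bank_account": "ACCT-2222", "created_by": "user_b"},
    {"vendor_id": "V003", "gstin": "GSTIN-PLACEHOLDER-003", "bank_account": "ACCT-1111", "created_by": "user_b"},  # shares a/c with V001
    {"vendor_id": "V004", "gstin": "GSTIN-PLACEHOLDER-004", "bank_account": "ACCT-4444", "created_by": "user_c"},
]

# Constructed purchase invoices (amounts in rupees).
INVOICES = [
    {"vendor_id": "V001", "invoice_no": "INV-100", "amount": 82_000, "posted_by": "user_d"},
    {"vendor_id": "V001", "invoice_no": "INV-100", "amount": 82_000, "posted_by": "user_d"},  # rescan posted twice
    {"vendor_id": "V002", "invoice_no": "INV-200", "amount": 30_000, "posted_by": "user_b"},  # user_b also onboarded V002
    {"vendor_id": "V003", "invoice_no": "INV-301", "amount": 48_500, "posted_by": "user_e"},
    {"vendor_id": "V003", "invoice_no": "INV-302", "amount": 49_200, "posted_by": "user_e"},
    {"vendor_id": "V003", "invoice_no": "INV-303", "amount": 47_900, "posted_by": "user_e"},  # three just under threshold
    {"vendor_id": "V004", "invoice_no": "INV-400", "amount": 12_000, "posted_by": "user_d"},
    {"vendor_id": "V004", "invoice_no": "INV-401", "amount": 49_000, "posted_by": "user_d"},  # single near-threshold invoice
]


def duplicate_invoices(invoices):
    """Test 1: the same vendor + invoice number posted more than once."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(inv["vendor_id"], inv["invoice_no"])].append(inv)
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


def shared_bank_accounts(vendors):
    """Test 2: one bank account behind two or more distinct GSTINs."""
    by_account = defaultdict(set)
    for vendor in vendors:
        by_account[vendor["bank_account"]].add(vendor["gstin"])
    return {acct: gstins for acct, gstins in by_account.items() if len(gstins) > 1}


def sod_conflicts(invoices, vendors):
    """Test 3: invoice posted by the same user who created the vendor."""
    creator = {v["vendor_id"]: v["created_by"] for v in vendors}
    return [inv for inv in invoices if creator.get(inv["vendor_id"]) == inv["posted_by"]]


def threshold_splitting(invoices, threshold=APPROVAL_THRESHOLD, band=0.10, min_cluster=3):
    """Test 4: clusters of invoices just under the approval threshold from one
    vendor, posted by one user. `band` and `min_cluster` are assumed tuning values."""
    low = threshold * (1 - band)
    clusters = defaultdict(list)
    for inv in invoices:
        if low <= inv["amount"] < threshold:
            clusters[(inv["vendor_id"], inv["posted_by"])].append(inv)
    return {key: hits for key, hits in clusters.items() if len(hits) >= min_cluster}


def run_all(invoices=INVOICES, vendors=VENDORS):
    """Run all four tests and return the exception lists for human review."""
    return {
        "duplicates": duplicate_invoices(invoices),
        "shared_accounts": shared_bank_accounts(vendors),
        "sod": sod_conflicts(invoices, vendors),
        "splitting": threshold_splitting(invoices),
    }


if __name__ == "__main__":
    for test, hits in run_all().items():
        print(f"{test}: {len(hits)} exception(s)")
```

Each function returns the exception population rather than a count, so the fieldwork team receives the actual invoices to trace to source documents; the functions are deliberately independent so any one can be dropped into a continuous-monitoring job on its own.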


Audit Committee Reporting: Your Section 177 Obligations

Section 177 of the Companies Act, 2013 — applicable to listed companies and companies required to have an Audit Committee under the Act — creates several specific obligations relevant to internal audit:

  • The Audit Committee must review the adequacy of the internal audit function, including its staffing, seniority, reporting structure, and frequency of reporting
  • It must review findings of internal investigations by the internal auditors and refer matters of suspected fraud or irregularity to the Board
  • It must discuss with internal auditors any significant finding and follow-up action taken by management

In practice, this translates into a quarterly internal audit presentation to the Audit Committee covering:

  1. Status of the approved audit plan (% engagements completed vs. planned)
  2. Summary of findings from completed engagements, ranked by risk severity
  3. Management action plan tracker: open items from prior periods, newly opened items, items closed in the quarter
  4. Emerging risk update: any new risk areas identified that may require an ad hoc or accelerated engagement
  5. Independence and resource update: any scope restrictions or access limitations encountered

The Chief Audit Executive (CAE) — or the engagement partner if the function is outsourced — must present directly to the Audit Committee, not through the CFO or the CEO. SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations, 2015, for listed entities, explicitly require the CAE to have a functional (dotted-line) reporting relationship to the Audit Committee, even if the administrative (solid-line) reporting is to the CFO.

Any finding rated Critical or High must be brought to the Audit Committee's attention promptly — not held until the next scheduled meeting. Most Audit Committee charters allow for written circulation with a brief turnaround window for significant findings.


High-Risk Focus Areas for FY 2026-27

Based on the current regulatory environment and common control failures encountered in practice, the following process areas warrant elevated attention in FY 2026-27 audit plans:

  • GST compliance and ITC reversal: With GST authorities intensifying scrutiny of ITC mismatches between GSTR-3B and GSTR-2B, incorrect or inflated ITC claims are a significant exposure. The audit should test whether Rule 36(4) restrictions on ITC availability are correctly applied and whether ITC on ineligible items (Section 17(5) of the CGST Act, 2017) has been reversed
  • Related-party transactions (RPTs): SEBI has tightened the RPT framework for listed entities. Internal audit should independently verify that all RPTs are arm's length, Board/Audit Committee approved, and disclosed correctly in the financial statements under Ind AS 24
  • Manual journal entries at period-end: The single most reliable indicator of financial reporting manipulation is a cluster of large, round-number, unsupported journal entries posted between the 25th and 31st of March. Benford's Law testing and a journal entry population review should be standard year-end procedures
  • Cybersecurity and IT general controls: With DPDP Act, 2023 compliance obligations gaining traction in FY 2026-27, data privacy controls and incident response processes are now audit-relevant beyond just IT security
  • BRSR (Business Responsibility and Sustainability Reporting): SEBI's BRSR framework requires top-1,000 listed companies by market cap to report on ESG metrics. Reasonable assurance on BRSR disclosures is required for the top 150 from FY 2023-24 onwards. Internal audit teams should validate the data collection processes behind BRSR disclosures before the statutory assurance engagement begins
  • Payroll and workforce compliance: With EPFO enforcement and ESIC compliance audits increasing, internal audit should verify that all eligible employees are enrolled, contributions are computed correctly on the right wage components, and ECR (Electronic Challan cum Return) filings reconcile to payroll registers

Common Mistakes in Risk-Based Internal Audit — and How to Fix Them

Mistake 1: Calling a plan "risk-based" without linking it to the enterprise risk register. The audit plan was built by the CAE independently, with no input from the enterprise risk team. The plan looks rigorous but misses a material risk (e.g., a new digital payment platform) that is on the CRO's radar. Fix: require the CAE to formally review the enterprise risk register and obtain sign-off from the CRO before presenting the plan to the Audit Committee.

Mistake 2: Treating the risk score as permanent. A process is classified Low-risk in Year 1 and is never revisited. The business acquires a new subsidiary, the process scope doubles, and the risk score should now be Critical — but the audit plan still ignores it. Fix: mandatory annual refresh with a mid-year trigger review if a business event (acquisition, new product line, regulatory change) occurs.

Mistake 3: Weak management action plans. The audit report lists findings, management responds with "noted, will be rectified" — no owner name, no target date, no definition of what "rectified" means. The Audit Committee sees a clean MAP tracker six months later because items have been marked closed without verification. Fix: every MAP entry must have a named owner, a measurable completion criterion, and a target date. The internal auditor re-tests control effectiveness — not management's self-certification — before marking an item closed.

Mistake 4: Analytics without interpretation. The team runs Benford's Law on 50,000 journal entries and produces a list of 340 exceptions. No one has time to investigate all 340, nothing is prioritised, and the report says "anomalies were noted." Fix: apply a materiality filter (e.g., only exceptions above Rs. 5 lakh) and a risk filter (posted by users with elevated access rights) before the exception list reaches the fieldwork team.
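A Benford's Law first-digit screen with the Mistake 4 fix built in (the materiality filter and the elevated-access risk filter applied before anything reaches fieldwork), as an added example in Python over a constructed journal population; this is not the article's code and not that of IDEA or any other tool it names. The Rs. 5 lakh materiality cut-off is the article's figure; the 1.5× over-representation factor, the chi-square critical value at 8 degrees of freedom (15.507 at the 5% level), the user names and the entry amounts are assumptions made for the example.

```python
"""Benford's Law first-digit screen on journal entries, with materiality and
risk filters applied before the exception list reaches fieldwork.
Added example with constructed data."""
import math
from collections import Counter

# Expected first-digit share under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL_8DF_5PCT = 15.507  # chi-square critical value, 8 d.f., alpha = 0.05


def first_digit(amount):
    """Leading significant digit of an amount; 0 for a zero amount."""
    text = str(abs(amount)).lstrip("0.")
    return int(text[0]) if text else 0


def benford_profile(amounts):
    """Observed vs expected count per leading digit, plus the chi-square statistic."""
    digits = [d for d in (first_digit(a) for a in amounts) if d]
    n = len(digits)
    counts = Counter(digits)
    profile, chi2 = {}, 0.0
    for d in range(1, 10):
        expected = BENFORD[d] * n
        observed = counts.get(d, 0)
        profile[d] = (observed, expected)
        chi2 += (observed - expected) ** 2 / expected
    return profile, chi2


def over_represented_digits(profile, factor=1.5):
    """Digits whose observed count exceeds expectation by `factor` (assumed tuning value)."""
    return {d for d, (observed, expected) in profile.items() if observed > factor * expected}


def prioritised_exceptions(entries, flagged_digits, materiality, elevated_users):
    """Keep only entries on a flagged digit that exceed materiality AND were
    posted by a user with elevated access rights (the Mistake 4 filters)."""
    return [e for e in entries
            if first_digit(e["amount"]) in flagged_digits
            and e["amount"] >= materiality
            and e["posted_by"] in elevated_users]


def constructed_journal():
    """Constructed population: 400 log-uniform amounts (Benford-conforming by
    construction), 80 round-number Rs. 9,00,000 entries by one privileged user,
    and 20 small Rs. 90,000 entries that fall below materiality."""
    entries = [{"amount": int(10 ** (3 + 4 * i / 400)), "posted_by": "clerk"} for i in range(400)]
    entries += [{"amount": 900_000, "posted_by": "fin_controller"} for _ in range(80)]
    entries += [{"amount": 90_000, "posted_by": "clerk"} for _ in range(20)]
    return entries


def run_screen(entries=None, materiality=500_000, elevated_users=frozenset({"fin_controller"})):
    """Profile the population, flag over-represented digits, then filter to a
    short, prioritised exception list for fieldwork."""
    entries = constructed_journal() if entries is None else entries
    profile, chi2 = benford_profile([e["amount"] for e in entries])
    flagged = over_represented_digits(profile)
    return {
        "population": len(entries),
        "chi2": chi2,
        "benford_rejected": chi2 > CHI2_CRITICAL_8DF_5PCT,
        "flagged_digits": flagged,
        "exceptions": prioritised_exceptions(entries, flagged, materiality, elevated_users),
    }


if __name__ == "__main__":
    result = run_screen()
    print(f"population={result['population']} chi2={result['chi2']:.1f} "
          f"rejected={result['benford_rejected']}")
    print(f"flagged digits={sorted(result['flagged_digits'])}, "
          f"exceptions for fieldwork={len(result['exceptions'])}")
```

The screen deliberately separates the population-level statistic (does the journal as a whole depart from Benford?) from the entry-level exception list; a rejected chi-square test with an empty filtered list tells the auditor the anomaly sits in low-value or low-privilege postings and deserves a different follow-up than a handful of large entries by one privileged user.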

Mistake 5: Internal audit reporting to the CFO, not the Audit Committee. The CAE functionally reports to the CFO, who reviews draft audit reports before they go to the Audit Committee — and occasionally asks for "softening" of findings. This fundamentally compromises independence. Fix: amend the Internal Audit Charter to establish a direct functional reporting line to the Audit Committee Chairperson. The CFO receives a courtesy copy simultaneously with the Audit Committee, not before.


Key Takeaways

  • Section 138 is not optional: If your company meets any one threshold — turnover ≥ Rs. 200 crore, loans > Rs. 100 crore, listed status — you must appoint an internal auditor for FY 2026-27 or face penalties under the Companies Act.
  • The risk universe is the foundation: Build it process-by-process, score it on impact and likelihood, refresh it annually, and make sure it mirrors your enterprise risk register — not last year's audit schedule.
  • SIA standards are professionally binding: Chartered Accountants performing internal audit must comply with ICAI SIA standards on planning, documentation, sampling, reporting, and IT audit.
  • 100% population testing beats sampling: Deploy ACL, IDEA, Power BI, or Python to test the full transaction population. Duplicate payments, threshold splitting, and SoD conflicts are almost invisible in a 5% sample but glaringly obvious in the full data.
  • Section 177 mandates Audit Committee oversight: The CAE must report directly to the Audit Committee, not through the CFO. Critical and High-rated findings warrant prompt escalation, not deferral to the next scheduled meeting.
  • FY 2026-27 priority areas: GST ITC mismatches, related-party transactions, period-end journal entries, DPDP-aligned IT controls, BRSR data quality, and payroll compliance.
  • MAPs without verification are fiction: Re-test control effectiveness before closing any management action plan item. Self-certification by management is not audit evidence.

Frequently Asked Questions

Which companies must mandatorily have an internal audit?
Under Section 138 of the Companies Act, 2013, internal audit is mandatory for listed companies, unlisted public companies above specified paid-up capital, turnover or borrowing thresholds, and private companies above ₹200 crore turnover or ₹100 crore borrowings. Banks, NBFCs and SEBI-regulated entities follow sector-specific rules.
Who can be appointed as internal auditor?
Section 138 read with Rule 13 of the Companies (Accounts) Rules allows a chartered accountant, cost accountant, or such other professional as decided by the Board to be appointed as internal auditor. The internal auditor can be an employee or an external firm, but cannot also act as the statutory auditor of the same company.
What is a risk-based audit plan?
A risk-based audit plan allocates audit effort based on the assessed risk of each business process or function. High-impact, high-likelihood processes receive deeper or more frequent audits, while low-risk processes are reviewed on rotation. The plan is reviewed and approved by the Audit Committee annually, with mid-year updates for emerging risks.
How does data analytics improve internal audit?
Data analytics enables 100% population testing instead of sampling, automates detection of duplicates, anomalies and policy violations, and supports continuous controls monitoring. Common applications include vendor master analysis, journal entry testing, ITC reconciliation with GSTR-2B, and payroll anomaly detection.
Mayank Wadhera
Content Reviewed By

CA | CS | CMA | Lawyer | Insolvency Professional | IBBI Valuator
