
Navigating Internal Audit in India

Internal audit in India is mandatory under Section 138 of the Companies Act 2013 for every listed company and for specified unlisted public and private companies meeting thresholds on paid-up capital, turnover, borrowings or deposits. In 2026, the internal audit scope covers internal financial controls, operational processes, statutory compliance, IT and cybersecurity, ESG data and fraud risk, and is overseen by the Audit Committee under Section 177.

Mayank Wadhera
Published: 3 May 2023
Updated: 23 May 2026
15 min read

A 2026 guide to navigating internal audit in India: applicability, scope, process, Audit Committee role and common challenges with practical solutions.

Internal audit in India is mandatory under Section 138 of the Companies Act, 2013 for listed companies, specified unlisted public companies, and private companies crossing turnover or borrowing thresholds. Beyond statutory compliance, a well-run internal audit function tests internal financial controls (IFC), supports the Audit Committee under Section 177, and, in FY 2026-27, increasingly covers IT systems, ESG data and fraud analytics. This guide walks you through applicability, scope, process, common failures and how to build a function that actually protects your business.


Who Must Appoint an Internal Auditor: Section 138 Applicability

Section 138 of the Companies Act, 2013, read with Rule 13 of the Companies (Accounts) Rules, 2014, makes internal audit mandatory for three categories of companies. The thresholds are assessed against the preceding financial year's audited financials, so a company that crossed a threshold in FY 2025-26 must comply in FY 2026-27.

Listed companies: Every company listed on any recognised stock exchange in India, regardless of size, must appoint an internal auditor.

Unlisted public companies (mandatory if any one of these conditions is met):

  • Paid-up share capital of Rs. 50 crore or more
  • Turnover of Rs. 200 crore or more
  • Outstanding loans or borrowings from banks or public financial institutions of Rs. 100 crore or more
  • Outstanding deposits of Rs. 25 crore or more

Private companies (mandatory if either condition is met):

  • Turnover of Rs. 200 crore or more
  • Outstanding loans or borrowings from banks or public financial institutions of Rs. 100 crore or more

Who qualifies as an internal auditor? The law is deliberately flexible. The internal auditor may be a Chartered Accountant (whether in practice or not), a Cost and Management Accountant, or any other professional decided by the Board. For companies with complex IT environments, specialised manufacturing processes or regulated financial operations, competence in the relevant domain matters as much as the professional qualification. A generalist firm without sector experience will produce a tick-box audit, not a risk-based one.

What if you miss the appointment? Section 450 of the Companies Act applies as the residual penalty provision for non-compliance with Section 138. Beyond any penalty, a qualification by your statutory auditor in the CARO 2020 report, noting that the internal audit system is inadequate, carries lender and investor consequences that dwarf any adjudication fine. Banks increasingly request copies of internal audit reports as a covenant condition for working capital renewals.


What the Internal Audit Charter Must Cover in FY 2026-27

The internal audit charter is the mandate document: it defines scope, authority, reporting lines and frequency. A charter that simply says "review financial transactions" is structurally inadequate. In FY 2026-27, a credible charter explicitly covers:

Internal Financial Controls and IFC Testing

Section 134(5)(e) of the Companies Act requires directors of listed companies to confirm that adequate IFC exist and operate effectively. Testing those controls is the internal auditor's primary responsibility; it is not ceremonial language in the Directors' Responsibility Statement. CARO 2020 requires the statutory auditor to report on the adequacy of the internal audit system, creating a direct link between internal audit quality and your statutory audit outcome.

Operational Process Cycles

Procurement-to-pay, order-to-cash, hire-to-retire and treasury operations carry material leakage and fraud risk. Audit of these cycles generates savings and recoveries that frequently exceed the entire internal audit engagement fee. Revenue leakage in a Rs. 300 crore company of even 0.5% equals Rs. 1.5 crore annually, an amount that makes most internal audit investments self-financing.

Statutory Compliance Reviews

GST reconciliation (GSTR-1 vs. GSTR-3B vs. books, fed into GSTR-9 and GSTR-9C), TDS computation and deposition timelines, PF/ESI compliance, MCA annual filings and RBI regulations (for companies with ECBs or FDI) belong in scope. A compliance gap discovered by a regulator costs multiples of what an internal review would have cost to catch and fix.

IT General Controls and Cybersecurity

With the Digital Personal Data Protection Act, 2023 operational and RBI's IT governance frameworks extending to NBFCs and payment aggregators, IT audit is not optional. User access management, change management discipline, backup and recovery testing and application-level controls should be reviewed at least annually.

ESG and Sustainability Data

For companies in the top 1,000 by market capitalisation filing SEBI's Business Responsibility and Sustainability Report (BRSR), internal audit is increasingly asked to provide assurance on sustainability metrics: Scope 1 and Scope 2 emissions, water consumption, supply chain due diligence. This is still early-stage in India but growing fast, and early investment in BRSR data governance pays dividends when assurance requirements tighten.

Fraud Risk Assessment

The Companies Act requires auditors to report frauds above prescribed thresholds to the Central Government via Form ADT-4. Internal audit should run a formal fraud risk assessment as part of annual planning, not wait for a whistleblower complaint to trigger a reactive forensic review.


Internal Financial Controls (IFC) Testing: A Seven-Step Process

IFC testing is the most technically demanding part of internal audit and the area most frequently done superficially. Here is a repeatable sequence:

  1. Identify financial reporting risks: For each significant account balance and transaction class (revenue, inventory, fixed assets, borrowings, payroll), identify what could go materially wrong. This maps to the Risk of Material Misstatement framework.
  2. Map controls to risks: Document the control or controls that mitigate each identified risk: automated ERP controls, manual approvals, reconciliations, system access restrictions, exception reports.
  3. Assess control design effectiveness: Before testing operation, determine whether the control, if it operates as designed, would actually prevent or detect the risk. A poorly designed control cannot be remediated by frequency of operation. Design gaps must be reported even if you find no operating exceptions.
  4. Test operating effectiveness: Select a statistically defensible sample. ICAI guidance recommends 25 to 60 items depending on control frequency (daily, weekly, monthly) and risk level. For high-frequency automated controls, a smaller sample combined with evidence of robust IT general controls can be sufficient.
  5. Document exceptions and rate severity: Classify exceptions as: control deficiency (minor gap with low financial exposure), significant deficiency (warrants Audit Committee attention), or material weakness (the control does not prevent or detect a material misstatement and must be disclosed in the Directors' Report and flagged to the statutory auditor).
  6. Issue findings with management response: Every significant finding requires a risk rating, root cause analysis, estimated financial exposure, and a time-bound management commitment. Vague responses such as "will be reviewed" should not be accepted as closure.
  7. Follow up and verify remediation: Findings close when the internal auditor has verified evidence of remediation, not when management declares the issue fixed.

Worked Example: Catching a Revenue Control Failure

Setting: A private limited company with Rs. 285 crore turnover and Rs. 115 crore in bank borrowings, so internal audit is mandatory under Section 138. Three manufacturing plants running SAP. FY 2026-27 Q1 internal audit covers the order-to-cash cycle.

Risk under review: Revenue recognised before goods are dispatched (invoice posted before a confirmed Goods Issue document exists in the system).

Control in place: SAP is configured to require a Goods Issue (GI) posting before an outbound billing document can be created. A manual override exists with CFO approval.

Sample tested: 60 invoices from April–June 2026, filtered to show all cases where the invoice date preceded the GI date.

Exceptions found: 4 invoices totalling Rs. 41.3 lakhs were raised before GI. Three had CFO approvals on file: the control was operating and the exceptions were authorised. One invoice for Rs. 11.6 lakhs had no approval: a plant accountant had used a manual SAP workaround to bypass the workflow.

Finding rated: Significant deficiency. Not a material weakness (isolated, not systemic), but the manual override capability without IT-level user restrictions is a design gap.

Financial impact: Rs. 11.6 lakhs of revenue recognised 9 days early. GST liability accelerated. If this occurred systematically across the year, potential revenue timing distortion of Rs. 55–65 lakhs and corresponding GST liability mismatch.

Management commitment: IT team to remove manual override capability from the plant accountant's user role and restrict GI bypasses to a dedicated exception workflow requiring the CFO's SAP user ID with a system audit log. Completion deadline: 45 days. Internal auditor to verify by testing in Q2.

Audit Committee reporting: Finding included in Q1 dashboard with risk rating (Significant), Rs. impact estimate, root cause (IT access design gap, not fraud), and 45-day remediation timeline.

This level of specificity is what makes internal audit reports actionable. A finding that concludes "revenue recognition controls are broadly adequate" gives the Audit Committee nothing to act on.
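The invoice-versus-Goods-Issue test from this worked example, run over the full population rather than a sample, as an added Python illustration (not code from the article and not part of any SAP module). It assumes an ERP extract with the columns shown (doc_no, plant, amount, invoice_date, gi_date), a separate override-approval log keyed by billing document number, and an illustrative materiality threshold for the severity rating; the sample records are constructed.

```python
from datetime import date
from typing import NamedTuple


class Invoice(NamedTuple):
    doc_no: str
    plant: str
    amount: int        # rupees
    invoice_date: date
    gi_date: date      # Goods Issue posting date


# Constructed extract of billing documents joined to their Goods Issue postings.
# Sample data, not figures from the article; column names are assumptions.
INVOICES = [
    Invoice("90001001", "P1", 1_240_000, date(2026, 4, 3), date(2026, 4, 3)),
    Invoice("90001002", "P1", 980_000, date(2026, 4, 9), date(2026, 4, 11)),
    Invoice("90001003", "P2", 760_000, date(2026, 5, 2), date(2026, 5, 1)),
    Invoice("90001004", "P2", 1_160_000, date(2026, 5, 20), date(2026, 5, 29)),
    Invoice("90001005", "P3", 455_000, date(2026, 6, 14), date(2026, 6, 14)),
    Invoice("90001006", "P3", 2_010_000, date(2026, 6, 21), date(2026, 6, 23)),
]

# Constructed override log: billing document -> approving user id.
OVERRIDE_APPROVALS = {"90001002": "CFO01", "90001006": "CFO01"}

# Illustrative materiality threshold used for the rating (an assumption, Rs. 50 lakh).
MATERIALITY = 5_000_000


def find_pre_gi_invoices(invoices):
    """Full-population test: every invoice posted before its Goods Issue."""
    return [inv for inv in invoices if inv.invoice_date < inv.gi_date]


def classify_exceptions(invoices, approvals):
    """Split pre-GI invoices into authorised overrides and unapproved bypasses."""
    authorised, unapproved = [], []
    for inv in find_pre_gi_invoices(invoices):
        (authorised if inv.doc_no in approvals else unapproved).append(inv)
    return authorised, unapproved


def days_early(inv):
    """How many days revenue was recognised ahead of dispatch."""
    return (inv.gi_date - inv.invoice_date).days


def rate_finding(unapproved, materiality=MATERIALITY):
    """Map unapproved exceptions onto the severity scale used in the article.
    The cut-offs are illustrative: no unapproved bypass means the control
    operated; exposure at or above materiality is rated a material weakness;
    anything in between is a significant deficiency."""
    exposure = sum(inv.amount for inv in unapproved)
    if not unapproved:
        rating = "control operating effectively"
    elif exposure >= materiality:
        rating = "material weakness"
    else:
        rating = "significant deficiency"
    return rating, exposure


def finding_summary(invoices, approvals, materiality=MATERIALITY):
    """The numbers an Audit Committee dashboard line needs for this finding."""
    authorised, unapproved = classify_exceptions(invoices, approvals)
    rating, exposure = rate_finding(unapproved, materiality)
    return {
        "population": len(invoices),
        "pre_gi": len(authorised) + len(unapproved),
        "authorised": len(authorised),
        "unapproved_docs": [inv.doc_no for inv in unapproved],
        "max_days_early": max((days_early(i) for i in unapproved), default=0),
        "exposure_rs": exposure,
        "rating": rating,
    }


if __name__ == "__main__":
    for key, value in finding_summary(INVOICES, OVERRIDE_APPROVALS).items():
        print(f"{key}: {value}")
```

The approval log is matched by document number, so an override that exists only as an e-mail or a verbal instruction is reported as an unapproved bypass; that is deliberate, since the control the article describes is the system workflow, not the intent behind it.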


The Audit Committee's Role Under Section 177

The Audit Committee is not a passive recipient of internal audit reports. Section 177 of the Companies Act, read with SEBI's Listing Obligations and Disclosure Requirements (LODR) Regulations, 2015, gives the committee explicit powers and responsibilities in relation to internal audit.

The committee's core obligations:

  • Approve the annual internal audit plan: scope, risk priorities, budget and resourcing. The committee should push back if the plan avoids high-risk areas or concentrates entirely on low-risk, easily auditable processes.
  • Review internal audit reports: for listed companies, this should occur at least quarterly, with sufficient depth that the committee understands remediation status and not just findings.
  • Ensure auditor independence: the internal auditor must have direct access to the Audit Committee chair without management filtering the communication or sanitising findings.
  • Monitor open issues by ageing: a finding open for more than 180 days without closure is a governance failure that the committee should formally escalate to the Board.
  • Conduct in-camera sessions: SEBI best practice and ICAI's Standards on Internal Audit recommend periodic sessions where the Audit Committee meets the internal auditor without CFO or CEO present. These sessions consistently surface issues that would otherwise be managed away before they reach the committee.

SEBI's LODR Regulation 18 requires the Audit Committee to review the adequacy of the internal audit function including its structure and staffing. For listed companies, cybersecurity findings, RPT compliance and BRSR data integrity have become standard standing agenda items in FY 2026-27.


Risk-Based Internal Audit Planning: Moving from Calendar to Risk Universe

The shift from a calendar-based plan (audit every department once a year) to a risk-based plan is the single highest-value improvement most internal audit functions can make. Here is how to execute it:

Step 1. Build the risk universe: List every significant process, business unit and location. Assign an inherent risk score of 1 to 5 based on financial materiality, regulatory complexity, volume of transactions, past findings and management quality.

Step 2. Assess residual risk: After accounting for the strength of existing controls, what risk remains? Processes with weak or untested controls and high inherent risk get the most audit attention.

Step 3. Prioritise and allocate: Assign audit days in proportion to residual risk scores. A treasury function managing Rs. 400 crore of borrowings and inter-company placements with manual reconciliations gets more days than a stable, ERP-automated payroll for 80 staff.

Step 4. Get Audit Committee sign-off on the plan: Present the plan with risk rationale. If management argues strongly against auditing a specific area, treat that resistance as information worth noting.

Step 5. Reserve capacity for unplanned reviews: Hold back 15-20% of annual audit days for responsive work: fraud alerts, regulatory changes, acquisitions or any new business model. Fixed annual plans that leave no room for the unexpected are not risk-based; they are scheduled.

For FY 2026-27, every risk-based plan should include at least one dedicated review of: GST input tax credit reconciliation and GSTR-9C accuracy; cybersecurity and DPDP Act data protection controls; related party transactions following SEBI's tightened RPT approval thresholds; and, for BRSR filers, sustainability data governance.


Common Mistakes That Undermine Internal Audit, and How to Fix Them

Mistake 1: Auditing around sensitive areas

Plans that never reach the promoter group's transactions, the CEO's travel expenses or the top-10 distributor relationships are not independent, whatever the charter says. If management decides what gets audited, the function is captured.

Fix: The Audit Committee approves scope inclusions and exclusions. Any management-requested exclusion is documented with a rationale and disclosed to the committee in writing.

Mistake 2: Findings without financial exposure estimates

A finding labelled "control gap in vendor onboarding" without a quantified exposure gives management no urgency signal.

Fix: Every significant finding carries an estimated financial impact, even if approximate. "Exposed Rs. 18-22 lakhs of vendor payments to duplicate payment risk based on current payment volumes" forces prioritisation.

Mistake 3: No follow-up audits

Industry data consistently shows that 30-40% of management remediation commitments are not implemented within the agreed timeline. Without structured follow-up, internal audit is a paper exercise.

Fix: Build follow-up reviews into the annual plan as a standing 10-15% allocation. Track open issues in a live tracker shared with the Audit Committee, showing ageing by finding.

Mistake 4: Statistically indefensible samples

Testing 5-8 transactions from a population of 40,000 and concluding the control is effective is not audit evidence. It is a formality.

Fix: Use analytics to test the full population and flag exceptions. Investigate the flagged items. This is more defensible, often faster when automated, and catches issues that sampling never would.

Mistake 5: Internal auditor reports only to CFO

When the internal auditor's budget, scope and findings all flow through the CFO, the function is structurally compromised regardless of individual integrity. A CFO with control weaknesses in their own domain will not commission aggressive testing.

Fix: Dual reporting, functionally to the Audit Committee (scope, findings, plan, independence) and administratively to the CFO or CEO (logistics, access, scheduling). This structure is recommended by ICAI's Standards on Internal Audit and SEBI guidance.

Mistake 6: Fraud risk treated as reactive

Waiting for a whistleblower complaint before thinking about fraud is a strategy that consistently fails. Frauds in Indian companies run on average for 18-24 months before detection.

Fix: Annual fraud risk assessment workshop mapping fraud risks to processes, followed by targeted analytics embedded in the quarterly audit plan.


Building a Data-Driven Internal Audit Function Without a Large Budget

You do not need an enterprise analytics platform to move toward data-driven auditing. Here is a practical progression:

Start with ERP exports: Most ERPs (SAP, Oracle, Microsoft Dynamics, Tally) can export journal entry data, vendor master records and payment data to Excel or CSV. A basic duplicate payment test (match on vendor + amount + approximate date, allowing for a 3-day window) can be run in Excel in under two hours and catches a significant share of common payment errors and frauds.
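The duplicate-payment test just described, as an added Python example rather than code from the article or any ERP vendor: it assumes a payment register exported to CSV with the columns shown, matches on vendor plus amount within the article's 3-day window, and runs on constructed sample rows. It goes one step beyond the paragraph by grouping on the normalised vendor name instead of the vendor id, so a supplier that was set up twice in the vendor master is also caught.

```python
import csv
from datetime import date
from io import StringIO
from itertools import groupby

# Constructed payment register in the shape of an ERP CSV export.
# Sample data, not from the article; the column names are an assumption.
# V101 is a second vendor master record for the same supplier as V100.
PAYMENTS_CSV = """doc_no,vendor_id,vendor_name,amount,payment_date
5001,V100,Acme Packaging,250000.00,2026-04-02
5002,V100,Acme Packaging,250000.00,2026-04-04
5003,V215,Bharat Freight,98500.00,2026-04-06
5004,V215,Bharat Freight,98500.00,2026-04-21
5005,V101,ACME  PACKAGING ,250000.00,2026-04-05
5006,V330,Delta Tools,42000.00,2026-05-01
5007,V330,Delta Tools,42000.00,2026-05-01
5008,V410,Eon Chemicals,175300.00,2026-05-10
"""

WINDOW_DAYS = 3  # the approximate-date window from the article


def normalise_name(name):
    """Collapse whitespace and case so duplicate vendor masters line up."""
    return " ".join(name.split()).upper()


def load_payments(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "doc_no": r["doc_no"],
            "vendor_id": r["vendor_id"],
            "vendor_name": normalise_name(r["vendor_name"]),
            "amount": round(float(r["amount"]), 2),
            "payment_date": date.fromisoformat(r["payment_date"]),
        })
    return rows


def find_duplicate_payments(payments, window_days=WINDOW_DAYS):
    """Return (earlier_doc, later_doc) pairs with the same normalised vendor
    name and amount, paid within window_days of each other."""
    group_key = lambda p: (p["vendor_name"], p["amount"])
    ordered = sorted(payments, key=lambda p: (group_key(p), p["payment_date"]))
    pairs = []
    for _, group in groupby(ordered, key=group_key):
        group = list(group)
        for i, first in enumerate(group):
            for later in group[i + 1:]:
                if (later["payment_date"] - first["payment_date"]).days <= window_days:
                    pairs.append((first["doc_no"], later["doc_no"]))
                else:
                    break  # dates are sorted, so the remaining rows are further apart
    return pairs


def duplicate_exposure(payments, pairs):
    """Amount potentially paid twice: each later document counted once."""
    by_doc = {p["doc_no"]: p["amount"] for p in payments}
    return sum(by_doc[doc] for doc in {later for _, later in pairs})


if __name__ == "__main__":
    pays = load_payments(PAYMENTS_CSV)
    flagged = find_duplicate_payments(pays)
    for earlier, later in flagged:
        print(f"possible duplicate: {earlier} -> {later}")
    print("exposure Rs.", duplicate_exposure(pays, flagged))
```

Every flagged pair is a lead, not a conclusion; the exposure figure is what goes into the finding once the pairs have been traced to the underlying invoices and bank statements.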

Add dedicated analytics tools: ACL Analytics (now Galvanize/Diligent), IDEA or open-source Python with pandas allow full-population stratification, gap testing on invoice number sequences, Benford's Law analysis on payment amounts, and trend comparisons across periods. Annual licences for IDEA or ACL start at approximately Rs. 1.5 to 2.5 lakhs, typically recoverable from a single duplicate payment or billing error catch.

Deploy continuous controls monitoring: CCM sets automated tests running on a daily or weekly basis: segregation of duties violations, invoices approved by the same person who created the vendor, payments above authorisation thresholds without required approval. Exceptions are flagged to the auditor in near real-time, shifting the function from periodic review to ongoing assurance.

Report visually to the Audit Committee: A single-page quarterly dashboard showing open findings by ageing bracket (0-30 days, 31-90 days, 90+ days), risk rating distribution, and quarter-on-quarter remediation rate transforms the committee meeting from a recitation of findings to a governance conversation.


Fraud Prevention: Obligations and Practical Steps in 2026

Section 143(12) of the Companies Act requires any auditor (and the provision has been interpreted broadly to include internal auditors where they encounter evidence) to report suspected or confirmed fraud above Rs. 1 crore to the Central Government via Form ADT-4 filed with the MCA. Fraud below that threshold is reported to the Audit Committee and the Board. Failure to report carries personal liability.

Beyond the reporting obligation, proactive fraud prevention embeds specific analytics in the audit plan:

  • Payroll analytics: Ghost employees (payroll names absent from HR records), duplicate PF/UAN numbers, payments continuing to resigned employees beyond the exit date.
  • Vendor analytics: Vendors sharing bank account numbers with employees, vendors whose registration date post-dates the purchase order, round-number invoices that cluster just below approval thresholds (Benford's Law flags these reliably).
  • Expense and reimbursement analytics: Claims dated on weekends or holidays, amounts just below the receipt-required threshold, duplicate receipts submitted across different periods or by different claimants.
  • Revenue analytics: Large credit notes raised in the 15-day window after period close, discounts approved without documented commercial rationale, consignment returns credited without physical stock verification.

Rotating these analytics across different process areas each quarter creates genuine deterrence. Employees aware that payments, payroll and expenses are systematically tested, not sampled, change behaviour.
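The payroll and vendor analytics listed above, as an added Python example (not code from the article): it assumes the field layouts shown and runs on constructed sample extracts. Benford's Law is applied as a leading-digit distribution test whose mean-absolute-deviation cut-off is a tuning parameter, and the clustering of round amounts just below an approval limit is implemented as its own check next to it; the bank-account match normalises account strings before comparing, and the payroll check covers both ghost employees and payments after the exit date.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample extracts, not data from the article. Field names and
# values are assumptions made for this example.
PAYMENT_AMOUNTS = [48_000, 49_500, 49_000, 12_345, 3_210, 49_900, 7_800, 48_500, 125_000, 49_000]
EMPLOYEE_BANK = {"E101": "HDFC0001234 0005678", "E102": "ICIC0009876-1122", "E103": "SBIN0000111 9988"}
VENDOR_BANK = {"V100": "HDFC0001234-0005678", "V215": "UTIB0004455 7766", "V330": "ICIC0009876 1122"}
HR_MASTER = {"E101": None, "E102": date(2026, 3, 31), "E103": None}  # employee -> exit date (None = active)
PAYROLL_RUN = [("E101", date(2026, 4, 30)), ("E102", date(2026, 4, 30)), ("E104", date(2026, 4, 30))]

# Benford's Law: expected share of each leading digit, P(d) = log10(1 + 1/d)
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading significant digit of an amount; None for zero."""
    return int(f"{abs(float(amount)):e}"[0]) or None


def benford_first_digit(amounts, mad_cutoff=0.015):
    """Compare the observed leading-digit distribution with Benford's Law.
    mad_cutoff is the first-digit mean absolute deviation commonly cited
    (Nigrini) as nonconformity; treat it as a tuning parameter, not a verdict."""
    digits = [d for d in map(first_digit, amounts) if d]
    if not digits:
        return None
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / len(digits) for d in range(1, 10)}
    deviation = {d: observed[d] - BENFORD_EXPECTED[d] for d in range(1, 10)}
    mad = sum(abs(v) for v in deviation.values()) / 9
    return {"mad": mad, "nonconforming": mad > mad_cutoff,
            "top_excess_digit": max(deviation, key=deviation.get)}


def below_threshold_cluster(amounts, threshold, band=0.05, round_to=500):
    """Round-number amounts sitting within `band` just below an approval limit."""
    floor = threshold * (1 - band)
    return [a for a in amounts if floor <= a < threshold and a % round_to == 0]


def normalise_account(acct):
    """Strip separators so 'HDFC0001234 0005678' and 'HDFC0001234-0005678' compare equal."""
    return "".join(ch for ch in acct if ch.isalnum()).upper()


def vendor_employee_bank_matches(vendor_bank, employee_bank):
    """(vendor, employee) pairs whose payments go to the same bank account."""
    employees_by_acct = {}
    for emp, acct in employee_bank.items():
        employees_by_acct.setdefault(normalise_account(acct), []).append(emp)
    return sorted((v, e) for v, acct in vendor_bank.items()
                  for e in employees_by_acct.get(normalise_account(acct), []))


def ghost_and_post_exit_payments(payroll_run, hr_master):
    """Payroll ids absent from HR, and ids paid after their recorded exit date."""
    ghosts, post_exit = [], []
    for emp, pay_date in payroll_run:
        if emp not in hr_master:
            ghosts.append(emp)
        elif hr_master[emp] is not None and pay_date > hr_master[emp]:
            post_exit.append(emp)
    return ghosts, post_exit


if __name__ == "__main__":
    print("benford:", benford_first_digit(PAYMENT_AMOUNTS))
    print("just below Rs. 50,000:", below_threshold_cluster(PAYMENT_AMOUNTS, 50_000))
    print("vendor/employee account matches:", vendor_employee_bank_matches(VENDOR_BANK, EMPLOYEE_BANK))
    print("ghosts, post-exit:", ghost_and_post_exit_payments(PAYROLL_RUN, HR_MASTER))
```

On the constructed amounts the leading digit 4 is heavily over-represented and the same five round amounts sit just under the Rs. 50,000 limit, which is the pattern each test is meant to isolate; on a real payment population the two checks are run together because either one alone produces false positives.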


Reporting Lines and Independence: The Structural Foundation

The most capable internal auditor operating under the wrong reporting structure will eventually be compromised. Independence requires hard-wired structural safeguards:

  • Functional reporting to the Audit Committee: The committee approves the charter, the annual plan, and the internal auditor's appointment and remuneration. Management cannot unilaterally restrict scope or delay findings.
  • Administrative reporting to CFO or CEO: Day-to-day logistics (system access, scheduling of auditee interviews, workspace) go through management for efficiency. This is not compromise; it is practicality.
  • In-camera sessions at least annually: The Audit Committee meets the internal auditor without management present. For listed companies, quarterly is best practice. These sessions are where the most sensitive issues surface, issues that would otherwise be managed away before they reach the committee table.
  • Whistleblower mechanism testing: The internal auditor should verify annually that the whistleblower mechanism mandated under Section 177(9) is functional, that complaints are being logged and investigated, and that confidentiality is being maintained. The mechanism itself is a control that can fail.

Key Takeaways

  • Section 138 thresholds are assessed on the previous year's audited financials: A company that crossed the private company turnover threshold of Rs. 200 crore in FY 2025-26 must appoint an internal auditor for FY 2026-27. Check all four conditions for unlisted public companies; any one triggers the requirement.
  • IFC testing is a seven-step closed loop: Design assessment and follow-up verification are the steps most frequently skipped. Skipping either one invalidates the assurance you are trying to provide.
  • The Audit Committee owns the internal audit relationship: Plan approval, scope authority, in-camera sessions and remediation monitoring belong to the committee, not to management. This is statutory under Section 177, not just best practice.
  • Risk-based planning must allocate 15-20% for unplanned reviews: A fully pre-committed annual plan cannot respond to fraud alerts, regulatory changes or acquisitions. Flexibility is not slack; it is structural readiness.
  • Full-population analytics is the 2026 standard: Testing 5-10 samples from 50,000 transactions is no longer defensible as the primary approach. Even basic ERP exports tested in Excel raise the bar significantly over manual sampling.
  • Fraud risk assessment is a formal annual deliverable: Form ADT-4 reporting obligations, personal liability for failure to report, and the 18-24 month average fraud duration in India all argue for proactive assessment rather than reactive forensic response.
  • Structural independence is non-negotiable: Dual reporting lines, committee-approved scope and in-camera sessions are the three mechanisms that protect the function from capture, and protect directors from the consequences of undetected failures.

Frequently Asked Questions

Which companies require an internal auditor in India?
Section 138 makes internal audit mandatory for every listed company, unlisted public companies meeting prescribed paid-up capital, turnover, borrowings or deposit thresholds, and private companies meeting turnover or borrowing thresholds. The Board appoints the internal auditor based on the recommendation of the Audit Committee where one exists.
Who can be appointed as an internal auditor?
An internal auditor can be a Chartered Accountant, Cost Accountant or any other professional as decided by the Board. The person can be an employee or an external firm. They should be independent of the area being audited and report functionally to the Audit Committee.
What is the difference between statutory and internal audit?
Statutory audit, under Section 139, is an external opinion on the truth and fairness of financial statements, with a fixed scope under auditing standards. Internal audit is a continuous, risk-based assurance activity for management and the Audit Committee covering controls, compliance, operations and risk well beyond the financial statements.
How often should internal audit be conducted?
There is no statutory frequency, but most companies follow a risk-based annual plan with quarterly or half-yearly cycles for key processes. High-risk areas like treasury, procurement, IT and revenue may be audited more frequently. The plan is approved by the Audit Committee and adjusted during the year as risks evolve.
Content reviewed by: Mayank Wadhera, CA | CS | CMA | Lawyer | Insolvency Professional | IBBI Valuator