In our practice, we receive the same ten questions about internal audit from nearly every client - whether they run a manufacturing unit in Pune, a SaaS company in Bengaluru, or a trading firm in Delhi. The questions are practical, not technical: 'Do I actually need this?', 'How is it different from the audit we already do?', 'What will it cost?', 'Will it help with our bank loan?'
This blog compiles the exact questions our clients ask most frequently about internal audit and provides direct CA answers - with section references, real examples, and the 2026 regulatory context. No legal jargon without explanation, no generic advice without specifics. If you have ever wondered whether your company needs internal audit, what it covers, or whether the investment is worth it, this is your guide.
What Is Internal Audit and Why Are Clients Asking About It More in 2026?
Internal audit is an independent, objective assurance function that evaluates a company's internal controls, risk management processes, operational efficiency, and compliance with laws and policies. Under Section 138 of the Companies Act, 2013, certain classes of companies must appoint an internal auditor - a CA, Cost Accountant, or Board-approved professional - to conduct this evaluation periodically.
Clients are asking more about internal audit in 2026 for three reasons: (1) the Corporate Laws (Amendment) Bill 2026 proposes further compliance relaxations for smaller companies, making business owners question which audit obligations still apply to them, (2) the Income Tax Act, 2025 (effective FY 2026-27) restructures IFC reporting requirements, and (3) investors and lenders increasingly request internal audit reports during due diligence, even from companies below the mandatory threshold. For businesses using internal audit services (know more), these trends make understanding the rules - and the strategic value - more important than ever.
The fundamental insight: internal audit is not just a compliance checkbox. It is a management tool that identifies where your company is leaking cash, where controls are weak, and where governance gaps could cost you a bank loan, a funding round, or worse - a fraud.
Key Terms You Should Know
- Section 138 (Companies Act 2013): Mandates internal audit appointment for prescribed classes of companies based on thresholds in Rule 13 of the Companies (Accounts) Rules, 2014.
- Statutory Audit (Section 143): Mandatory annual audit of financial statements for every company. Examines whether financials show a 'true and fair view.' Different purpose from internal audit.
- Tax Audit (Section 44AB, Income Tax Act): Mandatory audit of tax compliance when business turnover exceeds Rs 1 crore (Rs 10 crore with 95%+ digital transactions) or professional receipts exceed Rs 50 lakh. Separate from internal audit.
- Internal Financial Controls (IFC) - Section 134(5): Every company must establish adequate IFC. The statutory auditor reports on IFC adequacy under Section 143(3)(i). Internal audit strengthens IFC but they are not the same obligation.
- Rule 13 (Companies (Accounts) Rules 2014): Specifies thresholds: listed companies (always mandatory), unlisted public (turnover Rs 200 Cr / capital Rs 50 Cr / loans Rs 100 Cr / deposits Rs 25 Cr), private (turnover Rs 200 Cr / loans Rs 100 Cr).
- Section 144(b): Prohibits the statutory auditor from rendering internal audit services to the same company - ensures independence of both audit functions.
- Section 450 (General Penalty): Rs 10,000 initial fine + Rs 1,000 per day for continuing non-compliance. Applies when no specific penalty is prescribed - covers Section 138 default.
Who Must Conduct Internal Audit Under Section 138?
The applicability depends on company type and financial thresholds in the preceding financial year:
- All listed companies - mandatory regardless of turnover, capital, or borrowings
- Unlisted public companies - if ANY ONE of: turnover Rs 200 crore+, paid-up capital Rs 50 crore+, bank/PFI borrowings Rs 100 crore+, or deposits Rs 25 crore+ in the preceding FY
- Private limited companies - if: turnover Rs 200 crore+ OR bank/PFI borrowings Rs 100 crore+ in the preceding FY
- OPCs - only if articles specifically provide for it. Most OPCs formed through startup registration (know more) do not include this provision
- LLPs - Section 138 does not apply. LLPs are governed by the LLP Act, 2008 which has no internal audit mandate
- Sole proprietorships and partnership firms - not covered by the Companies Act; no internal audit obligation under any statute
If your company does not cross any threshold, internal audit is voluntary - but increasingly valuable. The section below explains why.
Legal Framework: What the Companies Act Actually Requires
| Requirement | What the Law Says | What It Means for Your Business |
|---|---|---|
| Who must appoint | Section 138(1): 'such class or classes of companies as may be prescribed' | Only companies meeting Rule 13 thresholds - not all companies |
| Who can be auditor | Section 138(1): CA, Cost Accountant, or Board-approved professional | Flexible - can be your employee or an external firm. NOT your statutory auditor (Section 144(b)) |
| Scope of audit | Rule 13(2): Audit Committee/Board defines scope in consultation with internal auditor | Customisable - can focus on specific areas (finance, operations, compliance, IT controls) |
| Frequency | Rule 13(2): periodicity defined by Audit Committee/Board | Flexible - quarterly, half-yearly, or annual depending on company size and risk |
| Reporting | Section 138: report to Board | Internal report - not filed with ROC. Stays within the company for management action |
| Penalty for non-compliance | Section 450: Rs 10,000 + Rs 1,000/day continuing default | Compoundable - can be settled with Regional Director/NCLT without prosecution |
| IFC vs internal audit | Section 134(5): all companies must have adequate IFC | IFC is broader (every company). Internal audit under 138 is specific (threshold companies only). Both serve governance |
The Top 10 Questions Clients Ask About Internal Audit - With CA Answers
Question 1: 'Is internal audit the same as the audit we already do?'
No. The audit you already do is the statutory audit - mandatory for all companies under Section 143, conducted by a practising CA who examines your financial statements. Internal audit is a separate function under Section 138 that evaluates your internal controls, processes, and risk management. Statutory audit looks backward (did the financials report accurately?). Internal audit looks around and forward (are controls working? where are the risks?). Your statutory auditor cannot serve as your internal auditor - Section 144(b) prohibits it. For businesses managing statutory audit (know more) alongside internal audit, both serve different but complementary purposes.
Question 2: 'My turnover is Rs 80 crore. Do I need internal audit?'
Not under Section 138 - the threshold for private companies is Rs 200 crore turnover. But check your borrowings: if you have bank or PFI loans exceeding Rs 100 crore at any point during the preceding FY, internal audit becomes mandatory even at Rs 80 crore turnover. Venture debt, term loans, working capital facilities, and overdraft limits all count.
Question 3: 'What will the internal auditor actually look at in my company?'
The scope is defined by your Audit Committee or Board in consultation with the internal auditor (Rule 13(2)). Common areas include: revenue recognition and billing accuracy, expense approval workflows and policy compliance, payroll and HR compliance (PF, ESI, TDS), inventory management and stock controls, bank reconciliations, related-party transactions, IT access controls and data security, GST return reconciliation with books, and fixed asset verification. The scope is customised to your business - a manufacturing company's audit emphasises inventory and procurement; a SaaS company's emphasises revenue recognition and subscription metrics.
Question 4: 'How often do we need internal audit - every month?'
The Companies Act does not prescribe a specific frequency - Rule 13(2) leaves it to the Audit Committee/Board. For most companies, quarterly internal audits work well: frequent enough to catch issues early, not so frequent that they disrupt operations. Large companies (Rs 500 crore+ turnover) often do monthly or continuous audits. Smaller companies at the threshold may start with half-yearly or annual audits and increase frequency as operations grow.
Question 5: 'How much does internal audit cost? Is it worth the investment?'
Cost depends on company size, complexity, number of locations, and audit scope. Typical ranges: Rs 50,000-1,50,000 per year for companies just above the threshold or doing voluntary audit; Rs 1,50,000-3,00,000 for mid-size companies; Rs 3,00,000-5,00,000+ for large companies with multiple locations and complex operations. The ROI comes from three sources: (1) penalties avoided (Rs 10,000 + Rs 1,000/day for mandatory companies), (2) fraud and leakage prevention (one caught expense fraud typically exceeds the entire audit fee), and (3) improved financial statement quality that strengthens loan applications and investor confidence.
Question 6: 'Will internal audit help us get a bank loan?'
Yes. Banks assess financial discipline and control maturity when evaluating loan applications. An internal audit report demonstrates that your company proactively monitors its finances, manages risks, and maintains accurate records. For companies applying for loans above Rs 5 crore, many banks specifically ask about internal audit practices. The statutory auditor's IFC opinion (Section 143(3)(i)) also benefits from a functioning internal audit - a clean IFC opinion strengthens your financial statement credibility with lenders.
Question 7: 'Can I appoint my accountant or employee as internal auditor?'
Yes - Rule 13 allows the internal auditor to be an employee. However, the employee should have sufficient independence from the functions being audited. An accounts team member auditing the accounts department lacks objectivity. Best practice: if using an internal employee, appoint someone from a different department (e.g., a senior compliance officer) or use an external professional. The Board can appoint a CA, Cost Accountant, or any qualified professional. Many companies prefer external firms for independence and specialised expertise.
Question 8: 'We are a small private company - does Section 138 apply?'
Only if your turnover exceeds Rs 200 crore or borrowings exceed Rs 100 crore. If you qualify as a 'small company' under Section 2(85) - paid-up capital up to Rs 4 crore AND turnover up to Rs 40 crore (enhanced 2025 thresholds) - internal audit under Section 138 is not mandatory. For businesses managing private limited company compliance (know more), check both thresholds every year against your preceding FY financials.
Question 9: 'What happens if we do not conduct internal audit even though it is mandatory?'
Under Section 450, the company and every officer in default face a fine of up to Rs 10,000, with an additional Rs 1,000 per day for continuing default. The offence is compoundable. Beyond the direct penalty, the statutory auditor may issue a qualified opinion regarding inadequate internal controls, which impacts your company's credibility with banks, investors, and regulators. Non-compliance also appears on the MCA compliance record - visible during due diligence.
Question 10: 'We want to start voluntary internal audit. Where do we begin?'
Start with a Board resolution approving the appointment and defining the initial scope. Identify 3-5 high-risk areas specific to your business (revenue, expenses, payroll, inventory, IT). Appoint an external CA or audit firm for independence. Begin with an annual audit covering these focus areas. After the first cycle, expand scope and increase frequency based on findings. Budget Rs 50,000-1,00,000 for the first year. The first audit typically reveals 10-20 actionable improvements - some of which save more than the audit cost in the first quarter.
Documents Your Internal Auditor Will Request
- General ledger and trial balance for the audit period
- Bank statements and bank reconciliation statements - all accounts
- Sales invoices, purchase invoices, and supporting contracts
- Expense vouchers with approval chains and supporting bills
- Payroll register, TDS challans, PF/ESI payment receipts
- Fixed asset register with depreciation schedules
- Inventory records and stock statements (for manufacturing/trading)
- GST returns (GSTR-1, GSTR-3B) - for revenue reconciliation
- Related-party transaction register with Board approvals
- Previous statutory audit report and management letter
- Board minutes and Audit Committee minutes
- IT access control logs and user management records (for tech companies)
Internal Audit Costs: What Businesses Should Expect
| Company Profile | Typical Scope | Annual Cost Range |
|---|---|---|
| Small private company (voluntary audit) | Focused - 3-5 risk areas, annual frequency | Rs 50,000-1,50,000 |
| Mid-size company (Rs 200-500 Cr turnover) | Comprehensive - quarterly audits, multiple departments | Rs 1,50,000-3,00,000 |
| Large company (Rs 500 Cr+ turnover) | Full scope - quarterly/monthly, multi-location | Rs 3,00,000-5,00,000+ |
| Listed company (SEBI LODR) | Continuous - monthly audits, risk-based, Audit Committee reporting | Rs 5,00,000-15,00,000+ |
| Startup (pre-funding voluntary) | Focused - controls framework, process documentation | Rs 30,000-75,000 |
Note: Cost varies by number of locations, industry complexity, and whether the auditor is in-house or external. External firms charge higher fees but bring independence and specialised expertise. In-house auditors are cost-effective for ongoing monitoring but may lack objectivity for sensitive areas.
Common Misconceptions About Internal Audit
Misconception 1: 'Internal audit is just another compliance cost.' Internal audit is an investment, not an expense. A well-scoped audit identifies cash leakages (vendor overcharges, duplicate payments, policy violations), strengthens controls that prevent fraud, and improves financial reporting accuracy. The findings from one quarter's audit often save more than the entire year's audit fee. Companies that treat internal audit as compliance-only miss its management value.
Misconception 2: 'My statutory audit already covers internal controls.' The statutory audit under Section 143 examines financial statements and reports on IFC adequacy. It does not evaluate operational processes, vendor management, HR compliance, or IT controls in depth. Internal audit covers the full operational spectrum - not just financials. The statutory auditor relies on the existence of a functioning internal audit to support their IFC opinion. Without internal audit, the statutory auditor's work is more difficult and the IFC opinion may be qualified.
Misconception 3: 'Internal audit is only for large companies.' Mandatory internal audit has thresholds (Rs 200 Cr turnover / Rs 100 Cr borrowings). But voluntary internal audit is valuable at any size. SMEs with Rs 10-50 crore turnover that conduct internal audit demonstrate governance maturity that banks and investors reward. Even a focused Rs 50,000 annual audit covering 3-5 risk areas provides actionable insights. The misconception that 'we are too small' often translates to 'we have too little control' - which is exactly why audit helps.
Misconception 4: 'The internal auditor will disrupt our operations.' A professional internal auditor works with management, not against it. The audit scope, timing, and document requirements are agreed in advance. Most audits require 3-5 working days per quarter of on-site time. The disruption is minimal compared to the disruption caused by undetected fraud, regulatory notices, or failed bank loan applications due to weak controls. For businesses maintaining tax audit (know more) compliance alongside internal audit, scheduling both audits in the compliance calendar prevents overlap.
Misconception 5: 'We can handle controls ourselves - we don't need an outsider.' Internal controls designed and monitored by the same team that executes transactions lack independence. The person approving expenses should not be the person auditing them. Section 138 requires the internal auditor to be independent of the functions being audited - this is the core principle. Even if you appoint an employee, they must audit areas outside their regular responsibility to maintain objectivity.
Penalties for Not Conducting Mandatory Internal Audit
Under Section 450 of the Companies Act, 2013, if a company fails to comply with Section 138 (appoint internal auditor, conduct internal audit), the company and every officer in default face a fine of up to Rs 10,000. If non-compliance continues, an additional Rs 1,000 per day applies for each day of continuing default.
This penalty is compoundable under Section 441 - the company can approach the Regional Director or NCLT to settle the penalty without criminal prosecution. However, compounding requires payment of the full penalty plus compounding fees.
Beyond direct penalties, non-compliance creates indirect consequences: the statutory auditor may report inadequate IFC under Section 143(3)(i), creating a qualified opinion that weakens financial statement credibility. Banks may refuse or delay loans. Investors may flag it in due diligence. The ROC compliance record shows the default - visible in any future compliance check.
The Corporate Laws (Amendment) Bill 2026, introduced in Lok Sabha on 24 March 2026, proposes further decriminalisation of procedural offences - but the internal audit obligation under Section 138 remains substantive, not procedural, and is unlikely to be relaxed.
How Internal Audit Connects with Statutory Audit, Tax Audit, and Governance
The three audits form a governance triad. Statutory audit (know more) confirms financial accuracy. Tax audit (know more) confirms tax compliance. Internal audit confirms operational control maturity. Each serves a different stakeholder: statutory audit serves shareholders and ROC, tax audit serves the Income Tax Department, and internal audit serves the Board and management.
The statutory auditor, when reporting on IFC adequacy under Section 143(3)(i), relies on the existence and quality of the internal audit function. A company with a robust internal audit process makes the statutory auditor's work easier, leading to cleaner opinions and faster audit completion. Without internal audit, the statutory auditor must perform additional procedures to assess controls, increasing both audit time and fees.
For tax compliance, internal audit catches issues that create tax risks - revenue timing errors, disallowed expenses, TDS non-deductions, GST input credit mismatches. These are not visible in the statutory audit (which focuses on financial statements) or the tax audit (which focuses on specific tax provisions). Internal audit fills the gap between what the other two audits examine, creating a comprehensive assurance framework.
Internal Audit: When It Is Mandatory vs When It Is Worth Doing Voluntarily
| Criterion | Mandatory (Above Threshold) | Worth Doing Voluntarily |
|---|---|---|
| Legal trigger | Section 138 thresholds crossed | No legal trigger - Board decision |
| Typical company | Rs 200 Cr+ turnover or Rs 100 Cr+ borrowings | Rs 10-200 Cr turnover; growing fast; seeking funding |
| Primary driver | Compliance - avoid penalties | Strategic - governance, investor confidence, risk management |
| Scope | Full functional coverage required | Focused - 3-5 high-risk areas initially |
| Frequency | Quarterly to monthly (Board-defined) | Annual to half-yearly initially |
| Cost | Rs 1.5-5 lakh+/year | Rs 50,000-1.5 lakh/year |
| ROI source | Penalty avoidance + control improvement | Investor confidence + process efficiency + fraud prevention + cleaner statutory audit |
| Investor perception | Expected compliance - not a differentiator | Positive governance signal - differentiator in due diligence |
Key Takeaways
Internal audit under Section 138 is mandatory only for listed companies and companies crossing prescribed thresholds (Rs 200 crore turnover or Rs 100 crore borrowings for private companies). Most SMEs and startups are legally exempt but increasingly benefit from voluntary audit.
Internal audit is fundamentally different from statutory audit and tax audit. Statutory audit verifies financial statements. Tax audit verifies tax compliance. Internal audit evaluates operational controls, risk management, and governance processes. The statutory auditor cannot serve as internal auditor (Section 144(b)).
The top client question is always 'Do I actually need this?' - and the honest CA answer is: if you are above the threshold, yes (legally required). If you are below the threshold but growing, seeking funding, or handling sensitive operations, yes (strategically valuable). The cost of a focused voluntary audit (Rs 50,000-1,00,000) is a fraction of the value it creates.
Penalties for non-compliance are Rs 10,000 plus Rs 1,000 per day of continuing default under Section 450 - modest in isolation but compounded by qualified statutory audit opinions, weaker bank loan applications, and investor due diligence failures.
The 2026 regulatory landscape (Corporate Laws Amendment Bill, Income Tax Act 2025 IFC reporting, DPIIT startup notification) is evolving toward more transparency and governance - making internal audit more relevant, not less, for Indian businesses of all sizes.
Need Help with Internal Audit?
Whether your company has crossed the Section 138 threshold or is considering voluntary internal audit for governance and investor readiness, the scope, frequency, and reporting must be tailored to your business model, industry, and risk profile.
Explore our internal audit services (know more) for comprehensive audit solutions - from risk assessment and control framework design to periodic audit execution and Board-ready reporting.
For queries, reach out at +91 945 945 6700 or WhatsApp us directly.
