Gurugram houses over 250 Fortune 500 companies across Cyber City, DLF Cyber Hub, Golf Course Road, and Udyog Vihar. From Maruti Suzuki's manufacturing hub in Manesar to the fintech startups lining Sohna Road, the city's corporate density makes internal audit not just a legal requirement but a governance necessity.
If your Gurugram-based company has crossed Rs 200 crore in turnover, borrowed more than Rs 100 crore from banks, or is listed on NSE/BSE - Section 138 of the Companies Act 2013 mandates an internal audit. For the hundreds of MNC subsidiaries operating in Gurugram NCR, global parent companies often require internal audit standards exceeding Indian statutory minimums - aligning with IIA Global Standards and SOX-equivalent controls.
This guide covers the complete internal audit process for Gurugram companies - from applicability assessment and auditor appointment to fieldwork, reporting, costs, and penalties - with NCR-specific context and cost benchmarks.
What Is Internal Audit and Why Does It Matter for Gurugram Companies?
Internal audit is an independent, objective assurance activity under Section 138 of the Companies Act 2013 that evaluates the effectiveness of a company's risk management, internal controls, and governance processes. Unlike a statutory audit - which verifies financial statements for shareholders - internal audit focuses on operational improvement, fraud prevention, and compliance for management and the Audit Committee.
For Gurugram's corporate ecosystem, internal audit carries amplified significance. The city's concentration of listed companies (many headquartered on Golf Course Road and Cyber City), auto ancillary units in Manesar IMT, and IT/ITES companies in Udyog Vihar means that a large proportion of Gurugram businesses cross the Section 138 thresholds. MNC subsidiaries often face dual requirements - Indian statutory internal audit under Section 138 AND group-level internal audit aligned with global standards (SOX, IIA, COSO).
In 2026, internal audit priorities for Gurugram companies include cybersecurity controls (critical for IT/ITES), ESG assurance (for listed companies under SEBI BRSR framework), AI governance (for companies deploying AI in customer-facing applications), and related party transaction monitoring (for MNC subsidiaries with intercompany dealings).
Key Terms You Should Know
- Section 138: Companies Act provision mandating internal audit for specified companies. Read with Rule 13 of Companies (Accounts) Rules 2014.
- Audit Committee (Section 177): Board committee overseeing internal audit scope, findings, and follow-up. Mandatory for listed and prescribed companies. Minimum 3 directors, majority independent.
- Risk-Based Internal Audit (RBIA): Audit planning driven by organisational risks rather than fixed checklists. Recommended by ICAI SIA and IIA Global Standards. Essential for Gurugram's complex corporate structures.
- SEBI LODR: Listing Obligations and Disclosure Requirements Regulations 2015. Impose additional internal audit and audit committee requirements on listed companies beyond the Companies Act.
- Section 144(b): Prohibits the statutory auditor from providing internal audit services to the same company - ensuring independence of both functions.
- COSO Framework: Committee of Sponsoring Organizations framework for internal controls - widely adopted by MNCs in Gurugram. Complements ICAI Standards on Internal Audit.
- RoC NCT Delhi & Haryana: Registrar of Companies covering Gurugram. All MCA filings including auditor appointment forms are processed through this office.
Which Gurugram Companies Must Conduct Internal Audit Under Section 138?
Under Section 138 read with Rule 13, the following Gurugram companies must appoint an internal auditor. Note that tax audit under Section 44AB is a separate requirement - both may apply simultaneously:
- All listed companies - Gurugram houses 40+ NSE/BSE-listed corporate headquarters including major auto, IT, and financial services companies
- Unlisted public companies with paid-up share capital of Rs 50 crore or more during the preceding FY
- Unlisted public companies with turnover of Rs 200 crore or more during the preceding FY
- Unlisted public companies with outstanding loans/borrowings exceeding Rs 100 crore at any point during the preceding FY
- Unlisted public companies with outstanding deposits of Rs 25 crore or more at any point during the preceding FY
- Private companies with turnover of Rs 200 crore or more - many Gurugram MNC subsidiaries cross this threshold
- Private companies with outstanding loans/borrowings exceeding Rs 100 crore from banks or PFIs
Gurugram context: Many MNC subsidiaries (wholly-owned Pvt Ltd companies of global corporations) operate with turnover well above Rs 200 crore. Even those below the threshold often conduct internal audit voluntarily to comply with group audit requirements and to prepare for statutory audit. Companies along the Manesar auto belt and Udyog Vihar industrial zones frequently cross the Rs 100 crore borrowing threshold due to working capital facilities.
Legal Framework: Internal Audit vs Statutory Audit vs Tax Audit
| Parameter | Internal Audit | Statutory Audit | Tax Audit |
|---|---|---|---|
| Governing Section | Section 138, Companies Act | Section 143, Companies Act | Section 44AB, Income Tax Act |
| Purpose | Evaluate controls, risk, governance for management | Verify financial statements for shareholders | Verify income computation for IT Department |
| Reports To | Audit Committee / Board | Shareholders (via AGM) | Income Tax Department |
| Frequency | Quarterly / semi-annual / annual | Annual (mandatory) | Annual (if turnover exceeds threshold) |
| Who Conducts | CA, CMA, CIA, or employee | External CA (statutory auditor) | CA only (tax auditor) |
| Government Fee | None - professional fees only | None - professional fees only | None - professional fees only |
| Gurugram Cost Range | Rs 2-50 lakh+ annually | Rs 50,000-10 lakh+ annually | Rs 15,000-2 lakh annually |
Key restriction: Under Section 144(b), the same firm CANNOT serve as both statutory auditor and internal auditor. For Gurugram MNC subsidiaries, this means the Big 4 firm handling the statutory audit cannot also provide internal audit services - a separate engagement with a different firm is required.
How to Set Up Internal Audit in Gurugram: Step-by-Step Process
1. Assess applicability and scope. Review your company's preceding FY financial data - turnover, paid-up capital, borrowings, deposits. If any threshold is crossed, internal audit is mandatory. For Gurugram MNC subsidiaries, also review group-level internal audit requirements that may exceed Indian statutory minimums. For companies setting up through private limited company registration, plan internal audit from the first year the threshold is triggered.
2. Appoint the Internal Auditor. The Board appoints the internal auditor (CA, CMA, CIA, or qualified employee) based on Audit Committee recommendation. Document the appointment in a Board Resolution. The auditor must NOT be the company's statutory auditor (Section 144(b)). In Gurugram, many companies engage mid-tier CA firms or specialised internal audit firms - Big 4 firms are typically engaged by listed companies and large MNCs.
3. Define audit scope with the Audit Committee. Under Rule 13, the Audit Committee (or Board, where no committee exists) determines the scope, functioning, periodicity, and methodology. For Gurugram companies, typical scope includes financial controls, procurement and vendor management, IT general controls, compliance with GST and TDS, HR and payroll controls, related party transactions, and inventory management.
4. Prepare a risk-based annual audit plan. Identify key risk areas, prioritise auditable units, allocate resources, and set timelines. The plan should cover all significant business processes over a 12-month cycle. High-risk areas (revenue recognition, procurement fraud, IT security) are audited every quarter; medium-risk areas semi-annually; low-risk areas annually.
5. Execute fieldwork - testing and evidence gathering. The audit team reviews policies, SOPs, transaction records, and previous audit reports. They conduct control testing, compliance testing, and substantive testing. For Gurugram's auto ancillary units, this includes production records, quality control documentation, and OEM compliance. For IT companies, it includes access control reviews, change management logs, and data privacy assessments.
6. Report findings to the Audit Committee. Prepare a comprehensive report with executive summary, detailed findings (observation, root cause, risk rating, impact, recommendation), management responses, and implementation timelines. Present to the Audit Committee quarterly (listed companies) or as per the agreed schedule. The Committee tracks follow-up on previous recommendations.
Documents Required for Internal Audit in Gurugram
- Board Resolution appointing the internal auditor
- Engagement letter specifying scope, objectives, timelines, fees, and reporting structure
- Annual audit plan approved by the Audit Committee / Board
- Organisation chart, policy manuals, and Standard Operating Procedures (SOPs)
- Financial statements - trial balance, P&L, balance sheet (current and prior year)
- Bank statements and reconciliation statements for all accounts
- Sales and purchase registers with supporting invoices and GRNs
- GST returns (GSTR-1, GSTR-3B, GSTR-9) and GST reconciliation statements
- Payroll records - salary register, PF/ESI challans, TDS returns (Form 24Q)
- Fixed asset register and depreciation schedules (IT Act and Companies Act)
- Previous internal audit reports and management action taken reports
- Minutes of Board meetings, Audit Committee meetings, and AGM
- IT system access logs, user permissions matrix, and change management records (for IT companies)
- Related party transaction register and transfer pricing documentation (for MNC subsidiaries)
Internal Audit Fees and Timelines for Gurugram NCR Companies
| Company Type (Gurugram) | Typical Duration | Frequency | Annual Cost (Approx.) |
|---|---|---|---|
| MNC Subsidiary (Cyber City / Golf Course Rd) | Ongoing / 15-25 days per cycle | Quarterly | Rs 8-25 lakh |
| Listed Company (NSE/BSE HQ) | Continuous / 20-30 days per cycle | Quarterly (SEBI LODR) | Rs 15-50 lakh+ |
| Auto Ancillary (Manesar / IMT Sohna) | 10-15 days (includes plant visit) | Quarterly or semi-annual | Rs 4-12 lakh |
| IT / ITES (Udyog Vihar / Sohna Road) | 8-15 days (includes IT controls) | Quarterly or semi-annual | Rs 3-8 lakh |
| Mid-market Pvt Ltd (Rs 50-200 Cr turnover) | 10-20 days per cycle | Semi-annual or quarterly | Rs 3-10 lakh |
| Small Pvt Ltd - voluntary (below threshold) | 5-10 days per cycle | Annual or semi-annual | Rs 2-4 lakh |
Note: There is NO government fee for internal audit. These are purely professional engagement fees based on Gurugram NCR market rates. Gurugram costs tend to be 15-25% higher than Tier 2 cities due to the complexity of MNC operations, higher auditor qualification requirements (Big 4 alumni, CIA certified), and the depth of IT controls review expected by multinational parent companies. For listed companies, SEBI LODR mandates quarterly Audit Committee meetings with internal audit presentation - this drives higher engagement costs.
Common Mistakes Gurugram Companies Make in Internal Audit
Mistake 1: Confusing group internal audit with Indian statutory internal audit. Many Gurugram MNC subsidiaries assume that the global group audit covers the Indian requirement. Section 138 requires a separate Indian internal audit conducted by a qualified Indian professional, with a report to the Indian entity's Audit Committee. The group audit does not substitute for this. Companies managing company compliance services must maintain both streams independently.
Mistake 2: Appointing the statutory auditor firm for internal audit. Section 144(b) explicitly prohibits this. For Gurugram companies where a Big 4 firm handles the statutory audit, the internal audit must be performed by a different firm. Violating this both disqualifies the statutory audit engagement and exposes the company to penalties.
Mistake 3: Not aligning internal audit with SEBI LODR (for listed companies). Listed Gurugram companies must ensure the Audit Committee reviews internal audit findings quarterly and tracks management action. SEBI requires specific disclosures on related party transactions, whistle-blower complaints, and risk management in the Audit Committee report - internal audit is the primary input for these disclosures.
Mistake 4: Treating internal audit as a year-end compliance checkbox. Internal audit should be ongoing - quarterly fieldwork provides real-time risk identification. An annual-only approach means control failures at Manesar plants or IT access breaches in Cyber City offices go undetected for 12 months. The Audit Committee should receive quarterly reports.
Mistake 5: Not covering IT general controls for technology companies. Gurugram's IT/ITES concentration means many companies process sensitive customer data. Internal audit scope must include access controls, change management, data backup/recovery, cybersecurity incident response, and privacy compliance (DPDP Act 2023). A financial-only audit misses the company's highest risk areas.
Penalties for Non-Compliance with Internal Audit Requirements
Under Section 450 of the Companies Act 2013, failure to appoint an internal auditor when required under Section 138 attracts a penalty of Rs 10,000 on the company and every officer in default. If the contravention continues, an additional penalty of Rs 1,000 per day applies. For a Gurugram company defaulting for 6 months, the total penalty is Rs 10,000 + Rs 1,82,000 = Rs 1,92,000.
Under Section 164(2), persistent non-compliance with governance requirements can lead to director disqualification for 5 years. For Gurugram MNC subsidiaries, director disqualification creates a governance crisis - the nominee director from the global parent may be disqualified from serving on any Indian company board.
For listed companies, SEBI can impose separate penalties for non-compliance with LODR audit committee requirements. These include financial penalties, warnings, and in severe cases, suspension of trading. The reputational damage in Gurugram's tight-knit corporate community - where companies share directors, auditors, and bankers - amplifies the business impact of non-compliance.
Bank loan covenants in Gurugram frequently require periodic internal audit. Manufacturing companies in Manesar with working capital facilities against inventory and receivables face covenant requirements for quarterly internal audit reports. Non-compliance triggers a technical default - the bank can call the loan even if the company is otherwise performing well.
How Internal Audit Connects with Other Compliance in Gurugram
Internal audit findings feed into the statutory auditor's assessment of internal financial controls under Section 143(3)(i). The stock audit verifies inventory accuracy that the internal auditor evaluates as part of operational controls - particularly critical for Manesar auto ancillary units with bank-hypothecated inventory.
For Gurugram's MNC subsidiaries, the internal audit report feeds into the global group audit. The Indian internal auditor's findings on related party transactions (transfer pricing), intercompany balances, and management override of controls are reviewed by the group auditor. A weak Indian internal audit report can trigger enhanced group audit procedures - increasing both cost and scrutiny.
The tax auditor (Section 44AB) also references internal audit findings when reporting on compliance with tax provisions in Form 3CD. For Gurugram IT companies claiming tax benefits under Section 10AA (SEZ units) or Section 80-IAC (DPIIT startups), the internal audit report on eligibility conditions strengthens the tax audit and reduces assessment risk.
Mandatory vs Voluntary Internal Audit: Decision Guide for Gurugram Companies
| Gurugram Company Scenario | Mandatory (S.138)? | Recommendation |
|---|---|---|
| Listed company (NSE/BSE headquarters) | Yes - always | Quarterly under SEBI LODR - continuous audit ideal |
| MNC subsidiary (Pvt Ltd, Rs 200+ Cr turnover) | Yes | Quarterly - align with group audit cycle |
| MNC subsidiary (below Rs 200 Cr but group mandate) | No (Indian law) | Yes - group policy requires it; dual compliance |
| Auto ancillary (Manesar) with Rs 100+ Cr borrowings | Yes | Quarterly - bank covenant + statutory requirement |
| IT/ITES startup (below threshold) - VC-funded | No | Yes - signals governance maturity to investors |
| Mid-market Pvt Ltd (Rs 50-200 Cr) - bank credit | No | Yes - improves credit terms and bank confidence |
| Early-stage startup (pre-revenue) | No | Not yet - focus on statutory compliance first |
Key Takeaways
Internal audit under Section 138 is mandatory for all listed companies, unlisted public companies with Rs 50 crore paid-up capital or Rs 200 crore turnover or Rs 100 crore borrowings or Rs 25 crore deposits, and private companies with Rs 200 crore turnover or Rs 100 crore borrowings. Gurugram's corporate concentration means a disproportionately high number of companies trigger these thresholds.
The internal auditor can be a CA, CMA, CIA, or qualified employee - but CANNOT be the statutory auditor (Section 144(b)). The Audit Committee determines scope, frequency, and methodology under Rule 13.
There is no government fee. Gurugram NCR professional fees range from Rs 2 lakh (small voluntary audit) to Rs 50 lakh+ (listed company continuous audit). Costs are 15-25% higher than Tier 2 cities due to MNC complexity and IT controls requirements.
Non-compliance attracts Rs 10,000 + Rs 1,000/day continuing penalty (Section 450). Director disqualification (Section 164) and bank covenant breaches are additional risks for Gurugram companies.
MNC subsidiaries must maintain both Indian statutory internal audit (Section 138) and group internal audit independently - the global group audit does not replace the Indian requirement.
Need Help with Internal Audit in Gurugram?
Internal audit for Gurugram companies requires understanding the intersection of Indian statutory requirements (Section 138), SEBI LODR (for listed companies), and global group audit expectations (for MNC subsidiaries). The scope extends beyond financials to IT controls, cybersecurity, ESG, and related party transactions.
Explore our internal audit services for CA-led internal audit engagements - from risk assessment and annual planning to quarterly fieldwork, Audit Committee presentation, and follow-up tracking. Our Gurugram office serves NCR clients across Cyber City, Golf Course Road, Manesar, Udyog Vihar, and Sohna Road.
For queries, reach out at +91 945 945 6700 or WhatsApp us directly.