If your Pune-based company has crossed Rs 200 crore in turnover, borrowed more than Rs 100 crore from banks, or is listed on any stock exchange - you are legally required to appoint an internal auditor under Section 138 of the Companies Act 2013. Skip this, and you face penalties starting at Rs 10,000 plus Rs 1,000 for every day the default continues.
But even if your company falls below these thresholds, voluntary internal audit is increasingly becoming a business necessity. For Pune's IT companies in Hinjewadi preparing for ISO certifications, manufacturers in Chakan MIDC seeking bank credit facilities, and startups in Kharadi planning Series A fundraising - an internal audit report signals operational maturity and governance strength to investors, lenders, and clients.
This guide explains what internal audit covers, who must conduct it, the step-by-step process, what documents you need, realistic timelines and cost benchmarks, and how it differs from statutory and tax audits.
What Is Internal Audit and Why Does It Matter?
Internal audit is an independent, objective assurance and consulting activity under Section 138 of the Companies Act 2013, designed to evaluate and improve the effectiveness of a company's risk management, internal controls, and governance processes. Unlike a statutory audit which verifies financial statements for external stakeholders, internal audit focuses on operational improvement for management and the board.
The internal auditor reports to the Audit Committee (for companies that have one under Section 177) or directly to the Board of Directors. The audit scope, frequency, methodology, and reporting structure are determined by the Audit Committee in consultation with the internal auditor - as specified in Rule 13 of the Companies (Accounts) Rules 2014.
In 2026, internal audit in India is evolving beyond traditional compliance checking. ICAI's Standards on Internal Audit (SIA) and IIA's Global Internal Audit Standards emphasise risk-based auditing, cybersecurity controls assessment, ESG assurance, and AI governance frameworks. For Pune's technology-driven economy, these expanded expectations make internal audit a strategic function, not just a regulatory checkbox.
Key Terms You Should Know
- Section 138: The Companies Act provision mandating internal audit for specified companies. Read with Rule 13 of Companies (Accounts) Rules 2014.
- Audit Committee (Section 177): A committee of the Board (mandatory for listed and prescribed companies) that oversees internal audit scope, findings, and follow-up. Must have a minimum of 3 directors, with majority being independent.
- Rule 13: Specifies the classes of companies requiring internal audit, the appointment procedure, and mandates that the Audit Committee determine scope, functioning, periodicity, and methodology.
- Risk-Based Internal Audit (RBIA): An approach where audit planning and resource allocation are driven by the organisation's key risks rather than a fixed checklist. Recommended by ICAI and IIA.
- Section 144(b): Prohibits the statutory auditor from providing internal audit services to the same company - ensuring independence of both functions.
- SIA (Standards on Internal Audit): Framework issued by ICAI governing the conduct of internal audit in India. Covers planning, execution, reporting, and quality assurance.
- SEBI LODR: SEBI Listing Obligations and Disclosure Requirements Regulations 2015 - impose additional internal audit and audit committee requirements on listed companies beyond the Companies Act.
Which Companies Must Conduct Internal Audit Under Section 138?
Under Section 138 read with Rule 13, the following companies must appoint an internal auditor. For Pune companies planning tax audit compliance, note that internal audit is a separate requirement - both may apply simultaneously:
- All listed companies - regardless of turnover, capital, or borrowings (mandatory under both Companies Act and SEBI LODR)
- Unlisted public companies with paid-up share capital of Rs 50 crore or more during the preceding FY
- Unlisted public companies with turnover of Rs 200 crore or more during the preceding FY
- Unlisted public companies with outstanding loans/borrowings from banks or PFIs exceeding Rs 100 crore at any point during the preceding FY
- Unlisted public companies with outstanding deposits of Rs 25 crore or more at any point during the preceding FY
- Private companies with turnover of Rs 200 crore or more during the preceding FY
- Private companies with outstanding loans/borrowings from banks or PFIs exceeding Rs 100 crore at any point during the preceding FY
Important: Companies not meeting these thresholds are NOT prohibited from conducting internal audit - they can (and should) do so voluntarily. Many Pune mid-market companies, particularly those seeking bank credit or investor funding, conduct internal audit even when not mandated.
Legal Framework: Internal Audit vs Statutory Audit vs Tax Audit
| Parameter | Internal Audit | Statutory Audit | Tax Audit |
|---|---|---|---|
| Governing Section | Section 138, Companies Act | Section 143, Companies Act | Section 44AB, Income Tax Act |
| Purpose | Evaluate controls, risk, governance for management | Verify financial statements for shareholders | Verify income computation for Income Tax Dept |
| Reports To | Audit Committee / Board | Shareholders (via AGM) | Income Tax Department |
| Frequency | Quarterly / semi-annual / annual (per Audit Committee) | Annual (mandatory) | Annual (if turnover exceeds threshold) |
| Who Conducts | CA, CMA, CIA, or qualified employee | External CA (statutory auditor) | CA only (tax auditor) |
| Government Fee | None - professional fees only | None - professional fees only | None - professional fees only |
| Report Format | No prescribed format - per ICAI SIA | CARO 2020 + Form 3CA/3CB | Form 3CA-3CD / 3CB-3CD |
Key restriction: Under Section 144(b), the same firm or individual CANNOT serve as both statutory auditor and internal auditor for the same company. This ensures independence and prevents conflicts of interest.
How Internal Audit Works: Step-by-Step Process
1. Appointment of Internal Auditor. The Board of Directors appoints the internal auditor (CA, CMA, CIA, or employee) based on the Audit Committee's recommendation. The appointment is documented in a Board Resolution. For companies incorporated through private limited company registration, this step typically happens in the first board meeting after the company crosses the applicability threshold.
2. Audit Planning and Risk Assessment. The internal auditor, in consultation with the Audit Committee, prepares an annual audit plan. This identifies key risk areas (financial reporting, procurement, IT controls, regulatory compliance, revenue recognition), prioritises auditable units, allocates resources, and sets timelines. The plan is approved by the Audit Committee.
3. Fieldwork - Data Collection and Testing. The audit team reviews policies, SOPs, transaction records, and previous audit reports. They conduct sample testing of controls, compliance testing (adherence to laws and company policies), and substantive testing (accuracy of financial data). For Pune manufacturers, this includes production records, inventory controls, and vendor payment cycles.
4. Analysis and Finding Documentation. Each finding is documented with: observation, root cause, risk rating (high/medium/low), impact assessment, and recommendation. The audit team discusses preliminary findings with process owners to verify facts and obtain management responses.
5. Reporting to Audit Committee / Board. The internal auditor prepares a comprehensive report with executive summary, detailed findings, risk ratings, management responses, and implementation timelines. The report is presented to the Audit Committee (or Board, for companies without a committee). The committee tracks follow-up on previous audit findings.
6. Follow-Up and Continuous Monitoring. The internal auditor tracks the implementation of recommendations from previous reports. Unresolved findings are escalated to the Audit Committee. The audit plan is updated quarterly based on emerging risks, regulatory changes, and business developments.
Documents Required for Internal Audit
- Board Resolution appointing the internal auditor
- Engagement letter defining scope, objectives, timelines, and reporting structure
- Annual audit plan approved by the Audit Committee
- Organisational chart, policy manual, and Standard Operating Procedures (SOPs)
- Financial statements - trial balance, P&L, balance sheet (latest and prior year)
- Bank statements and bank reconciliation statements (all accounts)
- Sales and purchase registers with supporting invoices
- GST returns (GSTR-1, GSTR-3B, GSTR-9) and GST reconciliation statements
- Payroll records - salary register, PF/ESI challans, TDS returns (Form 24Q)
- Fixed asset register and depreciation schedule
- Previous internal audit reports and management action taken reports
- Minutes of Board meetings, Audit Committee meetings, and AGM
Internal Audit Timelines and Cost Benchmarks for Pune Companies
| Company Size / Type | Typical Duration | Frequency | Approximate Cost (Annual) |
|---|---|---|---|
| Small Pvt Ltd (Rs 10-50 Cr turnover) - voluntary | 5-10 working days per cycle | Annual or semi-annual | Rs 1-3 lakh |
| Mid-market (Rs 50-200 Cr turnover) | 10-20 working days per cycle | Quarterly or semi-annual | Rs 3-8 lakh |
| Large Pvt Ltd / Unlisted Public (Rs 200+ Cr) | 15-30 working days per cycle | Quarterly | Rs 5-15 lakh |
| Listed Company | Ongoing / continuous audit | Quarterly (SEBI LODR) | Rs 10-50 lakh+ |
| Manufacturing (Chakan MIDC / Bhosari) | 10-15 days (includes plant visit) | Quarterly or semi-annual | Rs 3-10 lakh |
| IT / SaaS (Hinjewadi / Magarpatta) | 7-12 days (includes IT controls review) | Quarterly or semi-annual | Rs 2-6 lakh |
Note: There is NO government fee for internal audit. Unlike statutory audit (which requires ROC filing fees) or tax audit (uploaded on the Income Tax portal at no fee), internal audit is a purely professional engagement. The costs above are indicative ranges based on Pune market rates for CA firms offering internal audit services. Actual costs depend on company complexity, number of locations, industry, and the internal auditor's experience.
Common Mistakes Companies Make in Internal Audit
Mistake 1: Treating internal audit as a year-end compliance exercise. Internal audit should be ongoing - quarterly reviews provide timely risk identification. An annual-only approach means control failures go undetected for 12 months. For companies managing annual compliance services, integrating internal audit into the quarterly compliance calendar prevents last-minute scrambles.
Mistake 2: Appointing the statutory auditor as internal auditor. Section 144(b) explicitly prohibits this. The statutory auditor and internal auditor MUST be different persons/firms. Companies that violate this face both disqualification of the statutory audit and penalties under Section 450.
Mistake 3: No Audit Committee oversight. For companies required to constitute an Audit Committee under Section 177, the internal audit report MUST be presented to the committee - not just to the MD or CFO. The committee determines scope, reviews findings, and tracks management action. Bypassing the committee undermines the independence of the audit function.
Mistake 4: Audit plan not aligned with company risks. Using a generic checklist-based approach instead of risk-based audit planning wastes resources on low-risk areas while critical risks go unexamined. The audit plan should be driven by the company's risk register, industry-specific risks, and previous audit findings.
Mistake 5: Not following up on previous findings. An internal audit report without follow-up is just a document. The Audit Committee must track the implementation status of every recommendation. Recurring unresolved findings signal governance weakness to external auditors, regulators, and investors.
Penalties for Non-Compliance with Internal Audit Requirements
Under Section 450 of the Companies Act 2013 (general penalty for contravention), failure to comply with Section 138 (not appointing an internal auditor when required) attracts a penalty of Rs 10,000 on the company and every officer in default. If the contravention continues, an additional penalty of Rs 1,000 per day applies until the default is rectified.
Under Section 164(2), persistent non-compliance with filing and governance requirements - including failure to conduct mandatory internal audit - can lead to disqualification of directors. A director disqualified under Section 164 cannot be appointed as director in any company for 5 years.
Additionally, failure to maintain adequate internal controls (which internal audit is designed to evaluate) can have cascading consequences. The statutory auditor is required under Section 143(3)(i) to report on the adequacy of internal financial controls. If the statutory auditor reports inadequate controls due to the absence of internal audit, it can trigger NFRA scrutiny (for listed companies), investor concern, and bank covenant breaches.
For Pune companies borrowing from banks, many loan agreements include a covenant requiring periodic internal audit. Non-compliance with this covenant can trigger a technical default, accelerating loan repayment obligations even if the company is otherwise performing well.
How Internal Audit Connects with Other Compliance
Internal audit findings feed into multiple compliance streams. The statutory auditor relies on internal audit reports to assess the adequacy of internal financial controls under Section 143(3)(i). The stock audit verifies inventory accuracy that the internal auditor evaluates as part of operational controls. The tax auditor references internal audit findings when reporting on compliance with tax laws in Form 3CD.
For listed companies, SEBI LODR requires the Audit Committee to review internal audit findings quarterly and ensure management action. The internal auditor's report on related party transactions, whistle-blower complaints, and insider trading controls directly impacts the company's SEBI compliance posture.
In Pune's growing MSME ecosystem, even companies below the Section 138 threshold benefit from voluntary internal audit. Banks assess credit risk partly based on the borrower's internal control environment. A clean internal audit report strengthens the working capital loan application and can result in better credit terms - lower interest rates, higher sanctioned limits, and fewer covenants.
Internal Audit vs Voluntary Audit: When Should Pune Companies Opt In?
| Scenario | Mandatory (Section 138)? | Recommended? |
|---|---|---|
| Listed company (NSE/BSE) | Yes - always | Quarterly under SEBI LODR |
| Pvt Ltd with Rs 200+ Cr turnover | Yes | Quarterly - comprehensive coverage |
| Pvt Ltd with Rs 100+ Cr borrowings | Yes | Quarterly - bank covenant compliance |
| Pvt Ltd below thresholds - seeking VC/PE funding | No | Yes - signals governance maturity to investors |
| Pvt Ltd below thresholds - ISO certification | No | Yes - supports ISO 9001/27001 control requirements |
| MSME with bank credit facility | No | Yes - strengthens loan renewal and credit terms |
| Startup (early stage, pre-revenue) | No | Not yet - focus on statutory compliance first |
Key Takeaways
Internal audit under Section 138 of the Companies Act 2013 is mandatory for all listed companies, unlisted public companies with Rs 50 crore paid-up capital or Rs 200 crore turnover or Rs 100 crore borrowings or Rs 25 crore deposits, and private companies with Rs 200 crore turnover or Rs 100 crore borrowings.
The internal auditor can be a CA, CMA, CIA, or a qualified employee - but CANNOT be the company's statutory auditor (Section 144(b)). The Audit Committee (Section 177) determines audit scope, frequency, and methodology.
There is no government fee for internal audit - it is a professional engagement with costs ranging from Rs 1-50 lakh per year depending on company size, complexity, and audit frequency.
Non-compliance attracts a penalty of Rs 10,000 plus Rs 1,000 per day of continuing default. Persistent non-compliance can lead to director disqualification under Section 164(2).
Even companies below Section 138 thresholds should consider voluntary internal audit if they are seeking bank credit, preparing for investor due diligence, pursuing ISO certification, or want to strengthen operational controls before scaling.