Internal audit is the most underutilised governance tool available to Indian companies. Mandatory for companies crossing specific thresholds, it is also increasingly adopted voluntarily by growing Pune startups and MSMEs preparing for funding rounds, operational scaling, or transition to larger compliance frameworks.
The confusion starts with basics: most businesses do not know whether internal audit is mandatory for them, what it costs (spoiler: zero government fees), how long it takes, or what the output looks like. This blog answers all of these questions from our Pune office’s experience across 100+ internal audit engagements.
What Is Internal Audit Under the Companies Act?
Internal audit under Section 138 of the Companies Act, 2013 is a statutory requirement for specified companies to appoint a qualified professional to independently evaluate the company’s functions and activities. The scope, functioning, periodicity, and methodology are determined by the Audit Committee (or Board) in consultation with the internal auditor (Rule 13 of Companies (Accounts) Rules, 2014).
Internal audit is not the same as statutory audit. Statutory audit verifies financial statements. Internal audit evaluates how the business operates - are controls working, are risks managed, is money being spent correctly, are regulations being followed? Businesses using internal audit services get this independent evaluation as a structured engagement.
Key Terms You Should Know
Section 138: Companies Act provision mandating internal audit for prescribed company classes.
Rule 13 (Companies (Accounts) Rules, 2014): Specifies the thresholds for mandatory internal audit and requires the Audit Committee/Board to formulate scope and methodology.
Audit Committee (Section 177): Committee of the Board overseeing financial reporting, internal controls, and audit. Mandatory for listed companies and specified unlisted/private companies.
Section 144: Prohibits the statutory auditor from performing internal audit, management consultancy, accounting services, and other listed services for the same company.
Section 450: General penalty provision (Rs 10,000 + Rs 1,000/day for continuing default) applicable to Section 138 non-compliance since no specific penalty is prescribed under Section 138 itself.
MGT-14: Board resolution filing with ROC. Required for public companies (including deemed public) when appointing an internal auditor. Exempted for private companies by MCA notification dated 5 June 2015.
IFC (Internal Financial Controls): Section 134(5)(e) requires all companies to maintain adequate IFC. The statutory auditor reports on IFC adequacy for specified companies. Internal audit directly evaluates these controls.
SA 610: Standard on Auditing dealing with statutory auditor’s reliance on internal audit work. In 2026, statutory auditors increasingly reference internal audit findings.
Who Must Conduct Internal Audit? The Applicability Matrix
| Company Type | Mandatory If (Preceding FY) | Filing / Notes |
|---|---|---|
| All listed companies | Always mandatory. No threshold - all companies on NSE/BSE. | SEBI LODR: intimate stock exchange within 24 hours of Board meeting approving appointment. |
| Unlisted public company | ANY ONE: turnover ≥ Rs 200 Cr, OR paid-up capital ≥ Rs 50 Cr, OR loans/borrowings ≥ Rs 100 Cr from banks/FIs, OR deposits ≥ Rs 25 Cr. | MGT-14 filing with ROC within 30 days of Board resolution. |
| Private company | ANY ONE: turnover ≥ Rs 200 Cr, OR loans/borrowings ≥ Rs 100 Cr from banks/FIs. | No MGT-14 required (exempted by MCA notification 5 June 2015). Board resolution sufficient. |
| Companies below thresholds | Not mandatory. Voluntary adoption recommended for governance and investor readiness. | No filing. Board resolution for appointment. |
| LLPs | Not mandated under LLP Act. Voluntary adoption for governance / investor requirements. | No statutory requirement. |
| NBFCs / Banks / Insurance | Mandatory under RBI Master Directions / IRDAI guidelines regardless of size. | Sector-specific regulations apply. |
Compliance window: companies newly crossing the threshold must appoint an internal auditor within 6 months from the start of the financial year following the year in which the threshold was crossed.
Internal Audit vs Statutory Audit
| Parameter | Internal Audit | Statutory Audit |
|---|---|---|
| Purpose | Evaluate controls, risk, compliance, operational efficiency | Opinion on whether financial statements are true and fair |
| Legal basis | Section 138 + Rule 13 (specified companies only) | Sections 139-143 (ALL companies) |
| Reports to | Board / Audit Committee | Shareholders at AGM |
| Frequency | Quarterly or half-yearly (audit committee decides) | Annual |
| Scope | Operations, controls, risk, compliance - broader than financials | Financial statements, accounting standards, disclosures |
| Who can do it | CA, CMA, CIA, or Board-decided professional. Employee or external. NOT statutory auditor. | Practising CA only. Appointed at AGM. ADT-1 filed with ROC. |
| ROC filing | No ROC filing for private companies. MGT-14 for public companies. | ADT-1 within 15 days of AGM. |
| Output | Internal audit report: findings, risk ratings, recommendations, action plans | Audit report: opinion (unqualified/qualified/adverse/disclaimer) |
Our statutory audit 2026 analysis shows how internal audit work supports the statutory audit under SA 610.
The Appointment Process: Step by Step
Step 1: Check applicability. Review preceding FY financials against Section 138 thresholds. If any threshold is met, appointment is mandatory.
Step 2: Identify the internal auditor. Options: external CA firm, CMA firm, CIA professional, qualified employee, or Company Secretary firm. The statutory auditor of the company cannot serve as internal auditor (Section 144). Our auditor appointment guide covers the complete appointment framework.
Step 3: Obtain written consent. The proposed internal auditor provides written consent to act.
Step 4: Pass Board resolution. The Board (on recommendation of Audit Committee, if applicable) passes a resolution appointing the internal auditor. The resolution specifies scope, functioning, periodicity, and methodology.
Step 5: File MGT-14 (public companies only). Within 30 days of Board resolution. Private companies are exempted from MGT-14 for this purpose.
Step 6: Issue engagement letter. Defines: scope, objectives, areas to be covered, timeline, access rights, reporting structure, fees, and confidentiality.
Step 7: For listed companies - SEBI intimation. Intimate the stock exchange within 24 hours of the Board meeting, including: name of internal auditor, date of appointment, qualifications, and brief profile.
Government Fees and Costs
| Component | Cost |
|---|---|
| Government fee for internal audit | Rs 0 - no government fee whatsoever. |
| ROC filing for internal auditor appointment (private companies) | Rs 0 - no ROC filing required (MGT-14 exempted for private companies). |
| MGT-14 filing (public companies only) | Rs 200-600 depending on authorised capital. Filed within 30 days of Board resolution. |
| Professional fee (paid to internal auditor / CA firm) | Not a government fee. Market-based. Depends on: company size, scope, frequency, complexity, and number of locations. Typical Pune range: Rs 50,000 to Rs 5,00,000+ per year. |
| Penalty for non-compliance (mandatory and not done) | Rs 10,000 on company + Rs 1,000/day for continuing default. Officers in default also liable (Section 450). |
Bottom line: internal audit costs your company zero in government fees. The entire cost is the professional fee. For a Pune MSME crossing the Rs 200 Cr turnover threshold, a comprehensive quarterly internal audit typically costs Rs 2-5 lakh per year - far less than the penalty for non-compliance or the cost of a single fraud incident that internal audit would have caught.
Documents the Internal Auditor Will Need
- Financial data: trial balance, P&L, balance sheet, cash flow (current year + prior year comparison)
- Bank statements: all accounts, all months
- GST returns: GSTR-3B, GSTR-1, GSTR-9 and books reconciliation
- Purchase register, sales register, invoices (sample + full-population data)
- Expense vouchers and approval records
- Payroll records: salary register, PF ECR, ESI challan, TDS 24Q, Form 16
- Fixed asset register and depreciation schedule
- Inventory / stock records and physical verification reports
- Board minutes and committee minutes
- Statutory compliance register (Companies Act, IT, GST, PF, ESI, PT)
- Contracts: vendor, customer, lease, employment, related-party
- Previous internal audit report (for follow-up)
- Organisation chart and SOPs (if documented)
- IT systems access: ERP, accounting software, banking portals
What Does an Internal Audit Cover?
| Audit Area | What Is Examined | Why It Matters |
|---|---|---|
| Financial controls | Revenue recognition, journal entries, bank reconciliation, expense approvals, petty cash, inter-company transactions | Prevents misstatement, fraud, and cash leakage |
| Procurement & payables | Vendor selection, PO process, GRN matching, invoice verification, payment authorisation, related-party transactions | Prevents overpayment, duplicate payments, vendor fraud |
| Revenue & receivables | Invoicing accuracy, GST on sales, receivables ageing, credit policies, bad debt provisioning | Ensures revenue integrity and cash collection |
| Inventory & stock | Valuation, physical verification, slow-moving stock, wastage, stock-to-sales ratio | Prevents misappropriation and overstatement |
| Payroll & HR | Salary accuracy, PF/ESI/PT/TDS deductions, leave calculations, exit formalities, ghost employees | Prevents payroll fraud and statutory non-compliance |
| Statutory compliance | Companies Act (ROC filings, Board meetings), IT Act (TDS, ITR), GST, PF, ESI, PT, Shops & Establishments | Identifies gaps before regulators do |
| IT controls | Access management, data backup, ERP controls, software licensing, cyber security basics | Prevents data loss and unauthorised access |
| Risk management | Risk register, insurance adequacy, business continuity, key-person dependency | Strengthens resilience against disruptions |
For Pvt Ltd registration, where internal audit becomes relevant as the company scales, we design control frameworks from incorporation. For Pvt Ltd compliance audit, see how compliance review complements internal audit.
The Typical Timeline: What to Expect
| # | Phase | What Happens | Duration | Output |
|---|---|---|---|---|
| 1 | Planning & scoping | Risk assessment, scope finalisation, audit plan, information request list shared with client | 1-2 weeks | Audit plan + IR list |
| 2 | Fieldwork | Document review, transaction testing (sampling + full-population analytics), control walkthroughs, interviews with process owners | 2-4 weeks per cycle | Working papers + preliminary findings |
| 3 | Draft report | Findings with risk rating (critical/high/medium/low), root cause, recommendation | 1 week | Draft internal audit report |
| 4 | Management discussion | Present to management. They provide: agreed action plan, responsible person, target date | 1-2 weeks | Management response |
| 5 | Final report | Incorporate management response. Finalise. Present to Audit Committee / Board | 3-5 days | Final report to Board |
| 6 | Follow-up (next cycle) | Verify management has implemented agreed actions from prior cycle | Part of next cycle | Implementation status report |
Per cycle: 5-9 weeks. Quarterly audit: 4 cycles/year. Half-yearly: 2 cycles. Engagement runs April to March, aligned with the financial year.
Penalties for Non-Compliance
| Non-Compliance | Penalty | Provision |
|---|---|---|
| Not appointing internal auditor when mandatory | Rs 10,000 + Rs 1,000/day continuing default. Officers in default also liable. | Section 450 (no specific penalty under 138; Section 450 applies as residual) |
| Not conducting audit after appointment | Same penalty. Additionally: statutory auditor may qualify opinion on IFC adequacy. | Section 450 + Section 143(3)(i) |
| Statutory auditor acting as internal auditor | Contravention of Section 144. Statutory auditor’s independence compromised. | Section 144 |
| MGT-14 not filed (public companies) | Additional fee for late filing + Section 117 penalty (Rs 1,00,000-5,00,000 on company; Rs 50,000-5,00,000 on officers). | Section 117 |
| Not acting on findings (governance risk) | No direct penalty but: director liability if ignored findings cause loss; statutory auditor may qualify report. | Fiduciary duty + Section 134(5) |
Common Mistakes in Internal Audit Compliance
Mistake 1: Assuming internal audit is the same as statutory audit. They are different: different purpose, different scope, different reporting. Companies need both (where applicable). Having a statutory auditor does not exempt you from internal audit.
Mistake 2: Appointing the statutory auditor as internal auditor. Section 144 expressly prohibits this. The statutory auditor (and their firm/network) cannot perform internal audit for the same company.
Mistake 3: Not checking thresholds annually. Applicability is based on the preceding financial year. A Pune company that hit Rs 200 Cr turnover in FY 2025-26 must appoint an internal auditor by 30 September 2026 (6 months from FY start).
Mistake 4: Treating internal audit as a checkbox exercise. Companies that restrict scope, limit access, or ignore findings waste the exercise. The value comes from acting on recommendations and closing findings.
Mistake 5: No follow-up on prior findings. Each audit cycle must track prior findings. Recurring, unresolved findings indicate governance failure. For statutory audit, where SA 610 now references internal audit quality, unresolved findings weaken the statutory audit outcome.
Why Pune Companies Are Adopting Voluntary Internal Audit
Even below mandatory thresholds, Pune businesses are increasingly adopting internal audit for three practical reasons:
(1) Investor due diligence: PE/VC investors review governance. Companies with internal audit reports demonstrate that they identify and manage risks proactively. In competitive Pune funding rounds, this is a differentiator.
(2) Pre-scaling governance: Startups growing from Rs 50 Cr to Rs 200 Cr need control frameworks before the threshold hits. Building these incrementally through voluntary audit is cheaper than a sudden mandatory compliance overhaul.
(3) Fraud prevention: As companies scale and founders lose direct visibility over every transaction, internal audit provides the independent oversight that catches irregularities early.
Our Pune Office Methodology: 7-Step Approach
From 100+ internal audit engagements through our Pune office:
(1) Risk-based scoping: We assess the company’s risk profile (revenue, industry, transaction volume, regulatory complexity) and allocate audit effort to high-risk areas. Not everything gets equal attention.
(2) Process mapping: We map core business processes (procure-to-pay, order-to-cash, hire-to-retire, record-to-report), identify control points, and test whether those controls are designed and operating effectively.
(3) Data analytics: We use analytics to test 100% of transactions - not just samples - for anomalies: duplicate payments, unusual journal entries, threshold breaches, segregation-of-duties violations.
(4) Clear, rated reporting: Every finding is rated (critical/high/medium/low), includes root cause analysis, and provides specific, actionable recommendations - not generic observations.
(5) Management engagement: We present draft findings to management before finalising. Management provides agreed action plans with timelines and responsible persons.
(6) Board presentation: Final report to Audit Committee / Board with executive summary: total findings, risk distribution, critical issues, and trend vs prior cycles.
(7) Continuous improvement: Cumulative tracker across cycles. We measure: closure rate, average closure time, recurring finding rate. The goal: fewer findings each cycle, demonstrating improving controls. For tax planning services that integrate internal audit insights with tax strategy, we handle the governance-to-tax lifecycle.
2026 Context: What’s Current
| 2026 Development | Impact | Action |
|---|---|---|
| SA 610: statutory auditor reliance on internal audit | Statutory auditors increasingly use internal audit work papers (per SA 610). Strong internal audit reduces statutory audit cost and improves opinion quality. | Maintain audit-standard work papers. Coordinate internal and statutory audit timelines. |
| IFC reporting for specified companies | Statutory auditor must report on Internal Financial Controls adequacy. Internal audit directly tests IFC. | Include IFC testing explicitly in internal audit scope. Document separately for statutory auditor reference. |
| Voluntary adoption by Pune MSMEs and startups | Companies below threshold adopting internal audit for investor readiness, fraud prevention, and governance. | Even if not mandatory: focus on high-risk areas (cash, procurement, payroll) at least annually. |
| Data analytics in internal audit | 2026 audits increasingly use full-population analytics, anomaly detection, and continuous monitoring. | Choose an internal auditor who uses data analytics, not just manual sample testing. |
| SEBI LODR tightening for listed companies | 24-hour intimation to exchanges on internal auditor appointment. Internal audit findings discussed at Audit Committee meetings quarterly. | For listed companies: ensure Audit Committee reviews internal audit report every quarter. |
Key Takeaways
Internal audit is mandatory under Section 138 for: all listed companies, unlisted public companies exceeding turnover/capital/loan/deposit thresholds, and private companies exceeding turnover/loan thresholds. Voluntary for all others.
Government fee: Rs 0. No ROC filing for private companies. MGT-14 for public companies (Rs 200-600). Cost is purely professional fee: Rs 50,000-5,00,000/year for Pune MSMEs.
Timeline: 5-9 weeks per cycle. Quarterly or half-yearly. Planning → fieldwork → draft → management response → final report → Board presentation → follow-up.
Internal audit is NOT statutory audit. Different purpose, scope, frequency, and auditor. Both are needed where applicable. Statutory auditor CANNOT do internal audit (Section 144).
Our Pune methodology: risk-based scoping, data analytics, rated findings, management engagement, Board reporting, cumulative tracking. 100+ companies served.
Need Internal Audit Services in Pune?
Whether your company has crossed the mandatory threshold or you want voluntary internal audit for governance and investor readiness - our Pune CA team handles the complete engagement from scoping to Board reporting.
Explore our internal audit services and statutory audit for integrated audit coverage across Pune, Mumbai, Delhi, Gurugram, and all-India.
For queries, reach out at +91 945 945 6700 or WhatsApp us directly.