A Series B-stage startup recently asked us: 'We have Rs 85 crore turnover and Rs 110 crore in bank borrowings - do we need an internal audit?' The answer surprised them: yes, because of the borrowings threshold (Rs 100 crore), even though their turnover was well below Rs 200 crore. They had been operating without one for two years, creating a compliance gap that their incoming investor flagged immediately.
This guide explains exactly when internal audit becomes mandatory for startups in India, what the 2026 regulatory changes mean, when voluntary audit makes strategic sense, and how to structure an internal audit that satisfies both compliance requirements and investor expectations. Whether your startup earns Rs 50 lakh or Rs 500 crore, the rules are clearer than most founders think - once you know where to look.
What Is Internal Audit and Why Does It Matter for Startups?
Internal audit is an independent, objective assurance and consulting activity designed to evaluate and improve the effectiveness of a company's risk management, internal controls, and governance processes. Under Section 138 of the Companies Act, 2013, certain classes of companies must appoint an internal auditor - a Chartered Accountant, Cost Accountant, or other qualified professional - to conduct this function.
For startups, internal audit matters beyond legal compliance. Investors, particularly at Series A and beyond, conduct due diligence that evaluates not just revenue and growth but governance maturity. A startup that can demonstrate formal internal controls - expense approval workflows, revenue recognition policies, related-party transaction monitoring - signals operational discipline. For startups relying on internal audit services, this governance signal directly impacts valuation multiples and term sheet negotiations.
Unlike statutory audit (which every company must have) and tax audit (triggered by turnover thresholds under Section 44AB), internal audit under Section 138 has specific applicability thresholds that exempt most early-stage startups. Understanding these thresholds prevents both unnecessary expenditure and unintentional non-compliance.
Key Terms You Should Know
- Section 138 (Companies Act 2013): The provision mandating internal audit appointment for prescribed classes of companies. Applicability depends on thresholds defined in Rule 13 of the Companies (Accounts) Rules, 2014.
- Rule 13 (Companies (Accounts) Rules 2014): Specifies the financial thresholds triggering mandatory internal audit - turnover, paid-up capital, loans, deposits - for listed, unlisted public, and private companies.
- Small Company (Section 2(85)): A company with paid-up capital up to Rs 4 crore AND turnover up to Rs 40 crore (enhanced thresholds from 2025 MCA notification). Small companies enjoy simplified compliance including relaxed board meeting frequency and lighter penalty treatment.
- One Person Company (OPC): A company with a single member and director. OPCs are exempt from several compliance requirements. Internal audit under Section 138 applies to OPCs only if articles specifically provide for it.
- Internal Financial Controls (IFC) - Section 134(5): Broader than internal audit - every company must establish 'adequate internal financial controls' and ensure they operate effectively. The statutory auditor reports on IFC adequacy under Section 143(3)(i).
- DPIIT Startup Recognition (2026 Notification): DPIIT's February 2026 notification extended recognition to 10 years for regular startups and 20 years for deep tech startups, increased turnover ceiling to Rs 200 crore (Rs 300 crore for deep tech), and introduced a 'Relaxations and Modifications' clause for emerging sectors.
- Corporate Laws (Amendment) Bill 2026: Introduced in Lok Sabha on 24 March 2026. Proposes further compliance relaxations for smaller companies, CSR threshold revisions, decriminalisation of procedural offences, and alignment with ease of doing business objectives.
Which Startups Must Conduct Internal Audit Under Section 138?
The mandatory internal audit requirement depends on three factors: company type, financial thresholds in the preceding financial year, and any specific regulatory direction. Here is the complete applicability map for startups:
- Listed startups (any stock exchange) - internal audit mandatory regardless of turnover or borrowings. If your startup has listed via SME platform or main board, Section 138 applies from Day 1
- Unlisted public company startups - mandatory if ANY one of: (a) turnover Rs 200 crore+, (b) paid-up capital Rs 50 crore+, (c) borrowings from banks/PFIs Rs 100 crore+, (d) deposits Rs 25 crore+ in the preceding FY
- Private company startups (most common for startups) - mandatory if: (a) turnover Rs 200 crore+, OR (b) borrowings from banks/PFIs Rs 100 crore+ in the preceding FY
- OPC startups - Section 138 applies only if the company's articles specifically provide for it (Notification dated 04.01.2017)
- LLP startups - Section 138 does not apply to LLPs. LLPs are governed by the LLP Act, 2008 which has no internal audit mandate
For startups completing startup registration as Pvt Ltd companies with turnover below Rs 200 crore and borrowings below Rs 100 crore, internal audit is NOT mandatory under Section 138. However, statutory audit under Section 143 remains mandatory for all companies regardless of size.
Legal Framework: Mandatory vs Voluntary Internal Audit for Startups
| Aspect | Mandatory Internal Audit (Section 138) | Voluntary Internal Audit | Statutory Audit (Section 143) |
|---|---|---|---|
| When Required | Thresholds crossed: Rs 200 Cr turnover OR Rs 100 Cr borrowings (private companies) | Anytime - Board decision; no threshold required | Always - every company, every year, regardless of size |
| Legal Basis | Section 138 + Rule 13 Companies (Accounts) Rules 2014 | Board resolution under general governance powers | Section 143 Companies Act 2013 |
| Who Conducts | CA, Cost Accountant, or Board-approved professional (NOT the statutory auditor) | Same qualifications; can also be internal employee | Practising Chartered Accountant or CA firm with CoP |
| Scope | Functions and activities of the company - defined by Audit Committee/Board in consultation with auditor | Flexible - can focus on specific areas (revenue, expenses, internal controls, compliance) | Financial statements - true and fair view; also reports on IFC adequacy |
| Reporting To | Board of Directors (via Audit Committee if applicable) | Board of Directors | Members (shareholders) at AGM + filed with ROC |
| Penalty for Non-Compliance | Rs 10,000 + Rs 1,000/day (Section 450) | None - it is voluntary | Severe - financial statements cannot be filed without statutory audit |
| Cost (Typical for Startup) | Rs 1-3 lakh/year depending on complexity | Rs 50,000-1,50,000/year for focused scope | Rs 15,000-50,000/year for early-stage startups |
The key distinction: most startups below Rs 200 crore turnover and Rs 100 crore borrowings are exempt from mandatory internal audit. But they are NEVER exempt from statutory audit - and the statutory auditor must report on the adequacy of internal financial controls under Section 143(3)(i). This creates an indirect pressure to maintain internal controls even when formal internal audit is not required.
How to Determine If Your Startup Needs Internal Audit: Step-by-Step
- Step 1: Determine your company type. Pvt Ltd, Public, OPC, or LLP? LLPs are exempt. OPCs are exempt unless articles provide otherwise. For Pvt Ltd and Public companies, proceed to Step 2.
- Step 2: Check preceding FY financials against Rule 13 thresholds. For private companies: was turnover Rs 200 crore or more? OR were bank/PFI borrowings Rs 100 crore or more at ANY point during the preceding FY? If YES to either, internal audit is mandatory. If NO to both, Section 138 does not require it.
- Step 3: Check if you are a listed company. Even SME-listed startups must comply with Section 138 regardless of thresholds. If listed, internal audit is mandatory.
- Step 4: Check regulatory or sectoral requirements. NBFC startups, insurance companies, and banking entities have separate RBI/IRDAI/SEBI mandates for internal audit that override Companies Act thresholds. If your startup is in a regulated sector, check the sector-specific rules.
- Step 5: Assess voluntary audit value. Even if not mandatory, consider voluntary internal audit if: (a) you are raising Series A or above, (b) your turnover is growing rapidly and will cross Rs 200 crore within 2-3 years, (c) you handle sensitive data (fintech, healthtech) where control failures create regulatory and reputational risk, or (d) you have related-party transactions that need independent verification.
- Step 6: Appoint and scope the audit. If mandatory, appoint an internal auditor (CA, CMA, or Board-approved professional - NOT your statutory auditor per Section 144). Work with the Audit Committee or Board to define scope, periodicity (quarterly/half-yearly/annual), and reporting methodology per Rule 13(2). For managing ongoing compliance, startups maintaining private limited company compliance should integrate internal audit into their annual compliance calendar.
Documents and Records Needed for Internal Audit
- Books of accounts - general ledger, cash book, bank book, journal entries for the audit period
- Bank statements and bank reconciliation statements - for cash flow verification and control testing
- Revenue recognition workpapers - invoices, contracts, delivery confirmations, subscription records
- Expense vouchers with supporting documents - vendor invoices, purchase orders, approval chains
- Payroll records - salary register, TDS challans, PF/ESI submissions, employee contracts
- Related-party transaction register - with Board approvals and arm's length pricing documentation
- Fixed asset register with depreciation schedules - for asset verification and capital expenditure controls
- GST returns (GSTR-1, GSTR-3B) - for revenue/input credit reconciliation with books
- Previous statutory audit report and management letter - for prior-year observations and follow-up
- Board minutes and committee minutes - for governance process verification and approval chain audit
- IT systems access controls documentation - user access logs, password policies, data backup records (critical for SaaS/tech startups)
- ESOP/ESOS records - grant letters, vesting schedules, exercise records (for perquisite and share capital verification)
Internal Audit Costs: What Startups Should Budget
| Startup Stage | Typical Annual Turnover | Internal Audit Required? | Typical Cost if Conducted |
|---|---|---|---|
| Pre-revenue / Seed | Below Rs 50 lakh | No (voluntary) | Rs 30,000-50,000 (focused control review) |
| Early growth / Pre-Series A | Rs 50 lakh - Rs 10 crore | No (voluntary; recommended pre-funding) | Rs 50,000-1,00,000 |
| Series A-funded / Growth | Rs 10-100 crore | No (unless borrowings > Rs 100 Cr) | Rs 1,00,000-2,00,000 |
| Scaling / Pre-Series B | Rs 100-200 crore | Approaching threshold - prepare now | Rs 1,50,000-3,00,000 |
| Rs 200 crore+ turnover | Above Rs 200 crore | YES - mandatory under Section 138 | Rs 2,00,000-5,00,000+ |
| Any stage with borrowings > Rs 100 crore | Any turnover | YES - mandatory under Section 138 | Rs 1,50,000-3,00,000 |
Note: Voluntary internal audit for a pre-Series A startup costs Rs 50,000-1,00,000 per year - a fraction of a single month's cloud infrastructure bill for most tech startups. The ROI is not in penalty avoidance (since it is not mandatory) but in investor confidence, cleaner financial statements, and early detection of process inefficiencies that waste cash.
Common Mistakes Startups Make About Internal Audit
Mistake 1: Confusing internal audit with statutory audit. Statutory audit (Section 143) is mandatory for ALL companies and examines financial statements. Internal audit (Section 138) evaluates operational processes, controls, and risk management - and is mandatory only above prescribed thresholds. Having a statutory auditor does not satisfy the internal audit requirement. A startup needs both if thresholds are crossed - and the statutory auditor CANNOT serve as the internal auditor per Section 144(b).
Mistake 2: Not tracking borrowing thresholds. Many startups focus on the Rs 200 crore turnover threshold and ignore the Rs 100 crore borrowings threshold. Venture debt, term loans, working capital facilities, and even inter-corporate deposits from group companies count toward this limit. A startup with Rs 30 crore turnover but Rs 110 crore in aggregate borrowings from banks/PFIs must conduct an internal audit. Check borrowings at every quarter-end, not just year-end - the threshold is 'at any point during the preceding FY.' For startups maintaining private limited company compliance, this check should be automated.
Mistake 3: Assuming DPIIT startup recognition exempts from internal audit. DPIIT recognition provides benefits like Section 80-IAC tax deduction, self-certification under certain labour laws, and simplified compliance under Startup India. But it does NOT exempt startups from Section 138 internal audit requirements if thresholds are crossed. The Companies Act requirements apply regardless of DPIIT status.
Mistake 4: Delaying internal audit appointment after crossing thresholds. Once your preceding FY financials cross the threshold, you must appoint an internal auditor within 6 months of the start of the current FY. A startup that crosses Rs 200 crore turnover in FY 2025-26 must appoint the internal auditor by 30 September 2026. Missing this deadline triggers Section 450 penalties.
Mistake 5: Treating voluntary internal audit as a one-time exercise before funding. Some startups conduct a quick internal review before a funding round and call it 'internal audit.' A meaningful internal audit is periodic (quarterly or half-yearly), covers multiple functional areas (revenue, expenses, payroll, IT controls, compliance), and produces actionable findings. A one-time snapshot before funding may satisfy due diligence questions but does not build the governance infrastructure that sustains post-funding compliance.
Penalties for Non-Compliance with Section 138
The Companies Act does not have a specific penalty section for Section 138 non-compliance. However, Section 450 (the general penalty provision) applies.
Under Section 450, if a company or any officer in default fails to comply with any provision for which no specific penalty is prescribed, the company and every officer in default shall be punishable with a fine of up to Rs 10,000. If the non-compliance continues, an additional fine of Rs 1,000 per day applies for every day the default continues.
This penalty is compoundable - meaning the company can approach the Regional Director (RD) or NCLT to settle the penalty without prosecution. However, compounding still requires payment of the penalty amount plus compounding fees.
Beyond the direct penalty, non-compliance with Section 138 creates indirect consequences: the statutory auditor may issue a qualified opinion or emphasis of matter paragraph regarding inadequate internal controls, which weakens the company's financial statements in the eyes of lenders, investors, and regulators. For startups in regulated sectors (NBFC, fintech, insurance), failure to maintain adequate internal audit can trigger sectoral regulatory action.
How Internal Audit Connects with Statutory Audit, Tax Audit, and Investor Readiness
Internal audit, statutory audit, and tax audit serve different but interconnected purposes. The statutory auditor, when reporting under Section 143(3)(i), must state whether the company has adequate internal financial controls (IFC) with reference to financial statements. If no internal audit has been conducted and internal controls are weak, the statutory auditor may report IFC inadequacy - a serious red flag for investors and lenders.
Tax audit under Section 44AB is triggered by turnover exceeding Rs 1 crore (Rs 10 crore with 95%+ digital receipts) or professional receipts exceeding Rs 50 lakh. Tax audit examines tax compliance - deductions claimed, income reported, TDS deposited. Internal audit goes broader - examining operational processes, governance, risk management, and compliance across all functions, not just tax. Many startups need tax audit (turnover Rs 1-10 crore range) long before they need internal audit (Rs 200 crore threshold). Having a tax audit without internal audit is common and legally compliant for most startups.
For investor readiness, the three audits create a governance triad: statutory audit confirms financial accuracy, tax audit confirms tax compliance, and internal audit confirms operational control maturity. A startup presenting all three to a Series B+ investor demonstrates institutional-grade governance - the kind that justifies higher valuation multiples and cleaner term sheets.
Mandatory vs Voluntary Internal Audit: Impact on Startups
| Criterion | Mandatory (Above Threshold) | Voluntary (Below Threshold) |
|---|---|---|
| Legal requirement | Yes - Section 138 + Rule 13 | No - Board decision |
| Penalty for non-compliance | Rs 10,000 + Rs 1,000/day (Section 450) | None |
| Scope defined by | Audit Committee/Board in consultation with internal auditor (Rule 13(2)) | Board - flexible; can focus on specific risk areas |
| Periodicity | As defined - typically quarterly or half-yearly | Flexible - annual or focused reviews before key events (funding, acquisition) |
| Auditor independence | Cannot be statutory auditor (Section 144(b)) | Same best practice; can also use internal employees |
| Investor perception | Expected compliance - not a differentiator | Governance signal - positive differentiator in due diligence |
| Cost | Rs 1.5-5 lakh/year (higher complexity) | Rs 50,000-1.5 lakh/year (focused scope) |
| ROI source | Penalty avoidance + control improvement | Investor confidence + process efficiency + early risk detection |
Key Takeaways
Internal audit under Section 138 of the Companies Act, 2013 is mandatory for private company startups only when turnover exceeds Rs 200 crore or borrowings from banks/PFIs exceed Rs 100 crore in the preceding financial year. Most early-stage and growth-stage startups fall below these thresholds and are legally exempt.
The Rs 100 crore borrowings threshold catches more startups than the Rs 200 crore turnover threshold - venture debt, term loans, and working capital facilities all count, and the threshold is checked at 'any point during the preceding FY,' not just year-end.
DPIIT's February 2026 notification expanded startup recognition to 20 years for deep tech and raised the turnover ceiling to Rs 200 crore (Rs 300 crore for deep tech), but this does NOT exempt startups from Section 138 internal audit requirements if the Companies Act thresholds are crossed.
Voluntary internal audit for pre-funding startups costs Rs 50,000-1,50,000 per year and serves as a governance signal that strengthens investor confidence, improves financial statement quality, and catches operational inefficiencies before they scale with the business.
The penalty for non-compliance with Section 138 is Rs 10,000 plus Rs 1,000 per day of continuing default under Section 450 - modest in isolation but compounded by the reputational damage of qualified statutory audit opinions and investor due diligence failures.