Audit · 14 min read · Apr 2, 2026

Internal Audit Service for Startups: Special Rules and Relaxations in 2026

CA Sundaram Gupta


    A Series B-stage startup recently asked us: 'We have Rs 85 crore turnover and Rs 110 crore in bank borrowings - do we need an internal audit?' The answer surprised them: yes, because of the borrowings threshold (Rs 100 crore), even though their turnover was well below Rs 200 crore. They had been operating without one for two years, creating a compliance gap that their incoming investor flagged immediately.

    This guide explains exactly when internal audit becomes mandatory for startups in India, what the 2026 regulatory changes mean, when voluntary audit makes strategic sense, and how to structure an internal audit that satisfies both compliance requirements and investor expectations. Whether your startup earns Rs 50 lakh or Rs 500 crore, the rules are clearer than most founders think - once you know where to look.

    What Is Internal Audit and Why Does It Matter for Startups?

    Internal audit is an independent, objective assurance and consulting activity designed to evaluate and improve the effectiveness of a company's risk management, internal controls, and governance processes. Under Section 138 of the Companies Act, 2013, certain classes of companies must appoint an internal auditor - a Chartered Accountant, Cost Accountant, or other qualified professional - to conduct this function.

    For startups, internal audit matters beyond legal compliance. Investors, particularly at Series A and beyond, conduct due diligence that evaluates not just revenue and growth but governance maturity. A startup that can demonstrate formal internal controls - expense approval workflows, revenue recognition policies, related-party transaction monitoring - signals operational discipline. For startups relying on internal audit services, this governance signal directly impacts valuation multiples and term sheet negotiations.

    Unlike statutory audit (which every company must have) and tax audit (triggered by turnover thresholds under Section 44AB), internal audit under Section 138 has specific applicability thresholds that exempt most early-stage startups. Understanding these thresholds prevents both unnecessary expenditure and unintentional non-compliance.

    Key Terms You Should Know

    • Section 138 (Companies Act 2013): The provision mandating internal audit appointment for prescribed classes of companies. Applicability depends on thresholds defined in Rule 13 of the Companies (Accounts) Rules, 2014.
    • Rule 13 (Companies (Accounts) Rules 2014): Specifies the financial thresholds triggering mandatory internal audit - turnover, paid-up capital, loans, deposits - for listed, unlisted public, and private companies.
    • Small Company (Section 2(85)): A company with paid-up capital up to Rs 4 crore AND turnover up to Rs 40 crore (enhanced thresholds from 2025 MCA notification). Small companies enjoy simplified compliance including relaxed board meeting frequency and lighter penalty treatment.
    • One Person Company (OPC): A company with a single member and director. OPCs are exempt from several compliance requirements. Internal audit under Section 138 applies to OPCs only if articles specifically provide for it.
    • Internal Financial Controls (IFC) - Section 134(5): Broader than internal audit - every company must establish 'adequate internal financial controls' and ensure they operate effectively. The statutory auditor reports on IFC adequacy under Section 143(3)(i).
    • DPIIT Startup Recognition (2026 Notification): DPIIT's February 2026 notification extended recognition to 10 years for regular startups and 20 years for deep tech startups, increased turnover ceiling to Rs 200 crore (Rs 300 crore for deep tech), and introduced a 'Relaxations and Modifications' clause for emerging sectors.
    • Corporate Laws (Amendment) Bill 2026: Introduced in Lok Sabha on 24 March 2026. Proposes further compliance relaxations for smaller companies, CSR threshold revisions, decriminalisation of procedural offences, and alignment with ease of doing business objectives.

    Which Startups Must Conduct Internal Audit Under Section 138?

    The mandatory internal audit requirement depends on three factors: company type, financial thresholds in the preceding financial year, and any specific regulatory direction. Here is the complete applicability map for startups:

    • Listed startups (any stock exchange) - internal audit mandatory regardless of turnover or borrowings. If your startup has listed via SME platform or main board, Section 138 applies from Day 1
    • Unlisted public company startups - mandatory if ANY one of: (a) turnover Rs 200 crore+, (b) paid-up capital Rs 50 crore+, (c) borrowings from banks/PFIs Rs 100 crore+, (d) deposits Rs 25 crore+ in the preceding FY
    • Private company startups (most common for startups) - mandatory if: (a) turnover Rs 200 crore+, OR (b) borrowings from banks/PFIs Rs 100 crore+ in the preceding FY
    • OPC startups - Section 138 applies only if the company's articles specifically provide for it (Notification dated 04.01.2017)
    • LLP startups - Section 138 does not apply to LLPs. LLPs are governed by the LLP Act, 2008 which has no internal audit mandate

    For startups completing startup registration as Pvt Ltd companies with turnover below Rs 200 crore and borrowings below Rs 100 crore - internal audit is NOT mandatory under Section 138. However, statutory audit under Section 143 remains mandatory for all companies regardless of size.

    Legal Framework: Mandatory vs Voluntary Internal Audit for Startups

    Aspect | Mandatory Internal Audit (Section 138) | Voluntary Internal Audit | Statutory Audit (Section 143)
    When Required | Thresholds crossed: Rs 200 Cr turnover OR Rs 100 Cr borrowings (private companies) | Anytime - Board decision; no threshold required | Always - every company, every year, regardless of size
    Legal Basis | Section 138 + Rule 13 Companies (Accounts) Rules 2014 | Board resolution under general governance powers | Section 143 Companies Act 2013
    Who Conducts | CA, Cost Accountant, or Board-approved professional (NOT the statutory auditor) | Same qualifications; can also be internal employee | Practising Chartered Accountant or CA firm with CoP
    Scope | Functions and activities of the company - defined by Audit Committee/Board in consultation with auditor | Flexible - can focus on specific areas (revenue, expenses, internal controls, compliance) | Financial statements - true and fair view; also reports on IFC adequacy
    Reporting To | Board of Directors (via Audit Committee if applicable) | Board of Directors | Members (shareholders) at AGM + filed with ROC
    Penalty for Non-Compliance | Rs 10,000 + Rs 1,000/day (Section 450) | None - it is voluntary | Severe - financial statements cannot be filed without statutory audit
    Cost (Typical for Startup) | Rs 1-3 lakh/year depending on complexity | Rs 50,000-1,50,000/year for focused scope | Rs 15,000-50,000/year for early-stage startups

    The key distinction: most startups below Rs 200 crore turnover and Rs 100 crore borrowings are exempt from mandatory internal audit. But they are NEVER exempt from statutory audit - and the statutory auditor must report on the adequacy of internal financial controls under Section 143(3)(i). This creates an indirect pressure to maintain internal controls even when formal internal audit is not required.

    How to Determine If Your Startup Needs Internal Audit: Step-by-Step

    Step 1: Determine your company type. Pvt Ltd, Public, OPC, or LLP? LLPs are exempt. OPCs are exempt unless articles provide otherwise. For Pvt Ltd and Public companies, proceed to Step 2.
    Step 2: Check preceding FY financials against Rule 13 thresholds. For private companies: was turnover Rs 200 crore or more? OR were bank/PFI borrowings Rs 100 crore or more at ANY point during the preceding FY? If YES to either, internal audit is mandatory. If NO to both, Section 138 does not require it.
    Step 3: Check if you are a listed company. Even SME-listed startups must comply with Section 138 regardless of thresholds. If listed, internal audit is mandatory.
    Step 4: Check regulatory or sectoral requirements. NBFC startups, insurance companies, and banking entities have separate RBI/IRDAI/SEBI mandates for internal audit that override Companies Act thresholds. If your startup is in a regulated sector, check the sector-specific rules.
    Step 5: Assess voluntary audit value. Even if not mandatory, consider voluntary internal audit if: (a) you are raising Series A or above, (b) your turnover is growing rapidly and will cross Rs 200 crore within 2-3 years, (c) you handle sensitive data (fintech, healthtech) where control failures create regulatory and reputational risk, or (d) you have related-party transactions that need independent verification.
    Step 6: Appoint and scope the audit. If mandatory, appoint an internal auditor (CA, CMA, or Board-approved professional - NOT your statutory auditor per Section 144). Work with the Audit Committee or Board to define scope, periodicity (quarterly/half-yearly/annual), and reporting methodology per Rule 13(2). For managing ongoing compliance, startups maintaining private limited company compliance should integrate internal audit into their annual compliance calendar.

    Documents and Records Needed for Internal Audit

    • Books of accounts - general ledger, cash book, bank book, journal entries for the audit period
    • Bank statements and bank reconciliation statements - for cash flow verification and control testing
    • Revenue recognition workpapers - invoices, contracts, delivery confirmations, subscription records
    • Expense vouchers with supporting documents - vendor invoices, purchase orders, approval chains
    • Payroll records - salary register, TDS challans, PF/ESI submissions, employee contracts
    • Related-party transaction register - with Board approvals and arm's length pricing documentation
    • Fixed asset register with depreciation schedules - for asset verification and capital expenditure controls
    • GST returns (GSTR-1, GSTR-3B) - for revenue/input credit reconciliation with books
    • Previous statutory audit report and management letter - for prior-year observations and follow-up
    • Board minutes and committee minutes - for governance process verification and approval chain audit
    • IT systems access controls documentation - user access logs, password policies, data backup records (critical for SaaS/tech startups)
    • ESOP/ESOS records - grant letters, vesting schedules, exercise records (for perquisite and share capital verification)

    Internal Audit Costs: What Startups Should Budget

    Startup Stage | Typical Annual Turnover | Internal Audit Required? | Typical Cost if Conducted
    Pre-revenue / Seed | Below Rs 50 lakh | No (voluntary) | Rs 30,000-50,000 (focused control review)
    Early growth / Pre-Series A | Rs 50 lakh - Rs 10 crore | No (voluntary; recommended pre-funding) | Rs 50,000-1,00,000
    Series A-funded / Growth | Rs 10-100 crore | No (unless borrowings > Rs 100 Cr) | Rs 1,00,000-2,00,000
    Scaling / Pre-Series B | Rs 100-200 crore | Approaching threshold - prepare now | Rs 1,50,000-3,00,000
    Rs 200 crore+ turnover | Above Rs 200 crore | YES - mandatory under Section 138 | Rs 2,00,000-5,00,000+
    Any stage with borrowings > Rs 100 crore | Any turnover | YES - mandatory under Section 138 | Rs 1,50,000-3,00,000

    Note: Voluntary internal audit for a pre-Series A startup costs Rs 50,000-1,00,000 per year - a fraction of a single month's cloud infrastructure bill for most tech startups. The ROI is not in penalty avoidance (since it is not mandatory) but in investor confidence, cleaner financial statements, and early detection of process inefficiencies that waste cash.

    Common Mistakes Startups Make About Internal Audit

    Mistake 1: Confusing internal audit with statutory audit. Statutory audit (Section 143) is mandatory for ALL companies and examines financial statements. Internal audit (Section 138) evaluates operational processes, controls, and risk management - and is mandatory only above prescribed thresholds. Having a statutory auditor does not satisfy the internal audit requirement. A startup needs both if thresholds are crossed - and the statutory auditor CANNOT serve as the internal auditor per Section 144(b).

    Mistake 2: Not tracking borrowing thresholds. Many startups focus on the Rs 200 crore turnover threshold and ignore the Rs 100 crore borrowings threshold. Venture debt, term loans, working capital facilities, and even inter-corporate deposits from group companies count toward this limit. A startup with Rs 30 crore turnover but Rs 110 crore in aggregate borrowings from banks/PFIs must conduct an internal audit. Check borrowings at every quarter-end, not just year-end - the threshold is 'at any point during the preceding FY.' For startups maintaining private limited company compliance, this check should be automated.

    Mistake 3: Assuming DPIIT startup recognition exempts from internal audit. DPIIT recognition provides benefits like Section 80-IAC tax deduction, self-certification under certain labour laws, and simplified compliance under Startup India. But it does NOT exempt startups from Section 138 internal audit requirements if thresholds are crossed. The Companies Act requirements apply regardless of DPIIT status.

    Mistake 4: Delaying internal audit appointment after crossing thresholds. Once your preceding FY financials cross the threshold, you must appoint an internal auditor within 6 months of the start of the current FY. A startup that crosses Rs 200 crore turnover in FY 2025-26 must appoint the internal auditor by 30 September 2026. Missing this deadline triggers Section 450 penalties.

    Mistake 5: Treating voluntary internal audit as a one-time exercise before funding. Some startups conduct a quick internal review before a funding round and call it 'internal audit.' A meaningful internal audit is periodic (quarterly or half-yearly), covers multiple functional areas (revenue, expenses, payroll, IT controls, compliance), and produces actionable findings. A one-time snapshot before funding may satisfy due diligence questions but does not build the governance infrastructure that sustains post-funding compliance.

    Penalties for Non-Compliance with Section 138

    The Companies Act does not have a specific penalty section for Section 138 non-compliance. However, Section 450 (the general penalty provision) applies.

    Under Section 450, if a company or any officer in default fails to comply with any provision for which no specific penalty is prescribed, the company and every officer in default shall be punishable with a fine of up to Rs 10,000. If the non-compliance continues, an additional fine of Rs 1,000 per day applies for every day the default continues.

    This penalty is compoundable - meaning the company can approach the Regional Director (RD) or NCLT to settle the penalty without prosecution. However, compounding still requires payment of the penalty amount plus compounding fees.

    Beyond the direct penalty, non-compliance with Section 138 creates indirect consequences: the statutory auditor may issue a qualified opinion or emphasis of matter paragraph regarding inadequate internal controls, which weakens the company's financial statements in the eyes of lenders, investors, and regulators. For startups in regulated sectors (NBFC, fintech, insurance), failure to maintain adequate internal audit can trigger sectoral regulatory action.

    How Internal Audit Connects with Statutory Audit, Tax Audit, and Investor Readiness

    Internal audit, statutory audit, and tax audit serve different but interconnected purposes. The statutory auditor, when reporting under Section 143(3)(i), must state whether the company has adequate internal financial controls (IFC) with reference to financial statements. If no internal audit has been conducted and internal controls are weak, the statutory auditor may report IFC inadequacy - a serious red flag for investors and lenders.

    Tax audit under Section 44AB is triggered by turnover exceeding Rs 1 crore (Rs 10 crore with 95%+ digital receipts) or professional receipts exceeding Rs 50 lakh. Tax audit examines tax compliance - deductions claimed, income reported, TDS deposited. Internal audit goes broader - examining operational processes, governance, risk management, and compliance across all functions, not just tax. Many startups need tax audit (turnover Rs 1-10 crore range) long before they need internal audit (Rs 200 crore threshold). Having a tax audit without internal audit is common and legally compliant for most startups.

    For investor readiness, the three audits create a governance triad: statutory audit confirms financial accuracy, tax audit confirms tax compliance, and internal audit confirms operational control maturity. A startup presenting all three to a Series B+ investor demonstrates institutional-grade governance - the kind that justifies higher valuation multiples and cleaner term sheets.

    Mandatory vs Voluntary Internal Audit: Impact on Startups

    Criterion | Mandatory (Above Threshold) | Voluntary (Below Threshold)
    Legal requirement | Yes - Section 138 + Rule 13 | No - Board decision
    Penalty for non-compliance | Rs 10,000 + Rs 1,000/day (Section 450) | None
    Scope defined by | Audit Committee/Board in consultation with internal auditor (Rule 13(2)) | Board - flexible; can focus on specific risk areas
    Periodicity | As defined - typically quarterly or half-yearly | Flexible - annual or focused reviews before key events (funding, acquisition)
    Auditor independence | Cannot be statutory auditor (Section 144(b)) | Same best practice; can also use internal employees
    Investor perception | Expected compliance - not a differentiator | Governance signal - positive differentiator in due diligence
    Cost | Rs 1.5-5 lakh/year (higher complexity) | Rs 50,000-1.5 lakh/year (focused scope)
    ROI source | Penalty avoidance + control improvement | Investor confidence + process efficiency + early risk detection

    Key Takeaways

    Internal audit under Section 138 of the Companies Act, 2013 is mandatory for private company startups only when turnover exceeds Rs 200 crore or borrowings from banks/PFIs exceed Rs 100 crore in the preceding financial year. Most early-stage and growth-stage startups fall below these thresholds and are legally exempt.

    The Rs 100 crore borrowings threshold catches more startups than the Rs 200 crore turnover threshold - venture debt, term loans, and working capital facilities all count, and the threshold is checked at 'any point during the preceding FY,' not just year-end.

    DPIIT's February 2026 notification expanded startup recognition to 20 years for deep tech and raised the turnover ceiling to Rs 200 crore (Rs 300 crore for deep tech), but this does NOT exempt startups from Section 138 internal audit requirements if the Companies Act thresholds are crossed.

    Voluntary internal audit for pre-funding startups costs Rs 50,000-1,50,000 per year and serves as a governance signal that strengthens investor confidence, improves financial statement quality, and catches operational inefficiencies before they scale with the business.

    The penalty for non-compliance with Section 138 is Rs 10,000 plus Rs 1,000 per day of continuing default under Section 450 - modest in isolation but compounded by the reputational damage of qualified statutory audit opinions and investor due diligence failures.

    Need Help with Internal Audit for Your Startup?

    Whether your startup has crossed the Section 138 threshold or is considering voluntary internal audit for investor readiness, the scope, periodicity, and methodology must be tailored to your business model, funding stage, and risk profile.

    Explore our internal audit services for startup-focused internal audit - from control framework design and risk assessment to periodic audit execution and Board-ready reporting.

    For queries, reach out at +91 945 945 6700 or WhatsApp us directly.

    Frequently Asked Questions

    Have a look at the answers to the most asked questions.

    Is internal audit mandatory for all startups in India?
    No. Under Section 138 of the Companies Act, 2013 read with Rule 13, internal audit is mandatory for private companies only if turnover exceeds Rs 200 crore or borrowings from banks/PFIs exceed Rs 100 crore in the preceding financial year. Most early-stage startups fall below these thresholds. Listed startups must comply regardless of thresholds.
    What is the difference between internal audit and statutory audit for startups?
    Statutory audit (Section 143) is mandatory for every company and examines financial statements for accuracy and compliance. Internal audit (Section 138) evaluates operational processes, internal controls, and risk management, and is mandatory only above prescribed thresholds. Both are independent audits, but they serve different purposes and cannot be conducted by the same auditor.
    What are the 2026 changes that affect startup audit compliance?
    Three developments: (1) DPIIT's February 2026 notification expanded startup recognition to 20 years for deep tech and raised turnover ceilings, (2) The Corporate Laws (Amendment) Bill 2026 proposes further compliance relaxations including CSR threshold revisions and penalty decriminalisation, (3) The Income Tax Act, 2025 (effective FY 2026-27) restructures tax audit reporting forms but does not change internal audit requirements.
    Is internal audit required for a startup under the Companies Act?
    Only when turnover in the preceding FY is more than Rs 200 crore or borrowings from banks/PFIs are more than Rs 100 crore. Most early-stage startups are below this threshold and do not need an internal audit under Section 138. But statutory audit is mandatory for every company, whatever the turnover.
    Should a startup get a voluntary internal audit done or not?
    Yes, if you are raising funding, definitely get one done. Investors look at governance maturity during due diligence. Get a focused internal audit done for Rs 50,000-1,00,000; it will also improve the quality of your statutory audit and raise investor confidence. At the pre-Series A stage this is a strong governance signal.
    Who can be appointed as internal auditor for a startup?
    Under Section 138, the internal auditor can be a Chartered Accountant, Cost Accountant, or any other qualified professional approved by the Board. The auditor can be an employee of the company or an external professional. However, the statutory auditor of the company cannot serve as the internal auditor - Section 144(b) prohibits this dual role.
    What is the penalty for not conducting mandatory internal audit?
    Section 450 of the Companies Act applies - fine of up to Rs 10,000, with an additional Rs 1,000 per day for continuing default. The offence is compoundable. Beyond direct penalties, non-compliance may result in a qualified statutory audit opinion on internal financial controls, which impacts investor and lender confidence.
    Does DPIIT startup recognition exempt from internal audit?
    No. DPIIT recognition provides tax benefits (Section 80-IAC), self-certification under certain labour laws, and simplified compliance under Startup India. But it does not exempt startups from Section 138 internal audit requirements under the Companies Act. If the financial thresholds are crossed, internal audit is mandatory regardless of DPIIT status.
    How often should a startup conduct internal audit?
    For mandatory internal audit, the Audit Committee or Board determines the periodicity in consultation with the internal auditor - typically quarterly or half-yearly for large companies. For voluntary internal audit in startups, annual frequency is common, with focused reviews before key events (funding rounds, board meetings, regulatory filings). Quarterly reviews are recommended once turnover exceeds Rs 50 crore.
    Can our statutory auditor also do the internal audit?
    No. Section 144(b) of the Companies Act, 2013 explicitly prohibits the statutory auditor (or any partner/firm associated with the statutory auditor) from providing internal audit services to the same company. This independence requirement ensures objectivity in both audit functions.