
Internal Audit Services in Mumbai: CA-Managed Risk-Based Audit Under Section 138 of Companies Act 2013

Reviewed by CA and CS Team, Patron Accounting LLP | ICAI & ICSI Registered | 15+ Years Experience

Applicability: Listed companies (mandatory). Unlisted public: turnover Rs 200 Cr+ / capital Rs 50 Cr+ / loans Rs 100 Cr+ / deposits Rs 25 Cr+. Private: turnover Rs 200 Cr+ / loans Rs 100 Cr+.

Framework: COSO-based risk assessment. ICAI Standards on Internal Audit. IFC design and reporting.

Deliverables: Internal audit plan, risk register, process walkthroughs, control testing, audit reports to Audit Committee/Board

Timeline: Scope finalisation in 1-2 weeks | Quarterly/periodic audit cycles

10,000+ Businesses Served | 4.9 Google Rating | 50,000+ Docs Filed | 15+ Years

15+ Years Industry Experience | CA & CS Certified Experts | 4.9 (based on 500+ reviews)


Real Stories from Real People

Hear how teams across industries use Patron to save time, cut costs, & stay in control.

"Outstanding experience with Patron Accounting. Professionalism and attention to detail made the compliance process seamless." - Subhendu Mishra, Business Owner (★★★★★)

"Glad I connected with Patron. Professional team that understands complex compliance requirements thoroughly." - Rajib Dutta, Entrepreneur (★★★★★)

"Fantastic experience. Knowledgeable team, smooth handling of all documentation and audit processes." - Nishikant Gurav, Business Owner (★★★★★)

"Best service for all account handling and compliance. Extremely happy with dedicated point of contact assigned." - Nikhil Nimbhorkar, Company Director (★★★★★)

"Excellent service for company registration and compliance. Very responsive team handling everything end to end." - Sunny Ashpal, Director - Demandify Media (★★★★★)

Join 10,000+ Satisfied Businesses

Patron has helped 10,000+ businesses with audit, compliance, and governance services. Mumbai companies trust us for end-to-end internal audit under Section 138.

  • 10,000+ Businesses Served: GST compliance and litigation support across India.
  • 15+ Years Experience: Deep expertise in IP registration, GST & business compliance.
  • 50,000+ Documents Filed: Returns, appeals, and filings handled accurately.
  • 4.9★ Client Rating: Trusted by entrepreneurs, startups, and growing businesses.
  • ISO Certified: Professional standards and documented processes.
  • SSL Secure: Your financial and business data is fully protected.

Internal Audit Services in Mumbai - Overview

📌 TL;DR - Internal Audit Services in Mumbai at a Glance

Internal audit is an independent, objective assurance and advisory function that evaluates and improves the effectiveness of an organisation's risk management, internal controls, and governance processes. Under Section 138 of the Companies Act 2013, read with Rule 13, certain classes of companies are mandated to appoint an internal auditor. Mumbai is India's corporate and financial services capital, housing SEBI (BKC), RBI (Fort), BSE (Dalal Street), NSE (BKC), and one of the highest concentrations of listed companies, MNC subsidiaries, NBFCs, and large unlisted companies in the country.

Mumbai hosts India's highest density of companies requiring mandatory internal audit. The city's listed company universe (BSE lists 5,000+ companies, NSE 2,000+) creates enormous demand. Beyond listed companies, Mumbai's financial services sector - banks, NBFCs, insurance companies - has sector-specific internal audit requirements from RBI and SEBI headquartered in the city. Learn more about Internal Audit Services across India.

MNC subsidiaries report to foreign holding companies under global frameworks including COSO, SOX, and UK SOX equivalents. Manufacturing companies at Andheri MIDC need inventory and cost control audits. Technology companies at BKC and Powai require IT general controls and data privacy audits. Patron Accounting's Marine Lines office - co-located with RoC Mumbai at Everest House - provides the geographical and regulatory proximity that Mumbai's internal audit landscape demands. Consider bundling with Statutory Audit and Accounting Services for complete assurance coverage.

Content is reviewed quarterly for accuracy.

What Is Internal Audit?

Internal audit is a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes within an organisation. Unlike statutory audit (which provides an opinion on financial statements to shareholders), internal audit serves the management, the Audit Committee, and the Board by identifying operational inefficiencies, control weaknesses, compliance gaps, and fraud risks - and recommending improvements.

Under Section 138 of the Companies Act 2013, the internal auditor is appointed by the Board to conduct an internal audit of the functions and activities of the company. The Audit Committee (Section 177) or the Board formulates the scope, functioning, periodicity, and methodology in consultation with the internal auditor. The internal audit report is presented to the Audit Committee, which then reports to the Board.

Modern internal audit goes beyond transaction checking. A risk-based approach - aligned with the COSO Internal Control Integrated Framework - prioritises audit effort on the areas of highest risk. For Mumbai companies, this means focusing on revenue recognition integrity for media companies, loan portfolio quality for NBFCs, inventory valuation for manufacturers, data security for tech firms, and regulatory compliance across all regulated industries. The ICAI Standards on Internal Audit (SIA) provide the professional framework.

Key Terms for Internal Audit Services in Mumbai:

Section 138: Companies Act 2013 provision mandating internal audit for prescribed classes of companies.

COSO Framework: Committee of Sponsoring Organizations Internal Control Integrated Framework.

IFC: Internal Financial Controls that the statutory auditor must report on under Section 143(3)(i).

Audit Committee: Board committee under Section 177 that formulates scope and reviews findings.

SEBI LODR: Listing Obligations and Disclosure Requirements for listed companies.

Section 144(b): Statutory auditor cannot serve as internal auditor of the same company.


Who Needs Internal Audit in Mumbai?

Listed Companies (BSE/NSE - Dalal Street, BKC): Every company listed on BSE or NSE must appoint an internal auditor under Section 138 - no threshold required. Mumbai hosts both exchanges and the largest concentration of listed company offices. Listed companies also face SEBI LODR requirements for internal financial controls reporting.

Unlisted Public Companies Meeting Thresholds: Unlisted public companies must appoint an internal auditor if they meet any threshold: turnover Rs 200 crore+, paid-up share capital Rs 50 crore+, outstanding loans/borrowings exceeding Rs 100 crore, or deposits Rs 25 crore+. Mumbai's large unlisted public companies in financial services, infrastructure, and real estate frequently cross these thresholds.

Private Companies Meeting Thresholds: Private companies with turnover Rs 200 crore+ or outstanding loans/borrowings exceeding Rs 100 crore. Mumbai's private company ecosystem - fintech, D2C brands, IT services, manufacturing - includes many companies that cross these thresholds during growth phases.

NBFCs and Financial Services (BKC, Nariman Point, Fort): RBI-regulated NBFCs have internal audit requirements under RBI Master Directions beyond the Companies Act mandate. With RBI headquartered at Fort, Mumbai NBFCs face the most direct regulatory supervision.

MNC Subsidiaries: Foreign holding companies require Indian subsidiaries in Mumbai to maintain internal audit aligned with COSO, SOX (US-listed parents), J-SOX (Japanese), and UK SOX equivalents.

Manufacturing (Andheri MIDC, Thane-Belapur) and Technology (BKC, Powai): Sector-specific audit needs covering inventory controls, IT general controls, data privacy, and cybersecurity. Even pre-threshold startups benefit from voluntary audit before investor due diligence. Consider Private Limited Company Registration with built-in governance framework.

Internal Audit Services Included by Patron in Mumbai

Service | What We Do
Risk-Based Internal Audit (COSO Framework) | Audit programme using COSO Internal Control Framework across five components. Sector-specific for BFSI, manufacturing, technology companies
Internal Financial Controls (IFC) Design and Testing | IFC framework design, control matrices, walkthroughs, operating effectiveness testing for clean statutory audit opinions under Section 143(3)(i)
Audit Committee and Board Reporting | Comprehensive reports with executive summaries, detailed findings, risk ratings, management responses, action timelines, and trend analysis
Process Walkthroughs and Documentation | End-to-end walkthroughs for procure-to-pay, order-to-cash, hire-to-retire, record-to-report, and IT general controls
Fraud Risk Assessment | Data analytics to identify anomalies in transactions, vendor payments, expense claims, and revenue entries
Compliance Audit | Companies Act, SEBI LODR, RBI directions, FEMA, GST, income tax, labour laws, and industry-specific regulations
SOX Compliance (MNC Subsidiaries) | Sarbanes-Oxley Section 404 ICFR design, testing, walkthroughs, and management testing for US-listed parent companies
Concurrent Audit (NBFC/Bank) | Real-time transaction verification for banking operations, treasury functions, and lending processes with daily/weekly reporting

Our Process

Internal Audit Process in Mumbai

Patron manages the complete internal audit lifecycle for Mumbai companies - from engagement and risk assessment to Audit Committee reporting and follow-up.

Step 1

Engagement and Scope Definition

Board or Audit Committee appoints Patron and formulates the scope, functioning, periodicity, and methodology. Engagement letter covers audit universe, risk assessment methodology, reporting frequency, team structure, and timelines. For listed companies, scope aligns with SEBI LODR. For NBFCs, with RBI Master Directions.

Step 2

Risk Assessment and Audit Planning

Entity-level risk assessment using COSO framework mapping operational, financial, compliance, and strategic risks. Risk register prepared. Annual internal audit plan approved by Audit Committee prioritising high-risk areas.

Step 3

Process Walkthroughs and Control Documentation

Detailed process walkthroughs with process owners for each audit area. Key controls identified and documented in risk-control matrices. Control design evaluated for adequacy. Design gaps flagged immediately.

Step 4

Control Testing and Fieldwork

Test operating effectiveness through inquiry, observation, inspection, and re-performance. Sample sizes based on risk rating and control frequency. Data analytics for high-volume transaction testing across AP, AR, payroll, and expenses.

Step 5

Findings and Reporting to Audit Committee

Findings documented with condition, criteria, cause, effect, recommendation. Each finding risk-rated (critical/high/medium/low). Management responses obtained. Comprehensive reports presented to Audit Committee with trend analysis.

Step 6

Follow-Up and Continuous Improvement

Subsequent audit cycles follow up on all prior findings to verify corrective actions. Open findings tracked and escalated. Audit programme continuously refined based on changes in risk profile, business environment, and regulatory landscape.


Documents and Information Required for Internal Audit

  • Company incorporation documents, MOA/AOA, Board resolution appointing internal auditor
  • Organisation chart and process flow documentation
  • Previous internal audit reports (if any) and management action status
  • Financial statements (current and prior year), trial balance, general ledger access
  • Chart of accounts and accounting policies
  • Bank statements and reconciliations
  • Fixed asset register
  • Accounts payable and receivable ageing reports
  • Inventory records and valuation documents
  • Payroll registers and employee master data
  • Procurement records, vendor master, purchase orders, GRN reports
  • Revenue records, contracts, invoicing data
  • Compliance register (applicable laws and regulations)
  • IT infrastructure documentation and access control logs
  • Previous statutory audit observations and management letter
  • Audit Committee meeting minutes (prior meetings)

Mumbai-specific tip: Mumbai companies subject to multiple regulators (Companies Act + SEBI + RBI + FEMA) should consolidate their compliance universe before the internal audit engagement begins. Patron maps all applicable regulatory requirements into a single compliance matrix, ensuring the internal audit covers the full regulatory landscape.

Common Internal Audit Challenges in Mumbai

Challenge | Impact | How Patron Accounting Solves It
Multi-Regulatory Complexity | Overlapping requirements from Companies Act, SEBI LODR, RBI, FEMA, GST, income tax, and industry regulators | Integrated audit programmes covering the complete regulatory universe for Mumbai entities
IFC Documentation Gaps | Controls work in practice but aren't formally documented in risk-control matrices or flowcharts for Section 143(3)(i) | Formalise IFC framework - document every key control, test it, ensure audit-ready before statutory audit
Management Resistance | Process owners view audit as adversarial rather than advisory | Position as value-addition. Root cause analysis helps understand systemic issues
IT Controls and Cybersecurity | Traditional programmes lack IT general controls and application controls coverage | Integrate IT audit modules covering access management, change management, backup, and data security
High-Volume Transaction Testing | Millions of transactions in BFSI, trading, e-commerce - manual sampling insufficient | Data analytics and CAAT tools to test entire populations for anomalies and exceptions

Internal Audit Service Fees in Mumbai

Fee Component | Amount
Patron Accounting Professional Fees (Internal Audit) | Starting from INR 9,999 (Excl. GST and Govt. Charges)
Private Co (single location, turnover up to Rs 50 Cr) | From Rs 1,50,000/year (quarterly audit, key processes, IFC)
Unlisted Public / Private (turnover Rs 50-500 Cr) | From Rs 3,00,000/year (quarterly + process walkthroughs + compliance)
Listed Company / NBFC | From Rs 5,00,000+/year (risk-based + IFC + compliance + Audit Committee reporting)
MNC Subsidiary (SOX/global framework) | Custom (based on SOX scope, COSO, ICFR testing, global reporting)
Concurrent Audit (NBFC/Bank) | From Rs 2,00,000+ per branch/quarter

All fees and charges listed are indicative only and do not constitute a binding offer. Final amounts may vary depending on the volume of work and the complexity involved.

Professional service charges for drafting, filing, and representation are separate from the statutory fees. The exact fee depends on the complexity of the case, disputed amount, and number of hearings required. Contact us for a detailed quote.

Get a free Internal Audit Services in Mumbai consultation - Call +91 945 945 6700 or WhatsApp us. No-obligation assessment.

Internal Audit Engagement Timeline

Stage | Estimated Timeline
Scoping and Engagement | 1-2 weeks
Risk Assessment and Audit Planning | 2-3 weeks
Q1 Audit Cycle (Fieldwork + Reporting) | 3-4 weeks
Q2-Q4 Audit Cycles | 3-4 weeks each
Annual Summary Report | 2 weeks (post-Q4)

Note: Internal audit is a continuous engagement, not a one-time event. Patron provides quarterly audit reports and is available year-round for ad-hoc reviews, special investigations, and management advisory. The Audit Committee reviews findings at each scheduled meeting.

Key Benefits

Why Choose Patron for Internal Audit in Mumbai

Co-Located with RoC Mumbai

Marine Lines office is at the same location as RoC Mumbai (Everest House). Company compliance filings related to audit observations handled immediately. Walking distance to BSE/RBI at Fort and SEBI at BKC.

Sector-Specific Audit Expertise

Industry-specific programmes - credit risk for NBFCs, inventory controls for manufacturers, revenue recognition for media, IT general controls for tech firms, project cost controls for real estate developers.

Central to All Mumbai Regulators

Easy reach of SEBI at BKC, RBI at Fort, BSE at Dalal Street, NSE at BKC, and ICAI at BKC. Faster resolution of audit-related compliance matters.

End-to-End Governance Support

Beyond internal audit: Audit Committee secretarial support, IFC framework design, ERM implementation, statutory audit coordination, tax compliance, and regulatory filings - all from one CA firm.

Trusted by Companies Across Mumbai


"Patron handled our Pvt Ltd registration end-to-end. Zero paperwork hassle for our founding team." - Startup Founder, Pune

Trusted by Hyundai, Asian Paints, Bridgestone and businesses across India.

Internal Audit vs Statutory Audit

Factor | Internal Audit | Statutory Audit
Purpose | Evaluate and improve risk management, controls, and governance | Express opinion on financial statements (true and fair view)
Reports To | Audit Committee / Board / Management | Shareholders (through AGM)
Appointed By | Board of Directors | Shareholders at AGM
Governing Section | Section 138 + Rule 13 | Sections 139-147
Scope | All functions - operational, financial, compliance, IT | Financial statements and IFC reporting
Frequency | Continuous / Quarterly / Periodic | Annual
Same Person? | No - statutory auditor cannot be internal auditor (Section 144(b)) | No - internal auditor cannot be statutory auditor


Legal and Compliance Framework for Internal Audit in Mumbai

Governing Provisions:

  • Companies Act, 2013 - Section 138 (internal audit mandate), Section 143(3)(i) (IFC reporting), Section 144(b) (statutory auditor cannot be internal auditor), Section 177 (Audit Committee), Section 450 (penalty)
  • Companies (Accounts) Rules, 2014 - Rule 13 (thresholds for mandatory internal audit)
  • SEBI LODR - Regulations 17, 18, 22 for listed companies
  • RBI Master Direction on Internal Audit for NBFCs and Banks
  • COSO Internal Control Integrated Framework
  • ICAI Standards on Internal Audit (SIA)

Key Compliance:

  • Appoint internal auditor by Board resolution. Audit Committee to formulate scope
  • Internal audit report to Audit Committee at each meeting (quarterly for listed companies)
  • Board report to disclose IFC adequacy (Section 134(5)(e))
  • Non-compliance penalty: Section 450 - up to Rs 10,000 + Rs 1,000/day continuing default

FAQs - Internal Audit Services in Mumbai

Find answers to common questions about internal audit in Mumbai under the Companies Act 2013.

Quick Answers

When is internal audit mandatory in Mumbai? It is mandatory for every listed company. Unlisted public: turnover Rs 200 Cr+ or capital Rs 50 Cr+ or loans Rs 100 Cr+ or deposits Rs 25 Cr+. Private: turnover Rs 200 Cr+ or loans Rs 100 Cr+. Section 138, Companies Act 2013.

Who can be an internal auditor? A CA (ICAI), a Cost Accountant (ICMAI), or any professional as decided by the Board. The statutory auditor cannot be the internal auditor (Section 144(b)).

What is the difference between internal audit and statutory audit? Internal audit is for management - it checks controls, risk, and governance. Statutory audit is for shareholders - it gives an opinion on the financial statements. The two are carried out by different people.

Don't Operate Without Mandated Internal Audit in Mumbai

Mumbai companies operating without a mandated internal audit face compounding risks - Section 450 penalty (up to Rs 10,000 + Rs 1,000/day), SEBI scrutiny for listed companies, RBI action for NBFCs, adverse statutory auditor observations on IFC, weakened investor confidence, and exposure to operational and fraud risks. The COSO framework and ICAI Standards provide the methodology. The Audit Committee expects structured, risk-based reporting. Every quarter without internal audit is a quarter of unidentified risk.

Patron's Marine Lines office is ready to deploy - Call +91 945 945 6700 or WhatsApp us.

Get CA-Managed Internal Audit in Mumbai with Patron Accounting

Internal audit in Mumbai operates at the intersection of India's most demanding corporate governance environment. The city houses SEBI at BKC, RBI at Fort, BSE at Dalal Street, NSE at BKC, and RoC Mumbai at Everest House, Marine Lines - creating a regulatory density that requires every qualifying company to maintain robust internal controls and a structured internal audit function under Section 138.

Patron Accounting's Marine Lines office - co-located with RoC Mumbai and central to SEBI, RBI, BSE, and NSE - provides CA-managed internal audit covering COSO-based risk assessment, IFC design and testing, Audit Committee reporting, fraud risk assessment, compliance audit, SOX compliance for MNC subsidiaries, and sector-specific audit programmes for Mumbai's listed companies, financial services firms, manufacturers, technology companies, and growth-stage startups.

Book a Free Consultation - No Obligation.

Internal Audit Services Across India

Patron Accounting provides internal audit services in 8 major cities.

Content Created: 13 March 2026  |  Next Review: 13 September 2026  |  Reviewed By: CA & CS Team, Patron Accounting LLP

This page is reviewed every 6 months (Freshness Tier 2) to incorporate ICAI standards updates, Companies Act amendments, SEBI/RBI circulars, and internal audit methodology developments. Content accuracy is verified by CA & CS Team, Patron Accounting LLP.
