Internal Audit in India — Strengthen Your Business Controls

While the statutory audit is about compliance — verifying that financial statements are correct — the Internal Audit is about improvement. It is an independent, systematic evaluation of a business's operations, internal controls, risk management processes, and governance framework — with the goal of identifying weaknesses and recommending improvements before they lead to losses, fraud, or compliance failures. For growing businesses in India, a robust internal audit function is one of the most powerful tools for operational excellence. This guide explains internal audit comprehensively.

1. What is an Internal Audit?

Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal controls, and governance processes.

Unlike the statutory audit (which is external and mandatory), the internal audit can be conducted by an internal team or outsourced to a CA firm. It is not a legal requirement for all businesses — but it is mandatory for certain categories under the Companies Act (listed companies, certain public companies, and companies above specified turnover/loan thresholds must appoint an Internal Auditor).

2. Who is Required to Have an Internal Audit?

Section 138 of the Companies Act and the Internal Audit Rules make internal audit mandatory for:

• Listed companies — all listed companies on any stock exchange
• Unlisted Public Companies with: paid-up capital ≥ ₹50 crore, or turnover ≥ ₹200 crore, or outstanding loans/borrowings ≥ ₹100 crore, or outstanding deposits ≥ ₹25 crore
• Private Limited Companies with: turnover ≥ ₹200 crore, or outstanding loans/borrowings ≥ ₹100 crore

Even for businesses below these thresholds, engaging a CA firm for periodic internal audits is considered a best practice — especially for businesses with multiple locations, large cash transactions, high inventory, or rapid growth.

3. Scope of Internal Audit — What Areas Are Covered

Financial Controls Audit:

• Verification of accounting entries, approvals, and authorisations
• Bank reconciliation and cash management controls
• Payment process controls — duplicate payment checks, unauthorised payments
• Revenue recognition and billing accuracy

Procurement and Purchase Audit:

• Purchase order process — whether proper approvals exist before purchases
• Vendor selection and pricing controls
• GRN (Goods Receipt Note) process — whether goods received match purchase orders
• Vendor payment terms compliance

Inventory and Stock Audit:

• Physical stock count vs system records
• Slow-moving, obsolete, or damaged stock identification
• Stock movement controls — inward, outward, inter-branch transfers
• Valuation methodology compliance

Payroll and HR Audit:

• Ghost employee detection — payroll vs actual employee verification
• Salary computation accuracy — overtime, allowances, deductions
• PF, ESI, TDS deduction and deposit compliance
• Leave and attendance management controls

Sales and Collection Audit:

• Sales invoice accuracy and completeness
• Credit approval process — whether credit limits and terms are followed
• Collection process — receipts matched to invoices, bank deposits verified
• Discount and credit note authorization controls

IT and System Controls:

• Access controls — who can post, approve, and delete entries in accounting software
• Data backup and recovery procedures
• System audit trails — can all transactions be traced?

4. The Internal Audit Process

• Planning: Understand the business, identify risk areas, define audit scope, prepare audit programme.
• Fieldwork: Collect documents, test controls, perform sample verification, interview key personnel.
• Finding Identification: Document control weaknesses, process gaps, and deviations from policy.
• Draft Report: Prepare detailed findings with root cause analysis and practical recommendations.
• Management Response: Share draft report with management — they provide their response and action plan for each finding.
• Final Report: Issued to management/audit committee — each finding rated by risk level (high/medium/low) and corrective action timeline agreed.
• Follow-Up: In the next audit cycle, verify whether previous findings have been remediated.

5. Benefits of a Strong Internal Audit Function

• Fraud Prevention: Robust controls and periodic audits deter fraud and detect it early — protecting business assets.
• Operational Efficiency: Identifies bottlenecks, redundant processes, and control gaps — recommendations improve efficiency.
• Compliance Assurance: Ensures GST, TDS, labour law, and other statutory compliance is being maintained consistently.
• Shareholder/Investor Confidence: Investors and banks view businesses with strong internal audit processes as lower-risk.
• Statutory Audit Facilitation: Clean internal controls make the statutory audit faster and cheaper — fewer queries, less sampling.
• Board Governance: Audit Committee of the Board receives internal audit reports — enabling informed governance.