About Internal Audit
Internal audit risk-based audit Section 138 Companies Act process and control review compliance audit. Forms handled: Internal Audit Report, Section 138, Risk Matrix. Legal basis: Section 138 Companies Act and SA 610.
Plain-English glossary for this service
Form Internal Audit Report is the statutory form prescribed for internal audit engagements under the applicable Act. It carries the information set required by the prescribed authority and follows the timeline set by the relevant section or rule.
board-level reporting is a recurring compliance risk in internal audit engagements. Identifying it early in the workflow lets the practitioner mitigate the exposure before it ripens into an adverse statutory consequence.
Form Section 138 is the statutory form prescribed for internal audit engagements under the applicable Act. It carries the information set required by the prescribed authority and follows the timeline set by the relevant section or rule.
control gap reporting is a recurring compliance risk in internal audit engagements. Identifying it early in the workflow lets the practitioner mitigate the exposure before it ripens into an adverse statutory consequence.
Form Risk Matrix is the statutory form prescribed for internal audit engagements under the applicable Act. It carries the information set required by the prescribed authority and follows the timeline set by the relevant section or rule.
Companies Section 138 is the operative provision of the Companies Act that governs internal audit in the present context. It sets the substantive obligation, the procedural pathway and the consequences of non-compliance.
materiality threshold is a recurring compliance risk in internal audit engagements. Identifying it early in the workflow lets the practitioner mitigate the exposure before it ripens into an adverse statutory consequence.
Operative provisions cited on this page
Every claim on this page can be traced back to a section or rule below.
Section 138 requires prescribed classes of companies to appoint an internal auditor to conduct a periodic internal audit of the functions and activities of the company. The internal auditor may be a chartered accountant, a cost accountant, or such other professional as the Board decides, and may be an individual, a partnership firm or a body corporate. The auditor need not be an employee of the company. The Central Government prescribes the manner and intervals of the audit through rules made under sub-section (2). This is the operative provision that distinguishes internal audit from the statutory audit under Section 143 and the tax audit under Section 44AB of the Income-tax Act 1961.
View sourceRule 13 sets out which companies must appoint an internal auditor. Every listed company is covered. An unlisted public company is covered if it had paid-up share capital of fifty crore rupees or more, or turnover of two hundred crore rupees or more, or outstanding loans or borrowings from banks or public financial institutions of one hundred crore rupees or more, or outstanding deposits of twenty-five crore rupees or more, during the preceding financial year. A private company is covered if turnover was two hundred crore rupees or more, or outstanding loans or borrowings from banks or public financial institutions were one hundred crore rupees or more. Under sub-rule (2) the Board, in consultation with the internal auditor and the audit committee, formulates the scope, functioning, periodicity and methodology.
View sourceSection 177 governs the Audit Committee, which prescribed companies must constitute. The committee's terms of reference expressly include evaluation of internal financial controls and risk management systems and reviewing the adequacy of the internal audit function, including the structure of the internal audit department, staffing and seniority of the official heading it, reporting structure, coverage and frequency of internal audit. The committee also discusses with internal auditors any significant findings and follow-up. Where no audit committee exists, the Board discharges this oversight. This is why the internal audit report is directed to the audit committee or Board rather than filed with the Registrar.
View sourceThe Companies (Auditor's Report) Order 2020 requires the statutory auditor to state whether the company has an internal audit system commensurate with the size and nature of its business, and whether the reports of the internal auditors for the period under audit were considered by the statutory auditor. An adverse or qualified comment here signals to lenders, investors and regulators that internal controls are weak. This clause is a practical driver for maintaining a documented, functioning internal audit even where the strict Rule 13 thresholds are borderline, because the statutory auditor must form and disclose a view.
View sourceThe Institute of Chartered Accountants of India has issued the Framework Governing Internal Audits together with a series of Standards on Internal Audit (SIA) that guide the planning, evidence gathering, documentation, supervision and reporting of an internal audit assignment. These standards promote a risk-based internal audit approach, define the nature of assurance provided, and address internal controls, fraud consideration and communication with those charged with governance. While the SIAs are recommendatory for members, they represent the accepted professional benchmark and are frequently referenced when the Board or audit committee assesses the quality and independence of the internal audit function.
View sourceSection 143(3)(i) requires the statutory auditor to report on whether the company has an adequate internal financial controls system with reference to financial statements and its operating effectiveness. Although this is a statutory-audit reporting obligation, a robust internal audit function is the primary way management builds and tests those controls during the year. Internal audit findings on control design and operating effectiveness feed directly into management's own assessment and reduce the risk of a modified opinion. This connection explains why internal audit scope commonly maps to the internal financial controls over financial reporting framework.
View sourceIn the case of a listed company, Section 134(5)(e) requires the directors' responsibility statement in the Board's report to confirm that the directors had laid down internal financial controls to be followed by the company and that such controls are adequate and operating effectively. Internal audit provides the ongoing, independent evidence that lets directors make this representation with confidence. A weak or absent internal audit function leaves the Board exposed when it signs this statement, tying the internal audit engagement directly to directors' accountability.
View sourceSection 450 is the residuary penalty provision. Where a company or officer contravenes a provision of the Act, or a rule made under it, for which no specific penalty is separately provided, the company and every officer in default are liable to a penalty of ten thousand rupees, and in the case of a continuing contravention a further penalty of one thousand rupees for each day the contravention continues, subject to a maximum of two lakh rupees for a company and fifty thousand rupees for an officer. Because Section 138 and Rule 13 do not carry a bespoke penalty, failure to appoint an internal auditor when required is enforced through Section 450.
View sourceForms used in this engagement
Records the Board's decision to appoint a chartered accountant, cost accountant or other professional as internal auditor and fixes the terms of engagement. Unlike the statutory auditor, appointment of an internal auditor is not filed with the Registrar in Form ADT-1; it is a Board minute kept in the company's records.
Where a Board resolution relating to the appointment or terms of an internal auditor falls within the matters requiring filing under Section 179(3) and the Companies (Meetings and Powers of Board) Rules 2014, it is filed in Form MGT-14. Private companies are exempt from filing many Section 179(3) resolutions, so this applies selectively.
Sets out the purpose, authority, independence, scope, reporting line and periodicity of the internal audit function, agreed between the Board, audit committee and internal auditor. It operationalises Rule 13(2) and aligns the engagement with the ICAI Framework Governing Internal Audits.
Documents the risk assessment, auditable units, coverage and calendar for the year so that higher-risk processes receive priority. Prepared under the Standards on Internal Audit dealing with planning, it forms the basis on which the audit committee monitors coverage and frequency.
Communicates observations, root causes, risk ratings and recommendations to the audit committee or Board. Prepared in line with the Standards on Internal Audit dealing with reporting, it drives management action-taken reports and feeds the internal financial controls assessment.
Evidence that the audit committee reviewed the adequacy of the internal audit function, discussed significant findings with the internal auditor and monitored follow-up, as required by Section 177. These minutes support the directors' responsibility statement and the statutory auditor's CARO reporting.
Compliance deadlines that matter
Miss any of these and the next consequence kicks in automatically.
Internal vs Statutory
Three named tax practitioners — not a faceless outsourcer
B.Com, CA Inter, GST Practitioner. 15+ years and 500+ Chennai engagements. Leads the notice-reply and CMA project-report practice.
B.Com. 15+ years in statutory and ROC compliance, partnership-firm matters, and audit-support engagements.
B.Com, M.Com. 5+ years on monthly GST returns, GSTR-2B reconciliation, and ASMT-10 first-touch responses.