Internal Audit

An independent assessment function within an organization that evaluates and improves the effectiveness of risk management, controls, and governance.

Definition

Internal audit is an independent, objective assurance and consulting activity within an organization, designed to add value and improve operations by helping the organization accomplish its objectives through a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Under Section 138 of the Companies Act, 2013, internal audit is mandatory for: listed companies, unlisted public companies with paid-up capital above Rs 50 crore or turnover above Rs 200 crore or outstanding loans or borrowings above Rs 100 crore, and private companies with turnover above Rs 200 crore or outstanding loans or borrowings above Rs 100 crore. The internal auditor can be a Chartered Accountant (whether in practice or not), a Cost Accountant, or any other professional as decided by the Board, subject to such person being independent of management.

The scope and methodology of internal audit in India have evolved significantly from the traditional compliance-based approach to a risk-based internal audit (RBIA) model recommended by the Institute of Chartered Accountants of India (ICAI) and the Institute of Internal Auditors (IIA). Under RBIA, the internal audit plan is based on a systematic assessment of organizational risks (strategic, operational, financial, compliance, and IT risks), prioritizing high-risk areas for deeper examination. Internal auditors evaluate the design and operating effectiveness of internal controls, test financial transactions for accuracy and authorization, assess compliance with policies and regulations, detect fraud indicators, and provide actionable recommendations to management and the Board's Audit Committee. The Audit Committee of the Board is responsible for overseeing the internal audit function, approving the internal audit plan, reviewing reports, and ensuring management action on findings.

For financial sector entities (banks, NBFCs, insurance companies, and stock brokers), internal audit standards are issued by their respective regulators (RBI, IRDAI, SEBI) and are significantly more prescriptive than those for general companies. RBI requires banks to implement Risk-Based Internal Audit (RBIA) and has specified detailed guidelines on audit frequency by risk category, audit staffing, reporting lines, and follow-up of audit findings. Technology audits have become a critical component of internal audit programs given the increasing dependence on IT systems and the risks of cybersecurity breaches, data privacy violations, and application control failures. Companies using ERP systems, cloud platforms, and automation tools must include IT General Controls (ITGC) and Application Controls in their internal audit scope.

Key Points

  • Section 138 of the Companies Act mandates internal audit for listed companies and unlisted companies above specified thresholds of paid-up capital, turnover, or borrowings.
  • The internal auditor reports to the Audit Committee of the Board, providing independence from management and ensuring unfiltered reporting of control deficiencies.
  • Risk-Based Internal Audit (RBIA) prioritizes high-risk areas using a systematic risk assessment, replacing the traditional tick-box compliance approach.
  • For banks and NBFCs, RBI's RBIA guidelines specify audit frequency by risk category, required staffing levels, and follow-up timelines for audit findings.
  • IT General Controls (ITGC) and application controls are increasingly critical components of internal audit programs for ERP-dependent and digitally enabled organizations.
  • Internal audit findings and management responses are reviewed by the Audit Committee, which has oversight responsibility for the internal audit function under the Companies Act.