Table of Contents
- I. Introduction
- II. Legal and Regulatory Framework Governing Internal Audit in India
- III. Internal Audit vs. Internal Check: Clearing the Confusion
- IV. Internal Audit vs. Statutory Audit: Distinct but Connected
- V. The Evolving Scope of Internal Audit: Modern-Day Relevance
- VI. Addressing Practical Deviations in Internal Audit
- VII. Conclusion and Way Forward
I. Introduction
The scope and role of auditors in India have undergone a significant transformation in today’s complex business environment. Heightened regulatory scrutiny, expanding risk landscapes, and rising stakeholder expectations have added new dimensions to governance and control frameworks. In this context, internal audit, often perceived to be a statutory requirement or a routine checking mechanism, is now expected to deliver far more than compliance assurance.
A well-structured internal audit function serves as a critical pillar of corporate governance. It provides independent assurance on the adequacy and effectiveness of internal controls and evaluates whether business processes operate in alignment with strategic objectives.
For Chartered Accountants (CAs), a practical understanding of internal audit is essential, as organisations increasingly rely on internal auditors to bridge gaps between governance intent and operational execution.
II. Legal and Regulatory Framework Governing Internal Audit in India
The applicability of internal audit in India is driven by a combination of statutory provisions and regulator-specific expectations. The statutory framework governing internal audit in India is laid down under Section 138 of the Companies Act, 2013, read with Rule 13 of the Companies (Accounts) Rules, 2014.
Contrary to common perception, internal audit is not mandatory for all companies. It applies only to specified classes of entities based on listing status and prescribed financial thresholds.
Internal audit is mandatory for:
- Every listed company;
- Unlisted public companies meeting criteria relating to paid-up capital, turnover, borrowings, or deposits; and
- Private companies meeting specified turnover or borrowing thresholds.
In addition to the Companies Act, internal audit requirements also arise from sectoral regulations. Banking companies, Non-Banking Financial Companies (NBFCs), and insurance companies are subject to internal audit mandates issued by the Reserve Bank of India (RBI) and the Insurance Regulatory and Development Authority of India (IRDAI), often prescribing scope, frequency, and reporting requirements.
III. Internal Audit vs. Internal Check: Clearing the Confusion
‘Internal check’ refers to the built-in controls embedded in day-to-day operations, designed to prevent and detect errors, fraud, and other irregularities by ensuring that no single individual has complete control over a transaction. In contrast, ‘internal audit’ is an independent appraisal that evaluates whether these internal checks are adequate, properly designed, and operating effectively. While internal checks focus on prevention and detection within routine activities, internal audit provides assurance through periodic review. Therefore, internal check and internal audit are complementary but not interchangeable.
IV. Internal Audit vs. Statutory Audit: Distinct but Connected
While both involve examination and verification, their objectives and scopes differ significantly.
‘Internal audit’ focuses on evaluating the effectiveness of internal controls, risk management, and operational processes, with the primary purpose of improving organisational efficiency and supporting management in achieving objectives. In contrast, a ‘statutory audit’ is conducted to fulfil a legal requirement, and its primary objective is to express an independent opinion on whether the financial statements present a true and fair view, thereby providing assurance to shareholders and other external stakeholders.
The interaction between these two functions is recognised under Standard on Auditing (SA) 610 – Using the Work of Internal Auditors, which permits statutory auditors to rely on internal audit work, subject to appropriate evaluation. This reinforces their distinct yet interconnected roles.
V. The Evolving Scope of Internal Audit: Modern-Day Relevance
Traditionally, internal audit has been associated with financial verification and compliance testing, both of which continue to remain relevant. However, in the current environment, its scope has expanded to provide continuous, risk-focused assurance and insights that support informed decision-making.
Globally accepted internal audit frameworks, such as those issued by the Institute of Internal Auditors (IIA), have also influenced this shift towards risk-based and value-oriented internal audit functions, particularly in large and multinational organisations.
A. Risk-based and strategy-aligned audits
Audit planning is increasingly aligned with key business risks, governance priorities, and strategic objectives rather than fixed audit cycles. Internal auditors are expected to respond dynamically to changes in the operating and regulatory environment.
Outcome: Ensures audit focus remains relevant and meets the governance expectations.
B. Evaluation of controls and operating effectiveness
The emphasis has shifted from checking the mere existence of controls to assessing whether controls are appropriately designed and consistently operating in support of sound governance and risk management. This enables identification of systemic weaknesses rather than isolated lapses.
Outcome: Strengthens the reliability and sustainability of the internal control framework.
C. Advisory role without compromising independence
While internal auditors provide improvement-oriented recommendations on processes, controls, and governance practices, their role as independent assurance providers remains paramount. Maintaining this balance is critical to credibility.
Outcome: Enhances governance outcomes without diluting objectivity.
D. Internal audit as the third line of defence responsibility
In every organisation, risks are addressed at different levels. Those involved in execution manage risks by following processes and applying controls in their day-to-day activities, while the next layer responsible for policymaking and supervision sets the overall oversight mechanisms. Internal audit functions as the third line of defence, independently assessing whether these processes and controls are adequate and whether they are effective in practice and reporting to those charged with governance.
Outcome: Reinforces accountability and ensures disciplined risk ownership across the organisation.
VI. Addressing Practical Deviations in Internal Audit
Despite its strategic importance, internal audit functions frequently encounter practical challenges that limit their effectiveness.
VII. Conclusion and Way Forward
Internal audit today stands at a critical juncture, representing a convergence of assurance and insight. While independence and objectivity remain non-negotiable, internal auditors are increasingly expected to contribute to operational efficiency, risk resilience, and effective governance.
For Chartered Accountants, this evolving role demands a broader skill set beyond accounting and compliance. Internal auditors must develop stakeholder management skills and technological proficiency, including the use of data analytics and understanding of digital controls.
Ultimately, the credibility and enduring value of internal audit vests in the auditor’s integrity, professional judgement, and ability to adapt to a changing business environment while preserving independence.
Contributors
CA N Srilatha Bhat – LinkedIn
Kuldeep Sarma – LinkedIn
Poonam Vernekar – LinkedIn
blog_upadhya
