Internal Audit Services under Companies Act, 2013
Enhance Control, Mitigate Risk: Strategic Internal Audit Services for Indian Companies
Beyond the mandatory annual checks, Internal Audit is a proactive management tool designed to evaluate and improve the effectiveness of your company’s risk management, internal controls, and governance processes. HVJ & Associates provides bespoke, risk-based Internal Audit services that comply with Section 138 of the Companies Act, 2013, while driving operational efficiency and strategic excellence.
What is Internal Audit (Section 138)?
The Internal Audit function, as mandated by Section 138 of the Companies Act, 2013, read with Rule 13 of the Companies (Accounts) Rules, 2014, is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
Core Objectives (Focus on Management Value):
- Risk Management: Identifying and assessing operational, financial, and compliance risks proactively.
- Control Effectiveness: Evaluating the design and operating effectiveness of the company’s internal controls over all functions.
- Governance Enhancement: Recommending improvements to governance processes, ethical standards, and accountability.
- Operational Efficiency: Pinpointing bottlenecks, inefficiencies, and cost-saving opportunities within business processes.
- Fraud Prevention: Strengthening internal systems to deter, detect, and investigate potential fraud or errors.
Who can be an Internal Auditor?
As per Section 138, the Internal Auditor can be:
- A Chartered Accountant (CA) (whether in practice or not).
- A Cost Accountant (CMA).
- Such other professional as may be decided by the Board of Directors.
Importantly, the Statutory Auditor is strictly prohibited from also being the Internal Auditor (Section 144). The Internal Auditor can be an employee of the company or an external professional/firm.
Mandatory Internal Audit Applicability Thresholds (Section 138)
Internal Audit is mandatory for certain classes of companies in India, based on financial thresholds met at any point in time during the preceding financial year.
1. Every Listed Company
Mandatory: Internal Audit is mandatory for all listed companies in India, irrespective of their size.
2. Unlisted Public Companies
Internal Audit is mandatory if any of the following criteria are met during the preceding financial year:
| Criteria | Threshold Limit |
|---|---|
| Paid-up Share Capital | ₹ 50 Crore or more |
| Turnover | ₹ 200 Crore or more |
| Outstanding Loans/Borrowings | Exceeding ₹ 100 Crore from banks or Public Financial Institutions |
| Outstanding Deposits | ₹ 25 Crore or more |
3. Private Limited Companies
Internal Audit is mandatory for a Private Limited Company if any of the following criteria are met during the preceding financial year:
| Criteria | Threshold Limit |
|---|---|
| Turnover | ₹ 200 Crore or more |
| Outstanding Loans/Borrowings | Exceeding ₹ 100 Crore from banks or Public Financial Institutions |
🔑 Key Consideration: Even if your company falls below the mandatory thresholds, opting for a Voluntary Internal Audit is a strategic move to prepare for growth, strengthen controls before an IPO, or reassure investors/lenders.
Our Risk-Based Internal Audit Scope
Unlike the financial statement focus of Statutory Audit, our Internal Audit scope is flexible, comprehensive, and determined in consultation with your Audit Committee/Board, based on a rigorous risk assessment.
| Audit Area | Focus & Deliverables | Value Addition |
|---|---|---|
| Operational Audits | Review of Procure-to-Pay (P2P), Order-to-Cash (O2C), Manufacturing/Service processes, and Inventory management. | Efficiency: Identifying process bottlenecks and recommending cost-saving solutions. |
| Financial Controls | Evaluation of internal checks, segregation of duties, cash & bank processes, and fixed asset management. | Assurance: Strengthening controls to improve financial reporting reliability (IFC readiness). |
| Compliance Audits | Review of adherence to critical laws (GST, TDS, Labour Laws, SEBI Regulations, internal policies). | Mitigation: Preventing penalties and ensuring adherence to regulatory frameworks. |
| IT & Security Audits | Assessing IT governance, data security, business continuity plans, and system access controls. | Protection: Safeguarding critical data and ensuring system resilience. |
| Forensic & Fraud Risk | Focused investigation into specific areas (e.g., related party transactions, vendor payments) to detect or deter irregularities. | Integrity: Protecting company assets and reputation. |
The Internal Audit Advantage:
- Management Tool: Internal Audit reports to the Management/Board/Audit Committee to help them improve (Statutory Audit reports to Shareholders).
- Continuous Review: Our audit periodicity is often quarterly or half-yearly, providing a continuous monitoring function, not just an annual snapshot.
- Actionable Insights: Our reports emphasize practical, future-focused recommendations and action plans, not just historical reporting.
The HVJ & Associates Internal Audit Methodology
We align our practice with global standards (IIA) while remaining anchored to the Indian regulatory environment.
- Risk Scoping (Planning): Understanding the entity’s strategic goals and identifying the key risks (Financial, Operational, Compliance, Strategic) across all functions.
- Fieldwork Execution: Data analysis, process walkthroughs, interviews, and detailed testing of controls in high-risk areas.
- Findings & Reporting: Developing clear, objective, and evidence-based findings, classifying observations by risk severity.
- Action Plan Development: Collaborating with process owners to define a practical Management Action Plan (MAP) with clear timelines for remediation.
- Follow-up & Monitoring: Continuous monitoring of the implementation of recommendations to ensure risks are effectively mitigated, providing assurance to the Board.
Consequences of Non-Compliance (Section 138)
Failure to appoint a mandatory Internal Auditor or follow the prescribed rules under Section 138 can lead to regulatory action:
- Penalties: The company and every officer in default may be liable for penalties under the Companies Act, 2013.
- Audit Committee Liability: Failure to ensure the proper functioning of the internal audit system may attract scrutiny from the Registrar of Companies (RoC).
- Stakeholder Concern: Non-compliance sends a negative signal to banks, investors, and potential partners regarding the company’s commitment to good corporate governance.
Next Step: Transform Compliance into Performance
If your company meets or is approaching the Section 138 thresholds, or if your management is seeking enhanced assurance and efficiency, a strategic Internal Audit is essential.