Internal Audit Services — controls that actually work.
Risk-based internal audit aligned with Section 138 of the Companies Act, Standards on Internal Audit (SIA), and the IIA framework — covering O2C, P2P, payroll, inventory, fixed assets, treasury, taxation, and statutory compliance cycles.
Internal audit is not a smaller version of statutory audit — it's a different discipline entirely. Statutory audit confirms whether the financial statements are right. Internal audit confirms whether the business is being run right. It looks at processes while they are operating, controls while they are being used, and risks before they have shown up in the numbers. The output is not an opinion on accounts. It's a list of things that need to change before they become someone else's audit qualification.
Section 138 of the Companies Act, 2013 made internal audit mandatory for listed companies and for unlisted public and private companies above prescribed thresholds. But the regulatory floor is the smaller part of the story. Family-run businesses, growing startups, group companies under fundraising, NBFCs, and trusts with grant funding all benefit from independent internal audit — sometimes more than their listed peers, because they don't have the internal scale to build the function themselves.
Our internal audit practice serves clients in two delivery models: outsourced internal audit, where we run the function end-to-end with quarterly reports to the Audit Committee, and co-sourced internal audit, where we partner with an in-house team for specialist work (IT audit, forensic, data analytics) or peak-season capacity. Both models are anchored in a risk-based annual plan, executed cycle by cycle, with clear accountability for remediation.
Internal Audit Services We Offer
Mandatory Internal Audit (Sec 138)
Statutory internal audit for listed and prescribed unlisted companies under Section 138 — Audit Committee reporting and Board updates.
Risk-Based Internal Audit
Annual plan driven by a risk register — audit coverage allocated in proportion to financial, fraud, and regulatory risk by process.
Process Audits
Cycle-wise audit across O2C, P2P, inventory, fixed assets, payroll, treasury, taxation, and period-end financial close.
Outsourced & Co-sourced IA
Full outsourced internal audit, or co-sourced delivery alongside an in-house team for specialist work and peak-season capacity.
Compliance & SOP Audit
Audit of compliance with internal policies, SOPs, statutory obligations, and contractual commitments — gap analysis with action plans.
IT & ERP General Controls
Audit of IT general controls, user access, change management, ERP master data, and integration with the financial reporting framework.
Internal Audit Charter
Drafting the IA Charter, defining reporting lines, independence, scope, and authority — approved by the Audit Committee or Board.
Audit Committee Reporting
Quarterly and annual Audit Committee packs — engagement-wise findings, status of prior-period actions, and forward-looking plan.
Our Internal Audit Process
IA Charter & Scope
Internal audit charter, reporting structure, scope definition, and Audit Committee approval of the engagement framework.
Risk Assessment & Plan
Risk register across processes and entities, ranked by impact and likelihood — leading to a risk-based annual audit plan.
Fieldwork by Cycle
Process-by-process execution — walk-throughs, control testing, sample-based substantive checks, and exception documentation.
Reporting & Remediation
Process-wise audit reports with risk-rated observations, agreed management action plans, and remediation timelines.
Audit Committee Reporting
Quarterly Audit Committee packs, follow-up tracker, prior-period closure status, and annual report with forward plan.
Why Internal Audit Matters
Frequently Asked Questions
Internal audit is an independent, objective assurance and consulting activity that evaluates the effectiveness of an organisation's risk management, internal controls, and governance processes. Unlike statutory audit, which focuses on financial statements, internal audit is forward-looking and operational — its goal is to help management strengthen processes, prevent fraud, and ensure that controls actually work in practice.
Under Section 138 of the Companies Act, 2013, internal audit is mandatory for all listed companies and for unlisted public or private companies that cross prescribed thresholds of paid-up capital, turnover, borrowings, or deposits. The Board can appoint a Chartered Accountant, Cost Accountant, or other professional as internal auditor — the auditor reports to the Audit Committee where one exists, or directly to the Board.
Statutory audit is performed annually by an external Chartered Accountant to express an opinion on financial statements — it is historic and report-driven. Internal audit is performed on an ongoing basis throughout the year, focused on processes, controls, and risk — it is forward-looking and improvement-oriented. The statutory auditor often relies on internal audit work to plan and reduce the scope of the year-end audit.
Risk-based internal audit allocates audit effort in proportion to the actual risk in each business area — rather than auditing every process equally each year. The annual internal audit plan starts with a risk assessment that ranks processes by financial reporting impact, fraud risk, regulatory exposure, and management concern — and audit coverage flows from that ranking. High-risk areas may be audited multiple times a year; low-risk areas may be audited once every two to three years.
Outsourced internal audit is the full delegation of the internal audit function to an external firm — common for small and mid-sized companies that do not want to build an in-house team. Co-sourced internal audit is a hybrid model where the company maintains an in-house internal audit team but partners with an external firm for specialist skills (IT audit, forensic, data analytics) or for additional capacity at peak times.
Standard process cycles covered include order-to-cash (O2C — sales, billing, receivables), procure-to-pay (P2P — vendor selection, purchase, payables), inventory (receipt, storage, dispatch, write-offs), fixed assets (capitalisation, depreciation, disposal), payroll and HR, treasury and banking, taxation (direct, GST, TDS), statutory compliance, and the period-end financial close. The mix depends on the company's risk profile and prior audit findings.
Most internal audit functions report quarterly to the Audit Committee or Board, with monthly or rolling reports to management. Each completed engagement results in a process-specific audit report with observations, risk ratings, and management action plans. Annual reports consolidate the year's findings, status of prior-year actions, and the proposed plan for the coming year — supporting the Audit Committee's oversight responsibilities.
Internal audits in India are typically performed in line with the Standards on Internal Audit (SIA) issued by the ICAI and the International Professional Practices Framework (IPPF) issued by the IIA. The framework covers the internal audit charter, independence and objectivity, proficiency, risk-based planning, engagement performance, and communication of results — providing a consistent quality benchmark across engagements.
Set Up Your Internal Audit Function
Talk to our team about outsourced or co-sourced internal audit, a Section 138 engagement, or a one-time process audit — anchored in a risk-based plan and built for the Audit Committee.
Talk to an Internal Auditor or call +91 9819 000 511