Internal Audit Function

Section 138 of the Companies Act 2013, read with Rule 13 of the Companies (Accounts) Rules 2014, requires certain classes of companies to appoint an internal auditor. The provision applies to every listed company, every unlisted public company meeting specified thresholds of paid-up share capital or borrowings or turnover, and every private company meeting higher thresholds of borrowings or turnover. The internal auditor may be a chartered accountant, a cost accountant, or any other professional as decided by the board.

The internal audit function is distinct from the statutory audit. The statutory auditor is an external, independent professional appointed by shareholders to audit the annual financial statements and express an opinion on their truth and fairness. The internal auditor is primarily a management tool — an independent internal function that evaluates whether the company's risk management, governance, and internal control processes are adequate and functioning effectively. Despite being engaged by management, the internal auditor reports functionally to the audit committee to preserve independence.

The scope of internal audit work in an Indian listed company typically spans financial controls (reconciliations, authorisation limits, segregation of duties), operational controls (inventory management, procurement processes, manufacturing quality), compliance (adherence to laws and regulations, SEBI disclosures, related party transaction approvals), and information technology controls (access management, change management, cybersecurity). The audit committee approves the internal audit plan annually, reviews internal audit reports quarterly, and evaluates the adequacy of follow-up on audit observations by management.

SEBI's LODR Regulations require listed companies to have an internal audit function and mandate that the audit committee of the board review the adequacy and effectiveness of internal audit. The audit committee's terms of reference, as prescribed by SEBI, include reviewing the findings of internal investigations and examining the reasons for substantial defaults in the payment of depositors, debenture holders, shareholders, and creditors.

For investors assessing corporate governance, the quality of the internal audit function is a meaningful indicator. Weaknesses identified by internal auditors — particularly if systemic or recurring — that are inadequately addressed by management are early warning signals of potential financial irregularities or operational breakdowns. Companies with a strong, well-resourced, and independent internal audit function are generally better placed to detect and prevent fraud and error before they escalate into material misstatements.