Internal Audit Services in India – Section 138 Compliance & Risk-Based Reviews | N D Savla & Associates
Internal Audit & Risk Advisory

Internal Audit Services in India – Section 138 Compliance, ICFR Support & Risk-Based Reviews From a Trusted Internal Audit Firm

Mid-size and large companies face growing operational complexity every year. Sound internal audit services are no longer optional: Section 138 of the Companies Act 2013 mandates internal audit for specified companies, and even smaller businesses use internal audit to catch leakage, plug control gaps, and protect cash flow. At N D Savla & Associates, we deliver risk-based internal audit services across India.

Risk-Based Internal Audit Services Across India

Our internal audit firm covers Section 138 internal audit compliance, ICFR support, fraud-risk reviews, and process-level testing. Every engagement aligns with the ICAI Standards on Internal Audit and the Three Lines of Defence model — bringing practical risk insight rather than a checklist exercise. Our work cross-links naturally with statutory audit, GST audit, and income tax audit cycles, so the entire annual assurance calendar moves on a single coordinated workplan.

What Internal Audit Actually Does

Internal audit is an independent, objective review of financial, operational, and compliance processes inside a company. Its purpose is to evaluate the effectiveness of internal controls, risk management, and governance — protecting the business from preventable losses long before the statutory audit catches them. The work follows the ICAI Standards on Internal Audit (SIAs) and supports management responsibility under Section 134(5)(e) of the Companies Act 2013:

  • Independent assurance — internal audit sits in the Third Line of Defence, separate from operational management (First Line) and risk / compliance (Second Line)
  • Reports directly to the Audit Committee — not to the function being audited, so findings carry weight at Board level
  • Continuous coverage — runs through the year (quarterly, monthly, or rolling cycles), not at year-end like statutory audit
  • Wider scope than statutory audit — covers operations, compliance, fraud risk, and process effectiveness in addition to financial controls
  • Section 138 compliance — every mandated internal audit produces a written report to the Audit Committee or Board
  • ICAI Standards on Internal Audit (SIAs) — the professional benchmark every credible internal audit firm operates within
  • Three Lines of Defence model — the global governance framework anchoring the internal audit function

Internal audit and statutory audit are not the same. The statutory auditor reports on financial statements at year-end under Section 139. Internal audit runs continuously and covers operations, compliance, and fraud risk, areas that lie outside the statutory scope. Both audits are complementary, not competing.

Section 138 Internal Audit Thresholds

Section 138 of the Companies Act 2013, read with Rule 13 of the Companies (Accounts) Rules 2014, prescribes who must appoint an internal auditor. The threshold test is based on the previous financial year, and meeting even one of the listed conditions is enough to trigger the Section 138 internal audit obligation:

  • Listed companies — always required, no threshold applies (Section 138 + Rule 13(1)(i))
  • Unlisted public companies — paid-up capital ≥ ₹50 crore, OR turnover ≥ ₹200 crore, OR outstanding bank borrowings ≥ ₹100 crore at any time during previous FY, OR outstanding deposits ≥ ₹25 crore (Rule 13(1)(ii))
  • Private companies — turnover ≥ ₹200 crore during previous FY, OR outstanding bank/PFI borrowings ≥ ₹100 crore at any time during previous FY (Rule 13(1)(iii))
  • Borrowing test (point-in-time) — checks the position at any time during the previous year; the company falls under Section 138 even if borrowings reduce later
  • Producer companies / OPCs / Section 8 companies — not mandated under Section 138, but voluntary internal audit often used for governance
  • LLPs and partnership firms — no statutory mandate; voluntary engagement only
  • Voluntary engagements — many growing startups, family-run mid-size companies, and PE-backed entities engage internal audit services to professionalise controls and support investor due diligence

Many private companies miss the borrowing-point-in-time nuance and end up non-compliant. Our team begins every engagement with a formal applicability check so no trigger is missed for the current financial year.

Two Audits, Two Different Mandates

Many businesses confuse internal audit with statutory audit. The two serve very different purposes — and most large companies need both. The cards below summarise the core distinction.

1. Internal Audit (Section 138)

  • Purpose: Evaluates internal controls, processes, and risk management.
  • Frequency: Continuous (quarterly, monthly, or rolling cycles).
  • Reports to: Audit Committee or Board of Directors.
  • Mandate: Section 138 of the Companies Act 2013 read with Rule 13.
  • Auditor eligibility: CA, Cost Accountant, or any other qualified professional decided by the Board.
  • Standards: ICAI Standards on Internal Audit (SIAs).
  • Coverage: Operations, compliance, fraud risk, financial process, IT, ICFR (wider than statutory scope).

2. Statutory Audit (Section 139)

  • Purpose: Reports a true and fair view of financial statements.
  • Frequency: Annual, at year-end.
  • Reports to: Members (shareholders) of the company.
  • Mandate: Section 139 of the Companies Act 2013, with Section 143 reporting.
  • Auditor eligibility: Only a Chartered Accountant in practice.
  • Standards: Standards on Auditing (SAs) issued by ICAI.
  • Coverage: Financial statements and disclosures, plus CARO 2020 paragraphs and Section 143(12) fraud reporting.

The Six Coverage Areas in Every Engagement

Our internal audit services follow a risk-based audit plan covering financial, operational, compliance, fraud, ICFR, and IT control areas. The scope is reviewed every year based on changes in business, risk environment, and Audit Committee priorities.

Financial Process Review

Procure-to-Pay, Order-to-Cash, Payroll, Treasury, Financial Close — sample testing of journal entries, vendor payments, receivables, and bank reconciliations.

Operational & Process Audit

Procurement, inventory, manufacturing, dispatch, and customer service — actual practice compared against documented SOPs; integrates with our BPR practice.

Compliance Audit

GST, TDS, Income Tax, FEMA, labour laws, industry licences — late filings, wrong rates, and penalty exposure flagged before the regulator does.

Fraud Risk & Forensic-Style Review

Segregation of duties, vendor master integrity, expense reimbursement patterns, ghost employee risk — escalates to forensic investigation when indicators emerge.

ICFR / IFC Support

Design and operating effectiveness testing under Sections 134(5)(e) and 143(3)(i); Risk Control Matrix mapping each control to a financial assertion.

IT & ERP Controls

User access, ERP role segregation, master data integrity, audit trail logs under Rule 3(1) of the Companies (Accounts) Rules — plus spreadsheet controls.

Internal audit work supports the statutory auditor. Where ICFR testing is documented under a Risk Control Matrix and conducted by an independent internal audit firm, the statutory auditor relies on that work — saving time, reducing duplication, and lowering overall audit cost. Our Risk Control Matrix practice anchors this integration.

The Four-Step Methodology Aligned With ICAI SIAs

Every engagement runs on a clear plan that the Audit Committee can sign off in advance. The four-step methodology below is aligned with ICAI Standards on Internal Audit, with industry-specific tailoring built into the plan.

Step 1 — Risk Assessment & Annual Audit Plan

Business processes mapped to risks; risks ranked by likelihood and impact; risk-based annual audit plan drafted and submitted to the Audit Committee for approval before fieldwork begins. Plan is reviewed quarterly and refreshed against changes in business and risk environment.

Step 2 — Process Walkthroughs & Control Mapping

Each in-scope process walked through with the responsible owner; actual practice documented; key controls identified; Risk Control Matrix updated. Control gaps surface even before formal testing begins, enabling early remediation discussions with management.

Step 3 — Testing & Sampling

Controls tested using statistical and judgemental sampling — authorisation, segregation, reconciliation, exception monitoring. Data analytics covers full populations for high-volume areas like payments, journal entries, and master data changes — uncovering exceptions that sampling alone would miss.

Step 4 — Reporting & Follow-Up to Closure

Clear report issued with findings, root cause, and management action plan. Report goes to the Audit Committee. Every action item tracked to closure in the next quarter — internal audit drives measurable improvement, not paper findings.

Industry Tailoring & Client Profile

Listed companies aligned with SEBI LODR governance; manufacturing / trading firms with operational, inventory, and warehouse audit; NBFCs aligned with RBI master directions and concurrent audit cycles; PE / VC-backed startups with proportionate plans for due-diligence readiness; NGOs and Section 8 companies with donor-grade FCRA coverage.

Looking for a Reliable Internal Audit Firm? Build Stronger Controls With N D Savla & Associates.

End-to-end internal audit services across India for listed, unlisted, and private companies: Section 138 internal audit, ICFR & IFC support, process audit, compliance audit, fraud-risk review, Risk Control Matrix, and Audit Committee reporting. A trusted internal audit partner in India for the FY 2025-26 cycle.

Ready to plan your FY 2025-26 internal audit calendar?

Talk to our team about Section 138 compliance, risk-based audit planning, ICFR testing, and Audit Committee reporting — under one integrated workplan.


F.A.Q.

Yes, for specified companies. Section 138 of the Companies Act 2013, read with Rule 13 of the Companies (Accounts) Rules 2014, makes Section 138 internal audit mandatory for every listed company. Additionally, unlisted public companies crossing capital, turnover, borrowing, or deposit thresholds must appoint an internal auditor. Furthermore, private companies above ₹200 crore turnover or ₹100 crore borrowing must comply. Our Audit under Companies Act page covers the linked statutory audit framework.

Statutory audit reports on the truth and fairness of financial statements at year-end. Internal audit services run continuously through the year. Moreover, internal audit covers operations, compliance, fraud risk, and process effectiveness. The internal audit firm reports to the Audit Committee or Board, while the statutory auditor reports to shareholders. Both audits are complementary — our Audit & Assurance practice delivers both under one engagement structure.

A private company must appoint an internal auditor when turnover during the previous financial year is ₹200 crore or more. Alternatively, outstanding loans or borrowings from banks or PFIs above ₹100 crore at any point in the previous year also trigger Section 138 internal audit. Either threshold being crossed is enough. Our ICFR & IFC support page covers the related internal control framework.

Frequency depends on the company’s size, risk profile, and Audit Committee preference. Most mid-size and large internal audit engagements in India follow a quarterly cycle. High-volume businesses such as banks and large NBFCs use continuous Section 138 internal audit, often integrated with concurrent audit. Therefore, the Board approves the internal audit plan and frequency at the start of every financial year.

Yes. Internal audit services routinely test the design and operating effectiveness of internal financial controls under Section 134(5)(e) and Section 143(3)(i). Furthermore, our internal audit firm uses a structured Risk Control Matrix to map controls to financial assertions. As a result, the statutory auditor relies on internal audit work, which reduces overall audit cost.

Yes. Although Section 138 internal audit may not apply, many startups and PE-backed businesses voluntarily engage an internal audit firm. Additionally, our India internal audit team designs proportionate audit plans for early-stage and mid-market companies. The work supports investor due diligence, builds scale-ready controls, and links naturally with our SOP implementation practice.