Internal audit in India: a 2026 guide for promoters & audit committees.
The natural extension of internal audit.
1. What is an internal audit, really?
An internal audit is an independent, structured review of how your business actually runs - its processes, its controls, its risks, and its compliance posture. It is not a statutory requirement for most companies, and it is not the same as the statutory audit your CA does each year for the books.
The statutory audit asks: are the financial statements true and fair? The internal audit asks a different and more useful question: is the business operating the way the board thinks it is?
A risk-based audit checks whether the wheels are turning. The internal audit you actually want checks whether the cart is going in the right direction.
2. Why now (and what's changed)
Three things have moved the demand for thoughtful internal audit:
- The shift to Internal Financial Controls reporting under the Companies Act, 2013 (s. 134(5)(e), 143(3)(i)) made the board's responsibility explicit. The board has to say the IFCs are adequate. The auditor has to opine on whether they're operating effectively. Somewhere in between, someone has to actually do the work - and that someone is internal audit.
- The maturation of audit committees in promoter-led businesses. Five years ago, the audit committee was often a formality. In 2026, the better ones run a real agenda: they read the internal-audit report, they push back, they ask for follow-up. That changes what an IA report needs to look like.
- The rise of data-led work. Internal audit no longer needs to sample. With reasonable data access, an IA can test the full population - every vendor master entry, every transaction over a threshold, every employee reimbursement. Sampling is becoming a tool of last resort, not first.
3. What a good internal audit function looks like
The shorthand we use internally is: a good IA function changes a decision in the next quarter. If a quarterly internal audit doesn't change a vendor approval, a process, an SOP, a delegation matrix, an MIS practice - it has produced a file, not an audit.
Specifically, a good IA function:
- Has a risk universe documented and reviewed annually, with each risk mapped to processes, owners and controls.
- Runs walk-throughs for any process being audited for the first time - not just substantive testing.
- Uses full-population analytics where data permits.
- Produces an executive summary that fits on one page, with detail in the body and evidence in the working files - not the other way round.
- Closes each cycle with a follow-through review the next quarter, verifying which findings were actually implemented.
4. Scoping the risk universe
The single most under-appreciated step in internal audit is scoping. Done well, it determines the value of the next twelve months of work. Done poorly, it locks in a year of irrelevant fieldwork.
The exercise has three parts. Identify the risks - financial, operational, compliance, strategic, technology. Score them - likelihood × impact, adjusted for control coverage. Rotate them into a 24- or 36-month audit calendar so high-risk processes are touched annually and lower-risk processes on cycle.
We always run this with the audit committee in the room. It is the only time of year the audit committee has the chance to influence what gets looked at - and it is far more useful than reviewing reports after the fact.
5. How to brief your internal auditor
If you are a promoter, a CFO or an audit committee member commissioning an internal audit, here is the briefing template we wish more clients used:
- What you want changed. A decision, a process, an MIS line item. Not "audit everything."
- What you suspect. Be specific. "I think vendor onboarding is loose." "I think reimbursements are being approved without proof." "I think we're losing GST credits."
- What's off-limits or sensitive. Some areas are political. Tell the auditor.
- How you want it reported. Executive summary first. Detailed observations second. No long preamble, no copy-pasted standards references.
- Who they can talk to. Set the access. Without it, fieldwork stalls in week two.
6. The report you should be receiving
A good internal audit report has the same basic structure every time:
- Executive summary (1 page). Three sections: what we did, what we found, what we recommend. No more.
- Findings register. Each finding in a fixed grammar: Observation · Root cause · Risk implication · Quantified impact · Recommendation · Management response · Owner · Target date.
- Annexures. Evidence, walk-through notes, data tables.
If a quarterly audit report runs to 80 pages, somebody has been padding. The audit committee will not read it.
7. The follow-through that matters most
Internal audit value is mostly destroyed in the gap between the report and the follow-up. The report identifies the change; nothing else will make it happen unless someone returns to verify implementation.
The mechanism we use: every observation has an owner and a target date in the findings register. The next quarter's audit opens with a 30-minute review of the prior quarter's observations - implemented, in progress, deferred (with reason). The audit committee receives this register at every meeting.
Audit committees that adopt this rhythm see their finding-closure rates rise from ~40% to over 80% within four quarters. That is the entire value of internal audit, made visible.
A short closing note.
If you have read this far, you are almost certainly thinking about whether the IA function inside your business - or the IA firm you commission - is doing the work this guide describes. The fastest way to find out is to ask for the last four executive summaries and the open findings register. If those two artefacts are not crisp, the IA function is not what it should be.
For a conversation about scoping or restructuring an internal audit, write to info@dsomani.in.
Frequently asked
Is internal audit mandatory in India?
Internal audit is mandatory for prescribed classes of companies under section 138 of the Companies Act, 2013 (listed companies, certain unlisted public companies, and certain private companies based on turnover, borrowings or paid-up capital). The Act allows the IA to be conducted by a CA, a Cost Accountant, or such other professional as the board decides.
How is internal audit different from statutory audit?
The statutory audit opines on whether the financial statements show a true and fair view, under the framework of the Companies Act and the auditing standards. The internal audit reviews processes, controls and risks across the business, with findings reported to management and the audit committee. The two audits are independent and complementary; the same firm typically does not perform both for the same client.
How often should an internal audit be run?
For most listed entities and mid-to-large promoter-led businesses, internal audit is run quarterly, with a 24- or 36-month audit calendar that rotates processes through. IFC reviews are typically annual. The cadence depends on the size of the business and the risk profile.
Who should the internal auditor report to?
The internal auditor should report functionally to the audit committee (or where there is none, to the board), and administratively to senior management (typically the CFO or the MD). This dual reporting protects independence.
What should I look for when picking an internal-audit firm?
Three things: (i) whether the partner - not just an associate - leads the engagement; (ii) whether the firm produces short, decision-led reports rather than padded ones; and (iii) whether the firm has a follow-through mechanism to verify implementation of past findings. Ask for a redacted sample report and the partner's CV.