05 May 2026 · 8 min read · Internal Audit · CA Dheeraj Somani

How to scope an internal audit for a mid-sized manufacturer.

Our practice, in detail.

1. Why scoping decides the value of the year.

An internal-audit programme is a commitment to look at a finite slice of the business over a finite number of weeks. Get the slice right and every cycle produces findings the management can act on. Get it wrong and twelve months disappear into work the audit committee does not need.

Scoping is the only opportunity each year for the audit committee, the CFO and the IA team to align on what the next twelve months should look at. Done well, the conversation takes a day. Done poorly, the conversation never happens and the IA team chooses areas based on what they remember from last year, what is easy to access, or what the auditors mention in passing.

2. Building the risk universe.

The risk universe is a structured inventory of the risks the business faces, mapped to processes, owners and existing controls. For a mid-sized manufacturer (think ₹100 to 500 Cr turnover, one or two plants, 200 to 800 employees), the universe usually covers eight or nine process groups:

  • Procure to Pay. Vendor onboarding, PO issuance, GRN, three-way match, payment processing, vendor reconciliations.
  • Order to Cash. Customer credit assessment, order acceptance, dispatch, invoicing, receivables collection, dispute management.
  • Inventory and Production. Raw material receipt, WIP tracking, production posting, finished goods, physical verification, scrap accounting.
  • Hire to Retire. Recruitment, onboarding, payroll, statutory deductions (PF, ESI, PT), full and final settlement, contract-labour management.
  • Fixed Assets. Capex approval, capitalisation, physical verification, retirement, depreciation policy compliance.
  • Treasury and Borrowings. Bank reconciliations, working-capital sanctions, term-loan covenants, hedging positions.
  • Statutory Compliance. Direct tax (TDS, advance tax), indirect tax (GST), labour laws (factory licences, environment clearances), MCA filings.
  • IT General Controls. Access management, change management, backup and disaster recovery, vendor management for the ERP.
  • MIS and Reporting. Quality of management reports, reconciliations between operational and financial data, segment reporting.

For each process group, the IA team interviews the process owner, reviews the SOP (or documents one if none exists), maps the key controls, and identifies the risks that could realistically materialise.

3. Scoring risks (the matrix that works).

Each identified risk is scored on two dimensions:

  • Likelihood: probability of occurrence in the next 12 months, rated 1 (rare) to 5 (almost certain).
  • Impact: the financial, operational, compliance or reputational impact if the risk materialises, rated 1 (negligible) to 5 (catastrophic).

Likelihood and impact are multiplied to give an inherent risk score. Then we apply a control-effectiveness adjustment: if existing controls are strong, divide by 2. If existing controls are weak or absent, multiply by 1.5. The result is a residual risk score per risk, on a 1 to 50 range.

Risks with a residual score above 20 are audited annually. Risks scoring 10 to 20 are audited on an 18 to 24 month cycle. Below 10, audited every 30 to 36 months. The discipline is to be explicit and consistent, not to be precise to the second decimal.

4. The 24-month rolling calendar.

We do not plan a 12-month audit calendar; we plan 24 months, refreshed annually. This forces the conversation about rotation: which areas are due, which areas are off-cycle this year, and where new risks (e.g. a new ERP, a new plant, an acquisition) need an extraordinary review.

A typical quarterly mix for a mid-sized manufacturer:

  • Q1: Procure to Pay (high-risk, audited every cycle) + an IT General Controls deep-dive.
  • Q2: Inventory and Production (peak production season, real-time audit) + Statutory Compliance review.
  • Q3: Order to Cash + Fixed Assets verification at year-end approach.
  • Q4: Annual IFC review + the follow-up on prior-year observations.

Standalone risk-event reviews (a new vendor onboarded above a threshold, a new plant commissioned, a fraud allegation) are inserted into the calendar as needed, without disturbing the planned cycles.

5. The data-extract conversation.

The most expensive mistake in internal audit is not asking for the data extracts at scoping. By the time fieldwork starts, the IT team is busy, the data takes three weeks to assemble, and the audit either compresses to two weeks of useful work or runs over by a month.

At scoping, we agree the standing data extracts the IT team will refresh every quarter:

  • GL trial balance (period under review).
  • Vendor master, customer master, employee master (full population).
  • PO register, GRN register, invoice register, payment register (period under review).
  • Inventory ledger including movement (period under review).
  • Bank statements and reconciliations (period under review).
  • Payroll register.

These extracts are agreed once with the CFO and the IT head, and then refreshed by IT on a fixed calendar before each cycle. The IA team should not be chasing data the week the fieldwork starts.

6. The scoping memo, in one page.

The output of the scoping exercise is a one-page memo that the audit committee approves. It contains:

  • The risk universe (process-group summary).
  • The risks rated above the audit threshold.
  • The 24-month audit calendar with cycles assigned to each in-scope area.
  • The audit fee and the agreed audit-team composition.
  • Sign-off from the audit committee chair.

Everything else (detailed risk register, process flowcharts, RCMs) lives in the working files. The audit committee approves on the basis of the one-page memo. They will not approve on the basis of a forty-page risk-assessment document, and they should not be asked to.

Frequently asked

Should the internal auditor or management own the risk universe?

Management owns the risks; internal audit owns the audit risk universe and the testing programme. The two should align: the risks management has identified and is managing should be the risks the audit programme tests. Where the IA team identifies risks that management has not, the scoping conversation surfaces this and the audit committee decides how to address the gap.

How often should the scoping memo be refreshed?

Annually for the formal refresh, with quarterly check-ins to insert ad-hoc reviews (new plants, acquisitions, fraud allegations) into the calendar without disturbing the rotation.

What if the management does not have an SOP for a process?

The first cycle of audit for that process includes documenting the SOP. The SOP becomes a deliverable from the audit, owned by the process owner after the engagement, and forms the baseline against which future audits are run.

How long does a scoping exercise take for a mid-sized manufacturer?

Three to four working days of interviews and document review, followed by a half-day workshop with the CFO and the audit committee chair to finalise the risk universe and the 24-month calendar. Refresh of the scope in subsequent years takes a day.

Can we use last year's risk universe as a starting point?

Yes, and we usually do. The annual scoping refresh updates last year's universe rather than building from scratch. The discipline is to actively challenge each risk (still relevant? still rated correctly? new risks to add?) rather than rolling forward without thought.

CA Dheeraj Somani
CA Dheeraj Somani
Founder & Proprietor · D Somani & Associates · More about the firm →

Related notes