Internal audit, reframed.
Why we think the traditional internal audit is no longer enough.
Internal audit has changed more in the last five years than in the previous fifty. The audit committee is no longer asking only whether the controls work. It is asking whether the process itself is fit for the business that the company has become — whether revenue recognition still matches the way the company sells, whether procurement controls still match the way the company buys, whether the IT environment still matches the way the company operates. A risk register that is reviewed once a year is no longer enough; the risks themselves are changing inside the year.
In that environment, an internal audit that simply tests controls against a documented framework is doing the easy half of the job. The harder half — and the half that creates value — is to step back, study the process end-to-end, ask what the process is for and propose the structural change that closes the gap. That is the audit we sign up for.
“We do not stop at a risk-based audit. We customise the entire engagement to produce the highest level of value addition for the promoter and the audit committee.”
Eight deliverables. One philosophy.
Process Review
A deep, end-to-end study of a business process — how it is designed, how it actually runs, where the leaks are.
Process Restructuring
Where the process itself is wrong for the business, we redesign it — accountability, hand-offs, approvals and information flows.
Process Re-engineering
Building a process from the ground up — for a new business line, a new ERP, or a new operating model.
Process Improvement
Small, targeted changes that lift throughput, control or compliance without disturbing the architecture.
Design & Operating Effectiveness
Independent testing of internal financial controls under section 143(3)(i) of the Companies Act, 2013.
Standalone Review of Financials
A focused review of the financial statements — material balances, judgemental areas, policies and disclosures.
Assessing Compliance Risk
Mapping the regulatory universe and testing where compliance is exposed — tax, FEMA, labour, environment, secretarial.
Audit-Committee Reporting
Reports written for the people who read them — short summaries, clear root cause and actionable recommendations.
Four steps. No drama.
Planning
Audit universe, risk assessment, data extracts and calendar — all agreed with the promoter before fieldwork begins.
Field work
Walk-throughs, control testing, data-analytic procedures on full populations where data is available.
Reporting
Short and readable. The executive summary fits on one page. Each finding has a root cause and a recommendation.
Closure
Findings are tracked across audit committee cycles. Open issues do not get re-discovered next year.
FAQs.
We are a private company. Do we actually need internal audit?
Two answers — the legal one and the useful one. Legally, internal audit is mandatory under section 138 of the Companies Act, 2013 for listed companies and for unlisted and private companies that cross specific thresholds of paid-up capital, turnover, borrowing or deposits. The useful answer is different: the question to ask is whether the promoter wants a watchdog inside the business. If the promoter wants someone independent monitoring processes, flagging compliance risk and suggesting structural improvements, internal audit pays for itself many times over — long before the section-138 threshold is crossed.
Our statutory auditor already covers controls. Why is internal audit separate?
The statutory audit is a once-a-year exercise focused on whether the financial statements give a true and fair view. It looks at controls only to the extent needed to support that opinion. Internal audit is an ongoing examination of the process itself — designed to fix things during the year, not flag them after.
What does a “good” internal audit report look like in your view?
Short enough that the audit committee actually reads it. Honest about root cause rather than symptom. Specific about who owns the fix and by when. And accompanied by an open-issues tracker that survives across audit cycles. A 150-page report that gets filed unread is a failure of internal audit, not a success.
You talk about value addition. What does that look like in practice?
In practice, it means the audit ends with a small number of changes the promoter approves at the next board meeting — a redesigned vendor on-boarding flow, a new approval matrix, a reset of credit limits, the introduction of a four-eyes rule in payments. Findings without changes are an audit; findings with changes are a partnership.
How is your work different for listed entities versus closely held manufacturing groups?
Listed entities have to satisfy the audit committee, SEBI Listing Regulations and the section 143(3)(i) IFC requirement. The work is calendar-driven and report-driven. Closely held manufacturing groups give us more room to focus on operational risk — material movement, inventory, vendor risk, statutory compliance at plant level. We adjust the audit programme to match, not the other way around.
If internal audit is on the agenda for the coming year, write to info@dsomani.in.