Audit & Assurance · Internal & Operational Audits
Internal Audit
Internal Audit is management's own early-warning system — the function that finds control gaps, process leakage, and compliance exposure before your statutory auditor, your board, or a regulator does.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Internal Audit is management's own early-warning system — the function that finds control gaps, process leakage, and compliance exposure before your statutory auditor, your board, or a regulator does. At PNPC Global, we design and execute risk-based internal audit programmes that go well beyond a compliance checklist. We map your actual risk universe, test the controls that matter most to your business, and report findings in a form your Audit Committee and management can act on immediately. For companies where internal audit is mandatory under Section 138 of the Companies Act 2013, and for those where it is simply good governance, we deliver a function that earns its keep every quarter.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Internal Audit is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes — the definition adopted by the Institute of Internal Auditors (IIA) and reflected in the Standards on Internal Audit (SIA) issued by the Institute of Chartered Accountants of India (ICAI). Unlike statutory audit, which expresses an opinion on whether financial statements present a true and fair view for the benefit of external stakeholders, internal audit exists for management and the Audit Committee — it looks forward at risk and process design, not just backward at recorded transactions.
In India, internal audit moved from a matter of management discretion to a statutory obligation for a defined class of companies with Section 138 of the Companies Act 2013, read with Rule 13 of the Companies (Accounts) Rules, 2014. Every listed company must appoint an internal auditor. Unlisted public companies must appoint one if they cross prescribed thresholds of paid-up share capital, turnover, outstanding loans/borrowings, or outstanding deposits. Private companies must appoint one if they cross prescribed thresholds of turnover or outstanding loans/borrowings from banks or financial institutions. The internal auditor may be a Chartered Accountant, a Cost Accountant, or such other professional as the Board may decide, and may or may not be an employee of the company. Even where the statutory threshold is not crossed, an increasing number of boards, private equity investors, and lenders expect a functioning internal audit programme as a condition of good governance and, in many cases, as a covenant of the funding or credit agreement itself.
A well-designed internal audit programme is risk-based, not a rote annual walk-through of every department. It begins with a documented risk assessment covering financial, operational, compliance, fraud, IT, and strategic risk — and builds an annual audit plan, approved by the Audit Committee, that allocates audit hours to the areas of highest residual risk. Standard audit areas typically include procure-to-pay, order-to-cash, inventory and fixed assets, payroll and HR, treasury and banking, IT general controls and cybersecurity, statutory and tax compliance, related-party transactions, and any process specific to the entity's industry — manufacturing shop-floor controls, real estate project accounting, NBFC lending operations, or e-commerce reconciliation, for example.
The function reports functionally to the Audit Committee (or the Board, where no Audit Committee is mandated) and administratively to management — a reporting-line design intended to preserve independence. Findings are typically rated by severity (High/Medium/Low or Critical/Major/Minor), tracked to closure through a formal action-tracker, and summarised each quarter for the Audit Committee. Over a 12–18 month cycle, a mature internal audit function shifts management's posture from reactive firefighting to proactive risk management — and gives the Board defensible evidence, under Section 134(5) of the Companies Act, that the company has an adequate internal financial controls system operating effectively.
When Internal Audit is essential
Statutory threshold crossed under Section 138 read with Rule 13 — listed company, or a public/private company exceeding the prescribed turnover, paid-up capital, or borrowing thresholds — appointment is mandatory, not optional
Private equity or venture capital investors on the cap table — most institutional investors require a functioning internal audit programme as part of their governance and reporting covenants
Multi-location or multi-entity operations where management cannot personally observe every branch, warehouse, or subsidiary — internal audit becomes management's eyes and ears at scale
Recent or suspected instances of fraud, inventory shrinkage, cash leakage, or unexplained margin erosion — a targeted or forensic-leaning internal audit isolates root cause
Preparing for a fundraise, acquisition, or IPO — clean internal controls and a documented audit trail materially de-risk due diligence and reduce valuation-adjustment negotiations
Rapid headcount or revenue growth that has outpaced the maturity of internal processes and approval controls — a common inflection point where informal controls quietly break down
Banking covenants or loan agreements that specifically require an internal audit function or periodic internal control certification as a condition of the facility
Board or Audit Committee seeking independent assurance on the design and operating effectiveness of Internal Financial Controls (IFC) under Section 134(5)(e) of the Companies Act
When a lighter-touch alternative may fit better
Very early-stage startup with a handful of transactions per month and no institutional investors — a periodic management review or a light-touch process walkthrough may be more proportionate than a full internal audit programme
Small private company well below the Section 138/Rule 13 thresholds with simple, single-location operations — a strong month-end close and a good statutory audit may provide sufficient assurance for now
One-off due diligence need ahead of a specific transaction — a scoped financial or operational due diligence engagement is often more appropriate than standing up a recurring internal audit function
Organisation needs help designing controls from scratch rather than testing existing ones — an internal financial controls (IFC) design and documentation engagement should typically precede or run alongside the first audit cycle
Business is looking purely for statutory/tax compliance verification — a compliance health-check or statutory audit support engagement may be the more precise fit than a full risk-based internal audit
Internal Audit vs other assurance and review functions
| Feature | Internal Audit | Statutory Audit | Concurrent/Bank Audit | Forensic Audit | Tax Audit |
|---|---|---|---|---|---|
| Primary objective | Assurance + improvement on risk, controls, governance | Opinion on true and fair view of financial statements | Real-time transaction-level compliance check (mainly banks/NBFCs) | Investigate suspected fraud or financial irregularity | Verify compliance with Income-tax Act reporting requirements |
| Governing framework | Section 138 + Rule 13, Standards on Internal Audit (ICAI) | Section 139–148, Standards on Auditing (SA), Companies Act | RBI/regulator guidelines, bank's own concurrent audit policy | Engagement-specific scope, often court/regulator-directed | Tax audit provisions of the applicable Income-tax law, Form 3CA/3CB-3CD |
| Who appoints | Board, on Audit Committee recommendation | Shareholders at AGM, on Board recommendation | Bank/NBFC management or RBI mandate | Board, investor, lender, or regulator, as the situation demands | Board / proprietor / partners |
| Reporting line | Audit Committee (functional) + management (administrative) | Shareholders, via the Board | Bank's Audit Committee / RBI as required | Whoever commissioned the engagement | Tax authorities, via the assessee |
| Frequency | Continuous / quarterly cycles per approved annual plan | Annual, at financial year end | Monthly or quarterly, per RBI/bank policy | As triggered — not recurring by default | Annual, alongside the tax return |
| Mandatory for | Listed cos; public/private cos above Rule 13 thresholds | Every company registered under the Companies Act | Banks and NBFCs per RBI directives | Not statutorily mandatory — triggered by suspicion or requirement | Businesses/professionals above prescribed turnover limits |
| Scope focus | Risk-based — processes, controls, governance, compliance, IT | Financial statement assertions — accuracy, completeness, valuation | Transaction-level regulatory and process compliance | Specific allegation or irregularity, often with forensic evidence standards | Tax computation accuracy, prescribed particulars in Form 3CD |
| Outcome | Audit Committee report with rated findings and action tracker | Independent Auditor's Report with an opinion | Concurrent audit report to bank management/RBI | Investigation report, potentially usable in legal proceedings | Tax audit report filed with the Income-tax Department |
| Independence model | Functional independence from operations; may be in-house or outsourced | Statutorily independent — Section 144 bars the statutory auditor from also rendering internal audit services to the same company | Independent of the branch/unit being audited | Independent of the parties under investigation | Independent chartered accountant, distinct from statutory auditor in most cases |
These functions are frequently complementary rather than substitutable — a mature governance framework typically runs statutory audit, internal audit, and tax audit in parallel, each serving a distinct stakeholder and objective. Applicability thresholds and the precise scope for your entity should be confirmed with a practising CA based on your specific financial parameters and sector.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Applicability & Readiness Assessment | We first confirm whether Section 138/Rule 13 makes internal audit mandatory for your company — checking paid-up capital, turnover, and borrowing/deposit thresholds — and separately assess whether it is advisable even if not mandatory, given your investor base, lending covenants, or operational complexity. Generic providers often skip this and simply propose a standard package regardless of fit. | Week 1 |
| 2 | Entity & Risk Universe Mapping | We build a complete map of your business — entities, locations, functions, and key processes — as the foundation for the risk assessment. For multi-location or multi-entity groups, this determines which locations get audited in which cycle, not just a generic 'head office only' scope. | Week 1–2 |
| 3 | Risk Assessment & Materiality Setting | A structured risk assessment across financial, operational, compliance, fraud, IT, and strategic risk categories — rating each identified risk by likelihood and impact. This is the single most important step that separates a genuine risk-based internal audit from a rote checklist exercise, and it is the step most frequently rushed or skipped by low-cost providers. | Week 2–3 |
| 4 | Annual Internal Audit Plan — Audit Committee Approval | We draft the annual internal audit plan mapping audit hours to the highest-risk areas, present it to the Audit Committee (or Board) for review and formal approval, and align the plan to Section 138 requirements and any lender/investor covenant obligations. A plan not approved by the Audit Committee weakens its governance value and its defensibility in any subsequent scrutiny. | Week 3–4 |
| 5 | Internal Audit Charter & Terms of Engagement | We formalise the audit charter — scope, authority, independence, reporting lines, and access rights — signed off by the Audit Committee. This document protects the internal auditor's independence and gives the function the standing to escalate findings without being overridden by the department being audited. | Week 4 |
| 6 | Process Walkthroughs & Control Documentation | For each area in the plan, we document the 'as-is' process — who does what, what approvals exist, what system controls are configured — before testing anything. Many providers skip documentation and jump straight to sample testing, which produces findings without the process context needed to fix root cause. | Ongoing, per cycle |
| 7 | Control Testing — Design & Operating Effectiveness | We test whether controls are designed correctly and whether they actually operated as intended across the period under review — using a statistically reasoned sample size, not a token 3–5 transaction sample. Both design gaps and operating failures are reported separately, because the remediation is different for each. | Ongoing, per cycle |
| 8 | Fieldwork — Substantive Procedures & Data Analytics | Where useful, we apply data analytics across full transaction populations (not just samples) to identify outliers, duplicate payments, unusual journal entries, and process exceptions — a level of coverage a manual-only review cannot achieve. | Per audit cycle |
| 9 | Findings Rating & Draft Report | Every finding is rated by severity (Critical / High / Medium / Low), linked to the specific risk and control it relates to, and accompanied by a practical, implementable recommendation — not a generic 'strengthen controls' comment. Draft reports are shared with process owners for factual validation before finalisation. | 2–3 weeks per cycle |
| 10 | Management Response & Action Plan | We require a documented management response to every finding — agree, partially agree, or disagree, with reasons — and a committed remediation timeline and owner for each accepted finding. This converts the report from a static document into an actionable governance tool. | 1–2 weeks post-draft |
| 11 | Audit Committee Presentation | We present the finalised report directly to the Audit Committee — walking through key findings, risk ratings, and management's action plan — and respond to Committee questions in real time. This is where an internal audit function earns its credibility with the Board. | Per quarterly cycle |
| 12 | Follow-up & Closure Tracking | Open findings from every cycle are carried into a live action tracker and re-tested in the subsequent cycle to confirm actual closure — not just a management assertion that the issue is 'resolved'. Persistently open high-risk findings are specifically flagged for escalation. | Ongoing, every cycle |
| 13 | Annual Plan Refresh & Continuous Improvement | At year-end, the risk assessment and audit plan are refreshed based on the year's findings, business changes, and emerging risks — internal audit is a living programme, not a static annual exercise repeated unchanged year after year. | Annually, ahead of the new cycle |
Realistic timeline: 3–4 weeks from engagement to Audit Committee-approved annual plan; individual audit cycles typically run 3–6 weeks from fieldwork start to Audit Committee presentation, depending on scope and number of locations. Ongoing programmes typically run in quarterly cycles aligned to Audit Committee meeting frequency.
Certificate of Incorporation, Memorandum & Articles of Association — to understand entity structure, objects, and any specific governance provisions
Latest shareholding pattern and group/holding structure chart, including all subsidiaries and associate entities within scope
Board and Audit Committee composition, terms of reference, and minutes of the last 4–6 meetings
Existing internal audit charter, if any, and any prior year internal audit reports and closure status
Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value
Trial balance, general ledger extracts, and financial statements for the period(s) under review
Chart of accounts and accounting policies manual
Bank statements and bank reconciliation statements for all operating accounts
Fixed asset register and depreciation schedule
Statutory auditor's report and management letter from the most recent statutory audit, where available
Standard Operating Procedures (SOPs) for key processes in scope — procurement, sales, inventory, payroll, treasury
Organisation chart and job descriptions for functions being audited, to map segregation of duties
Sample purchase orders, sales invoices, goods receipt notes, and delivery challans for the sampling period
System access matrix — who has access to which ERP/accounting modules and at what permission level
List of related-party transactions and supporting Board/shareholder approvals under Section 188
GST returns (GSTR-1, GSTR-3B, GSTR-9) and reconciliation with books for the period under review
TDS returns and challans, and reconciliation with Form 26AS
PF, ESI, and Professional Tax challans and returns, where applicable
Copies of licences, registrations, and regulatory approvals relevant to the entity's sector
Details of any pending litigation, show-cause notices, or regulatory correspondence
List of ERP/accounting systems, key business applications, and hosting environment (on-premise/cloud)
IT policy documents — access control, data backup, business continuity/disaster recovery, if any exist
User access review reports and evidence of periodic access recertification
Details of any data breach, system downtime, or cybersecurity incident in the period under review
Employee master data, payroll register, and salary structure for the sample period
Employee onboarding and exit checklists, and evidence of background verification where applicable
Leave, reimbursement, and expense claim policies and sample claim records
Details of any employee-related investigations, disciplinary action, or whistleblower complaints received under the vigil mechanism
Previous internal audit reports (if any) and status of action items from prior cycles
Fraud risk register or any documented instances of fraud, theft, or irregularity in past years
Whistleblower/vigil mechanism policy and log of complaints received and their resolution status
Insurance policies covering fidelity, D&O, and business assets — for risk-assessment cross-reference
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Applicability Assessment | Company crosses Rule 13 thresholds, raises PE/VC funding, or Board decides on voluntary adoption | We assess Section 138/Rule 13 applicability precisely against your latest financials and borrowing position, and advise on voluntary adoption where investor or lender expectations warrant it even below the statutory threshold. | Mandatory appointment missed → non-compliance with Section 138, exposure flagged in statutory audit report and MCA scrutiny; investor/lender covenant breach if voluntarily committed but not delivered. |
| Charter & Plan Approval | Internal auditor appointed | Audit charter drafted for Audit Committee sign-off; risk assessment conducted; annual audit plan built and approved before fieldwork begins. | No approved charter/plan → internal audit lacks formal standing, findings can be dismissed by process owners, Audit Committee has no basis to hold management accountable. |
| First Audit Cycle | Kick-off of fieldwork per approved plan | Process walkthroughs, control testing, and substantive procedures executed per the plan; findings rated and validated with process owners before finalisation. | Rushed or checklist-only fieldwork → high-risk control gaps go undetected until they surface as losses, fraud, or statutory audit qualifications. |
| Reporting & Audit Committee Review | Draft report finalised | Findings presented to the Audit Committee with clear risk ratings, root-cause analysis, and management's committed action plan. | Findings not escalated to the Audit Committee → the Board has no independent visibility into control weaknesses, undermining the Section 134(5) internal financial controls certification. |
| Remediation & Follow-up | Management commits to action plan | Open items tracked to closure and re-tested in the next cycle; persistently unresolved high-risk items specifically flagged for escalation. | Findings repeatedly closed 'on paper' without real remediation → the same control failure recurs, and repeat findings damage the credibility of both management and the audit function. |
| Annual Cycle Refresh | Financial year end / Audit Committee calendar | Risk assessment and audit plan refreshed for the new year based on findings, business changes (new locations, products, systems), and emerging risks. | Static, unchanged audit plan year after year → the function drifts into a compliance ritual and stops adding real assurance value as the business evolves. |
| Scale-Up / M&A / IPO Readiness | Fundraise, acquisition, or listing process begins | Internal audit scope extended to cover newly acquired entities, IPO-readiness control gaps identified early, and internal financial controls (IFC) documentation strengthened ahead of due diligence. | Weak or undocumented internal controls discovered during diligence → valuation adjustments, deal delays, or onerous post-closing indemnities imposed by the counterparty. |
| Fraud or Irregularity Detected | Internal audit or whistleblower flags suspected fraud | Scope escalated to a focused or forensic-leaning review; findings documented to a standard usable in disciplinary, legal, or insurance-claim proceedings where required. | Suspected fraud not investigated with appropriate rigour → evidence degrades, recovery becomes harder, and the matter can resurface as a statutory audit qualification or regulatory issue. |
Internal audit is not a one-time filing but a recurring governance cycle spanning the life of the company — each phase feeds the next, and skipping a phase (particularly follow-up and closure tracking) is where most internal audit programmes lose their value over time.
What exactly is Internal Audit, in plain terms?
It is an independent review — conducted by a Chartered Accountant or a qualified professional — of how well your company's processes, controls, and risk management actually work in practice, not just on paper. Where a statutory audit checks whether your financial statements are accurate, internal audit checks whether the processes that produce those numbers, and the controls that protect your assets and compliance position, are sound. It reports to your Audit Committee or Board, not to external shareholders, and its purpose is improvement as much as assurance.
Is Internal Audit mandatory for my company?
It depends on your company type and financial parameters under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014. Every listed company must appoint an internal auditor. Unlisted public companies must appoint one on crossing prescribed thresholds of paid-up share capital, turnover, outstanding loans/borrowings from banks or financial institutions, or outstanding deposits. Private companies must appoint one on crossing prescribed thresholds of turnover, or outstanding loans/borrowings from banks or financial institutions. The precise threshold figures are set out in Rule 13 and should be checked against your latest audited financials — we do this assessment as the first step of every engagement.
Who can be appointed as the Internal Auditor under the Companies Act?
Under Section 138, the internal auditor may be a Chartered Accountant (whether engaged in practice or not), a Cost Accountant, or such other professional as the Board may decide. The internal auditor may or may not be an employee of the company. In practice, most companies either appoint an external CA firm (an outsourced or co-sourced model) or build an in-house internal audit team led by a qualified professional, sometimes supplemented by an external firm for specialist areas like IT audit or forensic review.
Can the statutory auditor also act as the internal auditor of the same company?
No. Section 144 of the Companies Act 2013 explicitly prohibits an auditor appointed under Section 139 (statutory auditor) from rendering internal audit services to the company, directly or indirectly, whether the service is provided by the auditor themselves or through a related entity. This is one of the specified non-audit services barred to preserve auditor independence.
How is Internal Audit different from a Statutory Audit?
Statutory audit is a legally mandated annual examination of financial statements, resulting in an opinion addressed to shareholders on whether the statements present a true and fair view, governed by the Standards on Auditing and reported under Section 143. Internal audit is a continuous, risk-based assurance and consulting function reporting to the Audit Committee/Board, governed by the Standards on Internal Audit issued by ICAI, and its scope covers process design, control effectiveness, compliance, fraud risk, and operational efficiency — well beyond financial statement assertions alone. The two functions are complementary: a well-run internal audit programme materially reduces the surprises a statutory auditor finds at year end.
What is the difference between Internal Audit and Internal Financial Controls (IFC) testing?
Internal Financial Controls (IFC), as referenced in Section 134(5)(e) and tested by the statutory auditor under Section 143(3)(i) for applicable companies, focuses specifically on controls over financial reporting — ensuring the accuracy and reliability of financial statements and safeguarding of assets from that lens. Internal Audit has a broader mandate covering operational efficiency, compliance, fraud risk, IT controls, and strategic risk, in addition to financial controls. In practice, the two overlap significantly, and a well-designed internal audit programme often generates the evidence base that supports the company's own IFC assertion and the statutory auditor's IFC opinion.
How does PNPC decide what to audit each year?
We start with a structured risk assessment across financial, operational, compliance, fraud, IT, and strategic risk categories specific to your business and sector — not a generic template. Each identified risk is rated by likelihood and impact, and the annual audit plan allocates audit hours to the highest-residual-risk areas first. The plan is presented to and approved by your Audit Committee before fieldwork begins, and it is refreshed annually as your business, systems, and risk profile evolve.
How often are internal audits conducted — annually, or more frequently?
Most companies run internal audit in quarterly cycles aligned to their Audit Committee meeting calendar — each cycle covering a defined set of locations, processes, or entities from the annual plan, with findings reported to the Committee each quarter. Higher-risk areas or higher-risk entities within a group may be audited more than once a year; lower-risk, stable areas may be covered once annually or even once every two years, depending on the risk assessment. A purely annual, once-a-year internal audit is common for smaller companies but generally provides less timely assurance than a quarterly cycle.
What does a typical Internal Audit report look like?
A well-structured internal audit report includes: an executive summary for the Audit Committee, the scope and period covered, a risk-rated list of findings (typically Critical/High/Medium/Low), the root cause of each finding, a specific and implementable recommendation, management's response (agree/partially agree/disagree, with reasons), a committed remediation owner and timeline for each accepted finding, and a status update on findings carried forward from prior cycles. The report should be specific to your processes and systems — not generic boilerplate language that could apply to any company.
What happens if internal audit findings are not remediated?
Open findings are carried forward into the next audit cycle and re-tested to verify actual closure, not just a management assertion. Persistently unresolved high-risk findings are specifically flagged for escalation to the Audit Committee and, where warranted, to the Board. Unremediated control weaknesses can also surface independently — as a statutory audit qualification, a material weakness noted in the Section 143(3)(i) internal financial controls opinion, an actual loss event, or a regulatory finding — at which point the cost of the original gap is usually far higher than the cost of timely remediation would have been.
Does Internal Audit help prevent or detect fraud?
Internal audit is not primarily a fraud investigation function, but a well-designed risk-based programme — particularly one incorporating fraud risk assessment, segregation-of-duties testing, and data analytics across full transaction populations — meaningfully increases the likelihood that fraud indicators are identified early, before losses compound. Where internal audit identifies a red flag suggesting fraud, the appropriate response is to escalate and, if warranted, commission a focused or forensic review with an appropriately elevated evidentiary standard — internal audit procedures alone are not typically designed or documented to the standard required for legal or disciplinary proceedings.
What is the Standards on Internal Audit (SIA), and does PNPC follow them?
The Standards on Internal Audit (SIA) are issued by the Institute of Chartered Accountants of India (ICAI) through its Internal Audit Standards Board, providing a structured framework covering planning, risk assessment, evidence, documentation, reporting, and quality control for internal audit engagements conducted by Chartered Accountants in India. PNPC's internal audit methodology is built around this framework, adapted to each client's size, sector, and risk profile.
Can Internal Audit be outsourced entirely, or does the company need its own team?
Both models are legally valid and common in practice. A fully outsourced model — where an external CA firm like PNPC serves as the entire internal audit function — is common for mid-sized companies without the scale to justify a dedicated in-house team, and it also brings independence and cross-industry benchmarking. A co-sourced model — an in-house internal audit head supplemented by an external firm for specialist areas (IT audit, forensic reviews, specific high-risk locations) or for peak-period capacity — suits larger organisations. A fully in-house model is more common for large listed companies with the scale to justify a dedicated internal audit department led by a Chief Internal Auditor.
How much does an Internal Audit engagement with PNPC cost?
PNPC prices internal audit engagements based on the scope agreed in the annual audit plan — the number of locations/entities, the audit areas covered, the frequency of cycles, and the complexity of your systems and operations. We provide a written scope and fee proposal before any engagement begins, typically structured as an annual retainer covering the agreed number of audit cycles. We do not price on a generic 'per company' basis because the actual work required varies enormously between a single-location services business and a multi-location manufacturing group.
Why should we engage PNPC for Internal Audit rather than a lower-cost provider?
A genuinely risk-based internal audit function requires practising CAs who understand both the statutory framework and your specific business and sector — not a generic checklist applied uniformly across clients. PNPC has been a practising CA firm since 1986, with teams across Chennai, Bangalore, Hyderabad, and Dubai. We build a documented risk assessment specific to your business before setting the audit plan, present findings directly to your Audit Committee, track every finding to actual closure with re-testing (not a self-certified 'resolved' status), and stay engaged year-round as your business and risk profile evolve — not as a once-a-year filing exercise.
Does a small private company benefit from a voluntary Internal Audit even if not legally required?
Often, yes — particularly where the company has multiple locations the founder cannot personally oversee, has taken on institutional investors who expect governance discipline, has experienced rapid growth that has outpaced its informal controls, or is preparing for a future fundraise or acquisition. A scoped, proportionate internal audit — even a lighter-touch annual review rather than a full quarterly programme — can identify control gaps and process inefficiencies well before they become costly. The right scope and frequency should be proportionate to the company's actual risk profile, not a one-size package.
What is the role of the Audit Committee in Internal Audit?
Under Section 177 of the Companies Act 2013, the Audit Committee (mandatory for listed companies and certain classes of public companies) is responsible for overseeing the internal audit function — reviewing and approving the annual audit plan, reviewing findings and management responses, monitoring the adequacy of internal controls, and evaluating the internal audit function's effectiveness. Where a company is not statutorily required to have an Audit Committee, the Board typically performs this oversight role directly.
How does Internal Audit interact with IT systems and cybersecurity?
IT general controls — user access management, change management, data backup, and system security configuration — are a standard component of a modern risk-based internal audit plan, because financial and operational controls increasingly depend on the integrity of the underlying systems. Where the risk assessment identifies elevated cybersecurity or IT risk, the audit plan may include a dedicated IT audit or cybersecurity review, potentially involving specialist technical resources in addition to the core internal audit team.
What is a risk-based internal audit approach, and why does it matter?
A risk-based approach allocates audit time and depth in proportion to the actual risk each area poses to the organisation, determined through a structured, documented risk assessment — rather than auditing every department equally, or repeating the same fixed checklist every year regardless of what has changed in the business. It ensures that scarce audit hours are spent where a control failure would cause the most damage, and that the audit plan evolves as new risks emerge (a new product line, a new location, a new system) rather than staying static.
What is sampling in Internal Audit, and how does PNPC size its samples?
Because it is usually impractical to test every single transaction in a process, internal audit relies on sampling — testing a representative subset of transactions to draw a defensible conclusion about the population as a whole. Sample sizes are set based on the population size, the risk rating of the process, and the desired confidence level — not an arbitrary fixed number like 'we test 5 invoices.' Where the volume and system access allow, we supplement sampling with full-population data analytics to identify specific outliers and exceptions that a sample alone might miss.
How does Internal Audit handle related-party transactions?
Related-party transactions are a standard high-risk area in any internal audit plan, given the requirements of Section 188 of the Companies Act and the potential for related-party dealings to be used to move value out of the company on non-arm's-length terms. Internal audit typically tests whether related-party transactions have the required Board/Audit Committee/shareholder approvals, whether pricing is on an arm's-length or otherwise justified basis, and whether the disclosures in the financial statements and related-party register are complete and accurate.
Can Internal Audit cover subsidiaries and group entities, not just the parent company?
Yes, and for groups with multiple entities this is often essential — control weaknesses at a subsidiary can create financial or reputational exposure for the entire group, and consolidated financial statements depend on the integrity of each entity's underlying records. The annual audit plan should explicitly map which entities and locations are in scope for each cycle, based on their individual risk profile, rather than defaulting to parent-company-only coverage.
What triggers an internal audit finding to be rated as 'Critical' or 'High' risk?
Rating criteria vary by firm but generally consider the potential financial impact, the likelihood of recurrence, whether the gap indicates a control that is completely absent (design failure) versus one that exists but was not followed on a given occasion (operating failure), and whether the issue has implications for regulatory compliance, fraud exposure, or the integrity of financial reporting. A missing approval on a single low-value transaction is typically rated differently from a systemic absence of segregation of duties in the payment process.
What is the difference between a 'design deficiency' and an 'operating effectiveness' finding?
A design deficiency means the control, as designed, would not prevent or detect the risk it is meant to address even if performed exactly as intended — for example, an approval workflow that does not require a second signatory for high-value payments. An operating effectiveness finding means the control is properly designed, but was not consistently performed in practice during the period tested — for example, a required approval step exists in policy but was bypassed for certain transactions. The remediation for each is different: a design deficiency requires redesigning the control itself, while an operating effectiveness gap may require training, enforcement, or a system-based control to prevent bypass.
How does Internal Audit support a company preparing for an IPO or acquisition?
Investors and IPO due diligence teams place significant weight on the maturity of a company's internal controls and governance track record. A well-documented internal audit history — showing a genuine risk-based methodology, findings tracked to closure, and Audit Committee engagement over multiple cycles — is direct evidence of governance maturity that can materially smooth due diligence, reduce the scope of pre-deal control remediation demanded by the counterparty, and support the Internal Financial Controls disclosures required in an IPO prospectus.
What is a 'management letter' and how is it different from the main Internal Audit report?
In some engagements, in addition to the main risk-rated findings report presented to the Audit Committee, the internal auditor may issue a management letter to specific process owners — covering lower-severity observations, process improvement suggestions, or matters better addressed operationally rather than through Audit Committee escalation. Practice varies by firm; PNPC agrees the reporting structure — whether a single consolidated report or a main report plus a supplementary management letter — with each client's Audit Committee at the start of the engagement.
Does PNPC use data analytics or is Internal Audit purely manual sampling?
Where the client's systems and data access permit, we apply data analytics across full transaction populations — for example, testing every journal entry in a period for unusual characteristics, every vendor payment for duplicate or split-invoice patterns, and every user access log for dormant or excessive privileges — rather than relying solely on a manual sample. This extends coverage well beyond what manual sampling alone can achieve, particularly for high-volume processes like accounts payable and payroll.
What happens during the first Internal Audit cycle with a new client — is it different from later cycles?
The first cycle typically includes more foundational work — entity and process mapping, a full risk assessment from scratch (rather than a refresh of an existing one), documenting the Delegation of Authority matrix if one does not already exist in usable form, and agreeing the audit charter and reporting protocol with the Audit Committee. Findings in the first cycle also tend to be higher in volume, simply because many companies are being reviewed with this level of rigour for the first time. Subsequent cycles build on this foundation, focus more narrowly on the highest-risk areas identified, and specifically re-test prior findings for closure.
Can Internal Audit findings be shared with the statutory auditor?
Yes, and it is generally good practice for them to be shared, with the Audit Committee's knowledge. Statutory auditors frequently request internal audit reports as part of their own risk assessment and reliance considerations under the Standards on Auditing — a well-run internal audit function can, in some circumstances, allow the statutory auditor to place a degree of reliance on internal audit work for specific areas, which can reduce duplication of effort (though it never eliminates the statutory auditor's own independent responsibility and testing).
Is Internal Audit relevant for NBFCs, and does PNPC handle sector-specific requirements?
Yes — NBFCs are subject to specific RBI directions on internal audit, including, for larger and systemically important NBFCs, a requirement for a Risk-Based Internal Audit (RBIA) framework aligned to RBI's guidelines, in addition to the Companies Act requirements applicable to them as companies. Internal audit scope for an NBFC typically includes lending operations, credit appraisal and sanctioning controls, asset classification and provisioning (NPA recognition), KYC/AML compliance, and treasury operations, alongside the standard corporate process areas.
How does Internal Audit differ for a manufacturing company versus a services company?
For a manufacturing company, the risk assessment typically weights inventory management, shop-floor production controls, quality control documentation, fixed asset and capital expenditure controls, and factory-level statutory compliance (labour law, pollution control, factory licences) more heavily. For a services company, the emphasis usually shifts toward revenue recognition and unbilled revenue, employee cost and utilisation, client contract compliance, and data/IT controls given the more people- and systems-intensive nature of the business. The core methodology is the same — a documented, risk-based approach — but the specific audit areas and testing procedures are tailored to the sector.
What is co-sourcing, and when does it make sense over full outsourcing?
Co-sourcing is a hybrid model where a company retains its own in-house internal audit team or head, and engages an external firm like PNPC to supplement specific areas — such as specialist IT audit, a forensic-leaning review, coverage of a specific high-risk location, or additional bandwidth during peak reporting periods. It suits organisations large enough to justify an in-house function but that still want independent specialist input or capacity flexibility, without building every specialism in-house.
Does PNPC provide Internal Audit services across India and the UAE?
Yes. PNPC operates from Chennai, Bangalore, and Hyderabad in India, and from Dubai in the UAE. For groups with operations or entities in both jurisdictions, we run a coordinated internal audit programme rather than splitting the engagement between two disconnected firms — the risk assessment, reporting cadence, and Audit Committee presentation are unified across the group, even where entity-specific regulatory context (Companies Act in India, UAE Commercial Companies Law and free zone regulations in the UAE) differs.
What does the PNPC Internal Audit engagement package include?
A typical PNPC internal audit engagement includes: applicability and readiness assessment against Section 138/Rule 13; entity and process risk mapping specific to your business; a documented, Audit Committee-approved annual risk assessment and audit plan; a formal audit charter defining scope, authority, and reporting lines; process walkthroughs and control documentation; risk-based sample and/or full-population testing per cycle; a risk-rated findings report with root-cause analysis and specific recommendations; direct presentation to your Audit Committee each cycle; a live action tracker with follow-up re-testing of prior findings; and an annual refresh of the risk assessment and plan. The exact scope, number of cycles, and locations covered are agreed and priced in writing before the engagement begins.
| Feature | Low-Cost / Generic Provider | In-House Only | PNPC Global |
|---|---|---|---|
| Risk Assessment | Generic template, rarely revisited | Depends entirely on in-house team's independence and bandwidth | Documented, business-specific risk assessment, refreshed every year, approved by the Audit Committee |
| Independence | Nominal — often limited engagement depth | Structurally constrained — reports within the same organisation it audits | Genuinely independent external CA firm with a direct Audit Committee reporting line |
| Sampling Methodology | Fixed, token sample sizes regardless of population | Varies by in-house team maturity and tooling | Risk-based sample sizing, supplemented with full-population data analytics where feasible |
| Findings Quality | Generic, template-driven, minimal root-cause analysis | Can be strong, but limited by internal politics and visibility | Specific, root-caused, rated findings with implementable recommendations |
| Follow-up & Closure | Rarely re-tested — 'closed' on management's word alone | Depends on team discipline and Audit Committee pressure | Every finding re-tested in the next cycle before being marked closed |
| Sector & Cross-Industry Insight | Limited — one-size-fits-all methodology | Deep on own company, limited external benchmarking | Cross-industry pattern recognition from decades of CA practice across sectors |
| India-UAE Coordination | Not offered | Not applicable unless group has its own multi-jurisdiction team | Unified programme across India and UAE entities from Chennai/Bangalore/Hyderabad and Dubai offices |
| Audit Committee Engagement | Report emailed, limited live discussion | Direct, but may lack external perspective and benchmarking | Direct presentation each cycle, with cross-industry context and candid escalation |
| Relationship Model | Transactional, priced to minimise scope | Employment relationship — subject to internal reporting pressures | Independent, practising-CA relationship — engagement continuity, not deal-by-deal pricing |
What the PNPC package includes
- 01
Section 138 / Rule 13 applicability assessment against your latest financials — mandatory or advisable, assessed precisely, not assumed
- 02
Business-specific risk assessment across financial, operational, compliance, fraud, IT, and strategic risk categories
- 03
Audit Committee-approved annual internal audit plan mapping audit hours to the highest-risk areas
- 04
Formal internal audit charter defining scope, authority, independence, and reporting lines
- 05
Process walkthroughs and control documentation before any testing begins
- 06
Risk-based control testing — design and operating effectiveness, tested and reported separately
- 07
Data analytics across full transaction populations where systems and access permit — not sampling alone
- 08
Risk-rated findings report (Critical/High/Medium/Low) with root-cause analysis and specific, implementable recommendations
- 09
Documented management response required for every finding before the report is finalised
- 10
Direct presentation to your Audit Committee every audit cycle, with candid discussion — not just an emailed PDF
- 11
Live action tracker with follow-up re-testing of every prior finding before it is marked closed
- 12
Annual refresh of the risk assessment and audit plan as your business and risk profile evolve
- 13
Coordinated India-UAE coverage for groups with entities in both jurisdictions
- 14
Direct contact with your engagement CA — by phone and WhatsApp — not a support queue
Speak directly with a PNPC Chartered Accountant about your internal audit obligations and risk profile. Not a template checklist, not a once-a-year filing exercise — a practising CA firm that has been testing controls and reporting to Audit Committees since 1986, and that treats your risk register as seriously as you do.