HomeServicesAudit & AssuranceInternal Audit

Audit & Assurance · Internal & Operational Audits

Internal Audit

Internal Audit is management's own early-warning system — the function that finds control gaps, process leakage, and compliance exposure before your statutory auditor, your board, or a regulator does.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Internal Audit is management's own early-warning system — the function that finds control gaps, process leakage, and compliance exposure before your statutory auditor, your board, or a regulator does. At PNPC Global, we design and execute risk-based internal audit programmes that go well beyond a compliance checklist. We map your actual risk universe, test the controls that matter most to your business, and report findings in a form your Audit Committee and management can act on immediately. For companies where internal audit is mandatory under Section 138 of the Companies Act 2013, and for those where it is simply good governance, we deliver a function that earns its keep every quarter.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Internal Audit is

Internal Audit is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes — the definition adopted by the Institute of Internal Auditors (IIA) and reflected in the Standards on Internal Audit (SIA) issued by the Institute of Chartered Accountants of India (ICAI). Unlike statutory audit, which expresses an opinion on whether financial statements present a true and fair view for the benefit of external stakeholders, internal audit exists for management and the Audit Committee — it looks forward at risk and process design, not just backward at recorded transactions.

In India, internal audit moved from a matter of management discretion to a statutory obligation for a defined class of companies with Section 138 of the Companies Act 2013, read with Rule 13 of the Companies (Accounts) Rules, 2014. Every listed company must appoint an internal auditor. Unlisted public companies must appoint one if they cross prescribed thresholds of paid-up share capital, turnover, outstanding loans/borrowings, or outstanding deposits. Private companies must appoint one if they cross prescribed thresholds of turnover or outstanding loans/borrowings from banks or financial institutions. The internal auditor may be a Chartered Accountant, a Cost Accountant, or such other professional as the Board may decide, and may or may not be an employee of the company. Even where the statutory threshold is not crossed, an increasing number of boards, private equity investors, and lenders expect a functioning internal audit programme as a condition of good governance and, in many cases, as a covenant of the funding or credit agreement itself.

A well-designed internal audit programme is risk-based, not a rote annual walk-through of every department. It begins with a documented risk assessment covering financial, operational, compliance, fraud, IT, and strategic risk — and builds an annual audit plan, approved by the Audit Committee, that allocates audit hours to the areas of highest residual risk. Standard audit areas typically include procure-to-pay, order-to-cash, inventory and fixed assets, payroll and HR, treasury and banking, IT general controls and cybersecurity, statutory and tax compliance, related-party transactions, and any process specific to the entity's industry — manufacturing shop-floor controls, real estate project accounting, NBFC lending operations, or e-commerce reconciliation, for example.

The function reports functionally to the Audit Committee (or the Board, where no Audit Committee is mandated) and administratively to management — a reporting-line design intended to preserve independence. Findings are typically rated by severity (High/Medium/Low or Critical/Major/Minor), tracked to closure through a formal action-tracker, and summarised each quarter for the Audit Committee. Over a 12–18 month cycle, a mature internal audit function shifts management's posture from reactive firefighting to proactive risk management — and gives the Board defensible evidence, under Section 134(5) of the Companies Act, that the company has an adequate internal financial controls system operating effectively.

When Internal Audit is essential

Statutory threshold crossed under Section 138 read with Rule 13 — listed company, or a public/private company exceeding the prescribed turnover, paid-up capital, or borrowing thresholds — appointment is mandatory, not optional

Private equity or venture capital investors on the cap table — most institutional investors require a functioning internal audit programme as part of their governance and reporting covenants

Multi-location or multi-entity operations where management cannot personally observe every branch, warehouse, or subsidiary — internal audit becomes management's eyes and ears at scale

Recent or suspected instances of fraud, inventory shrinkage, cash leakage, or unexplained margin erosion — a targeted or forensic-leaning internal audit isolates root cause

Preparing for a fundraise, acquisition, or IPO — clean internal controls and a documented audit trail materially de-risk due diligence and reduce valuation-adjustment negotiations

Rapid headcount or revenue growth that has outpaced the maturity of internal processes and approval controls — a common inflection point where informal controls quietly break down

Banking covenants or loan agreements that specifically require an internal audit function or periodic internal control certification as a condition of the facility

Board or Audit Committee seeking independent assurance on the design and operating effectiveness of Internal Financial Controls (IFC) under Section 134(5)(e) of the Companies Act

When a lighter-touch alternative may fit better

Very early-stage startup with a handful of transactions per month and no institutional investors — a periodic management review or a light-touch process walkthrough may be more proportionate than a full internal audit programme

Small private company well below the Section 138/Rule 13 thresholds with simple, single-location operations — a strong month-end close and a good statutory audit may provide sufficient assurance for now

One-off due diligence need ahead of a specific transaction — a scoped financial or operational due diligence engagement is often more appropriate than standing up a recurring internal audit function

Organisation needs help designing controls from scratch rather than testing existing ones — an internal financial controls (IFC) design and documentation engagement should typically precede or run alongside the first audit cycle

Business is looking purely for statutory/tax compliance verification — a compliance health-check or statutory audit support engagement may be the more precise fit than a full risk-based internal audit

Structure Comparison

Internal Audit vs other assurance and review functions

FeatureInternal AuditStatutory AuditConcurrent/Bank AuditForensic AuditTax Audit
Primary objectiveAssurance + improvement on risk, controls, governanceOpinion on true and fair view of financial statementsReal-time transaction-level compliance check (mainly banks/NBFCs)Investigate suspected fraud or financial irregularityVerify compliance with Income-tax Act reporting requirements
Governing frameworkSection 138 + Rule 13, Standards on Internal Audit (ICAI)Section 139–148, Standards on Auditing (SA), Companies ActRBI/regulator guidelines, bank's own concurrent audit policyEngagement-specific scope, often court/regulator-directedTax audit provisions of the applicable Income-tax law, Form 3CA/3CB-3CD
Who appointsBoard, on Audit Committee recommendationShareholders at AGM, on Board recommendationBank/NBFC management or RBI mandateBoard, investor, lender, or regulator, as the situation demandsBoard / proprietor / partners
Reporting lineAudit Committee (functional) + management (administrative)Shareholders, via the BoardBank's Audit Committee / RBI as requiredWhoever commissioned the engagementTax authorities, via the assessee
FrequencyContinuous / quarterly cycles per approved annual planAnnual, at financial year endMonthly or quarterly, per RBI/bank policyAs triggered — not recurring by defaultAnnual, alongside the tax return
Mandatory forListed cos; public/private cos above Rule 13 thresholdsEvery company registered under the Companies ActBanks and NBFCs per RBI directivesNot statutorily mandatory — triggered by suspicion or requirementBusinesses/professionals above prescribed turnover limits
Scope focusRisk-based — processes, controls, governance, compliance, ITFinancial statement assertions — accuracy, completeness, valuationTransaction-level regulatory and process complianceSpecific allegation or irregularity, often with forensic evidence standardsTax computation accuracy, prescribed particulars in Form 3CD
OutcomeAudit Committee report with rated findings and action trackerIndependent Auditor's Report with an opinionConcurrent audit report to bank management/RBIInvestigation report, potentially usable in legal proceedingsTax audit report filed with the Income-tax Department
Independence modelFunctional independence from operations; may be in-house or outsourcedStatutorily independent — Section 144 bars the statutory auditor from also rendering internal audit services to the same companyIndependent of the branch/unit being auditedIndependent of the parties under investigationIndependent chartered accountant, distinct from statutory auditor in most cases

These functions are frequently complementary rather than substitutable — a mature governance framework typically runs statutory audit, internal audit, and tax audit in parallel, each serving a distinct stakeholder and objective. Applicability thresholds and the precise scope for your entity should be confirmed with a practising CA based on your specific financial parameters and sector.

How it works
#Stage & What PNPC DoesWhat Generic Providers SkipTimeline
1Applicability & Readiness AssessmentWe first confirm whether Section 138/Rule 13 makes internal audit mandatory for your company — checking paid-up capital, turnover, and borrowing/deposit thresholds — and separately assess whether it is advisable even if not mandatory, given your investor base, lending covenants, or operational complexity. Generic providers often skip this and simply propose a standard package regardless of fit.Week 1
2Entity & Risk Universe MappingWe build a complete map of your business — entities, locations, functions, and key processes — as the foundation for the risk assessment. For multi-location or multi-entity groups, this determines which locations get audited in which cycle, not just a generic 'head office only' scope.Week 1–2
3Risk Assessment & Materiality SettingA structured risk assessment across financial, operational, compliance, fraud, IT, and strategic risk categories — rating each identified risk by likelihood and impact. This is the single most important step that separates a genuine risk-based internal audit from a rote checklist exercise, and it is the step most frequently rushed or skipped by low-cost providers.Week 2–3
4Annual Internal Audit Plan — Audit Committee ApprovalWe draft the annual internal audit plan mapping audit hours to the highest-risk areas, present it to the Audit Committee (or Board) for review and formal approval, and align the plan to Section 138 requirements and any lender/investor covenant obligations. A plan not approved by the Audit Committee weakens its governance value and its defensibility in any subsequent scrutiny.Week 3–4
5Internal Audit Charter & Terms of EngagementWe formalise the audit charter — scope, authority, independence, reporting lines, and access rights — signed off by the Audit Committee. This document protects the internal auditor's independence and gives the function the standing to escalate findings without being overridden by the department being audited.Week 4
6Process Walkthroughs & Control DocumentationFor each area in the plan, we document the 'as-is' process — who does what, what approvals exist, what system controls are configured — before testing anything. Many providers skip documentation and jump straight to sample testing, which produces findings without the process context needed to fix root cause.Ongoing, per cycle
7Control Testing — Design & Operating EffectivenessWe test whether controls are designed correctly and whether they actually operated as intended across the period under review — using a statistically reasoned sample size, not a token 3–5 transaction sample. Both design gaps and operating failures are reported separately, because the remediation is different for each.Ongoing, per cycle
8Fieldwork — Substantive Procedures & Data AnalyticsWhere useful, we apply data analytics across full transaction populations (not just samples) to identify outliers, duplicate payments, unusual journal entries, and process exceptions — a level of coverage a manual-only review cannot achieve.Per audit cycle
9Findings Rating & Draft ReportEvery finding is rated by severity (Critical / High / Medium / Low), linked to the specific risk and control it relates to, and accompanied by a practical, implementable recommendation — not a generic 'strengthen controls' comment. Draft reports are shared with process owners for factual validation before finalisation.2–3 weeks per cycle
10Management Response & Action PlanWe require a documented management response to every finding — agree, partially agree, or disagree, with reasons — and a committed remediation timeline and owner for each accepted finding. This converts the report from a static document into an actionable governance tool.1–2 weeks post-draft
11Audit Committee PresentationWe present the finalised report directly to the Audit Committee — walking through key findings, risk ratings, and management's action plan — and respond to Committee questions in real time. This is where an internal audit function earns its credibility with the Board.Per quarterly cycle
12Follow-up & Closure TrackingOpen findings from every cycle are carried into a live action tracker and re-tested in the subsequent cycle to confirm actual closure — not just a management assertion that the issue is 'resolved'. Persistently open high-risk findings are specifically flagged for escalation.Ongoing, every cycle
13Annual Plan Refresh & Continuous ImprovementAt year-end, the risk assessment and audit plan are refreshed based on the year's findings, business changes, and emerging risks — internal audit is a living programme, not a static annual exercise repeated unchanged year after year.Annually, ahead of the new cycle

Realistic timeline: 3–4 weeks from engagement to Audit Committee-approved annual plan; individual audit cycles typically run 3–6 weeks from fieldwork start to Audit Committee presentation, depending on scope and number of locations. Ongoing programmes typically run in quarterly cycles aligned to Audit Committee meeting frequency.

Document Checklist
Corporate & Governance Documents

Certificate of Incorporation, Memorandum & Articles of Association — to understand entity structure, objects, and any specific governance provisions

Latest shareholding pattern and group/holding structure chart, including all subsidiaries and associate entities within scope

Board and Audit Committee composition, terms of reference, and minutes of the last 4–6 meetings

Existing internal audit charter, if any, and any prior year internal audit reports and closure status

Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value

Financial & Accounting Records

Trial balance, general ledger extracts, and financial statements for the period(s) under review

Chart of accounts and accounting policies manual

Bank statements and bank reconciliation statements for all operating accounts

Fixed asset register and depreciation schedule

Statutory auditor's report and management letter from the most recent statutory audit, where available

Process & Operational Documentation

Standard Operating Procedures (SOPs) for key processes in scope — procurement, sales, inventory, payroll, treasury

Organisation chart and job descriptions for functions being audited, to map segregation of duties

Sample purchase orders, sales invoices, goods receipt notes, and delivery challans for the sampling period

System access matrix — who has access to which ERP/accounting modules and at what permission level

List of related-party transactions and supporting Board/shareholder approvals under Section 188

Compliance & Statutory Records

GST returns (GSTR-1, GSTR-3B, GSTR-9) and reconciliation with books for the period under review

TDS returns and challans, and reconciliation with Form 26AS

PF, ESI, and Professional Tax challans and returns, where applicable

Copies of licences, registrations, and regulatory approvals relevant to the entity's sector

Details of any pending litigation, show-cause notices, or regulatory correspondence

IT & Systems Environment

List of ERP/accounting systems, key business applications, and hosting environment (on-premise/cloud)

IT policy documents — access control, data backup, business continuity/disaster recovery, if any exist

User access review reports and evidence of periodic access recertification

Details of any data breach, system downtime, or cybersecurity incident in the period under review

HR & Payroll

Employee master data, payroll register, and salary structure for the sample period

Employee onboarding and exit checklists, and evidence of background verification where applicable

Leave, reimbursement, and expense claim policies and sample claim records

Details of any employee-related investigations, disciplinary action, or whistleblower complaints received under the vigil mechanism

Prior Audit & Risk Records

Previous internal audit reports (if any) and status of action items from prior cycles

Fraud risk register or any documented instances of fraud, theft, or irregularity in past years

Whistleblower/vigil mechanism policy and log of complaints received and their resolution status

Insurance policies covering fidelity, D&O, and business assets — for risk-assessment cross-reference

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Applicability AssessmentCompany crosses Rule 13 thresholds, raises PE/VC funding, or Board decides on voluntary adoptionWe assess Section 138/Rule 13 applicability precisely against your latest financials and borrowing position, and advise on voluntary adoption where investor or lender expectations warrant it even below the statutory threshold.Mandatory appointment missed → non-compliance with Section 138, exposure flagged in statutory audit report and MCA scrutiny; investor/lender covenant breach if voluntarily committed but not delivered.
Charter & Plan ApprovalInternal auditor appointedAudit charter drafted for Audit Committee sign-off; risk assessment conducted; annual audit plan built and approved before fieldwork begins.No approved charter/plan → internal audit lacks formal standing, findings can be dismissed by process owners, Audit Committee has no basis to hold management accountable.
First Audit CycleKick-off of fieldwork per approved planProcess walkthroughs, control testing, and substantive procedures executed per the plan; findings rated and validated with process owners before finalisation.Rushed or checklist-only fieldwork → high-risk control gaps go undetected until they surface as losses, fraud, or statutory audit qualifications.
Reporting & Audit Committee ReviewDraft report finalisedFindings presented to the Audit Committee with clear risk ratings, root-cause analysis, and management's committed action plan.Findings not escalated to the Audit Committee → the Board has no independent visibility into control weaknesses, undermining the Section 134(5) internal financial controls certification.
Remediation & Follow-upManagement commits to action planOpen items tracked to closure and re-tested in the next cycle; persistently unresolved high-risk items specifically flagged for escalation.Findings repeatedly closed 'on paper' without real remediation → the same control failure recurs, and repeat findings damage the credibility of both management and the audit function.
Annual Cycle RefreshFinancial year end / Audit Committee calendarRisk assessment and audit plan refreshed for the new year based on findings, business changes (new locations, products, systems), and emerging risks.Static, unchanged audit plan year after year → the function drifts into a compliance ritual and stops adding real assurance value as the business evolves.
Scale-Up / M&A / IPO ReadinessFundraise, acquisition, or listing process beginsInternal audit scope extended to cover newly acquired entities, IPO-readiness control gaps identified early, and internal financial controls (IFC) documentation strengthened ahead of due diligence.Weak or undocumented internal controls discovered during diligence → valuation adjustments, deal delays, or onerous post-closing indemnities imposed by the counterparty.
Fraud or Irregularity DetectedInternal audit or whistleblower flags suspected fraudScope escalated to a focused or forensic-leaning review; findings documented to a standard usable in disciplinary, legal, or insurance-claim proceedings where required.Suspected fraud not investigated with appropriate rigour → evidence degrades, recovery becomes harder, and the matter can resurface as a statutory audit qualification or regulatory issue.

Internal audit is not a one-time filing but a recurring governance cycle spanning the life of the company — each phase feeds the next, and skipping a phase (particularly follow-up and closure tracking) is where most internal audit programmes lose their value over time.

Frequently asked
What exactly is Internal Audit, in plain terms?

It is an independent review — conducted by a Chartered Accountant or a qualified professional — of how well your company's processes, controls, and risk management actually work in practice, not just on paper. Where a statutory audit checks whether your financial statements are accurate, internal audit checks whether the processes that produce those numbers, and the controls that protect your assets and compliance position, are sound. It reports to your Audit Committee or Board, not to external shareholders, and its purpose is improvement as much as assurance.

Practitioner noteFounders and CFOs often confuse internal audit with statutory audit because both involve a CA reviewing the books. The mandate, the reporting line, and the objective are fundamentally different — and conflating the two is one of the most common governance gaps we see at first engagement.
Is Internal Audit mandatory for my company?

It depends on your company type and financial parameters under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014. Every listed company must appoint an internal auditor. Unlisted public companies must appoint one on crossing prescribed thresholds of paid-up share capital, turnover, outstanding loans/borrowings from banks or financial institutions, or outstanding deposits. Private companies must appoint one on crossing prescribed thresholds of turnover, or outstanding loans/borrowings from banks or financial institutions. The precise threshold figures are set out in Rule 13 and should be checked against your latest audited financials — we do this assessment as the first step of every engagement.

Practitioner noteWe frequently find companies that crossed the Rule 13 threshold a year or two ago and never appointed an internal auditor — usually because no one was tracking it against the latest financials. This is flagged by statutory auditors in their report and is worth resolving proactively rather than waiting to be caught.
Who can be appointed as the Internal Auditor under the Companies Act?

Under Section 138, the internal auditor may be a Chartered Accountant (whether engaged in practice or not), a Cost Accountant, or such other professional as the Board may decide. The internal auditor may or may not be an employee of the company. In practice, most companies either appoint an external CA firm (an outsourced or co-sourced model) or build an in-house internal audit team led by a qualified professional, sometimes supplemented by an external firm for specialist areas like IT audit or forensic review.

Practitioner noteThe outsourced model with a practising CA firm is common for mid-sized companies because it delivers independence, a breadth of cross-industry experience, and avoids the cost of a full in-house team. We also work in a co-sourced model — supplementing an existing in-house team for specific high-risk areas or peak-period bandwidth.
Can the statutory auditor also act as the internal auditor of the same company?

No. Section 144 of the Companies Act 2013 explicitly prohibits an auditor appointed under Section 139 (statutory auditor) from rendering internal audit services to the company, directly or indirectly, whether the service is provided by the auditor themselves or through a related entity. This is one of the specified non-audit services barred to preserve auditor independence.

Practitioner noteThis restriction applies to the appointed statutory auditor and its network entities — not to every CA firm in general. A company can appoint one CA firm as its statutory auditor and a completely separate CA firm, including PNPC, as its internal auditor, without any conflict.
How is Internal Audit different from a Statutory Audit?

Statutory audit is a legally mandated annual examination of financial statements, resulting in an opinion addressed to shareholders on whether the statements present a true and fair view, governed by the Standards on Auditing and reported under Section 143. Internal audit is a continuous, risk-based assurance and consulting function reporting to the Audit Committee/Board, governed by the Standards on Internal Audit issued by ICAI, and its scope covers process design, control effectiveness, compliance, fraud risk, and operational efficiency — well beyond financial statement assertions alone. The two functions are complementary: a well-run internal audit programme materially reduces the surprises a statutory auditor finds at year end.

Practitioner noteBoards sometimes assume that a clean statutory audit report means controls are strong. It does not — statutory audit tests materiality at the financial statement level and uses sampling designed for that purpose; it is not designed to catch every process-level control gap that internal audit is specifically built to find.
What is the difference between Internal Audit and Internal Financial Controls (IFC) testing?

Internal Financial Controls (IFC), as referenced in Section 134(5)(e) and tested by the statutory auditor under Section 143(3)(i) for applicable companies, focuses specifically on controls over financial reporting — ensuring the accuracy and reliability of financial statements and safeguarding of assets from that lens. Internal Audit has a broader mandate covering operational efficiency, compliance, fraud risk, IT controls, and strategic risk, in addition to financial controls. In practice, the two overlap significantly, and a well-designed internal audit programme often generates the evidence base that supports the company's own IFC assertion and the statutory auditor's IFC opinion.

Practitioner noteWe often structure the first year of an internal audit engagement to explicitly build out IFC documentation alongside the risk-based audit plan — this gives management defensible support for the Section 134(5) directors' responsibility statement and reduces friction with the statutory auditor's IFC testing.
How does PNPC decide what to audit each year?

We start with a structured risk assessment across financial, operational, compliance, fraud, IT, and strategic risk categories specific to your business and sector — not a generic template. Each identified risk is rated by likelihood and impact, and the annual audit plan allocates audit hours to the highest-residual-risk areas first. The plan is presented to and approved by your Audit Committee before fieldwork begins, and it is refreshed annually as your business, systems, and risk profile evolve.

Practitioner noteA checklist audit — the same 40-point list applied to every client regardless of industry — is the single biggest quality gap we see when reviewing incoming clients' prior internal audit reports. Risk assessment is not a formality; it is the entire value proposition of a genuinely risk-based programme.
How often are internal audits conducted — annually, or more frequently?

Most companies run internal audit in quarterly cycles aligned to their Audit Committee meeting calendar — each cycle covering a defined set of locations, processes, or entities from the annual plan, with findings reported to the Committee each quarter. Higher-risk areas or higher-risk entities within a group may be audited more than once a year; lower-risk, stable areas may be covered once annually or even once every two years, depending on the risk assessment. A purely annual, once-a-year internal audit is common for smaller companies but generally provides less timely assurance than a quarterly cycle.

Practitioner noteWe recommend quarterly cycles wherever the Audit Committee meets quarterly — findings lose relevance and remediation urgency when reported only once a year, by which point the exposure may have persisted for many months.
What does a typical Internal Audit report look like?

A well-structured internal audit report includes: an executive summary for the Audit Committee, the scope and period covered, a risk-rated list of findings (typically Critical/High/Medium/Low), the root cause of each finding, a specific and implementable recommendation, management's response (agree/partially agree/disagree, with reasons), a committed remediation owner and timeline for each accepted finding, and a status update on findings carried forward from prior cycles. The report should be specific to your processes and systems — not generic boilerplate language that could apply to any company.

Practitioner noteWe insist on a documented management response to every single finding before a report is finalised — 'no response' or a vague verbal acknowledgement is not acceptable. This discipline is what converts the report from a filing exercise into a genuine governance tool the Audit Committee can act on.
What happens if internal audit findings are not remediated?

Open findings are carried forward into the next audit cycle and re-tested to verify actual closure, not just a management assertion. Persistently unresolved high-risk findings are specifically flagged for escalation to the Audit Committee and, where warranted, to the Board. Unremediated control weaknesses can also surface independently — as a statutory audit qualification, a material weakness noted in the Section 143(3)(i) internal financial controls opinion, an actual loss event, or a regulatory finding — at which point the cost of the original gap is usually far higher than the cost of timely remediation would have been.

Practitioner noteThe pattern we see most often with new clients coming from a lower-cost provider: the same finding appears, worded almost identically, in three consecutive years of reports, with no real follow-up testing to confirm closure. That is not internal audit adding value — it is a paperwork exercise.
Does Internal Audit help prevent or detect fraud?

Internal audit is not primarily a fraud investigation function, but a well-designed risk-based programme — particularly one incorporating fraud risk assessment, segregation-of-duties testing, and data analytics across full transaction populations — meaningfully increases the likelihood that fraud indicators are identified early, before losses compound. Where internal audit identifies a red flag suggesting fraud, the appropriate response is to escalate and, if warranted, commission a focused or forensic review with an appropriately elevated evidentiary standard — internal audit procedures alone are not typically designed or documented to the standard required for legal or disciplinary proceedings.

Practitioner noteWe build a fraud risk register into the risk assessment for every client, specific to their industry's known fraud patterns — inventory shrinkage in retail/FMCG, fictitious vendors in services businesses, ghost employees in payroll, and round-tripping in related-party transactions are recurring patterns we specifically test for.
What is the Standards on Internal Audit (SIA), and does PNPC follow them?

The Standards on Internal Audit (SIA) are issued by the Institute of Chartered Accountants of India (ICAI) through its Internal Audit Standards Board, providing a structured framework covering planning, risk assessment, evidence, documentation, reporting, and quality control for internal audit engagements conducted by Chartered Accountants in India. PNPC's internal audit methodology is built around this framework, adapted to each client's size, sector, and risk profile.

Practitioner noteAsk any internal audit provider whether their methodology is aligned to the ICAI Standards on Internal Audit, and ask to see a sample de-identified report. The quality gap between a genuinely SIA-aligned methodology and an ad hoc checklist approach is usually visible in the first report you read.
Can Internal Audit be outsourced entirely, or does the company need its own team?

Both models are legally valid and common in practice. A fully outsourced model — where an external CA firm like PNPC serves as the entire internal audit function — is common for mid-sized companies without the scale to justify a dedicated in-house team, and it also brings independence and cross-industry benchmarking. A co-sourced model — an in-house internal audit head supplemented by an external firm for specialist areas (IT audit, forensic reviews, specific high-risk locations) or for peak-period capacity — suits larger organisations. A fully in-house model is more common for large listed companies with the scale to justify a dedicated internal audit department led by a Chief Internal Auditor.

Practitioner noteWe work in all three models depending on client size and maturity. For companies just crossing the Section 138 threshold, a fully outsourced model is usually the fastest and most cost-effective way to become compliant without a lengthy hiring process.
How much does an Internal Audit engagement with PNPC cost?

PNPC prices internal audit engagements based on the scope agreed in the annual audit plan — the number of locations/entities, the audit areas covered, the frequency of cycles, and the complexity of your systems and operations. We provide a written scope and fee proposal before any engagement begins, typically structured as an annual retainer covering the agreed number of audit cycles. We do not price on a generic 'per company' basis because the actual work required varies enormously between a single-location services business and a multi-location manufacturing group.

Practitioner noteBe cautious of internal audit proposals priced as a flat, very low fee regardless of scope — the fee compression usually shows up as reduced sample sizes, skipped risk assessment, and generic findings. Ask what specifically is included in the quoted fee before comparing providers on price alone.
Why should we engage PNPC for Internal Audit rather than a lower-cost provider?

A genuinely risk-based internal audit function requires practising CAs who understand both the statutory framework and your specific business and sector — not a generic checklist applied uniformly across clients. PNPC has been a practising CA firm since 1986, with teams across Chennai, Bangalore, Hyderabad, and Dubai. We build a documented risk assessment specific to your business before setting the audit plan, present findings directly to your Audit Committee, track every finding to actual closure with re-testing (not a self-certified 'resolved' status), and stay engaged year-round as your business and risk profile evolve — not as a once-a-year filing exercise.

Practitioner noteClients who come to us after a low-cost internal audit provider almost always bring the same pattern: a generic risk assessment (or none at all), findings copy-pasted from a template with company name substituted, and no evidence of follow-up testing on prior findings. We rebuild the risk assessment from scratch in the first cycle for every such client.
Does a small private company benefit from a voluntary Internal Audit even if not legally required?

Often, yes — particularly where the company has multiple locations the founder cannot personally oversee, has taken on institutional investors who expect governance discipline, has experienced rapid growth that has outpaced its informal controls, or is preparing for a future fundraise or acquisition. A scoped, proportionate internal audit — even a lighter-touch annual review rather than a full quarterly programme — can identify control gaps and process inefficiencies well before they become costly. The right scope and frequency should be proportionate to the company's actual risk profile, not a one-size package.

Practitioner noteWe frequently recommend a lighter, targeted first-year engagement — covering the two or three highest-risk processes only — for smaller companies not yet at the statutory threshold, rather than a full-scale programme they do not yet need. This builds the governance habit without disproportionate cost.
What is the role of the Audit Committee in Internal Audit?

Under Section 177 of the Companies Act 2013, the Audit Committee (mandatory for listed companies and certain classes of public companies) is responsible for overseeing the internal audit function — reviewing and approving the annual audit plan, reviewing findings and management responses, monitoring the adequacy of internal controls, and evaluating the internal audit function's effectiveness. Where a company is not statutorily required to have an Audit Committee, the Board typically performs this oversight role directly.

Practitioner noteWe always recommend the internal auditor have a direct reporting line and unfettered access to the Audit Committee Chairman — not solely through the CFO or CEO, whose own function may be the subject of a given audit. This is a basic but frequently overlooked independence safeguard.
How does Internal Audit interact with IT systems and cybersecurity?

IT general controls — user access management, change management, data backup, and system security configuration — are a standard component of a modern risk-based internal audit plan, because financial and operational controls increasingly depend on the integrity of the underlying systems. Where the risk assessment identifies elevated cybersecurity or IT risk, the audit plan may include a dedicated IT audit or cybersecurity review, potentially involving specialist technical resources in addition to the core internal audit team.

Practitioner noteUser access reviews are one of the most consistently weak areas we find — former employees retaining system access months after exit, and finance staff holding conflicting approval rights within the ERP, are both common findings across industries.
What is a risk-based internal audit approach, and why does it matter?

A risk-based approach allocates audit time and depth in proportion to the actual risk each area poses to the organisation, determined through a structured, documented risk assessment — rather than auditing every department equally, or repeating the same fixed checklist every year regardless of what has changed in the business. It ensures that scarce audit hours are spent where a control failure would cause the most damage, and that the audit plan evolves as new risks emerge (a new product line, a new location, a new system) rather than staying static.

Practitioner noteThe single biggest determinant of whether an internal audit programme adds real value or becomes a compliance ritual is the quality and honesty of the risk assessment. We revisit it formally every year, not just at the start of the engagement.
What is sampling in Internal Audit, and how does PNPC size its samples?

Because it is usually impractical to test every single transaction in a process, internal audit relies on sampling — testing a representative subset of transactions to draw a defensible conclusion about the population as a whole. Sample sizes are set based on the population size, the risk rating of the process, and the desired confidence level — not an arbitrary fixed number like 'we test 5 invoices.' Where the volume and system access allow, we supplement sampling with full-population data analytics to identify specific outliers and exceptions that a sample alone might miss.

Practitioner noteA 'sample of 5' applied to a process with thousands of monthly transactions provides negligible assurance. We size samples using an accepted statistical or risk-based methodology and disclose the sample size and basis in every report so the Audit Committee can assess the level of assurance being provided.
How does Internal Audit handle related-party transactions?

Related-party transactions are a standard high-risk area in any internal audit plan, given the requirements of Section 188 of the Companies Act and the potential for related-party dealings to be used to move value out of the company on non-arm's-length terms. Internal audit typically tests whether related-party transactions have the required Board/Audit Committee/shareholder approvals, whether pricing is on an arm's-length or otherwise justified basis, and whether the disclosures in the financial statements and related-party register are complete and accurate.

Practitioner noteWe cross-check the related-party register against the actual General Ledger for unrecorded or misclassified related-party transactions — a common gap in fast-growing companies where a founder-owned vendor or property is not formally flagged as related in the accounting system.
Can Internal Audit cover subsidiaries and group entities, not just the parent company?

Yes, and for groups with multiple entities this is often essential — control weaknesses at a subsidiary can create financial or reputational exposure for the entire group, and consolidated financial statements depend on the integrity of each entity's underlying records. The annual audit plan should explicitly map which entities and locations are in scope for each cycle, based on their individual risk profile, rather than defaulting to parent-company-only coverage.

Practitioner noteFor clients with a UAE subsidiary or affiliate alongside their Indian entity, our Dubai office coordinates with the India-based audit team so the group's risk assessment and reporting are unified rather than split across two disconnected engagements.
What triggers an internal audit finding to be rated as 'Critical' or 'High' risk?

Rating criteria vary by firm but generally consider the potential financial impact, the likelihood of recurrence, whether the gap indicates a control that is completely absent (design failure) versus one that exists but was not followed on a given occasion (operating failure), and whether the issue has implications for regulatory compliance, fraud exposure, or the integrity of financial reporting. A missing approval on a single low-value transaction is typically rated differently from a systemic absence of segregation of duties in the payment process.

Practitioner noteWe calibrate and disclose our rating criteria to each client's Audit Committee at the start of the engagement, so ratings are consistent, defensible, and not subject to after-the-fact disagreement about severity.
What is the difference between a 'design deficiency' and an 'operating effectiveness' finding?

A design deficiency means the control, as designed, would not prevent or detect the risk it is meant to address even if performed exactly as intended — for example, an approval workflow that does not require a second signatory for high-value payments. An operating effectiveness finding means the control is properly designed, but was not consistently performed in practice during the period tested — for example, a required approval step exists in policy but was bypassed for certain transactions. The remediation for each is different: a design deficiency requires redesigning the control itself, while an operating effectiveness gap may require training, enforcement, or a system-based control to prevent bypass.

Practitioner noteConflating these two categories in a report is a common quality shortfall — it leads management to 'fix' the wrong thing. We report them separately in every finding so the remediation action is correctly targeted.
How does Internal Audit support a company preparing for an IPO or acquisition?

Investors and IPO due diligence teams place significant weight on the maturity of a company's internal controls and governance track record. A well-documented internal audit history — showing a genuine risk-based methodology, findings tracked to closure, and Audit Committee engagement over multiple cycles — is direct evidence of governance maturity that can materially smooth due diligence, reduce the scope of pre-deal control remediation demanded by the counterparty, and support the Internal Financial Controls disclosures required in an IPO prospectus.

Practitioner noteWe advise clients planning a fundraise or exit within 18–24 months to formalise and document their internal audit programme well ahead of the transaction — retrofitting governance evidence under diligence time pressure is far more expensive and far less convincing than a genuine multi-cycle track record.
What is a 'management letter' and how is it different from the main Internal Audit report?

In some engagements, in addition to the main risk-rated findings report presented to the Audit Committee, the internal auditor may issue a management letter to specific process owners — covering lower-severity observations, process improvement suggestions, or matters better addressed operationally rather than through Audit Committee escalation. Practice varies by firm; PNPC agrees the reporting structure — whether a single consolidated report or a main report plus a supplementary management letter — with each client's Audit Committee at the start of the engagement.

Practitioner noteWe generally recommend keeping all rated findings, including lower-severity ones, visible to the Audit Committee at least in summary form — a separate, less-visible management letter can become a place where recurring low-severity issues quietly accumulate without proper oversight.
Does PNPC use data analytics or is Internal Audit purely manual sampling?

Where the client's systems and data access permit, we apply data analytics across full transaction populations — for example, testing every journal entry in a period for unusual characteristics, every vendor payment for duplicate or split-invoice patterns, and every user access log for dormant or excessive privileges — rather than relying solely on a manual sample. This extends coverage well beyond what manual sampling alone can achieve, particularly for high-volume processes like accounts payable and payroll.

Practitioner noteFull-population analytics do not replace judgment-based process walkthroughs and control testing — they complement it. We use analytics to identify where to focus deeper manual testing, not as a substitute for understanding why a control exists in the first place.
What happens during the first Internal Audit cycle with a new client — is it different from later cycles?

The first cycle typically includes more foundational work — entity and process mapping, a full risk assessment from scratch (rather than a refresh of an existing one), documenting the Delegation of Authority matrix if one does not already exist in usable form, and agreeing the audit charter and reporting protocol with the Audit Committee. Findings in the first cycle also tend to be higher in volume, simply because many companies are being reviewed with this level of rigour for the first time. Subsequent cycles build on this foundation, focus more narrowly on the highest-risk areas identified, and specifically re-test prior findings for closure.

Practitioner noteWe set expectations with new clients that the first-cycle finding count is often higher than they anticipate — this is a function of thoroughness, not a sign that anything is unusually wrong. What matters is the trend across cycles as findings get remediated.
Can Internal Audit findings be shared with the statutory auditor?

Yes, and it is generally good practice for them to be shared, with the Audit Committee's knowledge. Statutory auditors frequently request internal audit reports as part of their own risk assessment and reliance considerations under the Standards on Auditing — a well-run internal audit function can, in some circumstances, allow the statutory auditor to place a degree of reliance on internal audit work for specific areas, which can reduce duplication of effort (though it never eliminates the statutory auditor's own independent responsibility and testing).

Practitioner noteWhere PNPC is not also the statutory auditor, we coordinate — with client consent — to share relevant internal audit findings with the statutory audit team ahead of year-end fieldwork, which frequently reduces the number of surprises and repeat information requests during the statutory audit.
Is Internal Audit relevant for NBFCs, and does PNPC handle sector-specific requirements?

Yes — NBFCs are subject to specific RBI directions on internal audit, including, for larger and systemically important NBFCs, a requirement for a Risk-Based Internal Audit (RBIA) framework aligned to RBI's guidelines, in addition to the Companies Act requirements applicable to them as companies. Internal audit scope for an NBFC typically includes lending operations, credit appraisal and sanctioning controls, asset classification and provisioning (NPA recognition), KYC/AML compliance, and treasury operations, alongside the standard corporate process areas.

Practitioner noteNBFC internal audit requires familiarity with RBI's specific master directions in addition to the Companies Act framework — we scope NBFC engagements with this dual regulatory lens applied from the outset, not bolted on afterward.
How does Internal Audit differ for a manufacturing company versus a services company?

For a manufacturing company, the risk assessment typically weights inventory management, shop-floor production controls, quality control documentation, fixed asset and capital expenditure controls, and factory-level statutory compliance (labour law, pollution control, factory licences) more heavily. For a services company, the emphasis usually shifts toward revenue recognition and unbilled revenue, employee cost and utilisation, client contract compliance, and data/IT controls given the more people- and systems-intensive nature of the business. The core methodology is the same — a documented, risk-based approach — but the specific audit areas and testing procedures are tailored to the sector.

Practitioner noteWe staff engagements with team members who have relevant sector exposure wherever possible — inventory and shop-floor controls require a genuinely different audit lens than SaaS revenue recognition or professional services utilisation, and a generalist checklist misses sector-specific risk in both directions.
What is co-sourcing, and when does it make sense over full outsourcing?

Co-sourcing is a hybrid model where a company retains its own in-house internal audit team or head, and engages an external firm like PNPC to supplement specific areas — such as specialist IT audit, a forensic-leaning review, coverage of a specific high-risk location, or additional bandwidth during peak reporting periods. It suits organisations large enough to justify an in-house function but that still want independent specialist input or capacity flexibility, without building every specialism in-house.

Practitioner noteWe work in co-sourced arrangements regularly, typically for the IT audit and forensic components of a broader in-house programme — these are the two areas where specialist skill gaps are most common even in otherwise well-staffed in-house internal audit teams.
Does PNPC provide Internal Audit services across India and the UAE?

Yes. PNPC operates from Chennai, Bangalore, and Hyderabad in India, and from Dubai in the UAE. For groups with operations or entities in both jurisdictions, we run a coordinated internal audit programme rather than splitting the engagement between two disconnected firms — the risk assessment, reporting cadence, and Audit Committee presentation are unified across the group, even where entity-specific regulatory context (Companies Act in India, UAE Commercial Companies Law and free zone regulations in the UAE) differs.

Practitioner noteFor India-UAE groups, we specifically look at intercompany transactions, transfer pricing documentation, and cross-border fund flows as a distinct risk area within the internal audit plan — this is where we most often find gaps when a group has previously used separate, uncoordinated advisors in each country.
What does the PNPC Internal Audit engagement package include?

A typical PNPC internal audit engagement includes: applicability and readiness assessment against Section 138/Rule 13; entity and process risk mapping specific to your business; a documented, Audit Committee-approved annual risk assessment and audit plan; a formal audit charter defining scope, authority, and reporting lines; process walkthroughs and control documentation; risk-based sample and/or full-population testing per cycle; a risk-rated findings report with root-cause analysis and specific recommendations; direct presentation to your Audit Committee each cycle; a live action tracker with follow-up re-testing of prior findings; and an annual refresh of the risk assessment and plan. The exact scope, number of cycles, and locations covered are agreed and priced in writing before the engagement begins.

Practitioner noteAsk any provider for a sample de-identified risk assessment and a sample finding write-up before engaging — this tells you far more about the actual quality of the programme than the proposal document alone.
Why PNPC Global
FeatureLow-Cost / Generic ProviderIn-House OnlyPNPC Global
Risk AssessmentGeneric template, rarely revisitedDepends entirely on in-house team's independence and bandwidthDocumented, business-specific risk assessment, refreshed every year, approved by the Audit Committee
IndependenceNominal — often limited engagement depthStructurally constrained — reports within the same organisation it auditsGenuinely independent external CA firm with a direct Audit Committee reporting line
Sampling MethodologyFixed, token sample sizes regardless of populationVaries by in-house team maturity and toolingRisk-based sample sizing, supplemented with full-population data analytics where feasible
Findings QualityGeneric, template-driven, minimal root-cause analysisCan be strong, but limited by internal politics and visibilitySpecific, root-caused, rated findings with implementable recommendations
Follow-up & ClosureRarely re-tested — 'closed' on management's word aloneDepends on team discipline and Audit Committee pressureEvery finding re-tested in the next cycle before being marked closed
Sector & Cross-Industry InsightLimited — one-size-fits-all methodologyDeep on own company, limited external benchmarkingCross-industry pattern recognition from decades of CA practice across sectors
India-UAE CoordinationNot offeredNot applicable unless group has its own multi-jurisdiction teamUnified programme across India and UAE entities from Chennai/Bangalore/Hyderabad and Dubai offices
Audit Committee EngagementReport emailed, limited live discussionDirect, but may lack external perspective and benchmarkingDirect presentation each cycle, with cross-industry context and candid escalation
Relationship ModelTransactional, priced to minimise scopeEmployment relationship — subject to internal reporting pressuresIndependent, practising-CA relationship — engagement continuity, not deal-by-deal pricing

What the PNPC package includes

  1. 01

    Section 138 / Rule 13 applicability assessment against your latest financials — mandatory or advisable, assessed precisely, not assumed

  2. 02

    Business-specific risk assessment across financial, operational, compliance, fraud, IT, and strategic risk categories

  3. 03

    Audit Committee-approved annual internal audit plan mapping audit hours to the highest-risk areas

  4. 04

    Formal internal audit charter defining scope, authority, independence, and reporting lines

  5. 05

    Process walkthroughs and control documentation before any testing begins

  6. 06

    Risk-based control testing — design and operating effectiveness, tested and reported separately

  7. 07

    Data analytics across full transaction populations where systems and access permit — not sampling alone

  8. 08

    Risk-rated findings report (Critical/High/Medium/Low) with root-cause analysis and specific, implementable recommendations

  9. 09

    Documented management response required for every finding before the report is finalised

  10. 10

    Direct presentation to your Audit Committee every audit cycle, with candid discussion — not just an emailed PDF

  11. 11

    Live action tracker with follow-up re-testing of every prior finding before it is marked closed

  12. 12

    Annual refresh of the risk assessment and audit plan as your business and risk profile evolve

  13. 13

    Coordinated India-UAE coverage for groups with entities in both jurisdictions

  14. 14

    Direct contact with your engagement CA — by phone and WhatsApp — not a support queue

Speak directly with a PNPC Chartered Accountant about your internal audit obligations and risk profile. Not a template checklist, not a once-a-year filing exercise — a practising CA firm that has been testing controls and reporting to Audit Committees since 1986, and that treats your risk register as seriously as you do.

← Back to Audit & Assurance
Talk to a CA