Why an entity should have internal audit function whether or not statutorily required?

Internal audit is an independent management function involving continuous and critical appraisal of the functioning of an entity. The objective of independent management function is to suggest improvements and add value to and strengthen the overall governance mechanism of the entity. It also includes strengthening entity's strategic risk management and internal control system.


Stages in evolution of modern internal audit in India


  • As an extended arm of external audit

In the initial stages, internal audit started as an extended arm of an external / statutory audit of financial statements. The main function of internal audit at this stage was verifying the reliability of the financial information included in the financial statements. The internal audit function in this stage could not add much value to functioning of the entity.


  • As a cross check of the information and transactions

In this stage, internal audit was also required to test non-financial information and transactions in terms of their correctness and compliance with the laid down policies and procedures.


  • As a probity police for the transactions

At this stage, the internal audit came to be more concerned about the probity aspects of the transactions especially those involving liquid and highly movable assets such as cash, stocks, etc.


  • As a backbone of a sound corporate governance system

As the global economy surged forward full steam, the need for having a full-fledged, strategically directed internal audit emerged as an inevitable service that could assist management in decision making, moving away from being merely a police on financial transactions. Thus, the modern internal audit emerged where it was established as a separate function, in house or outsourced, with clearly laid down missions and objectives to be achieved. 


Statutory requirements for internal audit in India


  • Clause 49 of listing agreement by SEBI for the listed companies pertaining to Role of Audit Committee w.e.f. 2005:


The Audit Committee shall mandatorily review the following information:


  1. Management discussion and analysis of financial condition and results of operations;
  2. Statement of significant related party transactions (as defined by the audit committee) submitted by management;
  3. Management letters / letters of internal control weaknesses issued by the statutory auditors;
  4. Internal audit reports relating to internal control weaknesses; and
  5. The appointment, removal and terms of remuneration of the Chief internal auditor shall be subject to review by the Audit Committee.
  6. The Audit Committee is also required to discuss with the internal auditors any significant findings and follow up thereon.

The CEO/CFO is required to certify to the Board of Directors that:

  1. They accept responsibility for effectiveness of internal controls and that they have disclosed to the auditors and the Audit Committee deficiencies in the design and operation of the internal controls and steps taken for rectification of the same.


  1. They have indicated to the Audit Committee and the internal as well as external auditors as to the following aspects:


  1. significant changes in internal control during the year;
  2. significant changes in accounting policies during the year and that the same have been disclosed in the notes to the financial statements; and
  3. instances of significant fraud of which they have become aware and the Involvement therein, if any, of the management or an employee having a significant role in the company’s internal control system.


  • Section 138(1) of Companies Act 2013 (Refer rule 13)

Company Type

Criteria as per previous financial year

Turnover during previous FY

Paid-up Capital during previous FY

Outstanding loans and borrowing from bank and PFI at any time during previous FY


Deposits at any time during previous FY

Listed Companies

Internal audit is Mandatory for all listed companies, irrespective of any criterion

Unlisted Public


200 crore rupees

or more

50 crore rupees or


exceeding 100

crore rupees or more

25 crore rupees or


Every Private


200 crore rupees

or more

Not Applicable

exceeding 100

crore rupees or more

Not Applicable


  • CARO 2020 on Internal Audit Requirement

As per clause XIV of CARO 2020, an external auditor should consider the following points while preparing the audit report of a company.

  1. whether the company has an internal audit system commensurate with the size and nature of its business;
  2. whether the reports of the Internal Auditors for the period under audit were considered by the statutory auditor;


Need for internal audit even if statutorily not required

  • Due to increased size and complexity of the Business
  • Due to enhanced compliance requirements of an entity
  • For better risk management and internal control
  • Due to unconventional business model
  • Due to intensive use of information technology
  • Due to stringent norms mandated by regulators to protect investors
  • Due to increasingly competitive environment for the business
  • For delegation of authority & power
  • To build resilience & sustainability


Skills to be Possessed by an Internal Auditor

  • Must possess an expertise necessary to evaluate the management control system.
  • Must have a basic knowledge about the technology and commercial practices followed by the entity.
  • Must possess knowledge of commerce, laws, taxation, cost accounting, economics, quantitative methods and ERP systems.
  • Ability to deal with people and an understanding of management principles and techniques.
  • Should maintain the confidentiality of such information which he acquired during the course of audit.



Deliverables from Internal Audit

  • Independent review and appraisal of control systems across the organization 
  • Ascertainment of the extent of compliance of policies, procedures, regulations and legislations. Checking compliance management systems of an organization. 
  • Facilitate good practices in management of risk. This requires systems for ascertaining, measuring, managing and where possible mitigation of the risk. 
  • Achieve savings by identifying waste, inefficiency and duplication of effort across the organization. 
  • Structuring programs and activities such that company assets are safeguarded and there are internal checking systems which minimize the possibility for reducing fraud / early warning signals for identifying fraud.



In modern business environment, the internal audit function has become a major support function for management, the Audit Committee, the Board of Directors, the external auditors, and other key stakeholders. When properly designed and implemented, the internal audit function can achieve the desired objective.


Connect with Strateworks Solutions