Internal Audit Section in Companies Act, 2013
When people hear the words “internal audit,” the first reaction is usually:
“Audit? But our statutory audit is already done… why another one?”
That confusion is very common.
And that’s why Section 138 of the Companies Act, 2013, was created.
Internal audit is not about compliance for the sake of compliance. It’s about control, discipline, and catching mistakes ahead of the game.
Which Section Governs Internal Audit in the Companies Act, 2013?
The internal audit section in the Companies Act, 2013, is
👉 Section 138, read with
👉 Rule 13 of the Companies (Accounts) Rules, 2014
Together, these provisions:
- mandate internal audit for certain companies, and
- lay down which companies must appoint an internal auditor.
What Is an Internal Audit (in Simple Words)?
Internal audit means:
- a continuous, independent review of a company’s internal controls,
- processes, systems, and risk management,
- conducted during the year, not after it ends.
Unlike statutory audit:
- internal audit works inside the organization.
- focuses on process improvement, not just numbers,
- reports to management/audit committee.
Think of it as
“A health check-up, not a post-mortem.”
Why Did the Companies Act Introduce Section 138?
Earlier, internal audit was optional for most companies.
But over time, regulators realized:
- many failures happen within systems, not accounts.
- frauds grow when no one is watching operations regularly.
- A statutory audit alone is not enough.
So Section 138 was introduced to:
- strengthen internal controls,
- improve governance,
- reduce fraud and operational risk.
What Does Section 138 Actually Say?
In essence, Section 138 says:
Certain classes of companies shall appoint an internal auditor, who may be a chartered accountant, cost accountant, or other professional, to conduct an internal audit of the company.
It also says:
- The Board decides the scope, periodicity, and methodology of the internal audit.
So the law sets the obligation but gives flexibility in execution.
Which Companies Are Required to Appoint an Internal Auditor?
This is the most important practical question.
As per Rule 13, internal audit is mandatory for:
1. Listed Companies
All listed companies must appoint an internal auditor—no exceptions.
2. Certain Unlisted Public Companies
Internal audit is mandatory if any one of the following limits is crossed:
- Paid-up share capital ≥ ₹50 crore
- Turnover ≥ ₹200 crore
- Outstanding loans or borrowings ≥ ₹100 crore
- Outstanding deposits ≥ ₹25 crore
Even if one condition is met, an internal audit becomes compulsory.
3. Certain Private Companies
Yes—private companies are also covered.
Internal audit is mandatory if:
- turnover ≥ ₹200 crore, or
- outstanding loans or borrowings ≥ ₹100 crore
This surprises many founders—but it’s very much the law.
Internal Audit Applicability for Private Companies (Common Confusion)
Many private companies assume:
“Internal audit is only for listed companies.”
That is not true anymore.
Large private companies with:
- significant turnover, or
- heavy borrowings
are mandatorily required to appoint an internal auditor under Section 138.
Ignoring this often leads to MCA notices later.
Who Can Be Appointed as Internal Auditor?
Section 138 allows flexibility.
An internal auditor can be:
- a Chartered Accountant (CA)
- a Cost Accountant (CMA)
- any other professional decided by the Board
Important point:
- The internal auditor may or may not be an employee of the company.
However:
- A statutory auditor cannot act as an internal auditor (to preserve independence).
Time Limit for Appointment of Internal Auditor
The act itself does not specify a fixed number of days, but in practice:
- appointment should be made at the beginning of the financial year, or
- as soon as the company becomes applicable under Rule 13.
Delaying an appointment defeats the purpose of an “internal” audit.
What Does the Internal Auditor Actually Do?
Internal audit typically covers:
- internal controls
- operational efficiency
- compliance with laws
- risk management
- process gaps
- fraud indicators
It is not limited to accounting entries.
A good internal audit improves the business, not just compliance.
Who Decides the Scope of Internal Audit?
The Board of Directors decides:
- scope
- frequency
- methodology
For larger companies:
- The Audit Committee may be involved.
This means internal audit is:
- customised to the business,
- not a one-size-fits-all checklist.
Is the Internal Audit Report Filed With ROC?
No.
Internal audit reports are
- internal documents,
- placed before management/board,
- used for corrective action.
However:
- A statutory auditor may rely on internal audit findings.
Internal Audit vs Statutory Audit (Simple Comparison)
|
Internal Audit |
Statutory Audit |
|
Continuous |
Annual |
|
Focuses on systems |
Focuses on financial statements |
|
Preventive |
Detective |
|
Management-oriented |
Shareholder-oriented |
|
Section 138 |
Section 139 |
Both are important—but serve very different purposes.
Common Mistakes Companies Make
From real-world practice, these are frequent issues:
- assuming internal audit is optional
- appointing auditor only on paper
- delaying appointment till year-end
- limiting scope just to compliance
- ignoring internal audit observations
These mistakes defeat the whole objective of Section 138.
Why Internal Audit Is Actually Helpful (Not a Burden)
Companies that take internal audits seriously often:
- detect issues early
- improve cash flow
- reduce fraud risk
- strengthen controls
- impress lenders and investors
Many founders later say:
“We should have done this earlier.”
One-Line Summary
Internal audit under Section 138 of the Companies Act 2013 is a mandate for corporate governance for those companies for which it is prescribed to ensure avoidance of crises before they occur.
For expert assistance in determining internal audit applicability, appointing qualified internal auditors, and ensuring full compliance under Section 138 of the Companies Act, 2013, connect with experienced professionals at callmyca.com for reliable and practical corporate advisory support.
