Distinct from statutory audits, internal audits are conducted at the behest of internal management in order to check the health of a company’s finances and analyze an organization’s operational efficiency. Internal audit is an independent function of management which entails the continuous and critical appraisal of the functioning of an entity, with a special focus on possible areas for improvement and how to strengthen and add value to an entity’s governance mechanisms.

The primary, but restricted, function of internal audit is to verify the reliability of information included in financial statements. This additionally entails the verification of non-financial information and transactions for accuracy and compliance with an entity’s policies and procedures.

The Need for Internal Audit

Maintaining a full-fledged and strategically directed internal audit department has emerged as a critical prerequisite for the forging of informed decisions by management. Evolving from a function for maintaining vigilance in financial transactions, internal audit has undeniably become the backbone of a sound corporate governance system.

As the conduct of business become increasingly international in scope, successfully navigating compliance with both local and foreign laws has become gradually more complex.

Internal auditors assist management with this task by providing a focus on risk management and the implementation of more stringent internal controls to manage prospective risks and vulnerabilities. Internal auditing teams enable management to direct efforts towards more risk-laden areas, thereby enhancing overall process efficiency, and adding value with an entity’s existing set of resources.


Information technology (IT) is invariable a key component of almost every activity carried out by an enterprise including the issuance of invoices and data management. With IT’s increasingly critical role, however, the threat of data theft or loss due to system failure or hacking/espionage has become ever more acute. Accompanying these new vulnerabilities comes a heightened need for internal auditors able to identify and mitigate IT-associated risks.


With these factors in mind, there are a number of key advantages associated with internal audit.

1. The internal audit function, as an independent operation, is carried out objectively.  This independence enables internal auditors to render an impartial and unbiased judgment essential to the proper conduct of business.

2. As a management function, internal audits are designed to serve management’s needs via constructive recommendations in areas such as resource utilization and regulatory compliance.

3. Risk management through internal audit enables management to effectively mitigate risk and other associated uncertainties, thereby enhancing an organization’s capacity to build value.

Statutory Mandates

There are two key clauses organizations should be mindful of when approaching internal audit.

Clause 49 of the Listing Agreement

Keeping the importance of the internal audit function in mind, the Securities and Exchange Board of India (SEBI) introduced specific mandatory and recommendatory corporate governance provisions in Clause 49 of the Listing Agreement applicable to listed entities.

As per Clause 49, an audit committee is required to review the following:

1. Whether in the entity, the internal audit function is being made functional in proper order by reviewing the structure of the internal audit department, personnel recruited and seniority of the official who shall be heading the department, frequency of audits and terms of remuneration of the chief internal auditor.

2. Internal audit reports relating to weaknesses found in internal controls.

3. The findings of any internal investigation by internal auditors into matters where there is a suspected fraud or irregularity, or a failure of internal control systems of a significant impact.

4. The CEO and the CFO are required to certify to the Board of Directors that they accept responsibility for the effectiveness of internal controls, and that they have disclosed to the auditors and the audit committee deficiencies in the operation of the internal controls, if any, and steps have been taken for their rectification.

The above clauses and others are part of the Listing Agreement, with which every entity listed on Indian stock exchanges must comply.

Section 177 of the Companies Act 2013 (Previously Section 292A of the Companies Act, 1956)

Section 177 of the Companies Act, 2013 requires the following to constitute an audit committee and require the internal auditor to attend and participate in the meetings of such audit committees:

1. Every listed company

2. Unlisted public companies with paid up capital not less than INR 10 crores (US$ 166,666)

3. All private limited companies with paid up share capital not less than INR 20 crores (US$ 333,333) or more

4. All companies with paid up share capital of below the threshold limit mentioned in (2) and (3) above, but with public borrowings from financial institutions, banks or public deposits of rupees INR 50 crores(US$ 833,333)  or more


It can additionally be concluded from the above that management as well as the audit committee needs extensive support from the internal audit department to provide a primary assurance about controls and compliances before giving the required reports/ certificates or to appropriately review the aspects necessary to make informed decisions.