PKC Management Consulting


Internal Audit for Public Companies in India: PKC’s Guide for 2025 

Internal audit for public companies in India is needed to comply with the law and to protect the company from risk, fraud, and operational failure.

Whether you’re listed on the NSE/BSE or managing a large unlisted entity, understanding the internal audit process, applicability, and reporting structure is a must. This guide makes all of this simple. 

Applicability of Internal Audit for Public Companies

Internal audits are mandatory for listed companies and certain unlisted public companies in India. 

For unlisted companies, internal audits are required if they meet certain financial thresholds outlined by the Companies Act, 2013. Here’s what you need to know:

Legal Mandate from the Companies Act, 2013

Section 138 of the Companies Act, 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 mandates internal audits for certain companies.

Listed Public Companies

If your company is listed on a stock exchange (NSE/BSE), internal audit is always compulsory.

This rule is non-negotiable under SEBI Listing Obligations & Disclosure Requirements (LODR).

Thresholds for Applicability

A public company (including unlisted public companies) must appoint an internal auditor if it meets ANY ONE of the following thresholds in the preceding financial year:

  • Turnover: ₹200 crore or more.
  • Paid-up Share Capital: ₹50 crore or more.
  • Outstanding Loans/Borrowings: Exceeding ₹100 crore from banks/public financial institutions at any point during the preceding financial year.
  • Outstanding Deposits: ₹25 crore or more at any point during the preceding financial year.

These thresholds are based on the company’s last audited financial statements. 

Appointment Requirements

An internal auditor can be:

  • A Chartered Accountant (CA) or Cost Accountant (CMA), or
  • Any other professional approved by the Board.

The internal auditor reports directly to the Audit Committee (for listed/public companies) or the Board.

Scope and Implementation

The audit committee collaborates with the internal auditor to define the audit’s scope, methodology, and frequency.

Internal auditors evaluate financial accuracy, compliance, risk management, and anti-fraud mechanisms.

Penalties for Non-Compliance

Failure to appoint an internal auditor can result in a fine of up to ₹10,000, plus ₹1,000 per day for continuing default, under Section 138 of the Companies Act, 2013. 

Officers in default are also liable for similar penalties.

Importance of Internal Audit for Public Companies

In India, the importance of internal audit for public companies goes way beyond regulatory compliance. Here’s why it’s critical:

1. Enhanced Corporate Governance

Internal audits provide independent assurance of financial reporting, controls, and ethics.

The auditors directly report to the Board/Audit Committee (Section 177), strengthening accountability.

2. Risk Management

Internal audits flag operational, financial, and strategic risks (e.g., fraud, cyber threats, process gaps).

They are your first line of defense and help uncover suspicious transactions, flag policy violations, and spot gaps in controls.

They also offer recommendations and corrective actions to minimize losses.

3. Operational Efficiency

By helping identify redundancies, control gaps, and cost leaks, internal audits help companies ensure assets/infrastructure are used effectively.

Auditors can recommend process improvements and eliminate bottlenecks. This leads to better operations and lower costs over time.

4. Legal and Regulatory Compliance

Public companies are under the scanner of authorities including SEBI, MCA, stock exchanges and tax authorities. 

Missing a regulation can lead to fines, penalties, and bad press. A solid internal audit ensures you’re staying within the legal boundaries.

5. Fraud Prevention & Detection

Internal audits act like early warning systems. They uncover irregularities (e.g., fund diversion, corruption) through transaction testing.

Additionally, they have a deterrent effect. When internal audits are regular and effectively conducted, they discourage malpractice.

In case fraud occurs, they also support investigations.

6. Financial Integrity

Accurate reporting in internal audits validates the accuracy of financial data before external audits.

They help maintain documentation for statutory auditors.

7. Investor and Stakeholder Confidence

Internal audits for public companies boost stakeholder confidence by signalling that the company takes risks and governance seriously.

That kind of trust leads to higher stock valuations, faster fundraising and better corporate reputation. 

Internal Audit Checklist for Public Companies

Here’s a sample of what an internal audit checklist for public companies should look like:

Internal Audit Process in Indian Public Companies

The internal audit process for public companies is a structured and risk-based approach. Here’s a step-by-step breakdown:

Planning the Internal Audit

The internal auditor, along with the Audit Committee, prepares an audit plan for the year. It covers:

  • Risk Assessment: Identify key risks and prioritize auditable areas based on them. High-risk areas like procurement and treasury take priority.
  • Audit Scope & Objectives: Define coverage and align with regulatory requirements.
  • Resource Allocation: Assign an internal audit team with sector expertise.
  • Audit Calendar: Get it approved by the Audit Committee (for listed companies).

Fieldwork Phase

This is the main part of the internal audit where the auditors look for evidence of non-compliance, errors, or fraud through: 

  • Data Collection: Review policies, SOPs, transaction records, and previous audit reports.
  • Testing & Evidence Gathering: Sample, control, and compliance testing.
  • Interviews & Observations: Engage process owners to identify control gaps.
  • Documentation: Maintain working papers for all findings.

Data Analysis Phase

Once they have all the inputs, the auditors analyze evidence to identify gaps and root causes.

  • Quantitative Analysis: Use tools (ACL, IDEA) to detect anomalies.
  • Trend Analysis: Compare YoY data (e.g., “Travel expenses up 40% without policy change”).
  • Root Cause Identification: Link gaps to systemic issues (e.g., “Lack of vendor KYC leading to fraud risk”).
  • Benchmarking: Compare practices with industry standards.

Reporting Phase

The next step is to document findings and recommendations in the audit report.

  • Internal audit report format for public companies: Includes a summary of findings, risk ratings (high, medium, low), root causes of problems, and recommendations for fixes.
  • Report submission: To the Audit Committee and Board of Directors.

Management Response and Action Plan

The next step is securing commitment from the company's stakeholders for corrective actions.

  • Management Discussion: Department heads propose action plans.
  • Formal response: Identifies the action, owner, and timeline.
  • Audit Committee Review: Verify adequacy of plans (Sec. 177(4)(iv), Companies Act).
  • SEBI Mandate: High-risk gaps require resolution within 21 days (SEBI Circular 2021).

Follow-Up & Closure

The last step is to validate implementation and close findings.

  • Action Tracking: Maintain a register.
  • Re-Testing: Verify corrective action.
  • Audit Committee Reporting: Quarterly updates on pending items (SEBI LODR Reg. 18).
  • Closure: Sign-off after evidence validation.
  • Penalties for Non-Compliance: Fines up to ₹5 lakh under Companies Act for unresolved critical gaps.

Common Challenges in Internal Audit for Public Companies

Even though internal audit is essential, public companies often struggle to run it effectively.

Here’s a look at the top challenges:

  • Lack of Auditor Independence: Internal auditors may face pressure from management, compromising their objectivity and impartiality in assessing internal controls.
  • Management Override and Interference: Senior executives may influence or bypass audit processes, undermining the effectiveness of internal controls.
  • Weak Follow-Up on Audit Recommendations: Failure to track and ensure implementation of audit findings reduces the long-term impact of the audit function.
  • Siloed Communication: Poor collaboration between departments limits the internal audit’s access to critical information and holistic risk insights.
  • Lack of Whistleblower Trust: Employees may hesitate to report issues due to fear of retaliation or lack of faith in the system’s confidentiality and fairness.
  • Inadequate Resources and Staffing: Limited personnel and budget restrict the internal audit function’s ability to conduct thorough and timely audits.
  • Limited Use of Technology: Insufficient integration of data analytics and automation hampers audit efficiency and the ability to detect risks proactively.
  • SEBI LODR Complexity: Interpreting and complying with stringent timelines (e.g., 21-day closure for high-risk gaps) strains resources.
  • Overlapping Laws: Conflicting requirements from various regulations (MCA, SEBI, RBI, FEMA, and GST) can cause confusion and increase compliance burdens.
  • Dynamic Regulations: Constant changes in regulatory requirements demand continuous updates to audit approaches and compliance frameworks.
  • Scope Creep: Expanding audit objectives without adequate planning or resources can dilute focus and reduce audit effectiveness.

Reasons PKC is Trusted for Public Company Internal Audits

✅ Specialized expertise in listed company regulatory frameworks

✅ Deep knowledge of Companies Act 2013 requirements

✅ SEBI compliance specialists with proven track record

✅ Technology-driven continuous monitoring and audit automation tools

✅ Comprehensive internal financial controls (IFC) assessment expertise

✅ Multi-disciplinary team of CAs, IT, and industry experts

✅ Board-ready audit reports with actionable insights

✅ Advanced data analytics for fraud detection capabilities

✅ Corporate governance and ESG compliance integration

✅ Customized audit programs based on company-specific risks

✅ Independent and objective third-party audit perspective

✅ ROI-focused audit approach maximizing operational efficiency

✅ Seamless coordination with statutory auditors and regulators

Internal Audit Reporting Structure for Public Companies in India 

Here’s an overview of the internal audit reporting structure for public companies: 

Who Does the Internal Auditor Report To?

The internal auditor reports to the Audit Committee, not directly to the management.

This is required under:

  • Section 177 of the Companies Act, 2013
  • SEBI (LODR) Regulations, 2015

This is because the Audit Committee is independent of executive management, which helps maintain the objectivity and credibility of audit findings.

Frequency of Reporting

Most companies follow a quarterly reporting schedule.

But depending on the company’s risk profile or regulatory requirements, reporting may also be half-yearly, annual, or even monthly for high-risk areas.

Regular reporting keeps the Audit Committee informed and responsive.

What’s Included in an Internal Audit Report?

A standard internal audit report for public companies usually contains:

  • Executive Summary – Highlights key findings
  • Audit Objectives – Why the audit was done
  • Scope and Methodology – What was reviewed and how
  • Findings and Observations – Issues, errors, or risks detected
  • Risk Ratings – High, medium, or low risk
  • Recommendations – Fixes and preventive actions
  • Management Comments – Response from the concerned department
  • Action Plan – Who will fix what and by when

Every report should be clear, factual, and supported by evidence.

Reporting Tools and Systems

Technology makes audit reports more accurate and faster to generate. Many public companies now use digital tools like:

  • SAP Audit Management
  • AuditBoard
  • Excel dashboards with KPIs

These help automate report formatting, risk scoring and follow-up tracking. 


Frequently Asked Questions

  1. What is the purpose of internal audit in public companies?

The purpose is to evaluate and improve a company’s internal controls, risk management, and compliance with laws. It helps ensure transparency and protects the interests of shareholders.

  2. Is internal audit mandatory for all public companies in India?

Yes, internal audit is mandatory for listed public companies and also for unlisted public companies that meet certain financial thresholds under the Companies Act, 2013.

  3. Who appoints internal auditors in public companies?

Internal auditors are usually appointed by the Board of Directors, often based on the recommendation of the Audit Committee.

  4. What happens if internal audit is not done properly?

If internal audit is poorly conducted, it can lead to missed risks, regulatory penalties, fraud going undetected, and a loss of investor trust.

  5. Can the same firm do internal and statutory audits?

No, under Indian regulations, the same audit firm cannot perform both internal and statutory audits for the same company, to avoid conflicts of interest.
