Harun Raaj & Associates

Internal Audit Under Section 138 of Companies Act 2013: Who Must Do It and What It Must Cover

Section 138 of the Companies Act 2013 mandates internal audit for certain companies based on turnover and paid-up capital thresholds. This post clarifies who must comply, what the audit scope covers, and the statutory obligations for audit committees.

CA Harun Raaj

Chartered Accountant · Harun Raaj & Associates

Section 138: The Mandatory Internal Audit Rule

Internal audit under Section 138 of the Companies Act 2013 is not optional--it's a statutory duty for qualifying companies. Yet many business owners remain unclear about who must conduct it, what it must examine, and how it differs from statutory audit.

I'll walk you through the exact thresholds, the scope of work, and what your audit committee must oversee.

Who Must Have an Internal Audit Under Section 138?

The Companies (Accounts) Rules 2014 specify two categories of companies that must appoint an internal auditor:

Category 1: Every Company Except These

Every company incorporated under the Companies Act 2013 must have an internal audit except:

  • One-person companies (OPC)
  • Small companies (as defined in the Rules)
  • Companies exempt by notification of the Ministry of Corporate Affairs

Category 2: If Your Turnover or Paid-Up Capital Exceeds Thresholds

Even if you fall into an exempt category, you must appoint an internal auditor if your financial metrics exceed these limits (as per the Rules, last revised in 2020):

  • Turnover exceeds Rs.100 crore in the preceding financial year, OR
  • Paid-up capital exceeds Rs.10 crore at any point during the financial year

If either threshold is crossed, the exemption is lost immediately for that year and onwards.

Who Can Be Appointed as Internal Auditor?

Section 138 does not stipulate that the internal auditor must be a Chartered Accountant, but best practice and audit committee governance typically demand it. The auditor must be independent--not someone in management, on the board, or on the audit committee. The appointment and remuneration are decided by the board on the recommendation of the audit committee.

What Must the Internal Audit Cover?

The scope is defined in Rule 13 of the Companies (Accounts) Rules 2014. The internal auditor must examine and report on:

1. Compliance with Laws and Regulations

  • Whether the company complies with the Companies Act 2013, Income Tax Act 1961, GST laws, FEMA regulations, and other applicable statutes
  • Violations and corrective steps taken

2. Financial and Operational Systems

  • Design and effectiveness of internal controls
  • Risk management frameworks
  • Whether systems ensure proper safeguarding of assets
  • Accuracy and reliability of financial records and management information

3. Efficiency of Operations

  • Whether business operations are conducted efficiently
  • Adherence to internal policies and procedures
  • Cost-effectiveness of resource utilization

4. Quality of Performance

  • Achievement of organizational objectives
  • Whether performance meets strategic goals

5. Specific High-Risk Areas (when applicable)

  • Related-party transactions
  • Capex and investment decisions
  • Inventory and receivables management
  • Debt and interest compliance
  • Tax compliance (direct and indirect)

Reporting Structure and Audit Committee Role

The internal auditor reports directly to the audit committee, not to management. This is critical--it ensures independence. The audit committee must:

  • Review the internal audit plan annually
  • Monitor the auditor's independence and objectivity
  • Discuss significant findings and management's response
  • Ensure the auditor has unhindered access to records, personnel, and assets

The audit committee then reports to the board and shareholders through the Board's Report and the Corporate Governance report (in the financial statements).

Frequency and Reporting Timeline

The internal auditor typically:

  • Conducts audit procedures during the financial year (continuous or periodic)
  • Prepares reports on findings, usually monthly or quarterly
  • Submits an annual internal audit report before the end of the financial year
  • Reports to the audit committee, which then informs the board

Unlike statutory audit (which reports only at year-end), internal audit is an ongoing governance function.

Key Pitfalls Companies Miss

  • Appointing a non-independent person as internal auditor (e.g., a manager wearing two hats)--this defeats the purpose
  • Failing to brief the auditor on high-risk areas and management concerns
  • Ignoring internal audit findings--the audit committee must actively monitor follow-up
  • Conflating internal audit with statutory audit--they serve different purposes
  • Not documenting the audit plan and scope approval by the audit committee

Recent Practical Guidance

The ICAI has issued guidance on internal audit standards aligned with international standards. While not mandatory, many leading companies follow these for best practice. The audit committee should ensure the internal audit function operates under these principles:

  • Independence in fact and appearance
  • Professional competence (CA/CPA qualified)
  • Systematic methodology (risk-based audit plan)
  • Documented evidence and audit trails

What If Your Company Doesn't Qualify Yet?

If you're a small company or OPC below the thresholds, internal audit is not statutory. However, if you plan to:

  • Seek PE/VC funding
  • Go public (IPO)
  • Exceed the turnover/capital thresholds

...then appointing an internal auditor proactively demonstrates governance maturity and reduces risk.

Bottom Line

Section 138 is not a checkbox. A robust internal audit function protects your company by identifying control gaps, ensuring compliance, and improving operational efficiency--long before the statutory auditor arrives. Your audit committee's active engagement with internal audit findings is the real driver of governance value.

I'm CA Harun Raaj, Visakhapatnam. If you need clarity on internal audit scope, audit committee duties, or compliance with Section 138, reach out--I'm here to help you build governance that actually works.

Topics: internal-audit, section-138, companies-act-2013, audit-committee, compliance, turnover-threshold, paid-up-capital