Internal Audit Process India: Step-by-Step Guide for Beginners 2026

The internal audit process in India follows a structured cycle of eight steps: understanding the business, risk assessment, audit planning, developing the audit program, conducting fieldwork, documenting working papers, reporting findings, and follow-up. Mandated under Section 138 of the Companies Act 2013 for qualifying companies, internal audit evaluates internal controls, risk management, and governance processes. This guide walks you through each step with practical examples, templates, and technology tools used in 2026.

What Is Internal Audit and Why Does It Matter in India?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps organizations accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

For accounting professionals in India, internal audit has emerged as one of the fastest-growing career domains. The demand is driven by regulatory mandates under the Companies Act 2013, increasing corporate governance expectations from SEBI, the expansion of Global Capability Centers that require internal audit support for parent companies, and the growing complexity of business operations across digital, financial, and operational environments.

Unlike external or statutory audit, which focuses on providing an opinion on financial statements, internal audit has a broader mandate. It examines operational efficiency, compliance with policies and regulations, reliability of financial and management information, safeguarding of assets, and the achievement of strategic objectives. Internal auditors are essentially the organization's in-house control consultants.

The Internal Audit Process: A Bird's Eye View

The internal audit process is cyclical and continuous. It is not a one-time exercise but an ongoing program that typically follows an annual audit plan approved by the audit committee. The complete cycle consists of eight interconnected phases that build upon each other.

Phase one is understanding the business, which involves gaining knowledge of the organization's industry, operations, risk appetite, and control environment. Phase two is risk assessment, where the auditor identifies and evaluates risks across all business functions. Phase three is audit planning, where specific audit engagements are scoped, resourced, and scheduled. Phase four is developing the audit program, which creates the detailed testing procedures for each audit engagement. Phase five is fieldwork, where the actual testing and evidence gathering occurs. Phase six is documentation, where all work performed is recorded in working papers. Phase seven is reporting, where findings, conclusions, and recommendations are communicated to management and the audit committee. Phase eight is follow-up, where the implementation of agreed-upon corrective actions is monitored and verified.

Each phase has defined inputs, processes, and outputs. The quality of work in each phase directly impacts the next. Poor planning leads to inefficient fieldwork. Inadequate documentation undermines the credibility of findings. Weak follow-up renders the entire audit exercise meaningless. Understanding this interconnection is essential for any professional entering the internal audit field.

Internal audit in India operates within a robust legal and regulatory framework. The primary legislation is the Companies Act 2013, supplemented by SEBI regulations for listed companies and sector-specific requirements from regulators like RBI, IRDAI, and SEBI.

Section 138: Companies Act 2013

Section 138 of the Companies Act 2013, read with Rule 13 of the Companies (Accounts) Rules 2014, mandates the appointment of an internal auditor for the following categories of companies. Every listed company must have an internal auditor. Every unlisted public company is required to appoint an internal auditor if its turnover during the preceding financial year is INR 200 crore or more, or if its outstanding loans or borrowings from banks or public financial institutions exceed INR 100 crore at any point during the preceding financial year. Every private company must appoint an internal auditor if its turnover during the preceding financial year is INR 200 crore or more, or if its outstanding loans or borrowings from banks or public financial institutions exceed INR 100 crore at any point during the preceding financial year.

The internal auditor may be a Chartered Accountant, a Cost Accountant, or such other professional as decided by the Board of Directors. The internal auditor may be an individual or a partnership firm or a body corporate. The term of the internal auditor is determined by the Board, and unlike statutory auditors, there is no mandatory rotation requirement for internal auditors under the Companies Act.

SEBI LODR Regulations

For listed companies, the SEBI Listing Obligations and Disclosure Requirements (LODR) Regulations 2015 impose additional requirements. Regulation 18 mandates the constitution of an audit committee that oversees the internal audit function. The audit committee must review the adequacy of the internal audit function, including its structure, staffing, coverage, and frequency. It must discuss findings with the internal auditor and ensure that management takes corrective action on significant audit observations.

Standards on Internal Audit (SIA)

The Institute of Chartered Accountants of India (ICAI) has issued Standards on Internal Audit (SIA) that provide the professional framework for conducting internal audits. These include SIA 1 on planning an internal audit, SIA 2 on basic principles governing internal audit, SIA 3 on documentation, SIA 4 on reporting, SIA 5 on sampling, SIA 6 on analytical procedures, SIA 7 on reliance on the work of an expert, SIA 10 on knowledge of the entity and its environment, and SIA 11 on consideration of fraud in an internal audit. These standards are supplementary to the International Standards for the Professional Practice of Internal Auditing issued by the IIA.

International Standards: IIA Framework

The Institute of Internal Auditors (IIA) provides the globally recognized framework through the International Professional Practices Framework (IPPF). This includes the Definition of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and Implementation and Supplemental Guidance. Indian internal auditors working for MNCs, GCCs, and global organizations are expected to follow IIA standards. The CIA (Certified Internal Auditor) credential from IIA is considered the global benchmark for internal audit professionals.

Step 1: Audit Planning and Scoping

Audit planning is the foundation of an effective internal audit engagement. It typically consumes 20 to 30 percent of the total audit effort and directly determines the quality of fieldwork and reporting. Planning occurs at two levels: the annual audit plan level and the individual engagement level.

Annual Audit Plan

The annual audit plan is a strategic document that outlines all audit engagements planned for the financial year. It is prepared by the Chief Audit Executive or the lead internal auditor and approved by the audit committee. The plan considers the organization's risk profile, regulatory requirements, management priorities, available audit resources, prior year audit findings, changes in the business environment, and emerging risks.

A typical annual audit plan for a medium-sized Indian company might include 15 to 25 audit engagements covering areas such as procurement, revenue cycle, payroll, fixed assets, treasury, IT general controls, regulatory compliance, branch operations, inventory management, and special investigations. The plan allocates audit days to each engagement based on its risk rating and complexity.

Individual Engagement Planning

For each audit engagement, the planning process involves several critical steps. First, the auditor conducts a preliminary survey to understand the area being audited. This includes reviewing organizational charts, policy manuals, process flowcharts, previous audit reports, management reports, and relevant regulations. The auditor may also conduct walkthroughs of key processes to understand how transactions flow through the system.

Second, the auditor defines the audit objectives. These should be specific, measurable, and aligned with the overall purpose of the engagement. Common objectives include assessing the adequacy and effectiveness of internal controls, verifying compliance with policies and regulations, evaluating operational efficiency, and detecting errors or fraud. Each objective must be translated into testable propositions.

Third, the auditor determines the scope of the engagement. Scope defines the boundaries of the audit in terms of time period, geographic locations, business units, processes, and transactions to be covered. Scope limitations must be documented and communicated to management. Scope creep, where the audit gradually expands beyond its original boundaries, is a common challenge that must be managed through disciplined planning.

Fourth, the auditor prepares a resource plan including the team composition, skills required, estimated audit days, and timeline. Specialized audits may require team members with specific skills such as IT auditing, forensic accounting, or industry-specific knowledge. The engagement partner or manager reviews and approves the plan before fieldwork begins.

Engagement Letter and Terms of Reference

For external internal audit firms engaged by companies, a formal engagement letter is essential. This document specifies the objectives, scope, methodology, timeline, deliverables, fees, access requirements, confidentiality obligations, and reporting lines. For in-house internal audit teams, a terms of reference or audit charter serves a similar purpose, setting out the authority, responsibilities, and scope of the internal audit function.

Step 2: Risk Assessment Process

Risk assessment is the cornerstone of a risk-based internal audit approach. It determines which areas receive the most audit attention and resources. A well-executed risk assessment ensures that the internal audit function delivers maximum value by focusing on the areas that pose the greatest threats to the organization.

Understanding Risk in the Audit Context

In internal auditing, risk is defined as the possibility of an event occurring that will have an impact on the achievement of objectives. Risks can be strategic (affecting long-term goals), operational (affecting day-to-day processes), financial (affecting the accuracy of financial reporting), and compliance-related (affecting adherence to laws and regulations).

The auditor assesses both inherent risk and residual risk. Inherent risk is the level of risk before any controls are applied. Residual risk is the level of risk remaining after controls are implemented. The gap between inherent and residual risk represents the effectiveness of the organization's internal control framework.

Risk Assessment Methodology

A structured risk assessment methodology typically involves four steps. First, risk identification, where the auditor creates a comprehensive inventory of risks across all business functions. Sources of risk information include management interviews, industry benchmarks, regulatory requirements, loss data, incident reports, and external risk databases.

Second, risk analysis, where each identified risk is evaluated based on two dimensions: likelihood (the probability of the risk materializing) and impact (the consequence if it does occur). Likelihood is typically rated on a scale of 1 to 5, from rare to almost certain. Impact is rated on a similar scale, from insignificant to catastrophic. The risk score is calculated as likelihood multiplied by impact.

Third, risk evaluation, where risks are ranked and categorized into high, medium, and low categories based on their scores. High-risk areas receive priority in the audit plan and more extensive testing. Medium-risk areas receive standard audit coverage. Low-risk areas may be audited on a rotational basis or through analytical procedures only.

Fourth, risk response assessment, where the auditor evaluates the controls that management has implemented to mitigate identified risks. This includes preventive controls (designed to stop errors or irregularities before they occur), detective controls (designed to identify errors after they occur), and corrective controls (designed to fix errors once detected). The auditor assesses whether the control design is adequate and whether the controls are operating effectively.

Building a Risk Assessment Matrix

The output of the risk assessment is typically presented in a risk assessment matrix or heat map. This visual tool plots risks on a grid with likelihood on one axis and impact on the other. Risks in the top-right quadrant (high likelihood, high impact) are categorized as critical and require immediate audit attention. Risks in the bottom-left quadrant (low likelihood, low impact) may not require dedicated audit resources.

A practical risk assessment matrix for an Indian manufacturing company might identify the following high-risk areas: revenue recognition policies, inventory valuation and obsolescence, related party transactions, GST compliance, transfer pricing documentation, IT access controls and cybersecurity, vendor fraud in procurement, and labor law compliance. Each of these areas would be assigned a risk score and prioritized accordingly in the annual audit plan.

Step 3: Developing the Audit Program

The audit program is the detailed roadmap for conducting fieldwork. It translates audit objectives into specific testing procedures and serves as a guide for the audit team during execution. A well-designed audit program ensures consistent, thorough, and efficient fieldwork.

Components of an Audit Program

A comprehensive audit program includes the following elements. The engagement overview section states the audit objectives, scope, period under review, and key contacts. The process understanding section documents the business process being audited, including narrative descriptions, flowcharts, and key controls identified during planning. The risk and control matrix section maps identified risks to specific controls and defines the testing approach for each control.

The testing procedures section is the core of the audit program. It specifies, for each control or audit objective, the nature of the test (inquiry, observation, inspection, re-performance, or analytical procedure), the timing of the test (interim or year-end), the extent of the test (sample size or coverage), and the expected results. The resource allocation section assigns specific procedures to team members with estimated hours.

Types of Audit Tests

Internal auditors use two primary categories of testing. Compliance tests, also known as tests of controls, evaluate whether internal controls are functioning as designed. For example, testing whether all purchase orders above INR 5 lakhs have been authorized by the designated authority, whether bank reconciliations are prepared monthly and reviewed by the finance manager, whether employee access rights in the ERP system are reviewed quarterly, and whether physical inventory counts are conducted semi-annually as per policy.

Substantive tests verify the accuracy, completeness, and validity of financial data and transactions. These include vouching (tracing recorded transactions to supporting documents), verification (confirming that assets exist and liabilities are real), analytical procedures (comparing financial data against expectations based on prior periods, budgets, or industry benchmarks), and confirmation (obtaining direct third-party verification of balances or transactions).

Sampling Methodology

Since it is impractical to test every transaction, internal auditors use sampling techniques. Statistical sampling uses mathematical methods to select a representative sample and project results to the entire population. Common methods include random sampling, systematic sampling, and monetary unit sampling. Non-statistical or judgmental sampling relies on the auditor's professional judgment to select items for testing. This is often used for testing controls or investigating specific anomalies.

The sample size depends on the population size, the expected error rate, the desired confidence level, and the tolerable deviation rate. For a population of 10,000 purchase orders with an expected deviation rate of 2% and a confidence level of 95%, a statistical sample of approximately 150 items would be required. However, for smaller populations or lower-risk areas, judgmental samples of 25 to 50 items are common in Indian internal audit practice.

Step 4: Fieldwork and Testing Methods

Fieldwork is where the audit plan comes to life. It involves executing the testing procedures defined in the audit program, gathering evidence, and identifying findings. Fieldwork is typically the most time-intensive phase, consuming 40 to 50 percent of the total audit effort.

Evidence Gathering Techniques

The auditor employs multiple techniques to gather sufficient and appropriate audit evidence. Physical inspection involves examining tangible assets, documents, and records. For inventory audits, the auditor conducts physical counts and reconciles them to book records. For fixed asset audits, the auditor verifies the existence and condition of assets through physical verification.

Observation involves watching processes and procedures as they are performed in real time. The auditor might observe the cashier's handling of collections, the warehouse receiving process, or the IT team's incident response procedures. Observation provides evidence that controls exist and are being followed, but it is limited to the point in time when the observation occurs.

Inquiry involves asking questions of knowledgeable individuals within and outside the organization. The auditor conducts structured interviews with process owners, department heads, and operational staff to understand procedures, identify control gaps, and corroborate other evidence. Inquiry alone is not sufficient audit evidence and must be corroborated with other techniques.

Confirmation involves obtaining written responses from third parties. The auditor may confirm account balances with banks, receivable balances with customers, payable balances with vendors, or terms of agreements with counterparties. Confirmations provide highly reliable evidence because they come from external, independent sources.

Recalculation involves independently verifying mathematical computations. The auditor recalculates depreciation charges, interest accruals, tax provisions, inventory valuations, and other calculations to verify their accuracy. Re-performance involves independently executing procedures or controls that were originally performed by the entity's personnel.

Analytical procedures involve evaluating financial information through the study of plausible relationships among financial and non-financial data. Common analytical procedures include trend analysis (comparing current year figures with prior periods), ratio analysis (computing key financial ratios and comparing them with benchmarks), and reasonableness testing (comparing actual results with budgets or forecasts and investigating significant variances).

Conducting Walkthroughs

A walkthrough traces a single transaction from its origin through the entire process to its final recording in the financial statements. For a purchase-to-pay walkthrough, the auditor would follow one purchase requisition from its creation, through approval, vendor selection, purchase order generation, goods receipt, invoice matching, payment processing, and accounting entry. Walkthroughs help the auditor understand the process, identify key controls and control gaps, and design appropriate testing procedures.

Identifying and Documenting Findings

During fieldwork, the auditor identifies deviations from expected results. Each finding is documented using the CCER framework. The Condition describes what was found, the factual observation. The Criteria states the benchmark or standard against which the condition is evaluated. The Cause explains why the deviation occurred. The Effect describes the actual or potential impact of the finding. The Recommendation proposes corrective action to address the root cause.

Findings are categorized by severity. Critical findings indicate material control weaknesses that could result in significant financial loss, regulatory penalties, or reputational damage. High findings represent significant control deficiencies that require prompt corrective action. Medium findings are moderate issues that should be addressed within a reasonable timeframe. Low findings are minor observations or opportunities for improvement.

Step 5: Working Papers Documentation

Working papers are the backbone of the audit. They provide evidence that the audit was conducted in accordance with professional standards, support the auditor's findings and conclusions, facilitate review and supervision, and serve as a reference for future audits.

Structure of Working Papers

Working papers are typically organized in a structured file system. The permanent file contains information of continuing relevance, including the audit charter, organization charts, copies of key policies, prior year audit reports, and the entity's regulatory filings. The current file contains documentation specific to the current engagement, including the audit plan, audit program, evidence gathered during fieldwork, findings, and the draft report.

Within the current file, documentation is organized by audit area or process. Each section contains the audit program with sign-offs for completed procedures, supporting schedules and analyses, copies of relevant documents and records, test results with conclusions, and cross-references to findings in the audit report.

Documentation Standards

SIA 3 issued by ICAI and IIA Standard 2330 prescribe the following documentation standards. Working papers must be complete, meaning they contain sufficient information to enable an experienced auditor who had no previous connection with the audit to understand the nature, timing, and extent of procedures performed, the results of those procedures, and the evidence obtained. Working papers must be accurate, legible, and properly referenced. Each working paper must include the name of the entity, the audit area, the period covered, the preparer's initials and date, the reviewer's initials and date, and a clear conclusion.

In modern practice, most working papers are maintained electronically using audit management software. Paper-based documentation is increasingly rare, except for copies of physical documents that cannot be scanned. Electronic working papers offer advantages in terms of standardization, searchability, version control, and remote access.

Review Process

Working papers undergo multiple levels of review. The preparer (audit staff) creates the documentation and performs the initial quality check. The reviewer (audit manager or engagement partner) reviews the work for completeness, accuracy, and adequacy of evidence. The reviewer challenges assumptions, questions conclusions, and ensures that findings are properly supported. Review notes are documented and resolved before the audit report is finalized. This review process is critical for maintaining audit quality and ensuring consistency across the team.

Step 6: Audit Reporting

The audit report is the primary deliverable of the internal audit engagement. It communicates findings, conclusions, and recommendations to management and the audit committee. An effective report drives action and adds value to the organization.

Report Structure

A well-structured internal audit report includes the following sections. The executive summary provides a high-level overview of the audit scope, key findings, and overall conclusion. It is written for senior management and the audit committee, who may not read the detailed sections. The overall opinion states the auditor's assessment of the adequacy and effectiveness of internal controls in the area audited. Opinions are typically expressed as satisfactory, needs improvement, or unsatisfactory.

The detailed findings section presents each finding using the CCER format described earlier. Each finding includes the risk rating (critical, high, medium, or low), management's response (agreement or disagreement with the finding), the agreed-upon corrective action, the responsible person, and the target completion date. The appendices may include supporting data, benchmarks, process flowcharts, and detailed test results.

Report Writing Best Practices

Effective audit reports follow several principles. They are objective and balanced, presenting both weaknesses and strengths identified during the audit. They are factual and evidence-based, avoiding speculation or unsupported assertions. They are constructive, framing recommendations as improvements rather than criticisms. They are concise, using clear and direct language without unnecessary jargon. They are timely, issued promptly after fieldwork completion to maintain relevance.

The report should use visual elements such as risk rating dashboards, trend charts showing the evolution of findings over multiple audit cycles, and heat maps for the risk assessment. These visual elements make the report more accessible and actionable for non-audit audiences.

Exit Conference

Before issuing the final report, the auditor conducts an exit conference with management. This meeting serves to present the draft findings, validate factual accuracy, discuss management's response and corrective action plans, resolve any disagreements, and agree on timelines for remediation. The exit conference is a critical step that ensures the report is fair, accurate, and actionable. Any changes made as a result of the exit conference are documented in the final report.

Step 7: Follow-Up and Monitoring

The follow-up process ensures that management's corrective actions are implemented effectively and on time. Without robust follow-up, even the best audit findings remain just recommendations on paper, and the value of the internal audit function diminishes significantly.

Follow-Up Process

The follow-up process begins immediately after the audit report is issued. The auditor maintains a tracker of all open audit findings, categorized by risk rating, responsible person, and target completion date. At the agreed-upon date, the auditor verifies whether the corrective action has been implemented by reviewing evidence of implementation, such as updated policies, new controls, system configurations, or corrective transactions.

If the corrective action has been fully implemented and is operating effectively, the finding is closed. If the action has been partially implemented, the finding remains open with a revised target date. If no action has been taken despite the deadline passing, the finding is escalated. Escalation typically follows a defined protocol: first to the process owner's superior, then to the Chief Financial Officer, and finally to the audit committee.

Continuous Monitoring

Advanced internal audit functions implement continuous monitoring programs that supplement periodic audits. Continuous monitoring uses automated tools to test controls and detect anomalies on an ongoing basis. For example, continuous monitoring might automatically flag all journal entries exceeding INR 50 lakhs for review, identify duplicate payments in the accounts payable system, monitor access logs for unauthorized system access attempts, track vendor master file changes for potential fraud indicators, and compare actual expenditure against approved budgets in real time.

Continuous monitoring bridges the gap between periodic audits and provides near-real-time assurance over key risk areas. It is particularly valuable in organizations with high transaction volumes, such as banks, insurance companies, and large manufacturing enterprises.
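Three of the monitoring rules listed above, written as an added example (not code from this guide or from any audit product) and run over constructed records. The field names, the invoice normalisation and the 7-day window between a bank detail change and a payment are assumptions chosen for illustration.

```python
"""Three continuous-monitoring rules run over constructed ledger extracts."""
from collections import defaultdict
from datetime import date

JOURNAL_REVIEW_LIMIT_INR = 50 * 100_000  # INR 50 lakhs, the threshold quoted above

# Constructed sample records; field names are assumptions, not an ERP schema.
JOURNALS = [
    {"id": "JE-1001", "amount": 1_250_000, "posted_by": "u.sharma"},
    {"id": "JE-1002", "amount": 7_400_000, "posted_by": "a.iyer"},
    {"id": "JE-1003", "amount": 5_000_000, "posted_by": "a.iyer"},  # exactly at the limit
]
PAYMENTS = [
    {"id": "PAY-01", "vendor": "V-100", "invoice": "INV/2026/0042",
     "amount": 118_000, "paid_on": date(2026, 1, 5)},
    {"id": "PAY-02", "vendor": "V-100", "invoice": "inv-2026-0042",
     "amount": 118_000, "paid_on": date(2026, 1, 19)},  # same invoice, re-keyed
    {"id": "PAY-03", "vendor": "V-200", "invoice": "7781",
     "amount": 56_000, "paid_on": date(2026, 1, 20)},
    {"id": "PAY-04", "vendor": "V-300", "invoice": "A-19",
     "amount": 240_000, "paid_on": date(2026, 1, 22)},
]
VENDOR_CHANGES = [
    {"vendor": "V-300", "field": "bank_account",
     "changed_on": date(2026, 1, 20), "changed_by": "k.rao"},
    {"vendor": "V-200", "field": "address",
     "changed_on": date(2026, 1, 18), "changed_by": "k.rao"},
    {"vendor": "V-100", "field": "bank_account",
     "changed_on": date(2025, 10, 1), "changed_by": "m.das"},
]


def flag_large_journals(journals, limit=JOURNAL_REVIEW_LIMIT_INR):
    """Journal entries strictly exceeding the review limit."""
    return [j["id"] for j in journals if j["amount"] > limit]


def normalise_invoice(ref):
    """Drop case and punctuation so re-keyed invoice numbers still collide."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def find_duplicate_payments(payments):
    """Group payments sharing vendor, normalised invoice number and amount."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["vendor"], normalise_invoice(p["invoice"]), p["amount"])
        groups[key].append(p["id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def payments_after_bank_change(payments, changes, window_days=7):
    """Payments made within window_days after a vendor's bank details changed."""
    hits = []
    for c in changes:
        if c["field"] != "bank_account":
            continue  # only payment-routing fields matter for this rule
        for p in payments:
            gap = (p["paid_on"] - c["changed_on"]).days
            if p["vendor"] == c["vendor"] and 0 <= gap <= window_days:
                hits.append((p["id"], c["vendor"], c["changed_by"], gap))
    return hits


def run_monitoring():
    """Run all three rules and return the exceptions for auditor review."""
    return {
        "large_journals": flag_large_journals(JOURNALS),
        "duplicate_payments": find_duplicate_payments(PAYMENTS),
        "paid_after_bank_change": payments_after_bank_change(PAYMENTS, VENDOR_CHANGES),
    }


if __name__ == "__main__":
    for rule, exceptions in run_monitoring().items():
        print(rule, exceptions)
```

Each hit is an exception queued for review, not a finding: the auditor still has to establish the condition, criteria and cause before it enters the report.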

Technology in Internal Audit: 2026 Landscape

Technology has fundamentally transformed the internal audit profession. In 2026, internal audit teams in India are leveraging a range of digital tools to increase coverage, improve efficiency, and deliver deeper insights.

Data Analytics

Data analytics is now a core competency for internal auditors. Instead of testing samples of 25 to 50 transactions, auditors can analyze entire populations of thousands or millions of transactions using tools like ACL Analytics, IDEA, Power BI, and Python-based scripts. Common analytics applications include Benford's Law analysis to detect anomalies in journal entries, duplicate detection algorithms for payments and invoices, stratification analysis to identify unusual patterns in expense claims, aging analysis for receivables and payables, and three-way match verification across purchase orders, goods receipts, and invoices.
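The Benford's Law analysis mentioned above, as an added example that is not part of the original guide: it compares the first-digit distribution of a whole population against the Benford expectation. The two ledgers are constructed, the INR 5 lakh approval limit is an assumed figure, and the chi-square test at the 5% level is one common choice of conformity measure rather than something the guide prescribes.

```python
"""First-digit (Benford's Law) screen over two constructed journal populations."""
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom at the 5% level.
CHI2_CRITICAL_DF8 = 15.507


def first_digit(amount):
    """Leading non-zero digit of the whole-rupee part, or None if it is zero."""
    text = str(abs(int(amount))).lstrip("0")
    return int(text[0]) if text else None


def benford_screen(amounts):
    """Compare observed first-digit counts with the Benford expectation."""
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    n = len(digits)
    observed = Counter(digits)
    chi2, rows = 0.0, []
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)  # Benford probability times n
        chi2 += (observed[d] - expected) ** 2 / expected
        rows.append({"digit": d, "observed": observed[d],
                     "expected": round(expected, 1)})
    worst = max(rows, key=lambda r: r["observed"] - r["expected"])
    return {
        "n": n,
        "chi2": round(chi2, 2),
        "conforms": chi2 <= CHI2_CRITICAL_DF8,
        "most_over_represented": worst["digit"],
        "rows": rows,
    }


def constructed_clean_ledger():
    """400 constructed amounts spread evenly on a log scale, INR 100 to about 10 lakh."""
    return [int(10 ** (2 + (k + 0.5) / 100)) for k in range(400)]


def constructed_skewed_ledger():
    """The clean ledger plus 60 constructed entries just under an assumed
    INR 5 lakh approval limit, the pattern left by splitting or shaving
    amounts to stay below an authorisation threshold."""
    return constructed_clean_ledger() + [490_000 + 137 * i for i in range(60)]


if __name__ == "__main__":
    for name, ledger in (("clean", constructed_clean_ledger()),
                         ("skewed", constructed_skewed_ledger())):
        result = benford_screen(ledger)
        print(name, "n =", result["n"], "chi2 =", result["chi2"],
              "conforms =", result["conforms"],
              "over-represented digit =", result["most_over_represented"])
```

The screen is only meaningful for populations that span several orders of magnitude, and a failed test is a lead for targeted testing of the over-represented digit band, not evidence of fraud on its own.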

Audit Management Software

Audit management platforms like TeamMate+, AuditBoard, Diligent HighBond, and Galvanize provide end-to-end workflow management for internal audit teams. These platforms support risk assessment and audit planning, audit program management, working paper documentation and review, findings tracking and follow-up, reporting and dashboards, and compliance with professional standards. In India, even mid-sized internal audit firms are adopting these platforms to improve quality and efficiency.

Robotic Process Automation (RPA)

RPA tools like UiPath, Automation Anywhere, and Blue Prism automate repetitive audit tasks such as data extraction from multiple systems, reconciliation of large datasets, standard compliance checks, and report generation. By automating routine work, RPA allows auditors to focus on higher-value activities like risk assessment, root cause analysis, and strategic recommendations.

Artificial Intelligence and Machine Learning

AI and ML are being applied in advanced internal audit functions for predictive risk assessment, natural language processing of contracts and regulatory documents, anomaly detection using unsupervised learning algorithms, and sentiment analysis of employee communications to identify potential fraud or compliance risks. While these applications are still emerging in most Indian organizations, large GCCs and multinational internal audit departments are actively piloting and deploying AI-powered audit tools.

Internal Audit Standards: Quick Reference

| Standard | Issued By | Coverage | Applicability |
|---|---|---|---|
| SIA 1-18 | ICAI | Planning, documentation, reporting, fraud | Indian companies under Companies Act |
| IIA Standards (IPPF) | IIA | Attribute and performance standards | Global, MNCs, GCCs |
| COSO Framework | COSO | Internal control, ERM, fraud risk | US-listed companies, SOX compliance |
| SA 610 | ICAI/IAASB | Using work of internal auditors | Statutory auditor reliance on IA |
| ISO 19011:2018 | ISO | Management systems auditing | Quality and compliance audits |

Career Paths in Internal Audit: India 2026

Internal audit offers a diverse and rewarding career path for accounting professionals in India. The career trajectory typically follows a structured progression. Entry-level roles include Internal Audit Associate and Audit Analyst, with starting salaries of INR 4 to 7 LPA for CAs and INR 6 to 10 LPA for CIA or CPA holders. After three to five years, professionals move into Senior Internal Auditor or Audit Manager roles earning INR 10 to 20 LPA. At the senior level, positions such as Internal Audit Director, Chief Audit Executive, and VP of Internal Audit command packages of INR 25 to 60 LPA in large Indian corporations and MNCs.

GCCs and MNCs in India offer particularly attractive opportunities for internal auditors. Companies like Amazon, JP Morgan, Goldman Sachs, Deloitte, and HSBC have dedicated internal audit teams in India that support global operations. These roles often involve travel, exposure to international standards, and the opportunity to work on complex, cross-border audit engagements. CPA and CIA qualifications significantly enhance career prospects in these organizations.

The Big 4 firms (Deloitte, PwC, EY, and KPMG) have large internal audit and risk advisory practices in India. These firms provide internal audit services to a wide range of clients across industries. Working in Big 4 internal audit provides excellent training, broad exposure, and strong career progression opportunities. Starting salaries at Big 4 for internal audit roles range from INR 7 to 12 LPA, with rapid growth based on performance.

Frequently Asked Questions

The internal audit process in India follows a systematic cycle of eight steps: understanding the business and its environment, conducting risk assessment, developing the annual audit plan and individual engagement plans, creating the audit program with detailed testing procedures, executing fieldwork through compliance and substantive testing, documenting all work in working papers, issuing the audit report with findings and recommendations, and conducting follow-up to verify implementation of corrective actions. This process is governed by ICAI's Standards on Internal Audit (SIA) and aligns with the IIA's International Professional Practices Framework (IPPF).

Internal audit planning involves understanding the entity and its environment, reviewing previous audit reports, conducting a risk assessment to prioritize areas, defining audit objectives and scope, allocating team resources and timelines, preparing the audit program with detailed testing procedures, and obtaining management and audit committee approval. Planning typically takes 20-30% of total audit effort. Both the annual audit plan (strategic level) and individual engagement plans (tactical level) must be developed.

Compliance testing evaluates whether internal controls are operating effectively as designed, for example by checking whether purchase orders above INR 5 lakhs have the required dual authorization. Substantive testing directly verifies the accuracy and completeness of financial data, such as vouching expense entries to supporting invoices or confirming bank balances. Compliance tests assess the process, while substantive tests assess the outcome. Most internal audits use a combination of both, with the mix depending on the auditor's assessment of control risk.

Working papers are the documented evidence that supports an auditor's findings and conclusions. They include the audit program, checklists, flowcharts, copies of key documents, test results, interview notes, analytical computations, and draft reports. Good working papers are complete (sufficient for an uninvolved reviewer to understand the work), accurate, properly referenced, and signed by the preparer and reviewer. Most organizations now maintain electronic working papers using audit management software like TeamMate or AuditBoard.

Yes, Section 138 of the Companies Act 2013 mandates internal audit for certain categories of companies: every listed company, unlisted public companies with turnover of INR 200 crore or more or outstanding loans exceeding INR 100 crore, and private companies with turnover of INR 200 crore or more or outstanding loans exceeding INR 100 crore. The internal auditor must be a CA, Cost Accountant, or other professional as decided by the Board. Non-compliance can attract penalties under the Act.

A risk-based approach prioritizes audit activities based on risk levels rather than auditing everything equally. The auditor identifies all risks through risk assessment, evaluates each based on likelihood and impact, categorizes them as high, medium, or low, and allocates more resources to higher-risk areas. This approach ensures that the most significant risks receive the most attention, maximizing the value of the internal audit function. It is the recommended approach under both IIA Standards and ICAI's SIA framework.

Modern internal audit teams use data analytics tools (ACL Analytics, IDEA, Python, Power BI) for testing entire transaction populations, audit management software (TeamMate+, AuditBoard, Galvanize) for workflow management, RPA tools (UiPath, Automation Anywhere) for automating repetitive tasks, and increasingly AI and ML for predictive risk assessment and anomaly detection. Excel remains widely used but is being supplemented by specialized tools. GCCs and Big 4 firms in India are leading the adoption of advanced audit technology.

An effective internal audit report includes an executive summary for senior management, an overall opinion on internal control adequacy, detailed findings using the CCER format (Condition, Criteria, Cause, Effect, Recommendation), risk ratings for each finding, management responses with action plans and timelines, and supporting appendices. Keep language objective, factual, and constructive. Present findings from highest to lowest severity. Conduct an exit conference with management before finalizing the report to validate accuracy and agree on corrective actions.

CA (Chartered Accountant) is the most preferred qualification for internal audit in India. Other valued credentials include CIA (Certified Internal Auditor) from IIA, which is the global standard; US CPA for MNC and GCC roles; CMA for cost and management audit; CISA for IT audit; and CFE (Certified Fraud Examiner) for forensic audit. MBA Finance graduates also enter the field. For career advancement to leadership roles like Chief Audit Executive, a combination of professional qualifications, industry experience, and strong communication skills is essential.

Under Section 177 of the Companies Act 2013 and SEBI LODR Regulations, the audit committee approves the annual internal audit plan, reviews audit reports and findings, monitors implementation of corrective actions, evaluates the effectiveness of internal controls, ensures the independence of the internal auditor, and reports significant findings to the board. For listed companies, the committee must meet at least four times a year and consists primarily of independent directors. The internal auditor reports functionally to the audit committee to maintain independence from management.

Key Takeaways

  • The internal audit process follows eight interconnected phases: understand the business, assess risks, plan the audit, develop the program, conduct fieldwork, document working papers, report findings, and follow up.
  • Section 138 of the Companies Act 2013 mandates internal audit for listed companies, public companies with turnover over INR 200 crore, and private companies meeting specified thresholds.
  • Risk-based auditing is the modern standard: prioritize audit resources based on likelihood and impact of risks rather than auditing everything equally.
  • Compliance tests evaluate whether controls work as designed; substantive tests verify the accuracy and completeness of financial data. Use both together.
  • Working papers must be complete, accurate, and reviewable. They serve as evidence of work performed and the basis for audit findings.
  • Audit reports follow the CCER format: Condition, Criteria, Cause, Effect, and Recommendation. Categorize findings by severity.
  • Follow-up is critical: without verifying corrective actions, audit findings are just recommendations on paper.
  • Technology is transforming internal audit: data analytics, audit management software, RPA, and AI are now core tools.
  • Career progression in internal audit: Associate (INR 4-10 LPA) to Manager (INR 10-20 LPA) to Director/CAE (INR 25-60 LPA).
  • Key qualifications: CA, CIA, US CPA, CISA, and CFE. A combination of credentials and industry experience accelerates career growth.
