Internal Audit Applicability: Is It Mandatory for Your Business To Appoint Internal Auditior?
A founder was preparing documents for a funding discussion when one question suddenly changed the mood in the room: “Have you complied with the applicability of internal audit?”
He had no answer. Like many business owners, he assumed an internal audit was only for large listed companies. Later, he found out that private companies can also fall under mandatory internal audit rules once certain turnover or borrowing limits are crossed.
That is where many businesses struggle. The rules sound technical, the thresholds create confusion, and people often mix up statutory audit with internal audit. By the time they understand the compliance requirement, deadlines may already be close.
This blog breaks down the applicability of internal audit in simple words. We will discuss who needs an internal auditor, threshold limits under the Companies Act, applicability for private companies and startups, common mistakes businesses make, and what companies should know in 2026.
What is Internal Audit?
Internal audit is a process where a qualified professional reviews your company’s internal systems, finances, operations, compliance, and risk, and gives suggestions for improvement. The aim is to ensure everything is in order and running as expected.
This is not the same as a statutory audit (done at year-end). Internal audits happen throughout the year and are often tailored to your business needs.
Think of it as a preventive health check-up for your company, regular, independent, and useful.
Why Does the Internal Audit Applicability Matter?
Many businesses treat internal audit like just another compliance requirement. That mindset usually changes once a real operational problem appears.
A weak approval system can quietly increase unnecessary expenses for months. Poor inventory tracking may create losses that nobody notices immediately. Small compliance gaps can become major issues during investor due diligence or lender reviews.
That is why the applicability of internal audit matters beyond legal compliance.
Yes, the Companies Act makes internal audit mandatory for companies. But in 2026, businesses are also using internal audits to:
- strengthen governance,
- improve operational control,
- reduce fraud risk,
- prepare for fundraising,
- and build investor confidence.
Even startups below mandatory thresholds are voluntarily adopting internal audit systems because governance expectations have changed significantly.
The Legal Framework: Section 138 of the Companies Act, 2013
The Companies Act, 2013 (Section 138) and Rule 13 of the Companies (Accounts) Rules, 2014 lay down when internal audits become mandatory.
According to this rule, certain companies must appoint a Chartered Accountant, Cost Accountant, or any other qualified professional to carry out an internal audit. This rule came into effect from 1st April 2014.
Now let’s talk about internal audit applicability limits.
Latest Internal Audit Compliance Updates in 2026
There has not been a major change in internal audit threshold limits recently, but businesses are facing much higher compliance expectations in 2026.
1. Increased Governance Demands
In 2026, businesses will be watched more closely. Investors, lenders and even larger clients want to see that a company has the right internal controls in place before they move forward with funding or collaborations.
2. More Documentation Consideration
Today, many organisations are more cautious than they have been about clearances, compliance documentation and financial documents. Lack of documentation or poor documentation can cause headaches very rapidly during audits, investor checks or due diligence conversations.
3. Audits Led by Technology
Many businesses are no longer managing internal audits manually like before. Instead of checking everything on spreadsheets and paperwork alone, companies now use ERP systems, automated reports, and smart audit tools to make tracking easier and identify issues much faster.
4.Startup compliance changes
Starting from 2026, internal audit is becoming more prevalent for startups, MSMEs and family-run firms, especially for organizations preparing for development, finance or expansion.
What Are The Key Roles of An Internal Auditor?
- Risk Assessment – Assess the effectiveness of the company’s risk management system and identify potential risks.
- Compliance – Ensure the organization complies with relevant laws, regulations, and policies.
- Internal controls – It also assesses the internal control that protects the company’s assets and aims to strengthen them.
- Fraud detection and prevention – They play a crucial role in safeguarding the company’s assets by detecting and preventing fraudulent activities.
Do You Need Internal Audit? Quick Decision Tool
Use this simple checklist.
| Question | If Yes |
|---|---|
| Is your company listed? | Internal audit mandatory |
| Is turnover above ₹200 crore? | Internal audit may apply |
| Are borrowings above ₹100 crore? | Applicability likely triggered |
| Are deposits above ₹25 crore? | Check compliance immediately |
| Are you preparing for fundraising? | Internal audit strongly recommended |
| Is your business scaling rapidly? | Governance review recommended |
Expert Insight: If you are a ₹150 Crore company (legally exempt), but your Statutory Auditor feels your operations are complex, they may still flag the absence of an internal audit as a “weakness in internal financial controls.” This can lead to a qualified audit report, which negatively impacts your CIBIL MSME Rank and future loan eligibility.
Internal Audit Applicability: Who Must Appoint an Internal Auditor?
The internal audit applicability limits depend on the type of company and some financial thresholds. Here’s a breakdown:
1. Listed Companies
If your company is listed on a stock exchange, then an internal audit is compulsory. No exceptions.
As per the recent update from SEBI for listed companies in India, RPTs (Related-Party Transactions) for listed companies now require certification by the CEO and CFO to the audit committee. This is to confirm that the terms between them are in the company’s best interest.
2. Unlisted Public Companies
If your unlisted public company fits any of the below, you must appoint an internal auditor:
- Turnover of ₹200 crore or more during the last financial year
- Paid-up share capital of ₹50 crore or more during the last financial year
- Outstanding loans or borrowings from banks or public financial institutions exceeding ₹100 crore at any point in time during the last financial year
- Outstanding deposits of ₹25 crore or more at any point in time during the last financial year
Even if you meet just one of these, the applicability of internal audit kicks in.
3. Private Companies
In the case of private limited companies, internal audit becomes mandatory if:
- Turnover is ₹200 crore or more during the last financial year, OR
- Loans or borrowings from banks or public financial institutions exceeded ₹100 crore at any point of time during the last financial year
Notice that for private companies, only two factors are checked: turnover and loans. If you meet either one, an internal audit is required.
Internal Audit Applicability: LLP vs Private Limited vs Public Companies
| Company Type | Is Internal Audit Mandatory? | Applicability Criteria | Key Insights |
|---|---|---|---|
| LLP (Limited Liability Partnership) | Not mandatory under the Companies Act | No specific internal audit requirement under the LLP Act | LLPs may still conduct an internal audit voluntarily for governance, lenders, or investor requirements |
| Private Limited Company | Mandatory if any one threshold is met | – Turnover ≥ ₹200 crore in the previous FY – Loans/Borrowings ≥ ₹100 crore at any time during the previous FY | Small and early-stage startups usually fall outside mandatory limits. Compliance is triggered mainly for mid- to large-sized private companies |
| Unlisted Public Company | Mandatory if any one threshold is met | – Paid-up Share Capital ≥ ₹50 crore – Turnover ≥ ₹200 crore – Loans/Borrowings ≥ ₹100 crore at any time – Deposits ≥ ₹25 crore at any time | Most growing public companies fall under mandatory internal audit due to wider compliance expectations |
| Listed Public Company | Always mandatory | No financial threshold — applies automatically once listed | Listed entities have the strictest governance norms; internal audit is compulsory, irrespective of size |
Internal Audit Applicability: Voluntary vs Mandatory Compliance
Many companies that aren’t legally bound still go for internal audits. Why? Because the benefits are real. Internal audit helps:
- Find weaknesses before they become costly problems.
- Ensure compliance with tax laws and regulations.
- Improve decision-making with clear data.
- Boost investor confidence
This is one reason why internal audit for startups, MSMEs, and even family-run businesses is becoming more common in 2026.
Internal audit isn’t a cost—it's a compass. It tells you where risks hide, and where your business can grow smarter
Applicability of Internal Financial Control & Reporting (ICFR)
Alongside internal audit, there’s another requirement under Section 134(5) of the Companies Act: internal financial control (IFC). All companies are expected to develop proper IFC systems to ensure reliable financial reporting.
For listed and unlisted public companies and the below-mentioned Private Companies, the applicability of internal financial control reporting is mandatory. They must state in their board report whether IFC systems are adequate and working properly.
Applicability of IFC for Private Companies:
- Which is not a small company or a one-person Company; or
- Has a turnover of more than 50 crore as per the latest audited financial statement, or borrowings of more than 25 crore from a bank or financial institutions or any body corporate at any point in time during the financial year; or
- Which has committed a default in filing the financial statements under section 137 of the Companies Act, 2013, or an annual return under section 92 of the Companies Act, 2013.
Internal Financial Control (IFC) Applicability Matrix
| Company Type | Trigger Criteria | Thresholds | IFC Reporting Mandatory? | Remarks & Insights |
|---|---|---|---|---|
| Listed Company | All listed entities as per Companies Act, 2013 | No financial threshold; applies automatically once listed | Yes | Must report in Board’s Report under Section 134(5) on adequacy and operating effectiveness of IFC |
| Unlisted Public Company | Turnover, borrowings, or filing defaults | Any ONE of the following: Turnover > ₹50 crore (latest audited FS) Borrowings > ₹25 crore from bank/FI/body corporate at any time in FY Default in filing financial statements under Sec. 137 or annual return under Sec. 92 | Yes | IFC ensures effective internal controls over financial reporting; separate from internal audit requirements |
| Private Company | Not a small company/OPC OR financial triggers met | Any ONE of the following: Turnover > ₹50 crore (latest audited FS) Borrowings > ₹25 crore from bank/FI/body corporate at any time in FY Default in filing under Sec. 137 or Sec. 92 | Yes | Small companies and OPCs exempt unless thresholds crossed or defaults made |
| Small Company / OPC | Meets criteria under Sec. 2(85) or Sec. 2(62) | Exempt unless thresholds above are crossed | No | May still voluntarily adopt IFC for governance improvements |
| Voluntary IFC Implementation | Board decision or best-practice adoption | No legal threshold | Optional | Often adopted by growing businesses to prepare for future compliance needs |
How Did M S N A & Associates Performed Risk Based Internal Audit?
Understanding Internal Audit Applicability and Eligibility of Internal Auditors
The Companies Act gives companies some flexibility. The internal auditor can be:
- A Chartered Accountant (CA)
- A Cost Accountant
- Or any other professional decided by the Board
They can either be an employee of the company or an external consultant. However, they cannot be the same person doing your statutory audit. There must be independence. M S N A & Associates LLP offers internal auditing services in India. Talk to our team today if you want any assistance with Internal Auditing for your company.
How To Appoint Internal Auditor?
Appointing an internal auditor isn’t a complex process, but it must follow the proper steps to stay compliant with the applicability of internal audit rules.
- First, the company must get written consent from the proposed auditor.
- Then, a board resolution should be passed in a meeting. If required, Form MGT-14 must be filed with the Registrar of Companies (ROC).
- After that, a formal appointment letter is issued, clearly stating the scope, time period, and fees.
If there’s an audit committee, they must approve the appointment before it’s finalized.
Internal Audit Applicability Under Companies Act: Penalties for Non-Compliance
If your business is required to have an internal audit and you skip it, penalties can follow.
As per Section 450 of the Companies Act:
- The company and every officer responsible can be fined ₹10,000
- If the issue continues, there’s a daily fine of ₹1,000
- The total penalty can go up to ₹2,00,000
In short, non-compliance isn’t worth the risk, especially when internal audits can actually protect your business.
What Is The Scope and Frequency of Internal Audit Under Internal Audit Applicability?
There’s no fixed format when it comes to internal audits. The scope and frequency usually depend on what the company needs and are decided by the Board or Audit Committee.
As per the applicability of internal audit, businesses can choose to conduct audits quarterly, half-yearly, or even monthly, based on their size and complexity.
The internal audit may cover areas like:
- Order to Cash
- Procure to Pay (Procurement)
- Fixed Assets Management
- Book Closure Process
- Statutory Compliance
- Treasury and Banking operations
- Inventory Management
- Information Technology General Controls
- Any other risks perceived by management
Penalties for Non-compliance with Internal audits
The Companies Act 2013 has no specific penalty section for non-compliance with internal audits mandated under Section 138. However, Section 450 applies in such cases.
- The company and any officer deemed responsible for non-compliance can be penalised.
- The initial penalty can be up to ₹10,000.
- If the non-compliance continues, an additional fine of ₹1,000 can be levied for each additional day.
- Offences under Section 450 are compoundable. This means the company can approach the relevant authority and settle the penalty without going to court.
Common Mistakes Businesses Make in Internal Audit Compliance
Many businesses misunderstand internal audit applicability, which can lead to non-compliance and operational risks. Here are some of the most common mistakes:
1. Assuming Internal Audit Applies Only to Large or Listed Companies
Many companies believe internal audits are only for listed entities. In reality, even private and unlisted public companies must comply if they cross specific financial thresholds.
2. Ignoring Borrowing-Based Applicability
Businesses often track turnover but overlook loan or borrowing limits. Internal audit can become mandatory solely because borrowings exceed ₹100 crore, even if turnover is low.
3. Confusing Internal Audit with Statutory Audit
Some companies assume that a statutory audit covers everything. However, internal audit is continuous and focuses on risk management, controls, and process improvement, making it fundamentally different.
4. Delaying Appointment of Internal Auditor
Companies sometimes wait until the financial year-end or after crossing thresholds. This delay can lead to compliance gaps and potential penalties.
5. Appointing the Same Auditor for Internal and Statutory Audit
Independence is critical. Assigning the same person for both roles violates governance principles and weakens audit effectiveness.
6. Treating Internal Audit as a One-Time Activity
Internal audit is not a one-time exercise. Businesses that conduct it only occasionally miss out on continuous monitoring and early risk detection.
7. Not Defining Audit Scope Clearly
Without a clear scope, internal audits become ineffective. Companies often fail to identify key risk areas like procurement, revenue cycles, or compliance functions.
8. Ignoring Documentation and Follow-Ups
Even when audits are conducted, some businesses fail to properly document findings or implement corrective actions, thereby reducing the value of the audit process.
Final Thoughts on the Internal Audit Applicability for Your Business
If your business meets any of the conditions we discussed, the internal audit applicability isn’t optional; it’s the law. But even if it’s not mandatory, an internal audit offers real value. It gives you better oversight, improved financial control, and peace of mind.
Not sure if your company falls under the internal audit limits? Firms like ours can guide you through the rules and help you stay compliant, without making things complicated.
FAQs Related To Internal Audit Applicability
What is the turnover limit for internal audit applicability?
The turnover threshold is ₹200 crore for certain private and unlisted public companies.
Does the borrowing amount affect internal audit applicability?
Yes, it does. If your turnover is below the limit, internal audit may still become compulsory if your company’s borrowings cross ₹100 crore.
How often can internal audits be conducted?
There are no rules for this. Most firms perform internal audits on a quarterly, semi-annual or operational risk basis.
What if a corporation ignores internal audit applicability?
The company may face penalties, compliance issues, and governance risks under the Companies Act
Get Expert Help with Internal Audit Compliance
Discover more from MSNA & Associates LLP
Subscribe to get the latest posts sent to your email.
Pingback: How Internal Audit Is Conducted? Founder's Go-To Checklist
Pingback: 7 Essential Internal Controls for Manufacturing Companies in India
Pingback: Internal Audit for IT Firms: Essential Guidelines for Better Compliance - MSNA & Associates LLP
Pingback: AI and Auditing: Smarter Risk Detection with Human Oversight - MSNA & Associates LLP