Internal Audit Applicability in India: Rules, Thresholds, and Business Impact Explained

Many businesses still see internal audit as a compliance formality. The audit gets completed, reports are filed, and the process ends there. But internal audit applicability is not just about meeting a legal requirement under the Companies Act, 2013. It also affects how your company identifies risks, monitors controls, and handles operational gaps before they become larger problems.

A delayed approval, repeated policy exception, or unresolved audit finding can point to deeper control issues inside the business. That is one reason why internal audit is required even in companies that already have external audits in place. Understanding internal audit applicability helps you determine whether your business falls under the prescribed thresholds and what responsibilities come with it.

Internal Audit Meaning and Its Role in Modern Businesses

Internal audit means reviewing your company’s financial, operational, and compliance processes to identify gaps and control failures. It helps you assess whether your policies work in actual business operations or only exist in documentation.

Many businesses conduct audits only to satisfy compliance requirements. That approach often misses deeper issues. A repeated approval bypass, delayed reconciliation, or unresolved vendor discrepancy can continue for months without proper internal review.

This is why internal audit is required in growing businesses. It helps you identify risks early and improve accountability across departments.

A typical internal audit reviews:

• Financial controls and reporting processes

• Compliance with internal policies and regulations

• Procurement and vendor management workflows

• Approval hierarchies and access controls

• Operational gaps and recurring exceptions

• Fraud risks and control weaknesses

Internal audit meaning has changed over time. Companies now use internal audits to monitor operational discipline, track unresolved findings, and improve governance visibility across the organization.

What Is Internal Audit Applicability Under the Companies Act, 2013?

Internal audit applicability in India is governed by Section 138 of the Companies Act, 2013 and Rule 13 of the Companies (Accounts) Rules, 2014. These provisions define which companies must appoint an internal auditor and conduct internal audits based on specific financial thresholds.

Many businesses assume audit is mandatory for all the companies. That is not entirely accurate in the context of internal audits. Internal audit applicability depends on factors such as turnover, borrowings, paid-up share capital, and outstanding deposits.

The law applies differently across company types:

For example, a private company may fall under internal audit requirements if it crosses the prescribed turnover or borrowing limits during a financial year. These internal audit limits help regulators identify companies with higher operational and financial exposure.

You should not treat internal audit applicability as a one-time compliance check. As your business grows, your reporting structure, operational complexity, and financial risks also change. A company that was outside the threshold two years ago may now fall under mandatory internal audit requirements.

Internal Audit Applicability for Private Companies

Internal audit applicability for private companies depends on financial thresholds defined under the Companies Act, 2013. If your company crosses specific borrowing or turnover limits, you must appoint an internal auditor and conduct periodic internal audits.

Turnover and Borrowing Thresholds

A private company falls under internal audit requirement if it has:

• Turnover of ₹200 crore or more during the previous financial year

• Outstanding loans or borrowings from banks or public financial institutions exceeding ₹100 crore at any point during the financial year

These internal audit limits apply even if your company is not publicly listed.

Is Audit Mandatory for All Private Companies?

Many businesses assume audit is mandatory for all the companies. That statement only applies partly to statutory audits. Every registered company must conduct a statutory audit, but internal audit applicability applies only when prescribed thresholds are crossed.

Internal Audit vs Statutory Audit

A statutory audit focuses on financial statement accuracy and regulatory reporting. An internal audit reviews controls, processes, approvals, and operational risks inside your business.

This difference matters as companies grow. A statutory audit tells you whether financial records are correct. An internal audit helps you identify where operational failures, weak controls, or recurring process gaps may exist before they affect the business.

Why Internal Audit Is Required Beyond Compliance

Many companies approach internal audits only as a legal requirement. The audit gets completed, findings get documented, and the report gets archived until the next cycle. That approach creates gaps your business may not notice immediately.

This is one reason why internal audit is required beyond compliance.

An internal audit helps you identify control failures before they turn into financial, operational, or regulatory issues. It reviews whether approvals work correctly, whether vendor payments follow defined processes, and whether employees bypass controls during daily operations.

A strong internal audit function also improves visibility across your business. It helps you monitor:

• Fraud risks and unusual transactions

• Vendor and procurement irregularities

• Delayed reconciliations and unresolved exceptions

• Policy violations and access control issues

• ERP audit trails and approval workflows

• Recurring findings that remain unresolved across audit cycles

Many organizations face a larger problem called compliance theatre. Policies exist on paper, but teams do not follow them consistently. Controls become fragmented across departments, and audits turn reactive instead of preventive.

Internal audit applicability should not be viewed only as a threshold-based obligation. As your operations grow, your internal audit requirement also becomes a governance and accountability requirement.

Audit Committee Applicability and Its Connection With Internal Audit

Audit committee applicability under the Companies Act, 2013 applies to specific classes of companies, particularly listed companies and certain public companies that meet prescribed thresholds. The audit committee oversees financial reporting, internal controls, risk management, and audit functions within the organization.

What Does an Audit Committee Do?

An audit committee reviews audit observations, monitors financial reporting processes, and tracks whether management addresses identified risks and control gaps.

How Internal Audit Supports the Audit Committee

Internal audit teams provide the audit committee with visibility into operational risks, compliance failures, unresolved findings, and process weaknesses across departments. Without regular internal audits, audit committees often rely only on periodic financial reporting.

Why Remediation Tracking Matters

Many companies document audit findings but fail to track corrective actions consistently. This creates recurring audit observations across multiple audit cycles. Mature governance depends on timely escalation, accountability, and remediation tracking, not just audit reports.

Internal audit applicability and audit committee applicability often work together as part of a broader governance structure focused on risk visibility and operational accountability.

Cost Audit Applicability vs Internal Audit Applicability

Many businesses confuse cost audit applicability with internal audit applicability because both involve audit processes under the Companies Act. However, their purpose, scope, and applicability are different.

Internal audit focuses on risk management, controls, compliance, and operational processes. Cost audit focuses on verifying cost records, cost accounting practices, and production-related expenses in specific industries.

Key Difference Between the Two

Where Cost Audit Applies

Cost audit applicability usually covers sectors such as:

• Manufacturing

• Pharmaceuticals

• Telecommunications

• Electricity and power

• Steel and cement

• Engineering and infrastructure

Why Businesses Often Confuse Them

Both audits involve compliance and reporting requirements, which leads many companies to treat them as the same process. But the objectives are different. A company audit under internal audit applicability reviews operational risks and internal controls. A cost audit reviews whether cost records accurately reflect production and operational expenses.

Common Mistakes Companies Make With Internal Audit Requirements

Many businesses meet internal audit requirements on paper but fail to use audits as an operational review mechanism. This creates recurring control gaps that continue across multiple audit cycles.

Treating Internal Audit as Yearly Paperwork

Some companies conduct audits only to satisfy internal audit applicability requirements. The audit gets completed once a year, reports are submitted, and findings receive little attention afterward.

Repeating the Same Findings

Repeated audit observations usually point to weak remediation processes. If the same issue appears every year, the problem is no longer the audit finding. The problem is lack of accountability.

Relying on Manual Evidence Collection

Manual tracking through emails, spreadsheets, and scattered documents slows down audits and increases the risk of missing records or inconsistent reporting.

Weak Follow-Through on Corrective Actions

Many organizations identify issues but fail to assign ownership or track remediation timelines. Without proper follow-through, internal audit requirements become a documentation exercise instead of a governance process.

Internal audit applicability should help businesses improve visibility into operational risks, not just maintain compliance records.

How Businesses Can Build a More Effective Internal Audit Function

Meeting internal audit applicability requirements is only the starting point. As operations grow, businesses need stronger visibility into controls, approvals, and unresolved risks across departments.

Move From Periodic Audits to Continuous Monitoring

Yearly audits often identify issues too late. Continuous monitoring helps you track exceptions, policy violations, and control gaps throughout the year instead of after the damage is done.

Use Integrated GRC Systems

Many companies still manage audits through spreadsheets, emails, and disconnected documents. Integrated GRC platforms help centralize audit workflows, evidence collection, and reporting in one system.

Improve Visibility Through Automation

Audit automation helps reduce manual tracking and repetitive follow-ups. It also improves consistency across audits and reduces dependency on scattered records.

Track Remediation and Accountability

A company audit becomes more effective when findings are linked to action owners, deadlines, and remediation tracking. Without accountability, unresolved findings often repeat across multiple audit cycles.

Conclusion

Internal audit applicability is not only about crossing a financial threshold under the Companies Act, 2013. It also reflects how prepared your business is to manage operational risks, monitor controls, and maintain accountability across teams.

Many companies meet the internal audit requirement but fail to act on recurring findings, weak controls, or unresolved process gaps. That reduces audits to a compliance exercise instead of a governance function.

Understanding why internal audit is required helps you look beyond regulatory obligations. Businesses that use internal audits effectively gain better visibility into operations, stronger control oversight, and clearer ownership of risks and corrective actions. Compliance may initiate the audit process, but long-term value depends on how consistently your business acts on audit insights.