Scope of Internal Audit in India: What UK Businesses Need to Know

Introduction: Why UK Businesses Need to Understand India's Internal Audit Framework

UK businesses entering India often assume internal audit operates on familiar principles, similar to the voluntary "comply or explain" framework they know from the UK Corporate Governance Code. However, India's framework is fundamentally different: internal audit is a statutory requirement under Section 138 of the Companies Act 2013, with mandatory financial thresholds and civil penalties for non-compliance.

This distinction matters. While UK finance directors treat internal audit as a discretionary governance improvement for private companies, in India it becomes a legal obligation the moment your subsidiary crosses specific turnover or borrowing thresholds.

With UK outward FDI stock in India reaching £19.1 billion at end-2024 and approximately 8,800 UK businesses exporting to India, a growing number of UK-owned Indian entities will face these requirements as they scale.

This article covers the scope, applicability, and compliance obligations of internal audit in India for UK-owned Indian subsidiaries — including which companies are caught by the law, what areas get audited, and what non-compliance costs.

TLDR

  • Internal audit is mandatory under Section 138 of the Companies Act 2013, not optional governance
  • Private Limited Companies (most common UK subsidiary structure) must conduct internal audits if turnover reaches ₹200 crore or borrowings exceed ₹100 crore
  • Scope covers procurement, financial controls, compliance, IT, and risk management — defined by the Board or Audit Committee
  • This is a statutory legal requirement, not merely a governance best practice
  • Non-compliance carries penalties up to ₹2 lakh for the company and ₹50,000 per officer under Section 450

What Is Internal Audit Under Indian Law?

Internal audit in India is a formal, independent review of a company's internal systems, financial controls, compliance processes, and operational risks. It's defined under Section 138 of the Companies Act 2013 and Rule 13 of the Companies (Accounts) Rules 2014. Section 138(1) uses the phrase "shall be required," establishing this as a mandatory legal obligation for qualifying companies — not a voluntary governance practice.

Internal Audit vs. Statutory Audit

These are distinct functions:

  • Statutory audit certifies financial statements for regulatory purposes, conducted annually by an external auditor appointed at the AGM
  • Internal audit is a continuous operational assurance function focused on risk management, process efficiency, and internal controls — reported to the Board or Audit Committee

Section 144(b) explicitly prohibits the statutory auditor from also conducting internal audit for the same company. UK groups accustomed to bundling audit services must engage separate firms for their Indian subsidiaries.

Governing Bodies and Standards

India's internal audit profession operates under two institutional frameworks:

  • ICAI (Institute of Chartered Accountants of India): Issues Standards on Internal Audit (SIA) through its Internal Audit Standards Board, plus industry-specific guides covering sectors such as hotels, BPO, and stockbrokers. ICAI standards carry direct regulatory weight for CA practitioners in India.
  • IIA India (Institute of Internal Auditors India): Promotes the Certified Internal Auditor (CIA) qualification and follows the IIA's International Professional Practices Framework (IPPF) and Global Internal Audit Standards — frameworks that align with what UK audit committees typically follow.

This dual structure means your Indian subsidiary's internal audit function may draw on both frameworks depending on the auditor's professional background.

Is Internal Audit Mandatory for Your Indian Entity? Thresholds UK Businesses Must Know

Mandatory internal audit applicability depends on your entity's legal structure and whether it crosses specific financial thresholds in the preceding financial year. Even one qualifying criterion triggers the requirement.

Private Limited Companies (Most Common UK Subsidiary Structure)

Most UK companies establishing an Indian presence use a Private Limited Company structure. Internal audit becomes mandatory if either threshold is met:

Trigger | Threshold | Measurement
-----------|----------------------|----------------------------------
Turnover | ₹200 crore or more | Preceding financial year
Borrowings | Exceeding ₹100 crore | At any point during preceding FY

The borrowings threshold uses "at any point of time" language. If your UK parent routes ₹105 crore through an Indian bank facility to fund initial operations — even temporarily — you trigger the mandate regardless of turnover level.

Unlisted Public Companies

Unlisted public companies face four alternative triggers. Meeting any one makes internal audit mandatory:

  • Paid-up share capital of ₹50 crore or more
  • Turnover of ₹200 crore or more
  • Outstanding loans/borrowings exceeding ₹100 crore
  • Outstanding deposits of ₹25 crore or more

The lower deposits threshold (₹25 crore vs. ₹100 crore for borrowings) reflects stricter regulatory oversight of public deposits.

Listed Companies and LLPs

Listed companies: All listed companies must appoint an internal auditor — no threshold, no exceptions.

LLPs: Limited Liability Partnerships are governed by the LLP Act 2008, which contains no mandatory internal audit provision. LLPs conducting statutory audits under Rule 24 are still exempt from internal audit requirements under the Companies Act.

An LLP structure avoids Section 138 entirely — though it brings its own trade-offs, including restrictions on foreign investment and profit distribution flexibility worth evaluating before incorporation.

Penalties for Non-Compliance

Section 450 (amended 2020) imposes administrative penalties for non-compliance:

  • Base penalty: ₹10,000 for the company and each officer in default
  • Continuing default: ₹1,000 per day
  • Maximum cap: ₹2,00,000 for the company, ₹50,000 per officer

Post-2020, these are administrative penalties enforced through the In-House Adjudication Mechanism under Section 454, not criminal fines requiring court proceedings. They apply per officer and accumulate daily — a three-director subsidiary running a 60-day default could face ₹1,80,000 in officer penalties alone, before the company-level cap is applied.

The Scope of Internal Audit in India: What Gets Examined

Unlike the UK — where internal audit scope is shaped purely by board-level risk appetite — India's Rule 13(2) establishes a formal governance mechanism:

"The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity and methodology."

Key Implications

  • Frequency is not legally prescribed — companies set their own cadence (quarterly, half-yearly, or otherwise) based on size and complexity
  • Scope is decided at entity level, allowing each organisation to tailor coverage to its specific risk profile
  • The internal auditor must be consulted — the Board cannot unilaterally impose scope without that input

Typical Functional Areas Covered

Order-to-Cash (Revenue Cycle):

  • Revenue recognition processes
  • Customer credit management
  • Collections and receivables reconciliation

Procure-to-Pay:

  • Vendor selection and onboarding
  • Purchase order controls
  • Payment authorisation and processing

Fixed Assets Management:

  • Asset capitalisation and depreciation
  • Physical verification procedures
  • Disposal controls

Book Closure and Financial Reporting:

  • Month-end/quarter-end close processes
  • Journal entry controls
  • Management reporting accuracy

Statutory Compliance Reviews:

  • GST return filing and reconciliation
  • TDS compliance and deposits
  • Labour law adherence

Treasury and Banking:

  • Cash management controls
  • Bank reconciliation procedures
  • Foreign exchange exposure management

Inventory Management:

  • Stock verification and valuation
  • Warehouse controls
  • Obsolescence reviews

These seven areas form the standard foundation. For UK-owned entities, however, one further area consistently appears in scope.

Transfer Pricing and Inter-Company Transactions

For UK-owned entities, transfer pricing compliance is a critical additional area.

While not explicitly mandated within internal audit scope, India's transfer pricing regulations under the Income Tax Act require international transactions between associated enterprises to be conducted at arm's length. Internal audit provides ongoing monitoring between statutory audit cycles.

VJM Global routinely includes transfer pricing reviews in internal audit engagements for UK subsidiaries, covering benchmarking studies, documentation compliance, and risk assessments to ensure intra-group transactions meet regulatory requirements.

IT and Information Technology General Controls (ITGC)

ICAI's Digital Accounting and Assurance Board issued an Exposure Draft of Information Systems Audit Standards (ISAS) in December 2025, establishing requirements for auditing IT controls. This is particularly relevant for UK businesses operating in tech, fintech, or e-commerce.

ITGC assessments typically cover:

  • Data integrity and backup procedures
  • System access controls and user permissions
  • Cybersecurity governance
  • Change management protocols
  • Business continuity planning

Once finalised, ISAS will be mandatory for ICAI members conducting IS audit engagements.

Risk-Based Audit Approach

ICAI's Technical Guide on Risk-Based Internal Audit (second edition, March 2026) sets the current standard: auditors prioritise high-risk areas identified through structured risk assessment, rather than applying uniform checklists.

This approach directly aligns with IIA Global Standards and the IPPF framework — the same methodological foundation used across UK internal audit practice. The practical implication for UK finance teams: the audit logic will feel familiar, even if the statutory trigger and local compliance areas do not.

Types of Internal Audit UK Businesses Should Know

Four Primary Types

Financial Audit: Reviews accuracy of financial records, accounting controls, and compliance with accounting standards. Ensures transactions are properly recorded and financial statements are reliable.

Operational/Process Audit: Examines efficiency of business processes and workflows. Identifies bottlenecks, redundancies, and opportunities for automation or improvement.

Compliance Audit: Assesses adherence to Indian laws including GST, Companies Act provisions, labour regulations, and industry-specific requirements. For UK subsidiaries, this is especially critical given India's complex tax and regulatory landscape.

IT Audit: Evaluates security and integrity of technology systems, including ITGC, data protection, and system reliability.

Risk-Based Internal Audit (RBIA)

RBIA is the most widely adopted approach in India today — and the one UK audit committees will find most familiar. Instead of auditing every function, auditors:

  1. Assess the organisation's risk universe
  2. Prioritise audit effort on high-risk areas
  3. Provide forward-looking insights for governance strengthening
  4. Focus on risk management effectiveness

The methodology follows IIA global standards, and its emphasis on root cause analysis means audit outputs focus on system improvement — not just transaction-level findings. VJM Global applies RBIA across Indian subsidiary engagements, structuring reports in a format that integrates with group-level governance requirements.

Integrated Audits

Some Indian companies conduct Integrated Audits that combine financial, operational, and IT audit elements in a single engagement. For UK multinational groups, this format is often the most practical — it delivers holistic assurance over the Indian subsidiary while producing outputs that map directly to group-level reporting requirements.

How Indian Internal Audit Differs from UK Expectations

Dimension | India | UK
----------|-------|----
Legal basis | Companies Act 2013 (statute) | Corporate Governance Code (principles)
Applicability | Private and public companies meeting thresholds | Premium listed companies only
Private companies | Covered if turnover ≥ ₹200cr or borrowings > ₹100cr | Not covered; voluntary guidance
Enforcement | Administrative penalty (Section 450/454) | Disclosure-based ("comply or explain")
Auditor qualification | CA, Cost Accountant, or Board-approved professional | No statutory requirement
Statutory auditor bar | Explicit prohibition (Section 144) | Ethical Standards for listed; no statute for private

Fundamental Structural Difference

In the UK, internal audit is largely principles-based, driven by the Corporate Governance Code and IIA standards without prescriptive legal thresholds for most private companies. India makes it a statutory requirement with specific mandatory thresholds — meaning non-compliance carries legal, not just governance, consequences.

The UK Corporate Governance Code 2024 addresses internal audit under Provisions 25 and 26, requiring audit committees to monitor effectiveness or explain annually why no function exists. This applies only to premium listed companies. India's framework captures private companies above specified financial thresholds through primary legislation.

Auditor Qualifications

India's internal auditor must be an ICAI-qualified Chartered Accountant, a Cost Accountant, or a professional approved by the Board. UK internal auditors typically hold CIA, ACCA, or CIMA qualifications with no statutory mandate.

Section 144(b) also requires the statutory auditor and internal auditor to be separate individuals or firms. UK finance teams structuring their Indian audit function need to account for this separation explicitly.

Reporting Lines

Both jurisdictions direct internal audit reports to the Board of Directors or Audit Committee (not to shareholders or external regulators). UK parent companies should ensure their Indian subsidiary's audit findings are escalated appropriately to group-level governance structures.

Internal Financial Controls (IFC)

IFC obligations under the Companies Act operate on two tracks:

  • Section 134(5): Directors of all companies must confirm that Internal Financial Controls are adequate and operating effectively — no size exemption applies.
  • Section 143(3)(i): The statutory auditor must report on IFC adequacy for companies above specific thresholds (turnover above ₹50 crore or borrowings above ₹25 crore for private companies).

IFC and internal audit are distinct legal requirements, but internal audit provides the ongoing assurance that supports the annual IFC declarations directors must sign off on. For UK parent companies, this means the internal audit calendar and the directors' sign-off cycle need to be coordinated — gaps between the two create compliance exposure.

Appointing an Internal Auditor for Your Indian Subsidiary

Appointment Process

The Board must pass a resolution appointing the internal auditor, with prior approval from the Audit Committee (if one exists). A formal appointment letter specifying scope, period, and fees must be issued.

Independence requirement: The appointed auditor cannot be the same person conducting the statutory audit — Section 144 makes this a legal requirement.

In-House vs. Outsourced

While companies may appoint an employee as internal auditor, many UK-owned subsidiaries opt for external firms given:

  • Specialist knowledge of India's regulatory landscape and compliance requirements
  • Reduced risk of internal bias, since employees may be reluctant to flag issues upward
  • Reporting alignment needed between the Indian subsidiary and the UK parent's audit committee

VJM Global has supported over 250 UK businesses across sectors including financial services, technology, and manufacturing. Their internal audit engagements cover both financial transactions and operational controls, using root cause analysis to identify process gaps and reduce error recurrence — a practical fit for UK parent companies managing subsidiary oversight from a distance.

Practical Due Diligence When Appointing

Before finalising an appointment, UK finance teams should work through a short checklist:

  • ICAI registration: Verify the auditor or firm holds current ICAI membership — this is a regulatory prerequisite.
  • Sector track record: Prioritise firms with direct experience in your subsidiary's industry (fintech, manufacturing, professional services).
  • Statutory separation: Confirm the internal auditor is distinct from whoever conducts your statutory audit.
  • UK reporting alignment: Agree upfront on report formats, escalation thresholds, and how findings will reach your UK audit committee or CFO.

Once appointed, a structured onboarding process keeps the engagement on track. VJM Global's approach, for example, moves through:

  • Initial consultation to map client needs and subsidiary structure
  • Scope definition aligned to regulatory and parent-company requirements
  • Dedicated team allocation with clear ownership
  • Reporting with follow-up reviews to confirm recommendations are acted on

Frequently Asked Questions

What is the scope of work for internal audit in India?

The Board or Audit Committee defines the scope in consultation with the internal auditor. It typically covers financial controls, procurement, GST/TDS compliance, fixed assets, IT controls, inventory, and risk management, scaled to the company's size and risk profile.

Is internal audit mandatory in India?

Yes, under Section 138 of the Companies Act 2013. It's mandatory for all listed companies, unlisted public companies meeting any one of four financial thresholds (capital ≥ ₹50cr, turnover ≥ ₹200cr, borrowings > ₹100cr, deposits ≥ ₹25cr), and private companies with turnover ≥ ₹200 crore or borrowings exceeding ₹100 crore.

What are the 4 types of internal audit?

The four main types are Financial Audit (records accuracy), Operational Audit (workflow efficiency), Compliance Audit (regulatory adherence), and IT Audit (technology security). Risk-Based Internal Audit (RBIA) is the overarching methodology most firms apply across all four.

What are the penalties for not complying with internal audit requirements in India?

Under Section 450 of the Companies Act, penalties start at ₹10,000, with a continuing fine of ₹1,000 per day — capped at ₹2,00,000 for the company and ₹50,000 per officer. These are administrative penalties enforced through the In-House Adjudication Mechanism, not criminal proceedings.

Can a UK parent company use its own auditor for its Indian subsidiary's internal audit?

No. The internal auditor must be an ICAI-qualified Chartered Accountant, Cost Accountant, or Board-approved professional operating in India. UK-based auditors cannot fulfil this role directly, though UK parent companies can appoint an Indian affiliate or co-sourced partner that reports back to the group audit function.

How does Indian internal audit differ from UK internal audit requirements?

India's internal audit is a statutory requirement under company law with defined thresholds and penalties, including private companies above specified limits. The UK's framework is principles-based and governance-driven, applying only to premium listed companies — making India's rules considerably more prescriptive.