Chintan Mehuriya (Left) & Jaya Sharma-Singhania (Right)



The term audit is derived from the Latin term ‘audire’ which means to hear. In early days an auditor used to listen to the accounts read over by an accountant in order to check them.

Auditing is as old as accounting. It was in use in all ancient countries such as Mesopotamia, Greece, Egypt, Rome, U.K. and India. The Vedas contain reference to accounts and auditing. The Arthashastra by Kautilya detailed rules for accounting and auditing of public finances.

The original objective of auditing was to detect and prevent errors and frauds.

Auditing evolved and grew rapidly after the industrial revolution in the 18th century. With the growth of joint stock companies, ownership and management became separate. The shareholders, who were the owners, needed a report from an independent expert on the accounts of the company managed by the board of directors, who were the employees. The objective of audit shifted, and audit was expected to ascertain whether the accounts were true and fair rather than to detect errors and frauds.

In India the Companies Act 1913 made audit of company accounts compulsory.

With the increase in the size of the companies and the volume of transactions the main objective of audit shifted to ascertaining whether the accounts were true and fair rather than true and correct. Hence the emphasis was not on arithmetical accuracy but on a fair representation of the financial efforts.

The Companies Act, 1913 also prescribed for the first time the qualification of auditors.

The International Accounting Standards Committee and the Accounting Standards Board of the Institute of Chartered Accountants of India have developed standard accounting and auditing practices to guide accountants and auditors in their day-to-day work.

The later developments in auditing pertain to the use of computers in accounting and auditing.

In conclusion it can be said that auditing has come a long way from hearing of accounts to taking the help of computers to examine computerized accounts.


With the implementation of Companies Act, 2013, the Ministry of Corporate Affairs has notified the provisions of Internal Audit of Companies. Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity’s strategic risk management and internal control system.



> Companies Act, 2013:

According to section 138 of Companies Act — (1) Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall either be a chartered accountant or a cost accountant, or such other professional as may be decided by the Board to conduct internal audit of the functions and activities of the company. (2) The Central Government may, by rules, prescribe the manner and the intervals in which the internal audit shall be conducted and reported to the Board.

According to Section 138 of the Act, Internal auditor shall be either:-

  • Chartered Accountant (every registered member of ICAI) or firm of CAs or
  • Cost Accountant (member of the Institute of Cost & Works Accountants of India) or
  • Company Secretary (member of ICSI) or,
  • Other professionals who are employees of the company.

The internal auditor can be appointed by the board of the company. A Private Limited Company cannot be appointed as internal auditor.

> Companies (Auditor’s Report) Order, 2003:

The Central Government, in terms of the power vested under Section 227(4A) of the Companies Act, 1956 had notified the Companies (Auditor’s Report) Order, 2003. Clause (vii) of the said 2003 order requires the auditor to report as follows: “whether in case of listed companies and/ or other companies having paid-up capital and reserves exceeding Rs. 50 lakhs as at the commencement of the financial year concerned, or having an average annual turnover exceeding five Crore rupees for a period of three consecutive financial years immediately preceding the financial year concerned, whether the company has an internal audit system commensurate with its size and nature of its business.”

Though the clause does not by itself mandate internal audit in the subjected companies, yet a company to which the same is applicable, would incur a negative remark from the auditor if it does not have an internal audit system.


Thus, it is amply evident from the above that the management, especially the functional management as well as the Audit Committee needs extensive support from the internal audit function to give it the primary assurance about controls and compliances before giving the required reports/ certificates or to appropriately review the necessary aspects and make informed decisions.


Internal Vs. External Audit

Internal audit considers whether business practices are helping the business manage its risks and meet its strategic objectives – it can cover operational as well as financial matters. External audit considers whether the annual accounts give a ‘true and fair view’ and are prepared in accordance with legal requirements.
Internal auditors can be employed by the business or outsourced. While an accounting background is common, they can also come from other backgrounds. External auditors are an outside firm of accountants who are ‘Registered Auditors’ (not all accountancy firms are).
The internal audit agenda is set internally in the light of the business’s risks and objectives. The external audit firm will set its own program of work based on its assessment of the risks of the accounts being materially misstated.
Internal auditors report internally. Relevant managers will usually receive copies of reports, as there will be recommendations, discussed with them beforehand, that they will need to act on. Ultimately internal auditors report to the audit committee (if there is one) or the Board, so there is high level oversight. External auditors report primarily to the shareholders, or to the trustees for an unincorporated charity.
Internal auditors provide a tailored report about how the risks and objectives (of the business area being audited) are being managed. There is a focus on helping the business move forward – so expect there to be recommendations for improvement. External auditors’ main report is in a format required by Auditing Standards and focuses on whether the accounts give a true and fair view and comply with legal requirements.  If other things come to light which the auditors think should be brought to the client’s attention they will be reported separately to the directors in a ‘management letter’.
The internal audit follow up will be agreed on a case by case basis. It can include looking to see whether recommendations have been implemented and/or consultative help to guide the implementation of recommendations. There is no external audit follow up, until the planning stage of the next year’s audit; when past issues should be considered.
In the UK private or charity sectors internal auditors’ reports are not published publicly. The main external auditors’ report will be publicly available. ‘Management letters’ are not publicly available.
Internal audit is discretionary. In the case of external audit legal requirements vary; although the trend has been towards more organizations being exempted from audit. However stakeholders such as the bank or investors may require you to have your accounts audited.




Professional Standards:

• Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing (SPPIA)

• AICPA Generally Accepted Auditing Standards (GAAS)

• ISACA Standards

• IIA Code of Ethics

• Certified Internal Auditor (CIA)

• Certified Information Systems Auditor (CISA)

Primarily evident in the Federal Sentencing Guidelines and the OIG Compliance Program Guidance. Additionally, guidance is evident relative to:


• Stark

• Others like JCAHO, state, etc…

• HCCA Code of Ethics

• HCCA Compliance Certification Program

• Health Ethics Trust and related certification

High Level Focus: Corporate Governance, Risk and Control: IIA Definition – “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Corporate Governance, Ethics and Risk from a Regulatory Compliance Perspective.

Preserving corporate integrity and adherence to a code of organization ethics.

Primary focus from a risk standpoint: Driven by audit planning, which is based upon an organization-wide risk assessment. Driven by federal and state fraud and abuse investigative agendas, to include Stark, AKS, Intermediate Sanctions, and HIPAA Investigations. Also, by the law, ethics and other regulatory requirements, with consideration of the OIG work plan.
Activity Focus: Audit/project based, periodic assurance based on concurrent or retrospective reviews. On-going monitoring and evaluation of the ethical culture and compliance with laws, regulations, policies and procedures. Also, ongoing training related to the above.
Relationship to Management: Independent with no operational responsibilities.

Does not own policies.

Consults on policy and other matters related to governance risk and control. Management is responsible for implementing internal controls.

Independent but with operational responsibility for administering the corporate compliance program. (i.e., owns the compliance program).

Individual with operational responsibilities may also be assigned responsibility for corporate compliance; if possible, best practice is for a compliance function to be independent of operational responsibilities.

May own policies (hotline, etc.). Consults on policy and other regulatory compliance matters. Management is responsible for ensuring compliance with laws, rules and regulations.



Expertise: Primarily with internal controls. Primarily in regulatory matters.
Impact on Internal Audit plan: Creates and executes. Provides advice and consultation. Provides input on the types of compliance risk that should be considered in audits.


Internal audit is a key component in the assurance structure of an organization.

All assurance mechanisms are important; co–ordination of the various assurance activities will provide a holistic assurance environment. Internal audit features prominently in that assurance environment.

Internal Audit is a cornerstone of good corporate governance in organizations and can play an important role to improve management and accountability, both financial and non–financial. Internal audit can be a pivotal activity to provide assurance to the board of directors, the audit committee, and the chief executive officer, and stakeholders that the organization is governed effectively.


Internal audit is a part of the organization; reporting structures are put in place to make it independent from the mainstream organization.

The internal audit function is established by authority of the board of directors (corporate sector) or the head of the organization (public sector) and its responsibilities are defined in an internal audit charter which is approved by the audit committee.

Internal audit is authorized for:

  • Full, free, and unrestricted access to all records, data, personnel, and assets at the time they are relevant for performance of its work.
  • Free and unrestricted access to the chair of the audit committee.

Good practice reporting arrangements for internal audit are:

  • Functionally for operations to the audit committee through the chair.
  • Administratively to the chief executive officer.

Functional reporting generally involves the audit committee:

  • Reviewing and approving the internal audit charter.
  • Approving all decisions regarding performance evaluations, appointment, or removal of the chief audit executive.
  • Reviewing and approving the strategic internal audit plan, often for a 3–year period.
  • Reviewing and approving the annual internal audit plan.
  • Approving any changes to the annual internal audit plan.
  • Reviewing reports from internal audit on the results of internal audit engagements, audit–related activities, and other important matters.
  • Meeting privately with the chief audit executive at least once each year without the chief executive officer present.
  • Making inquiries of the chief audit executive to determine whether there are scope or budget limitations that impede the execution of internal audit responsibilities.



Internal auditing has historically been synonymous with the performance of financial audits, which seek to ensure an organization is using generally accepted accounting procedures (GAAP) to create and manage financial information through the review of financial statements. Businesses also recognize the need for other types of auditing that look beyond ledgers and balance sheets with respect to legal compliance, IT security, environmental, operational and performance oversight objectives:

Compliance Audits are used to evaluate an organization’s compliance with applicable laws, regulations, policies and procedures. Legal and policy requirements may be created by federal or state statute. An organization’s management or board of directors can also create compliance requirements internally.

Environmental Audits identify the impact of a company’s activities on the environment and determine whether the company is complying with environmental laws and regulations.

Information Technology Audits evaluate information management systems and computer databases to ensure that confidential customer information and proprietary intellectual property is secure. Information technology audits ensure that only authorized users are able to gain access to privileged information and that the information itself is accurate.

Performance Audits assess whether an organization is meeting the goals and objectives set forth by the board of directors. If the organization is not meeting its stated goals, the internal auditor will identify process shortfalls and make suggestions for improvement to the board of directors.

Operational Audits assess the overall efficiency and reliability of an organization’s control mechanisms. An essential component of operational auditing is the objective review of the way an organization allocates resources. If resources are not being used efficiently, the internal auditor will report these findings along with recommendations on how to reduce wasteful or inefficient resource allocation.




As defined by the Institute of Internal Auditors (IIA), “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Auditors’ roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization’s corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures.”


The internal auditor would often need to delegate work to assistants. The internal auditor should carefully direct, supervise and review the work delegated to assistants. Similarly, the internal auditor may also need to use the work performed by other auditors or experts. Though the internal auditor will be entitled to rely on the work performed by other auditors and experts, he should exercise adequate skill and care in ascertaining their competence and skills and also in evaluating, analyzing and using the results of the work performed by the experts. He must also look into the assumptions, if any, made by such other experts and obtain reasonable assurance that the work performed by other auditors and experts is adequate for his purposes.

He should be satisfied that he has no reasons to believe that he should not have relied on the work of the expert. The reliance placed on the work done by the assistants and/ or other auditors and experts notwithstanding, the internal auditor will continue to be responsible for forming his opinion on the areas/ processes being subject to internal audit or his findings.


Audit in simple words is the checking done in order to ensure whether the financial statements which are prepared by the company are correct or not. Auditing is compulsory for listed companies and it is done by the external auditor. However some companies also undertake internal audit which implies that company appoints some professional internal auditors to conduct audit of accounts as well as company’s systems and policies. Given below are some of the advantages and disadvantages of internal audit:-


Advantages:

1. The biggest advantage of internal audit is that it will lead to discovery of errors, and therefore when external audit is done those errors which were discovered during internal audit would have been rectified by then.

2. Internal audit reduces the chances of frauds, because top management cannot look after all things and many times top management is not competent enough to look into minute details of accounts, whereas internal audit is carried out by professionals who will be able to find out quickly where the loopholes are in the company’s accounts and policies.

3. As internal audit is a constant procedure where records are checked regularly it ensures that accounting staff of a company keep the records up to date and are always vigilant.


Disadvantages:

1. Internal audits are not foolproof in the sense that they cannot eliminate or catch all frauds, and therefore there is always some chance of frauds happening even after an internal audit is done.

2. Since internal audit is done by professionals who are outsiders, chances are they have little or zero attachment towards the company and hence they will do the work for money rather than for the betterment of the company.

3. Internal audit reports are not accepted by shareholders and are therefore only for management use. The company has to conduct an external audit irrespective of whether it has conducted an internal audit or not, so hiring internal auditors results in additional costs for the company.


The purpose, authority and responsibility of internal audit is defined in a charter that recognizes the professional standards and that is approved by the organization’s governing body and management.

Internal audit’s organizational independence and internal auditors’ objectivity are protected by direct reporting to the governing body.

Internal auditors undertake work only when they have the knowledge, skills and other competencies necessary. Professional qualifications and commitment to ongoing learning are essential.

The head of internal audit is responsible for creating an ongoing program of activities to ensure the quality of internal audit; to obtain periodic independent confirmation of its quality; and to strive to improve continuously.



  • Be courteous, cooperative, and professional. An angry auditor is not a friendly auditor who may be willing to negotiate possible findings should they arise.
  • Obtain a written notification of the audit or review. The notification letter should outline:

√ The audit scope;

√ The name of the auditor in charge;

√ Timing of the audit;

√ Requirements and expectations of the university.

  • Complete the External Auditor Registration Form and fax it to the Office of Internal Audit
  • Forward a copy of the notification letter to the Office of Internal Audit (attention of the Assistant Vice President or Associate Director)
  • Obtain an Information Request List outlining all of the documentation needed by the auditors complete with due dates
  • Attend the audit entrance meeting scheduled by Internal Audit
  • Ask questions about anything requiring clarification at the entrance meeting
  • Provide all of the documentation requested on the Information Request List on time (i.e., on or before the due date)
  • Be proactive. Notify the auditor of any request that cannot be met and the reason(s) therefor.
  • Some examples may include:

√ Other significant deadlines (e.g., year end closure, other reporting deadlines, student registration, etc.)

√ Staff shortages

√ Document no longer used or available (but provide a viable substitute)

√ System contingencies or restrictions for data (but discuss other viable alternatives)

If the auditor knows about any possible issues up front, they can deal with them more effectively as they proceed with the audit rather than reacting to them as they arise.

  • Assist the auditors with their specific requests. The longer it takes the auditors to complete their work, the longer they will be on campus.
  • Answer only the questions asked by the auditors.
  • Forward copies of all written communications received from the auditor to the Office of Internal Audit
  • Contact the Office of Internal Audit if any issues arise concerning the audit, the auditors, or possible findings as soon as they arise.
  • Be positive.


  • Don’t be rude. An angry auditor is not a friendly auditor who may be willing to negotiate possible findings should they arise.
  • Don’t spring any surprises on the auditor. Auditors don’t like surprises particularly if they have a potentially significant impact on the audit scope, potential findings, or the audit report.
  • Don’t provide any extraneous, unrequested information. If you are unsure about the information and how it may relate to the audit, but the auditor has not specifically requested it, consult with Internal Audit first and a decision will be made on how to proceed.


Ms. Jaya Sharma-Singhania

Mr. Chintan Mehuriya

(M/s. Jaya Sharma & Associates, Practicing Company Secretary, Mumbai)


The entire contents of this article have been prepared on the basis of relevant provisions and as per the information existing at the time of the preparation. Although care has been taken to ensure the accuracy, completeness and reliability of the information provided, I assume no responsibility therefor. Users of this information are expected to refer to the relevant existing provisions of applicable Laws. We assume no responsibility for the consequences of use of such information. In no event shall we be liable for any direct, indirect, special or incidental damage resulting from, arising out of or in connection with the use of the information. This is only a knowledge sharing initiative and the authors do not intend to solicit any business or profession.
