Companies Act Section 138

Companies Act Section 138- Internal Audit: Appointment, Scope, and Reporting Requirements

1. Requirement for Internal Audit and Applicability to Specific Classes of Companies

Under Section 138(1) of the Companies Act, 2013, certain specified classes of companies are legally required to appoint an internal auditor. The exact categories of companies that fall under this requirement are not stated directly in the Act itself but are prescribed separately by the Central Government through rules.

This means that not all companies are required to appoint an internal auditor only those falling within certain prescribed thresholds, such as companies having:

A specified turnover,

A specified paid-up capital,

Meeting certain loan, borrowing, or deposit thresholds, or

Operating within certain sectors or industries considered higher risk or more complex in nature.

2. Who Can Be Appointed as an Internal Auditor?

The company’s Board of Directors is responsible for appointing the internal auditor.

The individual or firm appointed as the internal auditor can be:

A Chartered Accountant (who may or may not be engaged in practice), or

A Cost Accountant (who may or may not be engaged in practice), or

Any other professional as decided by the Board, based on the company’s specific needs and the required skill set for internal audit.

This flexibility allows the Board to appoint professionals with expertise in areas relevant to the company’s operations, such as internal control systems, process reviews, risk management, and compliance monitoring.

3. Scope of Internal Audit - Functions and Activities Covered

The internal auditor’s primary responsibility is to conduct an internal audit of the functions and activities of the company.

This includes reviewing:

The internal financial controls implemented by the company.

The efficiency and effectiveness of operations, processes, and risk management frameworks.

Compliance with internal policies as well as external legal and regulatory requirements.

Identification of potential risks and providing recommendations to mitigate them.

Reviewing the adequacy and effectiveness of management information systems (MIS).

Assessing operational and strategic processes to identify inefficiencies, fraud risks, or areas requiring improvement.

Ensuring accuracy, timeliness, and reliability of financial and operational data being reported to the Board.

4. Frequency and Reporting of Internal Audit Findings

As per Section 138(2), the Central Government is empowered to prescribe rules that determine:

How the internal audit will be conducted.

The periodic intervals at which the internal audit should be conducted this could be quarterly, half-yearly, or annually depending on the size and nature of the company.

The format and content of the internal audit report.

The process for submitting and presenting the internal audit report to the Board of Directors.

Any further rules regarding how the Board should review and act upon the internal audit findings.

5. Purpose and Importance of Internal Audit

The purpose of having a dedicated internal auditor is to enhance corporate governance by:

Ensuring that the company’s internal controls are functioning effectively.

Providing independent and objective assurance to the Board regarding the adequacy and robustness of internal processes.

Helping companies proactively identify operational inefficiencies, control weaknesses, and compliance gaps before they escalate into larger issues.

Strengthening transparency and ensuring that risks are managed appropriately.

6. Board’s Responsibility Regarding Internal Audit Reports

Once the internal audit is completed and the internal audit report is submitted, the Board of Directors is expected to:

Review the findings in the internal audit report.

Take corrective action if any deficiencies, risks, or non-compliances are identified.

Monitor follow-up actions to ensure that all recommended improvements are properly implemented within a reasonable timeframe.