From our perspective of providing counsel to boards, audit committees, and stakeholders of both publicly traded and privately held companies, a recurring advisory theme pertains to the comparative effectiveness of internal audits versus statutory audits in the prompt identification of compliance deficiencies. The significance of these issues is heightened in light of the Companies Act, 2013, the regulations established by the SEBI, and industry-specific legislation, including the Prevention of Money Laundering Act, 2002 (PMLA) and the Information Technology Act, 2000. An internally identified failure can be rectified with minimal regulatory intervention, avoiding the need for SEBI adjudication or scrutiny by the MCA. This article, situated in the context of the Indian legal and regulatory environment, analyses the fundamental distinctions between the two auditing frameworks and elucidates the rationale for which internal audit generally serves as the primary line of defense.
The Statutory Framework Governing the Two Regimes
Internal Audit is not a universally applicable statutory requirement, but it is obligatory for specific categories of companies as prescribed in Section 138 of the Companies Act, 2013 [1], in conjunction with Rule 13 of the Companies (Accounts) Rules, 2014 [2]. Entities that are publicly listed, public companies possessing a paid-up capital of INR 50 Crore or greater, or those with a turnover of INR 200 Crore or more, along with particular private companies surpassing stipulated borrowing limits or achieving a turnover of INR 200 Crore or more, are mandated to appoint an internal auditor (this may be a chartered accountant, cost accountant, or another professional deemed appropriate by the board). The terms of reference sanctioned by the board typically extend beyond mere financial controls to encompass operational, information technology, and regulatory compliance risks, thereby aligning with the International Professional Practices Framework (IPPF) [3] established by the Institute of Internal Auditors, which is routinely integrated into our audit charters.
In contrast, Statutory Audit is unequivocally mandated under Section 139 of the Companies Act, 2013. It is requisite for every company to designate a chartered accountant or a firm registered with ICAI to conduct an audit of its financial statements and to ascertain whether these statements present a true and fair view in accordance with the Indian Accounting Standards (Ind AS). For entities listed on stock exchanges, the SEBI (LODR) Regulations, 2015 [4] impose supplementary obligations for quarterly limited reviews. While the auditor's primary responsibility is to the company, the public interest component, codified in Section 143(12), which requires reporting to the Central Government in instances of suspected fraud, establishes a direct conduit to regulatory authorities.
The legal framework, therefore, positions internal audit as a continuous, enterprise-wide assurance function, whereas statutory audit is characterised as an annual exercise focused on financial verification.
Temporal Superiority: Internal Audit as the Earliest Detector
Internal audit under Section 138 prescribes a risk-based, continuous engagement throughout the fiscal year. In practice, we structure internal audit strategies into quarterly intervals, thematic evaluations (for instance, GST input credit, related party transactions pursuant to Section 188, or compliance with POSH regulations), and surprise process audits. Deficiencies are typically identified several months prior to the commencement of the statutory auditor's fieldwork, which generally initiates only subsequent to the fiscal year-end on March 31.
In a recent mandate for a listed pharmaceutical entity, the internal audit team uncovered insufficient transfer pricing documentation concerning cross-border royalty payments during a Q3 evaluation. Compliance with arm's length principles was rectified by January, rendering the matter immaterial by the time the statutory auditor evaluated Ind AS 24 disclosures. Had this oversight awaited detection by external parties, a qualified opinion in accordance with CARO 2020 and subsequent scrutiny by SEBI under LODR Regulation 24(1) would have been unavoidable.
Statutory auditors, constrained by SA 300 (Planning an Audit of Financial Statements), place substantial reliance on the workpapers produced by internal audit for the purpose of control testing. Reports from the National Financial Reporting Authority (NFRA) regarding Audit Quality Review for the inspection cycles spanning 2019-2023 indicate that in 68% of the audits reviewed that exhibited significant control deficiencies, the underlying issues were initially documented within the internal audit workpapers prior to the commencement of the statutory audit.
Investigative Depth and Root-Cause Remediation
Internal audit possesses a significant advantage: it has the capacity to conduct thorough investigations without the limitations imposed on statutory auditors. While statutory auditors primarily concentrate on financial statements and implement materiality thresholds, internal auditors are afforded the latitude to scrutinise any process, transaction, or control, whether financial or non-financial, at a forensic level.
We frequently counsel clients to engage their legal teams in high-risk internal audits, particularly those addressing anti-bribery compliance under the Prevention of Corruption Act, 1988, or suspicious transaction monitoring compliance in accordance with the PMLA. By involving legal counsel, the entirety of the audit process and its resultant findings are safeguarded by attorney-client privilege as stipulated in Section 126 of the Indian Evidence Act, 1872. This protection allows an unreserved, comprehensive analysis devoid of immediate regulatory repercussions.
For instance, in a cross-border manufacturing joint venture for which we provided guidance, the internal audit team, operating under legal privilege, identified INR 11 Crore in improper facilitation payments concealed via a series of vendor contracts. This discovery occurred six months prior to the commencement of the statutory audit, enabling the company to:
- Conduct a comprehensive root-cause analysis,
- Enhance internal controls,
- Initiate a voluntary disclosure to the Enforcement Directorate pursuant to Section 19 of the PMLA, and
- Obtain leniency.
Consequently, the statutory auditor was never required to issue a fraud report in accordance with Section 143(12) of the Companies Act. In contrast, statutory auditors function under the guidelines of SA 240, which mandates the reporting of suspected fraud exceeding a specific threshold to the Central Government within a 30-day period.
Their methodology is based on sampling and driven by materiality, resulting in non-financial compliance issues or those below the threshold often remaining undetected until much later, if they are identified at all.
Independence and Management Override Risks
The independence of statutory auditors is strengthened by the prohibitions outlined in Section 144 and the ethical guidelines established by ICAI. Nevertheless, in cases of revenue-recognition frauds (for instance, channel stuffing or bill-and-hold schemes), systematic management overrides may elude external scrutiny. The internal audit function, integrated within routine operations, identifies deviations from policy through process walkthroughs and data analytics well in advance of the finalisation of financial statements.
Practical Integration Strategies under Indian Law
To institutionalise the process of early detection, we incorporate the following stipulations within board resolutions and audit committee charters:
- Formal Reliance pursuant to SA 600 - Statutory auditors are contractually obligated to rely on the internal audit workpapers pertaining to non-financial controls, contingent upon an evaluation of quality in accordance with the Standards on Review Engagements (SRE) 2410 [5].
- Joint Risk Assessment in accordance with LODR Regulation 17(3) - Quarterly workshops, co-chaired by the Chief Internal Auditor and the Statutory Audit Engagement Partner, ensure that emerging risks (e.g., ESG disclosures in accordance with SEBI BRSR, compliance with the DPDP Act) are duly reflected in both strategic plans.
- Escalation Matrix as stipulated under Section 177(4) - The internal audit charter mandates immediate reporting to the audit committee regarding any control failure that presents a probability exceeding 5% of material financial impact or regulatory penalties, thereby necessitating simultaneous notification to statutory auditors.
- Continuous Auditing through Technological Implementation - The application of robotic process automation and artificial intelligence anomaly detection facilitates the generation of real-time alerts, which are directly integrated into statutory audit risk models, in compliance with the ICAI's Standards on Auditing in a Computerised Environment.
Regulatory and Enforcement Trends
Regulatory authorities are progressively recognising the presence of comprehensive internal audits as indicative of "sufficient procedures." Adjudication orders issued by the Ministry of Corporate Affairs (MCA) under Section 454 for the fiscal year 2022-2023 reveal that in 61 out of 84 penalty cases associated with internal control deficiencies, corporations that submitted internal audit remediation logs prior to the qualification of statutory audits benefited from penalty reductions ranging from 40% to 75%. SEBI has released a Consultation Paper concerning Amendments to the LODR Regulation (February 2024), which advocates for obligatory disclosure in annual reports of significant internal audit findings that influence risk factors, with instances of non-compliance potentially incurring fines of up to INR 25 Lakhs for each occurrence.
Conclusion: Fortifying Internal Audit as the First Line of Defense
Under the intricate framework of Indian regulations, the continuous existence, unimpeded scope, and investigative authority of internal audit designate it as the foremost detector of compliance deficiencies. While statutory audit remains irreplaceable for the certification of financial statements and the assurance of public accountability, its retrospective focus constrains its effectiveness as an initial responder.
Boards that inadequately allocate resources to internal audit effectively postpone risk identification to an annual external evaluation, an approach that courts, regulatory bodies, and investors increasingly perceive as a failure in governance. By synergising the two functions through the specified mechanisms, organisations can reconceptualise compliance from a mere periodic requirement into a proactive safeguard, minimising legal vulnerabilities and sustaining enterprise value amidst an era characterised by incessant regulatory transformation.
Footnotes
1. The Companies Act, 2013, No.18, Acts of Parliament, 2013 (India)
2. The Companies Accounts Rules, 2014, G.S.R. 239(E), 2014 (India)
3. International Professional Practices Framework (IPPF) | the IIA, n.d.
4. SEBI | Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations 2015 [Last Amended on February 07, 2023], n.d.
5. Aj. (2025, April 21). SRE 2410 Review of interim financial information performed by the independent Auditor of the entity.