How to Do Internal Audit Step-by-Step 

Learn how to do internal audit step-by-step with this practical guide designed for CA students and finance professionals in India. This blog covers the complete internal audit process, including audit planning, risk assessment, Risk Control Matrix (RCM), walkthroughs, control testing, data analysis, and internal audit report preparation.
Understand real-world internal audit steps used in companies and Big 4 firms. If you’re searching for an internal audit checklist, internal audit examples, or how internal audit works in practice, this guide gives you complete clarity. Perfect for building strong audit concepts, improving practical knowledge, and preparing for audit roles, articleship, and finance careers.

13 April, 2026

If you're a CA student, a practicing chartered accountant, or a commerce professional, internal audit is one topic you cannot afford to ignore. Whether you're preparing for your ICAI exams, doing articleship, or working with a company's finance team, understanding how internal audit actually works on the ground is crucial.

What Is an Internal Audit, and Why Should You Care?

Let's start simple. An internal audit is basically a health check-up of a company done by someone inside (or appointed by) the organisation itself. Think of it like this: when you go to a doctor for a routine check-up, the doctor isn't waiting for you to fall sick. He's proactively checking blood pressure, sugar levels, and cholesterol to catch problems before they become serious. Internal audit works the same way for a business. It checks whether:

  • The company's processes are working as they should
  • Internal controls are strong enough to prevent fraud or errors
  • Rules, policies, and regulations are being followed
  • Resources (money, manpower, assets) are being used efficiently
In India, the Companies Act, 2013 under Section 138 mandates certain classes of companies to appoint an internal auditor. So as a CA or commerce professional, this is not just theory — it's a real-world responsibility you will likely encounter.

How to Do an Internal Audit: Step-by-Step Process

Step 1: Initial Preparation and Appointment
Everything starts with paperwork, and that's not a bad thing. Before any actual audit work begins, the board of the company must formally approve the appointment of the internal auditor. This gives the engagement its legal and official standing.
Once approved, both the auditor and the management sign an Engagement Letter, a document that spells out the terms of the audit: what's covered, the timeline, fees, and responsibilities on both sides. Think of it as a contract that keeps everyone on the same page.
If this is a new client, this is also when the senior partner or manager gives the audit team a basic briefing on the client: what business they're in, how they operate, and any known risk areas. You don't walk into a new company completely blind.

Step 2: Resource Planning
Now that the engagement is confirmed, it's time to plan the team. How many people are needed? Who will lead the fieldwork? Who reviews? Who is the manager and who is the partner on the engagement?
A kick-off meeting is held internally — the team, the manager, and the partner sit together. The partner sets the tone: here's the client, here's what we need to achieve, here's the timeline, and here are the key risks to watch out for.
As a CA articleship student, this is often the meeting where you first understand the full picture of an engagement before the real work begins.

Step 3: Defining the Audit Scope
What exactly are we looking at? This is one of the most important steps. You cannot audit everything, so you need to identify the critical areas that need the most attention. Common audit areas in Indian companies include:
  • Order to Cash (O2C) — from a customer placing an order to the company receiving payment
  • Procure to Pay (P2P) — from raising a purchase requisition to making vendor payment
  • Payroll Processing
  • Inventory Management
For example, if a manufacturing company in Gujarat has recently seen a rise in vendor complaints and delayed payments, the Procure to Pay process becomes an obvious priority area. Once the scope is drafted, it's shared with the client for their agreement. No surprises — the client knows exactly what's being audited. 

Step 4: Data Requests and Process Understanding

Once the scope is agreed upon, the audit team prepares an initial data request list: a list of documents, reports, and records the client needs to provide. This could include sales registers, purchase registers, vendor master lists, employee data, approval matrices, and so on.
More importantly, the team conducts process understanding sessions: meetings with the actual process owners. If you're auditing the Order to Cash process, you sit with the Sales Head or the Finance Manager and walk through the entire process from start to finish.
These sessions help you understand how things actually work, not just how they're supposed to work on paper. That gap between the two is exactly where audit findings are born. 

This is the stage where most students feel confused because internal audit is rarely taught practically. In my Master Blaster on Internal Audit, I’ve broken down these exact steps with real examples so you can understand how audits actually happen in real companies.

Step 5: Conducting Walkthroughs 

After understanding the process, the next step is creating a walkthrough document. Here, the auditor picks one transaction (say, one customer order) and traces it through the entire process from start to finish.
Did the order get a credit approval before dispatch? Was the invoice raised correctly? Was payment received and matched to the invoice in the system? 
This is also called design testing: you're testing whether the process is designed properly, not just whether individual controls work. It's like checking whether the recipe is correct before tasting the dish.

Step 6: Review of the Risk Control Matrix (RCM)

The Risk Control Matrix (RCM) is a document that most mid-sized and large Indian companies maintain. It lists out all the key risks in each process and the controls that are supposed to address those risks.
For example, in the Procure to Pay process, a risk might be: "Payments may be made to fictitious vendors." The corresponding control might be: "All new vendors must be verified and approved by the Finance Head before being added to the vendor master."
The RCM becomes the auditor's map: it tells you what risks exist and what controls are supposed to be in place. Your job is to test whether those controls are actually working.

Step 7: Testing Controls

This is where the real audit work happens. Using the RCM and your process understanding, you now test each control for the areas in scope.
Pick a sample of transactions and verify them. For the vendor verification control mentioned above, you might pull 25 recently added vendors and check: was each one formally approved? Is there evidence of the approval? Was it done by the right person?
If 5 out of 25 were added without proper approval, that's a control failure and a finding worth reporting. 

Step 8: Data Scrutiny and Issue Identification

Digging into the numbers: beyond control testing, good internal auditors also do data scrutiny, a deep-dive analysis of the underlying data to spot anomalies. This includes reviewing:

  • Sales register — Are there any unusual discounts given? Transactions reversed frequently?
  • Purchase register — Any unusually high-value transactions with a single vendor?
  • Employee master data — Ghost employees on the payroll?
  • Vendor data — Duplicate vendors? Vendors with the same bank account as an employee?
In Indian companies, especially manufacturing or trading businesses, this data analysis often uncovers issues that control testing alone would miss, like GST mismatches or TDS deduction gaps.
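
The vendor checks from the list above, as an added example that is not part of the original guide: it flags possible duplicate vendors and vendors paid into an employee's bank account. The records and field names are constructed for illustration and do not come from any real ERP schema.

```python
import re
from collections import defaultdict

# Constructed sample master data; field names are assumptions.
VENDORS = [
    {"id": "V001", "name": "Shree Ganesh Traders Pvt. Ltd.", "bank_acct": "001234567890"},
    {"id": "V002", "name": "SHREE GANESH TRADERS PRIVATE LIMITED", "bank_acct": "1234567890"},
    {"id": "V003", "name": "Apex Packaging", "bank_acct": "5550001112"},
    {"id": "V004", "name": "Om Logistics", "bank_acct": "9876 5432 10"},
    {"id": "V005", "name": "Apex Steel", "bank_acct": "4440002223"},
]
EMPLOYEES = [
    {"id": "E101", "name": "R. Mehta", "bank_acct": "9876543210"},
    {"id": "E102", "name": "S. Iyer", "bank_acct": "7770003334"},
]
SUFFIXES = {"pvt", "private", "ltd", "limited", "llp", "co", "company"}

def norm_name(name):
    """Lower-case, drop punctuation and legal suffixes so spelling variants collide."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def norm_acct(acct):
    """Digits only, leading zeros dropped: a matching heuristic, so hits are leads to verify."""
    return re.sub(r"\D", "", acct).lstrip("0")

def duplicate_vendors(vendors):
    """Return groups of vendor ids sharing a normalised name or bank account."""
    groups = defaultdict(set)
    for v in vendors:
        for key in (("name", norm_name(v["name"])), ("acct", norm_acct(v["bank_acct"]))):
            if key[1]:  # blank fields must not group unrelated vendors together
                groups[key].add(v["id"])
    return sorted({tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1})

def vendor_employee_overlap(vendors, employees):
    """Return (vendor id, employee id) pairs that share a bank account."""
    by_acct = {norm_acct(e["bank_acct"]): e["id"] for e in employees if norm_acct(e["bank_acct"])}
    return [(v["id"], by_acct[norm_acct(v["bank_acct"])])
            for v in vendors if norm_acct(v["bank_acct"]) in by_acct]

if __name__ == "__main__":
    print("Possible duplicate vendors:", duplicate_vendors(VENDORS))
    print("Vendor/employee shared accounts:", vendor_employee_overlap(VENDORS, EMPLOYEES))
```

Each hit is a lead to check against supporting documents, not a finding by itself.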

Step 9: Discuss Findings with the Client

Before anything is formally written up, the audit team sits with the client to discuss preliminary findings. This is an important professional courtesy and a practical one.
Sometimes, what looks like a gap has a valid explanation. Maybe the approval was taken verbally due to an emergency and documented later. Maybe the system shows a discrepancy but the physical records are accurate.
Findings that hold up even after the client's explanation become formal observations and are taken forward into the report. Issues that are satisfactorily explained are closed.

Step 10: Preparing the Internal Audit Report

Making it count: the Internal Audit Report is typically prepared in a presentation format (PPT), especially when it's going to the Board or Audit Committee. It should be crisp, visual, and easy to understand for senior management who don't want to read 40 pages of text. Each observation in the report should have:

  • The finding — What went wrong?
  • The risk — Why does it matter?
  • The recommendation — What should be done?
  • Management response — What does the client say they'll do about it?
The draft report is reviewed with the client's management team and the engagement partner before it's finalised. No finding should come as a shock to the client at the Board meeting.

Step 11: Presentation to the Board

The final milestone: the last step is presenting the finalised Internal Audit Report to the Board of Directors or the Audit Committee. In listed companies in India, the Audit Committee is a mandatory body under SEBI regulations, and internal audit findings are a standing agenda item.
This presentation covers the key observations, the risks they pose to the business, and the action plan agreed upon with management. The Board asks questions, management commits to timelines, and the audit cycle is formally closed until the next one begins. 

Common Mistakes to Avoid in Internal Audit

  • Ticking boxes without understanding the process — Audit is not a formality. Understand what you're checking.
  • Over-relying on management explanations — Always verify with evidence.
  • Writing vague recommendations — "Improve controls" means nothing. Be specific.
  • Skipping the follow-up — Real value is created only when issues are actually fixed.
  • Being adversarial — Internal audit is not about catching people. It's about helping the organisation improve.

Final Thoughts

The best internal auditors in India, whether they're working for a Big 4 firm, a PSU, or an in-house team, are those who understand the business first and audit second.
As a CA student or commerce professional, when you approach internal audit with genuine curiosity, asking why things work the way they do and not just whether they comply, you'll find that it becomes one of the most intellectually rewarding parts of your career.
Internal audit is not just about finding what's wrong. It's about helping organisations become more efficient, more transparent, and more resilient. And that's a role worth taking seriously.

FAQs

1. What is the purpose of an internal audit?
Ans. The purpose of an internal audit is to evaluate a company’s processes, internal controls, and risk management systems. It helps identify errors, fraud risks, inefficiencies, and compliance issues before they become serious problems. Internal audit also ensures that resources are used effectively and business operations run smoothly.

2. What are the main steps in the internal audit process?
Ans. The internal audit process typically includes planning and appointment, defining scope, understanding processes, preparing a Risk Control Matrix (RCM), conducting walkthroughs, testing controls, performing data analysis, identifying findings, reporting, and presenting to management or the audit committee. Follow-up is also an important step.

3. How can I learn internal audit practically as a CA student?
Ans. Most CA students struggle with internal audit because they lack practical exposure beyond theory. The best way is to understand real processes, working papers, and how auditors actually think. For structured learning, you can explore my Internal Audit masterclass, where I simplify the entire process with real-world examples.

4. Is internal audit important for CA students and freshers?
Ans. Yes, internal audit is extremely important for CA students and freshers. It builds practical understanding of business processes, risk management, and controls. Strong internal audit knowledge also improves your chances of getting shortlisted in Big 4 firms and other finance roles, as it is a core skill in real-world finance jobs.

CA Tushar Makkar
Author - Auditing in real life | Consulting in India, US, Europe and Middle East | Content creator | Ex-PwC | CA AIR 47 Nov' 17 | YouTuber 40k+ | Expertise in manage accounts and Audit | Investor
