Internal Audit Checklist

A complete step-by-step internal audit checklist for Chartered Accountants covering IPPF 2024, COSO framework, risk assessment, internal controls testing, compliance verification, and reporting. This practical guide helps CAs conduct structured, risk-based internal audits aligned with Companies Act 2013 requirements and global standards.

17 February, 2026

Introduction

Let's be honest. Most internal audit checklists floating around the internet look like they were written in a rush. They cover the basics, skip the foundations, and leave out the frameworks that actually give your audit structure and credibility.
This guide is different. It is written for practising Chartered Accountants and audit professionals in India who want to do internal audit the right way — from planning through reporting. No shortcuts. No fluff. Everything that belongs in a proper internal audit, in the order it should actually happen.


What Is Internal Audit and Who Needs It?

Before jumping into the checklist, let’s understand what internal audit actually means.
Internal audit is an independent and objective review of a company’s operations, financial controls, risk management, and compliance systems. It is very different from a statutory audit. A statutory audit looks backward and gives an opinion on financial statements. Internal audit is forward-looking — it identifies risks, evaluates whether controls are working, and highlights issues before they become serious problems.
Under Section 138 of the Companies Act, 2013, internal audit is mandatory for:

  • Every listed company
  • Every unlisted public company with:
    • Paid-up share capital ≥ ₹50 crore
    • Turnover ≥ ₹200 crore
    • Outstanding loans/borrowings ≥ ₹100 crore
    • Outstanding deposits ≥ ₹25 crore
  • Every private limited company with:
    • Turnover ≥ ₹200 crore
    • Outstanding loans/borrowings ≥ ₹100 crore
Even when not mandatory, internal audit is increasingly expected by lenders and investors. For many companies, it has become a governance necessity rather than just a legal requirement.

The Frameworks Behind a Good Internal Audit

A serious internal auditor does not just rely on checklists. The work must be structured around globally accepted frameworks. Two are especially important — and highly relevant for Indian CAs.
IPPF — International Professional Practices Framework
Issued by the Institute of Internal Auditors, the 2024 IPPF (effective January 9, 2025) replaced the 2017 version and is now the global benchmark for internal audit practice.
Think of IPPF as the rulebook. It guides how internal audits should be planned, executed, and reported. ICAI’s guidance in India is closely aligned with it.
The 2024 IPPF has three parts:

  • Global Internal Audit Standards (mandatory; built on 15 principles across five domains)
  • Topical Requirements (mandatory for specific risk areas)
  • Global Guidance (recommended implementation support)
For an Indian CA, IPPF provides professional credibility. When you issue an internal audit report, you are expected to follow recognized standards — IPPF gives that foundation.
COSO ICIF — Internal Control Integrated Framework
The COSO Internal Control – Integrated Framework (2013) remains the most widely used framework globally, including by Big Four and mid-sized firms in India.
COSO is built on five components. An internal auditor’s job is not just to test controls but to assess whether these components are present and functioning together.
1. Control Environment: the tone at the top. Does management genuinely respect controls? Are ethics, independence, accountability, and whistleblower mechanisms real or just on paper?
2. Risk Assessment: are business objectives defined? Are risks, including fraud risk, formally identified and evaluated?
3. Control Activities: approvals, reconciliations, segregation of duties, system controls. These are the operational safeguards most people associate with internal audit.
4. Information & Communication: is accurate information reaching the right people? Do employees understand their control responsibilities?
5. Monitoring: are controls periodically reviewed? Are deficiencies tracked and corrected?
Example: A well-known manufacturing company in India had strong Control Activities on paper — three-quote policy, PO approvals, goods receipt notes — but the Control Environment was weak. The owner's son could override any control without documentation. No amount of checklist testing would have caught this without looking at the tone at the top first.

Phase 1: KYC and Engagement Understanding Checklist

Before you test a single control, understand who you are auditing and what you are responsible for.
Start with basic legal and structural clarity:

  • Obtain Certificate of Incorporation
  • Review Memorandum & Articles of Association
  • Check whether activities align with the objects clause
  • Study organization chart and reporting hierarchy
  • Identify key management personnel — who approves purchases, who controls cash, who authorizes payments
  • Review latest audited financial statements
  • Review previous internal audit reports for repeat findings
Now move to engagement clarity:
  • Sign and document the engagement letter (scope, period, frequency)
  • Review Audit Committee terms of reference (if applicable)
  • Check for regulatory notices or compliance issues in the past year
This phase prevents scope disputes and ensures you are not auditing blindly.

Phase 2: Audit Program Preparation

This is where professionalism begins. An Audit Program is not a random checklist — it is your structured roadmap.
Prepare the program as follows:

  • List all major processes: procurement, sales, payroll, inventory, fixed assets, treasury, IT, compliance
  • Rank areas as High / Medium / Low risk
  • Define audit objective for each process
  • Document specific test procedures
  • Decide sample selection method (random / judgmental / statistical)
  • Identify data requirements in advance
  • Allocate responsibility within the audit team
  • Get partner/CAE sign-off before fieldwork
Without a documented audit program, your audit lacks structure and defensibility.

Professionals who want to strengthen their approach beyond basic checklist testing often benefit from structured methodologies similar to those discussed in Master Blaster of Internal Audit, especially around risk assessment, RCM preparation, and report structuring.

Phase 3: Planning Meeting Preparation

Before fieldwork, hold a formal planning or kick-off meeting. Many skip this — serious auditors don’t.
Before the meeting:

  • Prepare an initial process questionnaire
  • Share it with the process owner
  • Collect policy and procedure documents
  • Obtain department-specific org chart
  • Identify ERP modules used (SAP, Tally, Oracle, etc.)
  • Review key management reports
During the meeting:
  • Confirm your understanding of the process
  • Ask about changes during the year
  • Discuss known issues or weaknesses
  • Agree on timelines and data-sharing protocols
  • Clarify escalation process
  • Document and circulate signed minutes
Often, this discussion changes your risk focus entirely.

Phase 4: Risk Assessment Checklist

You cannot audit everything deeply. Prioritize based on risk exposure.
Identify high-risk areas such as:

  • Procurement and vendor management
  • Sales and revenue recognition
  • Payroll processing
  • Cash and bank operations
  • Fixed assets
  • Statutory compliance (TDS, GST, PF, ESI)
  • Related party transactions
  • IT system controls
For each major process, prepare a Risk Control Matrix (RCM):
  • Process
  • Key risks
  • Existing controls
  • Control type (preventive/detective)
  • Test procedure
  • Findings
The RCM ensures your audit is risk-driven — not checklist-driven.

Phase 5: Internal Controls Testing — Area by Area

Now comes detailed testing. Focus on whether controls are properly designed and actually operating.
Procurement Controls

  • Is there a formal PR → PO → GRN → Invoice matching system?
  • Are multiple quotations obtained above threshold values?
  • Is there an approved vendor list?
  • Are POs approved as per delegation matrix?
  • Are debit/credit notes properly documented?
The objective: prevent unauthorized or inflated purchases.
Sales and Revenue Controls
  • Is there a credit approval matrix?
  • Are invoices reconciled with dispatch documents?
  • Is year-end cut-off clearly followed?
  • Are credit notes properly approved?
  • Is sales as per books reconciled with GST returns?
  • Is debtor ageing reviewed regularly?
Revenue manipulation risk must always be evaluated.
Payroll Controls
  • Is employee master properly approved?
  • Is attendance linked to payroll?
  • Are salary transfers through bank only?
  • Are PF, ESI, PT calculated and deposited on time?
  • Any risk of ghost employees?
  • Are full and final settlements approved?
Payroll fraud often hides in weak documentation.

As companies increasingly move toward Ind AS reporting, internal auditors must also understand areas like revenue recognition, financial instruments, and deferred tax — concepts that require deeper practical clarity similar to those explored in Master Blaster of Ind AS.

Cash and Bank Controls
  • Is petty cash policy defined?
  • Are surprise cash verifications conducted?
  • Are BRS prepared monthly and reviewed?
  • Any long-outstanding reconciling items?
  • Dual authorization for large payments?
  • Any cash payments above ₹20,000 (Section 40A(3))?
Weak bank controls override many other safeguards.
Inventory Controls
  • Is physical stock verification conducted regularly?
  • Are discrepancies investigated?
  • Is inventory valued at cost or NRV, whichever is lower?
  • Is obsolete stock identified and written off?
  • Are scrap sales properly accounted for?
In manufacturing, analyze consumption ratios for abnormal variances.
Fixed Assets Controls
  • Is Fixed Asset Register updated?
  • Are capital expenditures properly approved?
  • Is depreciation calculated as per Schedule II?
  • Is physical verification conducted periodically?
  • Are disposals properly authorized and recorded?
Improper capitalization can artificially inflate profits.

Statutory Compliance Checklist
Direct Tax Compliance
  • Verify TDS deductions across key sections — 194C (contractors), 194J (professional fees), 194I (rent), 194Q (goods above threshold)
  • Check if cash payments above ₹20,000 per day to a single party have been made — these are disallowed under Section 40A(3)
  • Verify whether payments to related parties are at market value — excess payments get disallowed under Section 40A(2)
  • Check whether Form 15CA and 15CB have been uploaded for any payments made outside India

Interestingly, many compliance and governance observations in internal audit later become key reporting matters in statutory audits, which is why conceptual clarity in areas covered under Master Blaster of Statutory Audit strengthens overall audit judgment.

GST Compliance
  • Reconcile GSTR-3B with GSTR-2B for Input Tax Credit — mismatches must be flagged
  • Reconcile GSTR-1 with books of accounts for sales — check for unreported invoices
  • Verify whether ITC has been reversed for vendor invoices not paid within 180 days
  • Check whether credit notes issued to customers match debit notes received from vendors
Labour Law Compliance
  • Are PF and ESI computations correct, i.e. calculated on the right salary components?
  • Are contributions paid within due dates — PF by the 15th of the following month?
  • Check compliance with the Payment of Bonus Act and Gratuity Act
  • If contract labour is used, check compliance with the Contract Labour (Regulation and Abolition) Act, 1970
Related Party Transactions
Related party transactions (RPTs) are one of the highest-risk areas in Indian companies. The Companies Act, SEBI regulations (for listed companies), and Income Tax Act all have specific requirements around RPTs.
  • Obtain a complete list of related parties — holding company, subsidiaries, associates, Key Managerial Persons (KMPs), and relatives of KMPs
  • Verify that all RPTs were identified, disclosed, and approved by the Audit Committee and Board in advance
  • Are RPTs at arm's length price? If not, shareholders' approval is required under Section 188 of the Companies Act
  • Check whether Form AOC-2 (related party disclosure in the Directors' Report) has been prepared and filed correctly
  • Verify whether loans to directors comply with Section 185 — these are generally prohibited unless specific exceptions apply
  • For listed companies, check compliance with SEBI Circular on RPTs (November 2021) — which significantly tightened RPT requirements
IT Controls and System Access
Most companies now run on ERP or accounting software. IT controls are no longer optional in any internal audit checklist for companies.
  • Are user access controls properly set — does each employee access only what their role requires?
  • Are there maker-checker systems in the software for financial transactions?
  • Have ex-employee system accesses been revoked? This is a surprisingly common and dangerous gap
  • Is there a regular data backup procedure for all financial records?
  • Is the MIS that management relies on for decisions accurate, timely, and reconciled with the books?
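The first three IT-control questions above (role-based access, maker-checker, revoked ex-employee access) are usually answered by reconciling the ERP user list against the HR roster. The script below is an added example, not part of the original checklist or any vendor's tool; the HR roster, ERP user export, role labels of the form MODULE_MAKER / MODULE_CHECKER, and the department-to-module ownership map are all constructed assumptions. It flags four things an internal auditor would put straight into the RCM findings column: active logins belonging to terminated staff, logins with no HR owner at all, logins that can both raise and approve in the same module, and roles held by a department that should not have them.

```python
"""
Access review: reconcile an ERP user list against the HR roster.

Added example for the IT Controls checklist. All data below is constructed
inline for illustration; the column names, role labels and ownership map are
assumptions, not a real ERP export format.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster: employee id -> (department, date of leaving or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "E001": ("Finance", None),
    "E002": ("Finance", None),
    "E003": ("Procurement", date(2025, 11, 30)),   # left the company
    "E004": ("Sales", None),
}

# Constructed ERP user export. Roles are hypothetical labels of the form
# <module>_MAKER (can create a transaction) / <module>_CHECKER (can approve it).
ERP_USERS = [
    {"login": "alice",     "emp": "E001", "active": True,  "roles": {"AP_MAKER"}},
    {"login": "bob",       "emp": "E002", "active": True,  "roles": {"AP_MAKER", "AP_CHECKER"}},  # raises and approves
    {"login": "carol",     "emp": "E003", "active": True,  "roles": {"PO_MAKER"}},                # left, still active
    {"login": "dave",      "emp": "E004", "active": True,  "roles": {"PO_CHECKER"}},              # Sales approving POs
    {"login": "svc_batch", "emp": None,   "active": True,  "roles": {"GL_MAKER"}},                # no HR owner
    {"login": "erin",      "emp": "E003", "active": False, "roles": {"PO_CHECKER"}},              # disabled: ignored
]

# Assumed map of which departments legitimately hold each module.
MODULE_OWNERS: Dict[str, Set[str]] = {
    "AP": {"Finance"},
    "GL": {"Finance"},
    "PO": {"Procurement"},
}


@dataclass
class AccessFindings:
    terminated_still_active: List[str] = field(default_factory=list)
    orphan_accounts: List[str] = field(default_factory=list)
    sod_conflicts: Dict[str, Set[str]] = field(default_factory=dict)   # login -> modules
    out_of_role: Dict[str, Set[str]] = field(default_factory=dict)     # login -> roles


def review_access(erp_users, hr_roster, module_owners, as_of: date) -> AccessFindings:
    """Return the control exceptions found in the ERP user list as at `as_of`."""
    f = AccessFindings()
    for u in erp_users:
        if not u["active"]:
            continue                      # disabled logins are not an exposure
        emp = u["emp"]
        if emp is None or emp not in hr_roster:
            f.orphan_accounts.append(u["login"])   # nobody in HR owns this login
            continue
        dept, left_on = hr_roster[emp]
        if left_on is not None and left_on <= as_of:
            f.terminated_still_active.append(u["login"])
        modules_by_kind: Dict[str, Set[str]] = {}
        for role in sorted(u["roles"]):
            module, kind = role.rsplit("_", 1)
            modules_by_kind.setdefault(kind, set()).add(module)
            if dept not in module_owners.get(module, set()):
                f.out_of_role.setdefault(u["login"], set()).add(role)
        # Segregation of duties: same person is maker and checker on one module.
        conflict = modules_by_kind.get("MAKER", set()) & modules_by_kind.get("CHECKER", set())
        if conflict:
            f.sod_conflicts[u["login"]] = conflict
    return f


def run_review(as_of: date = date(2026, 2, 17)) -> AccessFindings:
    """Convenience wrapper over the constructed sample data."""
    return review_access(ERP_USERS, HR_ROSTER, MODULE_OWNERS, as_of)


if __name__ == "__main__":
    findings = run_review()
    print("Terminated but active :", findings.terminated_still_active)
    print("No HR owner           :", findings.orphan_accounts)
    print("Maker-checker conflict:", findings.sod_conflicts)
    print("Role outside department:", findings.out_of_role)
```

In practice the two inputs are a user export from the ERP's administration module and the HR master as at the audit date; the ownership map is what the delegation matrix says each department may do. Each non-empty list is an observation with a clear criterion (the access policy), a risk (unauthorised transactions that no second person approves) and a root cause that is usually a missing leaver process rather than a software defect.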

Phase 6: Internal Audit Reporting

The report is where your work finally speaks. A good internal audit report does not just list problems — it tells a story about risk, root cause, and the path forward.
Report Structure
Each finding should cover:

  • Observation — what was found, with specifics, dates, and amounts where possible
  • Criteria — what should have happened (policy, law, or standard that was not followed)
  • Risk or Impact — what could go wrong if this is not fixed, quantify where possible
  • Root Cause — is it a process design gap, a people/training issue, or management override?
  • Recommendation — what should be done, by whom, and by when
  • Management Response — what does the process owner say and when will they fix it?
Report Quality Checklist
  • Is the executive summary clear enough for a Board member or Audit Committee member to read in five minutes?
  • Are findings rated by severity — Critical, High, Medium, or Low?
  • Does the report distinguish between design deficiencies (the control was never designed properly) and operating deficiencies (the control exists but is not being followed)?
  • Are repeat findings from previous reports clearly marked — repeat findings are a finding in themselves, signaling poor corrective action
  • Is the tone of the report factual and constructive — not accusatory?
  • Has the report been shared in draft form with management for their response before finalisation?
  • Are all findings and management responses documented in a Summary of Findings Register for tracking?

Common Mistakes in Internal Audit — and How to Avoid Them

  • Skipping the planning meeting — this leads to surprise data requests, department resistance, and missed risks
  • Not preparing an Audit Program — without it, your coverage is random and your file has no structure
  • Treating internal audit like statutory audit — the scope, mindset, and deliverable are different
  • Ignoring the Control Environment — testing controls in a company where the tone at the top is poor is like checking seat belts in a car with no brakes
  • Leaving CARO 2020-style thinking out of internal audit — many CAs are so conditioned by statutory audit that they forget internal audit has a much broader scope

Final Thoughts

Internal audit, done properly, is one of the most valuable things a CA can offer a company. It is not a compliance burden — it is the early warning system that catches problems before they become crises. It is the check that tells promoters and the Board whether the business is running the way they think it is.
Use this checklist as your complete framework. Layer it with IPPF standards for professional credibility. Structure your testing with COSO for depth. And always remember — the quality of your internal audit report reflects directly on the quality of your professional judgment.
The companies that take internal audit seriously grow better, get fewer regulatory notices, and face far fewer financial surprises. As a CA, your job is to help them get there.


Frequently Asked Questions 

1. What is included in an internal audit checklist for companies?
An internal audit checklist includes risk assessment, procurement controls, sales and revenue controls, GST and TDS compliance, payroll verification, inventory checks, fixed asset verification, IT controls, and compliance under Section 138 of the Companies Act 2013. It focuses on control effectiveness and operational efficiency.

2. Is internal audit mandatory for private limited companies in India?
Yes, under Section 138 of the Companies Act 2013, internal audit is mandatory for certain classes of companies, including private limited companies meeting specified turnover or borrowing thresholds. The Board appoints the internal auditor, who can be a CA, Cost Accountant, or another qualified professional.

3. How is internal audit different from statutory audit?
A statutory audit is conducted annually to give an opinion on financial statements, while internal audit is continuous and focuses on risk management, internal controls, compliance, and operational efficiency. Internal audit is forward-looking and advisory in nature, whereas statutory audit is regulatory and opinion-based.

Abhishek Asalak
BBA Graduate | Emerging Business Professional
