Risk Advisory · Risk Advisory Services
Risk-Based Internal Audits
Most internal audit functions fail quietly — not because they lack effort, but because they audit the same processes every year regardless of where the organisation's real exposure has shifted.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Most internal audit functions fail quietly — not because they lack effort, but because they audit the same processes every year regardless of where the organisation's real exposure has shifted. A Risk-Based Internal Audit reverses that default: instead of a fixed rotation of departments, the annual audit plan is built from a current risk assessment, so audit hours go to the areas most likely to hurt the business — a customer-concentration blind spot, a control gap in a fast-growing business line, a vendor payment process that has outgrown its original design. At PNPC Global, we have delivered internal audit and risk advisory engagements to Indian and UAE businesses since 1986, drawing on the ICAI's Standards on Internal Audit and Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014. We build audit plans the Audit Committee actually uses to make decisions — not a checklist exercise that repeats the same findings every year.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Risk-Based Internal Audit (RBIA) is an approach to internal auditing in which the scope, depth, and frequency of audit coverage are determined by a structured risk assessment of the organisation, rather than a fixed cyclical rotation through every department or process in a set sequence. Under a traditional, compliance-driven internal audit model, every function gets broadly equal audit attention on a rolling multi-year cycle regardless of its actual risk profile. Under RBIA, high-risk areas — a business line with weak historical controls, a process with recent turnover in key personnel, a function handling a disproportionate share of cash or high-value transactions — receive more frequent and deeper audit coverage, while genuinely low-risk, stable areas receive lighter-touch review. The result is an audit function whose findings management and the Audit Committee treat as material, because the areas audited are demonstrably the areas where something could actually go wrong.
In India, internal audit is a statutory requirement for a defined class of companies under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 — covering every listed company, and every unlisted public company and private company that crosses prescribed thresholds of paid-up share capital, turnover, borrowings, or outstanding deposits. The Institute of Chartered Accountants of India (ICAI) has issued Standards on Internal Audit (SIAs) that establish the professional framework internal auditors are expected to follow, including SIA 130 on Risk Management and SIA 220 on Conducting Overall Internal Audit Planning, which together direct that the internal audit plan be developed based on a documented risk assessment rather than an arbitrary or purely historical scope. Even for companies below the Section 138 threshold, an increasing number of boards, lenders, and institutional investors expect a functioning internal audit process as part of standard governance practice — particularly once external funding, multi-location operations, or a growing employee base increase the organisation's inherent risk profile.
The mechanics of RBIA rest on a small number of core building blocks: a risk assessment (often, though not always, informed by or coordinated with an Enterprise Risk Management exercise) that identifies and rates the organisation's key risks across financial, operational, compliance, and fraud categories; a risk-based audit universe that maps every auditable entity, process, or location against its risk rating; a risk-weighted annual audit plan, approved by the Audit Committee, that allocates available audit hours to the highest-risk areas first; individual audit engagements that test the design and operating effectiveness of controls addressing the specific risks in scope; and a structured reporting and follow-up mechanism that tracks management action on findings until they are genuinely closed, not just acknowledged. A well-run RBIA function typically reports functionally to the Audit Committee and administratively to the CEO or a designated senior executive, preserving the independence that Section 138 and the ICAI Standards require.
RBIA is deliberately distinct from — but works closely alongside — statutory audit, Enterprise Risk Management (ERM), and Internal Financial Controls (IFC) review. The statutory auditor forms an opinion on whether the financial statements present a true and fair view, largely through year-end testing; internal audit runs continuously through the year and covers operational and compliance areas well beyond the scope of financial reporting. ERM identifies and prioritises the organisation's risk universe at the strategic and enterprise level; RBIA takes that risk view (or builds its own where no formal ERM function exists) and converts it into a concrete, hour-by-hour audit testing plan. IFC review under Section 134(5)(e) focuses narrowly on controls over financial reporting; RBIA's scope is broader, covering operational efficiency, compliance with internal policy, and fraud risk alongside financial controls. Getting this sequencing right — risk assessment first, audit plan built from it second, testing and reporting third — is what separates an internal audit function the Audit Committee treats as a genuine early-warning system from one that produces a thick annual report nobody meaningfully acts on.
When a Risk-Based Internal Audit is the right approach
Company falls within the Section 138 / Rule 13 threshold for mandatory internal audit — every listed company, and unlisted public or private companies crossing the prescribed paid-up capital, turnover, borrowing, or deposit thresholds
Existing internal audit function follows a fixed departmental rotation that has not changed in years, and findings have become repetitive and low-value to the Audit Committee
Rapid growth, a new business line, new geography, or a recent acquisition has changed the organisation's risk profile faster than the audit plan has kept pace
Recent fraud incident, control failure, or near-miss that has prompted the Board or Audit Committee to ask whether audit hours are actually going to the areas of greatest exposure
Private equity or institutional investors on the cap table who expect a documented, risk-prioritised internal audit function as part of governance reporting
Preparing for IPO, where SEBI ICDR and post-listing LODR obligations make a functioning, risk-based internal audit process a pre-listing governance expectation
Multi-location or multi-entity operations where audit resources are limited relative to the number of locations, and prioritisation genuinely matters
Audit Committee or Board seeking a more defensible, risk-justified basis for the scope and coverage of the annual internal audit plan presented for approval
Existing internal audit team wants to formally adopt ICAI's Standards on Internal Audit (SIA 130 risk assessment methodology and SIA 220 risk-based planning) rather than an informal or ad hoc planning approach
When a different approach may be more proportionate
Very small private company well below the Section 138 / Rule 13 thresholds, with simple single-location operations and no near-term fundraising or listing plans — a lighter periodic financial review may be adequate rather than a formal RBIA function
Organisation has no risk assessment or risk register of any kind and no interest in building one — a compliance-based internal audit covering statutory-mandated areas may be a more realistic starting point before layering on risk-based prioritisation
The immediate need is a one-time investigation into a specific suspected fraud or irregularity — a targeted forensic investigation is a faster, more precise fit than standing up a full annual risk-based audit plan
Business primarily needs Internal Financial Controls (IFC) documented and tested for statutory audit purposes under Section 134(5)(e) — an IFC design and testing engagement is the more precise scope, though it is a natural complement to RBIA
Very early-stage startup with a handful of employees and no institutional investors — founder-level oversight of the small number of financial processes in place is often sufficient until the organisation scales
Risk-Based Internal Audit vs related assurance and audit functions
| Feature | Risk-Based Internal Audit (RBIA) | Traditional Cyclical Internal Audit | Statutory (Financial) Audit | Enterprise Risk Management (ERM) | Forensic Investigation |
|---|---|---|---|---|---|
| Primary objective | Test controls in the areas of highest current risk, prioritised by a documented risk assessment | Test controls across all departments in a fixed rotational sequence, largely irrespective of risk | Form an opinion on whether financial statements present a true and fair view | Identify, assess, prioritise, and treat enterprise-wide risk to strategic objectives | Investigate a specific suspected fraud, irregularity, or breach after the fact |
| Governing framework | Section 138 + Rule 13, ICAI Standards on Internal Audit (SIA 130 risk assessment, SIA 220 planning) | Section 138 + Rule 13 (same statute, weaker methodology) | Companies Act Sections 139-148, Standards on Auditing (ICAI/SA) | ISO 31000:2018, COSO ERM (2017), SEBI LODR Reg. 21 | Engagement-specific — no single governing statute |
| Who owns it | Internal Audit function, reporting functionally to the Audit Committee | Internal Audit function, often reporting operationally rather than functionally | Independent statutory auditor appointed under Section 139 | Risk Management Committee / CRO, reporting to the Board | Forensic team engaged directly by the Board or Audit Committee |
| Basis for scope | Risk assessment output — likelihood and impact ratings drive audit hours | Historical rotation schedule, often unchanged year to year | Materiality and audit risk assessment under Standards on Auditing | Full enterprise risk universe across strategic, operational, financial, compliance categories | Specific allegation, tip-off, or detected anomaly |
| Typical output | Risk-weighted annual audit plan, rated findings reports, tracked management action plans | Departmental audit reports, often repetitive year over year | Audit opinion, management letter, IFC opinion under Section 143(3)(i) | Board-approved risk policy, risk register, heat map, mitigation plans | Investigation report with findings, quantum of loss, and recommended action |
| Mandatory for | Listed companies; unlisted public/private companies above Rule 13 thresholds (methodology is a professional standard, not separately mandated) | Same statutory trigger as RBIA — the requirement is for internal audit, not for a specific methodology | All companies incorporated under the Companies Act | Top 1,000 listed companies by market cap under SEBI LODR Reg. 21; expected practice for others | Not mandated — undertaken on a case-by-case basis |
| Frequency | Continuous through the year per the risk-weighted annual plan, replanned periodically | Continuous through the year per the fixed rotational plan | Annual, aligned to the financial year-end | Continuous monitoring; formal Board reporting typically quarterly | One-off, triggered by a specific event |
| Relationship to RBIA | — | A less risk-responsive variant of the same statutory function | Often relies on internal audit's control testing as part of its own risk assessment | Frequently the direct input that shapes the risk-based audit plan | May be triggered by findings that surface during an RBIA engagement |
These functions overlap in places but serve distinct purposes — a mature governance framework typically runs ERM as the risk-identification layer, RBIA as the assurance layer that tests whether controls over those risks are actually working, statutory audit as the independent financial-statement opinion, and forensic investigation as the targeted response when a specific issue surfaces. The right combination for your organisation should be confirmed with a practising CA based on your Section 138 applicability, risk profile, and existing governance maturity.
| # | Stage & What PNPC Does | What Generic Providers Skip | Timeline |
|---|---|---|---|
| 1 | Applicability & Scoping Assessment | We first confirm whether internal audit is mandatory for your company under Section 138 read with Rule 13 — checking paid-up capital, turnover, outstanding borrowings, and outstanding deposits against the prescribed thresholds — and separately assess whether a risk-based approach adds value even where a basic internal audit function already exists but runs on a purely rotational basis. | Week 1 |
| 2 | Risk Assessment Input Gathering | Where a current Enterprise Risk Management risk register exists, we use it as a primary input. Where none exists, we run a focused risk identification exercise specifically to inform the audit plan — structured interviews with the CEO, CFO, and function heads, review of prior audit findings, statutory auditor's management letter, and any known control weaknesses — rather than starting the audit plan from a blank template. | Week 1–3 |
| 3 | Audit Universe Mapping | Every auditable entity, process, location, and business cycle is catalogued — procurement, revenue, payroll, treasury, IT, inventory, fixed assets, related-party transactions, and any sector-specific processes — so nothing material is left outside the scope of consideration when risk-weighting is applied. | Week 2–3 |
| 4 | Risk Rating of the Audit Universe | Each item in the audit universe is scored on likelihood and impact using a consistent methodology aligned to ICAI's SIA 130 (Risk Management) and SIA 220 (Conducting Overall Internal Audit Planning) — factoring in transaction volume and value, complexity, history of past findings, quality of existing controls, fraud susceptibility, and regulatory exposure — producing a defensible ranking rather than a scope decided by who shouts loudest at planning. | Week 3–4 |
| 5 | Risk-Weighted Annual Audit Plan Drafting | Available audit hours (whether an in-house team, a co-sourced arrangement, or fully outsourced to PNPC) are allocated against the risk-rated universe — high-risk areas get more frequent, deeper coverage; low-risk, stable areas get lighter or less frequent review. The draft plan explicitly documents the risk rationale behind every allocation, so the Audit Committee can see why hours were assigned where they were. | Week 4–5 |
| 6 | Audit Committee Presentation & Approval | The risk-weighted plan is presented to the Audit Committee for review, challenge, and formal approval — including discussion of any areas the Committee believes carry higher risk than the initial assessment reflects. This is also where the reporting cadence for the year is agreed. | Week 5–6 |
| 7 | Individual Audit Engagement Planning | For each audit in the approved plan, a specific engagement scope, objectives, and testing approach is documented before fieldwork begins — mapped explicitly to the risks that justified the audit's inclusion in the plan, so testing stays focused on what actually matters rather than drifting into a generic control checklist. | Ongoing, per audit cycle |
| 8 | Fieldwork & Control Testing | Testing of control design and operating effectiveness — walkthroughs, sample testing, data analytics where volumes support it, and interviews with process owners — executed against the specific risks identified for that audit area, with findings rated by severity as they are identified rather than batched until the final report. | 2–6 weeks per audit, depending on scope |
| 9 | Draft Findings & Management Response | Draft findings are shared with process owners and management before finalisation — giving management the opportunity to provide context, propose remediation timelines, and correct any factual inaccuracy — a step that strengthens the credibility and actionability of the final report rather than surprising management at Audit Committee presentation. | 1–2 weeks per audit |
| 10 | Final Report & Audit Committee Presentation | The final report — rated findings, root cause analysis, management's response and committed action plan, and target closure dates — is presented to the Audit Committee, with PNPC available to answer questions directly rather than relying on management to relay technical findings second-hand. | Per Audit Committee meeting cycle, typically quarterly |
| 11 | Follow-Up & Closure Tracking | Open findings are tracked to actual closure — not marked closed on management's assertion alone, but verified through follow-up testing where the finding's severity warrants it. Recurring or unresolved findings are explicitly flagged to the Audit Committee rather than quietly rolled forward year after year. | Ongoing, tracked at each Committee meeting |
| 12 | Mid-Year Plan Refresh | The risk assessment underlying the audit plan is revisited mid-cycle — new risks (an acquisition, a new regulation, a control failure elsewhere in the business) can shift audit priorities mid-year, and a purely static annual plan misses this. We formally reassess and, where warranted, re-prioritise the remaining plan. | Mid-year, per Committee cycle |
| 13 | Annual Plan Renewal | The full risk assessment, audit universe, and risk-weighted plan are refreshed for the new financial year — incorporating the prior year's findings, changes in the business, and emerging risk categories — so the plan evolves with the organisation rather than being recycled from the previous year with minor edits. | Annually, ahead of the new financial year |
Realistic timeline: a first-generation risk-based audit plan — from risk assessment input gathering through Audit Committee-approved annual plan — typically takes 4-6 weeks. Individual audit engagements within the approved plan typically run 2-6 weeks each depending on scope and process complexity, with fieldwork and reporting continuing through the year on the agreed cadence, usually aligned to quarterly Audit Committee meetings.
Certificate of Incorporation, latest audited financial statements, and confirmation of paid-up capital, turnover, borrowings, and deposits to verify Section 138 / Rule 13 applicability
Audit Committee composition and terms of reference, including confirmation of the internal audit function's reporting line
Minutes of the last 4-6 Audit Committee meetings, particularly any prior discussion of internal audit scope, findings, or resourcing
Existing internal audit charter or policy, if any, and the prior year's internal audit plan and reports
Organisation chart with reporting lines for key business functions, locations, and subsidiaries in scope
Existing Enterprise Risk Management risk register or risk assessment, if one exists, to use as a primary input to the audit universe
Statutory auditor's management letter and Internal Financial Controls (IFC) observations from the most recent audit
Details of any past fraud incidents, near-misses, whistle-blower complaints, or control failures over the past 2-3 years
Any prior third-party risk assessment, due diligence report, or regulator inspection findings
List of major contracts, customer concentration, and vendor/supplier concentration (top 10 by value)
Latest audited financial statements and management accounts for the most recent 2-3 years
Trial balance and general ledger extracts for the areas likely to be in scope of the audit universe
Details of related-party transactions and the process for their identification and Board approval
Bank statements, loan agreements, and details of any financial covenants tied to lending facilities
Fixed asset register and details of any recent capital expenditure or asset disposals
Standard Operating Procedures (SOPs) for key business cycles — procurement, revenue/order-to-cash, payroll, treasury, inventory — where documented
Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value
Details of any recent process changes, system implementations, or ERP migrations that may have altered control design
Organisational headcount and any recent turnover in key finance, procurement, or operational roles
List of all locations, branches, warehouses, or plants, with an indication of relative transaction volume or risk
List of key IT systems, ERP, and business applications relevant to the processes in scope, with access-control ownership details
User access review records or evidence of periodic access recertification, if performed
Details of any recent cybersecurity incidents or IT control weaknesses identified by prior audits
System-generated reports or data extracts available for use in audit testing and data analytics
List of licences, registrations, and regulatory approvals applicable to the entity's sector and locations
Compliance tracker or calendar, if one exists, and any instances of non-compliance, penalties, or regulatory correspondence in recent years
Sector-specific regulatory findings — RBI, SEBI, IRDAI, or other regulator communications, as applicable
Prior year statutory audit report, Board's Report, and Corporate Governance Report (for listed entities), to cross-reference disclosed risk and control commentary
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Applicability Assessment (Month 1) | Crossing Section 138 / Rule 13 thresholds, or Board decision to formalise internal audit | Confirm statutory applicability against paid-up capital, turnover, borrowing, and deposit thresholds; assess whether an existing rotational internal audit function should transition to a risk-based methodology. | Non-compliance with a mandatory statutory requirement — a company that crosses the Rule 13 thresholds without appointing an internal auditor is in breach of Section 138, which can draw regulatory and Audit Committee scrutiny. |
| Risk Assessment & Plan Design (Month 1-2) | Annual planning cycle or first-time RBIA adoption | Risk assessment input gathering, audit universe mapping, and a risk-weighted annual plan built around the organisation's actual current exposure — not a template rotation carried forward unchanged from prior years. | An audit plan that reallocates the same hours to the same low-risk departments year after year, leaving genuinely high-risk areas under-audited or entirely unaudited. |
| Audit Committee Approval (Month 2) | Scheduled Committee meeting | Present the risk-weighted plan with explicit rationale for hour allocation, inviting Committee challenge and formal approval — establishing a defensible, documented basis for the year's audit scope. | A plan approved without genuine Committee engagement provides no real governance value and offers little defence if a significant risk later materialises in an under-audited area. |
| Fieldwork & Reporting Cycle (Ongoing) | Approved annual plan | Individual audits executed against documented objectives tied to specific risks, with draft findings shared with management before finalisation and rated findings reported to the Audit Committee each cycle. | Findings that are vague, unrated, or not linked to a clear root cause get deprioritised by management and recur in the following year's audit, undermining confidence in the function. |
| Follow-Up & Closure Tracking (Ongoing) | Findings issued in prior audits | Open findings tracked to verified closure, with recurring or stale findings explicitly escalated to the Audit Committee rather than silently rolled forward. | Unresolved findings accumulate year over year, and a control gap flagged multiple times but never fixed becomes indefensible if it later results in a loss event or regulatory issue. |
| Mid-Year Risk Refresh | New risk event, acquisition, regulatory change, or business shift | Reassessment of the risk profile mid-cycle and, where warranted, re-prioritisation of the remaining audit plan to reflect the organisation's current — not six-months-stale — risk picture. | A static annual plan that ignores a material mid-year change in the business misses the audit coverage that would have been most valuable precisely when it was needed. |
| Annual Plan Renewal | Financial year-end / new planning cycle | Full refresh of the risk assessment, audit universe, and risk-weighted plan, incorporating the prior year's findings and the organisation's current risk landscape into the next year's scope. | An audit function that never evolves its methodology stagnates into a compliance ritual, losing the Audit Committee's confidence and its ability to function as a genuine early-warning mechanism. |
| Scale-Up / Listing Event | IPO preparation, new fundraising round, or crossing further governance thresholds | Acceleration of internal audit maturity — broader audit universe coverage, more formal Committee reporting, and readiness for the scrutiny that comes with public-market or new institutional-investor governance expectations. | Governance gaps surfacing during IPO or investor due diligence at the worst possible time, causing valuation adjustments, delayed timelines, or additional post-listing remediation commitments. |
What exactly is a Risk-Based Internal Audit, in plain terms?
It is an internal audit function where the areas you audit, and how deeply you audit them, are decided by where the organisation's actual risk is highest — not by a fixed rotation that gives every department roughly equal attention regardless of how risky it actually is. A risk assessment identifies which processes, locations, or business lines are most likely to have control gaps or fraud exposure, and the annual audit plan allocates the available hours accordingly.
Is internal audit mandatory for my company under Indian law?
Yes, for a defined class of companies. Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 mandates internal audit for every listed company, and for unlisted public companies and private companies that cross prescribed thresholds of paid-up share capital, turnover, outstanding loans or borrowings from banks or financial institutions, or outstanding deposits — measured as at the end of the preceding financial year. Companies below these thresholds are not statutorily required to appoint an internal auditor, though many still choose to for governance and lender-confidence reasons.
Who can be appointed as an internal auditor under Section 138?
The internal auditor may be a Chartered Accountant (whether in practice or not), a Cost Accountant, or such other professional as the Board may decide, and may be an individual, a partnership firm, or a body corporate — but the person appointed must not have any conflict of interest that compromises independence, such as being the same firm that also serves as the company's statutory auditor for the relevant year.
How is a risk-based audit plan different from what our current internal auditor already does?
The difference is in the starting point. A traditional cyclical plan typically starts from a list of departments or locations and rotates through them on a fixed schedule — procurement this year, payroll next year, and so on — largely irrespective of which area actually carries the most risk right now. A risk-based plan starts from a documented risk assessment, ranks the audit universe by likelihood and impact, and allocates audit hours so higher-risk areas get more frequent and deeper coverage. Many internal audit functions already claim to be risk-based informally, but without a documented risk assessment behind the plan, it is difficult to demonstrate this to the Audit Committee or defend the scope choices made.
What are ICAI's SIA 130 and SIA 220, and why do they matter for RBIA?
The Institute of Chartered Accountants of India has issued a suite of Standards on Internal Audit (SIAs), revised and re-numbered into a 100-series (key concepts) and 200-series (internal audit management) structure. SIA 130 (Risk Management) sets out how internal audit should evaluate the entity's risk management process, and SIA 220 (Conducting Overall Internal Audit Planning) directs that the internal audit plan be developed from a structured, documented risk assessment rather than an arbitrary or purely historical scope. Read together, these standards give the audit plan a professional, defensible basis that stands up to Audit Committee, statutory auditor, and — where relevant — regulator scrutiny.
Does PNPC provide internal audit as a fully outsourced service, or only co-sourced with our in-house team?
Both models are available. For companies without an internal audit function, PNPC can serve as the fully outsourced internal auditor — covering risk assessment, plan design, fieldwork, reporting, and follow-up. For companies with an existing internal audit team that needs additional capacity, specialist skills (IT audit, forensic techniques, sector-specific expertise), or an independent risk assessment methodology overlay, PNPC works in a co-sourced model alongside the in-house team.
How often should the risk assessment behind the audit plan be updated?
The risk assessment underlying the annual plan should be formally refreshed at least once a year, ahead of the new financial year's planning cycle, and should also be revisited mid-year if a material event changes the organisation's risk profile — an acquisition, a new business line, a significant control failure elsewhere in the business, or a major regulatory change. A risk assessment done once and never revisited quickly becomes stale and misdirects audit hours toward risks that may no longer be the most material ones.
How does the internal auditor's independence work if PNPC also does our accounting or tax work?
Independence is a genuine professional requirement, not a formality. Where PNPC provides accounting, payroll, or tax compliance services to a client, we do not also serve as that client's internal auditor over the same functions — doing so would mean auditing our own work, which compromises the value and credibility of the audit. We structure engagements to avoid this conflict, either by having a different PNPC team with appropriate independence safeguards handle internal audit, or by recommending an alternative arrangement where the conflict cannot be adequately managed.
What does a typical Risk-Based Internal Audit engagement cost?
Cost depends on company size, the number of locations and business lines in the audit universe, sector complexity, and whether the engagement is fully outsourced or co-sourced with an existing in-house team. PNPC agrees a fixed, written scope and fee before any engagement begins, typically structured around the annual audit plan's total hours, with the risk assessment and plan design phase priced separately from the ongoing fieldwork and reporting cycle.
What happens if the risk assessment identifies more high-risk areas than our available audit hours can cover?
This is a common and entirely expected outcome, particularly in the first year of adopting a risk-based approach — it usually means audit hours were previously spread too thin across low-risk areas. The response is not to audit everything superficially, but to present the Audit Committee with an honest picture: the highest-priority risks that will be covered within the current budget, and the residual risk in areas that will not be covered this cycle, so the Committee can make an informed decision — accept the residual risk, increase the audit budget, or extend the timeline for full-universe coverage across multiple years.
Can a Risk-Based Internal Audit help detect fraud?
RBIA is preventive and diagnostic — it tests whether the controls designed to prevent or detect fraud are actually operating effectively, and a risk-based approach specifically increases scrutiny in areas with higher fraud susceptibility (cash handling, related-party transactions, procurement with limited segregation of duties). It is not, however, a substitute for a targeted forensic investigation once a specific fraud is suspected or detected — at that point, a dedicated forensic engagement with its own investigative methodology and evidentiary standards is the appropriate response.
How does RBIA interact with our Enterprise Risk Management function, if we have one?
Where a formal ERM function exists, its risk register is a natural and valuable primary input to the internal audit's own risk assessment and audit universe — the highest-priority enterprise risks should directly inform which areas get the most audit attention. Internal audit's control testing, in turn, provides evidence back to ERM about whether the controls assumed to mitigate specific risks are actually working, refining the residual risk scores in the risk register. The two functions are meant to reinforce each other, not operate as disconnected exercises.
We don't have a formal ERM function. Can PNPC still build a risk-based audit plan?
Yes. A full enterprise-wide ERM programme is not a prerequisite for RBIA. Where no formal ERM function exists, we run a scoped risk identification exercise specifically to inform the audit plan — structured interviews with the CEO, CFO, and function heads, review of prior audit findings and the statutory auditor's management letter, and assessment of transaction volume, complexity, and control history across the audit universe. This produces a defensible risk-weighted plan without requiring the organisation to first build a separate, full ERM framework.
What should the Audit Committee actually see in each internal audit report?
A well-structured internal audit report includes: the specific objective and scope of the audit and the risks it was designed to address, rated findings (typically categorised by severity — high, medium, low), root cause analysis rather than just a description of the symptom, management's response and committed remediation timeline for each finding, and status of previously reported findings that remain open. This gives the Committee a complete, actionable picture rather than a narrative report that is difficult to act on.
How long does it take to move from an ad hoc or rotational internal audit approach to a fully risk-based one?
For a company with reasonable process documentation and management availability for interviews, a first risk-weighted annual audit plan — from risk assessment input gathering through Audit Committee approval — typically takes 4-6 weeks. The methodology itself is embedded from the first planning cycle; the benefits compound over subsequent years as the risk assessment is refined and the historical findings data feeds back into future prioritisation.
What is 'co-sourcing' and when does it make sense over a fully in-house or fully outsourced model?
Co-sourcing means the company retains its own internal audit team or function, and engages an external firm like PNPC to supplement it — typically for specialist skills the in-house team lacks (IT audit, data analytics, forensic techniques), additional capacity during peak audit periods, or an independent risk assessment methodology overlay. It tends to make sense for mid-sized to large companies with an existing internal audit team that has strong institutional knowledge but gaps in specific technical areas or bandwidth, where a fully outsourced model would discard valuable in-house context, and a purely in-house model would leave real capability gaps unaddressed.
Can PNPC support internal audit for our UAE entity as well as our Indian entity?
Yes. PNPC operates from Chennai, Bangalore, Hyderabad, and Dubai. For groups with both Indian and UAE entities, we build a coordinated audit universe and risk assessment that captures cross-border risk correlation — intercompany transaction controls, transfer pricing documentation risk, UAE Corporate Tax and VAT compliance risk, and jurisdiction-specific regulatory risk — rather than running two disconnected, entity-level audit plans that miss how a control gap in one jurisdiction can affect the other.
Does a company below the Section 138 threshold still benefit from a Risk-Based Internal Audit?
It can, though the case for it is proportionality-driven rather than statutory. Private equity or venture capital investors increasingly expect a documented internal audit or control-review process as part of governance reporting even pre-threshold. Lenders and rating agencies factor internal control maturity into credit assessments. And practically, a scoped risk assessment and a lighter-touch periodic review of the highest-risk processes — even without a full annual audit plan — can catch control gaps before they become losses. For a small, single-location company with no institutional capital and no near-term growth plans, this is often disproportionate, and a periodic financial review may suffice instead.
What is the difference between 'inherent risk' and 'residual risk' when rating the audit universe?
Inherent risk is the level of risk in a process or area before considering any existing controls — for example, cash handling is inherently high-risk regardless of how well it is controlled. Residual risk is what remains after existing controls are factored in — a process with high inherent risk but strong, well-tested controls may have low residual risk and warrant lighter audit coverage, while a process with moderate inherent risk but weak or unproven controls may have high residual risk and warrant deeper testing. Rating the audit universe purely on inherent risk, without considering existing controls, misdirects audit hours toward areas that may already be well-managed.
How does RBIA handle a business line or location that has never been audited before?
A previously unaudited area is not automatically treated as low priority simply because there is no findings history to reference — the risk assessment considers transaction volume and value, process maturity, personnel turnover, and inherent characteristics of the activity (cash-intensive, related-party exposure, regulatory complexity) even where there is no prior audit trail. In practice, a previously unaudited high-transaction-volume area often scores as high-priority precisely because there is no evidence yet that its controls are working.
What data analytics techniques does PNPC use in risk-based audit fieldwork?
Where transaction volumes and system access support it, we use data analytics to test full populations rather than relying solely on sample-based testing — for example, analysing the complete general ledger for unusual journal entries, testing 100% of vendor payments against the approved vendor master for duplicate or fictitious vendor red flags, or reviewing the full population of expense claims against policy thresholds rather than a small sample. This increases the reliability of findings, particularly in high-transaction-volume areas identified as high-risk in the audit universe.
Can findings from a Risk-Based Internal Audit affect our statutory audit or IFC opinion?
They can be relevant. The statutory auditor's assessment of Internal Financial Controls over financial reporting under Section 143(3)(i) considers the overall control environment, and evidence from a well-documented internal audit function — including unresolved findings in financially significant areas — can inform the statutory auditor's own risk assessment and testing approach. A pattern of unresolved, financially material internal audit findings can, in some cases, contribute to a qualified or adverse IFC opinion if the underlying control weakness is not remediated.
Who does the internal auditor report to, and does that affect independence?
For the function to be genuinely independent, the internal auditor should report functionally to the Audit Committee (for approval of the audit plan, findings, and resourcing) and only administratively — for practical matters like office logistics — to management, typically the CEO or another senior executive without a conflict of interest in the areas being audited. An internal audit function that reports solely to the CFO, for instance, faces an inherent independence tension when auditing finance-function controls.
What is the single most common mistake companies make with internal audit?
Treating it as a compliance checkbox rather than a genuine management tool — an annual rotational plan produced to satisfy Section 138, findings reported once and rarely followed up to actual closure, and an Audit Committee that receives the report but does not substantively engage with it. The symptoms are consistent: the same low-value findings repeat year after year, high-risk areas go unaudited for years at a stretch simply because they were not next in the rotation, and management treats the audit as an annual event to survive rather than an ongoing source of insight into where the business is exposed.
How does PNPC ensure audit findings actually get remediated and not just acknowledged?
Every finding is logged with a named owner and a committed remediation date agreed with management at the time the finding is reported — not left open-ended. Subsequent audit cycles specifically re-test previously open high and medium-severity findings to verify actual closure, rather than accepting management's word that an issue has been fixed. Findings that remain open past their committed date, or recur after being marked closed, are explicitly escalated to the Audit Committee with the history of prior commitments made and missed.
Does PNPC's Risk-Based Internal Audit engagement include IT general controls testing?
IT general controls — access management, change management, backup and recovery, and system interface controls — are included in the audit universe wherever the risk assessment identifies them as material, which is the case for most businesses running a core ERP or financial system today. Where deeper technical IT audit expertise is required (penetration testing, detailed cybersecurity architecture review), we scope this as a specialist add-on or coordinate with a specialist IT audit partner, while keeping the overall risk-based plan and Audit Committee reporting coordinated through a single engagement.
What's the difference between an internal audit finding and a statutory auditor's observation?
An internal audit finding arises from testing conducted under the company's own risk-based audit plan, covering financial, operational, compliance, and fraud-risk areas as prioritised by the risk assessment, and is reported to the Audit Committee as part of an ongoing, year-round function. A statutory auditor's observation arises from year-end testing conducted specifically to support the audit opinion on the financial statements, is narrower in scope (financial statement assertions and IFC over financial reporting), and is typically communicated once a year through the management letter alongside the audit report.
How does PNPC handle internal audit for sector-regulated businesses, such as NBFCs or real estate developers?
For NBFCs, the risk assessment specifically incorporates RBI's risk-based supervision expectations, asset classification and provisioning discipline under Ind AS 109, credit concentration risk, and — depending on the NBFC's regulatory layer under RBI's Scale Based Regulation framework — any enhanced internal audit expectations that apply at that layer. For RERA-registered real estate developers, the audit universe specifically covers project-level escrow account compliance under Section 4(2)(l)(D) of the RERA Act, cost certification processes, and project-wise fund utilisation — categories a generic, non-sector-specific audit plan typically misses.
Can the risk-based audit plan be adjusted mid-year if a new risk emerges?
Yes, and it should be. A risk-based plan that is treated as fixed for the entire year defeats much of the purpose of the risk-based approach. PNPC builds a formal mid-year checkpoint into every RBIA engagement to reassess whether a new risk event — an acquisition, a regulatory change, a control failure discovered elsewhere, a significant personnel change in a key role — warrants reprioritising the remaining audit hours in the plan, with any material reallocation presented to the Audit Committee for approval.
What qualifications does the team executing PNPC's Risk-Based Internal Audit engagements hold?
PNPC's internal audit engagements are led by practising Chartered Accountants with internal audit and risk advisory experience, supported by a team with relevant sector exposure and, where the engagement scope requires it, IT audit and data analytics capability. As a CA firm operating since 1986, our internal audit practice sits alongside statutory audit, tax, and advisory functions — bringing broader regulatory and financial reporting context to internal audit findings than a standalone internal-audit-only provider typically has available.
Is there a minimum company size below which a Risk-Based Internal Audit doesn't make sense?
There is no fixed statutory size floor — Section 138 applicability is defined by the specific Rule 13 thresholds, not a general notion of company size. Below those thresholds, the decision becomes a proportionality judgement: a mid-sized private company with growing transaction volumes, multiple locations, or institutional investors on the cap table often benefits meaningfully from a scaled-down risk-based review, even without statutory compulsion, while a very small, simple, single-location business typically does not yet need the formality of a full annual risk-based audit plan.
How PNPC's Risk-Based Internal Audit engagement compares to alternatives
| Feature | Generic Outsourced Internal Audit Vendor | In-House Only | PNPC Global |
|---|---|---|---|
| Audit plan basis | Often a standard checklist applied with minimal customisation to the client's actual risk profile | Depends entirely on internal team's risk assessment maturity — often informal or absent | Documented risk assessment aligned to ICAI SIA 130 / SIA 220, tailored to your sector and current business changes |
| Regulatory grounding | General Section 138 compliance framing without deeper professional standards alignment | Variable — depends on internal team's regulatory currency | Direct alignment to Section 138, Rule 13, and ICAI Standards on Internal Audit, backed by practising CA expertise |
| Independence discipline | Variable — some vendors also provide other services to the same client without clear separation | Structural independence tension where internal audit reports to a function it also audits | Explicit independence structuring — we do not audit functions we also serve in a conflicting advisory capacity |
| Findings follow-up | Often limited to the annual report; closure verification frequently skipped | Depends on internal bandwidth and continuity of ownership between audit cycles | Structured closure tracking with re-testing of high/medium findings and explicit escalation of stale items |
| Sector-specific coverage | Generic audit universe template applied across all client types | Limited to internal team's prior exposure to the sector | Sector-specific risk categories built in — NBFC RBI supervision, RERA escrow compliance, and more |
| Cross-border / group capability | Single-jurisdiction focus, typically India-only | Limited to internal team's jurisdictional exposure | Coordinated India-UAE audit universe and risk assessment from offices in both jurisdictions |
| Integration with other assurance work | Standalone deliverable, disconnected from statutory audit or ERM | Requires internal coordination across functions, often informal | Internal audit findings coordinated with statutory audit risk assessment and ERM risk register where those functions also exist |
| Cost structure | Often priced per audit with limited transparency on total annual commitment | No external fee, but hidden cost of internal time, tooling, and expertise gaps | Fixed, written fee for risk assessment and plan design; scoped fee for the annual fieldwork and reporting cycle |
What the PNPC package includes
- 01
Section 138 / Rule 13 applicability assessment against paid-up capital, turnover, borrowing, and deposit thresholds
- 02
Risk assessment input gathering — stakeholder interviews, prior findings review, and ERM risk register integration where one exists
- 03
Full audit universe mapping across financial, operational, compliance, and fraud-risk categories
- 04
Risk-weighted annual audit plan design aligned to ICAI's Standards on Internal Audit (SIA 130 Risk Management, SIA 220 Internal Audit Planning)
- 05
Audit Committee presentation and facilitation of plan approval, with explicit rationale for every hour allocation
- 06
Individual audit engagement planning and fieldwork — walkthroughs, control testing, and data analytics where volumes support it
- 07
Draft findings shared with management before finalisation, with root cause analysis for every material finding
- 08
Rated findings reporting to the Audit Committee on an agreed cadence, typically quarterly
- 09
Structured closure tracking with re-testing of high and medium-severity findings, and escalation of stale items
- 10
Mid-year risk refresh and plan reprioritisation when material business or risk changes occur
- 11
Full or co-sourced delivery model — either as your outsourced internal audit function or alongside your existing in-house team
- 12
Sector-specific risk coverage for NBFCs, real estate/RERA developers, and other regulated business types
- 13
Coordinated India-UAE audit universe for groups with cross-border operations, delivered from Chennai, Bangalore, Hyderabad, and Dubai
- 14
Direct access to a practising CA for ad hoc control and risk queries between formal audit cycles
An internal audit plan that repeats the same findings every year protects no one. Talk to PNPC Global about building a Risk-Based Internal Audit function your Audit Committee will actually rely on.