HomeServicesRisk AdvisoryRisk-Based Internal Audits

Risk Advisory · Risk Advisory Services

Risk-Based Internal Audits

Most internal audit functions fail quietly — not because they lack effort, but because they audit the same processes every year regardless of where the organisation's real exposure has shifted.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Most internal audit functions fail quietly — not because they lack effort, but because they audit the same processes every year regardless of where the organisation's real exposure has shifted. A Risk-Based Internal Audit reverses that default: instead of a fixed rotation of departments, the annual audit plan is built from a current risk assessment, so audit hours go to the areas most likely to hurt the business — a customer-concentration blind spot, a control gap in a fast-growing business line, a vendor payment process that has outgrown its original design. At PNPC Global, we have delivered internal audit and risk advisory engagements to Indian and UAE businesses since 1986, drawing on the ICAI's Standards on Internal Audit and Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014. We build audit plans the Audit Committee actually uses to make decisions — not a checklist exercise that repeats the same findings every year.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Risk-Based Internal Audits is

A Risk-Based Internal Audit (RBIA) is an approach to internal auditing in which the scope, depth, and frequency of audit coverage are determined by a structured risk assessment of the organisation, rather than a fixed cyclical rotation through every department or process in a set sequence. Under a traditional, compliance-driven internal audit model, every function gets broadly equal audit attention on a rolling multi-year cycle regardless of its actual risk profile. Under RBIA, high-risk areas — a business line with weak historical controls, a process with recent turnover in key personnel, a function handling a disproportionate share of cash or high-value transactions — receive more frequent and deeper audit coverage, while genuinely low-risk, stable areas receive lighter-touch review. The result is an audit function whose findings management and the Audit Committee treat as material, because the areas audited are demonstrably the areas where something could actually go wrong.

In India, internal audit is a statutory requirement for a defined class of companies under Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 — covering every listed company, and every unlisted public company and private company that crosses prescribed thresholds of paid-up share capital, turnover, borrowings, or outstanding deposits. The Institute of Chartered Accountants of India (ICAI) has issued Standards on Internal Audit (SIAs) that establish the professional framework internal auditors are expected to follow, including SIA 130 on Risk Management and SIA 220 on Conducting Overall Internal Audit Planning, which together direct that the internal audit plan be developed based on a documented risk assessment rather than an arbitrary or purely historical scope. Even for companies below the Section 138 threshold, an increasing number of boards, lenders, and institutional investors expect a functioning internal audit process as part of standard governance practice — particularly once external funding, multi-location operations, or a growing employee base increase the organisation's inherent risk profile.

The mechanics of RBIA rest on a small number of core building blocks: a risk assessment (often, though not always, informed by or coordinated with an Enterprise Risk Management exercise) that identifies and rates the organisation's key risks across financial, operational, compliance, and fraud categories; a risk-based audit universe that maps every auditable entity, process, or location against its risk rating; a risk-weighted annual audit plan, approved by the Audit Committee, that allocates available audit hours to the highest-risk areas first; individual audit engagements that test the design and operating effectiveness of controls addressing the specific risks in scope; and a structured reporting and follow-up mechanism that tracks management action on findings until they are genuinely closed, not just acknowledged. A well-run RBIA function typically reports functionally to the Audit Committee and administratively to the CEO or a designated senior executive, preserving the independence that Section 138 and the ICAI Standards require.

RBIA is deliberately distinct from — but works closely alongside — statutory audit, Enterprise Risk Management (ERM), and Internal Financial Controls (IFC) review. The statutory auditor forms an opinion on whether the financial statements present a true and fair view, largely through year-end testing; internal audit runs continuously through the year and covers operational and compliance areas well beyond the scope of financial reporting. ERM identifies and prioritises the organisation's risk universe at the strategic and enterprise level; RBIA takes that risk view (or builds its own where no formal ERM function exists) and converts it into a concrete, hour-by-hour audit testing plan. IFC review under Section 134(5)(e) focuses narrowly on controls over financial reporting; RBIA's scope is broader, covering operational efficiency, compliance with internal policy, and fraud risk alongside financial controls. Getting this sequencing right — risk assessment first, audit plan built from it second, testing and reporting third — is what separates an internal audit function the Audit Committee treats as a genuine early-warning system from one that produces a thick annual report nobody meaningfully acts on.

When a Risk-Based Internal Audit is the right approach

Company falls within the Section 138 / Rule 13 threshold for mandatory internal audit — every listed company, and unlisted public or private companies crossing the prescribed paid-up capital, turnover, borrowing, or deposit thresholds

Existing internal audit function follows a fixed departmental rotation that has not changed in years, and findings have become repetitive and low-value to the Audit Committee

Rapid growth, a new business line, new geography, or a recent acquisition has changed the organisation's risk profile faster than the audit plan has kept pace

Recent fraud incident, control failure, or near-miss that has prompted the Board or Audit Committee to ask whether audit hours are actually going to the areas of greatest exposure

Private equity or institutional investors on the cap table who expect a documented, risk-prioritised internal audit function as part of governance reporting

Preparing for IPO, where SEBI ICDR and post-listing LODR obligations make a functioning, risk-based internal audit process a pre-listing governance expectation

Multi-location or multi-entity operations where audit resources are limited relative to the number of locations, and prioritisation genuinely matters

Audit Committee or Board seeking a more defensible, risk-justified basis for the scope and coverage of the annual internal audit plan presented for approval

Existing internal audit team wants to formally adopt ICAI's Standards on Internal Audit (SIA 130 risk assessment methodology and SIA 220 risk-based planning) rather than an informal or ad hoc planning approach

When a different approach may be more proportionate

Very small private company well below the Section 138 / Rule 13 thresholds, with simple single-location operations and no near-term fundraising or listing plans — a lighter periodic financial review may be adequate rather than a formal RBIA function

Organisation has no risk assessment or risk register of any kind and no interest in building one — a compliance-based internal audit covering statutory-mandated areas may be a more realistic starting point before layering on risk-based prioritisation

The immediate need is a one-time investigation into a specific suspected fraud or irregularity — a targeted forensic investigation is a faster, more precise fit than standing up a full annual risk-based audit plan

Business primarily needs Internal Financial Controls (IFC) documented and tested for statutory audit purposes under Section 134(5)(e) — an IFC design and testing engagement is the more precise scope, though it is a natural complement to RBIA

Very early-stage startup with a handful of employees and no institutional investors — founder-level oversight of the small number of financial processes in place is often sufficient until the organisation scales

Structure Comparison

Risk-Based Internal Audit vs related assurance and audit functions

FeatureRisk-Based Internal Audit (RBIA)Traditional Cyclical Internal AuditStatutory (Financial) AuditEnterprise Risk Management (ERM)Forensic Investigation
Primary objectiveTest controls in the areas of highest current risk, prioritised by a documented risk assessmentTest controls across all departments in a fixed rotational sequence, largely irrespective of riskForm an opinion on whether financial statements present a true and fair viewIdentify, assess, prioritise, and treat enterprise-wide risk to strategic objectivesInvestigate a specific suspected fraud, irregularity, or breach after the fact
Governing frameworkSection 138 + Rule 13, ICAI Standards on Internal Audit (SIA 130 risk assessment, SIA 220 planning)Section 138 + Rule 13 (same statute, weaker methodology)Companies Act Sections 139-148, Standards on Auditing (ICAI/SA)ISO 31000:2018, COSO ERM (2017), SEBI LODR Reg. 21Engagement-specific — no single governing statute
Who owns itInternal Audit function, reporting functionally to the Audit CommitteeInternal Audit function, often reporting operationally rather than functionallyIndependent statutory auditor appointed under Section 139Risk Management Committee / CRO, reporting to the BoardForensic team engaged directly by the Board or Audit Committee
Basis for scopeRisk assessment output — likelihood and impact ratings drive audit hoursHistorical rotation schedule, often unchanged year to yearMateriality and audit risk assessment under Standards on AuditingFull enterprise risk universe across strategic, operational, financial, compliance categoriesSpecific allegation, tip-off, or detected anomaly
Typical outputRisk-weighted annual audit plan, rated findings reports, tracked management action plansDepartmental audit reports, often repetitive year over yearAudit opinion, management letter, IFC opinion under Section 143(3)(i)Board-approved risk policy, risk register, heat map, mitigation plansInvestigation report with findings, quantum of loss, and recommended action
Mandatory forListed companies; unlisted public/private companies above Rule 13 thresholds (methodology is a professional standard, not separately mandated)Same statutory trigger as RBIA — the requirement is for internal audit, not for a specific methodologyAll companies incorporated under the Companies ActTop 1,000 listed companies by market cap under SEBI LODR Reg. 21; expected practice for othersNot mandated — undertaken on a case-by-case basis
FrequencyContinuous through the year per the risk-weighted annual plan, replanned periodicallyContinuous through the year per the fixed rotational planAnnual, aligned to the financial year-endContinuous monitoring; formal Board reporting typically quarterlyOne-off, triggered by a specific event
Relationship to RBIAA less risk-responsive variant of the same statutory functionOften relies on internal audit's control testing as part of its own risk assessmentFrequently the direct input that shapes the risk-based audit planMay be triggered by findings that surface during an RBIA engagement

These functions overlap in places but serve distinct purposes — a mature governance framework typically runs ERM as the risk-identification layer, RBIA as the assurance layer that tests whether controls over those risks are actually working, statutory audit as the independent financial-statement opinion, and forensic investigation as the targeted response when a specific issue surfaces. The right combination for your organisation should be confirmed with a practising CA based on your Section 138 applicability, risk profile, and existing governance maturity.

How it works
#Stage & What PNPC DoesWhat Generic Providers SkipTimeline
1Applicability & Scoping AssessmentWe first confirm whether internal audit is mandatory for your company under Section 138 read with Rule 13 — checking paid-up capital, turnover, outstanding borrowings, and outstanding deposits against the prescribed thresholds — and separately assess whether a risk-based approach adds value even where a basic internal audit function already exists but runs on a purely rotational basis.Week 1
2Risk Assessment Input GatheringWhere a current Enterprise Risk Management risk register exists, we use it as a primary input. Where none exists, we run a focused risk identification exercise specifically to inform the audit plan — structured interviews with the CEO, CFO, and function heads, review of prior audit findings, statutory auditor's management letter, and any known control weaknesses — rather than starting the audit plan from a blank template.Week 1–3
3Audit Universe MappingEvery auditable entity, process, location, and business cycle is catalogued — procurement, revenue, payroll, treasury, IT, inventory, fixed assets, related-party transactions, and any sector-specific processes — so nothing material is left outside the scope of consideration when risk-weighting is applied.Week 2–3
4Risk Rating of the Audit UniverseEach item in the audit universe is scored on likelihood and impact using a consistent methodology aligned to ICAI's SIA 130 (Risk Management) and SIA 220 (Conducting Overall Internal Audit Planning) — factoring in transaction volume and value, complexity, history of past findings, quality of existing controls, fraud susceptibility, and regulatory exposure — producing a defensible ranking rather than a scope decided by who shouts loudest at planning.Week 3–4
5Risk-Weighted Annual Audit Plan DraftingAvailable audit hours (whether an in-house team, a co-sourced arrangement, or fully outsourced to PNPC) are allocated against the risk-rated universe — high-risk areas get more frequent, deeper coverage; low-risk, stable areas get lighter or less frequent review. The draft plan explicitly documents the risk rationale behind every allocation, so the Audit Committee can see why hours were assigned where they were.Week 4–5
6Audit Committee Presentation & ApprovalThe risk-weighted plan is presented to the Audit Committee for review, challenge, and formal approval — including discussion of any areas the Committee believes carry higher risk than the initial assessment reflects. This is also where the reporting cadence for the year is agreed.Week 5–6
7Individual Audit Engagement PlanningFor each audit in the approved plan, a specific engagement scope, objectives, and testing approach is documented before fieldwork begins — mapped explicitly to the risks that justified the audit's inclusion in the plan, so testing stays focused on what actually matters rather than drifting into a generic control checklist.Ongoing, per audit cycle
8Fieldwork & Control TestingTesting of control design and operating effectiveness — walkthroughs, sample testing, data analytics where volumes support it, and interviews with process owners — executed against the specific risks identified for that audit area, with findings rated by severity as they are identified rather than batched until the final report.2–6 weeks per audit, depending on scope
9Draft Findings & Management ResponseDraft findings are shared with process owners and management before finalisation — giving management the opportunity to provide context, propose remediation timelines, and correct any factual inaccuracy — a step that strengthens the credibility and actionability of the final report rather than surprising management at Audit Committee presentation.1–2 weeks per audit
10Final Report & Audit Committee PresentationThe final report — rated findings, root cause analysis, management's response and committed action plan, and target closure dates — is presented to the Audit Committee, with PNPC available to answer questions directly rather than relying on management to relay technical findings second-hand.Per Audit Committee meeting cycle, typically quarterly
11Follow-Up & Closure TrackingOpen findings are tracked to actual closure — not marked closed on management's assertion alone, but verified through follow-up testing where the finding's severity warrants it. Recurring or unresolved findings are explicitly flagged to the Audit Committee rather than quietly rolled forward year after year.Ongoing, tracked at each Committee meeting
12Mid-Year Plan RefreshThe risk assessment underlying the audit plan is revisited mid-cycle — new risks (an acquisition, a new regulation, a control failure elsewhere in the business) can shift audit priorities mid-year, and a purely static annual plan misses this. We formally reassess and, where warranted, re-prioritise the remaining plan.Mid-year, per Committee cycle
13Annual Plan RenewalThe full risk assessment, audit universe, and risk-weighted plan are refreshed for the new financial year — incorporating the prior year's findings, changes in the business, and emerging risk categories — so the plan evolves with the organisation rather than being recycled from the previous year with minor edits.Annually, ahead of the new financial year

Realistic timeline: a first-generation risk-based audit plan — from risk assessment input gathering through Audit Committee-approved annual plan — typically takes 4-6 weeks. Individual audit engagements within the approved plan typically run 2-6 weeks each depending on scope and process complexity, with fieldwork and reporting continuing through the year on the agreed cadence, usually aligned to quarterly Audit Committee meetings.

Document Checklist
Corporate & Governance Documents

Certificate of Incorporation, latest audited financial statements, and confirmation of paid-up capital, turnover, borrowings, and deposits to verify Section 138 / Rule 13 applicability

Audit Committee composition and terms of reference, including confirmation of the internal audit function's reporting line

Minutes of the last 4-6 Audit Committee meetings, particularly any prior discussion of internal audit scope, findings, or resourcing

Existing internal audit charter or policy, if any, and the prior year's internal audit plan and reports

Organisation chart with reporting lines for key business functions, locations, and subsidiaries in scope

Risk Assessment Inputs

Existing Enterprise Risk Management risk register or risk assessment, if one exists, to use as a primary input to the audit universe

Statutory auditor's management letter and Internal Financial Controls (IFC) observations from the most recent audit

Details of any past fraud incidents, near-misses, whistle-blower complaints, or control failures over the past 2-3 years

Any prior third-party risk assessment, due diligence report, or regulator inspection findings

List of major contracts, customer concentration, and vendor/supplier concentration (top 10 by value)

Financial & Transaction Records

Latest audited financial statements and management accounts for the most recent 2-3 years

Trial balance and general ledger extracts for the areas likely to be in scope of the audit universe

Details of related-party transactions and the process for their identification and Board approval

Bank statements, loan agreements, and details of any financial covenants tied to lending facilities

Fixed asset register and details of any recent capital expenditure or asset disposals

Process & Operational Documentation

Standard Operating Procedures (SOPs) for key business cycles — procurement, revenue/order-to-cash, payroll, treasury, inventory — where documented

Delegation of Authority (DOA) matrix — approval limits by role, transaction type, and value

Details of any recent process changes, system implementations, or ERP migrations that may have altered control design

Organisational headcount and any recent turnover in key finance, procurement, or operational roles

List of all locations, branches, warehouses, or plants, with an indication of relative transaction volume or risk

IT & Systems Environment

List of key IT systems, ERP, and business applications relevant to the processes in scope, with access-control ownership details

User access review records or evidence of periodic access recertification, if performed

Details of any recent cybersecurity incidents or IT control weaknesses identified by prior audits

System-generated reports or data extracts available for use in audit testing and data analytics

Compliance & Regulatory Records

List of licences, registrations, and regulatory approvals applicable to the entity's sector and locations

Compliance tracker or calendar, if one exists, and any instances of non-compliance, penalties, or regulatory correspondence in recent years

Sector-specific regulatory findings — RBI, SEBI, IRDAI, or other regulator communications, as applicable

Prior year statutory audit report, Board's Report, and Corporate Governance Report (for listed entities), to cross-reference disclosed risk and control commentary

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Applicability Assessment (Month 1)Crossing Section 138 / Rule 13 thresholds, or Board decision to formalise internal auditConfirm statutory applicability against paid-up capital, turnover, borrowing, and deposit thresholds; assess whether an existing rotational internal audit function should transition to a risk-based methodology.Non-compliance with a mandatory statutory requirement — a company that crosses the Rule 13 thresholds without appointing an internal auditor is in breach of Section 138, which can draw regulatory and Audit Committee scrutiny.
Risk Assessment & Plan Design (Month 1-2)Annual planning cycle or first-time RBIA adoptionRisk assessment input gathering, audit universe mapping, and a risk-weighted annual plan built around the organisation's actual current exposure — not a template rotation carried forward unchanged from prior years.An audit plan that reallocates the same hours to the same low-risk departments year after year, leaving genuinely high-risk areas under-audited or entirely unaudited.
Audit Committee Approval (Month 2)Scheduled Committee meetingPresent the risk-weighted plan with explicit rationale for hour allocation, inviting Committee challenge and formal approval — establishing a defensible, documented basis for the year's audit scope.A plan approved without genuine Committee engagement provides no real governance value and offers little defence if a significant risk later materialises in an under-audited area.
Fieldwork & Reporting Cycle (Ongoing)Approved annual planIndividual audits executed against documented objectives tied to specific risks, with draft findings shared with management before finalisation and rated findings reported to the Audit Committee each cycle.Findings that are vague, unrated, or not linked to a clear root cause get deprioritised by management and recur in the following year's audit, undermining confidence in the function.
Follow-Up & Closure Tracking (Ongoing)Findings issued in prior auditsOpen findings tracked to verified closure, with recurring or stale findings explicitly escalated to the Audit Committee rather than silently rolled forward.Unresolved findings accumulate year over year, and a control gap flagged multiple times but never fixed becomes indefensible if it later results in a loss event or regulatory issue.
Mid-Year Risk RefreshNew risk event, acquisition, regulatory change, or business shiftReassessment of the risk profile mid-cycle and, where warranted, re-prioritisation of the remaining audit plan to reflect the organisation's current — not six-months-stale — risk picture.A static annual plan that ignores a material mid-year change in the business misses the audit coverage that would have been most valuable precisely when it was needed.
Annual Plan RenewalFinancial year-end / new planning cycleFull refresh of the risk assessment, audit universe, and risk-weighted plan, incorporating the prior year's findings and the organisation's current risk landscape into the next year's scope.An audit function that never evolves its methodology stagnates into a compliance ritual, losing the Audit Committee's confidence and its ability to function as a genuine early-warning mechanism.
Scale-Up / Listing EventIPO preparation, new fundraising round, or crossing further governance thresholdsAcceleration of internal audit maturity — broader audit universe coverage, more formal Committee reporting, and readiness for the scrutiny that comes with public-market or new institutional-investor governance expectations.Governance gaps surfacing during IPO or investor due diligence at the worst possible time, causing valuation adjustments, delayed timelines, or additional post-listing remediation commitments.
Frequently asked
What exactly is a Risk-Based Internal Audit, in plain terms?

It is an internal audit function where the areas you audit, and how deeply you audit them, are decided by where the organisation's actual risk is highest — not by a fixed rotation that gives every department roughly equal attention regardless of how risky it actually is. A risk assessment identifies which processes, locations, or business lines are most likely to have control gaps or fraud exposure, and the annual audit plan allocates the available hours accordingly.

Practitioner noteThe single biggest difference we see between a risk-based plan and a rotational one is Audit Committee engagement — when members can see the risk rationale behind every hour allocated, questions get sharper and findings get taken more seriously.
Is internal audit mandatory for my company under Indian law?

Yes, for a defined class of companies. Section 138 of the Companies Act 2013 read with Rule 13 of the Companies (Accounts) Rules, 2014 mandates internal audit for every listed company, and for unlisted public companies and private companies that cross prescribed thresholds of paid-up share capital, turnover, outstanding loans or borrowings from banks or financial institutions, or outstanding deposits — measured as at the end of the preceding financial year. Companies below these thresholds are not statutorily required to appoint an internal auditor, though many still choose to for governance and lender-confidence reasons.

Practitioner noteWe check applicability precisely against the prescribed Rule 13 thresholds — not against a general sense of 'the company feels big enough now.' Getting this wrong in either direction either creates a compliance gap or an unnecessary cost.
Who can be appointed as an internal auditor under Section 138?

The internal auditor may be a Chartered Accountant (whether in practice or not), a Cost Accountant, or such other professional as the Board may decide, and may be an individual, a partnership firm, or a body corporate — but the person appointed must not have any conflict of interest that compromises independence, such as being the same firm that also serves as the company's statutory auditor for the relevant year.

Practitioner noteFor companies where PNPC also provides other advisory or accounting services, we structure the internal audit engagement to maintain clear independence from any function it will be testing — this is a discipline we apply proactively, not just when a conflict is pointed out.
How is a risk-based audit plan different from what our current internal auditor already does?

The difference is in the starting point. A traditional cyclical plan typically starts from a list of departments or locations and rotates through them on a fixed schedule — procurement this year, payroll next year, and so on — largely irrespective of which area actually carries the most risk right now. A risk-based plan starts from a documented risk assessment, ranks the audit universe by likelihood and impact, and allocates audit hours so higher-risk areas get more frequent and deeper coverage. Many internal audit functions already claim to be risk-based informally, but without a documented risk assessment behind the plan, it is difficult to demonstrate this to the Audit Committee or defend the scope choices made.

Practitioner noteWe often find an existing internal audit team that already knows, informally, where the real risk sits — the value we add is turning that informal knowledge into a documented, defensible risk assessment that the Audit Committee can interrogate and approve with confidence.
What are ICAI's SIA 130 and SIA 220, and why do they matter for RBIA?

The Institute of Chartered Accountants of India has issued a suite of Standards on Internal Audit (SIAs), revised and re-numbered into a 100-series (key concepts) and 200-series (internal audit management) structure. SIA 130 (Risk Management) sets out how internal audit should evaluate the entity's risk management process, and SIA 220 (Conducting Overall Internal Audit Planning) directs that the internal audit plan be developed from a structured, documented risk assessment rather than an arbitrary or purely historical scope. Read together, these standards give the audit plan a professional, defensible basis that stands up to Audit Committee, statutory auditor, and — where relevant — regulator scrutiny.

Practitioner noteWe build our risk assessment methodology explicitly around the SIA 130 / SIA 220 structure — likelihood and impact scoring, documented rationale for scope decisions — so the audit plan we present is grounded in recognised professional standards, not an in-house methodology we cannot point to externally.
Does PNPC provide internal audit as a fully outsourced service, or only co-sourced with our in-house team?

Both models are available. For companies without an internal audit function, PNPC can serve as the fully outsourced internal auditor — covering risk assessment, plan design, fieldwork, reporting, and follow-up. For companies with an existing internal audit team that needs additional capacity, specialist skills (IT audit, forensic techniques, sector-specific expertise), or an independent risk assessment methodology overlay, PNPC works in a co-sourced model alongside the in-house team.

Practitioner noteCo-sourcing works particularly well where an in-house team has strong institutional knowledge of the business but limited exposure to a structured, standards-based risk assessment methodology — we bring the framework, they bring the context, and the combination produces a stronger plan than either working alone.
How often should the risk assessment behind the audit plan be updated?

The risk assessment underlying the annual plan should be formally refreshed at least once a year, ahead of the new financial year's planning cycle, and should also be revisited mid-year if a material event changes the organisation's risk profile — an acquisition, a new business line, a significant control failure elsewhere in the business, or a major regulatory change. A risk assessment done once and never revisited quickly becomes stale and misdirects audit hours toward risks that may no longer be the most material ones.

Practitioner noteWe build a mid-year risk refresh into every RBIA engagement by default rather than treating it as an optional add-on — the businesses we work with rarely stay static for a full 12 months without some change worth reflecting in the plan.
How does the internal auditor's independence work if PNPC also does our accounting or tax work?

Independence is a genuine professional requirement, not a formality. Where PNPC provides accounting, payroll, or tax compliance services to a client, we do not also serve as that client's internal auditor over the same functions — doing so would mean auditing our own work, which compromises the value and credibility of the audit. We structure engagements to avoid this conflict, either by having a different PNPC team with appropriate independence safeguards handle internal audit, or by recommending an alternative arrangement where the conflict cannot be adequately managed.

Practitioner noteWe are direct with clients about this trade-off upfront rather than discovering a conflict mid-engagement. Independence is not negotiable — it is the entire basis on which an Audit Committee can rely on the findings.
What does a typical Risk-Based Internal Audit engagement cost?

Cost depends on company size, the number of locations and business lines in the audit universe, sector complexity, and whether the engagement is fully outsourced or co-sourced with an existing in-house team. PNPC agrees a fixed, written scope and fee before any engagement begins, typically structured around the annual audit plan's total hours, with the risk assessment and plan design phase priced separately from the ongoing fieldwork and reporting cycle.

Practitioner noteWe do not quote a headline number without first understanding the audit universe — a single-location private company and a five-location manufacturing group are simply not comparable engagements, and pretending otherwise with a generic price does a disservice to both.
What happens if the risk assessment identifies more high-risk areas than our available audit hours can cover?

This is a common and entirely expected outcome, particularly in the first year of adopting a risk-based approach — it usually means audit hours were previously spread too thin across low-risk areas. The response is not to audit everything superficially, but to present the Audit Committee with an honest picture: the highest-priority risks that will be covered within the current budget, and the residual risk in areas that will not be covered this cycle, so the Committee can make an informed decision — accept the residual risk, increase the audit budget, or extend the timeline for full-universe coverage across multiple years.

Practitioner noteWe consider this one of the most valuable conversations an RBIA engagement produces — many Audit Committees have never explicitly seen, in one place, which risks are and are not being covered by the current audit budget.
Can a Risk-Based Internal Audit help detect fraud?

RBIA is preventive and diagnostic — it tests whether the controls designed to prevent or detect fraud are actually operating effectively, and a risk-based approach specifically increases scrutiny in areas with higher fraud susceptibility (cash handling, related-party transactions, procurement with limited segregation of duties). It is not, however, a substitute for a targeted forensic investigation once a specific fraud is suspected or detected — at that point, a dedicated forensic engagement with its own investigative methodology and evidentiary standards is the appropriate response.

Practitioner noteWe have seen RBIA fieldwork surface anomalies that, on closer look, warranted a separate forensic engagement — the two functions complement each other well when the internal audit team knows when to hand off rather than trying to investigate a suspected fraud within the normal audit testing process.
How does RBIA interact with our Enterprise Risk Management function, if we have one?

Where a formal ERM function exists, its risk register is a natural and valuable primary input to the internal audit's own risk assessment and audit universe — the highest-priority enterprise risks should directly inform which areas get the most audit attention. Internal audit's control testing, in turn, provides evidence back to ERM about whether the controls assumed to mitigate specific risks are actually working, refining the residual risk scores in the risk register. The two functions are meant to reinforce each other, not operate as disconnected exercises.

Practitioner noteWhere we run both ERM and internal audit for a client, we deliberately sequence the ERM risk assessment ahead of the internal audit planning cycle each year — the audit plan is measurably sharper when it is built on a current, Board-reviewed risk register rather than a standalone internal audit risk assessment done in isolation.
We don't have a formal ERM function. Can PNPC still build a risk-based audit plan?

Yes. A full enterprise-wide ERM programme is not a prerequisite for RBIA. Where no formal ERM function exists, we run a scoped risk identification exercise specifically to inform the audit plan — structured interviews with the CEO, CFO, and function heads, review of prior audit findings and the statutory auditor's management letter, and assessment of transaction volume, complexity, and control history across the audit universe. This produces a defensible risk-weighted plan without requiring the organisation to first build a separate, full ERM framework.

Practitioner noteMany of our RBIA clients build their first structured risk view specifically through this process — it often becomes the starting point for a more formal ERM function later, once the value of a documented risk assessment becomes clear to the Board.
What should the Audit Committee actually see in each internal audit report?

A well-structured internal audit report includes: the specific objective and scope of the audit and the risks it was designed to address, rated findings (typically categorised by severity — high, medium, low), root cause analysis rather than just a description of the symptom, management's response and committed remediation timeline for each finding, and status of previously reported findings that remain open. This gives the Committee a complete, actionable picture rather than a narrative report that is difficult to act on.

Practitioner noteWe insist on root cause analysis, not just symptom description, for every finding above low severity — 'invoices were approved without three-way matching' is a symptom; 'the ERP was configured without a mandatory three-way match control at go-live' is the root cause that actually gets fixed.
How long does it take to move from an ad hoc or rotational internal audit approach to a fully risk-based one?

For a company with reasonable process documentation and management availability for interviews, a first risk-weighted annual audit plan — from risk assessment input gathering through Audit Committee approval — typically takes 4-6 weeks. The methodology itself is embedded from the first planning cycle; the benefits compound over subsequent years as the risk assessment is refined and the historical findings data feeds back into future prioritisation.

Practitioner noteWe resist compressing the risk assessment phase to meet an aggressive timeline for the first plan — a rushed risk assessment produces a plan that looks risk-based on paper but is not meaningfully different from a rotational one in practice.
What is 'co-sourcing' and when does it make sense over a fully in-house or fully outsourced model?

Co-sourcing means the company retains its own internal audit team or function, and engages an external firm like PNPC to supplement it — typically for specialist skills the in-house team lacks (IT audit, data analytics, forensic techniques), additional capacity during peak audit periods, or an independent risk assessment methodology overlay. It tends to make sense for mid-sized to large companies with an existing internal audit team that has strong institutional knowledge but gaps in specific technical areas or bandwidth, where a fully outsourced model would discard valuable in-house context, and a purely in-house model would leave real capability gaps unaddressed.

Practitioner noteWe scope co-sourcing engagements explicitly around the gap, rather than a vague 'help out where needed' arrangement — usually specific specialist audits (IT general controls, treasury, related-party transactions) or specific capacity during a busy quarter.
Can PNPC support internal audit for our UAE entity as well as our Indian entity?

Yes. PNPC operates from Chennai, Bangalore, Hyderabad, and Dubai. For groups with both Indian and UAE entities, we build a coordinated audit universe and risk assessment that captures cross-border risk correlation — intercompany transaction controls, transfer pricing documentation risk, UAE Corporate Tax and VAT compliance risk, and jurisdiction-specific regulatory risk — rather than running two disconnected, entity-level audit plans that miss how a control gap in one jurisdiction can affect the other.

Practitioner noteIntercompany and related-party transaction testing is one of the areas where a single team covering both jurisdictions adds the most value — we can trace a transaction on both sides of the India-UAE relationship rather than relying on two separate firms to reconcile their findings after the fact.
Does a company below the Section 138 threshold still benefit from a Risk-Based Internal Audit?

It can, though the case for it is proportionality-driven rather than statutory. Private equity or venture capital investors increasingly expect a documented internal audit or control-review process as part of governance reporting even pre-threshold. Lenders and rating agencies factor internal control maturity into credit assessments. And practically, a scoped risk assessment and a lighter-touch periodic review of the highest-risk processes — even without a full annual audit plan — can catch control gaps before they become losses. For a small, single-location company with no institutional capital and no near-term growth plans, this is often disproportionate, and a periodic financial review may suffice instead.

Practitioner noteWe are candid about proportionality here — a full risk-based audit programme for a small, simple business adds cost without proportional value. We scope a lighter review where that is genuinely the better fit, rather than defaulting to the larger engagement.
What is the difference between 'inherent risk' and 'residual risk' when rating the audit universe?

Inherent risk is the level of risk in a process or area before considering any existing controls — for example, cash handling is inherently high-risk regardless of how well it is controlled. Residual risk is what remains after existing controls are factored in — a process with high inherent risk but strong, well-tested controls may have low residual risk and warrant lighter audit coverage, while a process with moderate inherent risk but weak or unproven controls may have high residual risk and warrant deeper testing. Rating the audit universe purely on inherent risk, without considering existing controls, misdirects audit hours toward areas that may already be well-managed.

Practitioner noteWe insist on evidence, not management assertion, when scoring existing controls for the residual risk calculation — 'we have a strong approval process' needs to be demonstrated, not simply stated, before it lowers a process's residual risk rating in the audit universe.
How does RBIA handle a business line or location that has never been audited before?

A previously unaudited area is not automatically treated as low priority simply because there is no findings history to reference — the risk assessment considers transaction volume and value, process maturity, personnel turnover, and inherent characteristics of the activity (cash-intensive, related-party exposure, regulatory complexity) even where there is no prior audit trail. In practice, a previously unaudited high-transaction-volume area often scores as high-priority precisely because there is no evidence yet that its controls are working.

Practitioner noteWe treat 'never been audited' as a risk factor in itself during universe rating, not a neutral data point — the absence of assurance is itself a form of exposure the Audit Committee should be aware of.
What data analytics techniques does PNPC use in risk-based audit fieldwork?

Where transaction volumes and system access support it, we use data analytics to test full populations rather than relying solely on sample-based testing — for example, analysing the complete general ledger for unusual journal entries, testing 100% of vendor payments against the approved vendor master for duplicate or fictitious vendor red flags, or reviewing the full population of expense claims against policy thresholds rather than a small sample. This increases the reliability of findings, particularly in high-transaction-volume areas identified as high-risk in the audit universe.

Practitioner noteData analytics adds the most value precisely in the high-risk areas the risk assessment flags — we prioritise building analytics capability into those specific audit engagements first, rather than applying it uniformly and thinly across the entire plan.
Can findings from a Risk-Based Internal Audit affect our statutory audit or IFC opinion?

They can be relevant. The statutory auditor's assessment of Internal Financial Controls over financial reporting under Section 143(3)(i) considers the overall control environment, and evidence from a well-documented internal audit function — including unresolved findings in financially significant areas — can inform the statutory auditor's own risk assessment and testing approach. A pattern of unresolved, financially material internal audit findings can, in some cases, contribute to a qualified or adverse IFC opinion if the underlying control weakness is not remediated.

Practitioner noteWe flag to clients, well before year-end, which open internal audit findings carry potential IFC significance — so remediation can be prioritised ahead of the statutory audit cycle rather than surfacing as a surprise during year-end fieldwork.
Who does the internal auditor report to, and does that affect independence?

For the function to be genuinely independent, the internal auditor should report functionally to the Audit Committee (for approval of the audit plan, findings, and resourcing) and only administratively — for practical matters like office logistics — to management, typically the CEO or another senior executive without a conflict of interest in the areas being audited. An internal audit function that reports solely to the CFO, for instance, faces an inherent independence tension when auditing finance-function controls.

Practitioner noteWe check this reporting line explicitly at the start of every engagement — where the historical practice has the internal auditor reporting solely to a function that is itself frequently in audit scope, we recommend restructuring the reporting line to the Audit Committee before proceeding.
What is the single most common mistake companies make with internal audit?

Treating it as a compliance checkbox rather than a genuine management tool — an annual rotational plan produced to satisfy Section 138, findings reported once and rarely followed up to actual closure, and an Audit Committee that receives the report but does not substantively engage with it. The symptoms are consistent: the same low-value findings repeat year after year, high-risk areas go unaudited for years at a stretch simply because they were not next in the rotation, and management treats the audit as an annual event to survive rather than an ongoing source of insight into where the business is exposed.

Practitioner noteEvery element of how we design an RBIA engagement — the risk-based scoping, the mid-year refresh, the closure tracking discipline — is built specifically to avoid this failure mode. A smaller, genuinely risk-focused plan that the Audit Committee actually engages with beats an elaborate rotational one that does not.
How does PNPC ensure audit findings actually get remediated and not just acknowledged?

Every finding is logged with a named owner and a committed remediation date agreed with management at the time the finding is reported — not left open-ended. Subsequent audit cycles specifically re-test previously open high and medium-severity findings to verify actual closure, rather than accepting management's word that an issue has been fixed. Findings that remain open past their committed date, or recur after being marked closed, are explicitly escalated to the Audit Committee with the history of prior commitments made and missed.

Practitioner noteWe have seen the escalation step alone change management behaviour — a finding that has quietly rolled forward for two years suddenly gets resourced and fixed once the Audit Committee sees, in one table, exactly how long it has been open and how many times a closure date was missed.
Does PNPC's Risk-Based Internal Audit engagement include IT general controls testing?

IT general controls — access management, change management, backup and recovery, and system interface controls — are included in the audit universe wherever the risk assessment identifies them as material, which is the case for most businesses running a core ERP or financial system today. Where deeper technical IT audit expertise is required (penetration testing, detailed cybersecurity architecture review), we scope this as a specialist add-on or coordinate with a specialist IT audit partner, while keeping the overall risk-based plan and Audit Committee reporting coordinated through a single engagement.

Practitioner noteIT general controls weaknesses — particularly around access provisioning and de-provisioning when employees join, move roles, or leave — are among the most consistently under-audited areas we encounter in first-time risk assessments, largely because they sit outside the traditional finance-department audit scope.
What's the difference between an internal audit finding and a statutory auditor's observation?

An internal audit finding arises from testing conducted under the company's own risk-based audit plan, covering financial, operational, compliance, and fraud-risk areas as prioritised by the risk assessment, and is reported to the Audit Committee as part of an ongoing, year-round function. A statutory auditor's observation arises from year-end testing conducted specifically to support the audit opinion on the financial statements, is narrower in scope (financial statement assertions and IFC over financial reporting), and is typically communicated once a year through the management letter alongside the audit report.

Practitioner noteWe often see internal audit findings from earlier in the year foreshadow a statutory auditor's observation at year-end on the same underlying control gap — when internal audit findings are actioned promptly, this overlap disappears, and the year-end audit typically runs more smoothly as a result.
How does PNPC handle internal audit for sector-regulated businesses, such as NBFCs or real estate developers?

For NBFCs, the risk assessment specifically incorporates RBI's risk-based supervision expectations, asset classification and provisioning discipline under Ind AS 109, credit concentration risk, and — depending on the NBFC's regulatory layer under RBI's Scale Based Regulation framework — any enhanced internal audit expectations that apply at that layer. For RERA-registered real estate developers, the audit universe specifically covers project-level escrow account compliance under Section 4(2)(l)(D) of the RERA Act, cost certification processes, and project-wise fund utilisation — categories a generic, non-sector-specific audit plan typically misses.

Practitioner noteSector-specific risk categories consistently produce the highest-value findings in our experience — a generic audit universe template applied to an NBFC or a real estate developer without these sector overlays leaves the areas regulators actually scrutinise under-covered.
Can the risk-based audit plan be adjusted mid-year if a new risk emerges?

Yes, and it should be. A risk-based plan that is treated as fixed for the entire year defeats much of the purpose of the risk-based approach. PNPC builds a formal mid-year checkpoint into every RBIA engagement to reassess whether a new risk event — an acquisition, a regulatory change, a control failure discovered elsewhere, a significant personnel change in a key role — warrants reprioritising the remaining audit hours in the plan, with any material reallocation presented to the Audit Committee for approval.

Practitioner noteWe have reprioritised mid-year plans on short notice more than once when a client made an unplanned acquisition or experienced a significant fraud elsewhere in the group — the ability to redirect audit hours quickly is one of the practical advantages of a risk-based methodology over a rigid rotational schedule.
What qualifications does the team executing PNPC's Risk-Based Internal Audit engagements hold?

PNPC's internal audit engagements are led by practising Chartered Accountants with internal audit and risk advisory experience, supported by a team with relevant sector exposure and, where the engagement scope requires it, IT audit and data analytics capability. As a CA firm operating since 1986, our internal audit practice sits alongside statutory audit, tax, and advisory functions — bringing broader regulatory and financial reporting context to internal audit findings than a standalone internal-audit-only provider typically has available.

Practitioner noteOur internal auditors regularly draw on the firm's statutory audit and tax expertise when a finding touches financial reporting or tax exposure — a fixed-asset capitalisation control weakness, for instance, gets flagged with both its control and its tax-depreciation implications in view, not treated as a narrow, isolated observation.
Is there a minimum company size below which a Risk-Based Internal Audit doesn't make sense?

There is no fixed statutory size floor — Section 138 applicability is defined by the specific Rule 13 thresholds, not a general notion of company size. Below those thresholds, the decision becomes a proportionality judgement: a mid-sized private company with growing transaction volumes, multiple locations, or institutional investors on the cap table often benefits meaningfully from a scaled-down risk-based review, even without statutory compulsion, while a very small, simple, single-location business typically does not yet need the formality of a full annual risk-based audit plan.

Practitioner noteWe have built proportionate, right-sized risk-based reviews for companies below the statutory threshold purely because the founders wanted structured visibility into control gaps before they scaled further — the methodology does not require statutory compulsion to be worth applying well.
Why PNPC Global

How PNPC's Risk-Based Internal Audit engagement compares to alternatives

FeatureGeneric Outsourced Internal Audit VendorIn-House OnlyPNPC Global
Audit plan basisOften a standard checklist applied with minimal customisation to the client's actual risk profileDepends entirely on internal team's risk assessment maturity — often informal or absentDocumented risk assessment aligned to ICAI SIA 130 / SIA 220, tailored to your sector and current business changes
Regulatory groundingGeneral Section 138 compliance framing without deeper professional standards alignmentVariable — depends on internal team's regulatory currencyDirect alignment to Section 138, Rule 13, and ICAI Standards on Internal Audit, backed by practising CA expertise
Independence disciplineVariable — some vendors also provide other services to the same client without clear separationStructural independence tension where internal audit reports to a function it also auditsExplicit independence structuring — we do not audit functions we also serve in a conflicting advisory capacity
Findings follow-upOften limited to the annual report; closure verification frequently skippedDepends on internal bandwidth and continuity of ownership between audit cyclesStructured closure tracking with re-testing of high/medium findings and explicit escalation of stale items
Sector-specific coverageGeneric audit universe template applied across all client typesLimited to internal team's prior exposure to the sectorSector-specific risk categories built in — NBFC RBI supervision, RERA escrow compliance, and more
Cross-border / group capabilitySingle-jurisdiction focus, typically India-onlyLimited to internal team's jurisdictional exposureCoordinated India-UAE audit universe and risk assessment from offices in both jurisdictions
Integration with other assurance workStandalone deliverable, disconnected from statutory audit or ERMRequires internal coordination across functions, often informalInternal audit findings coordinated with statutory audit risk assessment and ERM risk register where those functions also exist
Cost structureOften priced per audit with limited transparency on total annual commitmentNo external fee, but hidden cost of internal time, tooling, and expertise gapsFixed, written fee for risk assessment and plan design; scoped fee for the annual fieldwork and reporting cycle

What the PNPC package includes

  1. 01

    Section 138 / Rule 13 applicability assessment against paid-up capital, turnover, borrowing, and deposit thresholds

  2. 02

    Risk assessment input gathering — stakeholder interviews, prior findings review, and ERM risk register integration where one exists

  3. 03

    Full audit universe mapping across financial, operational, compliance, and fraud-risk categories

  4. 04

    Risk-weighted annual audit plan design aligned to ICAI's Standards on Internal Audit (SIA 130 Risk Management, SIA 220 Internal Audit Planning)

  5. 05

    Audit Committee presentation and facilitation of plan approval, with explicit rationale for every hour allocation

  6. 06

    Individual audit engagement planning and fieldwork — walkthroughs, control testing, and data analytics where volumes support it

  7. 07

    Draft findings shared with management before finalisation, with root cause analysis for every material finding

  8. 08

    Rated findings reporting to the Audit Committee on an agreed cadence, typically quarterly

  9. 09

    Structured closure tracking with re-testing of high and medium-severity findings, and escalation of stale items

  10. 10

    Mid-year risk refresh and plan reprioritisation when material business or risk changes occur

  11. 11

    Full or co-sourced delivery model — either as your outsourced internal audit function or alongside your existing in-house team

  12. 12

    Sector-specific risk coverage for NBFCs, real estate/RERA developers, and other regulated business types

  13. 13

    Coordinated India-UAE audit universe for groups with cross-border operations, delivered from Chennai, Bangalore, Hyderabad, and Dubai

  14. 14

    Direct access to a practising CA for ad hoc control and risk queries between formal audit cycles

An internal audit plan that repeats the same findings every year protects no one. Talk to PNPC Global about building a Risk-Based Internal Audit function your Audit Committee will actually rely on.

← Back to Risk Advisory
Talk to a CA