Think of internal audit as the company's own in-house health check — a continuous process of reviewing whether the business is following its own rules, managing risks, and keeping its finances in order. Section 138 makes this mandatory for certain companies, so it is no longer optional even if the promoters feel everything is running smoothly.
Who must appoint an internal auditor? Not every company — only prescribed classes of companies as defined under Rule 13 of the Companies (Accounts) Rules, 2014. The trigger conditions are: listed companies; unlisted public companies with paid-up share capital ≥ ₹50 crore OR turnover ≥ ₹200 crore OR outstanding loans/borrowings from banks/FIs ≥ ₹100 crore OR outstanding deposits ≥ ₹25 crore; and private companies with turnover ≥ ₹200 crore OR outstanding loans/borrowings ≥ ₹100 crore. If a company crosses any one of these thresholds, it is in. This is asked frequently as a 4-mark question — memorise the thresholds.
Who can be appointed? The internal auditor must be a Chartered Accountant (whether in practice or not), a Cost Accountant, or any other professional the Board decides is suitable — so even an MBA or engineer could qualify if the Board resolves it. Crucially, the internal auditor can be an employee of the company or an outside firm. The Central Government has the power to prescribe the manner and intervals of conducting the audit and how findings are reported to the Board. In practice, the Audit Committee (where it exists) or the Board itself sets the scope, frequency, and format of internal audit reports.