Mon - Fri : 9:30 AM - 5:30 PM
admin@fintracadvisors.com
Talk To Our Expert
Have Any Questions?
Talk To Our Expert
Have Any Questions?
Fintrac Advisors
Fintrac Advisors Fintrac Advisors
Jul 11, 2026 .

Internal Audit Reporting to the Audit Committee: Best Practices, Cadence & Key Content

GST changes 2025

Jagrit Tenani

CA Jagrit Tenani has emerged as a seasoned professional in the domains of Risk-Based Audit, SoP Formulation and Implementation, Internal Audit, Statutory Audit, and Goods and Services Tax (GST).
His experience in the Corporate Audit Department of ITC Ltd. encompassed him with a keen awareness of the critical role that stringent internal controls play in ensuring organizational excellence and compliance.

Internal Audit Reporting to the Audit Committee: Cadence, Content, and Oversight Value

 

This redrafted note presents the topic in a more formal and board-ready manner, while preserving the practical tone of an experienced internal audit professional. It also identifies key enhancements that should be incorporated and points that may be omitted or moved to a separate paper for sharper focus on the principal subject of internal audit reporting to the audit committee.

Refined Draft

 

Strong governance depends on a disciplined reporting structure between the internal audit function and the audit committee. In well-governed entities, internal audit reporting is not a routine compliance ritual; it is an important mechanism through which the audit committee obtains assurance on control effectiveness, risk management, regulatory compliance, and the timeliness of corrective action.

Under the Companies Act, 2013, certain classes of companies are required to appoint an internal auditor, and the audit committee is expected to play an active role in shaping the scope and frequency of internal audit. The practical implication is that internal audit reporting should be designed around the audit committee calendar, with clear expectations on cadence, subject coverage, reporting thresholds, and action tracking.

Reporting cadence

 

Internal audit reporting should ordinarily be aligned with the audit committee’s scheduled meetings. A quarterly cadence is generally the most effective approach because it allows the committee to review completed audits, monitor unresolved issues, assess emerging risks, and refine audit priorities through the year.

A structured annual reporting cycle may be presented as follows:

  • Quarter 1: Review completion status of the prior year’s audit plan, discuss significant findings carried forward, and confirm whether the approved annual internal audit plan remains appropriate in light of current business developments.
  • Quarter 2: Present progress against the approved plan, highlight high-risk observations, evaluate management responsiveness, and discuss whether additional coverage is needed in areas such as information technology, treasury, procurement, related party processes, or statutory compliance.
  • Quarter 3: Review thematic issues and recurring control failures, reassess the risk universe for the balance period, and place before the committee the proposed internal audit plan for the ensuing financial year.
  • Quarter 4: Present an annual assurance summary covering audit coverage achieved, ageing of open observations, implementation effectiveness of corrective actions, recurring exceptions, and any concerns relating to the independence, competence, or resourcing of the internal audit function.

The central principle is consistency. Internal audit reporting should be a standing agenda item for each audit committee meeting, and the committee should receive updates not only on fresh observations but also on the closure discipline around earlier findings.

Content of the report

 

A professional internal audit report to the audit committee should be concise, analytical, and decision-oriented. It should not reproduce detailed working papers. Instead, it should give the committee a clear view of the areas reviewed, the significance of the observations, management’s responsiveness, and the residual risks that continue to remain with the organisation.

Each reporting pack should ordinarily contain the following:

  • Scope of audits completed during the period, including functions, units, processes, and audit objectives.
  • Executive summary of critical, high, and medium-risk observations with clear articulation of business impact.
  • Root cause analysis, wherever recurring or systemic deficiencies are noted.
  • Management responses and committed timelines for remediation.
  • Status of implementation of past audit observations, with specific identification of long-pending items.
  • Instances where agreed actions are delayed, diluted, or contested by management.
  • Matters requiring immediate escalation, including suspected fraud, control override, serious compliance failure, data breach, significant financial exposure, or matters indicating tone-at-the-top concerns.
  • Resource constraints or limitations in scope that may have affected audit coverage.

Where possible, the reporting pack should include a dashboard summarising the number of audits completed versus planned, ageing of open observations, distribution of findings by risk rating, and repeated observations by process owner or business vertical. Such presentation helps the audit committee move quickly from information receipt to focused challenge and oversight.

Quality of discussion before the audit committee

 

The value of internal audit reporting does not lie merely in circulation of the report; it lies equally in the quality of the discussion that follows. Audit committee members should use the reporting pack to ask whether deficiencies are isolated or systemic, whether management has addressed only the symptom or also the root cause, whether delays in closure indicate weak accountability, and whether similar risks may exist in areas not yet covered.

It is also advisable for the committee to periodically evaluate whether the internal audit function has adequate stature, independence, technical competence, and access to records and personnel. In mature governance environments, the committee may additionally hold a private discussion with the internal auditor, without operational management present, where sensitive matters require candid exchange.

Practical drafting tone

 

To reflect senior professional experience, the drafting should remain measured, precise, and free from excessive simplification. Expressions such as “red flag,” “firefighting,” or highly promotional phrasing may be replaced with language more commonly used in board papers, audit committee memoranda, or professional advisory notes.

The narrative should also avoid overexplaining elementary governance concepts unless the intended audience is clearly non-specialist. Where examples are used, they should illustrate consequence and oversight relevance, rather than sound anecdotal or informal.

Suggested Insertions

 

The following points are important and should be expressly included if not already developed sufficiently in the final document:

  • A distinction between reporting of individual audit observations and reporting on the overall health of the control environment.
  • A requirement to highlight repeat observations separately, because repeat findings often indicate ineffective remediation or weak management ownership.
  • Ageing analysis of open audit issues, preferably by risk rating and responsible function.
  • Explicit disclosure of scope limitations, management non-cooperation, or data access constraints affecting audit conclusions.
  • Escalation protocol for fraud indicators, whistle-blower matters, serious non-compliance, and control override by senior personnel.
  • Commentary on whether the approved internal audit plan remains risk-based and responsive to business change.
  • Periodic reporting on adequacy of internal audit resources, specialist support requirements, and independence safeguards.
  • Clear linkage between audit observations and business impact, including financial exposure, compliance exposure, reputational implications, and operational disruption.

Contact Info

Mon - Fri : 9:30 AM - 5:30 PM
admin@fintracadvisors.com

Our Presence

Kolkata
Bengaluru
Mumbai
Delaware