Education

Internal Audit Checklist For Manufacturing, Fmcg & It : A Practical Guide For Ca Professionals

By CA Tushar Makkar 11 Apr, 2026 45

If you've just landed your first internal audit assignment at a factory, an FMCG company, or an IT firm — you're probably wondering: where do I even start? Don't worry. This guide breaks it all down in simple language, with real examples from Indian businesses.

Let's be honest — internal audit can feel overwhelming, especially when every industry has its own rules, risks, and quirks. A biscuit company is nothing like a software firm. And auditing a steel plant is a completely different world from auditing an IT services company.

But here's the good news: once you understand what to look for in each sector, the checklist almost writes itself. So let's walk through the three most common industries you'll encounter as a CA or internal auditor in India — Manufacturing, FMCG, and IT — and build a solid internal audit checklist for each.

First, a quick reminder: as per Section 138 of the Companies Act, 2013, internal audit is mandatory for certain companies — including listed companies and those meeting specific turnover or loan thresholds. So this isn't just best practice; it's often a legal requirement.

🏭 Internal Audit Checklist for Manufacturing Companies

Think about a company like Tata Steel or Mahindra's auto plant. There are raw materials coming in, machines running, workers on the floor, finished goods going out — and all of this needs to be tracked, controlled, and verified. Manufacturing audits are about making sure nothing falls through the cracks.

1. Production & Operations

This is the heart of any manufacturing audit. You want to check whether production is happening efficiently and as per plan.

  • Are production targets being met? Compare actual vs. budgeted output.
  • Is there a Bill of Materials (BOM) for each product, and is it being followed?
  • Are machine downtime records maintained? What's the idle time percentage?
  • Is there a preventive maintenance schedule for equipment?
  • Are rejection and rework rates tracked? What's being done to reduce them?

Real Example: In a packaging company in Pune, an auditor found that 8% of finished goods were being scrapped due to a calibration issue in one machine — but nobody had flagged it for months because there was no daily rejection tracking system.

2. Inventory & Stores Management

Inventory fraud is very common in manufacturing. Excess stock, ghost stock, and unrecorded scrap are all classic red flags.

  • Are physical stock counts done regularly and matched with system records?
  • Is slow-moving or obsolete inventory identified and provisioned for?
  • Is material issued only against proper Material Requisition Slips (MRS)?
  • Is scrap disposal being properly recorded and accounted for?
  • Are gate entry/exit records maintained for inward and outward movement?

3. Statutory & Legal Compliance

This is where manufacturing companies get into trouble most often — ignoring compliance until the government shows up.

  • Is the Factories Act license valid and displayed on-site?
  • Are PF, ESIC, and Labour Welfare Fund contributions paid on time?
  • Is GST on goods and job work being correctly applied?
  • Are Pollution Control Board (PCB) consents up to date?
  • Are fire safety audits and annual returns under the Factories Act done?

🛒 Internal Audit Checklist for FMCG Companies

Imagine auditing Hindustan Unilever, Parle, or a regional dairy brand. FMCG companies move products at lightning speed — high volume, thin margins, short shelf life. The risks here are mostly around distribution, expiry, scheme misuse, and trade fraud.

1. Sales & Distribution Controls

In FMCG, the distribution channel is everything. Stockists, super stockists, retailers — money flows through many hands, which means there are many places for leakage.

  • Are trade discounts and schemes being given as per approved policy?
  • Are secondary sales figures reconciled with primary sales to distributors?
  • Is there a process to detect fake claims for sales return credits?
  • Are expired or near-expiry goods being tracked and recalled on time?
  • Is van sales/field force activity verified against outlet visit records?

Real Example: A mid-size FMCG company in Mumbai discovered that distributors in two districts were claiming sales return credits for products that were never actually returned. The scheme had gone undetected for two years because secondary sales weren't being verified independently.

2. FSSAI & Quality Compliance

For any food product company, FSSAI compliance is non-negotiable. One slip here can mean a product recall — which is extremely costly and reputationally damaging.

  • Is the FSSAI license valid and displayed at all manufacturing units?
  • Are batch testing records and lab reports maintained?
  • Are labelling requirements (MRP, expiry date, allergen info) being followed?
  • Are Good Manufacturing Practices (GMP) being implemented on the shop floor?
  • Is there a written recall procedure in place?

3. Promotions & Trade Spend Audit

FMCG companies spend crores on trade promotions every year — in-store branding, free goods, cashback to retailers. This is a high-risk area for internal audit.

  • Are promotional schemes approved by a competent authority before launch?
  • Is there post-scheme reconciliation to verify actual vs. planned spend?
  • Are visibility claims (shelf space, POSM) verified by field audit teams?
  • Is marketing reimbursement to distributors supported by proper invoices?

💻 Internal Audit Checklist for IT Companies

Now let's shift gears completely. Think of auditing Infosys, a mid-size IT services firm in Hyderabad, or even a startup with 200 engineers. Here, there are no machines or raw materials — the biggest assets are people, data, and contracts. The risks are completely different.

1. Revenue Recognition & Project Billing

This is the trickiest part of an IT audit. Revenue in IT is often milestone-based or time-and-material — and the rules under Ind AS 115 are very specific.

  • Is revenue being recognised as per the terms in client contracts?
  • Are unbilled revenue and deferred revenue being correctly classified?
  • Are timesheets filled and approved before billing is raised?
  • Are change orders/scope changes approved before work begins?
  • Are project cost overruns identified and escalated in time?

2. Human Resources & Payroll

In IT, payroll is usually the biggest cost — and also a high-risk area. Ghost employees, incorrect variable pay calculations, and TDS defaults are common issues.

  • Is the payroll reconciled with the HR headcount master monthly?
  • Are background verification checks done for all new hires?
  • Are TDS deductions calculated correctly, especially for variable pay and perks?
  • Is employee data removed from systems promptly after resignation?
  • Are reimbursements (internet, mobile, fuel) verified against actual bills?

3. IT & Data Security Controls

An IT company auditing its own IT controls might sound funny — but this is actually one of the most important areas. Data breaches can kill a company's reputation and trigger massive penalties.

  • Are access controls in place — does each employee only access what they need?
  • Are privileged/admin access rights reviewed periodically?
  • Is there a documented incident response plan for data breaches?
  • Are data backup and disaster recovery processes tested regularly?
  • Is the company compliant with client NDAs and data privacy agreements?

Real Example: During an internal audit of a Bengaluru-based IT services firm, the auditor found that 23 former employees still had active login credentials three months after leaving the company. This was a serious data security and client contractual risk that had gone completely unnoticed.

Common Audit Areas Across All Three Industries

No matter which industry you're auditing, some things remain constant. A good internal auditor always checks:

  • GST Compliance: Returns filed on time? ITC correctly claimed and reconciled with GSTR-2B?
  • Related Party Transactions: Loans, purchases, or sales with promoter companies — are these at arm's length?
  • Fixed Assets: Are assets physically verified? Are additions and disposals correctly recorded?
  • Bank & Cash: Are bank reconciliation statements prepared monthly? Any unusual transactions?
  • ICFR (Internal Controls over Financial Reporting): Are controls documented and operating effectively?

Pro Tip for CA Students: The ICAI has published a detailed "Internal Audit Checklist (2024 Edition)" based on a Risk Control Matrix. It's freely available on the ICAI website. Make it your first download before any internal audit assignment. It covers everything from purchase-to-pay, order-to-cash, HR payroll, and GST to treasury management.

Before You Start Your Next Audit…

The best internal auditors are not just people who tick boxes. They're the ones who ask "why?" when something doesn't add up. A checklist is your starting point — not your destination.

In Manufacturing, follow the material. In FMCG, follow the scheme money. In IT, follow the data and the timesheet. That's where the real stories are hiding.

And remember — every finding you document is not just a risk flagged. It's a problem solved for the business. That's the real value a CA brings to internal audit.