India Inc rethinks internal audits amid data fraud, AI
Mumbai, Nov 17, 2025
Synopsis
The wave of recent fraud scandals has sparked an urgent call for a new era of internal audits. Businesses are transitioning from traditional methods to dynamic, real-time oversight that leverages technology to monitor risks as they arise. Experts suggest that this forward-thinking strategy is vital for mitigating potential losses.
A series of cases of fraud at companies like IndusInd Bank and Gensol, coupled with the explosion of data and artificial intelligence, is putting the spotlight on static, sample-based internal audits. Auditors say this conventional model is useful for compliance, but often lacks the real-time responsiveness modern companies need and ends up providing only lagging indicators, flagging risks after the damage is done.
Experts say the rapid digitisation that Corporate India has gone through over the last decade or so has led to a deluge of data flowing in from every part of the business and at a speed and scale that is increasingly making it tough to manage and track. At the same time, the enterprise technology stack is now an interconnected digital web of ERPs, CRMs and cloud platforms spread across multiple service providers, adding new risks and vulnerabilities to the business.
Conventional audits useful for compliance, but miss real-time risks, say auditors
"In the current dynamic business landscape, the conventional model of internal audit, which involves evaluating controls, processes and transactions, often lacks the agility and responsiveness that modern organisations demand. What is needed is adoption of real-time internal audit/continuous control monitoring, facilitated by technological advancements. That would be a significant shift in approach," said Sunil Bhadu, partner and India GRC (governance, risk and compliance) leader at PwC.
Internal auditors say periodic reviews done once a quarter or a year often end up being little more than hindsight tools. They point out that the nature of fraud has changed and is no longer just about control gaps or procedural lapses but increasingly about the absence of real-time control testing and continuous assurance mechanisms.
This is why many believe continuous controls monitoring (CCM) is becoming essential, helping companies change gears from reactive checks to proactive, data-driven oversight that flags risks as they emerge. "To use an analogy, it's like moving from an annual health check to wearing a real-time fitness tracker. Instead of waiting for a yearly report, you're constantly monitoring key indicators-your blood pressure, heart rate, and daily patterns-and taking corrective action almost instantly, rather than waiting for the quarter to end," said Ritesh Tiwari, partner and national leader, GRC Services, KPMG in India.
As companies adapt to a rapidly changing business environment, experts say internal auditors' expectations are shifting from just data validation to assessing embedded IT and manual controls, aligning with statutory audits' deeper scrutiny.
"India is still early in this journey, the direction is clear: assurance around technology, controls and AI ethics is fast becoming central to internal audit. With rising data volumes and complex operations, audit committees now demand assurance that systems have robust, built-in controls to reduce human error," said Peeyush Vaish, controls assurance leader & TMT leader, Deloitte India. "At the same time, AI assurance is emerging as a major global trend, with boards seeking confidence that AI algorithms are accurate, secure, unbiased and free from data leakages."
KPMG said it is already working with several clients to implement continuous controls monitoring and, in some cases, is involved in full end-to-end deployment. "CCM isn't merely about automating existing controls. It represents a fundamental shift in mindset where controls become living sensors embedded within business processes. These sensors continuously assess performance and risk in real time, making them part of the organisation's operating rhythm," said Tiwari.
But experts say audit committees must realise that shift to continuous monitoring does not deliver overnight returns and it typically takes a few quarters for the benefits to show.
KPMG's Tiwari said he advises clients that there is no need to boil the ocean and that the "80-20" rule (80% of the risks are concentrated in 20% of the areas) applies, so companies should begin with the 20-30% of processes that generate 70-80% of the value. "By phasing implementation and prioritising high-impact areas, organisations can secure early wins, establish proof of value and then scale gradually, with meaningful returns usually emerging within a few quarters," he said.
PwC's Bhadu said a number of the firm's internal audit clients have already begun bringing digital roadmaps, adoption initiatives, AI models and cybersecurity measures into the audit scope, and teams working on these mandates have been upskilling with the new capabilities needed to ensure regulatory and ethical standards are met.
Experts say that going forward, real-time internal audit, using technologies such as agentic AI, generative AI, machine learning, data analytics and cybersecurity tools, will continuously monitor organisational activities, point out problematic issues before they cause damage and will create a feedback loop that will help companies make adjustments and improve controls.
[The Economic Times]
