Compliance Audit: When Mandatory and How to Comply Under Law

Every listed company in India and every public company above prescribed thresholds must undergo a compliance audit each financial year. Introduced by Section 204 of the Companies Act, 2013, the compliance audit is a verification mechanism conducted by an independent Compliance Professional in Practice (CSP). The audit examines whether the company has complied with the Companies Act, SEBI regulations, FEMA provisions, compliance standards, and other applicable laws during the financial year. The auditor issues a report in Form MR-3, which is annexed to the Board's Report and filed with the Registrar of Companies. Failure to conduct a mandatory compliance audit attracts a penalty of ₹1 lakh to ₹5 lakh on the company, its officers, and the auditor. This guide covers the complete framework - applicability criteria, the MR-3 report format, the audit process, timelines, penalties, exemptions, and a compliance checklist to help your company stay on track.
- Compliance audit under Section 204 is mandatory for listed companies and public companies with paid-up capital of ₹50 crore or more, or turnover of ₹250 crore or more
- Only a Compliance Professional in Practice (CSP) with a valid Professional Qualification Certificate of Practice can conduct the audit
- The audit report is filed in Form MR-3 and annexed to the Board's Report under Section 134(3)(f)
- SEBI separately mandates an Annual Corporate Compliance Report (ASCR) for all listed entities
- Penalty for non-compliance: ₹1 lakh to ₹5 lakh each on the company, officers in default, and the CSP
- The audit covers the Companies Act, SEBI regulations, FEMA, Compliance Standards SS-1 and SS-2, and industry-specific laws
What is a Compliance Audit?
A compliance audit is an independent examination of a company's compliance with laws, rules, regulations, and procedural requirements governing its corporate operations. Unlike a statutory audit conducted by a Tax Professional that focuses on financial statements, the compliance audit focuses on legal and regulatory compliance. It answers a fundamental question: has the company followed the law in its corporate governance, board procedures, shareholder dealings, regulatory filings, and statutory obligations?
The concept was formally introduced in Section 204 of the Companies Act, 2013 - a provision that had no equivalent under the earlier Companies Act, 1956. The inclusion of compliance audit reflected the government's recognition that financial audits alone are insufficient to ensure corporate governance. Companies can have clean financial statements while being materially non-compliant with corporate laws, SEBI regulations, or environmental and labour statutes.
Scope of a Compliance Audit
The compliance audit covers a broad spectrum of legal compliance:
- Companies Act, 2013: All provisions including board composition, meetings, related party transactions, deposits, charges, and annual filings
- SEBI Regulations: LODR, Takeover Code, Insider Trading, and Issue of Capital regulations (for listed companies)
- FEMA: Foreign Exchange Management Act provisions for companies with foreign investment or cross-border transactions
- Compliance Standards: SS-1 (Board Meetings) and SS-2 (General Meetings) issued by the relevant professional body
- Industry-specific laws: Sector regulators' requirements (RBI for NBFCs, IRDAI for insurers, TRAI for telecom companies)
- Other applicable laws: Labour laws, environmental laws, tax laws, and other statutes as agreed with the auditor
Legal Framework: Section 204 and Rule 9
Section 204(1) of the Companies Act, 2013 states that every listed company and a company belonging to such other class of companies as may be prescribed shall annex with its Board's Report a compliance audit report, given by a compliance professional in practice, in the prescribed form. The prescribed form is Form MR-3, and the prescribed class of companies is defined in Rule 9 of the Companies (Appointment and Remuneration of Managerial Personnel) Rules, 2014.
Key Provisions at a Glance
| Provision | Subject | Details |
|---|---|---|
| Section 204(1) | Mandate for compliance audit | Prescribed companies must annex MR-3 report with Board's Report |
| Section 204(2) | Auditor's right to information | Company must provide all books, papers, and explanations to the compliance auditor |
| Section 204(3) | Reporting obligation | Auditor must report non-compliance to the Board; if not rectified, escalate to the regulator and Central Government |
| Section 204(4) | Penalty | ₹1 lakh to ₹5 lakh on company, officers in default, and the CSP |
| Rule 9 | Class of companies | Listed companies + public companies with ₹50 crore paid-up capital or ₹250 crore turnover |
| Section 134(3)(f) | Board's Report | Board's Report must include the compliance audit report as an annexure |
Section 204(3) creates a dual accountability mechanism. If the compliance auditor identifies material non-compliance during the audit, they must first report it to the Board of Directors. If the Board does not take corrective action within a reasonable time, the auditor is required to escalate the matter to the regulator and potentially to the Central Government. The company is answerable to its auditor, and the auditor is answerable to the regulator.
When is Compliance Audit Mandatory?
Compliance audit is mandatory for specific classes of companies based on their listing status, paid-up capital, and turnover. The thresholds are verified against the company's audited financial statements for the preceding financial year.
Mandatory Applicability Criteria
| Category | Criteria | Legal Basis |
|---|---|---|
| Listed Companies | Every company listed on any recognized stock exchange (BSE, NSE) | Section 204(1) - no threshold; applies to all listed entities |
| Public Companies (Capital) | Paid-up share capital of ₹50 crore or more | Rule 9(a) of Companies (Appointment and Remuneration of Managerial Personnel) Rules, 2014 |
| Public Companies (Turnover) | Turnover of ₹250 crore or more | Rule 9(b) of Companies (Appointment and Remuneration of Managerial Personnel) Rules, 2014 |
| Material Subsidiaries of Listed Companies | Material unlisted subsidiaries of listed entities | Regulation 24A of SEBI (LODR) Regulations, 2015 |
How to Determine Applicability
Applicability is assessed against the audited financial statements of the immediately preceding financial year. If a public company's paid-up capital crosses ₹50 crore during FY 2025-26, the compliance audit becomes mandatory starting FY 2026-27. The thresholds operate on an "either/or" basis - a company meeting either the capital threshold or the turnover threshold must comply.
For Private Limited Companies, the compliance audit requirement does not directly apply under Section 204 and Rule 9. However, if a private company is a material subsidiary of a listed company, SEBI's LODR regulations extend the requirement. Companies voluntarily adopting compliance audits also signal stronger governance standards to investors and lenders.
Public companies often assume that the ₹50 crore and ₹250 crore thresholds must both be met simultaneously. This is incorrect. Meeting either threshold - paid-up capital of ₹50 crore or turnover of ₹250 crore - triggers the compliance audit requirement. Check both figures independently against your latest audited financials.
Who Can Conduct a Compliance Audit?
Section 204 is explicit: the compliance audit can only be conducted by a Compliance Professional in Practice (CSP). Tax Professionals, Cost Accountants, and advocates cannot conduct this audit. The restriction ensures that the auditor has specialized training in corporate law, SEBI regulations, and governance procedures.
Qualifications and Eligibility
- Membership: The auditor must be a member of the relevant regulatory body
- Certificate of Practice (COP): Must hold a valid COP issued under applicable regulations
- Independence: Must not be an employee, officer, or director of the company being audited
- Peer review: The regulator recommends that compliance auditors undergo peer review to maintain quality standards
Appointment Process
The Board of Directors appoints the compliance auditor by passing a board resolution. The appointment is typically made at the beginning of the financial year or soon after the AGM. The terms of engagement - scope of audit, access to records, fees, and reporting timelines - are documented in an engagement letter signed by both parties. The company must provide the CSP with unrestricted access to all books, papers, minutes, forms, returns, and other documents as required under Section 204(2).
If your company needs support with compliance management beyond the compliance audit, Virtual CFO services cover financial compliance, statutory filings, and board advisory - working alongside your compliance auditor to ensure comprehensive coverage.
Form MR-3: Compliance Audit Report Format
Form MR-3 is the standardized format for the compliance audit report prescribed under Rule 9. It serves as the auditor's formal opinion on the company's compliance status and follows a structured format covering specific areas of law and regulation.
Structure of the MR-3 Report
- Identification: Company name, CIN, registered office, financial year covered, and auditor details
- Scope statement: Description of the audit scope including Acts, rules, regulations, and standards examined
- Compliance verification: Area-wise compliance status covering the Companies Act, SEBI regulations (if applicable), FEMA, compliance standards, and industry-specific laws
- Board process review: Verification that board composition, committees, meetings, and decision-making processes comply with legal requirements
- Systems and processes check: Assessment of whether adequate systems and processes exist for monitoring compliance
- Auditor's opinion: Clean opinion, qualified opinion, or adverse opinion on overall compliance
- Observations and qualifications: Specific non-compliance items with details, impact assessment, and recommendations
Types of Audit Opinions
| Opinion Type | Meaning | Impact on Company |
|---|---|---|
| Unqualified (Clean) | Company has substantially complied with all applicable laws and regulations | No adverse implications; signals strong governance to investors and regulators |
| Qualified | Company has complied in most areas but specific non-compliance items exist | Board must explain each qualification in the annual report; regulators may review |
| Adverse | Material and pervasive non-compliance affecting the company's governance framework | Serious regulatory consequences; ROC/SEBI inspection likely; investor confidence impacted |
Under Section 134(3)(f), the Board of Directors must include the compliance audit report as an annexure to the Board's Report. If the MR-3 report contains qualifications or observations, the Board must provide point-by-point explanations for each qualification. Attaching the report without addressing qualifications is a compliance failure in itself.
Step-by-Step Compliance Audit Process
The compliance audit follows a structured 5-phase process from appointment through final reporting. Each phase has specific deliverables and timelines that both the company and the auditor must coordinate on.
Phase 1: Appointment and Engagement
The Board passes a resolution appointing the CSP as compliance auditor. The engagement letter defines the scope, financial year, access requirements, fee, and reporting deadline. The compliance professional or compliance officer is designated as the primary liaison for the audit.
Phase 2: Planning and Document Collection
The auditor prepares a detailed audit plan and issues a document request list to the company. This includes minutes of board meetings, committee meetings, general meetings, statutory registers, ROC filings, SEBI filings (if listed), FEMA declarations, and copies of all forms filed during the financial year. The company typically has 15 to 20 working days to compile and submit documents.
Phase 3: Compliance Verification
The auditor examines each document against legal requirements. Board meeting frequency, quorum, agenda items, and resolution formats are checked against Standard SS-1. General meeting procedures are verified against Standard SS-2. ROC annual filings are verified for timeliness and accuracy. SEBI compliance is checked for listed entities. This phase involves extensive cross-referencing and typically takes 20 to 30 working days.
Phase 4: Management Discussion
The auditor shares preliminary findings with the company's management team, giving the company an opportunity to provide clarifications, additional documents, or evidence of compliance. The auditor cannot overlook genuine non-compliance, but this phase ensures that the final report is factually accurate and does not contain errors based on incomplete information.
Phase 5: Report Preparation and Submission
The auditor prepares the Form MR-3 report with a clean, qualified, or adverse opinion. The signed report is submitted to the Board before the AGM date. The Board reviews the report, prepares explanations for any qualifications, and annexes the MR-3 to the Board's Report under Section 134(3)(f). The Board's Report, including the compliance audit annexure, is filed with the ROC as part of the annual return.
Timeline and Compliance Calendar for Compliance Audit
The compliance audit timeline is tied to the company's financial year-end and AGM schedule. For companies following the standard April-to-March financial year, these are the key milestones:
| Activity | Deadline | Responsibility |
|---|---|---|
| Appoint compliance auditor for current FY | April (beginning of financial year) | Board of Directors |
| Provide audit documents to CSP | Within 30 days of FY-end (by April 30) | Compliance Professional / Compliance Officer |
| Compliance audit fieldwork | May to July | Compliance Auditor (CSP) |
| Preliminary findings shared with management | July (before AGM notice period) | Compliance Auditor (CSP) |
| Final MR-3 report submitted to Board | August (before Board meeting to approve annual report) | Compliance Auditor (CSP) |
| Board approves annual report with MR-3 annexure | August / September | Board of Directors |
| AGM held; annual report presented to shareholders | By September 30 | Board of Directors |
| File annual return (MGT-7) and financial statements (AOC-4) with ROC | Within 30/60 days of AGM | Compliance Professional |
For listed companies, an additional timeline applies under SEBI: the Annual Corporate Compliance Report (ASCR) must be filed with the stock exchange within 60 days of the financial year-end (by May 30 for March year-end companies). This is a separate submission from the MR-3 report and follows the regulatory body-prescribed ASCR format.
Penalties for Non-Compliance Under Section 204
Section 204(4) of the Companies Act, 2013 (as amended by the Companies Amendment Act, 2020) prescribes civil penalties for failure to comply with the compliance audit requirement. The 2021 decriminalization converted this from a criminal fine to an administrative penalty, but the financial impact remains significant.
Penalty Structure
| Party | Minimum Penalty | Maximum Penalty | Applicable When |
|---|---|---|---|
| The Company | ₹1 lakh | ₹5 lakh | Failure to conduct compliance audit or annex MR-3 to Board's Report |
| Every Officer in Default | ₹1 lakh | ₹5 lakh | Directors and KMPs responsible for the compliance failure |
| Compliance Professional in Practice | ₹1 lakh | ₹5 lakh | CSP who contravenes Section 204 provisions (e.g., false reporting) |
The total penalty exposure across all parties - company, directors, and CSP - can reach ₹15 lakh in a single financial year. For companies that fail to conduct compliance audits for multiple consecutive years, each year constitutes a separate contravention. A company in default for 3 financial years faces cumulative penalties of up to ₹45 lakh.
Beyond Financial Penalties
- ROC scrutiny: The Registrar of Companies can initiate inspection and investigation under Sections 206 to 209
- Disqualification risk: Directors of companies with filing defaults face disqualification under Section 164(2) for 5 years
- SEBI action: Listed companies face additional SEBI penalties, trading suspension, and potential delisting proceedings
- Investor confidence: Missing compliance audit reports in annual returns signal governance failures to investors conducting due diligence
Under Section 164(2), directors of companies that have not filed annual returns or financial statements for 3 consecutive years face disqualification for 5 years. Since the compliance audit report is part of the Board's Report annexed to annual filings, persistent failure to conduct the audit contributes to the filing default that triggers director disqualification.
SEBI Requirements: Compliance Audit for Listed Companies
Listed companies face a dual compliance audit framework - one under the Companies Act and another under SEBI regulations. Both operate independently and must be complied with separately.
Regulation 24A of SEBI (LODR) Regulations, 2015
Every listed entity must undertake a compliance audit and annex the report with the annual report. Additionally, material unlisted subsidiaries of listed entities must also undergo compliance audit. A subsidiary is "material" if its income or net worth exceeds 10% of the consolidated income or net worth of the listed parent entity.
Annual Corporate Compliance Report (ASCR)
SEBI Circular dated February 8, 2019 introduced the ASCR as a separate compliance requirement. The ASCR is filed with the stock exchange within 60 days of the financial year-end and covers compliance with all SEBI regulations applicable to the listed entity. Its format is prescribed by the regulator and, for SEBI-specific compliance verification, is more detailed than the MR-3 report.
Disclosure Requirements
Listed companies must disclose in their annual report: (1) the compliance audit report, (2) qualifications or observations by the compliance auditor, (3) the Board's explanation for each qualification, and (4) the ASCR filing status. Non-disclosure attracts penalties from both the ROC (under the Companies Act) and SEBI (under LODR Regulations). For comprehensive corporate legal support, companies should ensure both frameworks are addressed simultaneously.
Exemptions and Special Provisions
The compliance audit requirement does not apply uniformly to all companies. Several categories are exempt or have relaxed obligations.
Companies Exempt from Mandatory Compliance Audit
- Private Limited Companies: Not covered under Rule 9 unless they are material subsidiaries of listed entities
- Small companies: Companies with paid-up capital up to ₹4 crore and turnover up to ₹40 crore are well below the ₹50 crore / ₹250 crore thresholds
- One Person Companies (OPCs): OPCs are private companies and do not meet the public company criterion
- LLPs: Limited Liability Partnerships are governed by the LLP Act, 2008 and fall outside the Companies Act framework
- Section 8 companies: Typically exempt unless they meet the prescribed thresholds (which is rare for non-profits)
- Government companies: May have separate audit mechanisms under the CAG framework
Voluntary Compliance Audit
Companies not mandated to undergo compliance audit can voluntarily adopt it as a governance best practice. Voluntary compliance audits are increasingly common among:
- Pre-IPO companies building a compliance track record before listing
- Companies seeking PE/VC funding where investors require governance due diligence
- Subsidiaries of multinational corporations adhering to parent company governance standards
- Companies approaching the ₹50 crore / ₹250 crore threshold that want to be audit-ready before the mandate applies
Voluntary compliance audits follow the same MR-3 format and process as mandatory audits. The only difference is that the report is not legally required to be annexed to the Board's Report, though companies can include it voluntarily.
Compliance Audit Checklist: Documents and Records
Preparation determines the efficiency and outcome of a compliance audit. Companies that maintain organized records throughout the year complete the audit faster and with fewer qualifications.
Corporate Records
- Certificate of Incorporation and Memorandum and Articles of Association
- Minutes of Board Meetings, Committee Meetings, and General Meetings for the entire financial year
- Attendance registers for all meetings
- Register of Members, Register of Directors, Register of KMPs
- Register of Charges, Register of Contracts, and Register of Loans and Investments
- Board resolutions and circular resolutions passed during the year
Statutory Filings
- Annual return (MGT-7/MGT-7A) and financial statements (AOC-4) filed with ROC
- All event-based forms filed during the year (DIR-12, SH-7, CHG-1, MGT-14, etc.)
- Director KYC filings (DIR-3 KYC)
- Auditor appointment form (ADT-1)
- DPT-3 return of deposits (if applicable)
SEBI Filings (Listed Companies)
- Quarterly corporate governance reports
- Shareholding pattern disclosures (Regulation 31)
- Related party transaction disclosures (Regulation 23)
- Insider trading compliance certificates
- Previous year's ASCR filing acknowledgment
Compliance Certificates
- FEMA compliance certificates for foreign investments (if applicable)
- Compliance certificates from functional heads (HR, Finance, Operations)
- CSR expenditure report and CSR committee minutes (if applicable)
- Related party transaction approvals and audit committee minutes
Maintaining a compliance calendar and tracking system throughout the year ensures that documents are audit-ready when the compliance auditor begins fieldwork. Companies that scramble to compile records after the financial year-end consistently face more qualifications than those with organized, real-time compliance records.
Create a shared digital folder with your compliance auditor at the beginning of the financial year. Upload board meeting minutes, ROC filing acknowledgments, and compliance certificates in real time as they are generated. This eliminates the document collection phase entirely and allows the auditor to begin fieldwork immediately after the year-end.
Compliance Audit vs Other Corporate Audits
Companies frequently confuse compliance audit with other compliance reviews. Here is how the compliance audit differs from statutory audit and internal audit.
| Parameter | Compliance Audit | Statutory Audit | Internal Audit |
|---|---|---|---|
| Legal Basis | Section 204, Companies Act | Section 143, Companies Act | Section 138, Companies Act |
| Focus Area | Legal and regulatory compliance | Financial statements accuracy | Internal controls and processes |
| Conducted By | Compliance Professional in Practice (CSP) | Tax Professional | Expert, Cost Accountant, or professional firm |
| Report Format | Form MR-3 | CARO 2020 + Audit Report | No prescribed format |
| Filed With | Annexed to Board's Report (ROC) | Filed with ROC as part of AOC-4 | Internal to the company |
| Applicability | Listed + prescribed public companies | All companies | Listed + prescribed companies |
| Penalty | ₹1 lakh to ₹5 lakh | ₹25,000 to ₹5 lakh | ₹25,000 to ₹5 lakh |
All 3 audits serve different purposes and cannot substitute for each other. A company that needs all 3 must appoint separate professionals for each role. The statutory auditor cannot also serve as the compliance auditor, and the internal auditor must be independent of both.
Summary
The compliance audit under Section 204 of the Companies Act, 2013 is a mandatory compliance requirement for listed companies and public companies with paid-up share capital of ₹50 crore or more or turnover of ₹250 crore or more. The audit must be conducted by an independent Compliance Professional in Practice holding a valid Professional Qualification Certificate of Practice, and the report must be issued in Form MR-3 and annexed to the Board's Report. Listed companies face additional requirements under SEBI's LODR Regulations, including the Annual Corporate Compliance Report filed with stock exchanges within 60 days of the financial year-end. The penalty for non-compliance is ₹1 lakh to ₹5 lakh on each defaulting party - the company, its officers, and the CSP - with cumulative exposure reaching ₹15 lakh per year. Companies approaching the prescribed thresholds should consider voluntary adoption of compliance audit as a governance best practice. Maintaining organized records throughout the year, appointing the compliance auditor early, and establishing a shared document repository with the auditor are the most effective strategies for achieving a clean, unqualified MR-3 report.