POSH Audits in India: Laws, Best Practices, and Pitfalls

A practical guide to POSH audits in India: legal requirements, audit checklists, best practices, and the compliance pitfalls HR teams often miss.
POSH Audits in India: Laws, Best Practices, and Pitfalls
Kumari Shreya
Wednesday July 01, 2026
10 min Read

Share

For over a decade, most Indian employers treated POSH compliance as a documentation exercise: constitute an Internal Committee (IC), file a policy, run an annual training, and file the annual report. The Supreme Court’s directions in Aureliano Fernandes v. State of Goa changed that assumption. Since May 2023, the Court has repeatedly ordered nationwide surveys to check whether ICs even exist, and its August 2025 order pushed States and Union Territories to complete district-wise verification by September 23, 2025.

Around the same time, the Ministry of Corporate Affairs made POSH disclosure a board-level obligation. Together, these developments have pushed POSH compliance from an HR file into something that regulators, boards, and courts now expect employers to actively audit.

What A POSH Audit Actually Means

The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013, or the POSH Act, does not use the word “audit” anywhere in its text. What it does require, through Sections 4, 19, and 21, is that employers constitute a valid IC, draft and circulate a policy, and file annual data on complaints and awareness activity.

A POSH audit is the structured exercise of checking whether these obligations are being met in practice, not just on paper. It compares what the organisation says it has done against what its records, timelines, and IC functioning actually show. Ungender’s audit process guide frames this distinction clearly: a compliance review checks documents; a functional audit checks whether the redressal system actually works when tested.

The Legal Framework Behind POSH Audits

Auditors, whether internal HR teams or external consultants, generally map their review against the following statutory anchors.

Provision Requirement Relevance To An Audit
Section 4, POSH Act Every workplace with 10 or more employees must constitute an IC Confirms the IC exists, has a valid Presiding Officer, and includes an external member
Section 19, POSH Act; Rule 13 Employer must formulate and disseminate an anti-sexual harassment policy Checks whether the policy is current, accessible, and matches actual practice
Section 21 and 22, POSH Act; Rule 14 IC must prepare an annual report on complaints received, disposed, and pending, plus awareness activity Verifies the report was filed on time and matches underlying case records
Section 26, POSH Act Penalty for non-compliance Up to ₹50,000 for a first default, doubling on repeat default, with possible cancellation of business licence, per Rule 14 guidance
Companies (Accounts) Second Amendment Rules, 2025 (MCA) Board’s Report must disclose POSH complaint data via Form AOC-4 Confirms the board-level disclosure reconciles with the IC’s own figures

For a full breakdown of how the IC’s composition and tenure rules work, TPB’s guide to Internal Committee composition under POSH is the starting reference most auditors can use.

Why POSH Audits Have Become Unavoidable

Three developments over the past three years explain why audits have moved from optional good practice to expected governance behaviour.

  • Judicial pressure: In Aureliano Fernandes, the Supreme Court called POSH implementation “lamentable” in parts of the private sector and ordered States to survey whether workplaces even have a constituted IC. Follow-up orders in December 2024 and August 2025 kept the pressure on, with district officers now tasked with verification.
  • Board-level disclosure: The MCA’s amendment, effective July 14, 2025, extended detailed POSH disclosure requirements to companies incorporated under the Companies Act, 2013, a base of roughly 1.6 million companies. A board that signs off on a disclosure it cannot verify is now carrying legal exposure it did not carry before 2025.
  • Sector-specific scrutiny: Following the TCS Nashik case, the IT employees’ body NITES formally sought a state-wide audit of POSH compliance across Maharashtra’s IT and ITES sector, and the scrutiny has since spread to other large employers in the region.

What A Structured POSH Audit Should Examine

A workplace audit typically works through the same core areas, regardless of whether it is conducted internally or by an external consultant:

  • IC validity: Current composition, whether the Presiding Officer and external member meet statutory criteria, and whether the committee’s three-year tenure has lapsed.
  • Policy currency: Whether the policy reflects the Act’s expansive definition of “workplace,” covering remote work, client sites, and digital communication channels.
  • Training records: Attendance logs and content for both employee awareness sessions and IC-specific orientation.
  • Complaint handling and documentation: Case files, inquiry notes, and evidence that the 90-day inquiry window and the employer’s 60-day action window were respected.
  • Annual reporting accuracy: Whether the IC’s internal figures match what was filed with the District Officer and, where applicable, the board’s AOC-4 disclosure.
  • Registration and display: Whether the IC is registered on the SHe-Box portal and whether the required notices are actually visible to employees, not just filed once and forgotten.

Understanding the breakdown of jurisdiction between the IC and the Local Committee is useful here too, since audits at multi-location or smaller establishments often need to confirm which forum actually applies.

Best Practices For Conducting A POSH Audit

  • Set a cadence, not a one-off. Annual audits aligned to the reporting cycle are the minimum; organisations in high-scrutiny sectors are increasingly running quarterly internal reviews between the annual exercise.
  • Combine internal checks with periodic external review. Internal HR reviews catch day-to-day drift, but an external or third-party audit adds independence, particularly useful when the IC’s own composition or HR’s role is in question.
  • Centralise records across locations. Organisations with multiple offices often keep POSH records separately at each site, which makes it difficult to spot patterns such as repeat complaints involving the same team or manager.
  • Treat a zero-complaint year as something to document, not celebrate. A “nil” report is valid only if it is backed by evidence that awareness programmes ran and reporting channels were functioning, not simply an absence of paperwork.
  • Keep the audit function separate from HR when HR itself could be a respondent. As TPB has covered in HR Can’t Investigate Itself, a case involving an HR employee needs a route that does not run back through HR.

As POSH and DEI strategist Aparna Gonate put it, “the process should feel fair, kind and serious, not cold or scary.” That standard applies as much to the audit process itself as it does to individual inquiries.

Common Pitfalls That Surface During POSH Audits

Pitfall What It Looks Like Audit Fix
Expired or defective IC Tenure past three years, missing external member, or an internal appointee misclassified as external Cross-check appointment letters against the six IC red flags before the audit begins
Template policy Policy language copied from another organisation, silent on remote work or digital channels Line up the policy against current work arrangements, not the original drafting date
Undocumented training Sessions were run, but no attendance or content records survive Require signed logs and retained materials as a standing requirement, not an afterthought
Fragmented case records Different branches maintain separate, inconsistent complaint logs Move to a single centralised, time-stamped tracking system
Missed statutory timelines Inquiries running past 90 days, or employer action delayed beyond 60 days Flag pendency at 60 and 75 days, not only after the 90-day breach
Mismatched disclosures IC’s internal numbers do not tie back to the board’s AOC-4 filing Reconcile IC data with board disclosure figures before either is finalised
Reactive audits only Compliance gets reviewed only after a complaint escalates or a case goes public Build the audit into the annual reporting calendar, independent of any active case

What The Data Says About India’s Audit Readiness

The gap between formal compliance and functional compliance shows up clearly in available survey and disclosure data.

Metric Finding Source
Overall non-compliance with mandatory POSH requirements 31% of surveyed organisations, rising to 36% among Indian companies versus 25% among MNCs FICCI-EY survey, via SME Futures
IC members untrained 40% overall, 47% at Indian companies, 34% at MNCs FICCI-EY survey, via SME Futures
Statutory notices not displayed 44% of organisations overall, 71% among SMEs FICCI-EY survey, via SME Futures
Reported POSH cases across NSE-listed companies, FY14 to FY25 10,337 cases across 300 companies, a 974% rise over the period Ashoka University data, cited in TPB’s IC red flags coverage
Change in complaints and pendency, FY24 to FY25 16% rise in complaints and 28% rise in pending cases across 1,386 NSE-listed companies Udaiti Foundation dashboard, cited in TPB’s POSH Act guide
Workplaces and Local Committees registered on SHe-Box, as of March 2026 Over 1,61,000 workplaces and 777 Local Committees notified MWCD data, cited in TPB’s IC vs LC guide

Read together, the numbers suggest that formal compliance, having a policy and a committee on record, is now fairly widespread, while functional compliance, an IC that actually resolves cases within statutory timelines, still lags. That gap is precisely what a properly designed audit is built to surface.

In The End…

A POSH audit is not a certificate exercise. It is the mechanism by which an organisation finds out, before a court, a district officer, or a journalist does, whether its Internal Committee would survive scrutiny. The legal architecture behind it- IC constitution, policy currency, annual reporting, and now board-level disclosure- has grown more demanding every year since 2023.

Employers who build the audit into their annual calendar, keep records centralised, and treat a quiet year as a question rather than an answer, are the ones best placed to withstand the kind of scrutiny that has already reached India’s boardrooms.


FAQs


What is a POSH audit?

A POSH audit is a structured review of whether an organisation’s Internal Committee, policy, training records, complaint handling, and annual reporting are functioning as the POSH Act requires, rather than just existing on paper.

Is a POSH audit legally mandatory in India?

The POSH Act does not use the word “audit” or prescribe a mandatory audit cycle. However, Sections 21 and 22 require annual reporting, the 2025 MCA amendment requires board-level disclosure, and the Supreme Court’s directions in Aureliano Fernandes v. State of Goa have made verification a de facto requirement for most employers.

How often should a company conduct a POSH audit?

Most guidance recommends an annual audit aligned with the reporting cycle, with quarterly internal reviews for larger organisations or those in high-scrutiny sectors such as IT and ITES.

What documents does a POSH audit typically require?

Auditors generally review the IC’s constitution order and appointment letters, the current POSH policy, training attendance records, complaint and inquiry files, and past annual reports filed with the District Officer.

What happens if a company fails a POSH audit?

There is no separate penalty for “failing” an audit. The exposure comes from the underlying non-compliance an audit reveals, such as an invalid IC or a missed annual report, which can attract penalties of up to ₹50,000 under Section 26, doubling on repeat default, along with possible cancellation of the business licence.

Should a POSH audit be conducted internally or by an external party?

Both have a role. Internal reviews are useful for regular checks between reporting cycles, while periodic external audits add independence, which matters when the IC’s own composition or HR’s role in a case is in question.

Is a POSH audit the same as the POSH annual report?

No. The annual report under Section 21 is a specific statutory filing covering complaint numbers and awareness activity for the year. A POSH audit is a broader review that checks whether the systems generating that report, and the IC itself, are actually functioning.

Does a workplace with zero complaints still need a POSH audit?

Yes. A “nil” report is only credible if the audit can show that the IC was properly constituted, the policy was communicated, and awareness programmes actually ran during the year.

Author
//
Kumari Shreya
Content Specialist Shreya delights in conveying her ideas and thoughts through her words. She enjoys exploring the different sides of the HR world and how the industry’s impact on the Indian population is increasing by the day. When not immersed in writing or researching for her writing, you can find her passionately discussing her favorite stories and learning more about the history of the world.
Show More
latest news

trending

Subscribe To Our Newsletter

Never miss a story

By submitting your information, you will receive newsletters and promotional content and agree to our Terms of Use and Privacy Policy. You may unsubscribe at any time.

Tagged:

More of this topic

Subscribe To Our Newsletter

Never miss a story

By submitting your information, you will receive newsletters and promotional content and agree to our Terms of Use and Privacy Policy. You may unsubscribe at any time.