Audit and Tax Compliance in Malaysia

What is a statutory audit?

A statutory audit is a legally mandated examination of a company's financial statements and records conducted by an independent licensed auditor. In Malaysia, this requirement is governed primarily by the Companies Act 2016, which mandates that most companies prepare and submit audited financial statements annually to the Companies Commission of Malaysia (SSM). The statutory audit serves multiple critical functions:

Quinn Lu

Senior Associate, International Business Advisory

Independent verification that financial statements present a true and fair view of the company's financial position.
Compliance assurance with Malaysian Financial Reporting Standards (MFRS) or Malaysian Private Entities Reporting Standards (MPERS).
Stakeholder confidence for investors, creditors, regulators, and other interested parties.
Legal compliance with the Companies Act 2016 and related regulations.

Under Section 267 of the Companies Act 2016, companies must appoint at least one auditor who is:

Approved by the Ministry of Finance.
Registered with the Malaysian Institute of Accountants (MIA).
Independent and qualified under the Accountants Act 1967.

Tax audits in Malaysia, distinct from statutory audits under the Companies Act 2016, are conducted by the Inland Revenue Board (IRBM or LHDN) to verify income tax compliance per the Income Tax Act 1967, focusing on tax returns, deductions, and records for up to seven prior years rather than financial statement "true and fair view" verification by independent MIA auditors.

Selection occurs via risk-based analytics (e.g., data mismatches or high-risk sectors), triggering a Notification Letter requiring documents within 14-30 days; audits proceed as desk reviews or on-site field visits with interviews and walkthroughs, limited to relevant tax records like computations and invoices. IRBM issues proposed adjustments within 90 days (extendable), allowing taxpayer responses, settlements, or appeals, with penalties (35-55% plus interest) for underpayments—emphasizing proactive compliance beyond statutory audit's stakeholder assurance role.

Difference between audit and compliance requirements

While often used interchangeably, audit and compliance represent distinct but interconnected concepts.

Audit is a subset of compliance. A company can be audit-compliant but fail other regulatory requirements, such as timely annual return submission or beneficial ownership disclosure.

Why audit compliance matters for Malaysian companies

Legal obligation and penalty avoidance

Non-compliance with audit requirements exposes companies and directors to significant penalties:

Offense	Penalty	Legal Basis
Failure to lodge audited financial statements	Up to RM 50,000 + RM 1,000/day (continuing offense)	Section 259(1), Companies Act 2016
Failure to appoint auditor	Fine and potential director liability	Section 267, Companies Act 2016
Late annual return submission	Compounds and suspension risk	Section 68, Companies Act 2016
False beneficial ownership information	Up to RM 3 million- or 10-years imprisonment or both	Section 56, Companies Act 2016

Access to finance and investment

Banks, investors, and financial institutions require audited financial statements as a prerequisite for:

Loan applications and credit facilities.
Investment funding rounds.
Government grants and incentives.
Partnership agreements.

Reputational integrity

SSM maintains public records of compliance history. Companies with consistent non-compliance face:

Reputational damage.
Loss of stakeholder trust.
Difficulty attracting talent and partners.
Potential striking off from the SSM register.

Director personal liability

Under the Companies Act 2016, directors can be personally liable for company non-compliance, including:

Monetary fines.
Disqualification from directorships (Section 198).
Criminal prosecution in severe cases.

Legal framework

Companies Act 2016

The Companies Act 2016 is the foundation of Malaysia’s audit and financial reporting requirements. It outlines the responsibilities of company directors to prepare accurate financial statements within six months of the financial year-end, in line with approved accounting standards such as MFRS or MPERS.

Companies must share these financial statements with their members and submit them to the Companies Commission of Malaysia (SSM) within specific timeframes. Non-compliance can lead to financial penalties. The Act also requires the appointment of qualified and approved auditors, who are responsible for verifying that proper accounting records are kept and that the company’s financial position is fairly presented.

Malaysian Accounting Standards Board (MASB) requirements

The Malaysian Accounting Standards Board (MASB), established under the Financial Reporting Act 1997, is responsible for developing and issuing accounting standards in Malaysia. These standards ensure consistency and transparency in financial reporting across different types of entities.

MASB issues two main frameworks: the Malaysian Financial Reporting Standards (MFRS) and the Malaysian Private Entities Reporting Standards (MPERS). MFRS is fully aligned with international standards (IFRS) and is mandatory for public interest entities such as listed companies, banks, insurers, and other large corporations regulated by the Securities Commission or Bank Negara Malaysia.

In contrast, MPERS is a simplified framework tailored for private limited companies without public accountability. It is based on the IFRS for SMEs, incorporating some local adaptations, and was most recently updated in October 2025 to align with the latest global version.

In general, MFRS applies to entities with higher public accountability and more complex reporting needs, while MPERS offers a simpler and more flexible approach suitable for smaller private companies. Although private entities may choose to adopt MFRS for more comprehensive reporting, they cannot revert to MPERS later without valid justification.

Suruhanjaya Syarikat Malaysia (SSM) and LHDN regulations

The Suruhanjaya Syarikat Malaysia (SSM), or Companies Commission of Malaysia, serves as the primary regulator overseeing corporate governance and compliance in the country. It is responsible for company incorporation and registration, enforcing the Companies Act 2016, maintaining corporate records and public registers, and investigating or prosecuting instances of non-compliance.

To remain compliant, companies must meet several key SSM requirements. These include filing their annual return within 30 days of the company’s anniversary date, submitting audited or unaudited financial statements within 30 days of circulation to members, and updating their beneficial ownership records within 14 days of any change. Additionally, companies are required to maintain statutory registers of members, directors, secretaries, and beneficial owners in accordance with the Act.

Lembaga Hasil Dalam Negeri (LHDN) – Inland Revenue Board

The Inland Revenue Board of Malaysia (LHDN/IRBM) oversees tax compliance by requiring:

Submission of corporate tax returns (Form C) within seven months of the financial year-end.
Audited financial statements for tax assessment purposes.
Proper maintenance of accounting records for seven years.
Transfer pricing documentation for related-party transactions.

While the Companies Commission of Malaysia (SSM) mandates audits for corporate governance, LHDN requires audited accounts for tax assessment, resulting in dual compliance obligations, even for some audit-exempt companies. Other key regulatory bodies overseeing audit compliance include:

Malaysian Institute of Accountants (MIA).
Securities Commission Malaysia (SC).
Bank Negara Malaysia (BNM).
Audit Oversight Board (AOB).

Latest trends and regulatory updates

Revised audit exemption criteria (Effective 1 January 2025)

The Companies Commission of Malaysia (SSM) implemented Practice Directive No. 10/2024, introducing significantly expanded audit exemption thresholds aimed at reducing compliance costs for small and medium enterprises (SMEs).

New Exemption Thresholds (Phased Implementation)

Criteria	Phase 1 (2025)	Phase 2 (2026)	Phase 3 (2027 onwards)
Annual Revenue	≤ RM1,000,000	≤ RM2,000,000	≤ RM3,000,000
Total Assets	≤ RM1,000,000	≤ RM2,000,000	≤ RM3,000,000
Number of Employees	≤ 10	≤ 20	≤ 30

Companies must meet any two out of three criteria for the current and two preceding financial years. An estimated 42 percent of active companies may qualify for audit exemption under the final phase criteria, significantly reducing audit costs for eligible SMEs.

Enhanced beneficial ownership reporting

As of 1 April 2024, Malaysia mandated enhanced beneficial ownership (BO) disclosure requirements through the Companies (Amendment) Act 2024:

Expanded BO definition: Includes individuals with ultimate effective control (not just shareholding).
Mandatory e-BOS submission: All companies must submit BO information electronically.
Public access facility: Launched 28 January 2025, allowing authorized parties to access BO information.

SSM Intensified Enforcement

SSM announced a phased enforcement timeline for non-compliant companies:

July 2025: Show-cause letters to non-compliant company secretaries
August 2025: Issuance of compounds under Section 259(1)
Post-September 2025: Full enforcement actions including striking off

MBRS 2.0 and Digital Filing Enhancements

The Malaysian Business Reporting System (MBRS) 2.0 streamlines annual return and financial statement submissions, with Phase 3 implemented in May 2025, including mandatory BO information for Limited Liability Partnerships (LLPs).

Which companies are required to be audited in Malaysia?

Private Limited Companies (Sdn. Bhd.)

All private limited companies (Sdn. Bhd.) incorporated under the Companies Act 2016 are required to appoint an auditor and prepare audited financial statements annually, unless they qualify for audit exemption.

Obligations:

Appoint auditor at any time before the first Annual General Meeting (AGM).
Prepare financial statements within 6 months of financial year-end.
Circulate audited statements to shareholders.
Lodge with SSM within prescribed timelines.

Audit Exemption Available: Private companies meeting specific size thresholds (discussed in detail below) may apply for audit exemption starting 1 January 2025 under Practice Directive No. 10/2024.

Public Limited Companies

All public companies (listed and unlisted) are mandated to conduct statutory audits without exception, regardless of size or revenue. Additional Requirements for Listed Companies:

Quarterly financial reporting.
Compliance with Bursa Malaysia Listing Requirements.
Enhanced corporate governance disclosures.
Audit committee establishment and oversight.

Foreign and branch offices

Foreign Companies registered in Malaysia under Part VII of the Companies Act 2016 must:

Appoint a local agent.
Lodge annual accounts with SSM.
Ensure accounts are audited in accordance with approved accounting standards.
File audited accounts within 30 days of lodgement in home country or within 12 months of financial year-end, whichever is earlier.

Branch offices may submit:

Audited accounts of the parent company (acceptable if prepared under recognized accounting standards).
And Malaysian branch financial statements.

Audit exemption criteria in Malaysia

Small companies

Audit Exemption Criteria Table
Financial Year	Revenue Threshold	Asset Threshold	Employee Threshold	Qualifying Condition
2025	≤ RM1,000,000	≤ RM1,000,000	≤ 10 employees	Meet any 2 of 3 criteria
2026	≤ RM2,000,000	≤ RM2,000,000	≤ 20 employees	Meet any 2 of 3 criteria
2027 onwards	≤ RM3,000,000	≤ RM3,000,000	≤ 30 employees	Meet any 2 of 3 criteria

Thresholds must be met for the current financial year and the two preceding financial years.

Example: A company with financial year ending 31 December 2025 must meet the criteria for FYE 2025, 2024, and 2023 to be exempt in 2025.

Dormant companies

Eligibility Criteria:

Company has been dormant since incorporation, OR
Company has been dormant during current and previous financial year.

Newly Incorporated Companies

Special Provisions:

Companies incorporated during the financial year are not required to file annual return in the calendar year of incorporation (Section 68(1)).
First financial statements must be prepared within 18 months of incorporation.
Audit obligation begins from first financial year-end.

Practical Timeline Example:

Company incorporated: 15 March 2025.
First financial year-end: 31 December 2025 (within 18 months of incorporation).
First annual return due: 15 March 2026 (anniversary date).

How to apply for audit exemption and documentation required

Step 1: Assess Eligibility

Calculate revenue, assets, and employee count for current and two preceding years.
Verify that company meets any two out of three criteria consistently.

Step 2: Board Resolution

Directors must pass a resolution electing for audit exemption.
Document rationale and eligibility assessment.

Step 3: Prepare Unaudited Financial Statements

Financial statements must still comply with MPERS or MFRS.
Prepared by a professional accountant qualified under Accountants Act 1967.
Accountant must confirm compliance with approved accounting standards.

Step 4: Lodge with SSM

Submit through Malaysian Business Reporting System (MBRS).
Include:

Unaudited financial statements.
Directors' report.
Certificate of compliance (Section 254).

Lodge within 30 days of circulation to members.

Required documentation:

Completed MBRS filing forms.
Unaudited financial statements (balance sheet, profit/loss, notes).
Directors' report.
Certificate from directors confirming audit exemption eligibility.
Professional accountant's confirmation of compliance.

When exemption can be revoked by SSM

Audit exemption is automatically revoked if:

Company no longer meets the qualifying criteria (breaches thresholds in any subsequent year).
Company ceases to be dormant (commences trading or other disqualifying transactions).
Company becomes a subsidiary of a public company.
Company is required by regulatory authorities (e.g., Bank Negara, Securities Commission) to submit audited accounts.
Shareholders holding ≥10 percent of total votes request an audit (Section 266).

SSM may revoke exemption if:

False or misleading information provided in exemption application.
Company's financial position poses public interest concern.
Company under investigation for financial irregularities.

Company must immediately appoint an auditor and prepare audited financial statements for the relevant financial year. Even if eligible for audit exemption, banks and lenders may still require audited financial statements as a condition for:

Loan facilities.
Credit lines.
Trade financing.

Beneficial ownership and transparency requirements

A beneficial owner is a natural person (not a company or trust) who meets one or more of the following criteria:

Criteria A: Holds directly or indirectly ≥20 percent of the shares.
Criteria B: Holds directly or indirectly ≥20 percent of the voting shares.
Criteria C: Has the right to exercise ultimate effective control over the company or its directors/management (whether formal or informal).
Criteria D: Has the right or power to directly or indirectly appoint or remove director(s) holding majority voting rights.
Criteria E: Is a member and, under agreement with another member, controls alone a majority of voting rights.
Criteria F: Holds <20 percent of shares/voting shares but exercises significant control or influence over the company.

Criteria C and F significantly broaden BO identification beyond simple shareholding, capturing individuals who exert de facto control through informal influence, contractual rights, or other mechanisms.

If no BO can be identified, companies must report their senior management (typically CEO, CFO, Managing Director) as the BO of last resort.

Under Section 56 of the Companies Act 2016 (as amended by the Companies (Amendment) Act 2024), all Malaysian companies must:

Identify their beneficial owners (BOs).
Maintain a Register of Beneficial Owners at the registered office.
Report BO information to SSM through the Electronic Beneficial Ownership System (e-BOS).
Update the register and notify SSM within 14 days of any changes.

Beneficial ownership compliance for foreign shareholders

When a company has foreign corporate shareholders (e.g., a Singapore company holding shares in a Malaysian Sdn. Bhd.), the Malaysian company must look through the corporate structure to identify the ultimate natural person(s) with beneficial ownership.

Procedure:

Request BO information from the foreign corporate shareholder in writing.
The foreign entity must respond within 30 days with BO details.
Trace ownership through multiple corporate layers until natural person(s) identified.
If foreign entity refuses to provide information, report to SSM and record the refusal.

For foreign shareholders with multi-layered ownership (holding companies, trusts, nominees), companies must:

Obtain organizational charts and shareholder registers from foreign entities.
Identify ultimate beneficial owners meeting the 20 percent threshold (direct + indirect).
Document the chain of ownership in the BO register.
Update when changes occur at any level of the structure.

If the foreign shareholder is a listed company on a recognized stock exchange, the Malaysian company may report:

The senior management of the listed company (CEO, CFO); or,
State that BO information is publicly available through stock exchange disclosures.

Accounting standards and fiscal periods

The Malaysian Financial Reporting Standards (MFRS) and the Malaysian Private Entities Reporting Standards (MPERS) form the two main financial reporting frameworks in Malaysia. MFRS is fully aligned with the International Financial Reporting Standards (IFRS) and is mandatory for public interest entities (PIEs) such as listed companies, financial institutions, and large corporations. It features detailed disclosure, fair value measurement, and consolidation requirements—suitable for entities with complex transactions and higher public accountability.

In contrast, MPERS is a simplified framework based on the IFRS for SMEs, designed for private companies without public accountability. It offers reduced disclosure and simpler accounting treatments, making it easier for smaller entities to comply. The revised MPERS 2025, issued in October 2025, further aligns with international updates.

Malaysian companies also have flexibility in choosing their financial year-end (FYE), with common dates such as 31 December, 31 March, or 30 June. The choice often depends on business cycles, parent company alignment, tax planning, and audit scheduling. Any change in FYE must be approved by the board, reported to the Companies Commission of Malaysia (SSM) within 30 days, and communicated to auditors and the tax authority (LHDN).

Penalties for non-compliance in Malaysia

Type of Non-Compliance	Penalties	SSM Enforcement Actions / Additional Notes
Failure to lodge financial statements with SSM within 30 days after circulation	Company: Fine up to RM 50,000 Continuing offense: Additional RM 1,000 per day after conviction Every officer in default: Personally liable for similar fines	Issuance of compound notices Show-cause letters to company secretary Potential suspension of company secretary’s license Company may be struck off the register if non-compliance exceeds 3 years
Directors fail to prepare financial statements within 6 months of financial year-end	Each director: Fine up to RM 50,000, or imprisonment up to 3 years, or both Civil liability – Directors may be sued by members for losses caused by non-compliance	Reflects breach of directors’ fiduciary duties under the Companies Act.
Failure to keep and maintain proper accounting and other records	Company and every officer in default: Fine up to RM 50,000, or imprisonment up to 3 years, or both	Non-compliance may result in audit qualifications, regulatory investigations, and potential legal action by authorities or shareholders.

Specific register violations

Register	Offense	Penalty
Register of Members	Failure to maintain or update (Section 50)	Fine up to RM 50,000
Register of Directors	Failure to maintain or update (Section 57)	Fine up to RM 50,000
Register of Beneficial Owners	Failure to maintain (Section 56)	Fine up to RM 20,000 + RM 500/day continuing
Register of Beneficial Owners	False/misleading info (Section 56)	Fine up to RM 3,000,000 OR imprisonment up to 10 years OR both

Under the Companies Act 2016, directors are personally responsible for statutory compliance and may be disqualified for persistent filing defaults, bankruptcy, or convictions involving fraud or offenses under the Act, notwithstanding any delegation of duties. Disqualification generally prohibits acting as a director, promoter, or manager for up to five years, with breaches punishable by imprisonment of up to five years, fines of up to RM500,000, or both. To encourage compliance, the Companies Commission of Malaysia administers a compound regime allowing certain offenses to be settled without prosecution upon payment of prescribed sums, failing which court action may be taken.