Quick guide: This intro helps businesses check whether they must appoint a licensed auditor for their financial statements under the Companies Act 2016, as enforced by the Companies Commission of Malaysia (SSM).
Most companies must follow audit requirements unless they meet an exemption. Since January 1, 2025, private firms qualify if they satisfy any two of three limits across the current and two prior financial years: annual revenue ≤ RM3,000,000; total assets ≤ RM3,000,000; or employees ≤ 30.
Legacy paths still allow exemptions for dormant or zero-revenue cases under specific conditions. Public entities keep stricter rules, including mandatory AGMs and different filing timelines.
Financial statements must follow MFRS or MPERS and be filed digitally via MBRS (XBRL). Non-compliance can lead to fines up to RM30,000 or imprisonment for severe breaches. Use this buyer’s guide to quickly confirm requirements, plan compliance, and avoid penalties.
Key Takeaways
- Private firms may be exempt if they meet two of three 2025 limits across three years.
- SSM enforces rules set by the Companies Act 2016; public firms face stricter duties.
- Financial reporting follows MFRS/MPERS and MBRS (XBRL) digital filing.
- Legacy exemptions cover dormant or zero-revenue scenarios in narrow cases.
- Non-compliance risks include fines and possible imprisonment for serious breaches.
Buyer’s Guide Overview: What “audit required” means for Malaysian businesses today
This buyer’s guide clarifies when statutory reviews of financial records apply to Malaysian firms.
Key regulators set the rules. The companies act 2016, enforced by the companies commission malaysia, requires most companies to have their accounts checked by a Ministry of Finance‑approved auditor.
Private companies may qualify for audit exemption if they meet exemption criteria. Certain private companies follow MPERS while entities with public accountability use MFRS. All audit work must follow Malaysian Approved Standards on Auditing issued by MIA.
Private firms no longer must hold AGMs, though public companies still do. Whether an audit is required depends on records, statements, and the two‑of‑three test introduced for 2025.
| Item | Who | Standard | Action |
|---|---|---|---|
| Public firms | Listed or public interest | MFRS | Annual audited statements, AGM |
| Private firms | Many small businesses | MPERS | Prepare accounts; check if exemption applies |
| Exempt eligible | Certain private companies | MPERS / simplified reporting | Maintain records; file as required |
- Follow regulations set by companies commission and audit standards.
- Keep clear accounts and prepare director’s report and statements annually.
- Map your status early so you can plan submissions without surprises.
Regulatory Basics: Companies Act 2016, SSM oversight, and who must be audited
The act 2016 sets clear expectations: nearly all firms must appoint an approved auditor, subject to narrow exceptions.
Who the rules cover
Under companies act 2016, companies must engage a Ministry of Finance‑approved auditor and prepare audited financial statements unless a valid exemption applies.
Public versus private
Public companies face stricter duties. They must hold annual general meetings and lodge accounts on a tighter schedule.
Private companies no longer need an AGM. Their auditor appointment and filings occur without that meeting, though records still must be kept.
Standards and filings
Financial reporting follows MFRS or MPERS as applicable. Audits use Malaysian Approved Standards on Auditing issued by MIA.
All statements and accounts are filed to companies commission malaysia via MBRS in XBRL format.
Timelines and practice
Private firms must finalise financial statements within six months of the financial year‑end.
Public firms must prepare statements within 30 days after the AGM, which itself must occur within six months of year‑end.
| Type | Obligation | Standard | Deadline |
|---|---|---|---|
| Public company | Appoint auditor; audited statements; hold AGM | MFRS; MIA auditing standards | AGM within 6 months; statements within 30 days after AGM |
| Private company | Appoint auditor unless exempt; prepare statements | MPERS or MFRS | Statements within 6 months of financial year‑end |
| Exempt eligible | Maintain records; may avoid audit if criteria met | MPERS / simplified reporting | Follow SSM filing rules; MBRS where required |
- Know obligations under the companies act and follow SSM regulations.
- Apply correct standards so audits meet professional requirements.
- Plan calendar by financial year and auditor availability for smooth compliance across years.
When Does a Company Need an Audit in Malaysia? (Threshold Explained)
Certain private entities qualify to skip statutory checks if they satisfy defined exemption tests. Read on for legacy paths, the 2025 update, who is excluded, and what happens when you outgrow limits.
Legacy exemptions: dormant, zero-revenue, and tight thresholds
Dormant status can grant an audit exemption if no accounting transactions occurred since incorporation, or the firm was dormant in the current and immediate past financial years.
Zero‑revenue relief is strict: revenue must equal zero and total assets must not exceed RM300,000 across the current financial year and the past two.
Older threshold-qualified rules capped revenue at RM100,000, assets at RM300,000, and employees at five for the same multi‑year period.
2025 update: two-of-three test
From January 1, 2025, exemption hinges on meeting any two of three criteria across the current financial year and the past two financial years: revenue ≤ RM3,000,000; total assets ≤ RM3,000,000; employees ≤ 30.
| Rule | Legacy limits | 2025 two-of-three |
|---|---|---|
| Revenue | ≤ RM100,000 | ≤ RM3,000,000 |
| Total assets | ≤ RM300,000 | ≤ RM3,000,000 |
| Employees | ≤ 5 | ≤ 30 |
Exclusions and ceasing to qualify
Exemptions do not apply to public companies, a private company that is a subsidiary of a public company, foreign companies, or certain private companies that lodge a section 260 certificate under the act 2016.
If growth pushes the company past any applicable limit, the exemption stops going forward. The firm stays exempt only for years it met the exemption criteria; audits are required thereafter.
- Practical tip: keep clear records of revenue, total assets, and employees for the current financial year and the past two to prove exemption status.
How to determine your audit position this year: A practical path to compliance
Start by pulling together your firm’s revenue, asset totals, and headcount for the last three reporting periods. Use year-end figures so each year is measured the same way.
Your data checklist
- Record revenue for the current financial period and the past two financial years.
- List total assets from the statement of financial position for each year.
- Note number employees at each year‑end; use payroll or headcount records.
Edge cases
Dormant since incorporation follows legacy rules and differs from temporary inactivity. Zero‑revenue firms must still meet the legacy asset test to qualify for exemption criteria.
If an audit is required
If your company fails the two‑of‑three test, shortlist a Ministry of Finance‑approved auditor with MBRS/XBRL experience. Prepare statements under MFRS or MPERS and allow time for audit fieldwork so you can meet the six‑month filing window.
Practical tip: SMEs should keep a running file of the past two comparisons, current financial calculations, and supporting schedules to prove audit exemption or speed up compliance if an auditor is needed.
Staying compliant beyond the threshold: Financial statements, MBRS/XBRL, and penalties
Meeting exemption tests is only one step; staying compliant means preparing and filing the right documents on time and in the correct format.
Preparing and lodging
Annual submissions commonly include the director’s report, financial statements, statements by directors, paid-up capital details, a statutory declaration by the responsible officer, and the auditor’s report where applicable. Assemble these items early to reduce last-minute errors.
MBRS requires XBRL conversion for digital lodgement to SSM. Convert your accounts into XBRL and validate the file before submission to avoid rejections. Even exempt private companies must keep accurate accounts and file via MBRS when required.
Deadlines and consequences
Private companies must prepare financial statements within six months of the financial year-end. Public companies finalise statements within 30 days after the AGM, which itself must occur within six months of year-end.
Late submission of statements risks fines up to RM2,000. Failure to submit audited financial statements can lead to fines up to RM30,000 or imprisonment up to five years. Keep consistent standards and clear records of assets and disclosures, especially when comparing figures across two financial years.
- Checklist: director’s report, financial statements, auditors’ report (if audited), statutory declaration, paid‑up capital details.
- File via MBRS: convert to XBRL and validate before upload.
- Track deadlines: add year-end close, MBRS window, and two-year comparisons to your compliance calendar.
Conclusion
Plan now: confirm whether revenue, assets and headcount keep your firm within exemption limits across three years. ,
The 2025 two-of-three rule lets qualifying private companies skip statutory checks if they meet two of: revenue ≤ RM3,000,000; total assets ≤ RM3,000,000; or employees ≤ 30 across the current and past two financial years.
Remember that public entities and certain subsidiaries remain outside this relief. Prepare statements under MFRS or MPERS, lodge via MBRS, and follow the companies act and act 2016 requirements to avoid fines or worse.
For smes planning growth, watch staff counts, sales and asset moves. Treat compliance as routine: tidy accounts, set deadlines, and seek help early so audits and filings become predictable and support long-term growth.
FAQ
What triggers a statutory audit under the Companies Act 2016?
The Companies Act 2016 requires annual audits for public companies and for private companies that do not meet audit exemption criteria. Private entities must undergo audit if they fail the two‑of‑three test across the current and previous two financial years: revenue above RM3,000,000, total assets above RM3,000,000, or more than 30 employees. If two of those limits are exceeded in any of those years, audited financial statements are mandatory.
Which entities are permanently excluded from claiming audit exemption?
Public companies, certain subsidiaries, licensed financial institutions, and foreign companies registered in Malaysia cannot claim the private‑company audit exemption. Other exclusions include companies required by regulators or specific legislation to produce audited accounts and entities holding public interest functions.
How does the two‑of‑three test work across financial years?
Apply the three metrics—revenue, total assets, and employee count—for the current financial year plus the two preceding years. If at least two metrics exceed the RM3,000,000 or 30‑employee thresholds in any of those years, the company loses exemption and must appoint a licensed auditor to prepare audited financial statements for that year.
Can a company be audit‑exempt if it has zero revenue or is dormant?
Dormant companies or those with zero revenue may qualify for exemption if they meet the two‑of‑three thresholds across the relevant years. However, dormant status must be genuine and properly documented. If the company has significant assets or employees despite zero revenue, it may still fail the test and require an audit.
What happens if a company crosses a threshold mid‑financial year?
Qualification is assessed by full financial‑year metrics. If the company breaches thresholds during a year, it may need audited accounts for that financial year. Directors should consult an auditor early and prepare to appoint one if projections indicate loss of exemption.
What financial reporting standards apply to audited statements?
Audited financial statements must follow Malaysian Financial Reporting Standards (MFRS) or the Malaysian Private Entities Reporting Standard (MPERS), depending on the company’s profile. Audits follow Malaysian Approved Standards on Auditing issued by the Malaysian Institute of Accountants.
What documents must be filed with SSM after an audit?
After audit, directors must lodge the audited financial statements and directors’ report with the Companies Commission of Malaysia (SSM). Many companies also need to submit accounts via MBRS/XBRL, depending on their size and classification, within statutory filing deadlines.
Who can perform statutory audits in Malaysia?
Only auditors licensed and approved under Malaysian law—typically members of a recognized professional body such as the Malaysian Institute of Accountants—may perform statutory audits. For certain regulated sectors, auditors may require additional approvals from the Ministry of Finance or other regulators.
What are the penalties for failing to prepare or file audited accounts?
Non‑compliance can lead to fines, director liability, and in severe cases, imprisonment. SSM enforces filing rules and may take action for late or absent audited statements. Timely engagement with an auditor and proactive reporting reduce risk of penalties.
How should a small business prepare if audit is required for the first time?
Start by compiling a clear data checklist: revenue records, detailed asset schedules, payroll and headcount records for the current and prior two financial years. Engage a licensed auditor early, align accounting records to MFRS or MPERS, and ensure directors’ reports and supporting schedules are ready for audit.
Does the RM3,000,000 threshold apply to consolidated or separate financial statements?
The assessment typically applies at the company level. For groups, rules consider whether the parent or subgroup is required to prepare consolidated accounts and whether subsidiaries fall under exclusions. Seek professional advice to determine treatment for group structures and consolidated thresholds.
Are there transitional rules for new thresholds introduced in 2025?
Updates rolled out in 2025 implemented the two‑of‑three test across the current and prior two years. Transitional arrangements may apply for companies with limited histories; directors should review SSM guidance and consult auditors to confirm application to their specific financial years.
How often must auditors be appointed and reported to SSM?
Auditors must be appointed annually at the company’s annual general meeting or by the board if permitted. Any change in auditor must be notified to SSM within prescribed timelines. Ensure engagement letters and statutory notices comply with Companies Act 2016 requirements.
What is the role of MBRS/XBRL in audited financial filing?
MBRS (Malaysian Business Reporting System) using XBRL is the mandated electronic filing format for many companies. Audited financial statements prepared under MFRS/MPERS often need MBRS/XBRL tagging for SSM lodgement. Verify SSM thresholds and filing categories to determine if MBRS submission applies.
