Contents of Transition cum Amendment Module for May 2018 Exams

(Each topic is marked with its relevance for the New Syllabus and the Old Syllabus.)

Module I
Chapter 1: Quality Control & Engagement Standards
• SA 700 (Revised), 701, 705 (Revised) & 706 (Revised): already covered in Old Books [New: Yes, Old: Yes]
Chapter 2: Audit Strategy, Planning & Programming
• Audit Execution [New: Yes, Old: Yes]
Chapter 3: Risk Assessment and Internal Control
• Internal Control Structure [New: Yes, Old: Yes]
• Key Components to assess and Evaluate Control Environment [New: Yes, Old: Yes]
• Framework of Internal Controls (COSO, COBIT, COCO, SOX-404) [New: Yes, Old: Yes]
Chapter 6: Audit in an Automated Environment [New: Yes, Old: No]

Module II
Chapter 7: Professional Ethics
• Overview of Code of Ethics [New: Yes, Old: Yes]
• Fundamental Principles to be followed by an Accountant [New: Yes, Old: Yes]
• Threats in Compliance of Fundamental Principles and Safeguards [New: Yes, Old: Yes]

Module III
Chapter 8: Company Audit
• Audit of LLP [New: Yes, Old: No]

Module IV
Chapter 18: Audit under Fiscal Laws
• Clause 31 of Form 3CD [New: Yes, Old: Yes]
• Audit under GST Laws [New: Yes, Old: Yes]
Chapter 20: Investigation and Due Diligence
• Forensic Audit [New: Yes, Old: No]
Chapter 21: Peer Review
• Quality review [New: Yes, Old: No]
Chapter 22: Special Audit Assignments
• Audit of Stock and Debtors (Unit Inspection) [New: Yes, Old: No]

Module V
Chapter 24: Audit of Insurance Companies
• Audit Procedures in case of Life Insurance Business [New: Yes, Old: No]
Chapter 25: Audit of NBFC
• Prudential Norms [New: Yes, Old: No]
Chapter 28: Audit of PSU
• Elements and Principles of PSU Auditing [New: Yes, Old: Yes]

Chapter 2 – Audit Strategy, Planning & Programming

STAGES OF AUDIT EXECUTION


Stage - I: Execution Planning
• In order to carry out the audit in an effective, efficient & timely manner, auditors need to plan the work, and a detailed audit program should be prepared covering the audit objectives, scope and audit approach.
• During execution planning, the auditor should consider the manpower requirement, qualification of members of ET, time factor etc.

Stage - II: Risk and Control Evaluation
The auditor needs to conduct a detailed assessment of risk and control as per the requirements of SA 315. Steps involved in assessment of risk are:
• List the risks that need to be reviewed for each segment of audit.
• Capture for each risk the controls that exist or those that are needed.
• Determine the steps required to test the effectiveness of each control.
Note: While making the Risk & Control assessment, the auditor needs to consider the Materiality levels.

Stage - III: Testing
• As required by SA 330, the auditor should test the operating effectiveness of the controls to determine whether controls are operating as designed.
• The auditor should perform appropriate substantive procedures (Tests of Details and SAP) so as to collect sufficient appropriate audit evidence w.r.t. completeness, accuracy and validity of accounting data.

Stage - IV: Reporting
• The auditor should review and assess the conclusions drawn from the audit evidence obtained as the basis for the expression of an opinion on the financial statements. The opinion so formed should be expressed in the form of an audit report as required by SA 700.
• The auditor’s report should contain a clear written expression of opinion on the financial statements taken as a whole.

Chapter 3 – Risk Assessment and Internal Control
Internal Control

Internal Control structure
Internal Control structure in an organization refers to the policies and procedures established by the entity to provide reasonable assurance that the objectives are achieved. The control structure in an organization basically has the following components:
1. Control Environment - Control environment covers the effect of various factors like management attitude, awareness and actions for establishing, enhancing or mitigating the effectiveness of specific policies and procedures.
2. Accounting System - Accounting system means the process by which transactions are processed for maintaining financial records. The accounting system identifies, assembles, analyzes, calculates, classifies, records, summarizes and reports transactions and other events.
3. Control Procedure - Control procedures are those policies and procedures, in addition to the control environment and accounting systems, which the management has established to achieve the entity’s specific objectives. Such policies and procedures cover the following:
• Segregation of duties.
• Authorisation of Transactions.
• Adequacy of records and documents.
• Accountability and safeguarding of assets.
• Independent checks.

Key components to assess and evaluate the control environment
1. Enterprise Risk Management: An organization having robust processes to identify & mitigate risks across the entity, with periodical review of those processes, is assisted in early identification of weaknesses in internal control and in taking effective control measures. In such entities, surprises from failures in controls are likely to be few.
2. Segregation of Job Responsibilities: Segregation of duties is an important element of control which ensures that no two commercial activities are conducted by the same person.
3. Job Rotation in Sensitive Areas: In key commercial functions, job rotation is regularly followed to avoid degeneration of controls.
4. Documents of delegation of Financial Powers: A document on delegation of powers allows controls to be clearly operated without being dependent on individuals.
5. IT based Controls: In an IT environment, it is much easier to embed controls through the system instead of making them human dependent. IT embedded controls are likely to have a low failure rate and a better audit trail, and are thus easier to monitor.

Frameworks of Internal Controls

COSO Framework
The COSO Framework is designed to be used by organizations to assess the effectiveness of the system of internal control to achieve objectives as determined by management. The Framework lists three categories of objectives as below:

(a) Operations Objectives: Operations objectives are related to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding of assets.
(b) Reporting Objectives: Reporting objectives are related to internal and external financial and non-financial reporting to stakeholders, which would encompass reliability, timeliness, transparency, or other terms as established by regulators, standard setters, or the entity’s policies.
(c) Compliance Objectives: Compliance objectives are related to the entity’s compliance with applicable laws and regulations.

Components and Principles prescribed by COSO Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework includes 17 principles representing the fundamental concepts associated with its five components. These components and the associated principles are:

Component: Risk Assessment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Component: Control Environment
6. Specifies suitable objectives
7. Identifies and analyses risk
8. Assesses fraud risk
9. Identifies and analyses significant change

Component: Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Component: Monitoring
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Component: Information and Communication
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

CoCo
The CoCo (criteria of control) framework was first published by the Canadian Institute of Chartered Accountants in 1995. This model builds on COSO and is thought by some to be more concrete and user-friendly. CoCo describes internal control as actions that foster the best result for an organization. These actions, which contribute to the achievement of the organization’s objectives, focus on:
• effectiveness and efficiency of operations;
• reliability of internal and external reporting;
• compliance with applicable laws and regulations and internal policies.
CoCo indicates that control comprises: “Those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.”
The CoCo framework outlines criteria for effective control in the following four areas:
• Purpose
• Commitment
• Capability
• Monitoring and Learning
In order to assess whether controls exist and are operating effectively, each criterion would be examined to identify the controls that are in place to address them.

COBIT
• COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management. It is meant to be a supportive tool for managers and allows bridging the crucial gap between technical issues, business risks and control requirements.
• Business managers are equipped with a model to deliver value to the organization and practice better risk management practices associated with the IT processes.
• It is a control model that guarantees the integrity of the information system. Today, COBIT is used globally by all managers who are responsible for the IT business processes. It is a thoroughly recognized guideline that can be applied to any organization across industries.
• Overall, COBIT ensures quality, control and reliability of information systems in an organization, which is also the most important aspect of every modern business.

SOX – Sec. 404
SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.

The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting.
The SEC rules and PCAOB standard require that:
• Management perform a formal assessment of its controls over financial reporting including tests that confirm the design and operating effectiveness of the controls.
• Management include in its annual report an assessment of Internal Controls over Financial Reporting.
• The external auditors provide two opinions as part of a single integrated audit of the company:
1. An independent opinion on the effectiveness of the system of Internal Controls over Financial Reporting.
2. The traditional opinion on the financial statements.

Important Questions
Q. No. 1: Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework includes 17 principles representing the fundamental concepts associated with its five components. List these principles.
HINT: Refer COSO Framework
Q. No. 2: Write a short note on: Control Objectives for Information and Related Technology (CoBIT)
Framework.
HINT: Refer CoBIT Framework.

Chapter 6 - Audit in an Automated Environment

Meaning & Components of Automated Environment


Meaning
Automated Environment may be defined as a system within an overall business environment which comprises people, processes and technology.
• Automated Environment is driven by computer-based systems with a number of layers (components) used.
• The Investment portfolio of Life Insurance companies comprises Shareholders’ funds and Policyholders’ funds.
• Policyholders’ funds can further be segregated as linked and non-linked. Investment regulations are prescribed for different categories of investments.
IRDA (Investment) Regulations, 2000 gives details of the pattern in which funds of the Life Insurance business should be kept invested at any given point of time.

Components of Automated Environment
1. Business Applications like Tally, Tally ERP, SAP R/3, Business Suite.
2. Database like Oracle 12g, MS-SQL Server.
3. Operating Systems like Windows, UNIX.
4. Storage Devices like disks, tapes, NAS (Network Attached Storage).
5. Network devices like switches, routers.
6. Networks like LAN, WAN, VPN etc.
7. Physical and Environmental Components like CCTVs, temperature controls, firefighting equipment etc.

Real-Time Environment
• Real Time Environment is a type of automated environment in which business operations and transactions are initiated, processed and recorded on a real-time basis, i.e. immediately on their occurrence.
• Examples of such environments are Airlines and Railway Reservations, Core Banking, E-Commerce, ERP etc.
• Real Time Environment facilitates anytime, anywhere transactions. For this purpose, it is essential to have the systems, networks and applications available at all times.

IT Components required in Real Time Environment
1. Applications like ERP, Core Banking etc.
2. Middleware like web servers.
3. Networks like WAN, Internet hosting.
4. Hardware like Data centers, storage devices, power supply etc.

Auditing in an Automated Environment


Understanding of Automated Environment
As required by SA 315, the auditor is required to obtain an understanding of the entity and its environment as a part of the Risk Assessment procedure to identify and assess the Risk of Material Misstatements. In an automated environment, the auditor is required to obtain an understanding of the following:

1. Applications being used by the entity;
2. IT infrastructure components for each of the applications;
3. Organisation structure and governance;
4. Policies, procedures and processes followed;
5. IT risks and controls.

Documenting the understanding
As required by SA 230, the auditor is required to document the understanding of a company’s automated environment.

Considerations of automated environment in different stages of Audit
1. Risk Assessment: Consider risk arising from use of IT Systems.
2. Understanding of the Business: Consider use of IT Systems and Applications.
3. Assessing Entity Level Controls: Consider aspects related to
• understanding and review of IT Governance,
• Segregation of duties,
• Review of General IT Controls and Application Controls.
4. Assessing Process Level Controls: Consider aspects relating to Risks and Controls with each process, sub-process and activity.
5. Testing of Reports & Information produced by the entity at completion stage: Consider the evaluation of control deficiencies using Data Analytics.

Important Questions
Q. No. 1: SA 315 requires the auditor to obtain an understanding of the entity and its environment as a part of Risk Assessment procedure to identify and assess Risk of Material Misstatements. List the areas of which the auditor is required to obtain an understanding in an automated environment.
HINT: Refer the topic “Understanding of Automated Environment”.
Q. No. 2: In a controls-based audit, the audit approach can be classified into three broad phases comprising
of planning, execution, and completion. In this approach, the considerations of automated
environment will be relevant at every phase. Comment.
HINT: Refer the topic “Considerations of automated environment in different stages of Audit”

Enterprise Risk Management


Risk
• Risk is the possibility that something could go wrong, which in turn prevents an entity from achieving business objectives.
• Due to increased use of technology, new regulatory requirements, globalization etc., most businesses operate in a dynamic environment, due to which associated risks to business have also increased and a need arises to manage those risks.

Examples of Risk
1. Market Risks
2. Regulatory and Compliance Risks
3. Technology Risks
4. Financial Reporting Risks
5. Operational Risk
6. Credit Risk
7. Environmental Risks
8. Product Risks

Risk Management
Risk Management is a combination of people, processes, tools and techniques through which an entity identifies, assesses, responds to, mitigates and monitors risks.

Enterprise Risk Management (ERM)
ERM is a formal program that is implemented across an enterprise for enabling risk management. In many countries, companies are required to have a formal ERM Program as a statutory requirement.
In India, Sec. 134(3) of Companies Act, 2013 requires the Board of Directors to include in their report a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.

Risk Assessment Process
Risk Assessment Process is the most critical component of ERM. The entity’s risk assessment process forms the basis for how management determines the risks to be managed.

Steps involved in Risk Assessment Process
Step 1 - Define Business Objectives and Goals.
Step 2 - Identify events that affect achievement of business objectives.
Step 3 - Assess likelihood and impact.
Step 4 - Respond and mitigate risks.
Step 5 - Assess Residual Risks.

Considerations of Risk Assessment Process
1. Qualitative and Quantitative Factors;
2. Definition of Key Performance and Risk Indicators;
3. Risk Appetite;
4. Risk Scores, Scales and Maps;
5. Use of Data & Metrics;
6. Benchmarking.

ERM vs Internal Control
The scope of an ERM program is much broader than an internal control framework as it encompasses both internal and external factors that are relevant to business strategy, governance, business process and transaction and activity level.
The scope of an internal control framework is generally limited to financial reporting, operations and compliance risks associated with an account balance, business process, transaction and activity level, which form a sub-set of the overall enterprise risks.
Existence of an appropriate system of internal control does not by itself provide an assurance to the Management that the entity has developed and implemented an appropriate risk management policy.
Hence, it can be concluded that the Internal control framework of a company is not separate; it is an integral part of an ERM program.

Commonly used framework for ERM
The most common framework that is suitable for implementing an effective ERM is the COSO Enterprise Risk Management – Integrated Framework developed by the Committee of Sponsoring Organisations (COSO) in 2004 and subsequently updated in 2016 to address the changes in business environment.
Besides the COSO framework, another widely available framework is the ISO 31000 Risk Management standard published by the International Organization for Standardization.

Important Questions
Q. No. 3: Briefly describe the various stages of a Risk Assessment process.
HINT: Refer the topic “Risk Assessment Process”.
Q. No. 4: Write short note on: Enterprise Risk Management.
HINT: Refer the topic “ERM and Commonly used framework for ERM”

Assessing IT Related Risks and Controls


Considerations in assessing IT Risks
As required by SA 315 & SA 330, the auditor should understand, assess and respond to the risks within an entity, including those risks that pertain to use of IT systems and applications in an automated environment. The auditor should consider the following while assessing IT risks:

1. Entity Level Risks
Entity Level Risks (Pervasive Risks) are related to Governance, Organization and Management of IT and require examination of the following aspects:
(a) Whether management has established an IT Security Policy;
(b) Whether the policy is being communicated to all employees;
(c) Whether relevant training has been provided to employees; and
(d) Whether management monitors adherence to the established policies.

2. Process Level Risks
Process Level Risks are related to risks in the IT processes and procedures being followed and require examination of the following aspects:
(a) Whether unauthorized changes to IT systems and applications are being prevented and detected in a timely manner; and
(b) Whether user access to systems is commensurate with the roles and responsibilities of the user.

3. Transaction Level Risks
Transaction Level Risks are related to IT risks at each layer of the automated environment and require examination of the following aspects:
(a) Whether direct data changes to databases are prevented; and
(b) Whether strong passwords are used in the operating system.

Controls required to mitigate IT Risks
As per SA 315, use of IT affects the way that control activities are implemented. From the auditor’s perspective, controls over IT systems are effective when they maintain the integrity of information and the security of the data such systems process, and include general IT controls, application controls and IT Dependent Controls.

1. General IT Controls
General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls. They apply to mainframe, mini frame, and end-user environments. General IT-controls that maintain the integrity of information and security of data commonly include controls over the following:
1. Data center and network operations.
2. System software acquisition, change and maintenance.
3. Program change.
4. Access security.
5. Application system acquisition, development, and maintenance.

2. Application Controls
• Application controls are manual or automated procedures that typically operate at a business process level and apply to the processing of individual applications.
• Application controls can be preventive or detective in nature and are designed to ensure the integrity of the accounting records.
• Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed.
• Examples of Application controls include the following:
1. Edit checks and Validation of input data.
2. Sequence Number checks.
3. Limit Checks.
4. Reasonableness Checks.
5. Mandatory Data Fields.

3. IT Dependent Controls
• These are manual controls that make use of some form of data or information or report produced from IT systems and applications.
• Though the control is performed manually, the design and effectiveness of such controls depend on the reliability of source data.
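
The five application controls listed above, as an added example that is not part of the original notes: a Python sketch that applies each check to a constructed batch of vouchers. The field names, chart of accounts, amount ceiling and open period are assumptions chosen for illustration.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed master data and thresholds (hypothetical, not from the notes).
CHART_OF_ACCOUNTS = {"1000", "2000", "4000", "5000"}
MANDATORY_FIELDS = ("voucher_no", "posting_date", "account", "amount", "prepared_by")
AMOUNT_LIMIT = Decimal("500000")                     # limit check ceiling
OPEN_PERIOD = (date(2018, 4, 1), date(2019, 3, 31))  # reasonableness window


def _blank(value):
    return value is None or str(value).strip() == ""


def check_voucher(v):
    """Return the application-control exceptions raised by one voucher."""
    # Mandatory data fields: reject before any other check is attempted.
    missing = [f for f in MANDATORY_FIELDS if _blank(v.get(f))]
    if missing:
        return ["mandatory field missing: " + ", ".join(missing)]

    errors = []
    # Edit checks and validation of input data: type, format, master data.
    try:
        amount = Decimal(str(v["amount"]))
        if not amount.is_finite():        # "NaN" and "Infinity" parse but are invalid
            raise InvalidOperation
    except InvalidOperation:
        amount = None
        errors.append("edit check: amount is not a number")
    try:
        posted = date.fromisoformat(str(v["posting_date"]))
    except ValueError:
        posted = None
        errors.append("edit check: posting_date is not YYYY-MM-DD")
    if str(v["account"]) not in CHART_OF_ACCOUNTS:
        errors.append("edit check: unknown account code")

    # Limit check: amount must be positive and within the ceiling.
    if amount is not None and not (Decimal("0") < amount <= AMOUNT_LIMIT):
        errors.append("limit check: amount outside 0 < amount <= %s" % AMOUNT_LIMIT)
    # Reasonableness check (assumed rule): posting date inside the open period.
    if posted is not None and not (OPEN_PERIOD[0] <= posted <= OPEN_PERIOD[1]):
        errors.append("reasonableness check: posting date outside open period")
    return errors


def check_sequence(vouchers):
    """Sequence number check: duplicates and gaps across the whole batch."""
    seen, duplicates = set(), set()
    for v in vouchers:
        number = str(v.get("voucher_no", "")).strip()
        if not number.isdigit():
            continue
        n = int(number)
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return sorted(duplicates), gaps


def run_controls(batch):
    """Apply the per-voucher checks and the batch-level sequence check."""
    duplicates, gaps = check_sequence(batch)
    return {
        "vouchers": [(v.get("voucher_no"), check_voucher(v)) for v in batch],
        "duplicates": duplicates,
        "gaps": gaps,
    }


# Constructed sample batch: one clean voucher and one failure per control.
SAMPLE_BATCH = [
    {"voucher_no": "101", "posting_date": "2018-05-10", "account": "1000",
     "amount": "12000.00", "prepared_by": "u1"},
    {"voucher_no": "102", "posting_date": "2018-05-11", "account": "4000",
     "amount": "750000", "prepared_by": "u1"},
    {"voucher_no": "102", "posting_date": "2018-05-11", "account": "9999",
     "amount": "300", "prepared_by": "u2"},
    {"voucher_no": "104", "posting_date": "2017-12-31", "account": "2000",
     "amount": "12,50", "prepared_by": "u2"},
    {"voucher_no": "105", "posting_date": "2018-06-01", "account": "5000",
     "amount": "80", "prepared_by": " "},
]

if __name__ == "__main__":
    report = run_controls(SAMPLE_BATCH)
    for number, errors in report["vouchers"]:
        print(number, errors or "accepted")
    print("duplicates:", report["duplicates"], "gaps:", report["gaps"])
```

The per-voucher checks act as preventive controls at input, while the sequence check is detective because it can only be run over a completed batch.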

Important Questions
Q. No. 5: Write short note on: general IT Controls.
HINT: Refer the topic “General IT Controls”.
Q. No. 6: Describe application controls and give three examples of automated application controls.
HINT: Refer the topic “Application Controls”.

Evaluating Controls at Entity Level and Process Level


Components of Internal Control System
As per SA 315, the internal control system within an entity comprises the following components:
(a) Control Environment.
(b) Entity’s Risk Assessment Process.
(c) Information Systems and Communication.
(d) Control Activities relevant to Audit.
(e) Monitoring.
From the perspective of an automated environment, the Information & Communication component is considered to be the most relevant component of the internal control system. In relation to Information & Communication, the auditor is required to obtain an understanding of:
• how business processes operate;
• information systems used in the processing of business transactions and activities;
• risks and controls pertaining to the information systems and underlying infrastructure;
• reliability of information generated from systems.

Entity Level Controls (ELCs)

Characteristics
• Entity Level Controls, also known as pervasive controls, operate across an entity at all levels of management, i.e. from top management to lower management.
• Entity Level Controls are considered to be a part of a company’s internal control framework and are related to components of Internal Control other than control activities. It means that Entity Level Controls are related to:
(a) Control Environment.
(b) Entity’s Risk Assessment Process.
(c) Information Systems and Communication.
(d) Monitoring.
• Entity level controls are subjective by nature and therefore require application of more professional judgement in their evaluation and testing.

Types
Direct ELCs: Direct ELCs operate at a level of business process to prevent, detect or correct a misstatement in a timely manner. Examples of Direct ELCs are:
• Business performance reviews;
• Monitoring of effectiveness of control by Internal Audit function.
Indirect ELCs: Indirect ELCs do not relate to any specific business process, transaction or account balance and therefore cannot prevent, detect or correct misstatements. Indirect ELCs contribute indirectly to the effective operation of direct ELCs. Examples of Indirect ELCs are:
• Company code of conduct;
• Human resource policies;
• Job roles & responsibilities.

Testing of ELCs
• As a part of an audit engagement, auditors are required to understand, evaluate and validate the entity level controls. The result of testing entity level controls could have an impact on the NTE of other audit procedures including testing of controls.
• When the ELCs at a company are effective, the auditor may consider reducing the number of samples in the TOCs and vice versa.
• In small organisations, the ELCs may not be formally documented and hence, the auditor should design audit procedures accordingly to obtain evidence of the existence and effectiveness of entity level controls.

Process Level Controls
• Process Level Controls primarily focus on control activities and the monitoring of those activities at the process level.
• Examples of Process Level Controls are: approvals, authorizations, verifications and reconciliations, etc.

Testing of Process Level Controls
• SA 315 requires the auditor to understand the business process that makes up an account balance or financial statement line item.
• Understanding the business process helps the auditor in identification of risks and controls within each process, sub-process and activity.
• The auditor should document this understanding of the company’s business process and flow of transactions in the audit file in accordance with SA 230.

Important Questions
Q. No. 7: Distinguish between: Direct Entity Level Controls and Indirect Entity Level Controls.
HINT: Refer the topic “Entity Level Controls”.

Data Analytics
Concept of Data Analytics
• Data analytics is an analytical process by which meaningful information is generated and prepared from raw system data using processes, tools, and techniques.
• In an automated environment, various insights can be extracted from operational, financial, and other forms of electronic data internal or external to the organization.
• The data so extracted is useful for preparation of management information system (MIS) reports and electronic dashboards that give a high-level snapshot of business performance.
• The data analytics methods used in an audit are known as Computer Assisted Auditing Techniques or CAATs.

Application of Data Analytics
In an automated environment, auditors can apply the concept of data analytics for several aspects of an audit including the following:
1. Preliminary Analytics;
2. Risk Assessment;
3. Control Testing;
4. Non-Standard Journal Analysis;
5. Evaluation of Deficiencies;
6. Fraud Risk assessment.

Steps involved in using Data Analytics
Step 1 - Understand Business Environment including IT.
Step 2 - Define the Objectives and Criteria against which subject matter will be evaluated.
Step 3 - Identify Source and Format of Data.
Step 4 - Extract Data.
Step 5 - Verify Completeness, Accuracy and Validity of extracted Data.
Step 6 - Apply Criteria on data extracted.
Step 7 - Validate and Confirm results.
Step 8 - Document the results and Report the conclusions.
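
Steps 4 to 7 above, as an added example that is not part of the original notes: a small CAAT in Python for non-standard journal analysis. The extract layout, control totals, list of users permitted to post manual journals and the three criteria are assumptions made for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Step 4: constructed sample extract of journal entries (illustrative data).
EXTRACT = """je_no,posted_on,source,prepared_by,approved_by,debit,credit
J001,2018-04-03,SYSTEM,batch,batch,1500.00,1500.00
J002,2018-04-07,MANUAL,asha,ravi,250000.00,250000.00
J003,2018-04-09,MANUAL,ravi,ravi,90000.00,90000.00
J004,2018-04-12,MANUAL,temp01,asha,4000.00,4000.00
J005,2018-04-15,MANUAL,asha,,12000.00,12000.00
"""
# Control totals reported by the source system for the same period (assumed).
CONTROL_TOTALS = {"records": 5, "debit": Decimal("357500.00"),
                  "credit": Decimal("357500.00")}
# Users whose role permits manual journals (assumed access matrix).
MANUAL_JE_USERS = {"asha", "ravi"}


def load_extract(text):
    """Step 4: parse the extract, keeping amounts as exact decimals."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["debit"], r["credit"] = Decimal(r["debit"]), Decimal(r["credit"])
    return rows


def verify_extract(rows, control):
    """Step 5: completeness, accuracy and validity of the extracted data."""
    problems = []
    if len(rows) != control["records"]:
        problems.append("completeness: %d rows, expected %d"
                        % (len(rows), control["records"]))
    for side in ("debit", "credit"):
        total = sum((r[side] for r in rows), Decimal("0"))
        if total != control[side]:
            problems.append("accuracy: %s total %s, expected %s"
                            % (side, total, control[side]))
    repeated = sorted(k for k, n in Counter(r["je_no"] for r in rows).items() if n > 1)
    if repeated:
        problems.append("validity: duplicate entry numbers " + ", ".join(repeated))
    unbalanced = [r["je_no"] for r in rows if r["debit"] != r["credit"]]
    if unbalanced:
        problems.append("validity: unbalanced entries " + ", ".join(unbalanced))
    return problems


def apply_criteria(rows):
    """Step 6: flag manual journals that breach the defined criteria."""
    flagged = {}
    for r in rows:
        if r["source"] != "MANUAL":
            continue
        reasons = []
        if not r["approved_by"].strip():
            reasons.append("no approver recorded")              # authorisation
        elif r["approved_by"] == r["prepared_by"]:
            reasons.append("prepared and approved by the same user")  # segregation
        if r["prepared_by"] not in MANUAL_JE_USERS:
            reasons.append("preparer not authorised for manual journals")
        if reasons:
            flagged[r["je_no"]] = reasons
    return flagged


def analyse(text, control):
    """Steps 4-7: criteria are applied only to an extract that reconciles."""
    rows = load_extract(text)
    problems = verify_extract(rows, control)
    return {"verified": not problems, "problems": problems,
            "flagged": {} if problems else apply_criteria(rows)}


if __name__ == "__main__":
    print(analyse(EXTRACT, CONTROL_TOTALS))
```

Refusing to apply the criteria when the extract does not reconcile keeps exceptions from being reported on incomplete data; the flagged entries are candidates for Step 7 follow-up, not conclusions.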

Important Questions
Q. No. 8: What is Data Analytics? When auditing in an automated environment, auditors can apply the concepts of data analytics for several aspects of an audit. State those aspects.
HINT: Refer the topic “Concept of Data Analytics and Application of Data Analytics”.

Standards, Guidelines and Procedures – to be adhered to while auditing in an automated environment

Standards on Auditing (SA)
AASB of ICAI issues various standards which are required to be followed while auditing the financial statements of an entity.

Sec. 143(3)(i) of Companies Act, 2013
Section 143(3)(i) of Companies Act 2013 requires statutory auditors to provide an Independent Opinion on the Design and Operating Effectiveness of Internal Financial Controls Over Financial Reporting (IFC-FR) of the company as at Balance Sheet date.
For this purpose, ICAI issued a Guidance Note on Audit of Internal Financial Controls Over Financial Reporting which provides the guidelines and procedures for reporting on IFC.

Section 404 of SOX Act, 2002
Section 404 of Sarbanes Oxley Act of 2002 requires public listed companies to implement, assess and ensure effectiveness of internal controls over financial reporting.
Auditors of such companies are required to express an independent opinion on the design and operating effectiveness of internal controls over financial reporting (ICFR).
Points to remember: SOX Act of 2002 is a requirement in America. Similar legal & statutory requirements over internal controls exist in other countries including Japan, China, European Countries, etc.

ISO 27001:2013
ISO 27001:2013 is the Information Security Management System (ISMS) standard issued by the International Organization for Standardization (ISO).
This standard provides the framework, guidelines and procedures for implementing information security and related controls in a company.

ITIL and ISO 20000
ITIL (Information Technology Infrastructure Library) and ISO 20000 provide a set of best practice processes and procedures for IT service management in a company. Some of the areas that could be relevant to audit include change management, incident management, problem management, IT operations, IT asset management etc.

PCI-DSS
• The Payment Card Industry – Data Security Standard is the most widely adopted information security standard for the payment cards industry.
• Any entity that is involved in the storage, retrieval, transmission or handling of credit card/debit card information is required to implement the security controls in accordance with this standard.

SSAE 18
Statements on Standards for Attest Engagements (SSAE) 18, issued by AICPA and effective from 01.05.2017 (supersedes SSAE 16), requires organizations to issue their System and Organization Controls (SOC) Report under the SSAE 18 standard in SOC 1, SOC 2 and SOC 3 reports.
• SOC 1 for reporting on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR).
• SOC 2 and SOC 3 for reporting on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy, i.e. controls other than ICFR.

CoBIT
Control Objectives for Information and Related Technologies is a best practice IT Governance and Management framework published by the Information Systems Audit and Control Association.
It provides the required tools, resources and guidelines that are relevant to IT governance, risk, compliance and information security.

CSF
The Cyber Security Framework published by the National Institute of Standards and Technology is one of the most popular frameworks for improving critical infrastructure cyber security, which provides a set of standards and best practices for companies to manage cyber security risks.

Important Questions
Q. No. 9: When auditing in an automated environment the auditor should be aware, adhere to and be guided
by the various standards, guidelines and procedures that may be relevant to both audit and the
automated environment. Briefly describe any four such standards.
HINT: Refer the topic “Standards, Guidelines and Procedures – to be adhered to while auditing in an
automated environment”

Chapter 7 – Professional Ethics (Code of Ethics)

Overview of Code of Ethics (COE)


Chapter 1, Sections 100-150 – General Application of the Code. Coverage:
100 - Introduction and Fundamental Principles
110 - Integrity
120 - Objectivity
130 - Professional Competence and Due Care
140 - Confidentiality
150 - Professional Behaviour

Chapter 2, Sections 200-290 – Professional Accountants in Public Practice. Coverage:
200 - Introduction
210 - Professional Appointment
220 - Conflicts of Interest
230 - Second Opinions
240 - Fees and Other Types of Remuneration
250 - Marketing Professional Services
260 - Gifts and Hospitality
270 - Custody of Client Assets
280 - Objectivity – All Services
290 - Independence – Assurance Engagements

Chapter 3, Sections 300-350 – Professional Accountants in Service. Coverage:
300 - Introduction
310 - Potential Conflicts
320 - Preparation and Reporting of Information
330 - Acting with Sufficient Expertise
340 - Financial Interests
350 - Inducements

Fundamental Principles to be followed by an Accountant


Fundamental Principles – Sec. 100 of COE
Integrity: A professional accountant should be straightforward and honest in all professional and business relationships.
Objectivity: A professional accountant should not allow bias, conflict of interest or undue influence of others to override professional judgments.
Professional Competence and Due Care:
• A professional accountant has a continuing duty to maintain professional knowledge and skill at the level required to ensure that a client or employer receives competent professional service based on current developments in practice, legislation and techniques.
• A professional accountant should act diligently and in accordance with applicable technical and professional standards while providing professional services.
Confidentiality: A professional accountant should respect the confidentiality of information acquired as a result of professional and employment relationships and should not disclose any such information to third parties without proper and specific authority unless there is a legal or professional right or duty to disclose.
Professional Behaviour: A professional accountant should comply with relevant laws and regulations and should avoid any action that discredits the profession.
Integrity – Sec. 110 of COE
• The principle of integrity imposes an obligation on all professional accountants to be straightforward and honest in professional and employment relationships. Integrity also implies fair dealing and maintaining an impartial attitude and truthfulness.
• A professional accountant should not be associated with reports, returns, communications or other information where he believes that the information:
(a) Contains a materially false or misleading statement;
(b) Contains statements or information furnished negligently; or
(c) Omits or obscures any information required to be included where such omission or obscurity would be misleading.
Objectivity – Sec. 120 of COE
• The principle of objectivity imposes an obligation on all professional accountants not to compromise their professional duty or while in service judgment because of bias, conflict of interest or the undue influence of others.
• A professional accountant may be exposed to situations that may impair objectivity. It is impracticable to define and prescribe all such situations. Relationships that bias or unduly influence the professional judgment of the professional accountant should be avoided.
Professional Competence and Due Care – Sec. 130 of COE
The principle of professional competence and due care imposes the following obligations on professional accountants:
(a) To maintain professional knowledge and skill at the level required to ensure that the clients or employers receive competent professional service; and
(b) To act diligently in accordance with applicable technical and professional standards while providing professional services.
Confidentiality – Sec. 140 of COE
The principle of confidentiality imposes an obligation on professional accountants to refrain from:
(a) Disclosing outside the firm or employing organization information acquired as a result of professional and employment relationships without proper and specific authority or unless there is a legal or professional right or duty to disclose; and
(b) Using information acquired as a result of professional and employment relationships to their personal advantage or the advantage of third parties.

Circumstances where disclosure is appropriate
(a) Disclosure is permitted by law and is authorized by the client or the employer;
(b) Disclosure is required by law, for example:
(i) Production of documents or other provision of evidence in the course of legal proceedings; or
(ii) Disclosure to the appropriate public authorities of infringements of the law that come to light.
(c) There is a professional duty or right to disclose, when not prohibited by law:
(i) To comply with requirement of peer review or quality review;
(ii) To respond to an inquiry or investigation by a regulatory body;
(iii) To protect the professional interests of a professional accountant in legal proceedings; or
(iv) To comply with technical standards and ethical requirements.

Considerations before disclosing information
In deciding whether to disclose confidential information, professional accountants should consider the following points:
(a) Whether the interests of all parties, including third parties whose interests may be affected, could be harmed if the client or employer consents to the disclosure of information by the professional accountant;
(b) Whether all the relevant information is known and substantiated, to the extent it is practicable; and
(c) The type of communication that is expected and to whom it is addressed; in particular, professional accountants should be satisfied that the parties to whom the communication is addressed are appropriate recipients.
Professional Behaviour – Sec. 150 of COE
• The principle of professional behaviour imposes an obligation on professional accountants to comply with relevant laws and regulations and avoid any action that may bring discredit to the profession.
• The professional accountants should act in a manner consistent with the reputation of the profession and refrain from any conduct which might bring disrepute to the profession.

Threats in Compliance of Fundamental Principles and Safeguards


Threats involved in compliance – Sec. 100 of COE
Self-interest threats: It may occur as a result of the financial or other interests of a professional accountant or of a relative.
Self-review threats: It may occur when a previous judgment needs to be re-evaluated by the professional accountant responsible for that judgment.
Advocacy threats: It may occur when a professional accountant promotes a position or opinion to the point that subsequent objectivity may be compromised.
Familiarity threats: It may occur when, because of a relationship, a professional accountant becomes too sympathetic to the interests of others.
Intimidation threats: It may occur when a professional accountant may be deterred from acting objectively by threats, actual or perceived.

Circumstances that may create Threats

Self-Interest Threats
(a) A financial interest in a client or jointly holding a financial interest with a client.
(b) Undue dependence on total fees from a client.
(c) Having a close business relationship with a client.
(d) Concern about the possibility of losing a client.
(e) Potential employment with a client.
(f) A loan to or from an assurance client or any of its directors or officers.

Self-review Threats
(a) Reporting on the operation of financial information systems after being involved in their designing or implementation.
(b) Having prepared the original data used to generate records that are the subject matter of the engagement.
(c) A member of the engagement team is being associated with the client as a director or officer.
(d) A member of the engagement team is being employed by the client in a position to exert direct and significant influence over the subject matter of the engagement.
(e) Performing a service for a client that directly affects the subject matter of engagement.

Advocacy Threats
(a) Promoting shares in a listed entity when that entity is a financial statement audit client.
(b) Acting as a representative on behalf of an assurance client in litigation or disputes with third parties.

Familiarity Threats
(a) A member of the engagement team is a relative of a director or officer of the client.
(b) A member of the engagement team is a relative of an employee of the client who is in a position to exert direct and significant influence over the subject matter of the engagement.
(c) A former partner of the firm being a director or officer of the client or an employee in a position to exert direct and significant influence over the subject matter of the engagement.
(d) Accepting gifts or preferential treatment from a client.
(e) Long association of senior personnel with the assurance client.

Intimidation Threats
(a) Being threatened with dismissal or replacement in relation to a client engagement.
(b) Being threatened with litigation.
(c) Being pressured to reduce inappropriately the extent of work performed in order to reduce fees.
Safeguards that may eliminate or reduce threats

Safeguards created by the profession, legislation or regulation to reduce threats
1. Educational, training and experience requirements for entry into the profession.
2. Continuing professional development requirements.
3. Corporate governance regulations.
4. Professional standards.
5. Professional or regulatory monitoring and disciplinary procedures.
6. External review by a legally empowered third party of the reports, returns, communications or information produced by a professional accountant.

Safeguards in the work environment
In the work environment, the relevant safeguards will vary depending on the circumstances. Work environment safeguards comprise firm-wide safeguards and engagement specific safeguards.
Firm-wide safeguards in the work environment
(a) Leadership of the firm that stresses the importance of compliance with
the fundamental principles and establishes the expectation that
members of an assurance team will act in the public interest.
(b) Policies and procedures to implement and monitor quality control of
engagements.
(c) Documented policies regarding identification of threats to compliance
with the fundamental principles and the application of safeguards to
eliminate or reduce the threats.
(d) Documented independence policies regarding identification of threats
to independence and application of safeguards to eliminate or reduce
the threats.
(e) Documented internal policies and procedures requiring compliance
with the fundamental principles.
(f) Timely communication of a firm’s policies and procedures, including
any changes to them, to all partners and professional staff.
(g) Training and education on such policies and procedures.
(h) Designating a member of senior management to be responsible for
overseeing the adequate functioning of the firm’s quality control
system.
(i) A disciplinary mechanism to promote compliance with policies and
procedures.
(j) Published policies and procedures to encourage and empower staff to
communicate to senior levels within the firm any issue relating to
compliance with the fundamental principles that concerns them.
Engagement-specific safeguards in the work environment
(a) Involving an additional professional accountant to review the work
done or otherwise advise as necessary.
(b) Consulting an independent third party, such as a committee of
independent directors, a professional regulatory body or another
professional accountant.
(c) Discussing ethical issues with TCWG of the client.
(d) Disclosing to TCWG of the client the nature of services provided and
extent of fees charged.
(e) Rotating senior assurance team personnel.

Chapter 8 -
Company Audit

Salient Features of Audit of Limited Liability Partnerships (LLP Audit)


Maintenance of books of account, other records and audit, etc – Sec. 34 of LLP Act, 2008

Books of Accounts
• LLP shall maintain such proper books of account as may be prescribed relating to its affairs for each year of its existence.
• Books may be maintained on cash basis or accrual basis and according to double entry system of accounting.
• Books shall be maintained at registered office for such period as may be prescribed.
Rule 24 of LLP Rules, 2009
• The books of account shall contain:
(a) particulars of all sums of money received and expended by the LLP and the matters in respect of which the receipt and expenditure takes place;
(b) a record of the assets and liabilities of the LLP;
(c) statements of cost of goods purchased, inventories, WIP, finished goods and cost of goods sold; and
(d) any other particulars which the partners may decide.
• The books of account which a LLP is required to keep shall be preserved for eight years from the date on which they are made.

Statement of Account and Solvency
• Every LLP shall, within a period of six months from the end of each financial year, prepare a Statement of Account and Solvency for the said financial year in prescribed form, and such statement shall be signed by the designated partners of the LLP.
• Statement of Account and Solvency shall be filed with the Registrar every year in such form and manner and accompanied by prescribed fees.
Rule 24 of LLP Rules, 2009
• Statement of Account and Solvency shall be filed in Form 8 with the Registrar, within a period of 30 days from the end of 6 months of the financial year to which the Statement of Account and Solvency relates.

Audit of Accounts
Accounts of LLP shall be audited in accordance with such rules as may be prescribed.
Rule 24 of LLP Rules, 2009
Requirement of Audit:
• A LLP whose turnover does not exceed, in any financial year, Rs. 40 Lacs, or whose contribution does not exceed Rs. 25 Lacs shall not be required to get its accounts audited.
• If partners of such LLP decide to get the accounts of such LLP audited, the accounts shall be audited in accordance with these rules.
Eligibility for auditor: A person shall not be qualified for appointment as an auditor of a LLP unless he is a Chartered Accountant in practice.
Period of Appointment: Auditor of a LLP shall be appointed for each financial year of the LLP for auditing its accounts.
Appointment of auditor by designated partner: The designated partners may appoint an auditor:
(a) at any time for the first financial year but before the end of the first financial year,
(b) at least 30 days prior to the end of each financial year (other than the first financial year),
(c) to fill a casual vacancy in the office of auditor, including in the case when the turnover or contribution of a LLP exceeds the limits, or
(d) to fill up the vacancy caused by removal of an auditor.
Appointment of auditor by partner: Partners may appoint an auditor where the designated partners have power to appoint and have failed to appoint.
Tenure of Auditor: Auditor shall hold office in accordance with the terms of his or their appointment and shall continue to hold such office till the period
(a) the new auditors are appointed, or
(b) they are re-appointed.

Advantage/Purpose/Need of Audit
(a) Detection of errors & frauds
(b) Verification of financial statements
(c) Resolving disputes among the partners in relation to accounting
matters.
(d) Arranging finance from banks & financial institutions.
(e) Improved management of the LLP
(f) Settlement of accounts between partners at the time of admission,
death, retirement, insolvency, insanity, etc
Auditor’s duty regarding Audit of LLP
(a) Auditor should obtain instructions in writing as to the work to be
performed by him.
(b) Auditor should read the LLP agreement & note the following
provisions
 Nature of the business of LLP
 Capital contributed by each partner
 Interest in respect of capital contributions
 Duration of partnership
 Drawings allowed to the partners
 Salaries, commission etc payable to partners
 Rights & duties of partners

 Method of settlement of accounts between partners at the time of
admission, retirement, admission etc.
 Any loans advanced by the partners
 Profit sharing ratio
(c) Auditor should report (a) whether the records reflect a true and fair
view, (b) whether he obtains all information & explanation, and (c) whether
any restriction/limitation is imposed upon him.
(d) If minute book is being maintained, auditor shall refer it for any
resolution passed regarding the accounts.
Annual Return – Sec. 35
• Every LLP shall file an annual return duly authenticated with the Registrar within 60 days of closure of its financial year in such form and manner and accompanied by such fee as may be prescribed.
• Annual return with the Registrar shall be filed in Form 11.

Inspection of documents kept by Registrar – Sec. 36
Documents to be made available for inspection:
(a) Incorporation document,
(b) Names of partners and changes, if any, made therein,
(c) Statement of Account and Solvency and
(d) Annual return filed with the Registrar
Who can inspect: Any Person
Fees of inspection: Rs. 50.

Power of Registrar to obtain information – Sec. 38
• In order to obtain any information as the Registrar may consider necessary for the purposes of carrying out the provisions of this Act, the Registrar may require any person including any present or former partner or designated partner or employee of a limited liability partnership to answer any question or make any declaration or supply any details or particulars in writing to him within a reasonable period.
• In case such person does not answer such question or make such declaration or supply such details or particulars asked for by the Registrar within a reasonable time or time given by the Registrar or when the Registrar is not satisfied with the reply or declaration or details or particulars provided by such person, the Registrar shall have power to summon that person to appear before him or an inspector or any other public officer whom the Registrar may designate, to answer any such question or make such declaration or supply such details, as the case may be.

Important Questions – Audit of LLP


1 Write a short note on: Books of Accounts to be maintained by a Limited Liability Partnership.
HINT: Refer to Sec. 34 of LLP Act, 2008 and Rule 24 of LLP Rules, 2009.
2 Write a short note on: Statutory provisions as to Audit of Limited Liability Partnerships.
HINT: Refer to Sec. 34 of LLP Act, 2008 and Rule 24 of LLP Rules, 2009.
3 List the benefits that arise to LLP from getting the accounts audited.
HINT: Refer to the topic “Advantage/Purpose/Need of Audit”.
4 Briefly describe the auditor’s duty regarding audit of LLP.
HINT: Refer to the topic “Auditor’s duty regarding audit of LLP”.

Chapter 18 -
Audit under Fiscal laws

Form 3CD
31. (a)* Particulars of each loan or deposit in an amount exceeding the limit specified in section 269SS taken or
accepted during the previous year:
(i) name, address and permanent account number (if available with the assessee) of the lender or
depositor;
(ii) amount of loan or deposit taken or accepted;
(iii) whether the loan or deposit was squared up during the previous year;
(iv) maximum amount outstanding in the account at any time during the previous year;
(v) whether the loan or deposit was taken or accepted by cheque or bank draft or use of electronic
clearing system through a bank account;
(vi) in case the loan or deposit was taken or accepted by cheque or bank draft, whether the same was
taken or accepted by an account payee cheque or an account payee bank draft.
*(These particulars need not be given in the case of a Government company, a banking company or a
corporation established by a Central, State or Provincial Act.)
(b)* Particulars of each specified sum in an amount exceeding the limit specified in section 269SS taken or
accepted during the previous year:
(i) name, address and Permanent Account Number (if available with the assessee) of the person from
whom specified sum is received;
(ii) amount of specified sum taken or accepted;
(iii) whether the specified sum was taken or accepted by cheque or bank draft or use of electronic
clearing system through a bank account;
(iv) in case the specified sum was taken or accepted by cheque or bank draft, whether the same was
taken or accepted by an account payee cheque or an account payee bank draft.
*(These particulars need not be given in the case of a Government company, a banking company or a
corporation established by the Central, State or Provincial Act.)
(c) Particulars of each repayment of loan or deposit or any specified advance in an amount exceeding the limit
specified in section 269T made during the previous year:
(i) name, address and Permanent Account Number (if available with the assessee) of the payee;
(ii) amount of the repayment;
(iii) maximum amount outstanding in the account at any time during the previous year;
(iv) whether the repayment was made by cheque or bank draft or use of electronic clearing system
through a bank account;
(v) in case the repayment was made by cheque or bank draft, whether the same was taken or accepted
by an account payee cheque or an account payee bank draft.

(d) Particulars of repayment of loan or deposit or any specified advance in an amount exceeding the limit
specified in section 269T received otherwise than by a cheque or bank draft or use of electronic clearing
system through a bank account during the previous year:
(i) name, address and Permanent Account Number (if available with the assessee) of the payer;
(ii) amount of loan or deposit or any specified advance received otherwise than by a cheque or bank
draft or use of electronic clearing system through a bank account during the previous year.
(e) Particulars of repayment of loan or deposit or any specified advance in an amount exceeding the limit
specified in section 269T received by a cheque or bank draft which is not an account payee cheque or
account payee bank draft during the previous year:
(i) name, address and Permanent Account Number (if available with the assessee) of the payer;
(ii) amount of loan or deposit or any specified advance received by a cheque or a bank draft which is not
an account payee cheque or account payee bank draft during the previous year.

Audit under GST Laws


Definition of Audit – Sec. 2(13) of CGST Act, 2017
Audit means the examination of records, returns and other documents maintained or furnished by the registered person under this Act or the rules made thereunder or under any other law for the time being in force to verify the correctness of
• turnover declared,
• taxes paid,
• refund claimed and input tax credit availed, and
• to assess his compliance with the provisions of this Act or the rules made thereunder.
Points to Remember
Definition of Audit under CGST is a very wide term which not only includes examination of records, returns and documents maintained under this Act, but also includes records, documents and returns maintained under other law.
Types of Audit under GST Regime (3 types)
Audit under GST:
1. Audit by taxable Person (if threshold > Rs. 2 Cr.): File Audited Returns + Audited Accounts + Reconciliation Statements
2. Audit by GST Authorities:
   (a) General Audit (Order by Commissioner)
   (b) Special Audit by a CA nominated by Commissioner (Order by Deputy/Asst. Commissioner)

Audit based on turnover – Sec. 35(5) of CGST Act, 2017
Every registered person whose turnover during a financial year exceeds the prescribed limit shall get his accounts audited by a Chartered Accountant or a Cost Accountant and shall submit
• a copy of the audited annual accounts,
• the reconciliation statement u/s 44(2) and
• such other documents in such form and manner as may be prescribed.
Points to Remember
• Rule 80(3) of CGST Rules, 2017: Every registered person whose aggregate turnover during a financial year exceeds Rs. 2 Cr. shall get his accounts audited and he shall furnish a copy of audited annual accounts and a reconciliation statement, duly certified, in FORM GSTR-9C.
• Sec. 44(2) - Every registered person who is required to get his accounts audited in accordance with the provisions of Sec. 35(5) shall furnish, electronically, the annual return along with a copy of the audited annual accounts and a reconciliation statement, reconciling the value of supplies declared in the return furnished for the financial year with the audited annual F.S., and such other particulars as may be prescribed.
Audit by Tax Authorities – Sec. 65 of CGST Act, 2017
• The Commissioner or any officer authorised by him, by way of a general or a specific order, may undertake audit of any registered person for such period, at such frequency and in such manner as may be prescribed.
• Audit may be conducted at the place of business of the registered person or in their office.
• The registered person shall be informed by way of a notice not less than 15 working days prior to the conduct of audit in such manner as may be prescribed.
• Audit shall be completed within a period of 3 months from the date of commencement of the audit. However, if the Commissioner is satisfied that audit in respect of such registered person cannot be completed within 3 months, he may, for the reasons to be recorded in writing, extend the period by a further period not exceeding six months.
• On conclusion of audit, the proper officer shall, within 30 days, inform the registered person, whose records are audited, about the findings, his rights and obligations and the reasons for such findings.
• If the audit results in detection of tax not paid or short paid or erroneously refunded, or input tax credit wrongly availed or utilised, the proper officer may initiate action under section 73 or section 74.
Special Audit – Sec. 66 of CGST Act, 2017

Directions for Special Audit
• If at any stage of scrutiny, inquiry, investigation or any other proceedings, any officer not below the rank of Assistant Commissioner, having regard to the nature and complexity of the case and the interest of revenue, is of the opinion that the value has not been correctly declared or the credit availed is not within the normal limits, he may, with the prior approval of the Commissioner, direct such registered person by a communication in writing to get his records including books of account examined and audited by a chartered accountant or a cost accountant as may be nominated by the Commissioner.
• Direction shall be issued in FORM GST ADT-03.

Time limit for completion of Audit
The chartered accountant or cost accountant so nominated shall, within the period of 90 days, submit a report of such audit duly signed and certified by him to the said Assistant Commissioner mentioning therein such other particulars as may be specified.

Extension of Time Limit
Assistant Commissioner may,
• on an application made to him in this behalf by the registered person or the chartered accountant or cost accountant
or
• for any material and sufficient reason,
extend the said period by a further period of 90 days.

Opportunity to the registered person
• The registered person shall be given an opportunity of being heard in respect of any material gathered on the basis of special audit which is proposed to be used in any proceedings against him under this Act or the rules made thereunder.
• The registered person shall be informed of the findings of the special audit in FORM GST ADT-04.

Audit Expenses and Remuneration
Expenses of examination and audit, including the remuneration of such chartered accountant or cost accountant, shall be determined and paid by the Commissioner and such determination shall be final.

Action on basis of Audit Report
Where the special audit conducted results in detection of tax not paid or short paid or erroneously refunded, or input tax credit wrongly availed or utilised, the proper officer may initiate action under section 73 or section 74.

Practices to be adopted for GST Audit
Auditor should evaluate internal control so as to identify the areas to be focused. For this purpose, following practices may be adopted:
(1) Auditor may verify the following:
(a) Statutory Audit report which has specific disclosure w.r.t. maintenance of record, stock and fixed assets.
(b) Information System Audit report and the Internal Audit Report.
(2) Internal Control questionnaire may be designed for GST compliance.
(3) Generalised audit software may be used for GST audit which would ensure adoption of modern practice of risk based audit.
(4) Reconciliation of the books of account or reports from the ERP’s to the return is also useful.
(5) Trial balance should be reviewed for detecting any set off of expenses against incomes.
(6) Purchases/expenses are to be reviewed to examine applicability of reverse charge applicable to goods/services.
(7) Reconciliation of foreign exchange outgo would also be necessary to identify the liability of import of services.
(8) Ratio analysis may also provide important information on areas of noncompliance.

Format of GST Audit report

Form GST ADT-04
Reference No. :
Date :
To,
--------------------------------------------
GSTIN ………………………………
Name ………………………………….
Address ………………………………
Information of Findings upon Special Audit
Your books of account and records for the F.Y………………..…. has been examined by .…………..
(chartered accountant/cost accountant) and this Audit Report is prepared on the basis of
information available/documents furnished by you and the findings/discrepancies are as
under:
Short payment of Integrated tax Central tax State/UT tax Cess
Tax
Interest
Any other amount
[Upload pdf file containing audit observation]
You are directed to discharge your statutory liabilities in this regard as per the provisions
of the Act and the rules made thereunder, failing which proceedings as deemed fit may be
initiated against you under the provisions of the Act.
Signature ......................................
Name ………………………………..
Designation ………………………...

Important Questions
Q. No. 1: Define the term Audit under CGST Act. Describe the statutory requirements of audit under CGST Act
based on threshold limit.
Q. No. 2: Briefly discuss the provisions given under section 66 regarding special audit required under CGST
Act.
Q. No. 3: List the best practices that can be adopted for GST Audit.
Q. No. 4: Write short note on: Format for GST Audit Report.

Chapter 20 -
Investigation and Due Diligence

Forensic Audit
Concept of Forensic Accounting and Audit
• 'Forensic' means 'suitable for use in a court of law', and it is to that standard and potential outcome that forensic accountants generally have to work.
• Forensic accounting can be described as a specialized field of accountancy which investigates fraud and analyses financial information to be used in legal proceedings. Forensic accounting uses accounting, auditing, and investigative skills to conduct investigations into theft and fraud. It encompasses both Litigation Support and Investigative Accounting.
• Forensic audit can be defined as an examination of evidence regarding an assertion to determine its correspondence to established criteria carried out in a manner suitable to the court.
• Forensic accounting does involve elaborate inquiry and investigation into the transactional typicality of the connected issues and events; the job of forensic audit is to provide a double check on the consistency issues, questions that the counsel may ask in the context of arguing in courts.
Framework of Forensic Accounting and Auditing

Forensic Accounting & Auditing Framework

Accounting
• Looking beyond Numbers while examining Financial Reporting and Business Information Systems.
• Compliance of GAAPs and IFRS/Regional Standards.
• Reframing of Accounts Based on Legality and GAAPs.

Auditing and Assurance
• Risk Assessment and Analytical Procedures.
• Designing and Performing Extended Audit Procedures.
• Compliance of Standards of Auditing, where applicable.
• Introspective & Skeptical Mindset for Reviewing Transactions and Deals.

Investigation Science
• Fixation of Direction of Investigation on Realistic Basis.
• Gathering Evidences and clues through Scientific and Latest Investigation Techniques.
• Analysis of Psychological Behaviour of Human.
• Evidence Documentation for Legal Proceedings.

• Litigation Consultancy - Jointly working with Lawyers and Clients engaged in litigation to provide expert advice regarding evidence and strategic proceedings.
• Computer Forensic - Providing assistance in Electronic Data Recovery and Retrieval.
• Expert Witness - Providing Evidence and Preparation of Formal Reports for filing in the Court of Law.

Page 28 of 58
Objectives of Forensic Accounting & Audit
1. To use the forensic accountant’s conclusions to facilitate a settlement, claim, or jury award by reducing the financial component as an area of continuing debate
2. To avoid fraud and theft
3. To restore the downgraded public confidence
4. To formulate and establish a comprehensive corporate governance policy
5. To create a positive work environment
A forensic accountant can ensure the integrity and transparency of financial statements by actively investigating for fraud and identifying areas of risk and associated fraud symptoms. A good fraud prevention program can help to create a positive working environment where employees do not abuse their responsibilities.
Forensic Audit vs. Other Audits
Basis: Meaning
• Forensic Audit: Examination of evidence regarding an assertion to determine its correspondence to established criteria carried out in a manner suitable to the court.
• Financial Audit: Examination of Financial Information so as to express an opinion on true and fair view of state of affairs and financial results.
Basis: Objective
• Forensic Audit: To determine whether fraud has taken place.
• Financial Audit: To express an opinion on true and fair view.
Basis: Frequency
• Forensic Audit: No specific period.
• Financial Audit: Generally carried out for a financial year.
Basis: Techniques
• Forensic Audit: Investigative and substantive
• Financial Audit: Risk based with the help of compliance & substantive procedures.
Basis: Extent
• Forensic Audit: In-depth checking.
• Financial Audit: Test Checking based
Basis: Verification of Asset and liabilities
• Forensic Audit: Verification of suspected / selected items is done where misappropriation is suspected.
• Financial Audit: All assets and liabilities are verified with the help of audit procedures or management certificate/representation.
Areas of Forensic Audit
Forensic Auditor is generally involved in the below mentioned areas of work:
Fraud Detection: Area of fraud detection comprises:
• Investigating and analyzing financial evidence.
• Detecting financial frauds.
• Tracing misappropriated funds.
Fraud Prevention: Area of fraud prevention comprises:
• Reviewing internal controls to verify their adequacy.
• Providing consultation in the development and implementation of an internal control framework aligned to an organization's risk profile.
Computer Forensics: Area of computer forensics comprises developing computerized applications to assist in the recovery, analysis and presentation of financial evidence.
Expert Testimony: Area of expert testimony comprises:
• Assisting in legal proceedings.
• Testifying in court as an expert witness.
• Preparing visual aids to support trial evidence.
Forensic Auditor
Forensic Auditors engaged by: Forensic Auditors can be engaged in public practice or employed by
• Insurance companies,
• Banks,
• Police forces,
• Lawyers,
• Government agencies and
• Other organizations.
Importance of Forensic Auditors: Forensic Auditors can resolve the matters by combining accounting knowledge & experience with respect to:
• Fraud Prevention
• Fraud Detection
• Risk Management
Services rendered by Forensic Auditors:
1. Criminal Investigation
2. Professional Negligence Cases
3. Arbitration service
4. Fraud Investigation and Risk/Control Reviews
5. Settlement of insurance claims
6. Dispute settlement
Characteristics of Forensic Auditor: Forensic Auditor must possess the following characteristics:
1. Strong Visualization and Imagination
2. Curiosity and Persistence
3. Detail-oriented and Inquisitiveness
4. Creativity and Out of the Box Thinking
5. Discretion, Rationalisation and Skepticism
6. Confidence and Sound professional judgement.
Skills to be possessed by forensic auditor: Forensic Auditor must possess skills related to the following:
1. Standards of Auditing, Auditing Procedures and related methodologies
2. Accounting & Business reporting systems
3. IT and Data Analytics
4. Criminology, Legal Framework, Litigation processes & procedures
5. Investigative Techniques and Evidence gathering
6. Network of professional contacts in related fields, viz. enforcement, regulatory bodies, law, industry, peers etc.
Process of Forensic Audit
Step 1 - Initialisation
• Meeting with the client and accepting the engagement: In order to understand important facts, players and issues etc., the investigator must meet the client. It should be considered initially whether his firm has the necessary skills and experience to accept the work.
• Performing conflict check: In order to achieve objectivity, a conflict of interest check should be carried out as soon as the relevant parties are established.
• Performing initial investigation: It is generally desired to perform an initial action plan prior to developing a detailed plan. Such initial action plan will help to formulate subsequent planning to be based upon more complete and comprehensive understanding of the situation.
Step 2 – Planning the audit
• This is to be developed based on the meeting with the client and carrying out the initial investigation scanner on the subjects to be investigated.
• This action plan will set out the objectives to be achieved and the methodologies to be adopted. The investigation team must carefully take into consideration the objectives to be achieved and plan their work accordingly.
Step 3 – Collection of Evidences
• It involves obtaining relevant documents, economic information, tracing different assets/persons/unaccounted records, meeting with other experts, statutory and internal auditors of the client.
• The evidences gathered should be sufficient to ultimately identify and prove the fraudster(s) and the mechanism adopted for such frauds.
Step 4 – Performing Analysis
The actual analysis to be performed will solely depend upon the nature of the assignment. This may include:
• Summarisation of a large number of transactions.
• Performing robust procedures to trace unidentified assets.
• Calculating the economic damages and if required, the loss of goodwill.
• Estimating the present value of the financial losses or frauds involved in case such irregularities or frauds took place for a long period of time.
• Performing the statistical regression or sensitivity analysis of the frauds etc.
• Using various computerized application softwares and graphs etc. to explain and analyse the frauds.
Step 5 – Reporting
The report generally includes various sections describing the nature of the assignment, scope, approaches utilized, findings, opinions and limitations. Report is generally submitted to the appointing authority.
Step 6 – Court Proceedings
• The investigation is likely to lead to legal proceedings against the suspect.
• The evidence gathered during the investigation will need to be presented at court, and team members may be called to court to describe the evidence they have gathered and to explain how the suspect was identified.
Techniques of Forensic Audit
Benchmarking: Comparing one financial period with another or the performance of one cost centre, or business unit, with another, overall business performance with its standards defined.
Analytical Tools: Trend Analysis and Ratio Analysis may be used to identify any abnormal trends and changes.
Digital Techniques: Digital investigations are complex techniques and require support from trained digital investigators. Digital techniques comprise close scrutiny of relevant emails, accounting records, phone logs and. Before applying digital techniques like obtaining data from email etc., the forensic auditor should take appropriate legal advice so that it doesn’t amount to invasion of privacy.
CAATs: CAATs, known as Computer-assisted audit techniques, are computer programs that the auditors use as part of the audit procedures to process data of audit significance contained in a client’s information systems, without depending on him.
System analysis: To examine the systems in place and identify any weaknesses that could be opportunities for the fraudsters.
Common Software Tool: Common Software Tools like spreadsheets (MS Excel), RDBMS (MS Access) and Report writers (Crystal reports) are widely accepted due to their instant availability and lower costs.
Data Mining Techniques: It is a set of assisted techniques designed to automatically mine large volumes of data for new, hidden or unexpected information or patterns.
Forensic Audit Report
Meaning:
• An Audit report is a medium through which an auditor expresses his opinion under audit. It is an important part of the audit as it provides the results of the audit conducted by the auditor.
• Forensic Audit Report is nothing but statements of observation gathered & considered while proving conclusive evidence.
Points to be kept in mind:
1. Clear headedness: While preparing the report, auditor should be clear as to what is the purpose of reporting, to whom the report is directed, logical presentation.
2. Understandability: While preparing the report auditor should keep the reader uppermost in mind, hence the report should be written in an understandable and simple language.
3. Unbiased approach: Audit report should be prepared without being biased.
4. Impact of the report: Auditor should consider the probable reaction to reporting whether action or decision will follow in quickest possible time or to be treated as of academic interest only.
5. Proper sequencing: Various elements (i.e. facts and figures) of report should be in proper sequences.
Factors to be considered while presenting report:
1. Nature of business of the entity.
2. Nature of subject or aspect examined.
3. Persons for whom the report is intended.
4. Purpose for which the report is prepared.
5. Management attitude, directives and needs.
6. Approach and calibre of Forensic auditor.
7. Extent of details required by management and persons for whom report is prepared.

Contents of Forensic Audit Report
The contents of the report may vary depending on the situation, the nature and extent of the frauds and irregularities involved. The generalised form of such forensic accounting investigation report is given below:
1. Title of the Report
2. Executive Summary
3. Background of Engagement
   • Origin
   • Objectives of Engagement
   • Proposed Outputs of the Assignment
   • Implementation Approaches
4. Analysis of the Risks Involved
   • Internal Environment Risks
   • External Environment Risks
   • Political and Legal Scenario
   • Risks from Customers, Suppliers and Competitors etc.
   • Business Process and Human Resources Management
   • Market, Operational and Technological Risks
   • Others
5. Evidence of Risk Events
6. Analysis and Findings
7. Audit Recommendations
   • Logical Framework Approach
   • Preconditions and Risks
8. Implementation of Recommendations
   • Budget Considerations
   • Stakeholders to be Engaged
9. List of Annexures

Important Questions
Q. No. 1: Differentiate between Forensic Audit and Financial Audit.
Q. No. 2: Forensic Auditors can be engaged in public practice or employed by insurance companies, banks,
police forces, government agencies and other organizations. Briefly mention the areas in which
forensic auditor can render the services.
Q. No. 3: Enumerate the steps to be undertaken in case of forensic audit process.
Q. No. 4: Briefly describe the techniques that a forensic auditor may use.

[Figure: Flow Chart of Forensic/Investigative Accounting, in three stages: Planning; Accounting, Auditing & Investigation; Reporting.]

Chapter 21 -
Peer Review and Quality review

Meaning, Objectives and Scope of Quality Review


Introduction
SQC 1 “Quality Control for Firms that perform Audits and Reviews of Historical Financial
Information, and Other Assurance and Related Services Engagements” requires that a
practitioner firm should establish a system of quality control designed to provide it with
reasonable assurance that the firm and its personnel comply with professional standards and
regulatory and legal requirements, and that reports issued by the firm or engagement partner(s)
are appropriate in the circumstances.
Government of India has, in exercise of the powers conferred u/s 28A of the Chartered
Accountants Act, 1949, constituted a Quality Review Board (QRB) to perform the following
functions u/s 28B of the Chartered Accountants Act, 1949:
(a) to make recommendations to the Council with regard to the quality of services provided by
the members of the Institute;
(b) to review the quality of services provided by the members of the Institute including audit
services; and
(c) to guide the members of the Institute to improve the quality of services and adherence to
the various statutory and other regulatory requirements.
Government of India has also issued ‘Chartered Accountants (Procedures of Meetings of QRB, and
Terms and Conditions of Service and Allowances of the Chairperson and Members of the Board)
Rules, 2006’.
In terms of the Rule 6, the QRB has issued the ‘Procedure for Quality Review of Audit Services
of Audit Firms’ (the ‘Procedure’).
Objectives of Quality Review (as stated in Report on Audit Quality Review)
• Quality Review is directed towards evaluation of audit quality and adherence to various statutory and other regulatory requirements.
• It would involve assessment of the work of auditors while carrying out their audit function so that the Board is able to assess
  (a) the quality of audit and reporting by the Statutory auditors; and
  (b) the quality control framework adopted by the Statutory auditors/Audit firms in conducting audit.
• Quality reviews initiated by the QRB are designed to identify and address weaknesses and deficiencies related to how the audits were performed by the Audit firms. To achieve that goal, quality reviews included reviews of certain aspects of selected statutory audits performed by the firm and reviews of other matters related to the firm’s quality control system.
• In the course of reviewing aspects of selected audits, a review may identify ways in which a particular audit is deficient, including failures by the firm to identify, or to address appropriately, aspects in which an entity’s financial statements do not present fairly the financial position or the results of operations in conformity with the applicable Generally Accepted Accounting Principles (GAAP) and other technical standards.
• It is not the purpose of a review, however, to review all of a firm’s audits or to identify every aspect in which a reviewed audit is deficient. Accordingly, a review should not be understood to provide any assurance that the firm’s audits, or its clients’ financial statements or reporting thereon, are free of any deficiencies.

Scope of Quality Review
The scope of the quality review includes
(a) Compliance with Technical Standards: Technical Reviewer appointed by QRB is required to examine whether the Engagement Partner has ensured compliance with the applicable technical standards in India and other applicable professional and ethical standards and requirements.
(b) Compliance with Law and Regulations: Technical Reviewer appointed by QRB is required to examine whether the Engagement Partner has ensured compliance with the relevant laws and regulations.
(c) Implementation of Quality Control System: Technical Reviewer appointed by QRB is required to examine whether the Audit firm has implemented a system of quality control as envisaged by SQC 1.
Meaning of Technical Standards
The term “Technical Standards” includes:
1. Accounting Standards issued by the ICAI and Accounting Standards notified u/s 133 of
Companies Act, 2013;
2. Quality Control and Engagement Standards issued by the ICAI;
3. Framework for the Preparation and Presentation of Financial Statements.
4. Statements issued by the Institute of Chartered Accountants of India;
5. Guidance Notes on accounting and auditing aspects issued by the ICAI;
6. Notifications/Directions issued by the ICAI including those of a self-regulatory nature;
7. Provisions of the various relevant Statutes and/or Regulations which are applicable in the
context of the specific engagements being reviewed.
8. Code of Ethics issued by ICAI.
Important Questions
Q. No. 1: Write short note on: Objectives of Quality Review.
Q. No. 2: Write short note on: Scope of Quality Review.

Quality Review Board – Establishment, Composition, Functions and Procedures


Establishment & Composition – Sec. 28A of CA Act, 1949
(a) The C.G. shall, by notification, constitute a QRB consisting of (a) a Chairperson, (b) 5 Members nominated by the Council and 5 Members nominated by the Central Government.
(b) The Chairperson and Members of QRB shall be appointed from amongst the persons of eminence having experience in the field of law, economics, business, finance or accountancy.
Functions of QRB – Sec. 28B
(a) to make recommendations to the Council with regard to the quality of services provided by the members.
(b) to review the quality of services provided by the members of the Institute including audit services, and
(c) to guide the Members of the Institute to improve the quality of services and adherence to the various statutory and other regulatory requirements.

Procedures to be followed by the QRB
Rule 6 of Chartered Accountants Procedures of Meetings of Quality Review Board, and Terms and
Conditions of Service and Allowances of the Chairperson and Members of the Board Rules, 2006
specifies that the Board may, in discharge of its functions:
(a) evaluate and review the quality of work and services provided by the members of the
Institute in such manner as it may decide;
(b) lay down the procedure of evaluation criteria to evaluate various services being provided
by the members of the Institute and to select, in such manner and form as it may decide, the
individuals and firms rendering such services for review;
(c) call for information from the Institute, the Council or its Committees, Members, Clients of
members or other persons or organizations, in such form and manner as it may decide;
(d) invite experts to provide expert/technical advice or opinion or analysis on any matter or
issue which the Board may feel relevant for the purpose of assessing the quality of work
and services offered by the members of the Institute;
(e) make recommendations to the Council to guide the members of the Institute to improve
their professional competence and qualifications, quality of work and services offered and
adherence to various statutory and other regulatory requirements and other matters
related thereto.
Important Questions
Q. No. 3: Write short note on: Procedures to be followed by the Quality Review Board in discharge of its
functions.
HINT: Refer the topic “Procedures to be followed by the Quality Review Board”

Quality Review Process


Essentials required for quality of Quality Review Process
Quality of a quality review may be affected by the below mentioned factors:
(a) Knowledge & experience of technical reviewer
(b) Time devoted by technical reviewer
(c) Composition of quality review team
(d) Understanding of objective and scope of work
(e) Monitoring, direction and supervision of the quality review team by the technical reviewer
Stages Involved in Quality Review Assignment
1. Selection of Audit Firm and Technical Reviewer to conduct Quality Review and sending Offer Letter of Engagement to the Technical Reviewer.
2. Technical Reviewer to convey his acceptance of Letter of Engagement by sending necessary declarations for meeting eligibility conditions and furnishing statement of confidentiality by the Technical Reviewer and his assistant/s, if any.
3. Intimation to the Audit Firm about the proposed Quality Review and acceptance of the assignment by the Technical Reviewer. Also marking a copy of the intimation to the Technical Reviewer.
4. Technical Reviewer to send the specified Quality Review Program General Questionnaire to the Audit firm for filling-up and call for additional information from the Audit Firm, if required.
5. Technical Reviewer to carry out the Quality Review by visiting the office of the Audit Firm by fixing the date as per mutual consent.
6. Technical Reviewer to send the preliminary report to Audit firm.
7. Audit firm to submit representation on the preliminary report to the Technical Reviewer.
8. Technical Reviewer to submit final report along with a copy of Annual report of the company/entity for the year, as specified, to the Board in the specified format, on their (individual) letterhead, duly signed and dated within 45 days from the date of acceptance of the assignment.
   In addition, they shall also send a copy of their final report to the Statutory Auditor/Audit firm, requesting the firm to send their submissions thereon to the Board within 7 days of receipt of the final report with a copy to Technical Reviewer. Upon receipt of their final submission, Technical Reviewer shall submit within next 7 days a summary of their findings, reply of the audit firm thereon along with their final comments in the specified format.
9. Quality Review Group to consider the report of the Technical Reviewer and responses of the Audit firm and make recommendations to Quality Review Board.
10. Quality Review Board to consider the report of the Quality Review Group and decide.

Selection of Audit Firm and Technical reviewer
The Board may decide the audit firms on the basis of following criteria:
(a) Criteria based on companies whose accounts have been audited: In the initial stage, the
audited accounts of companies having wider public interest, such as listed companies, may
be selected on the basis of one or more of the following:
• random selection;
• on account of being a part of a sector otherwise identified as being susceptible to risk on
the basis of market intelligence reports;
• regulatory concerns pointing towards stakeholder risks;
• reported fraud or likelihood of fraud;
• major non-compliances with provisions relating to disclosures under relevant statutes.
The Board may review the general purpose F.S. of the enterprises and the auditor’s report
thereon either suo moto or on a reference made to it by any regulatory body like RBI, SEBI,
IRDA, MCA etc.
The criteria for selection of general purpose F.S. of the PSUs may be separately determined
by the Board.
(b) Criteria based on Audit Firms auditing the accounts: Selection of audit firms should also
be made for review of their work on the basis of one or more of the following:
• random basis,
• the volume of work handled by them represented by the number and nature of clients,
• their involvement in sectors that may be identified as facing high risk, as well as on
account of their reported involvement in fraud or likelihood of fraud.
Audit firms auditing large as well as mid-cap/small cap companies may be selected for the
purpose.

Execution (On Site Visit)
Technical Reviewers for carrying out the quality review assignment, could undertake a
maximum of one on-site visit to the Statutory Audit firm which shall not extend beyond seven
days or, in exceptional circumstances, such other extended period, for specific reasons to be
recorded in writing, with the prior approval of the Chairperson, QRB, which shall not, in any case,
extend beyond 14 days.
For this purpose, they could also take the assistance of not more than three assistants who:
(a) shall be chartered accountants;
(b) do not attract any of the disqualifications prescribed under the CA Act, 1949;
(c) shall also have to sign the statement of confidentiality in a prescribed format;
(d) shall have no direct interface either with the audit firm under review or the Board;
(e) should have been working with them for at least one year as a member/a partner in the CA
firm with them;
(f) should not have been associated with the Statutory auditor/audit firm under review and
the company/entity selected during last three financial years and/or thereafter.
Evaluation of Findings
If Technical reviewer or Quality Review team finds a non-compliance with
one or more SAs or ASs or disclosure requirements as applicable to the
engagement, they are required to evaluate the finding in the light of the
following considerations:
(a) Responses given by the engagement team: Responses given by the
engagement team are important to determine the extent of non-
compliance. These responses help the Technical reviewer in
understanding the perspective and the circumstances in which the
audit procedures were carried out.
(b) Materiality of the items of the financial statements involved;
(c) Accounting and auditing practices under the legal and regulatory
framework applicable to the industry to which the audit client belongs;
and
(d) If the findings are related to non-compliance with the procedures
required to be performed in accordance with the SA, whether the
engagement team carried out alternative procedures to obtain
sufficient appropriate audit evidence in relation to the financial
statement assertion under question.
Reporting
• The reviewer, after completion of his review, is required to submit a preliminary report to the audit firm on the review of the quality of audit and reporting by the auditors in the general purpose F.S. within the specified period of time before submitting the final report to the Board.
• The Board may, however, extend the time limit for submission of preliminary review report. The reviewer, based upon his satisfaction from the representation by the audit firm, may decide to issue either an interim report or a final report to the Board.
• The reviewer should adhere to the principle requirements while preparing his report. The requirements apply to the interim as well as the final reports of the reviewer.
• Reviewers, based on the conclusions drawn from the review, shall issue a preliminary report and subsequently the final report. A clean report indicates that the reviewer is of the opinion that the affairs are being conducted in a manner that ensures the quality of services rendered. However, a reviewer may qualify the report due to one or more of the following:
  (a) non-compliance with technical standards;
  (b) non-compliance with relevant laws and regulations;
  (c) quality control system design deficiency;
  (d) non-compliance with quality control policies and procedures; or
  (e) non-existence of adequate training programmes for staff.
Principle Requirements of Reporting
• Quality Review process enables the Technical Reviewers to express an opinion on whether the system of quality control for the attestation services of the firm under review has been designed so as to carry out professional attestation services assignments in a manner that ensures compliance with the applicable Technical standards and maintenance of the quality of attestation service work they perform.
• The Technical Reviewer’s review would not necessarily disclose all weaknesses in the quality of attestation work or all instances of lack of compliance with applicable Technical Standards.
• There are inherent limitations in the effectiveness of any system of quality control; departure from the system may occur and not be detected.
• Projection of any evaluation of system of quality control to future periods is subject to the risk that the system of quality controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate. In the process, the Technical Reviewers also identified what they considered to be deficiencies and any defects in, or criticisms of the firm’s quality control system.
Basic elements of the Reviewer’s Report
The report should contain:
(a) Elements relating to audit quality of companies:
(i) A reference to the description of the scope of the review and
the period of review of audit firm conducted along with
existence of limitation(s), if any, on the review conducted with
reference to the scope as envisaged.
(ii) A statement indicating the instances of lack of compliance with
technical standards and other professional and ethical
standards.
(iii) A statement indicating the instances of lack of compliance with
relevant laws and regulations.

(b) Elements relating to quality control framework adopted by the
audit firm in conducting audit:
(i) An indication of whether the firm has implemented a system of
quality control with reference to the quality control standards.
(ii) A statement indicating that the system of quality control is the
responsibility of the reviewed firm.
(iii) An opinion on whether the reviewed firm’s system of quality
control has been designed to meet the requirements of the
quality control standards for attestation services and whether
it was complied with during the period reviewed to provide the
reviewer with reasonable assurance of complying with
technical standards in all material respects.
(iv) Where the reviewer concludes that a modification in the report
is necessary, a description of the reasons for modification. The
report of the reviewer should also contain the suggestions.
(v) A reference to the preliminary report.
(vi) An attachment which describes the quality review conducted
including an overview and information on planning and
performing the review.
The Quality Review Report should be issued on the reviewer’s
(individual) letterhead and signed by the reviewer. The report
should be addressed to the Board and should be dated as of the
date of the conclusion of the review.
Guidelines for qualifying Review Report
In deciding on the type of report to be issued, a reviewer should
consider the evidence obtained and should document the overall
conclusions with respect to the year being reviewed in respect of
following matters:
(a) whether the policies and procedures that constitute the reviewed
firm’s system of quality control for its attestation services have
been designed to ensure quality control to provide the firm with
reasonable assurance of complying with technical standards.
(b) whether personnel of the reviewed firm complied with such
policies and procedures in order to provide the firm with
reasonable assurance of complying with technical standards.
(c) whether independence of audit firm/auditors is maintained in
conducting audit.
(d) whether the firm has instituted adequate mechanism for training of
staff.
(e) whether the audit firm ensures the availability of expertise and/or
experienced individuals for consultation with the consent of the
auditee.

(f) whether the skill and competence of assistants are considered
before assignment of attestation engagement.
(g) whether the progress of attestation service is monitored and work
performed by each assistant is reviewed by the service in charge
and necessary guidance is provided to assistants.
(h) whether the audit firm has established procedure to record the
audit plan, the nature, timing and extent of auditing procedures
performed and the conclusions drawn from the evidences obtained.
(i) whether the audit firm maintains the permanent file and the
current file as per the standards laid down by the ICAI.
(j) whether the audit firm verifies compliance with laws and
regulations to the extent it has material effect on financial
statement.
(k) whether the internal controls within the audit firm contribute
towards maintenance of quality of reporting.
Actions that may be recommended by the Board
The actions that the Board may recommend include:
(a) Referring the case to the Director (Discipline) of the Institute for necessary action under
the Chartered Accountants Act, 1949;
(b) Informing the details of the non-compliance to the regulatory body relevant to the
enterprise;
(c) Intimating the Auditor as to the findings of the Report as well as action initiated under Para
25 (a) and/or (b);
(d) Considering the matter complete and informing the audit firm/auditor accordingly.

Important Questions
Q. No. 12: List the stages involved in the Quality Review Process.
Q. No. 13: What are the reporting responsibilities of the technical reviewer while carrying out a Quality
review assignment?
HINT: Refer the topic “Principle Requirements of Reporting”.
Q. No. 14: What are the consequences if the Quality review board notices major non-compliances with the
requirements of the Standards on quality control or standards on auditing or accounting
standards?
HINT: Refer the topic “Actions that may be recommended by the Board”.

Technical Reviewer
Objectives
The scope & objective of the quality reviews conducted by the Technical Reviewers includes the
following:
(a) To examine whether the Statutory Auditor has ensured compliance with the applicable
technical standards in India and other applicable professional and ethical standards.
(b) To examine whether the Statutory Auditor has ensured compliance with the relevant laws
and regulations.
(c) To examine whether the Statutory Auditor/Audit firm has implemented a system of quality
control with reference to the applicable quality control standards.

(d) To examine whether the Statutory Auditor has considered SA 240, "The Auditors’
Responsibilities relating to Fraud in an Audit of Financial Statements" issued by the ICAI.
(e) To examine whether there is no material misstatement of assets and liabilities as at the
reporting date in respect of the company/entity audited by the Statutory Auditor/Audit firm.
Independence & Qualification
To ensure independence and avoid conflict of interest, the eligibility conditions were specified
for carrying out the specified quality review assignment. Technical Reviewers are required to
submit a declaration of eligibility before starting the assignment on such conditions. The
conditions are:
(a) No disciplinary proceeding under the Chartered Accountants Act, 1949 is pending against
him/her or any disciplinary action under the Chartered Accountants Act, 1949/penal action
under any other law taken/pending against him/her during last 3 financial years and/or
thereafter.
(b) That he or his firm or any of the network firms or any of the partners of his firm or that of the
network firms is not the statutory auditor of the company, or have rendered any other
services to the said company/entity during last three financial years and/or thereafter.
(c) That he or his firm or any of the network firms or any of the partners of his firm or that of the
network firms is not having any association with the specified statutory audit firm, during
the last three financial years and/or thereafter.
(d) That he complies with all the eligibility conditions laid down for appointment as an auditor
of a company u/s 141(3) of the Companies Act, 2013 which apply mutatis mutandis in respect
of his review of the quality of statutory audit of the company/entity, as specified, so far as
applicable.
Empanelment
To be empaneled with QRB, a member of the institute must satisfy the following criteria:
(a) He must have minimum 15 years of post-qualification experience as a CA and be currently
active in the practice of accounting and auditing;
(b) He should have handled as a signing partner/proprietor at least 3 statutory audit
assignments as a Central Statutory Auditor of Banks/Public Limited Companies/
Government Companies/Private Limited Companies having annual turnover of ₹ 50 Cr. and
above during the last 10 financial years; Provided that out of the aforesaid 3 statutory audit
assignments, at least one must be in respect of entities other than Private Limited Companies;
(c) He should not have any disciplinary proceeding under the Chartered Accountants Act, 1949
pending against him or any disciplinary action under the Chartered Accountants Act,
1949/penal action under any other law taken/pending against him during last three financial
years and/or thereafter.
(d) He should not currently be a Member of the QRB or ICAI’s Central Council/Regional
Council/Branch level Management Committee.
Confidentiality
Statement of Confidentiality
• QRB considers confidentiality of information pertaining to the quality
review assignments to be of paramount importance.
• Hence, Technical Reviewers are required to ensure that all information,
papers, materials, documents etc. relating to the company/audit firm,
as selected and assigned to them, that they will gain during the course
of assignment are kept in strict confidence.
• Accordingly, they were required to send duly signed statement of
confidentiality including by each one of their assistants in a
prescribed format.
No conflict of interest
• QRB also viewed that there should be no conflict of interest of all
those connected with the entire review process.
• The Board decided that all persons involved with the entire review
process including members of Board/Group, Technical Reviewers,
his/her assistants and QRB secretariat shall maintain confidentiality of
information obtained during reviews and also appropriately disclose
to the Board, from time to time, their interests or that of the partners
of their firm or their relatives, if any, in relation to statutory audit firm
being reviewed by Board or entity concerned whose audit was selected
for review.

Quality Review Groups


Constitution of Quality Review Groups
• The Board may constitute one or more Quality Review Groups to conduct preliminary
reviews of the general purpose financial statements, with a view to assessing the quality of
audit and reporting by the auditors, in consultation with the Board. There could be two
categories of the Review Groups: (a) Industry Specific; and (b) Generic.
• Industry Specific Review Groups may be constituted for reviewing general purpose financial
statements of enterprises associated with a particular industry, for example, banking,
insurance, electricity, mutual funds, merchant bankers, etc.
• Each Review Group would be assisted by Technical Reviewer(s), who may be an
outsourced service provider. The job of the Technical Reviewer(s) would be to prepare a
report on the review of general purpose financial statements, with a view to assessing the
quality of audit and reporting by the auditors, and the review of quality control framework
adopted by the auditors/auditing firms in conducting audit.
Functioning of the Review Groups
• The report prepared by the Technical Reviewer may be considered at the meetings of the
Review Group.
• The Review Group may also consult the Board on any issue, on which the Group feels that the
guidance of the Board is necessary.
• The Review Group may complete the review of cases referred to it and submit its report on
the same to the Board within the specified period of time. The Board may, however, extend
this time limit for submission of reports by the Review Group.
• The report of the Review Group shall expressly state the following:
(a) Particulars of the enterprise;
(b) A detailed description of the non-compliance with the matters stated in the Terms of
Reference of the Board, if any;
(c) A detailed description of the evidences that support the non-compliance; and
(d) Review Group’s recommendations about the actions that are required to be taken in a
particular case.

Consideration of the Reports of the Review Groups
• The Review Group’s Report on the quality of audit by the auditor of a Public-Sector
Undertaking (PSU) should be furnished to the Office of C&AG and the C&AG’s comments shall
be considered by the Board along with the Report (on the particular PSU) of the Review
Group.
• The reports of the Review Groups on the quality of audits by the auditors of enterprises
(other than PSUs) shall be placed before the Board for its consideration directly.
• The Board may, after due consideration of the report and comments of Office of C&AG,
wherever applicable, decide whether the recommendation made by the Review Group should
be accepted or otherwise.
• The Board may, suo moto, take such further action, as it may deem appropriate. If the Board
decides against the recommendations made by the Review Group in its report, the Board shall
record the reasons for doing so.

Miscellaneous Topics of Quality Review


Broad Checklist for Quality Reviews
In addition to compliance with the statutory provisions and technical standards, the following
broad checklist may be considered for Quality Reviews:
1. Whether the company has prepared and presented the financial statements in the format
relevant to it?
2. Examine the accounting policies of the enterprise.
• Are all the accounting policies in accordance with the requirements of the applicable
accounting standards and Guidance Notes, issued by the ICAI.
• Whether all significant accounting policies that should have been disclosed are
disclosed.
• Whether the auditor has appropriately dealt with in his report the deviations from
accounting standards.
3. Verify whether the disclosures required by the law/regulations, requirements prescribed
by the regulations and those required by the accounting standards have been made.
4. Where the audit report is qualified:
• Whether the qualifications have been made in a clear and unambiguous manner;
• Whether the qualifications made have been quantified? If not, whether adequate
justification is provided for the same;
• Whether the auditor has considered the overall effect of the qualifications on the true
and fair view presented by the financial statements.
5. Whether the auditor has complied with the requirements of the SA-700, The Auditor’s
Report on Financial Statements, and the Statement on Qualifications in Auditor’s Report, in
the preparation of audit report.
6. Examine the financial statements with a view to ascertain whether there is any unusual
accounting treatment/accounting entry? If yes, comment on how it has been dealt with in
the financial statements.
7. Does the auditor/audit firm have a policy to ensure independence, objectivity and integrity,
on the part of partners and staff? Who is responsible for this policy?
8. Does auditor monitor compliance with policies and procedures relating to independence?
9. Does the auditor/audit firm have an established recruitment policy? Does the auditor
conduct programmes for developing expertise in specialised areas and industries?

10. Does the auditor/audit firm have established procedures for record retention, including security
aspects?
11. Does the auditor/audit firm evaluate the accounting and internal control systems of the
auditee?
12. Whether the procedures followed ensure that audit report is in accordance with the
relevant authoritative requirements or technical standards including accounting
standards?
Illustrative Qualifications on Non-Compliance with Standards on Auditing
1. SA 210 - The Audit firm has not issued the Engagement letter for the audit assignment,
review of unaudited financial statements, assignment and corporate governance and other
certificate assignments.
2. SA 220 - Periodic internal inspection for compliance with the firm’s independence policies
and procedures was not undertaken.
3. SA 230 - Documentation to show whether the audit firm has identified and assessed risks
of material misstatement, whether due to fraud or error, based on an understanding of the
entity and its environment was not in detail and in structured format.
4. SA 240 - It was difficult to conclude whether fraud risk factors were considered during the
audit of the Company’s financial statements. Audit process in relation to fraud inquiry
procedures were not performed and hence not documented.
5. SA 265 - There was no documentation to substantiate communication by the auditor with
management in writing, about significant deficiencies in internal control that the auditor
has communicated or intends to communicate to those charged with governance, unless it
would be inappropriate to communicate directly to management in the circumstances.
6. SA 299 - No formal records were maintained for discussion between the joint auditors.
7. SA 320 - No evaluation had been done to determine the materiality level for particular class
of transactions, account balances or disclosures.
8. SA 530 - Selection of samples was not on scientific basis and ad hoc selections were made.
Illustrative Qualifications on Non-Compliance with Accounting Standards
1. AS 1 - Company had not made disclosure in significant accounting policy about use of
estimates.
2. AS 2 - The description of certain inventories stated did not tally with the description as
mentioned in the Notes.
3. AS 3 - Closing cash and cash equivalent included fixed deposits maturing after 1 year and
fund earmarked for unpaid dividend which was not cash and cash equivalent as per AS-3.
4. AS 9 - Accounting policy on revenue recognition did not capture the point of recognition
where significant risks and rewards were transferred.
5. AS 11 - Reconciliation of opening and closing balances of foreign currency translation
reserves had not been made in accordance to Para 40(b) of AS-11.
6. AS 15 - Enterprise had not complied with AS-15 since actuarial adjustments were not
included as part of employee benefits.
7. AS 19 - Company had not framed any accounting policy in relation to both Operating Leases
and Financial Leases.
8. AS 20 - Basic & Diluted Earnings per share had not been separately disclosed on the face of
the Statement of Profit and Loss as per AS-20, even though both were same.

Important Questions
Q. No. 15: Give examples of areas w.r.t. Standards of Auditing on which the reviewer may qualify the report?
HINT: Refer the topic “Illustrative Qualifications on Non-Compliance with Standards on Auditing”

Chapter 22 -
Special Audit Assignments

Audit of Stock and Debtors (Unit Inspection)


Introduction
Pre-sanctioning and Post Disbursements review, monitoring and supervision of advances in case
of banks include Unit Inspection that comprises audit of stock and debtors. It may be carried
out either by Concurrent Auditors or by external auditors (empaneled with bank).
Scope of audit, extent of verification and format of reporting are prescribed by the Banks.
Purpose of unit inspection
(i) To verify the working of borrowal unit.
(ii) To confirm correctness of statements and information furnished to the bank.
(iii) To ensure end use of funds provided by the bank as per terms of sanctions.
(iv) To ensure that the stock available is marketable and properly insured.
(v) To ensure that the book debts are not older and are recoverable.
Audit Process for unit Inspection
Preparation for inspection
1. List the locations to be visited.
2. Verify the documents available with the bank like promissory note,
sanction letter, mortgage deed, visit reports, insurance policy documents,
stock statements, debtors statement, etc.
3. List primary and secondary securities mortgaged/hypothecated/pledged
with the bank.
4. Verify the projections to estimate the stock levels and debtors balances at
the time of Inspection.
5. Verify previous monthly stock statements to identify movements in stocks.
6. Identify major debtors balances.
7. Make scrutiny of cash credit account to reveal diversion of funds, off
balance sheet items serviced to other lenders by the borrower.
8. Refer last inspection reports to note the defects already found and
responses thereto by the borrower.
9. Arrange to refer books of account of the borrower including excise record.
10. Understand process to know, how work in progress is valued.
11. Arrange for physical verification of stock at all locations.
12. Take current list of debtors and creditors including advances received and
paid.
Information to be collected from branch
1. Nature of borrowing arrangements – Sole finance or Consortium finance.
2. Borrower’s information as to constitution, nature of business, nature of
Stock etc.
3. Information (Sanction limit, value of security, drawing power, outstanding
balance and extent of irregularity) about all types of advances, i.e., Term
Loans, CC, OD, Bill Discounting, Guarantees, LCs, etc.
4. Last Renewal or Review date.
5. Validity of sanction.
6. Documentation of the borrower for all loan accounts.
7. Creation of Charge, first charge, second charge and pari-passu charge.
8. Last available Balance confirmation.

9. Insurance cover for all Fixed and Current assets.
10. Interest application – rate, calculations and frequency.
11. Regularity of repayments.
12. Irregularities in the account like excess drawings.
13. Compliance of terms and Conditions of sanctions.
14. Information by the borrower of Recent Stock/book debt Statements and
Last Audited Financial Statements
15. Overdue bills, bank guarantees and LCs.
16. Invocation of Bank Guarantee – Reason for invocation and how adjusted.
17. Non reversal of Expired guarantees.
Information to be collected at the time of visit
About Godown
• Restricted access to godown.
• Security arrangements at godown.
About Stock
• General Storage condition of stock.
• Reconciliation of stock available at the time of
Inspection with stock in books.
• ABC analysis of stock
• Method of stock valuation and comments of statutory
auditor thereon.
About manufacturing and related stock records
• Production details such as Licensed capacity, installed
capacity and actual capacity utilization.
• Details of stock sent out for job work.
• Stock received for job work.
About Book Debts
• Party wise / Age wise break-up of book debt
• Correctness of debtors ageing reported to bank.
• Average recovery time of book debts
Drawing Power Calculation
• Drawing power is calculated by deducting unpaid stock,
stock under Bills, stock under packing credit,
obsolete/non-saleable stock, unrelated stock/old stock,
margin from aggregate value of Stock and Debtors
• Stock belonging to sister concerns
• Stock holding as a percentage of sales
• Any abnormal change in stock levels with reasons.
Finding of Inspection
About Stock
• Address of Godown or the borrower does not match
with the documents available with the bank.
• Stock statement includes non-moving, slow moving or
non saleable stock.
• Valuation of stock not done properly.
• Safety arrangements are not adequate.
• Billing to sister concerns not supported by stock
movement.
• Differences in physical stock available and book stock.
About Debtors
• Ageing of debtors indicating long outstanding debit
balances or irrecoverable balances.
• Advances received not deducted from debtors balances.
• Debtors statement includes the amount written off in
the books.
• Request made to debtors to pay directly to the creditors
so as to avoid the margin required to adjust the default
in term loans.
About Creditors
• Suppliers name on the bills and on the stock packing do
not tally thereby indicating either stock does not belong
to the borrower or the bills are fake.
• Actual creditors are substantially higher than as
reported to bank.
• Debit balances/Advances to creditors shown as
debtors.
Others
1. Drawing Power not properly calculated.
2. All sales receipts are not deposited in bank Account.
3. Bank accounts opened with other banks without
permission of the lending bank.
4. Multiple financing availed without permission of the
lending bank.
5. Change in constitution not informed to the bank.
6. Insurance company not informed about temporary
change in location.
7. Transactions with related parties are not carried at
arm’s length prices.
8. Name plate of the bank not displayed outside and inside
the godown.
9. Excessive stock holding noticed in certain items, which
is not supported by business plan.
10. Cash sales not deposited in bank account.
11. Assets are not adequately insured.
12. Defects found in last inspection are not yet rectified.
Report
(i) Report should be made in the format prescribed by the bank.
(ii) Before writing the report, adverse findings should be discussed with the
borrower and the bank officials.
(iii) Difficulties, if any faced by the auditor in carrying out the inspection needs
to be informed to the bank timely.
(iv) Inspection should be carried out within reasonable time and report should
be submitted timely.

Important Questions
Q. No. 1: Write short note on: Purposes of Unit Inspection.
Q. No. 2: List the information to be collected at the time of visit of unit inspection w.r.t. following:
(a) Stock
(b) Manufacturing and related stock records.
(c) Book Debts
(d) Drawing Power Calculation

Chapter 24 -
Audit of Insurance Companies

Audit Procedures in case of Life Insurance Business


Actuarial Process
The role of Actuaries in life insurance business is to concentrate on following key areas:
1. Product Development/ Pricing and Experience analysis.
2. Model Development.
3. Statutory Valuations and reserving.
4. Business Planning.
5. Solvency management.
6. Management reporting on various business valuations and profitability models of the Life
Insurance business.
Role of Auditor
• To certify, whether the actuarial valuation of liabilities is duly certified by the appointed
actuary, including to the effect that the assumptions for such valuation are in accordance
with the guidelines and norms, if any, issued by the authority and/or the Actuarial
Society of India in concurrence with the IRDA.
• For this purpose, auditors generally rely on the Certificate issued by the Appointed
Actuary, certifying the Policy liabilities. However, he may discuss with the Actuaries with
respect to process followed and assumptions made by him before certifying the Policy
liabilities.
Underwriting
Underwriting is the process of verifying the level of risk in each new entrant. Underwriter assesses
the risk and determines the premium to be charged. The function of the underwriter is to:
(a) acquire or to “write” business that will bring money to the insurance company, and
(b) to protect the company’s business from risks that they feel will make a loss.
Role of Auditor
• To review the process of acceptance of risk through the underwriting process.
• Evaluate and test the effectiveness of internal controls in place to ensure timely and
accurate Insurance policy, adherence to the IRDA Act and Rules and regulations made
thereunder.
Reinsurance
It is a risk mitigating tool adopted by Insurer whereby the risk underwritten by one Insurer is
transferred partially to another Insurer.
Role of Auditor
(a) To check and confirm that reinsurance premium calculation and payment is in
accordance with the agreement with the reinsurer.
(b) To check whether necessary provision has been made for outstanding reinsurance
premium and is properly accounted for in books of accounts under respective heads.
(c) To verify the agreements entered with the reinsurer.
(d) To verify whether Insurer has adhered to the terms and conditions of the agreement.
(e) To verify payments made to the reinsurer.

Free Look Cancellation (FLC)
• Free Look Cancellation is an option provided to the policyholder wherein he has a period of 15
days from the date of receipt of the policy document to review the Terms & Conditions of the
policy and in case of disagreement to any of the terms & conditions, he/ she has the option to
return the policy stating the reason for policy’s cancellation.
• FLC requests can be received through any mode - mail, fax and letters depending on insurer’s
policy. In case of written letters the signature of the policy holder should be matched with the
original proposal form.
• FLC request is processed only when the policy holder is not satisfied with the terms and
conditions of the policy document and not for any other reasons.
• FLC refund is paid either by cheque or in case the policy holder wants direct credit, then consent
for direct credit along with cancelled cheque for bank account details is submitted.
Role of Auditor
(a) To check and confirm that Free Look Cancellation requests are received within 15 days
from receipt of policy document by the policy holder.
(b) To verify signatures of the policy holder and processing of Free look cancellation request
within time defined by the insurer.
(c) To check recording of appropriate accounting entries for refund.
Policy Lapse and Revival
• Discontinuation of the policy owing to non-payment of premium dues is known as lapse.
Lapsation affects all the stakeholders – the policy holder, agents and the insurer. A lapsed policy
ceases to provide insurance protection to the insured. It forfeits the benefits under the policy
and cost of new policy is higher. Agents do not get renewal premium commission if the policy
is lapsed.
• The terms and conditions of the policy stipulate, that where the premium is not paid within the
grace period, the policy lapses but may be revived during the life time of the life assured. Some
insurers do not allow revival, if the policy has remained in lapsed condition for more than
specified period. This is because of the possibility that the arrears of premiums on such a policy
would be too heavy and that it would be better to take out a fresh policy.
Role of Auditor
(a) To check and confirm that due dates are recorded and monitored properly and policies
are marked as “lapsed” on non-receipt of renewal premium within due dates/grace
period.
(b) In case of revival request, check whether adequate checks are in place for receipt of
outstanding amounts and adequate documents are obtained before reviving the policy.
Policy Surrender
• Voluntary termination of the insurance contract before the expiry of the term of the contract is
known as surrender of policy. A policy becomes eligible for surrender on completion of 3 years
from the commencement of the policy provided that 3 years premium have been paid within
the due dates.
• The policy holder has to submit surrender request form duly signed off by him along with the
original policy document and the discharge voucher.
Role of Auditor
(a) To check and confirm that surrender requests are received from the policy holder only.
(b) To check that adequate controls are in place to ensure proper verification process for
checking of request, whether premiums are paid on regular basis.
(c) To check whether surrender amount is paid only to the policy holder and is paid only as
per terms and conditions mentioned in the policy document
(d) To check whether appropriate accounting entries are passed.
Premium Collection
Premium refers to consideration received by insurance company from the policy holder. Premium
income is recognized as:
(1) New business premium – premium received for the first policy year and
(2) Renewal premium – premium received for subsequent policy years.
Premium received but not identifiable against any policy would be treated as ‘unallocated
premium’/‘suspense amount’.
Role of Auditor
Collection of Premium
(a) To check existence of appropriate mechanism to ensure all the
collections are deposited into the Bank on timely basis.
(b) To check whether there is daily reconciliation process to
reconcile the amounts collected, entered into the system and
deposited into the bank.
Calculation of Premium
(a) To check that accounting system calculates premium amounts
and their respective due dates correctly.
(b) To check that system is equipped to calculate all types of
premium modes correctly.
Recognition of Income
(a) To ensure that premium is recognised only on the basis of
‘Issued Policies’ and not on underwriting dates.
(b) To check that there is appropriate mechanism in place to
conduct reconciliation on daily basis and reconciling items, if
any, are rectified/ followed up.
Accounting of ‘Advance Premium’
(a) To check, whether system has capability to identify regular and
advance premium.
(b) To check whether there is a process of applying advance
premium to a contract when premium is due.
Claims
Primary objective of Audit of Life Insurance Companies is checking of accuracy of processing and
accounting of claims with focus on the following areas:
• Claims lodgement and processing
• Authority for approval of claims
• Review of payouts and disbursements
• Review of compliance to Statutory Requirements and applicable IRDA Regulations.
• Review of Reinsurance claims
• Review of reporting of claims.
Role of Auditor
(a) To review the standard policy document to ensure that the policy document prescribes
the minimum documentary evidence needed to support a claim.
(b) To ensure that the insurance company maintains a register of claims, in which every
claim is entered along with the necessary details.
(c) Review the reasons for the rejections, in case of rejection of claims.
(d) Ensure complete recording of all claims received.
(e) Ensure that appropriate provisioning has been carried out, in cases of claims intimated
but not paid.
(f) Ensure that cost of claims includes the claims settlement cost.
(g) Ensure that a system of regular reconciliation is carried out between claims
management system and General ledger.
(h) Ensure that liability of claims should be booked net of reinsurance.
Investments
• The Investment portfolio of Life Insurance companies comprises Shareholders’ funds and
Policyholders’ funds.
• Policyholders’ funds can further be segregated as linked and non-linked. Investment
regulations are prescribed for different categories of investments.
• IRDA (Investment) regulations, 2000 gives details of the pattern in which Funds of the Life
Insurance business, should be kept invested at any given point of time.
Role of Auditor
(a) To review the management structure to ensure adequate segregation of duties between
Investment Front office, Mid Office and Back office.
(b) To review the operating procedures prescribed by the IRDA Regulations.
(c) To review the investment policy.
(d) To review the functioning and scope of Investment Committee.
(e) To check compliance of Investment regulations.
(f) To review cash management system to track funds available for investment considering
the settlement obligations and subscription and redemption of units, etc.
(g) To review fund wise reconciliation with investment accounts, bank, and custodian
records.
(h) To ensure that there is split between Shareholders’ and Policyholders’ funds, and
earmarking of securities between various funds namely Life (Participating & Non-
Participating), Pension & Group (Participating & Non-Participating) and Unit Linked
Fund.
(i) To review the arrangements and reconciliations of holdings with the insurer’s custodian.
(j) To review and check insurer’s Investment Accounting and valuation policy.
(k) To review the controls around personal dealings and insider trading.
Operating  All administrative expenses are broadly classified under 14 heads as mentioned in Schedule 3
Expenses forming part of Financial Statements given under Schedule A to the IRDA (Preparation of
Financial Statements and Auditor’s Report of Insurance Companies) Regulations, 2002.
 This Schedule is part of the Revenue Account to be prepared for insurance business.

Role of Auditor
(a) To ensure that operating expenses are first aggregated and then apportioned to the
Revenue Account of each class of business on a reasonable and equitable basis.
(b) To ensure that the accounting policy clearly indicates the basis of apportionment
of these expenses to the respective Revenue Accounts (i.e., Participating and Non-
participating policies and in between Linked and Non-Linked business) along with the
certificate that all expenses of management, wherever incurred, directly or indirectly,
read with the accounting policy, have been fully debited to the respective Revenue
Account as expenses.

Important Questions
Q. No. 1: What are the steps to be taken while verifying the Premium of a Life Insurance Company?
HINT: Refer to the topic “Role of Auditor in Premium Collection”.
Q. No. 2: ABC & Co., Chartered Accountants are the Auditors of Just Care Life Insurance Company Limited.
Enumerate the steps to be taken by the auditor while verifying the "Investment".
HINT: Refer to the topic “Role of Auditor in Verification of Investments”.
Q. No. 3: Briefly explain the terms policy lapse and revival in case of a Life Insurance Company and the role of
the auditor in verifying the same.
HINT: Refer to the topic “Policy Lapse/Revival”.

Chapter 25 -
Audit of NBFC

Prudential Norms
Capital  Every NBFC shall maintain a capital ratio consisting of Tier I and Tier II capital of its aggregate
Requirements risk weighted assets on-balance sheet and of risk adjusted value of off-balance sheet items,
which shall not be less than 15%.
 The Tier I capital in respect of applicable NBFCs (other than NBFC-MFI and IDF-NBFC), at any
point of time, shall not be less than 10%.
 NBFCs primarily engaged in lending against gold jewellery shall maintain a minimum Tier l
capital of 12%.
Income  The income recognition shall be based on recognised accounting principles.
Recognition  In case of NPA, income including interest/discount/hire charges/lease rentals etc. shall be
recognised only when it is actually realised.
 In case of NPA, any income recognised before the asset became NPA and remaining unrealised
shall be reversed.
Asset Classification
Every NBFC shall, after taking into account the degree of well-defined credit weaknesses and extent of dependence on collateral security for realisation, classify its lease/hire purchase assets, loans and advances and any other forms of credit into the following classes, namely:
(a) Standard assets;
(b) Sub-standard assets;
(c) Doubtful assets; and
(d) Loss assets.
Standard Assets
The asset in respect of which no default in repayment of principal or payment of interest is perceived and which does not disclose any problem or carry more than normal risk attached to the business.
Substandard Assets
• An asset which has been classified as NPA for a period not exceeding 12 months for the financial year ending March 31, 2018 and thereafter.
• An asset where the terms of the agreement regarding interest and/or principal have been renegotiated or rescheduled or restructured after commencement of operations, until the expiry of one year of satisfactory performance under the renegotiated or rescheduled or restructured terms.
Doubtful Assets
• An asset which remains a sub-standard asset for a period exceeding 12 months for the financial year ending March 31, 2018 and thereafter.
Loss Assets
• An asset identified as loss asset by the applicable NBFC or its internal or external auditor or by the Bank during the inspection of the applicable NBFC, to the extent it is not written off by the applicable NBFC; and
• An asset which is adversely affected by a potential threat of non-recoverability due to either erosion in the value of security or non-availability of security or due to any fraudulent act or omission on the part of the borrower.

Non-Performing Assets
(a) an asset, in respect of which, interest has remained overdue for a period of 3 months or more;
(b) a term loan inclusive of unpaid interest, when the instalment is overdue for a period of 3 months or more or on which interest amount remained overdue for a period of 3 months or more;
(c) a demand or call loan, which remained overdue for a period of 3 months or more from the date of demand or call or on which interest amount remained overdue for a period of 3 months or more;
(d) a bill which remains overdue for a period of 3 months or more;
(e) the interest in respect of a debt or the income on receivables under the head ‘other current assets’ in the nature of short term loans/advances, which facility remained overdue for a period of 3 months or more;
(f) any dues on account of sale of assets or services rendered or reimbursement of expenses incurred, which remained overdue for a period of 3 months or more;
(g) the lease rental and hire purchase instalment, which has become overdue for a period of 3 months or more;
(h) in respect of loans, advances and other credit facilities (including bills purchased and discounted), the balance outstanding under the credit facilities (including accrued interest) made available to the same borrower/beneficiary when any of the above credit facilities becomes non-performing asset.
Provisioning Requirements
Standard Assets
Every applicable NBFC shall make provisions for standard assets at 0.40% by the end of March 2018 and thereafter, of the outstanding, which shall not be reckoned for arriving at net NPAs.
The provision towards standard assets need not be netted from gross advances but shall be shown separately as ‘Contingent Provisions against Standard Assets’ in the balance sheet.
Substandard Assets
A general provision of 10 percent of total outstanding shall be made.
Doubtful Assets
Unsecured portion: 100% to the extent to which the advance is not covered by the realisable value of the security.
Secured portion:
Period for which the asset has been considered as doubtful | Percent of provision
Up to one year | 20
One to three years | 30
More than three years | 50
Loss Assets
The entire asset shall be written off. If the assets are permitted to remain in the books for any reason, 100% of the outstanding shall be provided for.

Chapter 28 –
Audit of PSU

Elements and Principles of PSU Auditing


Elements of Audit
Parties Involved
• The auditor: In public sector auditing the role of auditor is fulfilled by Supreme Audit Institution, India and by its personnel delegated with the task of conducting audits.
• The responsible party: In public sector auditing, the relevant responsibilities are determined by constitutional or legislative arrangement. The responsible parties may be responsible for the subject matter information, for managing the subject matter or for addressing recommendations and may be individuals or organizations. Generally, auditable entities and those charged with governance of the auditable entities would be the responsible parties.
• Intended users: The intended users are the individuals, organizations or classes thereof for whom the auditor prepares the audit report. The intended users may be legislative or oversight bodies, TCWG or the general public. The intended user is primarily the Parliament or the Legislature which represents the citizens by determining the priorities of public finance, purpose and content of public spending and income.
Subject Matter, Criteria and Subject Matter Information
• Subject matter refers to the information, condition or activity that is measured or evaluated against certain criteria.
• The criteria are the benchmarks used to evaluate the subject matter. Each audit shall have criteria suitable to the circumstances of that audit. In determining the suitability of criteria the auditor considers their relevance and understandability for the intended users, as well as their completeness, reliability and objectivity (neutrality, general acceptance and comparability with criteria used in similar audits).
• Subject matter information refers to the outcome of evaluating or measuring the subject matter against the criteria.
Types of Engagement
There are two types of engagement: Attestation Engagements and Direct Reporting Engagements.
• In attestation engagements, the responsible party measures the subject matter against the criteria and presents the subject matter information, on which the auditor then gathers sufficient and appropriate audit evidence to provide a reasonable basis for expressing a conclusion.
• In direct reporting engagements, it is the auditor who measures or evaluates the subject matter against the criteria.

Financial audits are always attestation engagements, as they are based on
financial information presented by the responsible party. Performance
audits and compliance audits are generally direct reporting engagements.
Principles of PSU Auditing
General Principles
(i) Ethics & Independence
(ii) Professional Judgement, due care and skepticism
(iii) Quality Control
(iv) Audit Team Management & Skill
(v) Audit Risk
(vi) Materiality
(vii) Documentation
(viii) Communication
Principles relating to Auditing Process
Planning an Audit
1. Auditors shall obtain an understanding of the nature of the entity/programme to be audited.
2. Auditors shall conduct a risk assessment or problem analysis and revise this as necessary in response to the audit findings.
3. Auditors shall identify and assess the risks of fraud relevant to the audit objectives.
4. Auditors shall plan their work to ensure that the audit is conducted in an effective and efficient manner.
Conducting an Audit
1. Auditors shall perform audit procedures that provide sufficient and appropriate audit evidence to support the audit report.
2. Auditors shall evaluate the audit evidence and draw conclusions.
Reporting & Follow-up
1. Auditors shall prepare a report based on the conclusions reached.
2. Follow up on reported matter as relevant.
