CA FINAL AUDIT MAY 21 UPDATES

Note : These are few minor additions /updates done via MAY 2021 Study
Material. Other additions have already been incorporated in the concept
book.

1.Risk Assessment and Internal Control

1.1 Steps for Risk Identification (NEW ADDITION)

➢ Assess the significance of the assessed risk, impact of its occurrence and also revise
the materiality accordingly for the specific account balance.

➢ Determine the likelihood for assessed risk to occur and its impact on our auditing
procedures.

➢ Document the assertions that are effected.

➢ Consider the impact of the risk on each of the assertions

➢ (completeness, existence, accuracy, validity, valuation and presentation) relevant to

the account balance, class of transactions, or disclosure.

➢ Identify the degree of Significant risks that would require separate attention and
response by the auditor. Planned audit procedures should directly address these risks.
1|Page BY CA Sanidhya Saraf
 CA FINAL AUDIT MAY 21 UPDATES

➢ Enquire and document the management’s response.

➢ Consider the nature of the internal control system in place and its possible
effectiveness in mitigating the risks involved. Ensure the controls :

❖ Routine in nature (occur daily) or periodic such as monthly.

❖ Designed to prevent or detect and correct errors.

❖ Manual or automated.

➢ Consider any unique characteristics of the risk.

➢ Consider the existence of any particular characteristics (inherent risks) in the class of
transactions, account balance or disclosure that need to be addressed in designing
further audit procedures.

➢ Examples could include high value inventory, complex contractual agreements,

absence of a paper trail on certain transaction streams or a large percentage of
sales coming from a single customer.

Possible potential misstatements – Indicators (NEW ADDITION)

Existence Recording Cut-off

Completeness • Fictitious or Procedure
•Transactions not unauthorised • Source
idenified. transactions entered • Transactions
documents that occur in
on source documents captured one period
•Source • Source documents inaccurately
documents not
are recorded
overstated • Processing of in another
prepared • Transactions transactions period.
duplicated on source inaccurate
•Source documents • Inaccuarte
documents not
captured • Capture of Source adjustments
documents duplicated made in
• Invalid source subsidiary
•Rejected Source
documents not documents captured ledgers
represented on subsidiary ledgers

2|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

1.2 General Steps in the Conduct of Risk Based Audit (Revised )

The auditor’s objective in a risk-based audit is to obtain reasonable assurance that no material
misstatements whether caused by fraud or errors exist in the financial statements.

This involves the following three key steps:

1) Assessing the risks of material misstatement in the financial statements

2) Designing and performing further audit procedures that respond to assessed risks and
reduce the risks of material misstatements in the financial statements to an
acceptably low level; and
3) Issuing an appropriate audit report based on the audit findings.

The risk-based audit process is presented in three distinct phases: Risk assessment, Risk
response; and Reporting.

1. Risk Assessment

The risk assessment phase of the audit involves the following steps:
• Performing client acceptance or continuance procedures;
• Planning the overall engagement;
• Performing risk assessment procedures to understand the business and identify inherent
and control risks;
• Identifying relevant internal control procedures and assessing their design and
implementation (those controls that would prevent material misstatements from occurring or
detect and correct misstatements after they have occurred);
• Assessing the risks of material misstatement in the financial statements;
• Identifying the significant risks that require special audit consideration and those risks for
which substantive procedures alone are not sufficient;
• Communicating any material weaknesses in the design and implementation of internal
control to management and those charged with governance; and
• Making an informed assessment of the risks of material misstatement at the financial
statement level and at the assertion level.

3|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

2. Risk response

This phase of the audit is to design and perform further audit procedures that respond to the
assessed risks of material misstatement and will provide the evidence necessary to support
the audit opinion.

4|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

Some of the matters the auditor should consider when planning the audit
procedures include:
• Assertions that cannot be addressed by substantive procedures alone. This
can occur where there is highly automated processing of transactions with
little or no manual intervention.
• Existence of internal control that, if tested, could reduce the need/scope for
other substantive procedures.
• The potential for substantive analytical procedures that would reduce the
need/scope for other types of procedures.
• The need to incorporate an element of unpredictability in procedures
performed.
• The need to perform further audit procedures to address the potential for
management override of controls or other fraud scenarios.
• The need to perform specific procedures to address “significant risks” that
have been identified.

Audit procedures designed to address the assessed risks could include a mixture of:
• Tests of the operational effectiveness of internal control; and
• Substantive procedures such as tests of details and analytical procedures.

Before the conclusion of the audit, based on the results of substantive

procedures and other audit evidence obtained by the auditor, the
auditor should consider whether the assessment of control risk is
confirmed. In case of deviations from the prescribed accounting and
internal control systems, the auditor would make specific inquiries to
consider their implications. Where, on the basis of such inquiries, the
auditor concludes that the deviations are such that the preliminary
assessment of control risk is not supported, he would amend the same
unless the audit evidence obtained from other tests of control supports
that assessment. Where the auditor concludes that the assessed level of
control risk needs to be revised, he would modify the nature, timing and
extent of his planned substantive procedures.

5|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

3. Reporting

The final phase of the audit is to assess the audit evidence obtained and determine whether
it is sufficient and appropriate to reduce the risks of material misstatement in the financial
statements to an acceptably low level.

It is important at this stage to determine:

• If there had been a change in the assessed level of risk;

• Whether conclusions drawn from work performed are appropriate; and
• If any suspicious circumstances have been encountered.
Any additional risks should be appropriately assessed, and further audit procedures performed
as required.

When all procedures have been performed and conclusions reached:

• Audit findings should be reported to management and those charged with governance;
and
• An audit opinion should be formed, and a decision made on the appropriate wording for
the auditor’s report.

6|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

2. Internal Audit

1.Definition of Internal Audit:

As defined in Framework Governing Internal Audits, “Internal Audit provides

independent assurance on the effectiveness of internal controls and risk management
processes to enhance governance and achieve organisational objectives.”

The Framework also indicates the nature of internal audit services may go beyond
assurance to include an advisory (consulting) role. Further, the internal auditing need
not to be confined financial transactions only. The objectives and scope of Internal
Audit Function as per SA 610, “Using the Work of an Internal Auditor” may include:

• Monitoring of internal controls;

• Examination of financial and operating information

• Review of operating activities

• Review of compliance with laws and regulations

• Risk management

• Governance

2. INTEGRITY, OBJECTIVITY AND INDEPENDENCE OF INTERNAL

AUDITOR
There is a set of core principles fundamental to the internal audit function and activities.
These basic principles of internal audit are critical to achieving the desired objectives as set
out in the Definition of Internal Audit. The Basic Principles of Internal Audit are a set of core
principles fundamental to the function and activity of internal audit.

1. The Internal Auditor shall be free from any undue influences which force him to
deviate from the truth. This independence shall be not only in mind but also in
appearance. Also, the internal auditor shall resist any undue pressure or interference
in establishing the scope of the assignments or the manner in which these are
conducted and reported, in case these deviate from set objectives.

2. The independence of the internal audit function as a whole, and the Internal
Auditor within the organisation, plays a large part in establishing the independence
of the Internal Auditor. The overall organisation structure of key personnel, the
position and reporting of the Chief Internal Auditor within this structure, along with
the powers and authority which is derived from superiors further establishes the
independence of the Internal Auditor.

7|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

3. The Internal Auditor shall be honest, truthful and be a person of high integrity.
He shall operate in a highly professional manner and seen to be fair in all his
dealings. He shall avoid all conflicts of interest and not seek to derive any undue
personal benefit or advantage from his position.

Examples:

(i) To avoid any conflict of interest, the internal auditor should not review an
activity for which he was previously responsible. It is also expected from the
management to take steps necessary for providing an environment conducive to
enable the internal auditor to discharge his responsibilities independently and
also report his findings without any management interference.

(ii) In the case of a listed company, the internal auditor may be required to report
directly to those charged with governance, such as the Audit Committee instead
of the Chief Executive Officer or the Chief Financial Officer. The internal
auditor should immediately bring any actual or apparent conflict of interest to
the attention of the appropriate level of management so that necessary
corrective action may be taken.

3. INTERNAL AUDIT REPORT (IMPORTANT)

As per Standard on Internal Audit (SIA) 370 Reporting Results, reporting of internal audit
results is generally undertaken in two stages:

At the end of a particular audit assignment, an “Internal Audit Report”

covering a specific area, function or part of the entity is prepared by the
Internal Auditor highlighting key observations arising from those assignments.
This report is generally issued with details of the manner in which the
assignment was conducted and the key findings from the audit procedures
undertaken. This report is issued to the auditee, with copies shared with local
and executive management, as agreed during the planning phase.

On a periodic basis, at the close of a plan period, a comprehensive report of all

the internal audit activities covering the entity and the plan period is prepared
by the Chief Internal Auditor (or the Engagement Partner, in case of external
service provider). Such reporting is normally done on a quarterly basis and
submitted to the highest governing authority responsible for internal audits,
generally the Audit Committee. Some part of the aforementioned Internal
Audit Reports may form part of the periodic (e.g. Quarterly) report shared
with the Audit Committee.

8|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

This Standard on Internal Audit (SIA) deals with the internal auditor’s responsibility to issue
only the first type of reports, the Internal Audit Report pertaining to specific audit
assignments and not to the periodic (e.g. Quarterly) reporting for the whole entity as per the
Annual/Quarterly audit plan.

On the basis of the internal audit work completed, the Internal Auditor shall issue a clear, well
documented Internal Audit Report which includes the following key elements:

(a) An overview of the objectives, scope and approach of the

audit assignments;

(b)The fact that an internal audit has been conducted in

accordance the Standards of Internal Audit;

(c) An executive summary of key observations covering all

important aspects, and specific to the scope of the assignment;

(d) A summary of the corrective actions required (or

agreed by management) for each observation; and

(e)Nature of assurance, if any, which can be derived from

the observations.

The content and form of the Internal Audit Report are to be

established by the Internal Auditor based on his best professional judgement, in consultation with
the auditee and, if necessary, with inputs from other key stakeholders. No internal audit report
shall be issued in final form unless a written draft of the report has previously been shared
with the auditee.

The internal audit report shall be issued within a reasonable time frame from the completion of
the internal audit work.

9|Page BY CA Sanidhya Saraf

 CA FINAL AUDIT MAY 21 UPDATES

1. Basis of Internal Audit Report: Each internal audit report is prepared on the basis of the audit
procedures conducted and the analysis of the audit evidence gathered. Conclusions reached shall
be based on all the findings rather than on a few deviations or issues noted. Controls operating
effectively have their own importance and should be acknowledged, while the risk and
significance of observations noted have a role to play in prioritising the matters to be reported.

2. Conducted in Accordance with SIAs: Where the internal audit is conducted in compliance
with the Standards of Internal Audit, (within the Framework governing Internal Audits), and the
internal auditor can substantiate the same with supporting evidence and documentation, the
internal audit report shall include a statement confirming that “the internal audit was conducted
in accordance with the Standards of Internal Audit issued by the Institute of Chartered
Accountants of India”.

3. Content and Format of Internal Audit Report: The manner in which the internal audit report
is drafted and presented is a matter of professional judgment and choice and could be influenced
by the preferences of the recipients. The SIA does not mandate any particular format or list of
contents since the Internal Auditor is expected to exercise his best professional judgement on
matters regarding how and what to report. Where some level of assurance is being provided,
the form and content of the report shall be as per SIA 380, “Issuing Assurance Reports”.

4. Documentation: To confirm compliance of audit procedures with this SIA, the list of documents
required is as follows:

(a) Copies of draft and final internal audit reports to be maintained,

appropriately cross referenced to specific observations.

(b) If appropriate, management action plans may be counter signed by

respective management personnel.

Follow-up
As per SIA 390 Monitoring and Reporting of Prior Audit Issues, the Chief Internal Auditor is
responsible for continuously monitoring the closure of prior audit issues through timely
implementation of action plans included in past audits. This shall be done with a formal
monitoring process, elements of which are pre-agreed with management and those charged with
governance. The responsibility to implement the action plans remains with the management.

In monitoring and reporting of prior audit issues, the responsibility of the Internal Auditor
isusually in the form of an “Action Taken Report (ATR) of previous audits”.

The term “Monitoring and Reporting” used in this Standard refers to the periodic tracking
of issues raised during prior audits and evaluation of the corrective actions undertaken by
the auditee to resolve them and to report any open and pending matters to the management

10 | P a g e BY CA Sanidhya Saraf
 CA FINAL AUDIT MAY 21 UPDATES

and those charged with governance (e.g. the Audit Committee).

3. AUDIT OF BANKS
3.1 Stress Testing

RBI has required that all commercial banks (excluding RRBs and LABs) shall put in place a
Board approved ‘Stress Testing framework’ to suit their individual requirements which would
integrate into their risk management systems. Stress tests are designed to understand whether
a bank has enough capital to survive plausible adverse economic conditions and to maintain
enough buffer to stay afloat under extreme scenarios.

3.2 BASEL III Framework

Basel III norms relate to the Capital Adequacy requirement compliance which the Bank
has to achieve as contained in the BASEL III accord. Basel capital adequacy norms are
meant for the protection of depositors and shareholders by prescriptive rules for measuring
capital adequacy, thereby evolving methods of determining regulatory capital and ensuring
efficient use of capital.

Basel III accord strengthens the regulation, supervision and risk management of the banking
sector. It is global regulatory standard on capital adequacy of banks, stress testing as well as market
liquidity risk.

The Basel III accord, aims at:

(a) improving the banking sector's ability to absorb shocks arising from financial and economic
stress, irrespective of reasons thereof;

(b) improving risk management and governance practices; and

(c) strengthening banks' transparency and disclosure standards.

4. Audit of LIC
Commission payable to Agent:

Insurance business is generally solicited by the Insurance agents. The remuneration of agent is paid
by way of commission which is calculated by applying percentage to premium collected by
him. Agency commission contributes towards significant portion of expenses incurred by the
Insurance Commission. Commission is payable towards generation of new business and towards
settlement of renewal premium.

11 | P a g e BY CA Sanidhya Saraf
 CA FINAL AUDIT MAY 21 UPDATES

Role of Auditor: (IMPORTANT) The Auditor during his review of Commission paid to
Agents should mainly consider the following:

➢ Review the system established by the Insurer with respect to calculation of commission to
eligible agents accurately and processing the same in timely manner.
➢ Review the commission payment system is in sync with the premium collection system.
➢ Check whether commission paid is within the limit prescribed under Insurance Act.
➢ Check whether commission is clawed-back on the cancelled policies.
➢ Check the completeness of commission processing system.

5. Audit Committee and Corporate Governance (IMPORTANT)

(i) Resignation of Statutory Auditors from Listed Entities and their Material
Subsidiaries:

Audit Committee of a listed entity, inter alia, has to make recommendations for the appointment,
remuneration and terms of appointment of auditors of a listed entity. Audit Committee is also
responsible for reviewing and monitoring the independence and performance of auditors and the
effectiveness of the audit process.

Clause A in Part A of Schedule Ill under Regulation 30(2) of SEBI LODR Regulations
requires detailed reasons to be disclosed by the listed entities to the stock exchanges in case of
resignation of the auditor of a listed entity as soon as possible but not later than twenty-four
hours of receipt of such reasons from the auditor.

Regulation 36(5) of the SEBI LODR Regulations lays down certain disclosures to be made part
of the notice to the shareholders for an AGM, where the statutory auditors are proposed to be
appointed/re-appointed, including their terms of appointment.

In light of the above, the conditions to be complied with upon resignation of the statutory
auditor of a listed entity/material subsidiary w.r.t. limited review / audit report as per SEBI
LODR Regulations, are as under:

A. All listed entities/material subsidiaries while appointing/re-

appointing an auditor shall ensure compliance with:

If the auditor resigns
within 45 days from
the end of a quarter of
a financial year, then
the auditor shall,
before such
resignation, issue the
limited review/ audit
report for such
quarter.
If the auditor resigns
after 45 days from the
end of a quarter of a
financial year, then the
auditor shall, before
such resignation, issue
the limited review/
audit report for such
quarter as well as the
next quarter.
if the auditor has signed the
limited review/ audit report
for the first three quarters of
a financial year, then the
auditor shall, before such
resignation, issue the limited
review/ audit report for the
last quarter of such financial
year as well as the audit
report for such financial year.

12 | P a g e BY CA Sanidhya Saraf
 CA FINAL AUDIT MAY 21 UPDATES

B. Other conditions relating to resignation shall include:

(i) Reporting of concerns with respect to the listed entity/its material subsidiary to the
Audit Committee:

a. In case of any concern with the management of the listed entity/material

subsidiary such as non-availability of information / non-cooperation by the
management which may hamper the audit process, the auditor shall approach
the Chairman of the Audit Committee of the listed entity and the Audit
Committee shall receive such concern directly and immediately without
specifically waiting for the quarterly Audit Committee meetings.

b. If auditor proposes to resign, all concerns with respect to the proposed

resignation, along with relevant documents shall be brought to the notice of
the Audit Committee.

If proposed resignation is due to non-receipt of information/explanation from the company, the

auditor shall inform the Audit Committee of the details of information/explanation sought and not
provided by the management, as applicable.

c. On receipt of such information from the auditor relating to the proposal to

resign as mentioned above, the Audit Committee/board of directors (In case an
entity is not mandated to have an Audit Committee, then the board of directors
of the entity shall ensure compliance), shall deliberate on the matter and
communicate its views to the management and the auditor.

(ii) Disclaimer in case of non-receipt of information in accordance with the Standards of

Auditing as specified by ICAI/ NFRA.

The listed entity/ material subsidiary shall ensure that the conditions mentioned above in (A) and
(B) above are included in the terms of appointment of the statutory auditor at the time of
appointing/re-appointing the auditor. In case the auditor has already been appointed, the terms of
appointment shall be suitably modified to give effect to (A) and (B) above.

The practicing company secretary shall certify compliance by a listed entity on the
above in the prescribed annual secretarial compliance report.

13 | P a g e BY CA Sanidhya Saraf
 CA FINAL AUDIT MAY 21 UPDATES

Format of information to be
obtained from the statutory auditor
upon resignation

C. Obligations of the listed entity

and its material subsidiary:
Co-operation by listed entity and its
material subsidiary

Disclosure of Audit Committee's views

to the Stock Exchanges

Above provisions will not apply if the auditor is disqualified due to Section 141 of
the Companies Act, 2013.

(ii) Verification regarding Composition of Board [Regulation 17 and 17A]

The auditor shall ensure that the Chairperson of the board of the top 500 listed entities is - (a) a non-
executive director; (b) not related to the Managing Director or the Chief Executive Officer as per the
definition of the term “relative” defined under the Companies Act, 2013.

(iii) OBLIGATIONS WITH RESPECT TO EMPLOYEES INCLUDING SENIOR

MANAGEMENT, KEY MANAGERIAL PERSONS, DIRECTORS AND
PROMOTERS [REGULATIONS 17(2) TO 17(4), 17A, 25(5), 25(6), 26(1),26 (2), 26(4)
TO 26(6)]

The Board shall meet at least four times a year, with a maximum time gap of one hundred and twenty
days between any two meetings. The quorum for every meeting of the board of directors of the top
2,000 listed entities shall be one-third of its total strength or three directors, whichever is higher,
including at least one independent director. The participation of the directors by video conferencing or
by other audio-visual means shall also be counted for the purposes of such quorum. The top 2,000
entities shall be determined on the basis of market capitalisation, as at the end of the immediate
previous financial year.

The independent directors of the listed entity shall hold at least one meeting in a year,
without the presence of non-independent directors and members of the management and all
the independent directors shall strive to be present at such meeting. [Note: students are
advised to refer Obligations with respect to independent directors given in discussed in
Chapter 2: The Securities Exchange Board of India Act, 1992, and SEBI (Listing
Obligations and Disclosure Requirement) Regulations, 2015 of CA. Final Paper 4
Corporate and Economic Law Module]

14 | P a g e BY CA Sanidhya Saraf
 CA FINAL AUDIT MAY 21 UPDATES

The minimum information to be placed before the Board of Directors is specified in Part
A of Schedule II.

(iv) Compliance of SA 250, “Consideration of Laws and Regulations in an Audit of

Financial Statements”

It is the management’s responsibility to ensure that company operations are conducted in accordance
with laws and regulations. The responsibility for the prevention and detection of non- compliance
rests with the management.

The auditor shall obtain sufficient appropriate audit evidence regarding compliance with the
provisions of those laws and regulations generally recognised to have a direct effect on the
determination of material amounts and disclosures in the financial statements.

The auditor shall inquire of the management and, where appropriate, those charged with
governance, as to whether the entity is in compliance with other laws and regulations that may
have an effect on the financial statements and inspect correspondence, if any, with the relevant
licensing or regulatory authorities.

(v) Disclosure of events or information [Regulation 30(1), (5) (8)]

Every listed entity shall make disclosures of any events or information which, in the
opinion of the board of directors of the listed company, is material.

Board of of directors of the listed entity shall authorize one or more Key Managerial
Personnel for the purpose of determining materiality of an event or information and for
the purpose of making disclosures to stock exchange(s) under this regulation and the
contact details of such personnel shall be also disclosed to the stock exchange(s) and as
well as on the listed entity's website.

Such disclosures shall be hosted on the website of the listed entity for a minimum period
of five years and thereafter as per the archival policy of the listed entity, as disclosed on
its website.

(v) INFORMATION TO SHAREHOLDERS [REGULATION 36]

The listed entity shall send the soft copy of the full annual report to the shareholders
who have registered their email address(es) or hard copies of the salient features of all
the documents, as prescribed in section 136 of the Companies Act, 2013 or rules made
thereunder (unless the full annual has been specifically requested) where the email
address has not been registered, not less than twenty-one days before the annual general
meeting.

15 | P a g e BY CA Sanidhya Saraf