Statutory Audit Workflow: Complete Start-to-Finish Guide for Indian CA Firms [2026]

Published: March 24, 2026
Category: Audit Procedures
Read Time: 22 minutes
Author: CORAA Team

---

Introduction

The statutory audit is the cornerstone of the Indian chartered accountancy profession. Every CA firm, from sole proprietors handling 20 audits to mid-size firms managing 200, follows essentially the same workflow: accept the engagement, plan the audit, perform fieldwork, complete the audit, issue the report, and assemble the documentation.

Yet the quality of execution varies enormously. NFRA inspection findings consistently highlight the same deficiencies: inadequate risk assessment, insufficient documentation of planning decisions, incomplete substantive procedures, and poor quality of audit evidence. These are not failures of intent. They are failures of process, of workflow discipline and of systematic execution.

This guide documents the complete statutory audit workflow from start to finish, with specific references to the Standards on Auditing (SA), CARO 2020 requirements, and practical guidance on how technology transforms each phase. It is designed as both a reference document for experienced practitioners and a training resource for audit teams.

Table of Contents

1. Phase 1: Engagement Acceptance
2. Phase 2: Audit Planning
3. Phase 3: Fieldwork and Substantive Procedures
4. Phase 4: Audit Completion
5. Phase 5: Reporting
6. Phase 6: Documentation and File Assembly
7. Engagement Timeline and Staffing
8. Technology and Transformation

---

Phase 1: Engagement Acceptance {#phase-1-engagement-acceptance}

Every statutory audit begins with a decision: should the firm accept this engagement? This decision is governed by SA 220 (Quality Management for an Audit of Financial Statements), the firm's quality management policies under SQM 1, and the ICAI's ethical requirements.

Client Risk Assessment

Before accepting any new engagement or continuing an existing one, assess the client risk profile. Consider the following factors:

Integrity of Management: Is there reason to doubt the integrity of the entity's management or those charged with governance? Red flags include prior instances of fraud, litigation with previous auditors, pressure to issue unmodified opinions despite issues, and reluctance to provide information.

Competence of the Firm: Does the firm have the competence, capability, and resources to perform the audit? This includes industry-specific knowledge (for example, auditing a bank requires specialized expertise), staff availability during the engagement period, and access to specialists if needed.

Compliance with Ethical Requirements: Can the firm comply with independence requirements? Check for financial interests in the entity, business relationships, personal relationships with management, and provision of non-audit services that could impair independence. For company audits under the Companies Act 2013, Section 141 disqualifications must be checked.

Predecessor Auditor Communication: For new engagements, communicate with the predecessor auditor as required by SA 210 and the ICAI's Code of Ethics. Ascertain whether there are professional reasons that the predecessor would want to bring to your attention.

Document the risk assessment in a client acceptance or continuance form. This documentation is a SQM 1 requirement and is reviewed during peer reviews and NFRA inspections.

Engagement Letter

Issue an engagement letter that complies with SA 210 (Agreeing the Terms of Audit Engagements). The letter must include:

• The objective and scope of the audit
• The responsibilities of the auditor (forming an opinion on the financial statements)
• The responsibilities of management (preparation of financial statements, maintaining internal controls, providing access to information)
• Identification of the applicable financial reporting framework (Ind AS, Indian GAAP, or Schedule III of the Companies Act as applicable)
• Reference to the expected form and content of the audit report
• A statement that an audit conducted in accordance with SAs does not guarantee detection of all material misstatements due to fraud

For recurring audits, assess whether the engagement letter needs to be updated based on changed circumstances (new standards, changes in entity structure, changes in scope).

Independence Check

Perform a formal independence assessment covering all partners and staff assigned to the engagement. For company audits, verify compliance with Section 141 and 144 of the Companies Act 2013, which prescribe specific disqualifications and prohibited services.

Document the independence assessment. This is not a formality. NFRA has issued findings against firms for inadequate independence documentation.

Phase 2: Audit Planning {#phase-2-audit-planning}

Audit planning is where the quality of the entire engagement is determined. A well-planned audit is efficient, thorough, and defensible. A poorly planned audit leads to scope gaps, missed risks, and rework.

Understanding the Entity and Its Environment (SA 315)

SA 315 (Identifying and Assessing the Risks of Material Misstatement) requires the auditor to obtain an understanding of:

The Entity: Nature of the entity (manufacturing, trading, services), ownership structure, governance structure, business model, revenue streams, key customers and suppliers, and significant contracts.

The Industry: Industry-specific risks and regulatory requirements. For example, a pharmaceutical company faces regulatory risk from drug pricing controls, while a real estate company faces revenue recognition complexity under percentage-of-completion.

The Applicable Financial Reporting Framework: Whether the entity reports under Ind AS, Indian GAAP, or both. This affects revenue recognition, financial instrument measurement, lease accounting, and numerous other areas.

Internal Controls: Understand the entity's internal control environment including the control activities relevant to the audit. For smaller entities, this may be brief. For larger entities, it involves documenting information systems, authorization procedures, segregation of duties, and monitoring activities.

Prior Year Matters: Review prior year audit files for significant findings, control weaknesses, areas requiring special attention, and management letter points that remain unresolved.

Materiality Determination (SA 320)

SA 320 (Materiality in Planning and Performing an Audit) requires the auditor to determine materiality at two levels:

Overall Materiality: The amount below which misstatements, individually or in aggregate, would not influence the economic decisions of users. Common benchmarks for Indian statutory audits include 1% to 2% of total revenue for manufacturing or trading companies, 5% to 10% of profit before tax for profitable entities, 1% to 2% of total assets for balance sheet focused entities, and 0.5% to 1% of total expenses for not-for-profit entities.

Performance Materiality: Set below overall materiality to reduce the probability that aggregate uncorrected and undetected misstatements exceed overall materiality. Typically 50% to 75% of overall materiality, depending on the assessed risk. Higher-risk engagements warrant a lower performance materiality.

Clearly Trivial Threshold: Below which misstatements are clearly trivial and need not be accumulated. Typically 3% to 5% of overall materiality.

Document the materiality determination, including the benchmark selected, the rationale for the benchmark, and any qualitative factors considered.

Risk Assessment

Based on the understanding of the entity and the materiality determination, assess the risks of material misstatement at two levels:

Financial Statement Level: Risks that relate pervasively to the financial statements as a whole. Examples include management override of controls, going concern doubts, entity-wide fraud risk, and pervasive internal control weaknesses.

Assertion Level: Risks relating to specific classes of transactions, account balances, and disclosures. For each material financial statement area, assess the risk of misstatement for each relevant assertion (existence, completeness, accuracy, valuation, rights and obligations, classification, presentation).

SA 240 (The Auditor's Responsibilities Relating to Fraud) requires that the risk of material misstatement due to fraud in revenue recognition be treated as a significant risk unless the auditor has evidence to the contrary. This presumption applies to every statutory audit.

Audit Strategy Memo

Prepare an audit strategy memo that documents:

• Overall audit strategy (timing of procedures, direction of effort, resource allocation)
• Key areas of audit focus and why
• Materiality levels
• Risk assessment summary
• Planned responses to assessed risks (nature, timing, and extent of further audit procedures)
• Team composition and responsibilities
• Planned use of the work of others (internal auditors, experts)
• Engagement timeline

This memo is the roadmap for the entire engagement. It should be reviewed and approved by the engagement partner before fieldwork begins.

Phase 3: Fieldwork and Substantive Procedures {#phase-3-fieldwork}

Fieldwork is where audit evidence is gathered. The nature, timing, and extent of procedures depend on the risk assessment performed during planning.

Revenue Testing

Revenue is a significant risk area in virtually every statutory audit per SA 240. Substantive procedures include:

Analytical Procedures: Compare current year revenue with prior year on a monthly basis. Investigate unusual fluctuations. Compute the gross profit ratio and compare with prior year and industry benchmarks. Analyze revenue by product, customer, or geography to identify unusual patterns.

Testing of Details:

• Select a sample of sales transactions and vouch to supporting documents (sales orders, delivery challans, invoices, acknowledgments)
• Verify cutoff by testing transactions near the year-end for proper period recording
• Test credit notes for authorization, validity, and proper period recording
• For significant contracts, verify revenue recognition against the applicable standard (Ind AS 115 for Ind AS entities, AS 9 for IGAAP entities)
• Verify sales returns and assess whether the provision for returns is adequate

Confirmations: For significant receivable balances, obtain direct confirmation from customers (positive confirmation for large balances, negative confirmation for smaller balances as appropriate).

Purchases and Payables Testing

Analytical Procedures: Compare purchase patterns with revenue trends. An increase in purchases without corresponding revenue growth warrants investigation. Analyze creditor ageing for unusual patterns.

Testing of Details:

• Select a sample of purchase transactions and vouch to supporting documents (purchase orders, goods received notes, supplier invoices, payment vouchers)
• Perform three-way matching (PO, GRN, invoice) for a sample of purchases
• Test for unrecorded liabilities by examining post year-end payments and matching to year-end creditors
• Verify cutoff by testing purchases near the year-end
• Check for duplicate invoice payments (same supplier, same amount, same period)

Cash and Bank Testing

Bank Reconciliation: Obtain bank reconciliation statements as at the balance sheet date for all bank accounts. Verify reconciling items by tracing to subsequent clearance. Obtain bank confirmations for all accounts including nil-balance accounts and accounts closed during the year.

Cash Verification: For entities with significant cash balances, verify the cash balance as at the year-end through a surprise cash count or through management's representation supported by a cash certificate.

Testing of Details:

• Vouch large and unusual bank transactions to supporting documents
• Verify bank charges and interest for reasonableness
• Check for window dressing (large receipts before year-end that are returned soon after)
• Verify fixed deposit balances with bank confirmations and interest income calculations

Fixed Asset Testing

Verification of Additions: Vouch capital expenditure additions to supporting documents (invoices, contracts, board resolutions for significant purchases). Verify that amounts capitalized meet the recognition criteria under the applicable standard.

Verification of Disposals: Vouch disposals to sale deeds, board resolutions, and receipt vouchers. Verify the profit or loss on disposal is correctly computed.

Depreciation Testing: Verify depreciation rates against the Companies Act (Schedule II) or the entity's accounting policy. Recompute depreciation for selected assets. Verify the depreciation method is applied consistently.

Physical Verification: Review the entity's fixed asset physical verification report. For a sample of assets, verify physical existence against the fixed asset register.

Inventory Testing

Physical Observation: Attend the entity's physical inventory count, either at the year-end or at an interim date. Perform test counts. Observe count procedures for compliance with proper inventory management practices.

Valuation Testing: Test inventory valuation for a sample of items. Verify that inventory is valued at the lower of cost and net realizable value. Check costing methodology (FIFO, weighted average) for consistency with the stated policy.

Cutoff Testing: Verify that goods received and dispatched near the year-end are recorded in the correct period. Cross-check the last goods received notes and the last dispatch documents with inventory and sales or purchase records.

Provisions and Estimates Testing

Employee Benefits: For entities with significant employee benefit obligations (gratuity, leave encashment, provident fund), verify the actuarial valuation report, check the assumptions used (discount rate, salary escalation rate, attrition rate), and verify the computation.

Provision for Bad Debts: Review the entity's policy for providing against doubtful debts. Test the computation by verifying the ageing analysis and assessing the reasonableness of the provision.

Contingent Liabilities: Obtain a list of pending litigation and claims from management. Obtain legal opinions where necessary. Assess whether provisions or disclosures are required under AS 29 or Ind AS 37.

Related Party Transactions (SA 550)

SA 550 (Related Parties) requires the auditor to obtain sufficient appropriate audit evidence about related party relationships and transactions.

• Obtain the list of related parties from management
• Verify the list against MCA records, annual returns, and share registers
• Identify related party transactions by reviewing ledger accounts and board minutes
• Verify that related party transactions are at arm's length where required
• Verify disclosures are complete and in accordance with AS 18 or Ind AS 24

Analytical Procedures (SA 520)

SA 520 (Analytical Procedures) requires analytical procedures as substantive procedures when the auditor determines they would be effective. These include:

• Ratio analysis comparing current year with prior year and industry benchmarks
• Trend analysis over three to five years
• Reasonableness tests (for example, computing expected interest income from average deposits and interest rate, and comparing with actual)
• Disaggregated analysis (monthly, product-wise, location-wise)

Document the expectation, the threshold for investigation, the actual result, and the conclusion for each analytical procedure. This documentation is frequently found insufficient in NFRA inspections.

Phase 4: Audit Completion {#phase-4-completion}

The completion phase bridges fieldwork and reporting. Several critical procedures must be performed before the opinion can be formed.

Subsequent Events (SA 560)

SA 560 (Subsequent Events) requires the auditor to perform procedures designed to obtain sufficient appropriate audit evidence that all events occurring between the date of the financial statements and the date of the auditor's report that require adjustment or disclosure have been identified.

Procedures include:

• Reviewing minutes of meetings of the board and shareholders held after the year-end
• Reading the entity's latest interim financial statements
• Inquiring of management about subsequent events
• Reviewing correspondence with legal counsel
• Checking for events such as significant bad debts, litigation developments, inventory write-downs, or business disruptions after the year-end

Going Concern (SA 570)

SA 570 (Going Concern) requires the auditor to evaluate management's assessment of the entity's ability to continue as a going concern.

Consider whether events or conditions exist that cast significant doubt on the going concern assumption:

• Net liability or net current liability position
• Inability to pay debts as they fall due
• Denial or withdrawal of credit by suppliers
• Operating losses, negative operating cash flows
• Breach of loan covenants
• Loss of a major market, customer, or supplier
• Legal or regulatory proceedings that could threaten the entity's existence

If significant doubt exists, evaluate management's plans to address the situation and assess whether adequate disclosures are made. If the going concern basis is inappropriate, issue an adverse opinion.

Management Representations (SA 580)

SA 580 (Written Representations) requires the auditor to obtain written representations from management acknowledging their responsibility for the financial statements, the completeness of information provided, and specific representations on matters significant to the audit.

The representation letter must be signed by the CEO and CFO (or equivalent) and dated as of the date of the auditor's report. It should cover:

• Responsibility for fair presentation of financial statements
• Completeness of information provided
• All transactions have been recorded
• Related party transactions and relationships have been disclosed
• There are no violations of laws or regulations
• Events subsequent to the balance sheet date have been properly accounted for
• No frauds involving management or employees have occurred

Accumulated Misstatements

Before forming the opinion, accumulate all identified misstatements (both corrected and uncorrected). For uncorrected misstatements, assess whether they are material individually or in aggregate. Communicate uncorrected misstatements to those charged with governance and request that they be corrected.

SA 450 (Evaluation of Misstatements Identified during the Audit) requires this evaluation before the opinion is formed. If management refuses to correct material misstatements, consider the impact on the audit opinion.

Partner Review

The engagement partner must review the audit documentation and the financial statements before the report is signed. For audits subject to engagement quality control review (EQCR) under SQM 1, the EQCR must be completed before the report is dated.

The partner review covers:

• Significant judgments made during the engagement
• Conclusions reached, especially in areas of significant risk
• Appropriateness of the overall audit strategy and audit plan
• Evaluation of the firm's independence
• Appropriateness of the proposed audit report

Phase 5: Reporting {#phase-5-reporting}

Forming the Audit Opinion (SA 700)

SA 700 (Forming an Opinion and Reporting on Financial Statements) requires the auditor to form an opinion on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.

Unmodified Opinion: Issued when the financial statements give a true and fair view in accordance with the applicable framework and there are no material misstatements.

Modifications to the Opinion (SA 705)

SA 705 (Modifications to the Opinion in the Independent Auditor's Report) prescribes three types of modified opinions:

Qualified Opinion: When the auditor concludes that misstatements are material but not pervasive to the financial statements, or the auditor is unable to obtain sufficient appropriate audit evidence and the possible effects are material but not pervasive.

Adverse Opinion: When the auditor concludes that misstatements are both material and pervasive to the financial statements.

Disclaimer of Opinion: When the auditor is unable to obtain sufficient appropriate audit evidence and the possible effects are both material and pervasive.

Emphasis of Matter and Other Matter Paragraphs (SA 706)

SA 706 prescribes the use of Emphasis of Matter paragraphs to draw attention to matters appropriately presented in the financial statements that are fundamental to users' understanding, and Other Matter paragraphs for matters not presented in the financial statements that are relevant to users' understanding of the audit.

Common situations requiring Emphasis of Matter include significant uncertainty regarding going concern, changes in accounting policies, and significant subsequent events.

CARO 2020 Reporting

For company audits covered under the Companies (Auditor's Report) Order 2020, the auditor must report on 21 clauses covering:

• Fixed assets: maintenance of proper records, physical verification, title deeds, revaluation, and benami property
• Inventory: physical verification and discrepancies, working capital loans secured by inventory
• Loans: loans to related parties, terms prejudicial to company interest
• Compliance with Sections 185 and 186 of the Companies Act (loans, investments, guarantees)
• Deposits: compliance with directives
• Cost records: maintenance where required
• Statutory dues: regularity of deposit, disputed amounts
• Unrecorded income surrendered during tax assessments
• Defaults in repayment of loans
• Application of funds raised through public offer or preferential allotment
• Fraud reporting
• Nidhi company compliance
• Related party transaction compliance with Section 177 and 188
• Internal audit system adequacy
• Non-cash transactions with directors
• Registration under Section 45-IA of RBI Act
• Cash losses: current year and preceding year
• Resignation of statutory auditors
• Going concern: ability to meet financial obligations within one year
• CSR spending: transfer of unspent amounts
• Qualifications or adverse remarks in subsidiary company CARO reports

Each clause requires specific audit procedures. Document the procedures performed and the basis for the reporting statement on each clause.

Report Signing and Dating

The audit report is signed by the engagement partner (for firms) or the proprietor (for sole practitioners). The report date is the date on which the auditor has obtained sufficient appropriate audit evidence on which to base the opinion.

The report cannot be dated earlier than the date on which the financial statements are approved by the board of directors. For company audits, obtain a copy of the board resolution approving the financial statements before dating the report.

Phase 6: Documentation and File Assembly {#phase-6-documentation}

SA 230 Requirements

SA 230 (Audit Documentation) requires the auditor to prepare documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand the nature, timing, and extent of audit procedures performed, the results of those procedures, the audit evidence obtained, and significant matters arising during the audit and the conclusions reached.

Documentation Standards

Every working paper must include:

• The name of the entity and the financial year
• The subject of the working paper
• The date the procedure was performed
• The name or initials of the team member who performed the work
• The name or initials of the reviewer
• The source of information examined
• The audit procedure performed
• The results and conclusion

File Assembly

Assemble the audit file within 60 days of the date of the auditor's report (SA 230 requirement). After the assembly date, the auditor must not delete or discard audit documentation. Any additions after the assembly date must document the specific reasons and be dated and initialed.

The audit file should be organized into:

Permanent File:

• Entity background, incorporation documents, material contracts
• Accounting policies summary
• Organization structure and key personnel
• Prior year significant matters carried forward

Current Year File:

• Engagement letter and acceptance documentation
• Planning documentation (strategy memo, materiality, risk assessment)
• Working papers organized by financial statement area
• Analytical procedures
• Completion section (subsequent events, going concern, management representations)
• Summary of uncorrected misstatements
• Audit report (signed copy)
• Communication with those charged with governance

Retention Period

Audit documentation must be retained for a minimum of eight years from the date of the auditor's report. For entities regulated by specific authorities (SEBI, RBI, IRDA), longer retention periods may apply.

Ensure physical security for paper files and data security for electronic files. Access must be restricted to authorized personnel.

Engagement Timeline and Staffing {#timeline-staffing}

Typical Timeline for a Standard Statutory Audit

A statutory audit of a medium-sized company (turnover Rs 50 to 200 crore) typically follows this timeline:

Week 1: Planning (5-7 working days)

• Client data request and receipt
• Understanding the entity and environment updates
• Risk assessment update
• Materiality determination
• Audit strategy memo preparation
• Team briefing

Week 2-3: Fieldwork (10-12 working days)

• Data extraction and organization (or automated processing)
• Substantive testing across all financial statement areas
• Obtaining third-party confirmations
• Attending physical inventory count (if at year-end)
• Completing analytical procedures

Week 4: Completion (5-7 working days)

• Subsequent events review
• Going concern assessment
• Management representation letter
• Accumulated misstatement evaluation
• Draft audit report preparation
• Partner review
• EQCR (if applicable)
• Discussion with management on findings

Post-Fieldwork: Finalization (5-10 working days)

• Final version of financial statements from client
• CARO reporting finalization
• Report signing
• Filing with MCA (for companies)

Total: 4-6 weeks for a standard engagement

Staffing Allocation

Engagement Partner: Overall responsibility, risk assessment review, opinion formation, report signing. Typically involved 15 to 20% of total engagement hours.

Engagement Manager or Senior: Day-to-day supervision, review of working papers, coordination with client, completion procedures. Typically 25 to 30% of total engagement hours.

Audit Staff (Articles or Assistants): Execution of substantive procedures, data extraction, working paper preparation. Typically 50 to 60% of total engagement hours.

Specialists (if needed): Actuarial valuations, IT audit, tax specialists. Time varies by engagement.

Technology and Transformation {#technology-transformation}

Technology transforms every phase of the statutory audit workflow. Here is how:

Planning Phase

Automated risk assessment tools can analyze financial data patterns, industry trends, and entity-specific risk indicators to produce a preliminary risk assessment. While professional judgment remains essential, technology provides the data foundation for informed judgment.

Fieldwork Phase

This is where technology has the most dramatic impact. Traditional fieldwork involves manual data extraction, sample-based testing, and Excel-based working papers. Automated audit tools transform this through:

Full Population Testing: Instead of testing a sample of 60 transactions from a population of 10,000, AI agents test all 10,000 transactions. This eliminates sampling risk entirely and provides a level of assurance that sampling simply cannot match.

Automated Ledger Scrutiny: Every entry in every ledger is examined for anomalies, misclassifications, missing narrations, and unusual patterns.

Automated Reconciliation: Bank reconciliation, inter-company reconciliation, and GST reconciliation are performed automatically with complete matching and exception reporting.

Automated Analytical Procedures: Ratio analysis, trend analysis, and predictive analytics are computed automatically from the engagement data.

Completion Phase

Technology assists in aggregating findings, computing accumulated misstatements, and generating draft reports. However, the professional judgment required in this phase, evaluating going concern, assessing subsequent events, forming the opinion, remains firmly in the auditor's domain.

Documentation Phase

Electronic audit files with built-in cross-referencing, version control, and access logging address many of the SA 230 documentation requirements more effectively than paper files. The 60-day assembly deadline is easier to meet when working papers are generated and organized digitally throughout the engagement.

The Transformation in Practice

Firms that adopt technology-enabled audit workflows report consistent improvements:

• Engagement completion time reduced by 40 to 60%
• Audit coverage increased from sample-based to full population
• Documentation quality improved through standardized, automated working papers
• Staff productivity increased as routine data processing is automated
• Partner review time reduced because working papers are consistently formatted and cross-referenced

The statutory audit workflow itself does not change. The standards are the same. The procedures are the same. The professional judgment requirements are the same. What changes is the efficiency and thoroughness with which each step is executed.

Conclusion

The statutory audit workflow, from engagement acceptance through documentation, is a well-defined process governed by comprehensive standards. The challenge for CA firms is not knowing what to do but executing it consistently and thoroughly across every engagement.

This guide provides the framework. The SA 230 documentation guide covers documentation in detail. The CARO 2020 clause-by-clause guide addresses reporting requirements comprehensively. The SQM 1 and EQCM guide covers the quality management framework within which every audit must be conducted.

Together, these resources equip your firm to execute statutory audits that meet the highest standards of quality, efficiency, and professional responsibility.

---

Related Resources:

• SA 230 Audit Documentation Complete Guide
• CARO 2020 Complete Clause-by-Clause Guide
• SQM 1 and EQCM Complete Guide
• Audit Time Estimator