ICSI Auditing Standards

Zappy’s First International Award

Zappy’s first International Accreditation from United Kingdom. Zappy has won the 2021 Business Excellence Awards for Best Corporate Management Consulting Company – Southern India from Acquisition International, United Kingdom.

In this edition, we will be seeing about the ICSI Auditing Standards. Considering the length of the Article, News Bites section will not be present in this edition.

CEO CS Saranya Deivasigamani,

CEO


ICSI Auditing Standards

The Institute of Company Secretaries of India (ICSI) has issued four Auditing Standards applicable on the Audit Engagements accepted by the Auditor on 28th September, 2020  which is now made mandatory w.e.f. 1st April, 2021.

The 4 standards are –

  • CSAS-1 Auditing Standard on Audit Engagement
  • CSAS-2 Auditing Standard on Audit Process and Documentation
  • CSAS-3 Auditing Standard on Forming of Opinion
  • CSAS-4 Auditing Standard on Secretarial Audit

Particulars

CSAS-1

CSAS-2

CSAS-3

CSAS-4

Scope

The Standard deals with the Auditor’s role and responsibilities with respect to an Audit Engagement and the process of entering into an understanding/agreement with the Appointing Authority for the purpose of audit.

The Standard deals with responsibilities and duties of the Auditor with respect to Audit Process in conducting audit and maintaining proper audit documents.

The Standard deals with basis and manner for forming Auditor’s opinion on subject matter of the audit.

The Standard deals with basis and manner for carrying out the Secretarial Audit.

Applicability

The Auditor undertaking Audit Engagement under any statute.

The Auditor undertaking Audit Engagement under any statute.

The Auditor undertaking Audit Engagement under any statute.

The Auditor undertaking Secretarial Audit under Section 204 of the Companies Act, 2013 and rules made thereunder.

Effective

Recommendatory for Audit Engagements accepted by the Auditor on or after 1st July, 2019 and mandatory on or after 1st April, 2021.

The Company Secretaries has to perform various Audits, Reports, Certifications and Engage in various activities in Companies as required under the statutes.

The ICSI Audit Standards (CSAS) 1 to 3 deals with the Audits that shall be conducted under any standards and CSAS 4 deals exclusively for the Secretarial Audit to be Conducted as per the Companies Act, 2013 under Section 204 of the Act and rules made thereunder.

CSAS 4 should adhere to the Auditing Standards on – (a) Audit Engagement (CSAS-1); (b) Audit Process and Documentation (CSAS-2); and (c) Forming of Opinion (CSAS-3).

CSAS-1

Audit Engagement Process

Appointment

The appointment of Auditor shall be made in the manner prescribed in the applicable laws, act, rules, regulations, standards and guidelines or in case no such manner has been prescribed, such appointment shall be made in the manner determined by the Appointing Authority.

The Auditor shall submit a Certificate to the Appointing Authority confirming eligibility for appointment as Auditor.

The Auditor shall obtain an Audit Engagement Letter along with a copy of the resolution, if any, passed by the CSAS-1 – Auditing Standard on Audit Engagement and the Appointing Authority and shall provide acceptance to the Appointing Authority.

Communication to the Predecessor or Previous Auditor

As per the standards, the Auditor shall communicate in writing to the Predecessor or Previous Auditor, if any, before accepting the Audit Engagement.

Limits on Audit Engagements 

Limits as prescribed in the statute will be applicable to the Auditor.

Conflict of Interest

The Auditor shall not have any substantial conflict of interest with the Auditee. Any conflict of interest, other than substantial conflict of interest, must be disclosed by the Auditor before accepting the Audit Engagement or as soon as the Auditor becomes aware of the same, as the case may be.

Confidentiality

The Auditor shall not disclose the information obtained during the course of Audit without proper and specific authority or unless there is a legal obligation or duty to disclose.

The Auditor shall not use or share with any person any information obtained except for the purposes of audit.

The Auditor shall take all reasonable steps to ensure that employees, staff and other team members of the Auditor and persons engaged by the Auditor to provide advice or assistance during the conduct of audit, shall also adhere to the Auditor’s duty of confidentiality.

Changes in terms of engagement

The Auditor shall not agree to a change in the terms of the Audit Engagement where there is no reasonable justification for doing so.

If before completion of the assignment, the Auditor is requested by the Appointing Authority to change the scope of engagement, resulting in a lower level of assurance, the Auditor shall consider the appropriateness of carrying out the same.

If the terms of the Audit Engagement are changed, the Auditor and the Appointing Authority shall agree on the new terms of the engagement by way of a supplementary/revised engagement letter or any other suitable form in writing.

CSAS –2

Audit Planning

The Auditor shall make audit plan to conduct audit as per the terms of Audit Engagement.

Audit planning means establishing and developing an overall audit process, including but not limited to:

  • Identification of broad audit areas;
  • Seeking previous audit findings and observations from the Management and the Predecessor or Previous Auditor, in case of change of Auditor;
  • Determination of subject matters and audit areas requiring special attention, when considered necessary;
  • Risk Assessment and Materiality;
  • Audit technique;
  • Allocation of audit resources for the audit; and
  • Preparation of audit schedule.

The audit shall be planned in a manner which ensures that qualitative audit is carried out in an efficient, effective and timely manner. Audit planning shall ensure that appropriate attention is accorded to crucial areas of audit and significant issues are identified in a timely manner.

The Auditor shall plan the audit with professional scepticism so that it is possible to exercise professional judgment in an objective manner.

The Auditor shall adhere to the audit plan. The audit plan may be modified, if circumstances so warrant.

Risk Assessment

Risk assessment of the Auditee with respect to and connected/relevant to the Audit Engagement shall be done considering industrial & business environment, organisational structure and compliance requirements.

The Auditor shall evaluate high risk areas and activities of the Auditee relating to: a. Internal control systems and processes of the Auditee for adherence to the constitutional documents, applicable laws, acts, rules, regulations and standards; b. Transparency, prudence and probity; and c. Changes or Attrition in the compliance team and frequency of such changes and attrition.

Information about the Auditee

The Auditor shall obtain sufficient information about the Auditee that is relevant for conduct of audit and forming an opinion and its expression.

Audit Check-lists

The Auditor shall use systematic and comprehensive audit check-lists for carrying out the audit and to verify the compliance requirements.

Collection and Verification of Audit Evidence

The Auditor shall verify compliance with applicable laws, act, rules, regulations and standards. Deviation, if any, shall be recorded and obtain complete, relevant and necessary evidence to support the opinion.

The process of gathering and evaluating evidence shall continue until the Auditor is satisfied that sufficient and appropriate evidence exists to provide a basis for formation of the Audit Opinion.

Third Party Confirmation

The Auditor shall obtain confirmations from third party(ies), wherever required, with respect to information which is related to such party(ies).

Analysis of Audit Evidence

The Auditor shall evaluate the Audit Evidence to arrive at the conclusion.

While evaluating evidence, if the Auditor finds that Audit Evidence is conflicting, the Auditor shall assess the extent and credibility of conflicting evidence in order to reach a conclusion or collect more evidence to resolve the conflict.

Documentation

The Auditor shall adequately document the Audit Evidence in working papers, including the basis and extent of planning, work performed and the findings of audit.

The Audit Documents shall contain sufficient information to enable an Auditor, having no previous connection with the audit, to ascertain from such documents, the significant findings and conclusions of the Auditor.

Audit Documents shall take place throughout the audit process. Working papers shall be complete and appropriately detailed to provide a clear trail of the audit. Audit Documentation shall be properly indexed, referenced with and supplemented by the set of working papers.

The Auditor shall also document discussions with the Management with respect to significant matters in respect of which written record is not available.

Record Keeping and Retention

The Auditor shall establish policies and procedures for retention of Audit Documents.

The Audit Documents shall be collated for records within a period of 45 days from the date of signing of Auditor’s Report.

The Audit Documents shall be maintained in physical or electronic form and retained for a period of 8 years from the date of signing of Auditor’s Report. 

CSAS-3

Process for forming of opinion

The Auditor shall consider Materiality while forming his opinion and adhere to: the principle of completeness, the principle of objectivity, the principle of timeliness and the principle of a contradictory process.

Judgment, Clarification and Conflicting Interpretation

The Auditor may consider various judgments, clarifications, opinion, conflicting interpretations while framing the opinion to the best of his professional acumen.

Precedence and Practices

The Auditor shall adhere to generally accepted precedence and practices in relation to forming of an opinion as may be available from historical perspective of any kind of audit.

Third Party Report or Opinion

The Auditor shall adhere to the following while forming an opinion based on Third Party reports or opinions:

  • The Auditor shall indicate the fact of use of Third Party report or opinion and shall also record the circumstances necessitating the use of third party report or opinion;
  • The Auditor shall indicate the fact if Third Party report or opinion is provided by the Auditee;
  • The Auditor shall consider the important findings/ observation of Third Party;
  • The Auditor shall, if necessary and feasible, carry out a supplemental test to check veracity of the Third Party report or opinion. 

Form of an Opinion

The opinion can be Unmodified Opinion or Modified Opinion. The Auditor shall express an unmodified opinion when based on Audit Evidence, the Auditor concludes that: a. there is due compliance with the applicable laws in terms of timelines and process; and b. the Records as relevant for the audit verified by him as a whole are free from Misstatement and maintained in accordance with the applicable laws.

The Auditor shall express modified opinion when the Auditor concludes that: (a) based on the Audit Evidence obtained, there is non-compliance with the applicable laws in terms of timelines or process; or (b) based on the Audit Evidence obtained, the Records as a whole are not free from Misstatement; or are not maintained in accordance with applicable laws; or (c) the Auditor is unable to obtain sufficient and appropriate Audit Evidence to conclude that there is due compliance with the applicable laws in terms of timelines and process; or (d) the Auditor is unable to obtain sufficient and appropriate Audit Evidence to conclude that the Records as a whole are free from Misstatement; or are maintained in accordance with applicable laws.

Whenever the Auditor expresses a modified opinion or disclaims an opinion, the text of the opinion shall be either in italics or bold letters.

Limitation

If, after accepting the Audit Engagement, the Appointing Authority imposes a limitation on the scope of the audit which, in the opinion of the Auditor, is likely to result in the need to express a modified opinion or to disclaim an opinion, the Auditor shall request the Appointing Authority to remove the limitation.

If the Appointing Authority refuses or fails to remove the limitation, the Auditor shall communicate the matter to the Management and determine on alternative procedures.

If the Auditor is unable to obtain sufficient and appropriate Audit Evidence, the Auditor shall determine the implications as follows: a. If the Auditor concludes that the possible effects of unavailable Audit Evidence could be non-material, the Auditor shall modify the opinion; or b. If the Auditor concludes that the possible effects of unavailable Audit Evidence could be material, the Auditor shall express disclaimer of opinion. 

Auditor’s Responsibility

The Auditor’s Report shall include a section with the heading “Auditor’s Responsibility”. Auditor’s Report shall state that the responsibility of the Auditor is to express opinion on the compliance with the applicable laws and maintenance of records based on audit.

Auditor’s Report shall state that due to the inherent limitations of an audit including internal, financial and operating controls, there is an unavoidable risk that some Misstatements or material non-compliances may not be detected, even though the audit is properly planned and performed in accordance with the Standards.

Format of Report

The report shall be addressed to the Appointing Authority unless otherwise specified in the Audit Engagement Letter or provided in the applicable law. The report shall be detailed enough to serve its intended purpose. Where specific formats are prescribed, those formats shall be followed for reporting. If any information cannot be appropriately placed within the paragraphs of the report, it shall be given in form of annexure(s).

Signature block shall mention the name of the audit firm along with the registration number, if any, the name of the Auditor, certificate of practice number, the membership number of the Auditor, specifying whether associate or fellow member, as applicable. The Auditor shall clearly mention date and place of signing the report, in case report is signed by two different persons on different dates or different places; same shall be mentioned in the report.

CSAS-4

Identification and segregation of applicable laws

The Auditor shall take note of the industry specific laws and other laws as may be applicable to the Auditee based on the identification/segregation by the Management and his own verification.

Verification of corporate conduct and compliance of laws

Identification of Events/Corporate Actions

The Auditor shall identify events/corporate actions that took place during the audit period. The identification shall be made by reviewing the website of the regulators, website of the Auditee, statutory records including books and papers, interaction with the Management and in any other appropriate manner.

Verification of Compliance

The Auditor shall verify all event and calendar based compliances from the Records of the Auditee, database or website of the regulators and other relevant sources.

Board Composition

The Auditor shall verify compliance of the Companies Act, 2013, SEBI (Listing Obligations and Disclosure Requirements) Regulations 2015, agreement with Lenders/Investors, Articles of Association and provisions of other Acts / rules/ regulations, guidelines and policies, board decisions, shareholders decisions, as may be applicable to the Auditee with regard to:

  • Overall composition of the Board including the minimum and maximum strength of the Board.
  • Optimum combination of the Board including proportion of executive, non-executive, independent, non-independent, retiring, non- retiring, woman and nominee director.
  • Eligibility criteria including disqualifications of directors.
  • The constitution and composition of Committees of the Board.

Board Processes

The Auditor shall verify that the decisions of the Board and its Committees are taken and recorded in compliance with applicable laws, rules, regulations, guidelines, standards and defined internal processes, if any.

System and Process

System and process broadly refers to the framework of legal and procedural compliances of the Auditee including but not limited to internal regulations, control, guidance and governance. The Auditor shall assess the efficacy and adequacy of the system and processes of the Auditee commensurate with its size and operation for verifying compliance of applicable laws, rules, regulations, standards, guidelines and defined internal processes, if any by:

Reviewing records maintained by the Auditee.

Understanding compliance responsibility centers, control points, matrix, flow of information, escalation of non-compliances to different levels, reporting of any noncompliance.

Assessing compliance mechanism and understanding its extent, coverage and severity mapping. The Auditor shall also assess compliance manual/standard operating procedures, if any, available with the Auditee.

Analysing instances of show cause notices received, prosecution initiated, fine or penalties levied, imprisonment ordered, qualification, adverse remark or observations in the statutory, internal or industry specific audit, orders passed by regulatory bodies or judicial/quasi-judicial authorities.

Detection of Fraud

The Auditor shall exercise professional judgment and maintain professional scepticism throughout the planning and performance of the audit to detect and report the fraud envisaged under the provisions of Section 143(12) of the Companies Act, 2013 read with Companies (Audit and Auditors) Rules, 2014.

During the course of the audit, if the Auditor suspects commission of any fraud, he shall endeavour to collect further evidence for the same. The suspicion may arise on perusal of internal control systems, complaint under whistle blower mechanism and reports of the other auditors, etc.

The Auditor shall ensure to collect sufficient evidence which substantiates his suspicion of the commission of the fraud against the Auditee by its employees and officers.

Reporting of Fraud

If the Auditor has sufficient reason to believe that there is commission of fraud and have justifiable grounds for the same, he shall report to Audit Committee/Board/Central Government as per the process laid down under the Companies Act, 2013 and include the same in Secretarial Audit Report.

The Auditor shall verify whether the Audit Committee/ Board has given any comments on the fraud reported by the auditors in their report in terms of the provisions of the Companies Act, 2013.

The Auditor shall verify if the fraud detected by other Auditor has been reported to the Audit Committee/Central Government and report the same in the Secretarial Audit Report.

Identification and Reporting of the events/actions having major bearing on Auditee’s affairs

It shall be the duty of the Auditor to identify and report in the Secretarial Audit Report all events/actions having major bearing on the Auditee’s affairs in pursuance of the applicable laws, act, rules, regulations, guidelines, standards, etc.

An event/action shall be considered as having major bearing on Auditee’s affairs if it affects its going concern or alters the charter or capital structure or management or business operation or control, etc.

List of Audits under various Statutes

Following is an illustrative list of Audits which may be undertaken by a Company Secretary under various Statutes:

Type of Audit

Act/ Regulation

Section/ Regulation

Auditee

Secretarial Audit

Companies Act, 2013

204

Company

Secretarial Audit

SEBI (LODR) Regulations 2015

24A

Listed Entities

Internal Audit

Companies Act, 2013

138

Company

Audit of Depository Participants

SEBI (Depositories and Participants) Regulations 2018 read with SEBI circular no. SEBI/ HO/MRD/ DOP2-DSA2/ CIR/P/2019/22 dated January 23, 2019

76

Sole Proprietorship, Partnership Firm, LLP, Company

Internal Audit of Stock Brokers

SEBI (Stock and subbroker) Regulations 1993

SEBI circular no. MIRSD/ DPSIII/ Cir-26/ 08

Sole Proprietorship, HUF, Partnership Firm, LLP, Company

Internal Audit of Investment Advisors

SEBI (Investment Advisors) Regulations 2013

19(3)

Sole Proprietorship, Partnership Firm, LLP, Company

Internal Audit of Portfolio Managers

SEBI (Portfolio Managers) Regulations 1993

SEBI circular no. IMD/PMS/ CIR/1/21727/ 03 dated November 18, 2003

Body Corporate

Internal Audit of Credit Rating Agencies

SEBI (Credit Rating Agencies) Regulations 1999

SEBI circular no.MRD/ CRA/ CIR01/2010 dated January 06, 2010

Public FI, Banks (Domestic and Foreign operating in India), Foreign Credit Rating Agency, Company, Body Corporate

Internal Audit of Research Analysts

SEBI (Research Analysts) Regulation 2014

25(3)

Sole Proprietorship, Partnership Firm, LLP, Company.


Legal Terms

Noscitur A Sociis

Latin—“it is known from its associates.” A word whose meaning is uncertain, questionable or doubtful can be understood and defined by its association with surrounding words and its context.