Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group. Meet the team →
A CA firm running 30 to 80 statutory audits in a financial year must execute each engagement under the full SA 200 to SA 720 standards architecture, produce a defensible working paper file for every audit, retain those files for 7 years under SQC 1, and stand ready for ICAI peer review every 3 to 5 years — and any thin file, missing risk assessment, or undated workpaper exposes the partner to disciplinary risk.
Standardise a 12 to 18 template working paper file mapped to each SA, anchor planning in a documented risk assessment (SA 315) with materiality (SA 320), execute substantive testing through sampling memos (SA 530) and lead schedules, capture audit evidence under SA 500, archive every workpaper dated and cross-referenced for 7-year retention under SQC 1, and run an internal mock peer review every 36 months to identify and close gaps before the ICAI review.
Engagement file template library covering all 12 to 18 workpaper types, materiality formula (typically 0.5 to 1 percent of revenue or 5 to 10 percent of profit before tax), sampling rubric (monetary unit or attribute sampling per SA 530), audit programme keyed to financial statement assertions, partner review checklist with sign-off points, and a controlled electronic archive with 7-year retention plus version history.
A complete, defensible statutory audit file per engagement — engagement letter through signed audit opinion — with full SA 200 to SA 720 evidence trail, partner sign-off at every gate, 7-year SQC 1 archival in place, and the firm passing ICAI peer review without observations on documentation or evidence quality.
Statutory audit execution in a CA firm is the disciplined application of the ICAI Standards on Auditing to a client’s financial statements, producing a documented, evidence-backed opinion. A firm running 30 to 80 statutory audits a year cannot improvise — every engagement file looks the same because the SA architecture is the same. This guide walks through the standards from SA 200 to SA 720, the audit programme structure, the working paper templates the firm maintains, the 7-year retention regime under SQC 1, and how to ready a file for ICAI peer review.
Quick Reference: SA 200 to SA 720 Standards Architecture
| Standard | Purpose | Working paper artifact |
|---|---|---|
| SA 200 | Overall objectives of the independent auditor | Engagement file index and auditor’s overall objectives memo |
| SA 230 | Audit documentation requirements | Workpaper indexing, cross-referencing, and dating discipline |
| SA 240 | Auditor’s responsibility for fraud | Fraud risk assessment memo and journal entry testing workpaper |
| SA 315 | Identifying and assessing risks of material misstatement | Risk assessment matrix by assertion and account balance |
| SA 330 | Auditor’s responses to assessed risks | Audit programme linking risks to substantive procedures |
| SA 500 | Audit evidence | Evidence file with source documents, confirmations, and reconciliations |
| SA 700 | Forming an opinion and reporting on financial statements | Opinion drafting workpaper and signed audit report |
| SA 720 | Auditor’s responsibilities relating to other information | Other information review memo for the annual report |
How Is the SA 200-720 Standards Architecture Applied?
Every statutory audit file is built around the SA architecture. SA 200 sits at the top — it defines the overall objective of the auditor as obtaining reasonable assurance that the financial statements as a whole are free from material misstatement. SA 210 follows immediately with the engagement letter, signed before any work starts. SA 230 then governs how every subsequent workpaper is prepared, dated, indexed, and cross-referenced.
The risk-based audit method is anchored in SA 315 and SA 330. SA 315 requires the auditor to identify and assess risks of material misstatement at both the financial statement level and the assertion level. SA 330 then requires the auditor to design responses — substantive procedures and tests of controls — that address each assessed risk. Materiality under SA 320 calibrates the risk threshold. Sampling under SA 530 determines how many transactions are tested.
SA 500 underpins everything in the substantive testing phase. The auditor must obtain sufficient appropriate audit evidence — and the workpaper file must show what evidence was obtained, from whom, and why it is appropriate. SA 700 then governs the opinion. SA 720 addresses the other information published alongside the audited financial statements, such as the directors’ report and management discussion and analysis.
What Is the Audit Programme Structure?
The audit programme is the document that translates SA 330 responses into a tested checklist of procedures. A typical CA firm structures the programme by financial statement assertion (existence, completeness, valuation, rights and obligations, presentation) and by account balance or transaction class.
For a ₹120 Cr revenue private limited company audited under the Companies Act, the audit programme typically covers: revenue recognition (Ind AS 115 testing with cut-off and accrual analysis), trade receivables (confirmation circularisation under SA 505), inventory (physical observation and valuation under SA 501), fixed assets and CWIP (register reconciliation and existence verification), trade payables (vendor confirmation and unrecorded liability search), TDS and GST (statutory dues reconciliation with the TDS reconciliation software output and GSTR-3B vs GSTR-1 vs books match), related party transactions (Section 188 disclosure verification), and going concern assessment.
Each programme line item lists the procedure, the assertion it addresses, the sample size, the workpaper reference, the preparer, and the reviewer. The programme is signed off at the planning stage by the engagement partner and updated as substantive work progresses.
What Working Paper Templates Does a Firm Maintain?
A statutory audit working paper file contains 12 to 18 standardised templates that every engagement reuses. The structure makes peer review and internal quality review predictable.
| Workpaper template | Purpose | SA reference |
|---|---|---|
| Engagement acceptance and independence checklist | Document independence threats and safeguards | SA 210, Code of Ethics |
| Audit planning memorandum | Capture engagement scope, team, timing, key risks | SA 300 |
| Materiality computation | Overall materiality, performance materiality, clearly trivial threshold | SA 320 |
| Risk assessment matrix | Risks at assertion level with assessed inherent and control risk | SA 315 |
| Audit programme | Procedures by assertion linked to assessed risks | SA 330 |
| Sampling memorandum | Population, sample size, selection method, conclusions | SA 530 |
| Lead schedules | Grouping schedule per financial statement head with prior-year comparison | SA 230 |
| Substantive testing worksheets | Vouching, ledger scrutiny, reconciliations, confirmations | SA 500 |
| Statutory dues reconciliation | TDS, GST, PF, ESI ledger to challan reconciliation | SA 250, SA 500 |
| Management representation letter | Written representations on key matters | SA 580 |
| Communication with TCWG | Written communication of audit matters under SA 260 and deficiencies under SA 265 | SA 260, SA 265 |
| Going concern memorandum | Assessment of going concern assumption | SA 570 |
| Subsequent events review | Events after the reporting date | SA 560 |
| Partner review checklist | Engagement partner sign-off gates | SA 220 |
| Audit opinion drafting workpaper | Opinion type, key audit matters, emphasis of matter | SA 700, SA 701 |
Each workpaper is dated, initialled by the preparer, and reviewed by the manager and partner. Cross-references between workpapers (lead schedule to supporting substantive worksheet, sampling memo to tested transactions) are essential — a thin or uncross-referenced file is the most common ICAI peer review observation.
Worked Example: Partner-Supervised Audit of a ₹120 Cr Revenue Private Limited
Consider a Bangalore-based engineering services company with revenue of ₹120 Cr, 850 employees, 4 GSTINs across 3 states, 12 active bank accounts, and a Tally ERP9 + a payroll subsidiary system. The statutory audit for FY 2025-26 is staffed by 1 partner, 1 manager, 2 article assistants, and 1 senior associate. Total engagement hours budgeted: 320 hours. Partner involvement: 28 hours. Manager involvement: 70 hours. Field team: 222 hours.
Materiality is set at 0.75 percent of revenue, giving an overall materiality of ₹90 lakh. Performance materiality is set at 65 percent of overall materiality at ₹58.5 lakh. The clearly trivial threshold is ₹4.5 lakh.
Sampling sizes — revenue testing covers 60 invoices from a population of approximately 4,200 (monetary unit sampling weighted to large transactions); trade receivables circularisation covers 45 customers representing 72 percent of the year-end balance; vendor payments cover 80 transactions selected through stratified sampling. TDS testing covers a sample of 50 vendor payments across payment codes 1001, 1004, 1006, 1009, and 1010 to verify section classification.
Working paper count for the engagement: approximately 240 workpapers across 14 template types. The file is archived electronically with 7-year retention under SQC 1. Partner sign-off gates are recorded at the planning stage, the completion stage, and the report issuance stage.
Tax Overlay: TDS Payment Codes and Section 393 Disclosures
Statutory audit testing of vendor payments must verify TDS section classification against the 2026 payment code architecture. Each TDS challan carries a payment code from 1001 to 1092 (and corresponding TCS codes) that identifies the section under which tax is deducted — 1001 for Section 194C contractor payments, 1004 for sub-contractors, 1006 for Section 194J professional fees, 1009 for Section 194I rent, 1010 for Section 194H commission, and so on.
The auditor’s working paper captures the code-to-invoice mapping for the sample tested. A misclassification — for example, a Section 194J professional fee invoice paid with code 1001 — is documented as an observation. If material, it flows into the Form 3CD tax audit report (Clause 21 and Clause 34) and into the Section 393 or Section 394 disclosure paragraph of the audit report.
The Companies Act Section 143(3)(b) reporting obligation requires the auditor to state whether proper books of account have been kept, and Section 143(11) and the CARO 2020 reporting clauses require specific disclosures on statutory dues. The statutory dues reconciliation workpaper feeds directly into CARO Clause 3(vii) — undisputed statutory dues outstanding and disputed statutory dues. A reliable TDS and GST reconciliation source, such as reconciliation software India configured for multi-GSTIN testing, materially shortens this workpaper’s preparation time.
Estimate TDS Mismatches Before Statutory Audit Fieldwork
Before the audit team walks in, quantify the Form 26AS vs TDS receivable gap and the section-code mismatches across your client’s vendor ledger. The TDS Mismatch Estimator gives partners a quick read on the scope of statutory dues testing required.
Open the TDS Mismatch Estimator →How Long Are Working Papers Retained?
SQC 1 (Standard on Quality Control), issued by ICAI and applicable to all firms that perform audits and reviews of historical financial information, mandates a minimum 7-year retention of working papers from the date of the auditor’s report. For listed entities or any client with active or potential litigation exposure, firms typically extend retention to 10 years.
The retention archive — whether physical or electronic — must preserve the complete engagement file: engagement letter, planning memo, risk assessment, audit programme, sampling memos, all substantive testing workpapers, evidence files including bank confirmations and statutory dues reconciliations, management representation letter, written communications under SA 260 and SA 265, going concern memo, subsequent events review, partner review checklist, and the signed audit report. Electronic archives must preserve version history and the audit trail of who edited each workpaper and when.
A firm running 60 audits a year generates approximately 14,000 workpapers annually. A 7-year archive holds approximately 100,000 workpapers at steady state. This volume is unmanageable without a structured electronic archival system that indexes engagements by client, year, and standard reference.
How Do You Prepare for ICAI Peer Review?
ICAI peer review is the mandatory external quality control review of a CA firm’s audit engagements, conducted every 3 to 5 years depending on the firm’s category and client mix. The peer reviewer samples 5 to 10 completed audit engagements and assesses whether each file demonstrates SA 200 to SA 720 compliance.
A firm typically runs an internal mock peer review 6 to 9 months before the scheduled ICAI review. The mock review applies the ICAI peer review checklist to a sample of recent engagements and identifies gaps — undated workpapers, missing risk assessments, thin substantive testing files, absent management representation letters, unsigned partner review checklists. Gaps are remediated by either re-performing the work and supplementing the file (where permissible) or, more commonly, by tightening the firm’s standard templates and quality control processes for future engagements.
Peer review readiness rests on four pillars: (1) a documented SQC 1 quality control manual that the firm actually follows; (2) a standardised engagement file template library with the 12 to 18 workpaper types; (3) an evidence trail in every file showing engagement acceptance, risk assessment, sampling, substantive testing, partner review, and reporting; (4) a 7-year retention archive that is accessible, indexed, and intact. Firms that maintain these four pillars routinely pass peer review without observations on documentation quality.
The ICAI Standards on Auditing define the documentation and evidence requirements that govern every workpaper in the statutory audit file, and peer reviewers reference these standards directly when evaluating engagement files.
Frequently asked questions about statutory audit execution in CA firms in India are answered below.