Tax audit

Statutory audit is conducted mainly keeping in view the information requirement of the
shareholders. But there are also other parties who are interested in the financial information
of the organization. One such interested party is the Tax Authority, who wants to know the
correct income of the assessee from the tax provisions point of view. With this objective, the
Income tax Act of 1961 has included a number of provisions, which require audit of
statements prepared for tax purposes.
Tax-audit refers to the audit of incomes and expenses or specific claims of deductions and
exemptions that are required to be computed as per the provisions of the Income tax Act. It is
required in addition to financial audit, which does not fulfil the specific requirement of the
tax authority. While preparing the books of accounts of the business or profession for the
purpose of income tax filing, the assessee has to comply with the provisions of Income-tax
Act, 1961 particularly from Sec. 28 to Sec. 44DB. The provisions in these sections deal with
the income from business or profession which is chargeable to tax, how such incomes are
computed, chargeability, various allowances or disallowances and the rate of depreciation on
the various assets held by the assessee, deduction for making investments, deductions for
making donations, treatment and tax compliances on borrowed capital, treatment and tax
incidence on bad debts, statutory funds, accounting methods etc.

Having regard to these provisions, the process of return processing by the Income tax
department becomes a cumbersome and time-consuming task. So, to help and assist the
assessing officer in computation of assessee’s total income in accordance with the tax laws,
audit u/s 44AB of Income-tax Act, 1961 is required. Further, Tax audit is also required to
ensure proper maintenance of books of accounts in accordance with the provisions of tax
laws and to ensure that tax liability has been discharged on time and there is no concealment
of income by the assessee.

Compulsory Tax Audit u/s 44AB

Every person who derives income by way of Business or Profession and maintains books of
accounts and has not opted for computation of income on presumptive basis under
section 44AD, 44ADA or 44AE of the Income-tax Act, 1961 has to get tax audit done
provided his income exceeds the prescribed threshold limit. The following persons are
required to get tax audit done in the given cases.

1. A person carrying on business if the total sales/ turnover exceeds Rs. 1 crore (or 5
crores - FY 2019-20 - if the taxpayer’s cash receipts are limited to 5% of the gross receipts
or turnover, and if the taxpayer’s cash payments are limited to 5% of the aggregate
payments) during the previous year relevant to assessment year.

2. A person carrying on profession if the Gross receipts exceeds Rs. 50 lakhs during the
previous year relevant to assessment year.

3. A person who has opted for computing profits and gains of business on presumptive basis
under section 44AD earlier and 5 years have not lapsed since then, but the assessee has opted
out of such presumptive income and his income exceeds the ceiling for chargeability of
income tax (i.e. Rs 1 crore), is also required to get tax audit done.

4. Where a person has opted for presumptive scheme under section 44ADA and he claims his
income lower than the deemed profits under presumptive taxation scheme and his income
exceeds the ceiling for chargeability of income tax (i.e. Rs 50 lakhs), is also required to get
tax audit done.

5.Tax audit is also mandatory for the assessees opting for presumptive scheme u/s 44AE,
44BB and 44BBB and claiming income lower than the deemed profits under presumptive
taxation scheme.

A person covered by section 44AB should get his accounts audited and should obtain the
audit report on or before 30th September of the relevant assessment year. However, if a
person is required to get his accounts audited under any other law for eg. statutory audit of
companies under company law provisions, the taxpayer need not get his accounts audited
again for income tax purposes. It is sufficient if accounts are audited under such other law
before the due date of filing the return. The taxpayer can furnish this prescribed audit report
under Income tax law. The Income-tax Authorities need confirmation whether the tax
provisions have been properly complied by an assessee.

Special Audit u/s 142(2A)

If, at any stage of the proceedings before him, the Assessing Officer, having regard to
--nature and complexity of the accounts,
--volume of the accounts,
--doubts about the correctness of the accounts,
--multiplicity of transactions in the accounts or specialised nature of business activity of the
assessee, and
--the interests of the revenue,
is of the opinion that it is necessary to do so, he may, with the previous approval of the
Commissioner or Chief Commissioner, direct the assessee to get the accounts audited by a
Chartered Accountant, nominated by the Chief Commissioner or Commissioner in this behalf
and to furnish a report of such audit in the prescribed form duly signed and verified by such
accountant and setting forth such particulars as may be prescribed and such other particulars
as the Assessing Officer may require.
Provided that the Assessing Officer shall not direct the assessee to get the accounts so
audited unless the assessee has been given a reasonable opportunity of being heard.
Provided that the Assessing Officer may, suo motu, or on an application made in this behalf
by the assessee and for any good and sufficient reason, extend the said period by such further
period or periods as he thinks fit; so, however, that the aggregate of the period originally
fixed and the period or periods so extended shall not, in any case, exceed 180 days from the
date on which the direction under sub-section (2A) is received by the assessee.
The expenses of, and incidental to, any audit under sub-section (2A) (including the
remuneration of the accountant) shall be determined by the Chief Commissioner or
Commissioner in accordance with such guidelines as may be prescribed and the expenses so
determined shall be paid by the Central Government.

Audit in a Computerized Environment

Information Technology throughout the world has revolutionized and dramatically changed
the manner in which the business is conducted today. Computerization has a significant effect
on organization control, flow of document information processing and so on. Auditing in a
CIS environment even though has not changed the fundamental nature of auditing, it has
definitely caused substantial changes in the method of evidence collection and evaluation.
This also requires auditors to become knowledgeable about computer environment
(Hardware, software etc.) and keep pace with rapidly changing technology, even to the extent
of using sophisticated Audit software.

Challenges/Problems

1) Evidence collection: Collecting evidence on the reliability of a computer system is

often more complex than collecting evidence on the reliability of a manual system.
Hence auditors have to run through computer system themselves using Computer
Assisted Audit Techniques (CAATS) if they are to collect the necessary evidence.

2) Changes to Evidence Evaluation: Paper documents are inherently more reliable

because alterations are generally apparent or may be uncovered by forensic analysis.
By comparison, electronic documents in their uncontrolled state are highly vulnerable
to forgery and unauthorised change.

3) Skill competence: Auditors should have sufficient knowledge of the computerised

information system to perform such audit effectively. These skills may be limited
among auditors adopting traditional techniques of audit.

4) Risks in a network environment:

a) Threats to accountability: In a manual system, a person has to be physically
present to handle a paper document. It is not the same in a networked computer
system. In a network environment, an electronic document may be created,
accessed, read, amended, deleted or replaced from anywhere at any time and the
true identity of the person responsible may not be known.
b) Ease of amendment: Computer software and data are stored and transmitted in an
intangible form. They can be amended without any trace.
c) Ease of duplication: Computer files can be easily copied and made
indistinguishable from the original. It is particularly important to prevent and to
detect the duplication of electronic records which have financial value.
d) Internet risks: When an entity uses a private network for e-business, transactions
are transmitted between trading partners through a value-added network with
access only to the network’s trading partners. In contrast if e- business is
transacted over the Internet, which is a public network, the information being
transmitted is vulnerable to being intercepted, altered, lost, diverted or replaced.

5) Lack of segregation of duties: In manual accounting, every transaction would

probably be reviewed and processed by several people which is not the case in
Computer Information System (CIS). This may result in possibilities of frauds and
errors as a result of system or program faults. Once a fault is in a system, the system
processes incorrectly forever as no human intervention or review may be included in
the controls or the fault may simply not be visible as processing is not transparent e.g.
use of wrong price for the sale of commodities or using a wrong wage-rate while
paying wages and salaries to the employees
Controls: General & Application Controls
To minimize errors, disaster, computer crime, and breaches of security, special policies and
procedures must be incorporated into the design and implementation of information systems.
The combination of manual and automated measures that safeguard information systems and
ensure that they perform according to management standards is termed as controls. Controls
consist of all the methods, policies, and organizational procedures that ensure the safety of
the organization's assets, the accuracy and reliability of its accounting records, and
operational adherence to management standards.
Computer systems are controlled by a combination of general controls and application
controls. General controls govern the design, security, and use of computer programs and the
security of data files in general throughout the organization’s information technology
infrastructure. On the whole, general controls apply to all computerized applications and
consist of a combination of hardware, software, and manual procedures that create an overall
control environment. Application controls are specific controls unique to each computerized
application, such as payroll or order processing. They consist of controls applied from the
business functional area of a particular system and from programmed procedures.

A) General Controls: General controls include software controls, physical hardware

controls, computer operations controls, data security controls, controls over the
systems implementation process, and administrative controls

1) Software controls: Monitor the use of system software and prevent unauthorized
access of software programs, system software, and computer programs. System
software is an important control area because it performs overall control functions for
the programs that directly process data and data files.
2) Hardware controls: Ensure that computer hardware is physically secure and check
for equipment malfunction. Computer equipment should be specially protected
against fires and extremes of temperature and humidity. Organizations that are
dependent on their computers also must make provisions for backup or continued
operation to maintain constant service.
3) Computer Operations Controls: Oversee the work of the computer department to
ensure that programmed procedures are consistently and correctly applied to the
storage and processing of data. They include controls over the setup of computer
processing jobs and computer operations and backup and recovery procedures for
processing that ends abnormally.
4) Data security controls: Ensure that valuable business data files are not subject to
unauthorized access, change, or destruction while they are in use or in storage.
5) Implementation controls: Audit the systems development process at various points
to ensure that the process is properly controlled and managed. The systems
development audit looks for the presence of formal reviews by users and management
at various stages of development; the level of user involvement at each stage of
implementation; and the use of a formal cost-benefit methodology in establishing
system feasibility. The audit should look for the use of controls and quality assurance
techniques for program development, conversion, and testing and for complete and
thorough system, user, and operations documentation.
6) Administrative controls: Formalize standards, rules, procedures, and control
disciplines to ensure that the organization’s general and application controls are
properly executed and enforced. The most important administrative controls are (1)
segregation of functions, (2) written policies and procedures, and (3) supervision.
 B) Application Controls: Application controls include both automated and manual
procedures that ensure that only authorized data are completely and accurately
processed by that application. Application controls can be classified as (1) input
controls, (2) processing controls, and (3) output controls. Input controls check data for
accuracy and completeness when they enter the system. There are specific input
controls for input authorization, data conversion, data editing, and error handling.
Processing controls establish that data are complete and accurate during updating.
Run control totals, computer matching, and programmed edit checks are used as
processing controls. Output controls ensure that the results of computer processing are
accurate, complete, and properly distributed.
1) Control totals: (Input, Processing) Totals established beforehand for input and
processing transactions. These totals can range from a simple document count to
totals for quantity fields, such as total sales amount (for a batch of transactions).
Computer programs count the totals from transactions input or processed.
2) Edit checks: (Input) Programmed routines that can be performed to edit input data for
errors before they are processed. Transactions that do not meet edit criteria are
rejected. For example, data might be checked to make sure they are in the right format
(for instance, a nine-digit social security number should not contain any alphabetic
characters).
3) Computer matching: (Input, Processing) Matches input data with information held
on master or suspense files and notes unmatched items for investigation. For example,
a matching program might match employee time cards with a payroll master file and
report missing or duplicate time cards.
4) Run control totals: (Processing) Balance the total of transactions processed with
total number of transactions input.
5) Output controls: Audits of output reports to make sure that totals, formats, and
critical details are correct and reconcilable with input. Documentation specifying that
authorized recipients have received their reports, checks, or other critical documents.

***() Type of Application Control

CAATS
Computer Assisted Audit Techniques involve the use of computers in the process of an audit
rather than limiting it to an entirely manual approach. CAATS are defined as computer-based
tools and techniques, which facilitate auditors to increase their personal productivity as well
as that of audit function. CAATS are software tools for auditors to access, analyse and
interpret data and to draw an opinion for an audit objective.

Types of CAATS/ Software

1. Generalised Audit Software (GAS): These are also referred as Package
Programmes. GAS refers to generalised computer programmes designed to perform
data processing functions such as reading data, selecting and analysing information,
performing calculations, creating data files and reporting in a format specified by the
auditor. GAS is standard off-the-shelf audit software, which can be used across
enterprises and platforms.

2. Specialised Audit Software (SAS): These are also referred to as Purpose-Written

programmes. They perform audit tasks in specific circumstances. These are
specifically written for performing audit tests for specific type of applications. These
programmes may be developed by the auditor, the entity being audited or an outside
 programmer hired by the auditor. In some cases, the auditor may use an entity's
existing programmes in their original or modified state because it may be more
efficient than developing independent programmes.

3. Utility software: These are used by an entity to perform common data processing
functions, such as sorting, creating and printing files. Utility software also includes
utility programmes available in system programmes for performing debugging or
analysis of various aspects of usage/access. These programmes are generally not
designed for audit purposes but can be used for performing specific tests.

CAATS and more specifically audit software have the potential to enable auditors to
recognise computer as a tool to assist them in the audit process. Audit software give auditors
access to data in the medium in which it is stored, eliminating the boundaries of how it can be
audited. Once the auditors accept and learn how to use audit software, they will be in a better
position to create value addition in their audit. The greatest barrier in promoting use of audit
software is failure to recognise opportunities to use audit software for audit. Understanding
and recognising how CAATS can be used and knowing how to use audit software is most
critical to its effective use.