Exposure Draft of SIA 230, Internal Audit Evidence

Editor4 15 Oct 2025 231 Views 0 comment Print CA, CS, CMA | News

The Standard on Internal Audit (SIA) 230 establishes a structured approach for the collection, evaluation, and documentation of Internal Audit Evidence, which encompasses all information used by the auditor to form conclusions on governance, risk management, and internal controls. The central objective is to ensure the evidence obtained is sufficient, appropriate, reliable, relevant, and timely to support the audit opinion and provide reasonable assurance. To meet this requirement, the standard mandates the use of various audit procedures, including Inquiry, Observation, Inspection, Confirmation, Recalculation, Reperformance, Analytical Procedures, and Data Analytics/CAATs. These procedures must align with the risk assessment and be designed to test both the design effectiveness and operational effectiveness of controls. Where the entire population cannot be tested, auditors must employ appropriate sampling techniques (such as risk-based or statistical sampling). The standard stresses the need for rigorous documentation, requiring working papers to completely and accurately record the procedures performed, risks addressed, findings, root cause analysis, and test results, ensuring the evidence is conclusive and facilitates quality review and conformance with professional standards. This standard applies to all general internal audit assignments but excludes formal fraud investigations.

The Institute of Chartered Accountants of India

Standard on Internal Audit

(SIA) 230

Internal Audit Evidence^**

1. Introduction

1.1 “Internal Audit Evidence” refers to all the information used by the Internal Auditor in arriving at the conclusions on which the auditor’s report is based. It includes both information collected from underlying entity records and processes, as well as information from the performance of various audit activities and testing procedures.

1.2 Internal audit assignments require performing procedures to achieve the engagement objectives. This involves gathering relevant information, performing analysis and evaluations to produce sufficient and appropriate audit evidence which enables internal auditors to:

provide reasonable assurance, and identify potential weaknesses in governance, risk management, and internal controls.
determine the root cause, effects and significance of the findings.
Formulate corrective and preventive recommendations to develop action to be taken by Management.
Determine conclusion based on audit evidence obtained.

1.3 This Standard provides a structured approach for executing internal audit assignments, ensuring relevance, consistency, effectiveness, and compliance with professional Standards on Internal Audit.

1.4 This Standard explains certain key requirements in the process of collection, retention and subsequent review of internal audit evidence.

1.5 Scope: This Standard applies to all internal audit assignments and covers the execution of audit procedures, including testing, sampling, and analytical techniques. Further, the manner in which the audit evidence is to be gathered from the performance of audit activities and testing procedures (e.g., sampling techniques, data analytics, etc.) are subject matter of this Standard. Types of audit evidence and its possible sources are therefore covered in this Standard.

The Forensic Accounting and Investigation Standards (FAIS) issued by ICAI are specifically applicable to fraud investigations, where evidence is collected and presented to support legal or judicial proceedings. In such cases, Standard on Internal Audit (SIA) 230, Internal Audit Evidence, are not applicable, as the nature, purpose, and evidentiary requirements differ significantly from those of an internal audit.

2. Effective Date

2.1 This Standard shall be applicable for internal audits commencing on or after a date to be notified by the Council of the Institute.

3. Objectives

3.1 The objective of this Standard is to establish a structured and consistent approach to the execution of internal audit procedures that ensures consistency, comprehensiveness, efficiency, effectiveness, and adherence to professional standards. This Standard aims to ensure that internal audit procedures are conducted in accordance with the overall internal audit engagement plan, stakeholder expectations, and the principles laid down by the Institute of Chartered Accountants of India (ICAI).

3.2 The overall objective of conducting fieldwork and obtaining appropriate and reliable evidence is to allow the Internal Auditor to form an opinion on the outcome of the audit procedures completed. The audit evidence must be sufficient, reliable, relevant, and timely collected from credible sources, directly related to the audit objectives and adequate to support the audit opinion. The evidence must stand on its own and does not require further clarification or additional information to reach the same conclusion.

3.3 The objectives of gathering appropriate and reliable audit evidence is to:

(a) Confirm the nature, timing and sufficiency of the audit procedures undertaken as per the internal audit plan and terms of engagement.

(b) Obtain and document sufficient, relevant, and reliable evidence to support audit findings and conclusions.

(d) Engage constructively with auditee personnel to facilitate the accurate understanding of processes and validation of audit observations.

(e) Maintain a high standard of documentation to support supervision, review, and subsequent reference.

(f) establish that the work performed is in conformance with the applicable pronouncements of the Institute of Chartered Accountants of India.

4. Requirements

4.1 Performing Audit Procedures (Refer Para. A1)

Types of Audit Procedures

To achieve audit objectives, the internal auditor shall perform a combination of audit procedures, including:

Inquiry: Obtaining information i.e. data, documents, reports, registration, Policies, etc., from process owners and management.

Observation: Physically observing internal controls and operational procedures as they are being observed or observing a control attribute while it is being executed by the management.

Inspection: Involves the examination of documentation (physical or electronic), system records, and tangible assets to obtain reliable audit evidence regarding their authenticity, condition, and compliance with internal controls or regulatory requirements.

Confirmation: The process of obtaining direct verification from external parties (e.g. banks, customers, vendors etc.) to substantiate balances and transactions.

Recalculation: It involves independently verifying the accuracy of computations performed by the process or system under audit. It may be applied to both financial and operational data and serves to validate input-output logic, detect control failures, and assess the reliability of automated or manual systems.

Reperformance: The auditor independently re-executes a control or procedure to assess its existence and effectiveness.

Analytical Procedures: Identifying relationships, trends, variances, and anomalies in financial and operational data. These procedures are instrumental in highlighting unusual patterns or fluctuations, which can guide risk-based auditing. They are especially useful in identifying periods or segments for stratified sampling, thereby enhancing audit efficiency and directing attention to areas with significant or unexpected movements.

Data Analytics / Computer-Assisted Audit Techniques (CAATs): Using data analytics tools to perform procedures such as pattern recognition, large-scale recalculations, sampling, and exception testing. Enhances coverage and improves audit efficiency and accuracy, especially with large datasets.

Execution of Audit Procedures
Internal auditors shall ensure that:

Audit procedures align with risk assessments and engagement objectives.
Select and apply appropriate Audit Procedures. The procedures shall be clearly documented, detailing the approach, execution, and findings.
Gather sufficient and appropriate evidence.
Document work performed.
Test Controls and Processes.
Evaluate audit results and identify exceptions. Any exceptions or variances identified during testing shall be further investigated.
Engage with process owners and Management.
Ensure compliance with professional standards.
Incorporate real-time status tracking and checkpoint reviews to monitor fieldwork progress, re-align priorities, and address blockers without waiting until final reporting.
Where testing relies on auditee-generated extracts or system reports, internal auditors shall validate system logic and assess data extraction controls for integrity. Preferably obtain access to relevant systems for direct data extracts.
Conduct opening and closing meeting with relevant stakeholders.

Internal Controls Testing

Testing shall cover both design effectiveness (whether the control is well-designed) and operational effectiveness. (whether the control is functioning as intended)
Control deficiencies and weaknesses shall be documented and discussed with relevant stakeholders.

Transaction and Process Testing

Internal auditors shall use appropriate sampling techniques to test transactions for compliance and accuracy.
Key business processes shall be reviewed to identify inefficiencies and risks.

4.2 Sampling and Analytical Procedures (Refer Para. A2) Sampling Procedures

Sampling techniques shall be used where it is impractical to audit the entire population.
Sample sizes may be sufficient and appropriate to draw reasonable conclusions.
Sample selection may be based on:

Risk-based sampling: Prioritizing high-risk areas.

Statistical sampling: Using probabilistic techniques for objectivity. Judgmental sampling: Selecting based on auditor expertise. Stratified sampling: Ensuring the sample represents key subgroups.

Monetary Unit Sampling (MUS): Used for auditing transactions with high monetary value, ensuring larger transactions are prioritized in sampling.

Random Sampling: Each element has an equal and independent chance of selection.

Analytical Procedures

Analytical procedures are a critical component of audit procedure and serve as an effective means of identifying anomalies, assessing trends, and evaluating the reasonableness of data. These procedures support risk assessment, enhance audit efficiency, and contribute to the development of informed audit conclusions. Internal auditors shall apply analytical procedures throughout the audit cycle— specifically during planning and execution stage, and reporting—to support professional judgment assess the risks of material misstatement and detect potential red flags.

The following analytical procedures may be employed, depending on the nature and scope of the audit assignment:

Ratio Analysis: Comparing key financial and operational ratios over time or against benchmarks to identify deviations from expected norms. (e.g., gross margin ratio, current ratio, inventory turnover)
Trend Analysis: Reviewing historical data across periods to detect unusual patterns, fluctuations, or emerging risks that may indicate control failures or process inefficiencies.
Data Analytics: Utilizing computer-assisted audit techniques (CAATs), business intelligence tools, or other specialized software to analyse large or complex datasets for outliers, duplication, fraud indicators, predictive estimates, consideration of relationships between financial & non-financial information or transactional anomalies.
Benchmarking: Comparing company performance indicators or process efficiency metrics against industry standards, peer organizations, or internally established benchmarks to identify performance gaps.

Sampling and analytics outcomes that materially affect conclusions shall be independently reviewed, especially where automated tools or scripts are deployed. Internal auditors shall retain script logic or algorithm assumptions for re-performance purposes.

Data analytics used for testing shall be clearly mapped to audit objectives and procedures; standalone exploratory analysis shall not substitute formal audit testing unless justified and approved. The outcome of such an analysis inevitably should be verified with the underlying documents, other evidence to confirm conclusions, at least on a sample basis. This methodology should be appropriately disclosed in the reports.

Where analytical procedures indicate unusual variances, trends, or inconsistencies, the internal auditor shall investigate the underlying causes and consider the need for additional audit procedures to achieve the audit objective. The findings from such analyses shall be documented and incorporated into audit conclusions and recommendations.

4.3 Audit Evidence and Documentation (Refer Para. A3)

Audit evidence shall be sufficient, appropriate, reliable, relevant, and useful to support conclusions.
Evidence collected through various audit procedures shall be complementary and relevant to the objectives of the audit procedure conducted.
The evidence shall be obtained from reliable sources ensuring consistency between various evidence collected.
Digital and electronic audit evidence, i.e. system logs, automated reports should be considered equivalent to physical records when they meet reliability standards.
Working papers shall completely and accurately document:
- Objectives and scope of the Audit.
- Risk Assessment: Evaluation of relevant information to identify and prioritize risks that may impact Strategic, Operations, Compliance, and Reporting objectives.
- Sampling Approach and Selection.
- Audit procedures performed and risks addressed.
- Observations and findings.
- Root cause (when possible) and risk or potential exposure.
- Analytical procedures employed, Test results and supporting evidence.
- Criteria used to evaluate the findings.
- Evidence of communication to appropriate parties including management’s responses to potential observations.
- Written management representations, where necessary.
- Internal audit rejoinders, where appropriate, are documented to clearly articulate the internal auditor’s position or response to an observation.
All evidence must be retained in accordance with professional Standards on Internal Audit and organizational policies. Any audit evidence obtained through interviews or oral responses shall be documented and, where materially relied upon, validated through follow-up documentation or formal confirmation. System-generated audit trails (e.g., logs of user actions, workflow approvals) shall be leveraged, where relevant, as reliable forms of evidence and embedded in work papers for control walkthroughs.

*****

Application and Other Explanatory Material

A1. Performing Audit Procedures (Refer Para. 4.1):

Audit procedures should focus on specific risks and objectives.
Control testing should include both design effectiveness and operational effectiveness.
A crucial part of audit fieldwork is careful observation. Paying close attention to ongoing activities helps determine whether internal controls are properly followed.
Obtain confirmation from the entity’s field personnel responsible for the observations to avoid any contradictions when reporting findings to management.
Internal auditors should understand and use technologies that improve the efficiency and effectiveness of analyses, such as software applications that enable testing of an entire population rather than just a sample.
Internal Audit professionals shall enhance their skills and continue training in new/ emerging technologies like RPA, AI, Process mining, Blockchain OCR recognition etc. and leverage them to enhance efficiency & effectiveness of audit tests carried out with an aim to audit at population level instead of auditing at a sample level.

A2. Sampling and Analytical Procedures (Refer Para. 4.2):

Analytical procedures provide deeper insights into trends, enabling early risk identification.
Internal auditors shall evaluate the reliability and consistency of audit evidence obtained from different sources.
If initial analysis do not provide sufficient evidence to support a potential engagement finding, internal auditors must exercise due professional care when determining whether additional analysis are required.
The extent of reliance on the results on sampling and analytical procedures will depend upon materiality of items involved, other internal audit procedures directed towards same internal audit objectives, accuracy with which the expected results of analytical procedures can be predicted and assessment of inherent and control risks.
Internal auditors shall pre-define thresholds for exceptions (e.g., monetary or frequency-based triggers) and ensure consistency in escalation and reporting of such exceptions across auditable units.
Where automated tools are used, internal auditors must test the completeness and accuracy of data imported into those tools and document reconciliations performed, if any.

A3. Audit Evidence and Documentation (Refer Para. 4.3): Evidence is collected either from the underlying company’s books, records, systems and processes or through the performance of audit activities and testing procedures. Documents supporting transactions (e.g., bills/invoices) or business arrangements (e.g., contracts/ agreements) are examples of evidence from company’s underlying records. Evidence gathered through audit procedures may include one or more of the techniques, like: inspection, observation, inquiry, external confirmation, recalculation, re-performance, analytical procedures and the use of expert opinion, where necessary.

To enhance clarity and rigor, audit evidence is explicitly classified into the following categories:

Physical (e.g., assets observed during inventory count)

Source: Direct observation or physical inspection by the internal auditor.

Documentary (e.g., invoices, contracts)

Source: Company records, files, third-party documentation, or official correspondence.

Analytical (e.g., ratio or trend analyses)

Source: Internal auditor’s own calculations or data analytics using financial and operational data extracted from the company’s systems.

Testimonial (e.g., management representations)

Source: Interviews, questionnaires, formal written statements, or minutes of meetings.

Electronic (e.g., logs, digital records, or electronic communications)

Source: IT systems, enterprise software, audit trails, emails, and digital databases.

Internal auditors are encouraged to apply automated tools and techniques—such as Computer-Assisted Audit Techniques (CAATs), data mining, and analytics—especially where large volumes of data are involved, to improve the coverage, efficiency, and reliability of the evidence obtained.

Sufficiency and appropriateness are inter-related and apply to evidence obtained. Sufficiency refers to the quantity or quantum of evidence gathered while appropriateness relates to its quality or relevance and reliability. Normally, the internal audit evidence is persuasive on its own and a number of evidential matters in aggregate, help make it conclusive in nature. The internal auditor must use professional judgement in evaluating whether the aggregate evidence collected is adequate to support findings. The rationale for accepting or rejecting any contradictory or inconsistent or unrelated evidence should be considered and appropriately documented.

The reliability of the audit evidence depends on its source – internal or external, its type and thoroughness and, may also depend on the timing of the audit procedures conducted.

Audit evidence shall be sufficient (factual and adequate), competent (reliable and relevant), and corroborated across independent sources. Where inconsistencies arise, or doubts exist regarding the reliability of information obtained, the internal auditor shall reassess and, where necessary, modify or extend audit procedures. In doing so, the internal auditor should consider factors such as source credibility, independence, and objectivity to evaluate the strength and reliability of the evidence before drawing conclusions.

1. Workpapers that contain automated summaries (e.g., pivot tables, BI dashboards) shall be locked or archived in non-editable formats to preserve the original audit evidence.

2. Documentation is important to provide evidence that the audit was carried out in accordance with the Standards on Internal Audit.

3. Documentation is essential to support audit findings and facilitate peer review.

M	T	W	T	F	S	S
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28

Enter your email Address

Exposure Draft of SIA 230, Internal Audit Evidence

Tags:

Join Taxguru’s Network for Latest updates on Income Tax, GST, Company Law, Corporate Laws and other related subjects.

Leave a Comment

Latest Posts

Violation of principles of natural justice and erroneous order cannot be reason to bypass alternative remedy

Trade Facilitation Measures within India’s Regulatory and Financial Framework

Tobacco Tax Overhaul 2026: GST Raised to 40% and RSP-Based Valuation Introduced

Open Garbage Bin & A Public Urinal In A Residential Area Violates Residents’ Right To Life: Delhi HC

Delhi HC Dismisses Reopening Based Solely on Audit Objection

GST Assessment Quashed as SCN Not Properly Served on Portal: Calcutta HC

Pre-Consultation Mandatory in Extended Limitation Cases for High-Value Excise/Service Tax Demands: Madras HC

Multiple GST SCNs Valid If Based on Distinct Discrepancies: Madras HC

Section 73, 74 & 74A: New Unified GST Demand Regime from FY 2024–25

GST’S effects on India’s federalism

Featured Posts

Open Garbage Bin & A Public Urinal In A Residential Area Violates Residents’ Right To Life: Delhi HC

Update on Advisory on Interest Collection and Related Enhancements in GSTR-3B

ITAT Deletes Section 68 Addition as AO Relied Solely on Generalized Penny Stock Report

Tax Audit under Income Tax Act 2025: Do You Know Physical Location & IP Address of Your Financial Data?

Income Tax Rule 205 Mandates Landlord Relationship Disclosure in HRA Claims

ROC Imposes Penalty for Delay in Filing DIR-12 After Company Secretary’s Resignation

Cash Deposits Cannot Be Treated as Unexplained Under Presumptive Tax Scheme: ITAT Kolkata

Mere Third-Party Excel Sheet Insufficient for Section 69 Addition: ITAT Chandigarh

200% Sec 270A Penalty Invalid for Failure to Specify Misreporting Limb: ITAT Delhi

200% Sec 270A Penalty Valid; Wrong VI-A deduction Misreporting; 270AA Immunity Denied

Popular Posts

Corporate Compliance Calendar for February 2026

Compliance Calendar for the Month of February 2026

Corporate Tax Rate Applicable for AY 2021-22, 2022-23, 2023-24, 2024-25, 2025-26 & 2026-27

February 2026 Tax Compliance Deadlines for Income Tax and GST

CAG: Empanelment of Chartered Accountant firms/LLPs for year 2026-2027

ICAI Empanelment to act as Observers at Examination Centres

180 Legal Compliances and Legal Updates for February 2026 in India

ICAI Revises CPE Rules: Seminar Hours Capped, Shorter Technical Sessions Allowed

Fast Track Merger under the Companies Act, 2013

Draft Income Tax Rules, 2026 – Major Changes in Employee Perquisites Valuation