The revised CAG directions issued under section 143(5) of the Companies Act, 2013 for accounts finalised after 17 October 2025 significantly expand the statutory auditor’s reporting responsibilities for Government and Government-controlled companies by introducing focused, mandatory reporting on fair valuation of post-retirement benefit investments, IT systems and cyber security, grants and subsidies, risk management (including data assets), and compliance with specified regulators’ requirements.
Auditors must treat these directions as integral to the main audit, apply relevant Standards on Auditing, build clause-specific audit procedures and documentation, and exercise professional judgement in assessing materiality and the impact of deviations on the true and fair view, determining whether such matters warrant modified opinions or Emphasis of Matter paragraphs, while maintaining heightened sensitivity to public-interest and stewardship considerations inherent in PSU and Government audits.
A Practical Guide for Statutory Auditors of Government and Government-Controlled Companies
(Applicable to accounts finalised after 17 October 2025)
| Area / Clause | What CAG Requires | What Statutory Auditors Should Do |
|---|---|---|
| Overall scope (Section 143(5)) | Mandatory reporting on compliance with CAG directions, actions taken and impact on financial statements; report addressed to shareholders and submitted to CAG | Treat the CAG report as integral to the main audit; apply relevant SAs and evaluate whether issues affect true and fair view |
| Clause I – Post-retirement benefit investments | Assess fair valuation of all plan investments (quoted/unquoted, direct or through trusts) and report methodology, reasonableness and deviations | Identify defined benefit plans, test valuation as an accounting estimate under SA 540, use experts if needed, obtain specific management representations |
| Clause II(A) – IT processing of transactions | Report whether all accounting transactions are processed through IT systems; disclose exceptions and impact | Understand IT and manual processes under SA 315, identify spreadsheet/manual interventions, obtain representations and report implications |
| Clause II(B) – IT controls over financial reporting | Comment on review of IT controls significant to financial reporting and material weaknesses | Evaluate GITCs and application controls, leverage IT audit reports, report material weaknesses using ICAI formats |
| Clause II(C) – Cyber security | Report on cyber security reviews conducted and material issues affecting financial reporting | Understand scope and findings of cyber reviews, assess impact on accounting records, obtain written representations |
| Clause III – Grants and subsidies | Confirm proper accounting, utilisation as per terms, and correct treatment of interest/refunds | Analyse grant terms, test recognition, utilisation and disclosures under Ind AS 20/AS 12, apply lower materiality due to public interest |
| Clause IV(a) – Risk management policy | State whether key risks are identified and a risk management policy exists, considering global best practices | Verify existence of Board-approved policy and risk register; rely on management representation for global frameworks used |
| Clause IV(b) – Data assets | Report whether data assets are identified and valued appropriately | Determine whether data-related intangibles are recognised under Ind AS 38/AS 26; evaluate valuation and impairment where applicable |
| Clause V – Regulatory compliance | Report compliance with specified regulators (SEBI, DIPAM, MCA, DPE, RBI, TRAI, CERT-IN, MeitY, NPCI) | Obtain a legal/regulatory compliance statement, perform risk-based checks, highlight deviations factually |
| Reporting impact | Enhanced transparency and accountability in PSU audits | Link adverse comments to audit opinion under SA 705/706; decide between modification and Emphasis of Matter |
Overall Purpose and Scope of the Revised Directions
Section 143(5) of the Companies Act, 2013 empowers the Comptroller and Auditor General of India (CAG) to issue mandatory directions to statutory auditors of Government companies and other Government-owned or Government-controlled entities. Auditors are required not only to comply with these directions but also to report on compliance, the action taken, and the impact on the financial statements.
The report under section 143(5):
- Is addressed to the shareholders
- Is submitted to the CAG
- Is supplemental to, and integral with, the main audit report
The revised directions, issued through CAG letters dated 23 May 2025 and 17 October 2025, significantly enhance the depth and focus of reporting. They introduce structured reporting across five thematic areas:
- Fair valuation of post-retirement benefit investments
- IT systems and cyber security
- Grants and subsidies
- Risk management (including data assets)
- Compliance with specified regulators’ requirements
Auditors must apply the Standards on Auditing throughout—particularly SA 315, SA 330, SA 500, SA 540, SA 620, SA 705, SA 706, SA 230, SA 250 and SA 560—and exercise professional judgement in determining whether matters reported under the CAG directions necessitate a modified audit opinion or can be addressed through an Emphasis of Matter.
Clause I – Fair Valuation of Investments for Post-Retirement Benefits
Direction
Auditors must assess the fair valuation of all investments—quoted and unquoted—held directly by the company or through trusts, for post-retirement employee benefits. The auditor’s report should include a brief note covering:
- The valuation approach adopted
- Reasonableness of valuation
- Compliance with applicable accounting standards and regulations
- Any material deviations or misstatements
Key Guidance for CAs in Practice
Identify the nature of employee benefit plans
The clause is primarily relevant where the company has defined benefit obligations under Ind AS 19 or AS 15, supported by plan assets. Defined contribution plans usually do not give rise to valuation complexities of plan assets.
Determine whether investments qualify as “plan assets”
Auditors should evaluate whether investments meet the definition of plan assets. If they do not, they may need to be treated as company assets, requiring normal balance-sheet recognition rather than offsetting against employee benefit obligations.
Treat valuation as an accounting estimate (SA 540)
Fair valuation involves significant judgement and must be audited as an accounting estimate:
- Understand and test management’s valuation models and methodologies
- Assess key assumptions and data inputs
- Evaluate internal controls over valuation processes
Use experts where required (SA 620)
For complex or material unquoted investments, auditors may rely on valuation experts. Their competence, capabilities and objectivity, as well as the adequacy of their work, must be evaluated.
Obtain tailored management representations
Representations should specifically cover:
- Complete list of investments (direct and through trusts)
- Valuation basis for quoted and unquoted instruments
- Compliance with accounting standards and regulatory requirements
- Disclosure of known deviations or misstatements
Documentation and reporting
Robust working papers are critical. Auditors should use ICAI’s clause-wise illustrative reporting formats, choosing between clean reporting or reporting with deviations.
Clause II – Accounting Transactions and IT Systems (Including Cyber Security)
Direction
Auditors must report:
- Whether all accounting transactions are processed through IT systems
- Whether IT controls significant to financial reporting have been reviewed
- Whether cyber security reviews have been carried out and whether material issues have been reported
- The implications and financial impact where transactions are processed outside IT systems
A. Whether All Accounting Transactions Are Processed Through IT Systems
Using SA 315, auditors should obtain a thorough understanding of the company’s information system and related business processes, including:
- Classes of transactions
- How transactions are initiated, authorised, recorded and posted
- Accounting records and supporting documentation
- Processes for non-routine transactions and journal entries
Manual processes and spreadsheets
Where spreadsheets or manual records drive accounting entries—such as payroll adjustments, PPE capitalisation, actuarial journals or consolidation entries—these are considered outside the IT system and must be reported along with their implications for data integrity and financial reporting.
Service organisations
If third-party service providers are used, auditors should consider SAE 3402 reports or equivalent assurance.
Management representations
Obtain written confirmation that all accounting transactions are processed through specified IT systems, with explicit disclosure of any exceptions.
Reporting
Use CAG-prescribed standard wordings for:
- Full IT-based processing
- Processing with disclosed exceptions and impact
- Other fact patterns
B. Review of IT Controls Significant to Financial Reporting
The focus is on identifying material weaknesses in internal financial controls over financial reporting, as per the ICAI Guidance Note on IFC.
Auditors should understand and, where relevant, test:
General IT Controls (GITCs)
- Logical access controls
- Program change controls
- System development and acquisition controls
- Data centre and network operations
Application controls
- Input controls
- Processing controls
- Output and interface controls
These controls are aimed at ensuring completeness, accuracy, authorisation and integrity of financial data.
Auditors may rely on their own work, IT specialists’ work, or credible management/third-party reports.
Representations and reporting
Management should confirm the design and operating effectiveness of IT controls and disclose material weaknesses. Reporting should follow ICAI’s illustrative formats, clearly stating whether any weaknesses could lead to material misstatement.
C. Cyber Security Reviews
Auditors are not expected to perform a cyber security audit. Their responsibility is to understand and report on cyber security reviews conducted by management or specialists and assess whether findings have a material bearing on financial reporting.
Auditors should obtain details of:
- Cyber audits, VAPT, network and application security testing
- Cloud, ICS/IoT and data security reviews
- Red-team exercises and forensic readiness assessments
- SBOM/QBOM/AIBOM-related reviews
Written representations should cover cyber incidents, scope of reviews, key findings, remediation status and any impact on accounting records or financial reporting.
The suggested tabular disclosure (area reviewed, date, and level of deficiencies) should be used in reporting.
Clause III – Grants and Subsidies
Direction
Auditors must report whether:
- Grants and subsidies under specific schemes have been properly accounted for
- They have been utilised in accordance with terms and conditions
- Interest on grants has been accounted for as per grant terms
- Deviations, if any, exist
Practical Audit Approach
Identify applicable framework
Determine whether Ind AS 20 or AS 12 applies and analyse each grant’s terms—purpose, milestones, utilisation conditions, refund and interest clauses.
Understand controls and risks
Key risks include premature recognition, capital–revenue misclassification, diversion or delay of utilisation, and incorrect treatment of interest.
Assertion-level procedures
- Existence/completeness: reconcile sanction orders with GL; obtain confirmations for material grants
- Accuracy/valuation: recompute amortisation or asset-cost offsets
- Cut-off: trace year-end receipts to bank statements
- Compliance/utilisation: vouch utilisation to sanctioned purposes; review utilisation certificates and progress reports
- Interest/refunds: recompute interest and verify correct accounting
- Disclosure: verify scheme-wise disclosures
Given the public-interest sensitivity, auditors should apply lower materiality thresholds and consider attribute sampling or MUS.
Management representations and reporting
Representations should confirm completeness, proper accounting, exclusive utilisation, correct interest treatment and full disclosure. Reporting should follow ICAI’s specimen formats for full compliance, partial compliance or “no grants received”.
Clause IV – Risk Areas, Risk Management Policy and Data Assets
Clause IV(a): Identification of Key Risks and Risk Management Policy
Auditors must report whether key risks have been identified and whether a Risk Management Policy has been formulated, considering global best practices.
Audit focus
The auditor’s responsibility remains limited to risks relevant to material misstatement under SA 315 and SA 330—not to opine on the entire ERM framework.
Procedures
- Verify existence of a Board-approved risk management policy and risk register
- Assess whether identified risks broadly align with the auditor’s understanding
- Consider whether significant omissions (e.g. cyber or regulatory risks) warrant non-affirmative reporting
On “global best practices”, auditors may rely on management representations regarding frameworks used (e.g. COSO-ERM, ISO 31000).
Clause IV(b): Data Assets and Their Valuation
This clause primarily concerns data-related intangible assets recognised under Ind AS 38 or AS 26.
First step
Determine whether any such assets are recognised. If none, the auditor may state that no data assets have been identified or valued under the applicable framework.
Where recognised, evaluate
- Recognition criteria
- Subsequent measurement and amortisation
- Impairment testing under Ind AS 36/AS 28
- Valuation methodologies and assumptions
Experts may be used under SA 620 where valuation is complex.
Reporting should follow the suggested variants: identified and valued, identified but not valued, or not identified.
Clause V – Compliance with Specified Laws and Regulations
Direction
Auditors must report on compliance with regulations of SEBI, DIPAM, MCA, DPE, RBI, TRAI, CERT-IN, MeitY and NPCI, wherever applicable, and highlight deviations.
Audit Response
While SA 250 provides the framework, this clause requires factual reporting on compliance with the specified regimes, going beyond only those non-compliances that cause material misstatement.
Auditors should leverage:
- Management’s responsibility under section 134(5)(f)
- Company Secretary’s role and reports under section 205
Management inputs
Obtain a comprehensive list of applicable laws and a Legal and Regulatory Compliance Statement detailing compliance status, evidence and consequences of non-compliance.
Audit procedures
Perform risk-based checks using filings, secretarial audit reports, internal audit reports and regulatory correspondence.
Reporting
Use ICAI’s standard wordings for full compliance or compliance except for listed deviations, cross-referencing secretarial audit where relevant.
Using the ICAI Guide in Practice
The ICAI Technical Guide should be treated as a direction-wise audit program and reporting aid, supplementing—not replacing—the Companies Act and the Standards on Auditing.
Best practices include:
- Maintaining clause-specific workpapers documenting objectives, procedures, evidence and conclusions
- Calibrating materiality qualitatively, especially for grants, IT/cyber issues and regulatory compliance
- Always linking adverse or non-affirmative comments back to their impact on the true and fair view, and deciding—under SA 705 and SA 706—whether a modified opinion or an Emphasis of Matter is required
In substance, the revised CAG directions significantly deepen the auditor’s public-interest and stewardship role. A disciplined, standards-aligned and well-documented response is essential—not only for regulatory compliance, but also for maintaining audit quality and credibility in Government and PSU audits.
FAQs on revised CAG directions under section 143(5) of the Companies Act, 2013
What are the revised CAG directions under section 143(5) of the Companies Act, 2013?
The revised directions are mandatory audit instructions issued by the CAG through letters dated 23 May 2025 and 17 October 2025, requiring enhanced reporting by statutory auditors of Government and Government-controlled companies on specific focus areas.
From which date are the revised CAG directions applicable?
They apply to financial statements of Government companies and other Government-owned or controlled entities that are finalised on or after 17 October 2025.
What is the objective of reporting under section 143(5)?
The objective is to ensure enhanced transparency, accountability and stewardship by requiring auditors to report on compliance with CAG directions, actions taken by the company and their impact on the financial statements.
Is the report under section 143(5) separate from the main audit report?
The report is supplemental but integral to the main audit report; it is addressed to shareholders and submitted to the CAG, and its contents may influence the audit opinion.
What are the five key themes introduced by the revised directions?
The themes are fair valuation of post-retirement benefit investments, IT systems and cyber security, grants and subsidies, risk management including data assets, and compliance with specified laws and regulators.
Which Standards on Auditing are particularly relevant for responding to the revised directions?
Key standards include SA 315, SA 330, SA 500, SA 540, SA 620, SA 705, SA 706, SA 230, SA 250 and SA 560, applied with professional judgement.
How should auditors respond to Clause I on post-retirement benefit investments?
Auditors should focus on defined benefit plans, assess whether investments qualify as plan assets, audit fair valuation as an accounting estimate under SA 540, use experts where required and report methodology, reasonableness and deviations.
What does Clause II require regarding IT systems and accounting transactions?
Auditors must report whether all accounting transactions are processed through IT systems, identify any manual or spreadsheet-driven processes, and explain their implications for integrity of accounts and financial reporting.
Are auditors required to conduct a cyber security audit under Clause II?
No, auditors are not required to perform a cyber security audit; they must understand and report on cyber security reviews conducted by management or specialists and assess their impact on financial reporting.
How should grants and subsidies be audited under Clause III?
Auditors should analyse grant terms, apply Ind AS 20 or AS 12 as applicable, test recognition, utilisation, interest or refund treatment, verify disclosures and report any deviations from conditions.
What is the auditor’s responsibility under Clause IV relating to risk management?
Auditors must verify whether key risks have been identified and a risk management policy exists, focusing on risks relevant to material misstatement rather than opining on the entire ERM framework.
What are data assets for the purpose of Clause IV(b)?
Data assets generally refer to data-related intangible assets recognised in the financial statements under Ind AS 38 or AS 26, such as internally developed databases or proprietary datasets.
What if the company has not recognised any data assets?
If no data-related intangibles are recognised under the applicable accounting framework, the auditor may report that no data assets have been identified or valued.
Which regulators are covered under Clause V on compliance?
The clause covers SEBI, DIPAM, MCA, DPE, RBI, TRAI, CERT-IN, MeitY and NPCI, wherever applicable to the company.
Does Clause V go beyond the requirements of SA 250?
Yes, it requires factual reporting on compliance with specified regulatory regimes, even if non-compliance does not directly result in material misstatement of the financial statements.
How should auditors obtain comfort on regulatory compliance?
Auditors should rely on management’s compliance systems, company secretary reports, legal and regulatory compliance statements and perform risk-based verification of key filings and communications.
How should materiality be applied for CAG direction reporting?
Materiality should be calibrated qualitatively as well as quantitatively, considering the public-interest and stewardship focus, especially for grants, IT and cyber issues and regulatory compliance.
When do issues reported under CAG directions affect the audit opinion?
If adverse or non-affirmative comments indicate a material impact on the true and fair view, auditors must consider modification of the opinion under SA 705; otherwise, an Emphasis of Matter under SA 706 may be appropriate.
What is the role of the ICAI Technical Guide in implementing these directions?
The Technical Guide serves as a clause-wise audit program and reporting aid that supplements, but does not replace, the Companies Act and the Standards on Auditing.
What is the key takeaway for statutory auditors of PSUs and Government companies?
Auditors must adopt a structured, well-documented and standards-aligned approach, recognising that the revised CAG directions significantly deepen the auditor’s public-interest and accountability role.

