Skip to main content

Audit · forensic

Forensic audit: process, techniques, and when it applies.

Not a statutory audit with a stricter tone — a different exercise, with a different objective, a different standard of evidence, and a different audience for the final report. Here's how the process actually runs, for practising CAs advising a client or accepting the engagement.

  • Reviewed July 2026
  • 7 min read
  • CA Anil Agarwal & the TatvaBooks team

What is a forensic audit?

A forensic audit is an examination of an entity's financial records carried out for a specific purpose — usually to establish whether fraud, misstatement or diversion of funds occurred, how it happened, who was involved, and what the financial impact was. Unlike a statutory audit, it is not a recurring, calendar-driven exercise required by law for every covered entity. It is commissioned for a reason, scoped narrowly around that reason, and conducted with the expectation that the findings may be used in a legal, disciplinary or regulatory proceeding.

The word "forensic" signals the standard the work is held to: evidence gathered and documented in a way that can support a claim, a dismissal, a recovery suit, or a regulatory finding — not just an opinion on financial statements as a whole.

How it differs from a statutory audit

The two are sometimes confused because both involve examining books of account, but they answer different questions and are built on different premises.

Statutory audit Forensic audit
Objective Form an opinion on whether the financial statements give a true and fair view. Establish specific facts — did a defalcation, misstatement or diversion of funds occur, how, and how much.
Trigger Statutory requirement — runs every year for every covered entity, regardless of suspicion. A specific reason — suspected fraud, a whistleblower complaint, a lender or regulator requiring it, or a dispute between stakeholders.
Scope The financial statements as a whole, tested on a sample and materiality basis. Narrow and deep — the specific transactions, accounts, period or individuals the engagement is scoped to examine.
Standard of evidence Reasonable assurance, sufficient for an audit opinion under the Standards on Auditing. Evidence gathered and preserved with a view to standing up in a legal, disciplinary or regulatory proceeding — chain of custody matters.
Output Auditor's report with an opinion, annexed to the financial statements. A detailed findings report — facts, methodology, quantification of loss/impact — often addressed to management, the Board, a lender or an investigating authority.
Mindset Professional scepticism, applied consistently across the engagement. Investigative — actively looking for how controls were overridden or evidence concealed, not just testing whether controls operated.

A statutory audit is designed to give reasonable assurance on the financial statements as a whole, applying professional scepticism consistently — it is not designed to hunt for fraud in every corner of the ledger. It can, and often does, surface something that looks wrong; what happens next — a forensic audit — is a separate, deliberately scoped engagement. See our internal audit vs statutory audit page for how the third related function fits in.

Common triggers for a forensic audit

  • Suspected fraud or defalcation — a whistleblower complaint, an anomaly the internal audit function flags, or a pattern management itself notices (unexplained stock shortages, recurring round-tripped entries, vendor payments that don't match delivery).
  • Lender requirement — a bank or NBFC commissions or requires a forensic audit before restructuring a facility, on suspicion of diversion of funds, or as part of a fraud classification review under RBI's fraud reporting framework.
  • Regulatory investigation — direction from SEBI, the Registrar of Companies / SFIO, an income tax or GST authority, or another regulator with jurisdiction over the entity.
  • Shareholder or partner disputes — one set of stakeholders wants an independent view of what happened to funds or assets before litigation, arbitration, or an exit negotiation.
  • Pre-transaction due diligence — an acquirer or investor wants assurance beyond standard financial due diligence before closing a deal.

Who commissions the engagement — the Board, a lender, a regulator, or one party to a dispute — shapes everything downstream: the scope, what access you're given, and who the final report is addressed to. Get this in writing in the engagement letter before starting fieldwork.

The typical forensic audit process

The exact steps vary by engagement, but a forensic audit generally moves through four stages:

  • 1. Scoping and evidence preservation. Define precisely what is being investigated — which entities, transactions, accounts, individuals and time period. Immediately secure relevant records (physical documents, accounting system data, emails, system access logs) before they can be altered or lost. Where digital evidence is involved, this often means taking forensic images of systems rather than working off live data, and logging who accessed what and when from that point forward.
  • 2. Data analysis. Reconstruct the transaction trail — from source document to ledger entry to financial statement line — testing for the specific pattern under investigation: fictitious vendors, round-tripping, unauthorised journal entries, cash leakage, inventory manipulation, or related-party transactions not at arm's length. This stage typically combines document examination, data analytics on the full transaction population (not just a sample), and interviews with relevant personnel.
  • 3. Quantification. Where the investigation confirms an irregularity, quantify its financial impact as precisely as the evidence allows — the amount diverted, the overstatement, the period over which it occurred — since this figure is usually central to any recovery action, insurance claim, or regulatory submission that follows.
  • 4. Reporting for potential legal use. Document findings, methodology and the evidentiary basis for each conclusion in a report written with the expectation that it may be scrutinised in a legal, disciplinary or regulatory setting — not just read internally. This means being explicit about what was and wasn't examined, distinguishing established fact from inference, and maintaining a clear chain of custody for every piece of evidence relied upon.

Key techniques used in forensic audits

  • Benchmarking. Comparing figures, ratios or patterns against a normal baseline — prior periods, similar branches or units, or industry norms — to identify what stands out. A sudden divergence in a specific expense head, vendor concentration, or margin at one location is often where the deeper trail starts.
  • Trail analysis (transaction tracing). Following a transaction end to end — source document, approval, ledger entry, bank movement, and downstream effect — to confirm it happened exactly as recorded, and to spot where the trail is broken, backdated, or inconsistent with supporting documents.
  • Full-population data analytics. Testing the entire transaction population for known fraud patterns (duplicate payments, round-number entries, transactions just below approval thresholds, weekend or after-hours postings) rather than relying on a sample, since a sample-based approach can miss the specific irregular transactions under investigation.
  • Related-party and vendor verification. Independently confirming that counterparties exist, are genuinely independent (or correctly disclosed as related), and that goods or services were actually delivered — a step that goes well beyond the confirmation procedures used in a statutory audit.
  • Digital forensics. Recovering and examining electronic evidence — emails, deleted files, system logs, access trails — usually with specialist support, since improperly handled digital evidence can be challenged on admissibility grounds later.

Practical notes for a practising CA

  • Get the engagement letter right before fieldwork starts. Record who commissioned the audit, the precise scope, the period covered, who the report is addressed to, and what access you have been given — scope creep is common in forensic work and needs to be documented as it happens, not absorbed silently.
  • Preserve evidence before you analyse it. The instinct to start reviewing data immediately can compromise a chain of custody that matters later. Secure and image records first.
  • Separate fact from inference in the report. A report that blurs "the ledger shows X" with "we believe X happened because..." is far weaker if challenged in a legal or regulatory setting. State what the evidence shows, then state the inference, clearly labelled as such.
  • Check independence and conflicts before accepting. If your firm has any prior relationship with the individuals under investigation, or with the party commissioning the audit that could compromise objectivity, address it upfront — a forensic report's credibility depends heavily on the investigator's independence.
  • Coordinate with legal counsel early, especially where the findings may support litigation, a regulatory filing, or an employee disciplinary action — the standard of documentation and the sequencing of steps (for example, when to involve law enforcement) often needs to align with legal strategy, not just audit methodology.

Verify current fraud-reporting timelines and regulatory requirements (RBI fraud classification norms, SEBI/MCA reporting triggers) on the relevant regulator's portal before advising a client — these are periodically revised.

Where TatvaBooks fits

A forensic audit moves faster when the underlying books are traceable from day one. TatvaBooks keeps an append-only activity log on every voucher — who created, edited or cancelled an entry, and when — alongside GSTR-2B reconciliation and a fixed asset register, so a transaction trail doesn't have to be reconstructed from scratch when an investigation is commissioned. See what's included on the for Chartered Accountants page.

Frequently asked questions

What is the difference between a forensic audit and a statutory audit?
A statutory audit is a recurring, law-mandated exercise that forms an opinion on whether financial statements give a true and fair view, tested on a sample and materiality basis. A forensic audit is triggered by a specific reason — suspected fraud, a lender's requirement, a regulatory direction, or a dispute — and investigates a defined set of transactions or a defined period in depth, with evidence gathered in a manner that can support legal or disciplinary action. A statutory audit is not designed to detect fraud; it may surface red flags that lead to a forensic audit being commissioned separately.
Who typically orders a forensic audit?
Common triggers are the Board or Audit Committee acting on a whistleblower complaint or an internal audit finding, a bank or NBFC as a condition before restructuring or continuing a facility, a regulator (SEBI, RBI, MCA/SFIO, or an income tax/GST authority) directing an investigation, or one set of shareholders/partners in a dispute with another. In each case the engagement letter should record who commissioned it and why — this shapes scope, access and who the final report goes to.
Is a forensic auditor required to be a Chartered Accountant?
There is no single statutory qualification that exclusively defines a 'forensic auditor' in India — engagements are commonly performed by Chartered Accountants, often those additionally holding a forensic accounting/fraud examination credential, working alongside legal counsel. What matters more than the label is that the person has the accounting, investigative and evidentiary rigour the engagement needs, and no conflict of interest with the parties under investigation. Confirm any specific eligibility or empanelment requirement with the commissioning authority (bank, regulator or court) before accepting the assignment.
Can findings from a forensic audit be used in court or before a regulator?
They can, but only if the evidence was gathered and preserved correctly from the start — original documents secured, system access logged, a clear chain of custody, and each step of the analysis documented so it can be reproduced and defended under cross-examination. This is the main practical difference from a statutory audit working paper file: assume from day one that the file may be tested in a legal or regulatory proceeding, and document accordingly.
How long does a forensic audit take?
It varies widely with scope — a narrowly defined single-transaction review can close in a few weeks, while a multi-year, multi-entity investigation involving digital forensics and third-party confirmations can run for several months. Duration is driven by the volume of data, cooperation from management and IT, and whether the scope expands as findings emerge — which is common in forensic work and should be flagged to the client early rather than absorbed silently into the original fee estimate.

Built for CA firms · India-hosted

Books with a trail already built in.

An append-only activity log, GSTR-2B matching and a fixed asset register in one place — so if an investigation is ever commissioned, the trail is already there.