A statutory audit is a fixed annual obligation for companies, but in recent years it has become more demanding. Auditors now have to comment on a long checklist of matters under CARO, and the law expects your accounting software to maintain an audit trail of every change. Here's what each requirement is and what it means for a private company.
Reviewed by CA Harika Chebolu, FCA · Last updated 2026-06-15
Quick answer
Most private limited companies must have their accounts audited, keep an audit trail in their accounting software, and have the auditor report under CARO. Here's how these pieces fit together.
Every company, however small, must get its financial statements audited each year by an independent chartered accountant. This is separate from any tax audit and applies regardless of turnover or profit. The auditor examines your books, vouches transactions, and gives an opinion on whether the accounts show a true and fair view. The board appoints the auditor, the shareholders confirm the appointment, and the audited accounts are then adopted at the annual general meeting and filed with the Registrar. Plan for the audit well before your filing deadlines, because a delayed audit delays everything downstream.
Companies are now expected to use accounting software that records an audit trail — an edit log that captures each change made to a transaction, with the date of the change, and that cannot be switched off. The point is to make after-the-fact alteration of records visible. In practice this means choosing software that has the feature, keeping it enabled throughout the year, and retaining the logs. Your auditor is required to report on whether the audit trail feature was used and operated through the year, so a setting that was turned off for part of the period will be visible in the audit report.
CARO is a set of additional matters the auditor must specifically comment on, over and above the main opinion. It covers things like the company's fixed assets and their physical verification, inventory, loans given and taken, statutory dues, defaults to lenders, related-party dealings, and several governance and fraud-related points. CARO does not apply to every company — certain small private companies are outside its scope — but where it applies, the auditor's report carries a detailed annexure addressing each clause. Knowing in advance whether CARO applies to you helps you keep the underlying records the auditor will ask for.
A smooth audit is mostly about preparation. Keep your ledgers reconciled, your bank statements matched, your fixed-asset register updated, and your statutory dues — taxes, provident fund and the like — paid and documented. Maintain supporting vouchers and contracts so transactions can be verified. Make sure related-party transactions, loans and advances are properly recorded and approved, because these are exactly the areas CARO directs attention to. The more organised your records are, the fewer queries you will field and the lower your audit cost is likely to be.
Once the audit is done, the financial statements and the auditor's report — including the CARO annexure and the audit-trail comment where applicable — are approved by the board, adopted by shareholders and filed with the Registrar. A clean report is the goal, but if the auditor raises qualifications or adverse remarks, take them seriously and fix the underlying issues, because they stay on the public record and can affect lenders, investors and future audits. Treat the audit as an annual health check rather than a box-ticking exercise.
Yes — a statutory audit is mandatory for every company regardless of size, turnover or profit. This is different from a tax audit, which is triggered by turnover. Even a dormant company with little activity must have its accounts audited and filed.
It is an automatic edit log in your accounting software that records changes to your records and cannot be disabled. You are expected to keep it enabled throughout the year and retain the logs, and your auditor must report on whether it was used and operated through the period.
Not to every company — certain small private companies are exempt, but where CARO applies the auditor must report on a detailed checklist. Whether it applies depends on your company's profile, so confirm your position early and keep the records each clause looks at.
Not sure what your company's audit, audit-trail and CARO obligations are this year? Write to the firm and we'll review your position and get you ready for a clean audit.