ICAI Alignment Memo — Veloxis

Date: 2026-05-24 From: CA Krishna Gujarathi, Managing Partner, VKG & Associates Subject: Professional alignment of the Veloxis platform with the Institute of Chartered Accountants of India ("ICAI") regulatory framework

This memo records how the Veloxis platform fits inside the ICAI regulatory framework that governs every professional act of VKG & Associates ("the Firm") and every Chartered Accountant in practice. It is the standing reference for: a) firm partners considering whether a Veloxis output may be relied upon, b) clients of the firm who ask how Veloxis interacts with the auditor's professional duties, c) any future ICAI Peer Review or Quality Review Board review of the Firm.

The memo is read with the underlying Chartered Accountants Act, 1949; the ICAI Council Decisions and Notifications; the ICAI Code of Ethics (Volumes I and II); the Standards on Auditing (SAs); the Standards on Quality Management (SQMs); and the relevant Guidance Notes.

1. Veloxis is a tool, not a professional

Veloxis assists Chartered Accountants in the work of statutory audit, tax audit, ITR filing, internal audit, and related engagements. It does not issue any professional opinion, certificate, or signature in its own name.

Every professional act — the audit opinion under §143 of the Companies Act, 2013, the tax-audit report under §44AB of the Income-tax Act, 1961, the certificate under any allied law — remains the personal responsibility of the partner or proprietor who signs it. Veloxis is the instrument by which that partner gathers and documents evidence; Veloxis is not the partner.

This is consistent with:

  • SA 200 — overall objectives of the independent auditor; professional judgement remains with the auditor.
  • ICAI Code of Ethics, Section 100.5(c) — professional competence and due care; competence is exercised by the human, supported by tools.
  • The Chartered Accountants Act, 1949 §§2(2), 7, and 24A read together — only a member in practice may sign documents required by law to be signed by a Chartered Accountant. (Note: §132 of the Companies Act, 2013 governs the National Financial Reporting Authority, not the Chartered Accountants Act.)

2. Confidentiality

Veloxis is built to enforce ICAI's confidentiality duty (Code of Ethics, Second Schedule, Part I, Clause 1).

Controls in place:

  • All client data is stored on the Firm's server, accessible only through the Veloxis Platform under the Firm's RBAC controls.
  • Cross-engagement leakage is prevented by Postgres row-level security ("RLS") on every per-engagement table.
  • Outbound traffic to external AI providers is restricted to the pseudonymised tokenised text described in docs/legal/ai-usage-disclosure.md. The plaintext name of a client or a counterparty does not leave the Firm's server.
  • The TokenMap — the only path back from a pseudonym to the real plaintext — is engagement-scoped and AES-256-GCM encrypted at rest under a key derived from the firm key.
  • Every login, every state-changing action, and every AI call is logged for the SA 230 working-paper period.

These controls implement the duty of confidentiality "in practice and in appearance" — both the substance of confidentiality (data is not disclosed) and the documentation that proves it (working papers + AIPrivacyLog).

3. Documentation — SA 230

SA 230 requires sufficient appropriate documentation of the audit performed. Veloxis is designed so the audit file inside the platform discharges this duty:

  • Every checklist item carries a documented conclusion, a documented preparer, a documented reviewer, and a documented sign-off.
  • Working papers may be generated as PDF / DOCX / XLSX outputs at any time and are content-hashed at generation.
  • AI suggestions, where used, are timestamped and included in the working-paper file as part of the audit trail. Auditors document the conclusion drawn from the AI suggestion as they would for any other audit procedure.
  • Working papers are retained for not less than seven years from the date of the auditor's report, as required by SA 230 ¶A23 and reinforced by §128(5) of the Companies Act, 2013 for the company.

The reconciliation between the SA 230 seven-year retention and the DPDP Act's "delete when purpose is served" is set out in the Data Retention Policy.

4. Audit opinion and AI assistance

Where Smart Check, the Ask Tool, the AI Advisor, or any AI-assisted drafting helper is used in producing an engagement deliverable, the working-paper file records:

  • The timestamped record of the AI call.
  • The auditor-side question and the auditor-side response (with pseudonyms reversed to real names).
  • The reviewing partner's manual review of the AI suggestion, with sign-off or rejection.

The signing partner is responsible for evaluating the AI suggestion as evidence under SA 500 ("Audit Evidence"). AI output is not treated as more reliable evidence than human-prepared evidence. The auditor exercises professional scepticism, corroborates with primary sources where appropriate, and forms an independent opinion.

This treatment is consistent with the direction of the ICAI Auditing and Assurance Standards Board ("AASB") on the use of technology in audits. The Firm will conform to any binding AASB pronouncement on AI use as and when issued.

5. Independence

Veloxis is the Firm's own technology. It is not a service offered to audit clients of the Firm. There is therefore no self-review, advocacy, familiarity, or self-interest threat arising from the Firm's use of Veloxis on a client's audit.

If, in future, the Firm offers Veloxis as a hosted service to other CA firms, the existing independence framework will be reviewed before that offer is made. This memo will be revised at that time.

6. Quality management — SQC 1 (currently applicable) and SQM 1 / SQM 2 (future-readiness)

The Firm currently maintains its system of quality control under the Standard on Quality Control ("SQC 1"), which remains the mandatory quality standard in India. ICAI has issued SQM 1 and SQM 2 as successor standards, but the effective date for mandatory application has been deferred (see ICAI Announcement on deferment). The Firm tracks the SQM 1/2 commencement notification and intends to migrate at the notified date.

Veloxis interacts with SQC 1 as follows, and is being designed so the migration to SQM 1/2 is incremental:

  • Leadership responsibilities (SQC 1.18-19) — the Managing Partner is the Plan owner for the Veloxis security policy, the privacy policy, the incident-response plan, and this memo.
  • Human resources + access (SQC 1.29-30) — Veloxis access is provisioned by the Managing Partner; capacity is reviewed alongside engagement plans.
  • Engagement performance (SQC 1.32-46) — Veloxis enforces preparer / reviewer / partner sign-off at each checklist stage and provides the consultation + review trail SQC 1 requires.
  • Engagement documentation assembly + retention (SQC 1.83 read with SA 230 ¶A21) — the Firm assembles the final audit file within sixty (60) days after the date of the auditor's report. Veloxis enforces a logical "file lock" on each engagement on the sixty-first day, after which working papers move to read-only status. The seven-year retention clock starts from the date of the auditor's report.
  • Monitoring + remediation (SQC 1.48-56) — incidents are logged under docs/incidents/ and remediated under the Incident Response Plan; monitoring findings feed the Firm's annual review.

7. Disciplinary risk and the partner's safeguards

A partner who signs a deliverable produced with Veloxis assistance carries the same disciplinary exposure as a partner who signs any other deliverable. The Firm's safeguards:

  1. Software is treated as a preparer's tool; conclusions are partner-reviewed.
  2. Every AI-assisted output has a recorded human review.
  3. Every checklist item has a manual override path; AI is never the sole source of an audit conclusion.
  4. The Privacy Pipeline is documented and reproducible; the Firm can demonstrate to ICAI Peer Review what was sent to which AI provider and what was received back.

8. Areas of evolving guidance

ICAI may issue binding pronouncements on any of the following over the life of Veloxis. The Firm tracks each and revises this memo when guidance changes:

  • AASB pronouncements on technology-assisted audit procedures and AI use.
  • Ethical Standards Board pronouncements on the use of generative AI by members in practice.
  • Council Decisions on confidentiality and electronic working papers.
  • ICAI Sustainable and Climate-related Standards (where the audit scope expands).

The Firm subscribes to ICAI's official communications channels and reviews them at the monthly partners' meeting.

8A. Signature provenance — CARO and IFC reports share the Auditor's Report block

(2026-05-25 addition.) The Auditor's Report under §143(2) of the Companies Act, 2013 is the primary professional deliverable on a statutory audit. Two annexures are issued with it under the same partner's signature:

  • CARO 2020 — issued as an annexure to the Auditor's Report per §143(11) read with the Companies (Auditor's Report) Order, 2020.
  • Report on Internal Financial Controls — issued under Section 143(3)(i) and Rule 11 of the Companies (Audit and Auditors) Rules, 2014, attached to the Auditor's Report.

ICAI requires the firm name, firm registration number (FRN), partner name, ICAI membership number, UDIN, place, and date to be identical across all three documents. Veloxis enforces this by storing those fields once — on the Audit Report dashboard's signature_block section — and reading them from there into the CARO and IFC report generators.

Files: src/lib/doc-gen/caro-report-gen.ts (signature block read), src/lib/doc-gen/ifc-report-gen.ts (signature block read), src/lib/doc-gen/audit-report-gen.ts (canonical writer).

This signature-sharing is the ONLY permitted cross-dashboard read in Veloxis. All other dashboards (CARO, IFC, ARI, Notes, PPE) are sealed workspaces that accept only user input made within themselves and feed only their respective reports. See docs/project/notes-data-architecture.md for the broader sealed-workspace principle.

9. Conclusion

Veloxis is a software tool that supports the Firm's chartered accountants in performing engagements faster and more consistently. It does not replace, displace, or dilute the personal professional responsibility of the partner who signs each engagement.

The Firm's existing professional duties — competence, due care, integrity, objectivity, confidentiality, and professional behaviour — apply equally to work done with Veloxis as to work done without it.

Where the platform's behaviour interacts directly with ICAI requirements, the Firm has built explicit controls and has documented them in the policies that accompany this memo. Where ICAI guidance evolves, the Firm will adapt the platform and the policies in response.

Veloxis is operated by VKG & Associates, Chartered Accountants. Concerns about this document may be raised with the Grievance Officer at krishna@vkg.co.in.