Is the APR Audit of Your Foreign Subsidiary a Full Audit — Or Can the Scope Be Limited?

APR under FEMA may require a full audit, not a limited review. See how control, host-country laws, and RBI rules determine the correct audit approach.

Accorp Compliance Team

Accorp Compliance Team

Our team of compliance experts specializes in PCI DSS, SOC 2, and other security frameworks to help businesses achieve and maintain compliance.

Follow meLinkedIn

Every year, around September or October, the same conversation happens with clients who have a wholly owned subsidiary or JV abroad: "The APR is just an RBI reporting form — does the auditor really need to do a full audit? Can't we just get a limited review done? A full audit means the auditor is testing everything, it'll take weeks, and the invoice will be three times a review."

It's a fair question. It's also one where the answer is stricter than most clients — and, frankly, some practitioners — expect.

Our position: where the Indian entity has "control" over the foreign entity, the APR must be based on a full-fledged audit conducted per the applicable auditing standards of the host country. There is no regulatory or professional basis to reduce the scope of that audit just because its end-use is an Indian FEMA filing rather than a local statutory filing.

Here's the technical reasoning, not just the conclusion.

Where the requirement actually comes from

The audit requirement for APR isn't buried in guidance or a circular — it's in the regulation itself. Regulation 22(2)(a) of the Foreign Exchange Management (Overseas Investment) Regulations, 2022 (FEMA 400) states plainly: "The APR shall be based on the audited financial statements of the foreign entity."

There is exactly one carve-out, in the proviso immediately after: unaudited financials are acceptable only if both of the following are true simultaneously —

  1. The person resident in India does not have "control" over the foreign entity, and

  2. The law of the host jurisdiction does not mandate a statutory audit for that entity.

If either condition fails — you have control, or the host country requires an audit regardless of your control — audited financial statements are mandatory. Full stop. This isn't discretionary, and it isn't something a board resolution, an engagement letter caveat, or a mutual understanding between client and auditor can override. RBI's own regulatory language treats "control" and "host-country audit mandate" as bright-line triggers, not factors to be weighed.

So the real question clients are actually asking isn't "do we need an audit" — that's already answered by the regulation. What they're really asking is: once an audit is required, can the auditor scale down the procedures to make it cheaper and faster?

Why "audited financial statements" is not a flexible term

This is where the misunderstanding happens, and it's worth being precise about the vocabulary, because auditing standards — ISA (International Standards on Auditing), US GAAS, UK ISAs (UK), or the equivalent local standards in the host country — draw a hard line between two categories of engagement:

An audit (reasonable assurance engagement) requires the auditor to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level, and express a positive opinion that the financial statements are free from material misstatement. This means: understanding the entity and its environment, assessing and responding to risks of material misstatement, testing internal controls where reliance is placed on them, performing substantive procedures over material account balances and transactions, evaluating going concern, reviewing subsequent events, and obtaining management representations — the full architecture of ISA 200 through ISA 700 (or the host country's equivalent standard set).

A review (limited assurance engagement, e.g., under ISRE 2400) is a fundamentally different — and lesser — engagement. It relies primarily on analytical procedures and inquiry, expresses only negative assurance ("nothing has come to our attention"), and explicitly does not involve the risk-assessment and substantive testing architecture of a full audit.

These are not two points on the same spectrum where an auditor can pick a comfortable middle ground. They are categorically different engagements governed by different standards, producing different reports, and giving different levels of assurance. A review report is not "audited financial statements," regardless of how thorough the reviewer is or how the engagement is billed. If Regulation 22(2)(a) says "audited," a review-standard engagement does not satisfy it — not because RBI has issued a clarification saying so, but because the terms have fixed technical meanings under the very auditing standards the regulation implicitly incorporates by using the word "audit."

The same logic rules out any informal middle ground — an "agreed-upon procedures" engagement, a management-prepared certification dressed up with an accountant's signature, or an audit performed with a materiality threshold inflated specifically to reduce testing volume "because it's only for a regulatory filing." None of these produce audited financial statements in the sense the regulation requires.

Why AD banks won't accept a scaled-down scope

This isn't a theoretical reading of the regulation — it plays out in practice at the AD bank review stage. We've already seen AD banks push back on APRs where the audit was technically completed but performed by an auditor not licensed in the host jurisdiction, precisely because RBI's past ODI clarifications flagged this as non-compliant with host-country audit law. The same scrutiny extends to scope: an AD bank reviewing officer, or RBI in a subsequent scrutiny, is not evaluating whether your auditor felt confident in the numbers — they're evaluating whether the report on file is, in form and substance, an audit opinion issued under the host country's recognized auditing standards. A scope-limited engagement that doesn't meet that bar creates exactly the kind of compliance gap that turns into a compounding proceeding later, at a cost far higher than the audit fee it was meant to save.

The cost concern is real — but the lever is elsewhere

None of this means there's no way to manage the cost and effort burden. There is — it's just not scope reduction. The legitimate levers are:

  • Use the exemption where it genuinely applies. If the Indian entity does not have control (common in minority-stake JVs) and the host country itself doesn't mandate an audit for an entity of that size, the unaudited-plus-certification route under the proviso is entirely valid — that's the leverage the regulation actually gives you, and it's worth confirming control status precisely rather than assuming it.

  • Align the audit timing with existing obligations. If the foreign entity already prepares financials for local corporate tax filing, structuring the APR audit around that same reporting package avoids duplicating data-gathering effort, even though the audit procedures themselves stay full-scope.

  • Use a coordinated auditor network. Where the Indian parent's auditor has a member firm or correspondent in the host country, a coordinated engagement reduces the duplication of "understanding the entity" work between the Indian and foreign-side teams — the audit is still full-scope locally, but the overall engagement runs more efficiently.

  • Start early. December 31 is a fixed deadline with no extensions. Most of the "we need to rush and cut corners" pressure clients feel is a timeline problem, not an audit-scope problem — engaging the foreign entity's auditor by October, rather than in the first week of December, removes most of the perceived need to compress procedures.

What's not on this list — and what we won't sign off on — is treating "it's just for RBI" as a reason to narrow what the host-country auditor actually tests.

The short answer

If your Indian entity has control over the foreign subsidiary, the APR audit is a full-fledged audit under the auditing standards applicable in the host country — not a lighter-touch compliance exercise invented for FEMA's convenience. The word "audit" in Regulation 22(2)(a) carries its full technical meaning, and there's no provision — not in the regulation, not in practice at the AD bank level — that allows the scope to be reduced because the report's ultimate destination is an Indian regulatory filing rather than a local one.

Coordinating an APR audit across your foreign subsidiary's jurisdiction and your AD bank's expectations? We manage the full loop — from engaging or coordinating with the host-country auditor to certifying repatriation of dues and filing Form ODI Part II before December 31.

Learn More- https://accorppartners.com/services/cpa-services/apr

Also Read

Over 500+ clients have chosen Accorp for their compliance, tax, and risk assurance needs.

My Foreign Subsidiary's Financial Year Doesn't End March 31 — When Is My APR Actually Due?
Blog

My Foreign Subsidiary's Financial Year Doesn't End March 31 — When Is My APR Actually Due?

Read More about My Foreign Subsidiary's Financial Year Doesn't End March 31 — When Is My APR Actually Due?
Can You File APR on Provisional Financials and Send the Audited Version Later?
Blog

Can You File APR on Provisional Financials and Send the Audited Version Later?

Read More about Can You File APR on Provisional Financials and Send the Audited Version Later?
LRS vs ODI — Which Route Should an Indian Founder Use to Fund Their Foreign Company
Blog

LRS vs ODI — Which Route Should an Indian Founder Use to Fund Their Foreign Company

Read More about LRS vs ODI — Which Route Should an Indian Founder Use to Fund Their Foreign Company
How to Change Your Business Name in the USA (2026 Guide)
Blog

How to Change Your Business Name in the USA (2026 Guide)

Read More about How to Change Your Business Name in the USA (2026 Guide)
What Is a Registered Agent and Why Your LLC Needs One
Blog

What Is a Registered Agent and Why Your LLC Needs One

Read More about What Is a Registered Agent and Why Your LLC Needs One