Bank Audit Guide: RBI Concurrent and Statutory Audit for CA Firms [2026]
Bank audits occupy a distinct position in the Indian audit landscape. They are among the most technically demanding engagements a CA firm can undertake, requiring familiarity with RBI circulars, Basel III norms, complex financial instruments, and a regulatory framework that changes frequently and carries real enforcement consequences. For firms that build competence in this area, bank audits also represent some of the most stable and well-compensated engagements available.
This guide covers the full spectrum of bank audit engagements — statutory audit, concurrent audit, revenue audit, stock audit, and LFAR — with practical detail on RBI appointment norms, key audit areas, documentation requirements, and common inspection findings. The objective is to give CA firms a working reference for planning, executing, and reporting on bank audit engagements.
Types of Bank Audits in India
The term "bank audit" covers several distinct engagement types, each with different scopes, appointment mechanisms, and reporting requirements. Understanding these distinctions is essential before accepting any bank audit engagement.
Statutory Audit of Banks
The statutory audit of a bank is the annual audit of the bank's financial statements under Section 30 of the Banking Regulation Act, 1949. For public sector banks, the appointment is made by the bank's board from a panel approved by the RBI. For private sector banks, the appointment follows the Companies Act route but still requires RBI approval.
The statutory auditor of a bank is responsible for expressing an opinion on the bank's financial statements, compliance with RBI directions, and adherence to accounting standards. The scope is comprehensive — it covers the entire balance sheet, profit and loss account, cash flow statement, and all related disclosures.
For banks with multiple branches, the statutory audit is conducted through a branch audit system. The central statutory auditor (CSA) relies on branch auditors appointed to individual branches. The CSA consolidates branch audit reports, reviews significant branches directly, and issues the main audit report. This structure makes SA 600 (Using the Work of Another Auditor) directly relevant — understanding how to rely on branch auditors' work while maintaining overall audit quality is fundamental to bank statutory audits.
Concurrent Audit
Concurrent audit is a continuous examination of financial transactions on a daily or near-real-time basis. Unlike statutory audit, which is retrospective, concurrent audit is designed to provide contemporaneous assurance that the bank's transactions comply with internal policies, RBI guidelines, and applicable regulations.
The RBI mandates concurrent audit for all commercial banks. The scope and coverage depend on the bank's size, branch categorisation, and risk profile. Typically, concurrent audit covers high-risk branches, large branches, treasury operations, and branches with significant advances or foreign exchange business.
Concurrent auditors are appointed by the bank's board on the recommendation of the audit committee. The engagement is typically for one year, renewable based on performance evaluation. Concurrent audit fees are determined by the bank, often based on RBI guidelines or internal benchmarks.
Revenue Audit
Revenue audit focuses specifically on examining the accuracy and completeness of a bank's income recognition. The primary objective is to verify that the bank has correctly recognised interest income on advances, investments, and other earning assets — and equally important, that it has correctly reversed income on non-performing assets.
Revenue auditors verify the application of interest rates, the calculation of penal interest, the levy of service charges, and the recognition of fee-based income. This engagement requires detailed knowledge of the bank's core banking system and the parameterisation of interest calculations.
Stock Audit
Stock audit (also called inventory audit) is the physical verification and valuation of inventories pledged or hypothecated to the bank as security for loans. Stock auditors visit borrower premises, physically verify stocks, assess their condition and quality, verify insurance coverage, and confirm that the declared stock value is reasonable.
Stock audit is particularly important for working capital finance secured against current assets. The stock auditor's report directly influences the bank's assessment of drawing power and the adequacy of security coverage.
LFAR — Long Form Audit Report
The Long Form Audit Report is a detailed supplementary report submitted by statutory auditors and branch auditors to the bank's management and the RBI. LFAR goes far beyond the standard audit report — it contains specific observations on 21 broad areas covering virtually every aspect of the bank's branch operations.
The LFAR format is prescribed by RBI and updated periodically. It requires auditors to comment specifically on advances (including NPA classification), investments, deposits, internal controls, housekeeping, compliance with RBI guidelines, and information technology systems.
RBI Guidelines on Appointment and Eligibility
The RBI maintains strict eligibility criteria for firms seeking bank audit appointments. These norms are updated regularly, and firms must verify current requirements each year.
Firm Size and Composition Requirements
For statutory audit of public sector banks, the RBI requires firms to meet minimum criteria regarding the number of partners, number of qualified CAs, and standing of the firm. As of recent RBI guidelines, firms typically need a minimum of four partners with at least four years of standing and relevant audit experience. Some categories of banks require larger firms.
The RBI also considers the firm's audit experience, particularly experience with banking or financial sector audits. Firms with prior bank audit experience receive preference in the empanelment process.
Rotation Norms
The RBI enforces strict rotation of bank auditors. For statutory auditors of banks, the current norm is a maximum tenure of three consecutive years for public sector banks and a similar period for private sector banks, followed by a mandatory cooling-off period. The cooling-off period prevents the same firm from auditing the same bank for a specified number of years after completing its maximum tenure.
For concurrent auditors, rotation norms vary by bank but typically follow a three-year maximum with a cooling-off period. Some banks rotate concurrent auditors annually based on performance evaluation.
Empanelment Process
Firms seeking bank audit appointments must empanel with the RBI through the annual empanelment exercise. The RBI issues guidelines each year specifying eligibility criteria, documentation requirements, and the empanelment window. Firms apply through the RBI's online portal, submitting details of partners, audit experience, infrastructure, and other qualifying criteria.
Once empanelled, firms are placed in categories (typically Category I through IV) based on their size and capability. The category determines which class of bank the firm is eligible to audit.
Independence and Conflict Requirements
The RBI enforces independence requirements that go beyond the standard chartered accountant regulations. Firms and their partners must not have borrowing relationships with the bank being audited (beyond normal credit card or housing loan limits), must not hold shares in the bank, and must not have any direct or indirect business relationship that could compromise independence.
These requirements extend to the firm's network and associated entities. Any connection between the audit firm and the bank's promoters, directors, or senior management can disqualify the firm.
Key Audit Areas in Bank Audits
Bank audits require technical competence across several specialised areas. The following sections cover the most critical audit areas that every bank auditor must address thoroughly.
NPA Classification and Provisioning — IRAC Norms
Non-performing asset classification is the single most consequential area in bank audits. The Income Recognition, Asset Classification, and Provisioning (IRAC) norms issued by the RBI determine when a loan must be classified as non-performing and how much provision the bank must hold against it.
Under IRAC norms, an asset becomes non-performing when interest or principal payment remains overdue for more than 90 days (for most loan categories). Once classified as NPA, the asset must be further categorised as sub-standard (NPA for up to 12 months), doubtful (NPA for more than 12 months), or loss (where the bank or auditor has identified the asset as uncollectible).
Provisioning percentages increase with the severity of classification: 15% for sub-standard assets (25% for unsecured), 25% to 100% for doubtful assets depending on the period and security coverage, and 100% for loss assets.
The auditor must independently verify NPA classification by examining borrower accounts, assessing repayment patterns, evaluating restructuring proposals, and identifying potential NPAs that the bank may have overlooked or misclassified. This verification extends to NPA upgradation — ensuring that accounts upgraded from NPA to standard have genuinely resumed regular repayment.
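An added worked example, not part of the original guide or of any RBI or bank tool: a Python recomputation of IRAC classification and provisioning that an auditor can compare against the bank's own classification and provision held. The `Account` fields and sample rows are constructed, and the doubtful-asset bands (25%/40%/100% of the secured portion, 100% of the unsecured portion) are an assumption to be checked against the current RBI direction, since the guide gives only the 25% to 100% range.

```python
from dataclasses import dataclass

# Rates stated in the guide (percent of outstanding).
SUBSTANDARD_PCT, SUBSTANDARD_UNSECURED_PCT, LOSS_PCT = 15, 25, 100
# Assumption: the guide says only "25% to 100%" for doubtful assets. These bands
# (years in doubtful -> percent of secured portion) must be checked against the
# current RBI IRAC direction; the unsecured portion is taken at 100%.
DOUBTFUL_SECURED_BANDS = [(1.0, 25), (3.0, 40), (float("inf"), 100)]
NPA_DAYS_OVERDUE = 90          # NPA when overdue for more than 90 days
SUBSTANDARD_MAX_DAYS = 365     # sub-standard while NPA for up to 12 months

@dataclass
class Account:                 # hypothetical ledger extract row
    acct_id: str
    outstanding: float
    security_value: float
    days_past_due: int
    days_as_npa: int           # per bank's records; 0 if never classified NPA
    unsecured_exposure: bool
    identified_loss: bool
    bank_class: str
    bank_provision: float

def npa_age(a):
    """Days the account should be treated as NPA, whichever evidence is older."""
    return max(a.days_as_npa, a.days_past_due - NPA_DAYS_OVERDUE, 0)

def classify(a):
    if a.identified_loss:
        return "loss"
    age = npa_age(a)
    if age == 0:
        return "standard"
    return "sub-standard" if age <= SUBSTANDARD_MAX_DAYS else "doubtful"

def required_provision(a):
    cls = classify(a)
    if cls == "standard":
        return 0.0             # standard-asset provisions are out of scope here
    if cls == "loss":
        return round(a.outstanding * LOSS_PCT / 100, 2)
    if cls == "sub-standard":
        pct = SUBSTANDARD_UNSECURED_PCT if a.unsecured_exposure else SUBSTANDARD_PCT
        return round(a.outstanding * pct / 100, 2)
    years = (npa_age(a) - SUBSTANDARD_MAX_DAYS) / 365
    pct = next(p for limit, p in DOUBTFUL_SECURED_BANDS if years <= limit)
    secured = min(a.outstanding, a.security_value)
    return round(secured * pct / 100 + (a.outstanding - secured), 2)

def review(accounts):
    """Return (id, bank class, recomputed class, provision shortfall) exceptions."""
    findings = []
    for a in accounts:
        expected = classify(a)
        shortfall = round(max(required_provision(a) - a.bank_provision, 0.0), 2)
        if expected != a.bank_class or shortfall > 0:
            findings.append((a.acct_id, a.bank_class, expected, shortfall))
    return findings

# Constructed sample data, not taken from any bank.
SAMPLE = [
    Account("A1", 1_000_000, 1_200_000, 45, 0, False, False, "standard", 0),
    Account("A2", 500_000, 600_000, 120, 0, False, False, "standard", 0),
    Account("A3", 800_000, 500_000, 200, 500, False, False, "sub-standard", 120_000),
    Account("A4", 200_000, 0, 150, 60, True, False, "sub-standard", 50_000),
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Account A2 is the missed-NPA case (over 90 days overdue but still carried as standard) and A3 is the stale sub-standard case, where the overvalued classification hides a provision shortfall.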
Investment Portfolio — HTM, AFS, and HFT
Banks classify their investment portfolios into three categories: Held to Maturity (HTM), Available for Sale (AFS), and Held for Trading (HFT). Each category has distinct valuation rules, provisioning requirements, and profit recognition norms.
HTM investments are carried at acquisition cost (subject to amortisation of premium over the remaining maturity). AFS investments are marked to market periodically, with net depreciation charged to the profit and loss account. HFT investments are marked to market daily or at very frequent intervals.
The auditor must verify the appropriateness of categorisation, ensure that shifts between categories comply with RBI limits and conditions, verify mark-to-market valuations, and confirm that the bank has not parked investments in HTM to avoid marking unrealised losses. The RBI caps HTM holdings at a specified percentage of the bank's total investments, and this limit must be verified.
Priority Sector Lending Compliance
Under RBI guidelines, banks must lend a specified percentage of their Adjusted Net Bank Credit (ANBC) to priority sectors, including agriculture, micro and small enterprises, weaker sections, education, housing, and other specified categories. The current target is 40% of ANBC for domestic banks.
The auditor must verify that the bank's priority sector classification is accurate — that loans claimed as priority sector actually meet the RBI's definition. Misclassification of priority sector lending is a common finding in RBI inspections and can result in penalties including mandatory deposits in RIDF (Rural Infrastructure Development Fund) at below-market rates.
KYC and AML Compliance
Know Your Customer and Anti-Money Laundering compliance is a critical area in bank audits, particularly for concurrent auditors who examine new account opening procedures on a daily basis.
The auditor verifies that the bank has obtained and verified customer identity documents, performed customer due diligence appropriate to the risk category, filed suspicious transaction reports (STRs) and cash transaction reports (CTRs) with the Financial Intelligence Unit (FIU-IND), and maintained transaction records for the prescribed period.
AML compliance failures carry severe regulatory consequences, including monetary penalties, restrictions on business operations, and personal liability for compliance officers. The auditor's role in flagging KYC/AML weaknesses is therefore critical.
Treasury Operations
Treasury operations encompass the bank's dealings in money market instruments, government securities, foreign exchange, derivatives, and proprietary trading. This is a high-risk area due to the volume and velocity of transactions, the complexity of instruments traded, and the potential for significant losses from market risk.
The auditor must verify that treasury operations comply with the bank's board-approved investment policy, that exposure limits (counterparty, instrument, duration) are observed, that deal slips are properly authorised, that front-office and back-office functions are adequately segregated, and that reconciliations between the dealing room records and the back-office accounting system are performed daily.
For concurrent auditors at treasury branches, daily verification of deals, confirmation matching, and profit or loss computation is a core responsibility.
IT Audit Requirements
The RBI has progressively strengthened IT audit requirements for banks. Bank auditors must assess the bank's information technology environment, including core banking system controls, access controls, data integrity, business continuity planning, and cybersecurity measures.
For statutory auditors, IT audit is an integral part of the overall audit — the auditor must understand and test IT general controls and application controls that are relevant to financial reporting. For concurrent auditors, IT-related checks include verifying user access management, monitoring system-generated exceptions, and ensuring that data entry controls in the core banking system are functioning correctly.
Capital Adequacy — CRAR
The Capital to Risk-Weighted Assets Ratio (CRAR) is a fundamental regulatory metric. Under Basel III norms as implemented by the RBI, banks must maintain minimum capital adequacy ratios: Common Equity Tier 1 (CET1) of 5.5%, Tier 1 capital of 7%, and total capital of 9% (including the capital conservation buffer).
The auditor must verify the computation of risk-weighted assets (credit risk, market risk, and operational risk), the classification and eligibility of capital instruments, and the accuracy of the CRAR computation. Given that CRAR breaches can trigger regulatory intervention up to and including restrictions on business operations, the accuracy of this computation is critical.
Statutory Audit vs. Concurrent Audit vs. Revenue Audit — Scope Comparison
| Aspect | Statutory Audit | Concurrent Audit | Revenue Audit |
|---|---|---|---|
| Objective | Opinion on financial statements | Contemporaneous assurance on transaction compliance | Verify accuracy of income recognition |
| Frequency | Annual | Daily/weekly (ongoing) | Periodic (quarterly/half-yearly) |
| Appointment | RBI panel / Board | Bank's Audit Committee | Bank management |
| Reporting | Audit report + LFAR to Board and RBI | Monthly report to bank management and audit committee | Report to management |
| Coverage | Entire bank (via branch auditors) | Assigned branches/treasury | All branches (sample basis) |
| Key focus | Balance sheet, P&L, compliance, LFAR responses | Daily transactions, policy compliance, exception monitoring | Interest income, charges, fee income, NPA income reversal |
| Standards applicable | SAs, Banking Regulation Act, RBI guidelines | Bank's concurrent audit manual, RBI guidelines | Bank's internal guidelines, RBI income recognition norms |
| Duration | 3-4 months (branch + central) | Continuous (12 months) | 2-4 weeks per assignment |
| Rotation | 3 years max + cooling off | Typically 1-3 years | No formal rotation |
LFAR Requirements — The 21 Sections
The LFAR requires detailed commentary across 21 broad sections. Each section demands specific, factual observations — not generic statements. The principal areas include:
- Advances — Classification accuracy, documentation completeness, security perfection, NPA identification, and provisioning adequacy
- Investments — Portfolio classification, valuation, broken period interest, and non-performing investments
- Deposits — Interest computation accuracy, unclaimed deposits, dormant accounts, and TDS compliance
- Housekeeping — Reconciliation of inter-branch accounts, inter-bank entries, suspense accounts, and nostro/vostro accounts
- Fraud monitoring — Instances of fraud reported and unreported, internal controls against fraud, and compliance with RBI fraud reporting framework
- Internal controls — Adequacy of internal control systems, segregation of duties, and dual authorisation requirements
- Compliance with RBI guidelines — Specific observations on compliance with priority sector, IRAC norms, KYC/AML, exposure limits, and other regulatory requirements
- Information technology — IT governance, access controls, data backup, disaster recovery, and cybersecurity measures
- Other matters — Insurance of assets, legal compliance, and any other matters the auditor considers significant
Each LFAR observation must be specific and quantified where possible. Stating "housekeeping needs improvement" is insufficient — the LFAR must state the number and value of reconciliation entries, the age of outstanding items, and the specific reconciliation that is overdue.
Concurrent Audit Procedures — Daily and Weekly Checks
Concurrent audit follows a structured programme of daily, weekly, and monthly verification activities. The specific scope depends on the type of branch and the concurrent audit manual issued by the bank.
Daily Verification Activities
- Cash verification — Physical verification of vault cash against system balances
- Clearing verification — Review of clearing house transactions, return items, and outward clearing
- New advances sanctioned — Verification of sanction authority, documentation, and system entries
- Large value transactions — Review of transactions above specified thresholds for unusual patterns
- Treasury deals (at treasury branches) — Verification of deals executed, confirmation matching, and limit compliance
Weekly Verification Activities
- Advances portfolio review — Review of new NPAs identified, restructured accounts, and overdue accounts approaching NPA dates
- Deposit account opening — Verification of KYC compliance for new accounts opened during the week
- Staff accounts — Review of transactions in staff accounts for unusual activity
- System exceptions — Review of system-generated exception reports (override logs, transaction reversals, after-hours transactions)
Monthly Reporting
The concurrent auditor prepares a monthly report covering all observations, classified by severity (critical, major, minor). The report is submitted to the bank's audit committee through the internal audit department. The report must include quantified findings, specific instances, and references to violated policies or regulations.
Common RBI Inspection Findings
Understanding the findings that RBI inspectors commonly raise helps auditors focus their procedures on high-risk areas. Recurring RBI inspection findings include:
NPA classification failures — Accounts that should have been classified as NPA but were not, often due to irregular credits designed to prevent the 90-day overdue threshold from being triggered. This is the single most common and consequential finding.
Inadequate provisioning — Under-provisioning on NPAs, particularly doubtful assets where the security coverage has been overvalued, resulting in lower provisioning percentages than warranted.
Income recognition on NPAs — Failure to reverse interest income on accounts that have become non-performing, or premature recognition of interest income on restructured accounts.
Priority sector misclassification — Loans classified as priority sector that do not meet the RBI's definition, thereby inflating the bank's priority sector achievement figures.
KYC deficiencies — Incomplete customer due diligence, failure to update KYC records periodically (particularly for high-risk customers), and inadequate transaction monitoring.
Housekeeping lapses — Long-outstanding entries in inter-branch reconciliation, sundry creditors, suspense accounts, and clearing differences that obscure the true financial position.
Documentation Requirements
Bank audit documentation must meet the requirements of SA 230 (Audit Documentation) while also addressing the specific documentation expectations of the RBI.
For statutory audits, the working papers must support every observation in the LFAR, every adjustment proposed, and every conclusion reached on NPA classification, provisioning, and income recognition. The documentation should be detailed enough that an RBI inspector reviewing the audit file can understand the procedures performed, the evidence obtained, and the conclusions reached.
For concurrent audits, documentation includes daily work logs, exception reports, monthly reports, and the resolution status of previously reported findings. The concurrent auditor's working papers become part of the bank's internal control documentation and may be reviewed by the statutory auditor, internal auditor, and RBI inspectors.
Given the volume and complexity of bank audit documentation, firms should maintain their documentation practices in line with SA 230 audit documentation standards and ensure their quality management systems are robust enough to handle banking engagements in accordance with SQM 1 requirements.
Practical Recommendations for CA Firms
Build banking knowledge systematically. Bank audits require familiarity with RBI Master Directions, Basel III norms, core banking systems, and banking accounting practices. This knowledge cannot be acquired on the engagement — it must be built before accepting bank audit appointments.
Invest in the empanelment process. The RBI empanelment exercise is competitive. Firms should maintain updated records of partner qualifications, audit experience, and infrastructure. The empanelment application itself is an important document that must be prepared carefully.
Develop standardised procedures. Given the structured nature of bank audits, firms should develop standardised audit programmes for each type of bank audit engagement. These programmes should incorporate RBI-specific requirements that are not covered by standard audit programmes.
Understand the reliance framework. For statutory audits of banks, the central statutory auditor relies extensively on branch auditors. Understanding how to apply SA 600 (Using the Work of Another Auditor) in the banking context is essential for managing audit quality across dozens or hundreds of branches.
Monitor RBI circulars continuously. The RBI issues circulars and directions throughout the year that can materially affect audit procedures and findings. Firms must have a system for monitoring, cataloguing, and disseminating relevant RBI communications to audit teams.
Conclusion
Bank audits are technically demanding, heavily regulated, and require continuous investment in knowledge and systems. However, for firms that develop genuine competence in this area, bank audits provide consistent, well-compensated engagement opportunities and build the firm's reputation as a specialist in financial sector auditing.
The key to success in bank audits is not just technical knowledge — it is systematic preparation, disciplined documentation, and an unwavering commitment to regulatory compliance. The RBI's expectations of bank auditors are high, and rightfully so. Bank auditors serve as a critical external check on institutions that hold public deposits and underpin the country's financial system.
Firms that approach bank audits with the seriousness they deserve will find these engagements to be among the most professionally rewarding in practice.