NFRA and the Reality of Inspection Findings
NFRA inspection findings at Indian CA firms consistently fall into five categories: incomplete audit documentation, generic risk assessments not linked to client-specific data, untested internal controls, inadequate going concern analysis, and superficial EQC reviews. Nearly all of these failures share one root cause — documentation written after the fact rather than produced contemporaneously as procedures are performed.
The National Financial Reporting Authority (NFRA) began conducting audit quality inspections of listed company auditors under Section 132 of the Companies Act, 2013. Since 2022, NFRA has released detailed inspection reports identifying systemic failures in audit quality at Indian CA firms — including some of the largest practices.
Reading these reports is both sobering and useful. Sobering because the failures are basic. Useful because they reveal exactly what NFRA looks for — and almost all of it can be addressed with better documentation practices and automation.
This article summarises the five most consistent themes from NFRA inspection reports and explains how audit automation directly addresses each.
Finding 1: Insufficient or Incomplete Audit Documentation
Insufficient audit documentation is NFRA's most cited finding — working papers that describe procedures as "performed" without showing what was done, sampling rationale that is absent or unverifiable, and files that appear reconstructed after the audit concluded. NFRA's standard requires the file to be self-contained: a reviewer who was not part of the engagement must be able to understand what was done and why.
What NFRA Found
Across multiple inspection reports, NFRA found that firms could not produce adequate documentation to support their audit conclusions. Key findings included:
- Working papers existed but did not explain why the auditor reached particular conclusions
- Procedures were described as "performed" without evidence of what was actually done
- Sampling methodology was not documented
- Review notes and sign-offs were absent
- Documentation appeared to have been prepared after the audit was completed (backdating indicators)
NFRA's position: the audit file must be self-contained. A reviewer who was not part of the engagement should be able to review the file and understand what was done, what was found, and why the auditor concluded what they concluded.
How Automation Prevents It
AI-generated working papers with automatic audit trails: When CORAA runs a ledger scrutiny or reconciliation procedure, it automatically generates a working paper that includes:
- Exact data used (with import timestamp)
- Rules applied (with version number)
- Every exception found (with source transaction reference)
- Resolution status of each exception
- Final conclusion template for auditor sign-off
The result is a working paper that is self-documenting by construction. The "what was done" question is answered automatically. The auditor's role is to add the "why we concluded" layer — which is genuine professional judgement that cannot and should not be automated.
Timestamps and version control: CORAA records when each procedure was performed and by whom. Backdating concerns disappear because the system records the actual execution time.
Finding 2: Inadequate Assessment of Significant Risks
Inadequate risk assessment means identifying "revenue" or "related parties" as significant risks without explaining why these are risks for this specific client. NFRA found that risk workpapers were often identical across different clients in different industries, with no demonstrable link between assessed risks and the procedures actually performed during the engagement.
What NFRA Found
NFRA inspection reports frequently cite failures in risk assessment — specifically:
- Firms identified "revenue", "related parties", and "going concern" as significant risks without explaining why these are risks for this specific client
- Risk assessment workpapers were generic templates that appeared the same across different clients in different industries
- Audit procedures were not demonstrably linked to the identified risks
- Auditors could not show that their procedures changed in response to assessed risks
The standard: risk assessment must be client-specific. The risks identified must drive the procedures performed. If the procedures would have been the same regardless of the risk assessment, the risk assessment served no purpose.
How Automation Prevents It
Data-driven risk identification: When CORAA analyses a client's ledger, it surfaces actual data-based risk signals — unusual transaction patterns, period-end spikes, high-value related party entries, reconciliation mismatches. These are not generic risks; they are specific to this client's data.
Linking exceptions to audit procedures: CORAA's exception reports become the documented basis for specific audit procedures. If the scrutiny agent flags a ₹40L round-number payment to an unfamiliar vendor, that specific finding drives a specific procedure (vouching that payment). The link between "what the data showed" and "what we tested" is explicit.
Risk-based sample selection: Instead of random sampling, CORAA selects samples based on risk criteria derived from the actual data. The sampling working paper shows exactly which risk factors led to each item's selection.
Finding 3: Inadequate Testing of Internal Controls
What NFRA Found
Several NFRA reports found that firms:
- Claimed reliance on internal controls without actually testing them
- Applied the same control assessment year after year without fresh evaluation
- Did not document how the control assessment affected substantive testing
- Failed to identify IT general controls as part of the control environment
This is particularly significant because firms that rely on controls to reduce substantive testing must have evidence that the controls are actually operating effectively — not just designed effectively.
How Automation Prevents It
Continuous control monitoring: For firms that implement CORAA's continuous audit module, segregation of duties violations, unusual access patterns, and transaction approval bypasses are flagged in real time throughout the year. This generates a year's worth of control testing evidence — not a one-time walkthrough.
Automated control exception reports: Control failures (same user authorising and approving, payments processed outside business hours, manual journal entries to bank accounts) are flagged automatically. Auditors have documented evidence of control performance, not just design.
Year-over-year comparison: Because CORAA tracks exceptions across periods, auditors can show whether controls are improving or deteriorating — which is exactly the kind of trend analysis that distinguishes meaningful control assessment from rubber-stamping.
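The three control exception rules named above, applied to a handful of ledger entries. This is an added example, not CORAA's code or part of the original article; the field names, the 09:00 to 18:00 weekday business window, the ruleset label and the sample entries are all assumptions constructed for illustration.

```python
from datetime import datetime, time

RULESET_VERSION = "example-0.1"  # assumed label, stored with every exception
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)  # assumed business hours

# Constructed sample entries; field names are assumptions for this example.
ENTRIES = [
    {"id": "JE-001", "kind": "payment", "authorised_by": "asha", "approved_by": "ravi",
     "posted_at": "2024-03-28T11:15:00", "source": "system", "account": "bank"},
    {"id": "JE-002", "kind": "payment", "authorised_by": "ravi", "approved_by": "ravi",
     "posted_at": "2024-03-28T14:40:00", "source": "system", "account": "bank"},
    {"id": "JE-003", "kind": "payment", "authorised_by": "asha", "approved_by": "meena",
     "posted_at": "2024-03-30T23:05:00", "source": "system", "account": "bank"},
    {"id": "JE-004", "kind": "journal", "authorised_by": "meena", "approved_by": "asha",
     "posted_at": "2024-03-29T10:00:00", "source": "manual", "account": "bank"},
    {"id": "JE-005", "kind": "journal", "authorised_by": "asha", "approved_by": "ravi",
     "posted_at": "2024-03-29T16:30:00", "source": "manual", "account": "expense"},
]

def outside_business_hours(ts: datetime) -> bool:
    """True for weekends or times outside the assumed business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def control_exceptions(entries):
    """Return one record per rule hit, each traceable to its source entry."""
    hits = []
    for e in entries:
        posted = datetime.fromisoformat(e["posted_at"])
        rules = []
        # Normalise user IDs so "Ravi " and "ravi" count as the same person.
        if e["authorised_by"].strip().lower() == e["approved_by"].strip().lower():
            rules.append("SAME_USER_AUTHORISE_APPROVE")
        if e["kind"] == "payment" and outside_business_hours(posted):
            rules.append("PAYMENT_OUTSIDE_BUSINESS_HOURS")
        if e["kind"] == "journal" and e["source"] == "manual" and e["account"] == "bank":
            rules.append("MANUAL_JOURNAL_TO_BANK")
        hits += [{"entry": e["id"], "rule": r, "ruleset": RULESET_VERSION,
                  "status": "open"} for r in rules]
    return hits

if __name__ == "__main__":
    for hit in control_exceptions(ENTRIES):
        print(hit)
```

Each exception record carries the source entry reference, the ruleset label and a resolution status, so a reviewer can trace a flagged item back to the transaction that raised it.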
Finding 4: Inadequate Documentation for Going Concern Assessment
What NFRA Found
Going concern failures were among the most serious findings in NFRA reports. Common issues:
- No documented going concern assessment for clients with obvious financial stress indicators (negative equity, covenant breaches, declining revenue)
- Assessment present but based only on management's representations without independent corroboration
- No analysis of whether management's plans to address going concern doubts were feasible
- Inconsistency between the going concern conclusion and other audit findings (e.g., auditor notes liquidity concerns in working papers but issues an unmodified report)
How Automation Prevents It
Automated financial ratio monitoring: CORAA's analytical procedures module tracks key going concern indicators: current ratio, debt service coverage, working capital trend, revenue growth/decline, and creditor ageing. Deterioration flags automatically trigger a going concern risk indicator.
Consistent data across the file: Because CORAA's analysis feeds all working papers from the same data source, the financial ratios in the going concern assessment are consistent with the ratios in other analytical procedures. Inconsistency (a common NFRA finding) becomes structurally impossible.
Historical trend visibility: CORAA allows comparison of current period data against prior periods. An auditor assessing going concern can see a three-year trend in liquidity ratios without manually reconstructing it.
Note: The going concern conclusion itself remains entirely the auditor's professional judgement. Automation supports the evidence gathering — it does not replace the assessment.
Finding 5: Inadequate Audit Quality Reviews (EQC/EQCM)
What NFRA Found
Engagement Quality Control (EQC) reviews were either:
- Not performed for engagements where they were required (listed entities, high-risk clients)
- Performed but not documented — the EQCM had signed off without a recorded review
- Performed superficially — the review note simply confirmed the partner's conclusions without independent assessment
- Performed after the audit report was issued (a clear violation — review must be pre-issuance)
Under SQM1, this becomes an EQCM (Engagement Quality Control Monitor) requirement. The documentation standard is even higher than under SQC1.
How Automation Prevents It
Standardised EQCM documentation templates: CORAA provides EQCM review memo templates that pre-populate with engagement data — client name, engagement partner, significant risk areas identified, key conclusions reached. The EQCM adds their assessment and sign-off.
Timestamped review records: CORAA's system records when the EQCM review was completed. Pre-issuance confirmation is automatically tracked — if the audit report is dated before the EQCM sign-off, the system flags the discrepancy.
Working paper completeness check: Before the engagement is marked "complete" in CORAA, the system checks that mandatory procedures have been documented and signed off. EQCM appointment and sign-off are part of this checklist.
Consistency between audit file and EQCM review: Because the EQCM reviews a digitally-generated, data-linked file (not a manually assembled folder), the significant matters the EQCM must review are explicitly flagged in the system. The review is structured, not open-ended.
The Common Thread: Documentation Produced Contemporaneously
What runs through all five NFRA findings is a single principle: documentation must be produced contemporaneously — as the work is done, not reconstructed afterward.
Historically, CA firms have relied on auditors to write up their work after completing procedures. In a busy engagement with time pressure, this leads to condensed, incomplete, or reconstructed documentation.
AI-native audit platforms flip this dynamic. When CORAA runs a procedure, the documentation is generated at the same time as the work. The working paper is not a summary written afterward — it is the record of the procedure itself.
This single architectural difference addresses the core of most NFRA documentation findings.
Acting on This Before Your Next Inspection
If your firm has listed company clients, you are subject to NFRA inspection. Preparation means:
- Review your last three engagement files against the five findings above. Where are your gaps?
- Identify which procedures are manual and underdocumented — typically ledger scrutiny, reconciliations, sampling methodology
- Implement AI-native tools that generate documentation as a by-product of the procedure itself
- Build your SQM1 QMS with monitoring and remediation processes that demonstrate continuous quality improvement
NFRA's inspection programme is expanding. More firms will receive inspection visits in coming years. The firms that will emerge well are those that demonstrate systematic, documented, reproducible audit quality — which is exactly what automation enables.