AI for RBI Bank Audit: Concurrent, Statutory & the FREE-AI Framework
Published: March 18, 2026
Author: CORAA Team
Introduction
Every year, the Reserve Bank of India appoints thousands of Chartered Accountants to conduct statutory branch audits of public sector and cooperative banks. Alongside these statutory audits, banks maintain concurrent audit functions that operate continuously, revenue audits that verify income recognition, and information systems audits that assess technology controls. The Long Form Audit Report (LFAR) requirements alone run into dozens of detailed questions covering advances, investments, deposits, foreign exchange transactions, and internal controls.
For most CA firms handling bank branch audits, the challenge is not competence — it is volume. A single large bank branch may have thousands of advance accounts requiring NPA classification verification, hundreds of forex transactions needing FEMA compliance checks, and years of priority sector lending data that must be validated against RBI norms. The traditional approach of sampling a fraction of these transactions and extrapolating results leaves significant audit risk on the table.
In August 2025, the RBI released its FREE-AI (Framework for Responsible and Ethical Enablement of Artificial Intelligence) report — a framework that signals both the regulator's openness to AI adoption in the financial sector and the guardrails it expects. For auditors, this creates both an opportunity and a new compliance dimension: AI can dramatically improve bank audit coverage, but its use must align with the principles the regulator has now codified.
This guide covers the bank audit landscape in India, the current pain points faced by auditors, what the FREE-AI framework means for audit practitioners, and where AI can be practically applied across different types of bank audits.
Table of Contents
- The Bank Audit Landscape in India
- Current Pain Points in Bank Branch Audits
- RBI's FREE-AI Framework: What Auditors Need to Know
- AI Applications by Bank Audit Type
- NPA Classification and IRAC Norms: The Core AI Use Case
- Priority Sector Lending Verification with AI
- Forex Transaction Compliance
- Implementation Considerations for Audit Firms
- Compliance Requirements When Using AI in Bank Audits
- Common Questions
- Conclusion
The Bank Audit Landscape in India
Bank audits in India operate under a layered structure that is unique in its complexity. Understanding these layers is essential before discussing where AI fits.
Statutory Branch Audit
RBI selects and appoints statutory branch auditors (SBAs) for public sector banks. These auditors examine individual branches and report on advances, deposits, investments, contingent liabilities, and compliance with RBI circulars. The branch auditor's report feeds into the central statutory audit conducted by the bank's main auditors.
Key deliverables include:
- Branch audit report covering financial statements of the branch
- Long Form Audit Report (LFAR) — a detailed questionnaire prescribed by RBI covering advances classification, provisioning, documentation, KYC compliance, and internal controls
- Tax audit report for the branch (where applicable)
The ICAI's Guidance Note on Audit of Banks (2025 Edition) provides the authoritative reference for conducting these audits, covering everything from verification of advances to assessment of IT controls.
Concurrent Audit
Concurrent audit is a continuous examination of financial transactions on a daily or periodic basis. The RBI's guidelines on concurrent audit systems in commercial banks require that the scope should encompass all significant areas of a branch's operations, with particular emphasis on:
- Cash and bank balances verification
- Advances — sanction, disbursement, and monitoring
- Revenue leakage identification
- Housekeeping and compliance with internal circulars
- KYC and Anti-Money Laundering (AML) verification
The ICAI Manual on Concurrent Audit of Banks (2023 Edition) provides the operational framework, incorporating the latest RBI circulars and directions.
Revenue Audit
Revenue audit focuses specifically on whether the bank branch is correctly recognizing income — interest on advances, processing fees, commission, exchange earnings, and locker rent. It verifies that income is not prematurely recognized and that reversals on NPA accounts are correctly processed.
Information Systems (IS) Audit
RBI requires banks to maintain IS audit functions with CISA-qualified professionals. The IS audit covers:
- Core Banking Solution (CBS) controls
- Access controls and segregation of duties
- Data integrity in financial reporting
- Cybersecurity posture
The RBI's Cyber Security and IT Examination (CSITE) cell in Mumbai oversees the supervisory side of IT examinations, and banks must report cyber incidents to CSITE within prescribed timelines. While CSITE is an RBI-conducted supervisory inspection, the external IS auditor's work feeds into the overall control assurance framework.
RBI Inspection
Separate from all the above, RBI conducts its own inspections of bank branches — the Annual Financial Inspection (AFI) and Risk-Based Supervision (RBS) assessments. These are not conducted by external auditors but by RBI's own inspection teams. However, findings from these inspections often create additional work for statutory and concurrent auditors in subsequent periods.
Current Pain Points in Bank Branch Audits
Volume vs. Time
A typical bank branch audit window is compressed — often 2 to 4 weeks. During this period, auditors must verify thousands of advance accounts, hundreds of deposit accounts, forex transactions, inter-branch reconciliation items, and compliance with dozens of RBI circulars that may have been issued during the audit period. Sampling is the default approach, but the sample sizes required for large branches strain small audit teams.
IRAC Norms Verification
Income Recognition, Asset Classification, and Provisioning (IRAC) norms — codified in RBI's Master Circular on Prudential Norms — form the core of advance verification. The auditor must independently verify:
- Whether each advance is correctly classified as Standard, Sub-Standard, Doubtful (D1, D2, D3), or Loss
- Whether the Days Past Due (DPD) calculation is accurate based on actual repayment records
- Whether provisioning rates applied match the required percentages for each asset category
- Whether income has been correctly reversed on accounts classified as NPA
- Whether accounts upgraded from NPA to Standard meet all criteria for upgradation
Doing this manually for a branch with 2,000+ advance accounts is practically impossible within the audit window.
Multiple Circular Compliance
RBI issues circulars throughout the year. During any given audit period, there may be new directions on restructuring norms, MSME classification changes, priority sector lending sub-targets, or revised exposure limits. The auditor must track and verify compliance with all applicable circulars — a task that grows more complex with each passing quarter.
Documentation Burden
The LFAR alone runs to dozens of pages. Add the branch financial statements, schedules, tax audit, and management letters, and the documentation requirement consumes a disproportionate share of the audit window — time that could be spent on substantive verification.
Inter-Branch Reconciliation
Large banks have thousands of branches, and inter-branch transactions must reconcile. Unreconciled entries that are aged beyond prescribed periods require investigation and potential provisioning. Identifying and classifying these items is tedious manual work.
RBI's FREE-AI Framework: What Auditors Need to Know
In August 2025, the RBI released the FREE-AI report — the Framework for Responsible and Ethical Enablement of Artificial Intelligence in the Financial Sector. While this framework is directed primarily at Regulated Entities (banks, NBFCs, payment operators), its implications for auditors are significant.
The Seven Sutras
The framework is built on seven guiding principles that the RBI calls "Sutras":
- Trust is the Foundation — AI systems must be reliable, transparent, and inspire public confidence. For auditors, this means any AI tool used in the audit process must produce explainable, verifiable results.
- People First — AI should support human decision-making but defer to human judgment. The auditor's professional judgment remains paramount; AI augments but does not replace it.
- Innovation over Restraint — The RBI explicitly encourages responsible innovation rather than imposing blanket restrictions. This is a green signal for audit firms exploring AI adoption.
- Fairness and Equity — AI outcomes should be non-discriminatory. In an audit context, this means AI-powered risk scoring should not introduce biases into sample selection or risk assessment.
- Accountability — The entity deploying AI bears accountability. For audit firms, this means the signing partner remains responsible for audit quality regardless of whether procedures were performed manually or with AI assistance.
- Understandable by Design — AI systems must be interpretable. Black-box models that produce conclusions without traceable logic are not acceptable. Audit tools must show their reasoning.
- Safety, Resilience, and Sustainability — AI systems must be secure and resilient. Audit data processed through AI tools must be protected with the same rigor as any sensitive financial data.
Six Strategic Pillars and 26 Recommendations
The framework organizes its 26 recommendations across six pillars:
Innovation Enablement:
- Infrastructure — Building sector-wide data infrastructure and AI innovation sandboxes
- Policy — Clear institutional AI policies guiding adoption and risk management
- Capacity — Developing AI skills, knowledge sharing, and expertise
Risk Mitigation:
- Governance — Board-level accountability, lifecycle governance for AI models, vendor oversight
- Protection — Consumer disclosures, grievance mechanisms, fairness in AI-driven decisions
- Assurance — Independent audits, impact assessments, and evaluations of AI systems
What This Means for Bank Auditors
The Assurance pillar is directly relevant. As banks adopt AI for credit underwriting, fraud detection, and customer service (the RBI's survey found 20.8% of regulated entities are already deploying AI), auditors will need to:
- Audit AI systems themselves — Evaluate whether the bank's AI governance meets FREE-AI expectations
- Use AI as an audit tool — Apply AI to increase audit coverage and efficiency, provided the tools meet the framework's principles
- Report on AI-related risks — Assess whether AI adoption by the bank introduces new risks that should be disclosed
The framework also establishes the expectation of an AI Innovation Sandbox for the financial sector, integrated with the India AI Mission's AI Kosh platform. As this infrastructure develops, audit firms will need to understand how bank clients are using it.
AI Applications by Bank Audit Type
Statutory Branch Audit
| Audit Area | Traditional Approach | AI-Enabled Approach |
|---|---|---|
| NPA Classification | Sample 10-15% of advances, verify DPD manually | Test 100% of advance accounts against IRAC norms using CBS data extract |
| Provisioning Adequacy | Recalculate provisions for sampled accounts | Compute required provisioning for entire portfolio, compare to actual |
| Income Recognition | Test interest income recognition on sampled NPAs | Verify interest reversal on all NPA accounts, flag exceptions |
| Priority Sector Classification | Verify classification of sampled PSL accounts | Match all PSL-tagged accounts against RBI's sub-category criteria |
| LFAR Preparation | Manual drafting from audit findings | Auto-populate LFAR sections from structured audit data |
Concurrent Audit
Concurrent audit is arguably the most natural fit for AI, given its continuous nature:
- Daily transaction monitoring — AI can scan all transactions above threshold amounts, flag unusual patterns, and identify potential circular transactions or window-dressing entries
- Advance monitoring — Continuous tracking of SMA (Special Mention Account) classification, alerting when accounts approach NPA thresholds
- Revenue leakage detection — Automated comparison of interest charged vs. interest due based on sanction terms
- KYC gap identification — Pattern matching to identify accounts with incomplete or expired KYC documentation
Revenue Audit
- Interest calculation verification — Recompute interest on all advance and deposit accounts using sanctioned rates, identify deviations
- Fee and commission verification — Match fee income to underlying transactions, flag missing charges
- Penal interest validation — Verify penal interest application against sanctioned terms for delayed payments
IS Audit Support
While IS audit requires specialized cybersecurity expertise, AI can support:
- Access log analysis — Identify unusual login patterns, dormant user accounts with active privileges, and segregation of duty violations
- CBS data integrity checks — Compare CBS reports against underlying transaction records for consistency
- Audit trail verification — Ensure transaction trails are complete and unbroken
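The access-log and audit-trail checks listed above can be expressed as deterministic rules. The following is an added example, not CORAA's code or any CBS vendor's API: the 90-day dormancy cut-off, the role names, the record layouts and the idea of a numbered audit trail are all assumptions, and the data is constructed.

```python
from datetime import date

# Assumptions for this sketch: the dormancy cut-off, role names and record
# layouts are hypothetical, not taken from any CBS product or RBI circular.
DORMANT_DAYS = 90
PRIVILEGED = {"branch_admin", "loan_sanction", "loan_disburse"}
CONFLICTS = [{"loan_sanction", "loan_disburse"}]  # roles one person should not combine

# Constructed sample data: user master, transaction log, audit-trail sequence.
AS_OF = date(2025, 3, 31)
USERS = [
    {"id": "u101", "roles": {"teller"}, "enabled": True,
     "last_login": date(2025, 3, 28)},
    {"id": "u102", "roles": {"loan_sanction", "loan_disburse"}, "enabled": True,
     "last_login": date(2025, 3, 30)},
    {"id": "u103", "roles": {"branch_admin"}, "enabled": True,
     "last_login": date(2024, 11, 2)},
    {"id": "u104", "roles": {"branch_admin"}, "enabled": False,
     "last_login": date(2024, 9, 1)},
]
TXNS = [
    {"txn": "T1", "maker": "u101", "checker": "u102"},
    {"txn": "T2", "maker": "u102", "checker": "u102"},  # maker approved own entry
    {"txn": "T3", "maker": "u101", "checker": None},    # posted without approval
]
TRAIL_SEQ = [1001, 1002, 1004, 1005, 1008]

def dormant_privileged(users, as_of, max_idle=DORMANT_DAYS):
    """Enabled accounts with a privileged role and no login for > max_idle days."""
    return [u["id"] for u in users
            if u["enabled"] and u["roles"] & PRIVILEGED
            and (as_of - u["last_login"]).days > max_idle]

def role_conflicts(users, conflicts=CONFLICTS):
    """Enabled users whose role set contains a full conflicting combination."""
    return [u["id"] for u in users
            if u["enabled"] and any(c <= u["roles"] for c in conflicts)]

def maker_checker_breaks(txns):
    """Transactions approved by their own maker, or posted with no checker."""
    return [t["txn"] for t in txns if t["checker"] in (None, t["maker"])]

def trail_gaps(seq):
    """Sequence numbers missing between the first and last audit-trail entry."""
    present = set(seq)
    return [n for n in range(min(seq), max(seq) + 1) if n not in present]

if __name__ == "__main__":
    print("dormant privileged:", dormant_privileged(USERS, AS_OF))
    print("role conflicts:    ", role_conflicts(USERS))
    print("maker-checker:     ", maker_checker_breaks(TXNS))
    print("trail gaps:        ", trail_gaps(TRAIL_SEQ))
```

Each hit is a lead for the IS auditor to follow up with the branch, since a disabled account or an approved exception may explain it.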
NPA Classification and IRAC Norms: The Core AI Use Case
NPA verification is the single highest-value application of AI in bank branch audits. Here is how the process works.
Understanding the Classification Framework
Under RBI's Master Circular on Prudential Norms on Income Recognition, Asset Classification and Provisioning, advances are classified as:
- Standard Assets — No default in repayment
- Sub-Standard Assets — NPA for a period not exceeding 12 months (for secured advances) or 18 months (for unsecured advances, prior to certain revisions)
- Doubtful Assets — NPA for more than 12 months. Sub-classified as D1 (up to 1 year), D2 (1-3 years), D3 (more than 3 years)
- Loss Assets — Identified as uncollectible by the bank, auditor, or RBI inspector, but not yet written off
How AI Performs 100% NPA Verification
Step 1: Data Extraction
Extract the complete advances database from the CBS, including:
- Account number, borrower name, sanction amount, outstanding balance
- Repayment schedule (due dates and amounts)
- Actual repayment history (dates and amounts credited)
- Current classification in the bank's records
- Security details and valuation dates
Step 2: DPD Computation
For each account, the AI engine computes Days Past Due by comparing actual repayments against the contractual schedule. This is a deterministic calculation — there is no machine learning ambiguity here. The rules are codified in RBI circulars.
Step 3: Classification Comparison
The computed classification based on DPD is compared against the bank's recorded classification. Exceptions fall into categories:
- Under-classified — The account should be in a worse category than recorded (this is the primary audit risk)
- Over-classified — The account is classified more conservatively than required (less common but relevant for profit manipulation analysis)
- Correctly classified — No exception
Step 4: Provisioning Gap Analysis
For each account, required provisioning is calculated based on the correct classification:
- Standard Assets: 0.25% to 1% depending on sector
- Sub-Standard: 15% (secured), 25% (unsecured)
- Doubtful: 25% to 100% depending on D1/D2/D3 and secured/unsecured portion
- Loss: 100%
The difference between required and actual provisioning gives the provisioning gap at both account level and aggregate level.
Step 5: Income Reversal Verification
For all accounts identified as NPA (either by the bank or by the AI-driven reclassification), the system verifies that interest income has been reversed as required by IRAC norms. Unreversed income on NPAs directly overstates reported profit.
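Steps 2 to 5 carried through on a small extract, as an added example rather than CORAA's or any bank's code. The 90-day NPA trigger, the 0.40% standard rate and the secured doubtful rates (25%, 40%, 100%) are assumptions not stated on this page and should be confirmed against the current RBI circular; the accounts are constructed, and each balance is treated as wholly secured or wholly unsecured.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal as D

# Assumptions, not stated on the page; confirm against the current RBI circular.
NPA_DPD = 90                  # overdue for more than 90 days => NPA
STANDARD_RATE = D("0.0040")   # one value inside the page's 0.25%-1% range
DOUBTFUL_SECURED = {"D1": D("0.25"), "D2": D("0.40"), "D3": D("1.00")}
SEVERITY = ["Standard", "Sub-Standard", "D1", "D2", "D3", "Loss"]

@dataclass
class Advance:
    acct_no: str
    schedule: list            # [(due_date, amount_due)]
    receipts: list            # [(credit_date, amount_credited)]
    outstanding: D
    secured: bool             # simplification: whole balance secured or unsecured
    recorded_class: str       # classification in the bank's books
    provision_held: D
    unrealised_interest: D    # interest taken to income but not yet collected

def days_past_due(adv, as_of):
    """Step 2: apply receipts to the oldest instalments first (FIFO)."""
    paid = sum((amt for d, amt in adv.receipts if d <= as_of), D(0))
    for due, amt in sorted(adv.schedule):
        if due > as_of:
            break
        if paid >= amt:
            paid -= amt
        else:                 # oldest instalment not fully covered
            return (as_of - due).days
    return 0

def classify(dpd):
    """Step 3: DPD -> category, assuming the account stayed overdue throughout.
    Loss is a judgment call and is never derived from DPD."""
    if dpd <= NPA_DPD:
        return "Standard"
    days_as_npa = dpd - NPA_DPD
    for limit, label in ((365, "Sub-Standard"), (730, "D1"), (1460, "D2")):
        if days_as_npa <= limit:
            return label
    return "D3"

def required_provision(adv, cls):
    """Step 4: rate for the computed category applied to the outstanding."""
    if cls == "Standard":
        rate = STANDARD_RATE
    elif cls == "Sub-Standard":
        rate = D("0.15") if adv.secured else D("0.25")
    elif cls == "Loss" or not adv.secured:
        rate = D("1.00")
    else:
        rate = DOUBTFUL_SECURED[cls]
    return (adv.outstanding * rate).quantize(D("0.01"))

def verify_account(adv, as_of):
    dpd = days_past_due(adv, as_of)
    computed = classify(dpd)
    delta = SEVERITY.index(computed) - SEVERITY.index(adv.recorded_class)
    status = ("Under-classified" if delta > 0 else
              "Over-classified" if delta < 0 else "Correctly classified")
    return {"acct_no": adv.acct_no, "dpd": dpd, "computed": computed, "status": status,
            "provision_gap": required_provision(adv, computed) - adv.provision_held,
            # Step 5: interest still sitting in income on an NPA must be reversed
            "unreversed_income": adv.unrealised_interest if computed != "Standard" else D(0)}

# Constructed sample extract (not real CBS data); audit date 31 March 2025.
AS_OF = date(2025, 3, 31)
EMI = [(date(2024, m, 1), D(10000)) for m in (10, 11, 12)] + \
      [(date(2025, m, 1), D(10000)) for m in (1, 2, 3)]
SAMPLE = [
    # Partial payment in February reduces the balance but does not cure the default.
    Advance("A1", EMI, [(date(2024, 10, 5), D(10000)), (date(2024, 11, 10), D(10000)),
                        (date(2025, 2, 15), D(5000))],
            D(500000), True, "Standard", D(2000), D(12500)),
    Advance("A2", EMI, list(EMI), D(250000), True, "Standard", D(1000), D(3000)),
    # Single instalment unpaid since 30 Dec: crosses 90 days on the last audit day.
    Advance("A3", [(date(2024, 12, 30), D(100000))], [], D(100000), False,
            "Standard", D(400), D(1100)),
]

if __name__ == "__main__":
    print(*(verify_account(a, AS_OF) for a in SAMPLE), sep="\n")
```

Restructured accounts, upgradations and special-dispensation circulars need their own rules and are outside this sketch.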
Practical Impact
Consider a branch with 3,000 advance accounts. A manual audit might sample 300-400 accounts (10-13%). AI-driven testing covers all 3,000 accounts in a fraction of the time. In practice, this reveals:
- Accounts that slipped into NPA during the last few days of the audit period (often missed in sampling)
- Accounts where restructuring terms were not properly updated in the CBS
- Accounts where partial payments reduced the outstanding but did not cure the NPA status
- MSME accounts requiring classification under special dispensation circulars
Priority Sector Lending Verification with AI
Banks are required to meet RBI's Priority Sector Lending (PSL) targets — currently 40% of Adjusted Net Bank Credit (ANBC) for domestic scheduled commercial banks. The PSL framework, updated through RBI's Master Directions effective April 2025, includes sub-targets for agriculture, micro enterprises, weaker sections, and other categories.
The Verification Challenge
The branch auditor must verify that advances classified as priority sector actually meet the eligibility criteria. This includes:
- Loan amount limits — Different categories have different ceiling amounts
- End-use verification — The loan must be used for the stated purpose
- Borrower eligibility — Income limits for weaker sections, landholding limits for small and marginal farmers
- Classification under correct sub-category — Agriculture vs. micro enterprise vs. education, etc.
How AI Helps
AI can systematically test the entire PSL-tagged portfolio:
- Ceiling amount validation — Compare each loan amount against the prescribed limit for its PSL category
- Cross-referencing borrower data — Match borrower declarations against available data to verify eligibility
- Duplicate detection — As noted in RBI's guidelines, auditors must ensure that the same loan is not claimed as PSL by multiple entities. AI-based matching across datasets can identify potential double-counting
- Sub-target computation — Automatically compute whether the branch meets sub-targets for each PSL category, flagging shortfalls
Forex Transaction Compliance
For branches dealing in foreign exchange, the auditor must verify compliance with FEMA regulations, RBI's Master Directions on foreign exchange, and AD (Authorised Dealer) category permissions.
Key Verification Areas
- Transaction reporting — All forex transactions must be reported to RBI through prescribed returns
- Permissible transactions — Each transaction must fall within the permitted categories for the branch's AD license
- Rate application — Exchange rates applied should conform to the bank's treasury rates for the day
- Documentation — Underlying documents (invoices, shipping bills, Form A2) must support each transaction
AI Application
AI can scan the complete forex transaction register and:
- Flag transactions that lack corresponding underlying documentation references
- Identify rate deviations beyond the acceptable spread from treasury rates
- Match outward remittances against RBI's permissible purpose codes
- Detect patterns suggesting structuring (splitting transactions to avoid reporting thresholds)
Implementation Considerations for Audit Firms
Data Access and Format
Bank branch audits depend on data extracts from the CBS. The practical challenge is that different banks use different CBS platforms (Finacle, BaNCS, Flexcube, etc.), and data export formats vary. Audit firms need tools that can ingest data from multiple CBS formats — either through standardized templates or configurable parsers.
Engagement-Level Customization
Not all branches are the same. A rural branch focused on agricultural lending has a different risk profile than an urban branch handling large corporate accounts and forex. AI tools should allow auditors to configure the testing focus based on branch characteristics — prioritizing PSL verification for rural branches and forex compliance for urban ones.
Integration with LFAR Preparation
The most immediate time savings come from linking AI-driven testing results to LFAR preparation. If the AI has tested 100% of advances and computed NPA classifications, the LFAR sections on advances, provisioning, and income recognition can be substantially auto-drafted, with the auditor reviewing and applying judgment on exceptions.
Team Training
AI tools are only effective if the audit team knows how to interpret the output. Partners and managers need to understand what the AI is testing, what constitutes a genuine exception vs. a data quality issue, and how to document AI-assisted procedures in the audit file. Platforms like CORAA are designed to keep the auditor in control — presenting flagged exceptions for professional judgment rather than generating automated conclusions.
Compliance Requirements When Using AI in Bank Audits
SA 500 — Audit Evidence
Standard on Auditing 500, "Audit Evidence," requires that evidence be sufficient and appropriate. AI-generated outputs constitute audit evidence only if:
- The source data is reliable (CBS extract verified for completeness)
- The processing logic is understood and validated by the auditor
- The results are documented in a manner that supports the audit opinion
SA 530 — Audit Sampling
When AI enables 100% population testing, SA 530 on audit sampling becomes less directly relevant for those specific procedures — but the auditor must document why sampling was not used and confirm that the population tested was complete.
SA 315 — Risk Assessment
SA 315 (Identifying and Assessing the Risks of Material Misstatement) requires auditors to understand the entity's internal controls, including its IT environment. When the bank itself uses AI (for credit scoring, fraud detection, etc.), the auditor's risk assessment under SA 315 must now extend to understanding those AI systems — their governance, validation processes, and potential for error.
RBI's Expectations
While the FREE-AI framework does not currently impose specific requirements on external auditors, it establishes the regulatory direction. Audit firms that adopt AI tools should ensure:
- Data processed through AI tools is not stored beyond the engagement period unless required
- AI tool vendors meet basic information security standards
- Audit working papers clearly distinguish between AI-generated analysis and auditor judgment
- The signing partner can explain and defend any AI-assisted procedure if questioned by RBI or peer reviewers
ICAI's Standards on Quality Management (SQM)
SQM 1, effective from April 2023, requires firms to design quality management systems that address technology-related risks. If a firm uses AI tools in bank audits, the quality management system must address:
- Selection and validation of AI tools
- Ongoing monitoring of AI tool reliability
- Training of engagement teams
- Documentation standards for AI-assisted procedures
Common Questions
Can AI replace the statutory branch auditor?
No. The statutory branch auditor must be a qualified Chartered Accountant appointed by the bank (and for public sector banks, based on RBI's panel). AI is a tool that assists the auditor — it does not sign the audit report, exercise professional judgment on complex matters, or interact with branch management on sensitive findings. The FREE-AI framework explicitly states that accountability rests with the entity deploying AI, and the "People First" sutra requires that AI defer to human judgment.
How do I access CBS data for AI processing?
This is an engagement logistics issue. At the start of the audit, request a complete data dump from the CBS covering the audit period. Most CBS platforms (Finacle, BaNCS, Flexcube) support data exports in structured formats. Work with the bank's IT team to obtain exports of advances, deposits, investments, and transaction registers. Ensure the data extract is verified for completeness — total outstanding in the extract should tie to the branch's trial balance.
Is AI-driven NPA reclassification going to create conflicts with bank management?
Potentially, yes — which is exactly why it is valuable. If the AI identifies accounts that should be classified as NPA but are not, this is an audit finding that requires discussion with management and, if unresolved, reporting in the LFAR and branch audit report. The fact that 100% of accounts were tested (rather than a sample) strengthens the auditor's position in these discussions.
What about cooperative bank audits?
Cooperative banks — both State Cooperative Banks (StCBs) and District Central Cooperative Banks (DCCBs) — have similar audit requirements but often operate on older technology platforms. The ICAI's Guidance Note on Audit of StCBs and DCCBs provides the specific framework. AI tools can still be applied, but data extraction may require additional effort due to legacy systems.
Does the FREE-AI framework apply to my audit firm?
The FREE-AI framework is primarily directed at Regulated Entities (banks, NBFCs, payment aggregators). However, audit firms are indirectly affected because: (a) they will need to audit banks' AI governance, (b) the framework's principles represent good practice for any entity using AI in the financial sector, and (c) ICAI may incorporate FREE-AI considerations into future guidance for auditors.
Conclusion
Bank audits in India sit at the intersection of regulatory complexity, transaction volume, and compressed timelines. The traditional sampling-based approach was necessary when there was no alternative, but it leaves real audit risk — the under-classified NPA that falls outside the sample, the PSL account that does not meet eligibility criteria, the forex transaction with missing documentation.
AI changes this equation by making 100% population testing feasible for the highest-risk audit areas: NPA classification, provisioning adequacy, income recognition, and priority sector compliance. The RBI's FREE-AI framework, with its seven sutras and six strategic pillars, provides a principled foundation for how AI should be adopted — not just by banks, but by the broader financial ecosystem including auditors.
For CA firms handling bank audits, the practical path forward is incremental: start with NPA verification (the highest-value, most deterministic use case), extend to PSL and forex compliance, and build toward integrated AI-assisted audit workflows. The firms that invest in this capability now will handle larger bank audit mandates with better coverage, stronger findings, and more defensible audit files.
The tools exist. The regulatory framework supports adoption. The gap is in execution — and closing that gap is where audit quality improves.
Explore how AI-powered audit tools can strengthen your bank audit practice at coraa.ai.
About CORAA
CORAA is an AI-powered audit platform built for Indian CA firms. It automates audit procedures — from ledger testing and compliance verification to working paper generation — while keeping the auditor in control of professional judgment. Learn more at coraa.ai.