Audit guide · NBFC

NBFC audit

A practitioner’s guide to the audit of NBFCs registered with RBI — applicable Master Directions, IRACP norms, scale-based regulation, CIC framework, and the working papers that survive an RBI inspection.

Last reviewed 28 May 2026 · India regulatory framework

Authoritative sources

RBI Master Direction — NBFC Scale Based Regulation (Oct 2023, as updated)
RBI Master Direction — IRACP Norms (latest 2024 amendments)
Companies Act 2013 + CARO 2020 clause (xvi)
ICAI Technical Guide on Audit of NBFCs (latest edition)
Section 45-IA of the Reserve Bank of India Act 1934

Regulatory framework as of May 2026. Always verify the latest position on the authority’s site before relying on any specific rule for a filing.

1 · The regulatory landscape

Non-Banking Financial Companies are regulated by RBI under Section 45-IA of the RBI Act 1934. Since 1 October 2022, RBI’s Scale-Based Regulation (SBR) framework classifies NBFCs into four layers — Base Layer (NBFC-BL), Middle Layer (NBFC-ML), Upper Layer (NBFC-UL) and Top Layer (NBFC-TL) — with progressively more stringent regulation as the layer goes up.

The statutory audit of an NBFC follows the Companies Act 2013 framework, but with substantial overlay from RBI directions: capital adequacy (CRAR), Income Recognition, Asset Classification and Provisioning (IRACP), exposure norms, FX exposure controls, and reporting returns. CARO 2020 clause (xvi) specifically requires the auditor to verify CoR holding and conduct of NBFC activities without registration.

2 · Pre-engagement and acceptance

NBFC engagements have heightened acceptance considerations. The auditor must verify that the NBFC holds a valid Certificate of Registration (CoR) from RBI under Section 45-IA, has filed the latest year’s NBS returns, is not in the RBI’s prohibitive register, and has no pending show-cause notice that would affect going concern.

Independence test against the NBFC’s borrowing relationships
ICAI Empanelment requirements — RBI panel + ICAI MEF for deposit-taking and Upper Layer NBFCs
Engagement letter explicit on scope: statutory audit + LFAR (for select NBFCs) + tax audit if applicable
Group structure understanding — captive finance, fintech parent, NBFC-AA (account aggregator) classifications

3 · Risk assessment — what makes an NBFC audit different

The risk profile of an NBFC is dominated by credit risk on the asset side and concentration / liquidity risk on the liability side. The primary risks of material misstatement cluster around:

NPA classification accuracy — IRACP norms drive when an asset moves from Standard to SMA-0/1/2 to NPA, and the auditor must independently verify the classification against the day-past-due register and the borrower-level performance
Provisioning adequacy — IRACP-prescribed minimums apply to Standard / Sub-Standard / Doubtful (D1/D2/D3) / Loss assets, with Ind AS 109 ECL overlay for Ind AS-applicable NBFCs
Income recognition — interest income on NPA accounts must be reversed; restructured-account income recognition under RBI Resolution Framework rules
Fair value of investments — Ind AS 109 / Ind AS 113 for NBFCs reporting in Ind AS; MTM volatility for trading book
Off-balance-sheet exposures — guarantees, derivatives, securitisations — and the leverage / capital implications
Liquidity and ALM — Asset-Liability Management mismatches, structural liquidity ratios, RBI’s LCR requirements for systemically-important NBFCs
Co-lending arrangements — RBI’s 80:20 co-lending framework, related-party considerations

4 · Substantive procedures specific to NBFCs

Beyond the standard SA 500-540 procedures, NBFC audit calls for specific deep-dives:

IRACP classification test — sample-test loan accounts against the RBI day-past-due rules; check evergreening patterns (loan repaid on day 90 + fresh disbursement same week)
ECL model validation — Ind AS 109 three-stage classification, PD / LGD / EAD inputs, forward-looking adjustments, stage migration logic
CRAR computation — Tier 1 + Tier 2 capital, risk-weighted assets per RBI Master Direction; Tier 1 ≥ 9% / 10% / 15% depending on layer
Concentration limits — single borrower / group borrower exposure ceilings; capital market exposure cap
Securitisation accounting — true sale tests, MRR (Minimum Retention Requirement) compliance
Related-party transactions — Section 188 + Ind AS 24 + RBI Master Direction on related-party transactions for Upper Layer NBFCs
Liquidity coverage — LCR computation for ML / UL NBFCs (high-quality liquid assets vs net cash outflows)

5 · Reporting — what the audit produces

NBFC audit outputs go beyond the standard auditor’s report. The key deliverables:

Deliverable	Statutory basis	When
Statutory auditor’s report (SA 700)	Section 143 Companies Act 2013	Annual
CARO 2020 annexure (clause (xvi))	Section 143(11)	Annual
Long Form Audit Report (LFAR) — for prescribed NBFCs	RBI direction	Annual
Auditor certificate on NBS returns	RBI direction	Per return cycle
Concurrent audit reports — for deposit-taking / large NBFCs	RBI / NBFC policy	Monthly / quarterly
Asset Classification certificate	RBI IRACP	Annual
Tax audit Form 3CD	Section 44AB Income-tax Act	By 30 September

6 · Common audit pitfalls

NFRA orders and ICAI disciplinary proceedings on NBFC audits cluster around predictable failure patterns:

Acceptance of management classification of NPAs without independent day-past-due test
Inadequate audit evidence on ECL model assumptions (especially PD / LGD)
Failure to spot ever-greening through restructuring or fresh disbursement to settle overdue
Capital adequacy computed without questioning the asset-weight buckets used
Concurrent auditor findings not adequately considered by statutory auditor
Related-party transactions with the parent / promoter group not aggregated for materiality

Common questions

NBFC audit — FAQs

Which NBFCs need a statutory auditor + concurrent auditor?

Statutory audit applies to every NBFC under Section 139 of the Companies Act 2013. Concurrent audit is RBI-mandated for deposit-taking NBFCs (NBFC-D) and other prescribed categories — typically on monthly/quarterly cycles. Upper Layer NBFCs (UL) must additionally appoint an Internal Auditor under Section 138.

Are IRACP norms and Ind AS 109 ECL compatible?

Both apply concurrently for Ind AS-reporting NBFCs. IRACP gives a prudential floor (minimum classification and provisioning), Ind AS 109 ECL gives the accounting recognition. Where ECL provisioning exceeds IRACP, ECL applies for accounting; the IRACP shortfall (if any) is disclosed separately. The auditor verifies both computations and the higher of the two governs.

What is the Scale-Based Regulation framework?

Effective October 2022, RBI classifies NBFCs into four layers based on size, activity, and systemic importance: Base Layer (less restrictive, <₹1000 cr asset size and non-systemic activities), Middle Layer (most NBFCs), Upper Layer (top 25-30 by RBI’s scoring + criteria), Top Layer (rarely populated). Audit and governance requirements scale up by layer.

How CORAA helps with nbfc audit

Scrutiny hub — IRACP classification testing on the full loan book →Procedures hub — materiality, sampling, going concern for NBFC →Reporting hub — CARO 2020 clause (xvi) automation →

Related templates and tools:

NBFC audit strategy memo CARO 2020 checklist (clause xvi)Related-party transactions WP Going concern assessment ECL Calculator (Ind AS 109)

Ready to bring AI into your nbfc audit?

CORAA handles the audit. You handle the judgement.

Book a 20-min walkthrough See the AI Modules