NFRA Enforcement Themes 2022-2026: Five Mistakes Indian Auditors Keep Repeating

The NFRA Enforcement Tracker catalogues 19 verified disciplinary orders issued by the National Financial Reporting Authority between September 2022 and January 2025. The Tier-1 firms cited include BSR & Associates LLP (Coffee Day), Deloitte Haskins & Sells LLP (Zee Entertainment), Pathak H.D. & Associates (Reliance Capital), and Chaturvedi & Shah LLP (DHFL). The mid-tier and smaller-firm citations are equally instructive.

Across all 19 orders, five failure themes recur. They are not failures of audit knowledge — most of the partners and firms cited are technically competent. They are failures of audit execution — specifically of contemporaneous documentation, follow-through on red flags, and timing of regulatory reporting.

This post walks through each theme with the specific orders that anchor it, and what audit firms can do to avoid being the next data point.

---

Theme 1 — SA 240 fraud testing without contemporaneous documentation

Cited in roughly 80% of major NFRA orders.

The Standard on Auditing 240 (Auditor's Responsibilities Relating to Fraud) requires the auditor to (a) assess the risk of material misstatement due to fraud, (b) design audit responses to that risk, (c) test journal entries throughout the period for fraud indicators, and (d) consider biases in management's accounting estimates.

What NFRA orders consistently find is not that the audit team didn't think about fraud — it's that the working papers don't document the thinking. The Reliance Capital order (April 2024) specifically cited "bias and lack of professional skepticism" — and the basis for that finding was the audit file. There was no documented discussion of the Price Waterhouse resignation letter flagging ~₹12,571 crore in suspicious group loans. There was no documented audit response to that information.

The audit team likely did discuss it. They likely did perform some procedures. But the working papers are the record. When NFRA reviews the file 5 years later, undocumented discussions don't exist.

What firms can do:

1. At engagement planning, document the team discussion on fraud risk explicitly. SA 240 para 15 requires this — make the engagement-team-discussion memo a mandatory deliverable.
2. For every fraud risk factor identified (significant unusual transactions, related-party concentration, weak controls), document the specific audit response and the result.
3. Maintain a fraud-suspicion register at engagement level — every flag with timestamp and disposition.
4. Reference the SA 240 Journal Entry Risk Scorer for the 16 red-flag criteria NFRA applies.

CORAA's Scrutiny module runs the 16 SA 240 red flags across 100% of journal entries on every engagement — and the timestamp + criteria triggered is preserved in the engagement file. This makes the contemporaneous documentation that NFRA looks for default, not effortful.

---

Theme 2 — SA 550 related-party procedures, but only at a surface level

Top three cited theme across major orders.

The Zee Entertainment order (December 2024) against Deloitte Haskins & Sells LLP cited failure to evaluate a ₹200 crore Fixed Deposit pledged as guarantee for a promoter-group company without board / shareholder approval. The audit team had identified the FD pledge — but the procedures stopped at noting the existence.

What SA 550 demands is more:

• Identify all related parties (including indirect ones — common directorships, financial concentrations)
• Evaluate the entity's controls over RPT identification and disclosure
• Perform substantive procedures to test the arm's-length basis of significant RPTs
• Evaluate the appropriateness of disclosures in the FS
• Where transactions outside normal business are identified, evaluate the business rationale

The Coffee Day Enterprises order against BSR & Associates LLP (August 2024) — ₹10 crore firm penalty, the largest NFRA has issued — cited failure to investigate the ₹3,535 crore fund diversion to MACEL (a promoter entity). The audit team's documented procedures on related-party transactions were described as not commensurate with the magnitude.

What firms can do:

1. At planning, prepare an explicit related-party map — entities, directors, KMPs, relatives, common directorships, common ownership.
2. For each significant RPT, document a separate working paper covering: nature, amount, business rationale tested, arm's-length basis evidence, disclosure adequacy.
3. Cross-test with the Section 188 register and SEBI LODR Reg 23 register for listed entities.
4. Use the Section 188 RPT Threshold Calculator to confirm board / special resolution requirements were complied with.

For Form 3CD reporting under tax audit, clause 23 requires similar disclosure. CORAA's Form 3CD pre-fill automates the cross-check between book and tax disclosure.

---

Theme 3 — SA 230 documentation that doesn't survive a 5-year-later review

The DHFL branch auditor orders (September 2023, against 18 individual auditors for FY 2017-18) cited "inadequate documentation; no audit evidence in working-paper files." Each branch auditor faced a ~₹1 lakh penalty and 6-month to 1-year debarment.

This is not a fraud case. It's a documentation case. The branch auditors may have done the work — but the files five years later showed no evidence of it.

SA 230 paragraph 8 — audit documentation must be sufficient to enable an experienced auditor with no previous connection to the audit to understand the nature, timing, extent of procedures performed; results; significant matters arising; and conclusions reached.

The five-year-later test is operational. NFRA, the ICAI Peer Review Board, the ICAI Disciplinary Directorate — all examine working papers years after the audit. If the file doesn't speak, the auditor's defence collapses.

What firms can do:

1. Enforce SA 230 paragraph 14 — final assembly of audit file within 60 days of audit report date. After that, only specified additions are permitted.
2. Use a structured engagement file template — index, lead schedules, sub-schedules with sign-offs, review notes resolved.
3. Maintain working papers contemporaneously, not retrospectively. The date and signature of every document matters.
4. The Peer Review Phase IV Readiness Hub lists 19 specific documentation items reviewers look for.

CORAA's Working Papers module timestamps every document on creation. Every CARO 2020 observation, every JE testing result, every reconciliation is anchored to the underlying transaction with a cryptographic timestamp. The "five-year-later" test isn't a memory test — it's a logged event.

---

Theme 4 — Ignoring the predecessor-auditor signal

The Reliance Capital, Reliance Home Finance, and Reliance Commercial Finance orders (April-May 2024) collectively cite ignoring Price Waterhouse's reported suspected fraud as a primary failure. Price Waterhouse had resigned as statutory auditor of these entities, flagging concerns. Successor auditors continued the audit without adequately addressing the predecessor's reported concerns.

SA 510 (Initial Audit Engagements — Opening Balances) and the ICAI Code of Ethics both require the incoming auditor to communicate with the predecessor before accepting an audit. Where the predecessor has reported a concern, the incoming auditor cannot treat the audit as a clean slate.

The NFRA orders treat this as a basic failure — when the previous auditor has flagged fraud, the new auditor's first procedure is to investigate that flag, not to ignore it.

What firms can do:

1. For every new audit engagement, communicate with the predecessor in writing. Document the communication.
2. Specifically ask about: known or suspected fraud, going concern issues, management integrity concerns, regulatory communications, qualified opinions.
3. If the predecessor flags anything significant, document the procedures the firm intends to perform to address it.
4. The CARO 2020 clause (xviii) reporting requirement covers this — auditor must confirm consideration of outgoing auditor's issues. See the CARO clause (xviii) page.

The economics are uncomfortable here. A predecessor auditor's red flag may make the audit substantially harder and longer. But accepting the engagement and ignoring the flag is the more expensive path — measured in NFRA penalties and ICAI proceedings.

---

Theme 5 — Section 143(12) timing missed even after fraud was identified

The Religare Finvest order (January 2025), discussed in detail in the Form ADT-4 deep dive, cited delay in reporting ₹2,036 cr Corporate Loan Book fraud under Section 143(12).

Section 143(12) requires:

• For fraud ≥ ₹1 crore: report to Central Government in Form ADT-4 within 60 days from knowledge.
• Below ₹1 crore: report to Audit Committee within 2 days.

The mechanics break into 2 days (initial communication to Board / AC) + 45 days (Board response) + 15 days (ADT-4 filing). This is unambiguous.

The Religare Finvest delay was not about whether the fraud was identified — it was. The delay was in the 60-day clock to file ADT-4. NFRA treated that delay alone as a regulatory failure, separate from the underlying audit quality.

What firms can do:

1. Build the workflow described in the ADT-4 deep dive — 2 day, 45 day, 15 day calendar from "date of reasonable belief."
2. Train every audit team member that fraud-suspicion identification triggers an immediate partner-level review.
3. Document the date of "reasonable belief" with the trigger event. NFRA's interpretation has been that this is the date the auditor first had objective basis — not the date of final confirmation.
4. File ADT-4 by day 60 — no exceptions.

---

The pattern beneath the patterns

Across all five themes, the underlying issue is the same: the gap between what the audit team did and what the working papers show.

Audit teams are often more diligent than their files suggest. They have informal conversations, raise concerns in meetings, walk through transactions with management. But NFRA, peer reviewers, and ICAI disciplinary committees review the file — not the informal record.

The file is the only record that survives 5 years. When the question is "did the auditor adequately address fraud risk?" or "did the auditor follow up on the predecessor's flag?", the working paper is the only evidence.

This is why the modern audit-tech infrastructure matters disproportionately. A platform that timestamps every observation as it's made, links every flag to the underlying transaction, and preserves the full investigation trail — that platform's output IS the working paper. There is no gap between the work and the documentation.

CORAA was built specifically to close this gap. Every transaction analysed, every flag raised, every reconciliation completed is preserved with timestamp, criteria, and outcome. The 5-year-later test stops being a test of memory and becomes a test of search.

---

Five action items for this audit season

1. At engagement planning: document the SA 240 team discussion on fraud risk. Include amounts, persons, transactions identified as risk areas.
2. Predecessor communication: written, on firm letterhead, addressing fraud / going concern / management integrity. Filed in engagement permanent file.
3. SA 550 related-party map: completed before fieldwork. Cross-referenced with Section 188 register.
4. SA 230 file assembly: 60 days from report date. Every working paper signed and dated.
5. Fraud-suspicion register: live during the engagement. Every flag, timestamp, disposition.

---

Where to go from here

• NFRA Enforcement Tracker — all 19 verified orders with citation links to underlying NFRA PDFs
• Form ADT-4 Mechanics Deep Dive — the 60-day clock and what counts as "reasonable belief"
• Peer Review Phase IV Readiness Hub — the 19-item checklist a reviewer will test against
• SA 240 Journal Entry Risk Scorer — score JEs against the 16 red-flag criteria
• Section 188 RPT Threshold Calculator — confirm board / special resolution compliance

Try CORAA → Every flag timestamped, every observation linked to source, every working paper defensible 5 years later. See pricing or talk to us.