Statutory Audit & Auditor Appointment Best Practices for NBFC


Statutory audit plays an important role in maintaining transparency, accountability, and sound financial management within Non-Banking Financial Companies (NBFCs). It acts as an independent verification process that ensures financial statements accurately represent the company’s financial position, performance, and compliance with regulatory standards. This includes adherence to the Companies Act, 2013, accounting standards, and prudential norms prescribed by the Reserve Bank of India (RBI). A well-conducted audit builds trust among investors, regulators, and stakeholders by confirming that the NBFC operates with integrity and financial discipline.

The RBI circular dated April 27, 2021, has significantly strengthened the statutory audit framework by introducing stricter norms on auditor appointment, independence, and rotation. These updates aim to improve audit quality, enhance risk detection, and ensure better governance oversight. As a result, the role of auditors has evolved beyond compliance, becoming a cornerstone of financial stability, credibility, and investor protection in the NBFC sector.

In this article, CA Manish Mishra talks about Statutory Audit & Auditor Appointment Best Practices for NBFC.

Legal Framework Governing Statutory Audits in NBFCs

Statutory audits of Non-Banking Financial Companies (NBFCs) are governed by an integrated legal framework under the Companies Act, 2013, the Reserve Bank of India Act, 1934, and the RBI Circular on Auditor Appointment (2021). These provisions collectively ensure that audits are carried out with independence, transparency, and regulatory integrity.

The Companies Act, 2013

The Companies Act lays the foundation for statutory audits across all corporate entities, including NBFCs.

  • Section 139 mandates the appointment of statutory auditors for every financial year, ensuring continuity and oversight.

  • Section 143 outlines the powers, duties, and responsibilities of auditors, including verifying internal financial controls and reporting frauds or irregularities.

  • Section 141 specifies the qualifications, disqualifications, and independence requirements for auditors to prevent conflicts of interest.

  • Section 144 prohibits auditors from providing certain non-audit services such as internal audit, management consultancy, or bookkeeping to maintain objectivity and independence in the audit process.

Together, these provisions create a governance structure that enhances reliability in financial reporting and promotes accountability within NBFCs.

The RBI Act, 1934 and Related Directions

NBFCs are regulated under Chapter III-B of the RBI Act, 1934, which mandates adherence to prudential and governance norms prescribed by the Reserve Bank of India. The RBI (NBFC – Scale-Based Regulation) Directions, 2023 classify NBFCs based on their size, activity, and risk exposure.
Auditors are required to ensure compliance with:

  • Capital adequacy requirements, ensuring the NBFC maintains the minimum regulatory capital ratio.

  • Asset classification and provisioning norms, confirming correct identification of NPAs and provisioning levels.

  • Governance and disclosure standards, which ensure that stakeholders have access to transparent and reliable financial information.

These provisions align audit functions with the risk-based regulatory supervision model adopted by the RBI.

RBI Circular on Auditor Appointment (April 27, 2021)

The RBI Circular issued on April 27, 2021, established a standardized process for appointing statutory auditors across banks, NBFCs, and Housing Finance Companies (HFCs). It introduced uniform eligibility norms, independence criteria, and joint audit requirements for large NBFCs.

This circular applies to:

  • All deposit-taking and non-deposit-taking NBFCs.

  • Housing Finance Companies (HFCs) governed by the National Housing Bank (NHB) under RBI’s supervision.

The key objectives of the circular are to:

  • Strengthen auditor independence and prevent conflicts of interest.

  • Enforce rotation discipline by limiting continuous auditor engagement periods.

  • Enhance audit quality and regulatory oversight, ensuring that auditors detect risks early and report material irregularities effectively.

This framework collectively ensures that statutory audits within NBFCs remain robust, impartial, and aligned with the evolving risk and compliance landscape of the Indian financial system.

Scope and Objectives of Statutory Audit for NBFCs

The statutory audit of a Non-Banking Financial Company (NBFC) goes beyond traditional financial verification. It ensures that the NBFC’s operations, accounting practices, and compliance framework align with the Companies Act, 2013, Reserve Bank of India (RBI) regulations, and Ind AS accounting standards. The audit’s objective is not only to provide assurance on financial integrity but also to evaluate internal controls, governance effectiveness, and adherence to regulatory norms.

Financial Integrity

Financial integrity is at the core of the statutory audit process. Auditors are responsible for ensuring that an NBFC’s financial statements truly and fairly represent its financial position and performance as required under Section 143 of the Companies Act, 2013. This involves verifying balance sheet accuracy, income recognition, and valuation of assets and liabilities in accordance with Indian Accounting Standards (Ind AS).

The audit also includes an assessment of internal financial controls, ensuring that financial transactions are authorized, recorded properly, and free from material misstatements or fraud. A strong financial integrity review enhances investor confidence and reinforces the NBFC’s credibility in the market.

Regulatory Compliance

NBFCs operate in a highly regulated financial environment, and adherence to RBI’s prudential and operational norms is a key audit requirement. Auditors must verify compliance with the following regulatory frameworks:

  • RBI Prudential Norms: Cover capital adequacy, exposure limits, provisioning policies, and asset-liability management (ALM).

  • Income Recognition and Asset Classification (IRAC) Guidelines: Ensure that income is recognized only on performing assets and that NPAs are correctly identified based on the 90-day overdue rule.

  • Liquidity and Fair Practice Norms: Confirm that the NBFC maintains sufficient liquidity buffers and follows transparent practices in lending, recovery, and customer disclosures.

Through these verifications, auditors ensure that the NBFC maintains financial discipline and operates within the parameters prescribed by the RBI.

Risk Assessment

In modern audits, the risk-based approach forms the foundation of the auditor’s evaluation. Auditors identify, assess, and respond to the financial and operational risks that could materially impact the NBFC’s performance or compliance status.

This includes assessing:

  • Credit Risk: Quality of the loan portfolio, underwriting standards, and exposure concentration across sectors or borrowers.

  • Operational Risk: Adequacy of internal processes, fraud detection mechanisms, and effectiveness of internal control systems.

  • Cybersecurity and Digital Lending Risk: In the era of fintech partnerships and digital lending, auditors evaluate the NBFC’s IT security framework, data protection practices, and compliance with RBI’s digital lending guidelines.

The auditor’s risk assessment ensures early detection of weaknesses, mitigation of financial losses, and continuous improvement in governance and control mechanisms.

Auditor Appointment under the Companies Act, 2013

The appointment of statutory auditors in Non-Banking Financial Companies (NBFCs) is governed by the provisions of the Companies Act, 2013, particularly Sections 139, 141, and 142. These sections ensure that only qualified, independent, and competent professionals conduct audits, thereby strengthening financial transparency and corporate governance. The process also enforces accountability by establishing clear rules on tenure, rotation, and eligibility.

Appointment and Tenure

Under Section 139(1) of the Companies Act, every company must appoint an auditor to audit its accounts for each financial year.

  • First Auditor: The first statutory auditor of the company must be appointed by the Board of Directors within 30 days from the date of incorporation. If the Board fails to do so, shareholders must appoint an auditor within 90 days at an Extraordinary General Meeting (EGM).

  • Subsequent Auditors: After the first financial year, auditors are appointed by the shareholders at the Annual General Meeting (AGM) for a term of five consecutive years, subject to ratification and eligibility.

This structured appointment process ensures that the company’s audit responsibilities begin immediately upon incorporation and continue seamlessly through its operational lifecycle.

Rotation Requirements

To maintain auditor independence and prevent over-familiarity with management, Section 139(2) introduces mandatory rotation of auditors for certain categories of companies, including large NBFCs.

  • An individual auditor can hold office for one term of five years.

  • An audit firm can serve for two consecutive terms of five years each.

  • After completion, a five-year cooling-off period applies before the same auditor or firm can be reappointed.

This rotation mechanism prevents long-term dependence on a single auditor, minimizes bias, and promotes fresh perspectives in financial oversight, which is particularly crucial for regulated financial entities like NBFCs.

Eligibility and Consent

Before accepting an audit assignment, the auditor must provide:

  • Written consent to act as auditor, and

  • A certificate of eligibility as required under Section 141 of the Companies Act, 2013.

This certificate must confirm that the auditor meets all qualification criteria, does not hold any disqualification, and complies with independence standards. In addition, as a best practice, auditors should submit an annual independence declaration to the Audit Committee or Board confirming that no conflict of interest or prohibited non-audit service engagement exists.

This procedure ensures that only qualified and impartial professionals are entrusted with the statutory audit function, safeguarding financial accuracy and maintaining the integrity of NBFC operations.

RBI Guidelines on Appointment of Statutory Auditors (SAs)

The Reserve Bank of India (RBI), through its circular dated April 27, 2021, introduced comprehensive guidelines to standardize the appointment, independence, and rotation of Statutory Auditors (SAs) for Non-Banking Financial Companies (NBFCs) and Housing Finance Companies (HFCs). These guidelines aim to strengthen the quality of audit, reduce concentration risk, and enhance transparency in financial reporting.

Applicability

The RBI guidelines on SAs apply to:

  • All NBFCs and HFCs, both deposit-taking and non-deposit-taking, effective from financial year 2021–22 onwards.

  • Large NBFCs with an asset size of ₹15,000 crore or above are required to appoint joint auditors to ensure a balanced audit opinion and avoid dependency on a single audit firm.

This joint audit requirement enhances audit quality and provides cross-verification, especially in systemically important entities with complex operations. Smaller NBFCs are permitted to appoint a single statutory auditor subject to compliance with other eligibility and independence criteria.

Key Provisions

The RBI circular lays out stringent norms for the selection and eligibility of audit firms to ensure that only competent and independent professionals are appointed.
Key provisions include:

  • Independence in Joint Audits: Two or more joint auditors must not belong to the same network or firm affiliation, ensuring truly independent evaluations.

  • Professional Qualification and Experience: The audit firm must have adequate partners with CISA/ISA qualifications and proven experience in auditing financial institutions, particularly banks, NBFCs, or other regulated entities.

  • Audit Engagement Cap: A single audit firm cannot audit more than a prescribed number of regulated entities (banks, NBFCs, or HFCs) in one financial year. This cap prevents over-concentration and ensures that auditors maintain focus and audit quality.

The circular further mandates that the audit firm must not have any conflict of interest or business relationship with the audited entity, its subsidiaries, or its promoters.

Audit Committee Oversight

The Audit Committee of the Board (ACB) plays a central role in ensuring the proper selection and monitoring of statutory auditors under the RBI framework. The ACB must:

  • Approve a formal policy detailing eligibility criteria, selection methodology, and tenure for auditor appointment.

  • Review auditor independence, ensuring that no conflict of interest exists and that rotation rules are being followed in accordance with RBI and Companies Act provisions.

  • Recommend qualified firms to the Board of Directors after evaluating their capability, resources, prior experience, and compliance record.

The ACB should also monitor auditor performance annually and maintain transparency in audit appointment decisions through board-level documentation and disclosure.

Auditor Independence and Ethical Standards

Auditor independence lies at the heart of a credible statutory audit. For Non-Banking Financial Companies (NBFCs), independence ensures that the auditor’s opinion is unbiased, objective, and free from any conflict of interest that might compromise the quality of financial reporting. The Companies Act, 2013, the Reserve Bank of India (RBI) guidelines, and professional standards issued by the Institute of Chartered Accountants of India (ICAI) collectively establish a strong ethical and legal framework to safeguard auditor independence and integrity.

Legal Provisions

The Companies Act, 2013 provides explicit provisions to maintain auditor independence and eliminate conflicts of interest.

  • Section 141: This section disqualifies individuals or firms from being appointed as auditors if they have any direct or indirect financial interest, shareholding, or business relationship with the company or its management. It prevents auditors from being officers, employees, or relatives of directors or key managerial personnel. Such measures ensure that auditors remain impartial and independent in both appearance and substance.

  • Section 144: This section strictly prohibits auditors from providing non-audit or consulting services to the same company or its subsidiaries. Prohibited services include internal audit, management advisory, bookkeeping, financial system design, and investment advisory. By preventing dual roles, this provision ensures that auditors do not audit their own work or develop a vested interest in company decisions.

Together, these legal safeguards maintain auditor objectivity, preserve professional skepticism, and ensure the credibility of the audit opinion issued to regulators, investors, and stakeholders.

RBI Independence Rules

The RBI’s 2021 guidelines on the appointment of Statutory Auditors (SAs) for NBFCs and Housing Finance Companies (HFCs) introduced additional requirements to strengthen independence in practice.

  • No Dual Engagements: Under the RBI framework, an audit firm cannot provide management, consultancy, or advisory services to the same NBFC or its group entities. This restriction prevents potential influence over audit judgments and reinforces transparency in reporting.

  • Annual Declaration of Independence: Every auditor must submit a yearly independence and conflict-of-interest declaration to the Audit Committee of the Board (ACB). This statement certifies that neither the audit firm nor its partners have any business or personal relationships that could impair independence.

  • Transparency and Documentation: The NBFC is required to maintain detailed records of all auditor relationships, including network affiliations, other service engagements, and audit fee disclosures. The Audit Committee must periodically review these relationships to ensure ongoing compliance with both Companies Act and RBI norms.

Audit Planning and Execution Best Practices

For Non-Banking Financial Companies (NBFCs), audit planning and execution play a pivotal role in ensuring that financial statements are accurate, compliant, and free from material misstatements. Effective audit planning helps auditors focus on critical risk areas, while strong execution ensures comprehensive verification of financial, operational, and regulatory parameters. Given the complexity of NBFC operations, especially in credit risk, digital lending, and regulatory compliance, adopting a risk-based audit approach is essential for meaningful assurance.

Risk-Based Audit Planning

The foundation of any effective statutory audit lies in risk-based planning. Rather than applying a uniform approach, auditors prioritize areas that present higher risk to financial accuracy or regulatory compliance.

Key focus areas include:

  • Loan Origination and Approval: Auditors evaluate the end-to-end loan process, from borrower assessment and documentation to credit sanctioning, ensuring adherence to internal credit policy and RBI guidelines.

  • Income Recognition Policies: NBFCs often have diverse revenue streams, including interest income, processing fees, and penalties. Auditors must confirm that income recognition aligns with Ind AS 109 and RBI’s Income Recognition and Asset Classification (IRAC) norms.

  • Related-Party Transactions and Restructuring: Special attention is given to transactions involving promoters or group entities to prevent conflicts of interest, misreporting, or fund diversion.

Through risk-based planning, auditors allocate more time and resources to areas most susceptible to fraud, financial misstatement, or regulatory deviation.

Key Testing Areas

During audit execution, auditors perform substantive and control testing to validate financial and regulatory accuracy. For NBFCs, certain areas are always critical due to their direct impact on profitability and capital adequacy.

Core audit testing areas include:

  • Verification of NPA Classification: Auditors ensure that assets are correctly classified into standard, substandard, doubtful, and loss categories based on days past due (DPD). This affects provisioning and reported profitability.

  • Provisioning Accuracy: Review of provisioning policies for compliance with RBI prudential norms and adequacy of Expected Credit Loss (ECL) models under Ind AS 109.

  • Liquidity and Capital Adequacy Norms: Verification of adherence to capital adequacy ratio (CAR) requirements under RBI’s Scale-Based Regulatory (SBR) Directions, 2023. This includes validation of ALM (Asset-Liability Management) data and liquidity buffers.

  • Compliance with Ind AS 109: The ECL model requires complex judgments related to default probability, loss given default (LGD), and exposure at default (EAD). Auditors must test model assumptions, calibration, and adequacy of provisioning.

These testing procedures provide assurance that financial results reflect the NBFC’s true risk position and regulatory compliance status.

Use of Technology

With the increasing digitization of financial services, auditors must leverage technology-driven audit tools to enhance accuracy, detect anomalies, and assess large volumes of transactional data.

Key technological audit practices include:

  • Data Analytics and Automation: Use of analytical tools to identify unusual patterns in loan disbursements, interest accruals, or recoveries. Data analytics helps uncover hidden risks that traditional sampling might miss.

  • Digital Loan Audits: Many NBFCs operate through fintech platforms or digital lending partners. Auditors must perform end-to-end digital audits of loan origination systems (LOS) and loan management systems (LMS) to ensure compliance with RBI’s digital lending guidelines.

  • Stress Testing and Model Validation: Conducting stress tests on liquidity and credit models under various scenarios to assess resilience against defaults or market shocks. Regular validation of ECL and risk models ensures that assumptions remain realistic and compliant with evolving RBI norms.

Reporting and Post-Audit Requirements

Post-audit reporting is a crucial phase in the statutory audit process for Non-Banking Financial Companies (NBFCs). It ensures that the findings from the audit are formally communicated to stakeholders, management, regulators, and the Audit Committee. The reporting framework under the Companies Act, 2013 and RBI Directions emphasizes transparency, accountability, and timely remediation of identified issues.

A well-drafted audit report not only fulfills legal obligations but also strengthens governance and risk management frameworks across the NBFC.

Audit Report (Under Section 143 of the Companies Act, 2013)

Under Section 143 of the Companies Act, 2013, the auditor’s report is a formal opinion on whether the financial statements present a true and fair view of the NBFC’s financial position and performance.

Key requirements include:

  • True and Fair Certification: The auditor must confirm that financial statements comply with applicable accounting standards (Ind AS) and fairly represent the company’s state of affairs, profit/loss, and cash flows.

  • Reporting on Internal Financial Controls: The auditor is required to assess and comment on the adequacy and operating effectiveness of Internal Financial Controls (IFC), ensuring that systems in place prevent fraud and financial misstatements.

  • Fraud Reporting under Section 143(12): If the auditor detects any fraud or suspected fraud by officers or employees of the company, it must be reported to the Central Government in the prescribed manner, typically through Form ADT-4.

This statutory reporting ensures accountability, highlights governance issues, and alerts regulators to potential financial irregularities or operational lapses.

Management Letter

The Management Letter (ML), though not a statutory requirement, is a vital best practice that complements the main audit report. It serves as a confidential communication from the auditor to the management and the Audit Committee of the Board (ACB).

It documents the auditor’s observations and provides actionable insights into process improvement. The management letter typically includes:

  • Internal Control Deficiencies: Gaps or weaknesses identified in financial or operational controls that may lead to risk exposure or non-compliance.

  • Policy Gaps and Compliance Lapses: Instances where company policies do not align with RBI or Companies Act requirements, such as credit risk assessment, liquidity management, or digital lending norms.

  • Recommendations for Improvement: Practical suggestions for strengthening financial reporting systems, enhancing internal audit coordination, and improving the overall control environment.

The management is expected to provide a formal management response or action plan addressing each observation, which the auditor may later review during the next audit cycle.

Communication with Regulators

Regulatory communication forms an essential part of the auditor’s post-audit obligations, particularly for NBFCs under the supervisory purview of the Reserve Bank of India (RBI) and the National Financial Reporting Authority (NFRA).

Key requirements include:

  • Reporting Material Irregularities or Frauds: If the auditor uncovers frauds, fund diversion, or significant misstatements, they are obligated to report these directly to the RBI and NFRA without delay. This aligns with RBI’s circular on Auditor Responsibility and Reporting (2021), ensuring transparency in the financial system.

  • Audit Committee Oversight: The Audit Committee of the Board must actively monitor all issues raised by auditors, ensure that corrective actions are implemented, and verify closure of observations. The committee should also document discussions and remedial actions in its minutes for regulatory review.

Regular communication with regulators ensures that the NBFC remains compliant, reinforces governance integrity, and builds regulatory trust.

Governance and Audit Committee Role

The Audit Committee of the Board (ACB) plays a central role in maintaining transparency, independence, and accountability in the audit function of Non-Banking Financial Companies (NBFCs). As mandated under Section 177 of the Companies Act, 2013 and RBI’s Scale-Based Regulatory (SBR) Directions, 2023, every systemically important NBFC must establish an Audit Committee to oversee financial reporting integrity, auditor performance, and internal control effectiveness.

This committee acts as the guardian of governance, ensuring that auditors function independently, management decisions are ethical, and compliance obligations are fully met.

Policy and Oversight

The first responsibility of the Audit Committee is to formulate and approve a Board-level policy governing the appointment, reappointment, and removal of statutory auditors.

This policy must:

  • Define eligibility criteria for auditors in line with RBI’s Circular on Appointment of Statutory Auditors (April 27, 2021).

  • Lay down procedures for fixing audit fees, considering the scope, size, and complexity of the NBFC’s operations.

  • Include a rotation policy, ensuring adherence to the cooling-off period requirements under Section 139(2) of the Companies Act, 2013.

By reviewing the auditor’s scope, independence, and compensation, the Committee safeguards against conflicts of interest and ensures fair, transparent audit engagement.

Evaluation and Interaction

An effective Audit Committee maintains continuous engagement with both internal and external auditors to promote transparency.

Best practices include:

  • Independent Meetings: The Committee should conduct periodic meetings with auditors without the presence of management to allow for candid discussions about financial risks, irregularities, and audit findings.

  • Annual Performance Review: The Committee must evaluate the independence, objectivity, and performance of the statutory auditors annually.

  • Follow-up on Findings: Discussion of prior year’s audit observations and verification of corrective actions taken ensures continuous improvement in governance.

This interactive process strengthens the quality of the audit and promotes a culture of accountability within the organization.

Documentation

Proper documentation is a cornerstone of audit governance and compliance transparency. The Audit Committee must maintain a comprehensive compliance tracker mapping every audit observation to its resolution.

The tracker should include:

  • Auditor Observations: All findings noted in statutory, internal, and concurrent audit reports.

  • Corrective Actions: Management’s proposed or implemented remediation steps.

  • Timelines and Status: Deadlines for completion and periodic updates on progress.

  • Follow-Up Reviews: Verification of whether remedial measures were effectively implemented and sustained over time.

This structured documentation system provides a verifiable audit trail, ensuring accountability and readiness for RBI inspections or NFRA reviews.

Emerging Challenges and Regulatory Focus (2024–2025)

The audit and compliance landscape for Non-Banking Financial Companies (NBFCs) is evolving rapidly. With the Reserve Bank of India (RBI) tightening its regulatory grip and emerging institutions such as NFRA (National Financial Reporting Authority) and ICAI (Institute of Chartered Accountants of India) strengthening audit oversight, statutory auditors now face enhanced responsibilities and expectations.

The focus for 2024–2025 lies on transparency, technology integration, and governance discipline, demanding that auditors move beyond checklist-based audits to adopt a risk-based and tech-enabled audit framework.

Scale-Based Regulation (SBR) Framework

The Scale-Based Regulatory (SBR) Framework, introduced by RBI in October 2021 and reinforced through 2023–2024 updates, redefined the regulatory architecture for NBFCs. It classifies NBFCs into Base Layer, Middle Layer, Upper Layer, and Top Layer, depending on their systemic importance, risk profile, and size.

Under this framework:

  • Enhanced Disclosure Requirements: Large and systemically important NBFCs (Upper and Top Layers) are required to maintain advanced disclosure standards, covering capital adequacy, leverage, governance, related-party transactions, and risk concentration.

  • Auditor’s Role: Statutory auditors must verify and report the NBFC’s alignment with its SBR category, ensuring that the entity complies with capital norms, liquidity coverage ratios (LCR), and governance standards prescribed for its layer.

  • Focus on Governance Audits: Auditors are expected to review compliance with the RBI’s fit and proper criteria for directors, board independence, and composition of mandatory committees (Audit, Risk Management, Nomination & Remuneration).

In essence, the SBR framework has increased the complexity and accountability of audits, especially for larger NBFCs that are closely monitored by the RBI.

Cyber Resilience and IT Audits

In today’s digital-first financial ecosystem, cybersecurity and IT governance have emerged as integral components of statutory audit evaluations. The RBI’s Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices (2023) mandates that NBFCs adopt a robust cybersecurity framework and undergo regular independent IT audits.

Key regulatory expectations include:

  • Cybersecurity Audit: NBFCs must conduct annual cybersecurity audits by qualified auditors to ensure compliance with the RBI’s 2023 Cyber Security Framework. The audit scope must include data protection, vulnerability management, network resilience, and disaster recovery testing.

  • Integration with Statutory Audit: The statutory audit must now incorporate an evaluation of IT general controls (ITGCs), data integrity, and digital transaction risk management.

  • Incident Response Readiness: Auditors must assess whether the NBFC has a Cyber Crisis Management Plan (CCMP) and whether incidents are reported to the RBI within 6 hours of detection, as per regulatory norms.

This evolution signifies a clear shift: auditors must now be equally competent in financial and technological domains, bridging the gap between finance, risk, and information security.

NFRA and ICAI Oversight

To further enhance audit quality and professional accountability, the NFRA (National Financial Reporting Authority) and the ICAI (Institute of Chartered Accountants of India) have strengthened their regulatory supervision of statutory audits, particularly for NBFCs and other financial institutions.

  • NFRA Inspections: The NFRA conducts periodic inspections and quality reviews of statutory audits performed for listed and systemically important NBFCs. The objective is to identify deficiencies in audit documentation, independence, and compliance with auditing standards (SAs). Non-compliance may lead to penalties, debarment, or disciplinary proceedings against auditors.

  • ICAI Technical Guide (2023): The ICAI issued a Technical Guide on Audit of NBFCs (Revised 2023), emphasizing risk-based audit methodologies. It encourages auditors to focus on critical areas like ECL provisioning, digital lending, related-party exposure, and fair value measurements.

  • Enhanced Auditor Accountability: Both NFRA and ICAI now expect auditors to maintain complete working papers and document their professional judgments in detail, ensuring that audit opinions are defensible under scrutiny.

Best Practices for Auditor Selection and Management

The process of selecting and managing statutory auditors is one of the most critical governance functions in a Non-Banking Financial Company (NBFC). Given the heightened regulatory scrutiny from the Reserve Bank of India (RBI) and the National Financial Reporting Authority (NFRA), NBFCs must adopt transparent, well-documented, and compliant practices to ensure audit integrity, independence, and quality.

Effective auditor management not only supports accurate financial reporting but also builds stakeholder trust, enhances accountability, and mitigates regulatory risks.

Prepare a Shortlist of Eligible Firms with RBI Experience

The first step toward a credible audit engagement is preparing a shortlist of audit firms that meet both statutory qualifications and sectoral expertise.
NBFCs should prioritize firms with:

  • Proven experience auditing RBI-regulated entities such as NBFCs, banks, and housing finance companies.

  • Adequate partner strength, specialized teams, and CISA-qualified professionals (for IT audit integration).

  • Clean regulatory track records, with no disciplinary proceedings under NFRA or ICAI.

Such a shortlist ensures that the appointed firm understands sector-specific risks, RBI circulars, and compliance frameworks under the Scale-Based Regulatory (SBR) Directions, 2023.

Use Transparent Evaluation Criteria

Auditor selection should be based on objective and transparent evaluation metrics rather than familiarity or convenience.
Key criteria should include:

  • Firm Size and Infrastructure: Evaluate the firm’s audit capacity, staffing levels, and partner-to-client ratio.

  • Technical Expertise: Consider experience in auditing Ind-AS compliant financials, ECL models, and digital lending portfolios.

  • Independence and Integrity: Verify that the firm has no conflict of interest, financial relationships, or business ties with the NBFC or its management.

The Audit Committee of the Board (ACB) must document the selection rationale in its minutes to ensure accountability and regulatory transparency.

Maintain a Rotation Calendar

To comply with Section 139(2) of the Companies Act, 2013 and RBI’s 2021 Auditor Appointment Guidelines, NBFCs must maintain an auditor rotation calendar.
This calendar helps in:

  • Planning auditor transitions well in advance of term expiry.

  • Avoiding last-minute disruptions in financial closure or regulatory reporting.

  • Ensuring compliance with the maximum tenure under Section 139(2) (one five-year term for an individual auditor, two consecutive five-year terms for an audit firm) and the five-year cooling-off period that follows. For NBFCs with asset size of ₹1,000 crore and above, the RBI’s April 27, 2021 circular adds a stricter norm: a continuous tenure of three years, after which the firm is not eligible for reappointment in the same entity for six years. An NBFC must satisfy both, so the shorter RBI tenure determines the rotation date.

A proactive rotation schedule demonstrates good governance and prevents over-familiarity that could impair independence.

Document Audit Engagement Letters

Before the commencement of any audit, NBFCs should execute a formal audit engagement letter that defines the scope, responsibilities, and deliverables of the engagement.

This letter should clearly outline:

  • The nature of the audit (statutory, concurrent, IT, or forensic).

  • Timelines for audit completion and report submission.

  • Confidentiality obligations, data access protocols, and reporting channels for irregularities.

  • Applicable auditing standards (SAs) and regulatory circulars.

Documenting these terms not only clarifies mutual expectations but also provides legal protection in case of disputes or regulatory queries.

Encourage Knowledge-Sharing and Collaboration

Auditors and management should not operate in isolation. Periodic knowledge-sharing sessions between auditors, finance teams, and compliance officers can help foster mutual understanding of regulatory expectations and evolving audit risks.

These sessions should cover:

  • Updates on RBI circulars, Ind-AS changes, and cybersecurity regulations.

  • Emerging challenges such as digital lending audits, ECL provisioning, and data privacy compliance.

  • Lessons learned from previous audits and action plan reviews.

Such collaborative initiatives help bridge communication gaps, strengthen internal controls, and elevate overall audit quality.

Conclusion

The statutory audit of Non-Banking Financial Companies (NBFCs) goes far beyond routine financial verification: it serves as the foundation of governance, accountability, and investor assurance. With rising regulatory expectations under the RBI’s 2021 Auditor Appointment Guidelines, Scale-Based Regulatory (SBR) Directions, 2023, and the ICAI’s 2023 Technical Audit Guide, NBFCs are expected to follow a structured and transparent audit process that aligns with both financial and operational integrity. These frameworks emphasize independence, professional competence, and ethical conduct, ensuring that audits provide meaningful oversight.

In today’s evolving financial landscape, adopting a risk-based audit approach, leveraging technology and data analytics, and ensuring timely, transparent reporting are critical for maintaining compliance and public confidence. A well-managed audit not only meets regulatory obligations but also strengthens institutional credibility, minimizes compliance risks, and promotes sustainable business growth. Thus, for NBFCs, an effective audit system is both a legal necessity and a strategic advantage. 

Frequently Asked Questions (FAQs)

Q1. What is the objective of a statutory audit for NBFCs?

Ans. The statutory audit ensures that an NBFC’s financial statements present a true and fair view of its financial position. It also verifies compliance with RBI prudential norms, asset classification, provisioning, capital adequacy, and governance standards, ensuring transparency, investor protection, and alignment with the Companies Act, 2013.

Q2. Who can conduct a statutory audit for an NBFC?

Ans. Only Chartered Accountant firms registered with the Institute of Chartered Accountants of India (ICAI) and meeting the eligibility criteria prescribed by the RBI and Companies Act can conduct NBFC audits. The auditor must be independent, qualified, and have relevant experience in financial-sector audits and regulatory compliance.

Q3. How long can a statutory auditor serve in an NBFC?

Ans. Under Section 139(2) of the Companies Act, 2013, an individual auditor can serve one term of five years and an audit firm two consecutive terms (ten years), followed by a mandatory five-year cooling-off period before reappointment. For NBFCs with asset size of ₹1,000 crore and above, the RBI’s April 27, 2021 circular applies a stricter norm: a continuous tenure of three years, after which the firm is not eligible for reappointment in the same entity for six years. Since the NBFC must satisfy both sets of rules, the shorter RBI tenure determines when rotation is due.

Q4. Is joint audit mandatory for all NBFCs?

Ans. Joint audit is mandatory for NBFCs and Housing Finance Companies (HFCs) with asset size of ₹15,000 crore or more as per RBI’s April 27, 2021 circular. It ensures balanced opinion, greater transparency, and independence in audit reporting by preventing over-reliance on a single audit firm.

Q5. What are the auditor’s key reporting responsibilities?

Ans. Auditors must report whether financial statements reflect a true and fair view, comply with Ind AS, RBI norms, and internal controls. They also report fraud under Section 143(12) of the Companies Act and ensure proper documentation of provisioning, liquidity, and related-party transactions to prevent regulatory breaches.

Q6. Can the same firm provide both audit and consulting services?

Ans. No. Section 144 of the Companies Act, 2013 prohibits statutory auditors from rendering specified non-audit services (such as accounting and book-keeping, internal audit, design and implementation of financial information systems, investment advisory and management services) to the company they audit, whether directly or indirectly. This preserves auditor independence and prevents conflicts of interest between auditing and consulting engagements.

Q7. What are RBI’s expectations from NBFC auditors?

Ans. RBI expects auditors to verify compliance with prudential norms, assess internal control systems, and detect misstatements or irregularities. They must promptly report serious non-compliances or fraud to RBI and ensure accurate reporting of asset quality, capital adequacy, and adherence to the Scale-Based Regulatory framework.

Q8. What happens if an NBFC fails to comply with auditor appointment norms?

Ans. Non-compliance with auditor appointment or independence rules can attract regulatory action under the RBI Act, 1934, including monetary penalties, cancellation of the certificate of registration under Section 45-IA, and restrictions on new business. Persistent violations may trigger enforcement actions, inspections by RBI, or reference to the National Financial Reporting Authority (NFRA).

Q9. How can NBFCs strengthen their audit readiness?

Ans. NBFCs can enhance audit readiness by maintaining accurate records, updating compliance checklists, improving internal controls, and adopting digital accounting tools. Regular internal audits, Board oversight, timely reconciliation, and training finance teams on regulatory updates ensure a smooth and transparent statutory audit process.

Q10. What is the role of NFRA in NBFC audits?

Ans. The National Financial Reporting Authority (NFRA) oversees audit quality for listed and large unlisted companies, including NBFCs. It ensures adherence to accounting and auditing standards, inspects audit firms, and can take disciplinary action for professional misconduct, thereby strengthening the reliability of financial reporting.

CA Manish Mishra is the Co-Founder & CEO at GenZCFO. He is a sought-after professional providing virtual CFO services to startups and established businesses across diverse sectors such as retail, manufacturing, food, and financial services, with over 20 years of experience in strategic financial planning, regulatory compliance, fundraising and M&A.