Updated May 2026

NBFC Internal Audit SOP: Regulatory Compliance Guide

Having a well-structured internal audit checklist for an NBFC is the single most important step you can take to ensure consistency, reduce errors, and save countless hours of repeated effort. Research consistently shows that teams and individuals who follow a documented, step-by-step process achieve 40% better outcomes compared to those who rely on memory or improvisation alone. Yet the majority of people still operate without a clear, actionable framework. This comprehensive NBFC Internal Audit SOP: Regulatory Compliance Guide template bridges that gap, giving you a battle-tested, ready-to-use guide that covers every critical step from start to finish, so nothing falls through the cracks.


Complete SOP & Checklist


Registry ID: TR-INTERNAL

Standard Operating Procedure: Internal Audit for Non-Banking Financial Companies (NBFCs)

This Standard Operating Procedure (SOP) outlines the framework for conducting a comprehensive internal audit of a Non-Banking Financial Company (NBFC). The objective is to evaluate the effectiveness of the internal control environment, ensure adherence to regulatory guidelines (such as those prescribed by the RBI or local financial authorities), verify the integrity of financial reporting, and mitigate operational and credit risks. This audit process is designed to provide management with actionable insights to strengthen governance and maintain compliance.

Phase 1: Regulatory Compliance and Governance

  • Verify the existence and validity of the Certificate of Registration (CoR) issued by the regulator.
  • Review the minutes of the Board of Directors and various committees (Audit, Risk Management, Nomination and Remuneration).
  • Assess compliance with Fair Practices Code (FPC) and Interest Rate Policy.
  • Confirm the presence of a Chief Risk Officer (CRO) and Chief Compliance Officer (CCO) as per regulatory mandates.
  • Ensure that the "Fit and Proper" criteria for directors are documented and updated annually.

Phase 2: Loan Origination and Credit Underwriting

  • Check KYC/AML documentation for a sample of loan files (verify OVDs, PAN, and Aadhaar seeding).
  • Validate the credit appraisal process against the board-approved Credit Policy.
  • Verify the assessment of borrower repayment capacity and debt-to-income ratios.
  • Ensure that collateral valuation reports are obtained from empanelled valuers and are current.
  • Review documentation for Loan-to-Value (LTV) ratios to ensure they remain within prescribed regulatory limits.

Phase 3: Loan Disbursement and Monitoring

  • Confirm that disbursement is made only via electronic transfer (NEFT/RTGS/IMPS) to the borrower's bank account.
  • Reconcile the loan management system (LMS) with the general ledger.
  • Verify the existence and security of original collateral documents (property deeds, hypothecation agreements).
  • Test the system for identifying and flagging Non-Performing Assets (NPAs) based on the "days past due" (DPD) aging criteria.
  • Ensure proper provisioning as per the Expected Credit Loss (ECL) or income recognition and asset classification (IRAC) norms.

Phase 4: Financial Accounting and Treasury

  • Reconcile bank statements with the accounting software on a monthly basis.
  • Verify that TDS, GST, and other statutory deductions are paid within the prescribed timelines.
  • Audit the treasury operations, including liquidity risk management and investment policy adherence.
  • Check for any unauthorized inter-company transfers or related-party transactions.
  • Ensure that financial statements are prepared in accordance with applicable accounting standards (e.g., Ind-AS).

Phase 5: IT Systems and Data Security

  • Review the Information Security Policy and incident reporting logs.
  • Assess data backup and disaster recovery (DR) protocols (verify last successful restore test).
  • Check user access controls and verify that terminated employees have been de-provisioned from the LMS.
  • Validate the audit trail logs for any manual overrides in interest rates or loan tenures.

Pro Tips & Pitfalls

  • Pro Tip: Use data analytics tools to perform 100% testing on high-risk areas (like disbursements) rather than relying on manual sampling.
  • Pro Tip: Maintain an "Audit Trail Repository" where all communication regarding audit observations is stored to ensure transparency during external audits.
  • Pitfall: Over-reliance on "System Logic." Never assume the software is always correct; always perform a manual "sanity check" on the calculation of interest and late payment charges.
  • Pitfall: Ignoring the "soft" controls. An audit is not just about numbers; check the office culture, staff training records, and grievance handling mechanisms.

Frequently Asked Questions (FAQ)

Q: How often should an internal audit be conducted for an NBFC?
A: Regulatory guidelines typically mandate at least an annual internal audit. However, for companies with a high volume of transactions or complex asset portfolios, a quarterly or bi-annual audit cycle is highly recommended to manage risk proactively.

Q: What is the most critical area to prioritize during an NBFC audit?
A: Credit underwriting and KYC/AML compliance are the most critical. Regulatory penalties for KYC lapses or poor credit quality can be severe and carry significant reputational risk.

Q: What should be done if the internal auditor finds a significant regulatory breach?
A: Any material breach must be reported immediately to the Audit Committee of the Board and, if required by law, to the regulatory authority. A corrective action plan (CAP) with a firm deadline for remediation must be drafted and tracked.
