
Writing from the desk
CA Ashish Gupta
Senior Partner
- Internal Audit
- BFSI Advisory
- Risk Management
Ashish leads the Internal Audit and Risk Management division at Nucleus Advisors, bringing extensive experience in internal audit, risk management, process improvement, and operational excellence across diverse industries.
He has successfully led internal audits, risk assessments, compliance reviews, and process optimisation assignments for organisations ranging from growing enterprises to large established businesses. His expertise lies in identifying operational gaps, strengthening internal controls, improving efficiency, and helping businesses build robust and scalable processes.
With a practical and business-oriented approach, Ashish works closely with management teams to design tailored solutions that not only mitigate risks but also enhance productivity, transparency, and long-term growth. His ability to understand business operations in depth enables organisations to navigate complex challenges with confidence while maintaining strong governance and compliance standards.
Under his leadership, Nucleus Advisors has built a reputation for delivering insightful, value-driven internal audit solutions that help businesses across industries improve performance, reduce risks, and achieve sustainable growth.
Body of work
All articles by Ashish.
Internal audit & ICFR
AI will not replace internal auditors — but it will replace low-value audit work
AI will absolutely change internal audit. Procedural testing will become faster and broader. But the highest-value audit work has always been about judgement — and that part is where auditors stay essential.
11 min read
Internal audit & ICFR
What internal audit actually catches in an NBFC: five recurring control failures
Ashish Gupta has audited NBFCs across lending, microfinance, and housing finance for 13 years. The same five control failures appear in almost every engagement. Here is what they are and what the cost looks like.
9 min read
Sector risk
Why most concurrent audits miss the real branch risk
Most concurrent audits still operate as transaction-checking exercises. The reports exist, the observations exist, and the real risk sits outside the reporting framework. The problem is not whether the audit happened — it is what the audit chose to look at.
11 min read
Internal audit & ICFR
SOPs and operational audits in NBFCs: why growth without process discipline eventually fails
Most NBFC operational failures do not begin with fraud. They begin with inconsistency — one branch follows the credit policy strictly, another relies on local judgement. The portfolio still grows, until it does not.
11 min read
Internal audit & ICFR
Risk-based audit planning: how to allocate hours by risk score
A uniform audit plan — every process every three years — wastes hours on low-risk areas and under-serves high-risk ones. The fix is a five-axis scoring model that drives hour allocation against risk, refreshed annually.
11 min read
Sector risk
Concurrent audit in NBFCs: what RBI inspectors are looking for in 2026
RBI's 2026 inspection cycle is asking sharper questions than the previous one. The same seven observations recur in roughly 80% of NBFC findings. Here is what they are and what the concurrent audit should be catching first.
10 min read
Fraud & forensics
Fraud risk assessment: building a framework that does more than tick boxes
Most fraud risk assessments are a one-page document that lists 'segregation of duties' under every process and gets refreshed annually. That document does not prevent fraud. Here is what a real framework looks like.
11 min read
Internal audit & ICFR
Audit committees: five questions the chair should ask every quarter
Most audit committee meetings get stuck on routine approvals — minutes, fee proposals, statutory updates. The five questions below are what an effective chair brings to every quarterly meeting, in this order.
11 min read
Internal audit & ICFR
Treasury controls: the four reconciliations every CFO should automate
Most treasury fraud surfaces at month-end, when manual reconciliations slip and the closing team is exhausted. The fix is not more headcount. It is automating the four reconciliations that should never depend on a tired person at 11pm.
11 min read
Sector risk
Vendor risk: why 60% of post-incident reviews trace back to suppliers
Verizon's 2024 Data Breach Investigations Report puts third-party involvement in 60%-plus of breach cases. The vendor risk lifecycle most companies operate stops at onboarding due diligence. The other three stages are where the actual exposure sits.
11 min read
Sector risk
Internal audit for SaaS companies: what to test beyond AR and cash
Most internal audit programmes for SaaS companies were designed for an earlier business model. AR ageing and cash reconciliation are necessary but no longer enough. The places where SaaS-specific risk concentrates are different.
11 min read
Internal audit & ICFR
Whistleblower mechanisms that work — and how to handle the first one
Section 177 makes a vigil mechanism mandatory. Most companies build the mechanism, post the email address, and then are unprepared when the first material complaint actually arrives. Here is the protocol that holds.
11 min read
Fraud & forensics
Forensic accounting basics for in-house finance teams
Forensic accounting is not a separate profession that you call when fraud has already happened. It is a set of analytical techniques that an in-house finance team can apply to the books, every month, to surface anomalies before they become incidents.
11 min read
Sector risk
Cybersecurity audits for fintechs: beyond the ISO 27001 certificate
An ISO 27001 certificate is necessary but not enough for an Indian fintech today. RBI's newly issued IT Framework Master Direction has raised the floor, and real audits now test what the certificate does not — API security, secrets hygiene, and tabletop response.
11 min read
