
Concurrent audit in NBFCs: what RBI inspectors are looking for in 2026
RBI's 2026 inspection cycle is asking sharper questions than the previous one. The same seven observations recur in roughly 80% of NBFC findings. Here is what they are and what the concurrent audit should be catching first.
The RBI's NBFC inspection cycle has tightened in two specific ways since the scale-based regulation framework came into force. First, the inspection scope is now calibrated to the NBFC's layer — base, middle, upper, top — and the depth of testing in the upper and middle layers has expanded materially. Second, the inspection team is reading the concurrent audit reports more carefully than they used to. If the concurrent auditor flagged an issue and the management did not act, the inspection note will say so. If the concurrent auditor missed an issue that the inspection found, the inspection note will say that too.
We have run concurrent audits across NBFCs in retail lending, microfinance, gold loans, and equipment finance for the better part of a decade. The seven observations below show up in roughly 80% of inspection findings we have reviewed in the last two cycles. None of them are exotic. All of them should be caught by a concurrent audit that is scoped correctly.
The RBI Master Direction baseline
The operating reference for NBFC concurrent audit is the Master Direction on Internal Audit Function in NBFCs (Risk-Based Internal Audit) read with the RBI Scale-Based Regulation framework. For upper-layer and middle-layer NBFCs, the audit committee is required to ensure that high-risk areas are covered concurrently. The specific areas — credit administration, treasury, large exposures, KYC, branch operations — are spelled out and are not optional.
The 2026 inspection focus reflects this, with the added overlay of Ind-AS 109 ECL methodology, which has become a serious area of review for NBFCs with portfolios above ₹500 crore.
Observation one: NPA classification gaps under IRACP
RBI's Income Recognition, Asset Classification and Provisioning (IRACP) norms are the bedrock of NBFC portfolio reporting. The classification rules are well-documented. What inspectors find repeatedly is that the system implementation of the rules does not match the policy intent.
The most common pattern: an account is classified as standard at month-end based on the receipt of a partial payment in the last week of the month. The partial payment is not enough to bring the account current — it does not cover the overdue interest plus principal — but the system treats any payment received as a cure event and resets the DPD bucket.
On a portfolio of ₹2,000 crore, this can suppress reported gross NPAs by 30 to 80 basis points. The concurrent auditor's role is to sample accounts where the latest payment did not fully cure the arrears, and check whether the classification rule was applied correctly. In our experience, between 4% and 7% of such accounts in a typical sample are misclassified.
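A reperformance test for the false-cure pattern described above, as an added example (not code from any NBFC's loan system): it reallocates receipts to the oldest dues first and compares the resulting DPD with what the system reported at month-end. The field names, the oldest-dues-first allocation rule and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    account_id: str
    dues: list        # [(due_date, amount_due)], interest plus principal per instalment
    payments: list    # [(paid_on, amount)]
    system_dpd: int   # DPD the loan system reported at month-end

def recomputed_dpd(acct, as_of):
    """Apply receipts to the oldest dues first (assumed allocation rule) and
    count days past due from the oldest instalment that is still unpaid."""
    pool = sum(amount for paid_on, amount in acct.payments if paid_on <= as_of)
    for due_date, amount in sorted(acct.dues):
        if due_date > as_of:
            break                          # not yet due, cannot be overdue
        if pool >= amount:
            pool -= amount                 # instalment fully settled
            continue
        return (as_of - due_date).days     # part-paid instalment stays overdue
    return 0

def false_cures(accounts, as_of):
    """Return (account_id, system_dpd, recomputed_dpd) where the system
    reports fewer days past due than the payment history supports."""
    findings = []
    for acct in accounts:
        actual = recomputed_dpd(acct, as_of)
        if acct.system_dpd < actual:
            findings.append((acct.account_id, acct.system_dpd, actual))
    return findings

# Constructed sample, not real account data.
MONTH_END = date(2026, 3, 31)
SAMPLE = [
    # Partial receipt in the last week; system reset the bucket to 0.
    Account("A1", [(date(2025, 12, 5), 10000), (date(2026, 1, 5), 10000),
                   (date(2026, 2, 5), 10000), (date(2026, 3, 5), 10000)],
            [(date(2026, 3, 27), 5000)], system_dpd=0),
    # Arrears fully cleared; DPD of 0 is correct.
    Account("A2", [(date(2026, 2, 5), 10000), (date(2026, 3, 5), 10000)],
            [(date(2026, 3, 28), 20000)], system_dpd=0),
    # Partial receipt, and the system kept the account overdue.
    Account("A3", [(date(2026, 3, 5), 10000)],
            [(date(2026, 3, 20), 4000)], system_dpd=26),
]

if __name__ == "__main__":
    for account_id, reported, actual in false_cures(SAMPLE, MONTH_END):
        print(f"{account_id}: system DPD {reported}, reperformed DPD {actual}")
```

Run against a month-end extract, the flagged accounts become the sample for manual file review rather than a finding in themselves, since the NBFC's documented allocation policy may differ from the rule assumed here.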
Observation two: KYC documentation that the LOS green-lit but the file does not support
The loan origination system records KYC document collection as a checkbox. The branch operations executive ticks the box. The disbursement proceeds. The actual document, in many files, is either a poor-quality photocopy, a document for a different person, or a document that expired before the loan was booked.
RBI inspectors pull a sample of disbursed files and check the underlying KYC documents physically or through the imaging system. The mismatch rate they find is consistently higher than what the concurrent auditor's monthly report shows. The reason is that the concurrent auditor often relies on the LOS report rather than the underlying file.
A concurrent audit that does not physically inspect KYC documents is not testing KYC. It is testing the LOS reporting accuracy, which is a different thing.
Observation three: end-use monitoring of loans
For working capital loans, term loans for specific equipment, and any loan where the end-use is tied to the credit decision, the NBFC is required to monitor that the funds were used for the stated purpose. The most common monitoring tool is a post-disbursement visit, supported by GST invoices, equipment delivery receipts, or other documentary evidence.
What inspectors find: the post-disbursement visit is recorded but the supporting documentation is missing. The branch executive visited the borrower, signed a visit report, and filed it. The invoice for the equipment financed is not in the file. The GST registration that the working capital loan was supposed to support has not been verified. When the inspector asks for the evidence, the file is bare.
Concurrent audit can catch this in two weeks of branch-level sampling if the scope includes end-use verification. Many concurrent audit scopes do not include it.
Observation four: related-party exposures
NBFCs with a holding company structure or a sponsor group routinely have exposures to related parties — group companies, promoter-linked entities, or co-lending partners with common ownership. The reporting of these exposures has tightened materially under RBI's 2024 disclosure framework.
The inspection observation is rarely about an undisclosed exposure. It is about exposures that are disclosed but where the arm's-length pricing, the operating terms, and the actual portfolio behaviour do not match what was approved by the board.
A specific pattern: the board approves a co-lending arrangement with a group entity at a defined first-loss default guarantee structure and a defined portfolio selection criterion. Over 18 months, the operating team modifies the selection criterion informally to reflect the group entity's preferences. The board has not approved the modification. The inspection sees the original board resolution and the actual portfolio composition, and the gap is the finding.
Concurrent audit's role is to flag the gap between the documented arrangement and the operating practice. This requires interviewing the treasury and credit teams, not just reading the agreements.
Observation five: fair practices code adherence
The Fair Practices Code is treated by many NBFCs as a website disclosure. RBI inspectors treat it as an operating requirement. The areas where inspectors find consistent gaps:
Recovery practices — particularly third-party recovery agencies that are not on the NBFC's approved panel, or that use practices that violate the recovery agent code of conduct.
Communication with delinquent borrowers — the regulatory expectation that calls happen in restricted hours, in the borrower's language where reasonably possible, and with recorded scripts.
Pricing disclosure — the annualised interest rate, fee structure, and total cost of credit communicated to the borrower at sanction, in the form required by RBI.
Each of these is auditable. The concurrent audit should sample recovery calls, recovery agent panel records, and sanction documents, on a rolling basis.
Observation six: Ind-AS 109 ECL methodology
Expected Credit Loss computation under Ind-AS 109 is the area where the 2026 inspection cycle has stepped up the most. The methodology is complex — staging based on credit deterioration, probability of default models, loss given default by collateral class, exposure at default, forward-looking macroeconomic adjustments.
The inspection findings cluster in three places. The PD models are calibrated on a portfolio cohort that no longer reflects the current portfolio mix. The LGD assumptions on unsecured personal lending have not been updated despite a clear shift in collection recovery rates. The forward-looking adjustment is a flat multiplier rather than a documented response to a specific macroeconomic input.
Concurrent audit is not expected to redo the ECL model. It is expected to test that the model is being run as documented, that the inputs are current, and that the governance — the model committee, the model risk policy, the periodic validation — is functioning.
Observation seven: branch-level cash and gold loan operations
For NBFCs with branch networks, particularly gold loan NBFCs, branch-level operations remain the highest-risk area: cash handling, gold valuation, the auction process for defaulted accounts, and physical custody of pledged gold.
The inspection observations: vault access logs that are not maintained, dual-custody breaches at branch level, gold valuation that did not follow the documented purity testing process, auction sales below the floor price without board-approved exception.
Concurrent audit at branch level is the single highest-value piece of work in a gold loan NBFC. The scope should include surprise vault counts, valuation reperformance on a sample, and auction file review.
What a concurrent audit scope should look like in 2026
Most concurrent audit scopes are anchored to the 2018 or 2020 Master Direction language. The 2026 inspection focus has moved beyond those scopes. The audit committee should review the concurrent audit terms of reference annually and update them to reflect:
Ind-AS 109 ECL governance testing, related-party transaction operating-practice verification, end-use monitoring sampling, fair practices code call sampling, IT general controls including access reviews, and branch-level surprise verification for cash and physical collateral.
What we recommend before the next inspection
Three things, in order.
First, pull the last two RBI inspection notes and the last two concurrent audit reports, and overlay them. Where the inspection found something the concurrent audit did not, the scope or the depth was insufficient.
Second, refresh the concurrent audit terms of reference with the audit committee. Add the seven observations above as standing scope items unless one of them is genuinely not applicable.
Third, run a mock inspection in the quarter before the actual inspection is due. The mock inspection is not the same as a concurrent audit. It is a focused, two-week exercise scoped exactly the way RBI scopes its inspection, run by people who have been on the other side of the table.
The NBFCs that finish their RBI inspections with two-page observation lists rather than twelve-page ones are not lucky. They have done this work, in this order, before the inspector walked in.