Insights
Notes from the desk.
Long-form writing from Nucleus partners. Fundraise mechanics, term sheets, M&A, valuations, risk and tax.
Latest: 26 May 2026
AI will not replace internal auditors — but it will replace low-value audit work
AI will absolutely change internal audit. Procedural testing will become faster and broader. But the highest-value audit work has always been about judgement — and that part is where auditors stay essential.
What internal audit actually catches in an NBFC: five recurring control failures
Ashish Gupta has audited NBFCs across lending, microfinance, and housing finance for 13 years. The same five control failures appear in almost every engagement. Here is what they are and what the cost looks like.
Why most concurrent audits miss the real branch risk
Most concurrent audits still operate as transaction-checking exercises. The reports exist, the observations exist, and the real risk sits outside the reporting framework. The problem is not whether the audit happened — it is what the audit chose to look at.
SOPs and operational audits in NBFCs: why growth without process discipline eventually fails
Most NBFC operational failures do not begin with fraud. They begin with inconsistency — one branch follows the credit policy strictly, another relies on local judgement. The portfolio still grows, until it does not.
Risk-based audit planning: how to allocate hours by risk score
A uniform audit plan — every process every three years — wastes hours on low-risk areas and under-serves high-risk ones. The fix is a five-axis scoring model that drives hour allocation against risk, refreshed annually.
Concurrent audit in NBFCs: what RBI inspectors are looking for in 2026
RBI's 2026 inspection cycle is asking sharper questions than the previous one. The same seven observations recur in roughly 80% of NBFC findings. Here is what they are and what the concurrent audit should be catching first.
Fraud risk assessment: building a framework that does more than tick boxes
Most fraud risk assessments are a one-page document that lists 'segregation of duties' under every process and gets refreshed annually. That document does not prevent fraud. Here is what a real framework looks like.
Audit committees: five questions the chair should ask every quarter
Most audit committee meetings get stuck on routine approvals — minutes, fee proposals, statutory updates. The five questions below are what an effective chair brings to every quarterly meeting, in this order.
SOX-like controls in Indian listed companies: where US framework diverges
Indian listed companies with ADR exposure run dual control frameworks — SOX 404 for US filings and IFC under the Companies Act for India. Most of the work overlaps. The differences are where the engagement effort sits.
ICFR for first-time IPO-bound companies: the 90-day prep checklist
Most IPO-bound companies start their ICFR work twelve months too late. By the time the merchant banker asks for the auditor's IFC report, the gap is too wide to close cleanly. Here is what a real 90-day sprint looks like.
Treasury controls: the four reconciliations every CFO should automate
Most treasury fraud surfaces at month-end, when manual reconciliations slip and the closing team is exhausted. The fix is not more headcount. It is automating the four reconciliations that should never depend on a tired person at 11pm.
Vendor risk: why 60% of post-incident reviews trace back to suppliers
Verizon's 2024 Data Breach Investigations Report puts third-party involvement at more than 60% of breach cases. The vendor risk lifecycle most companies operate stops at onboarding due diligence. The other three stages are where the actual exposure sits.
The control gaps PE auditors flag in diligence — and how to close them in 90 days
Private equity diligence on growth-stage Indian targets surfaces the same eight control gaps in roughly 90% of cases. Catch them before the diligence starts, and the closing timeline tightens by weeks.
Internal audit for SaaS companies: what to test beyond AR and cash
Most internal audit programmes for SaaS companies were designed for an earlier business model. AR ageing and cash reconciliation are necessary but no longer enough. The places where SaaS-specific risk concentrates are different.
Whistleblower mechanisms that work — and how to handle the first one
Section 177 of the Companies Act, 2013 makes a vigil mechanism mandatory. Most companies build the mechanism, post the email address, and then are unprepared when the first material complaint actually arrives. Here is the protocol that holds.
Forensic accounting basics for in-house finance teams
Forensic accounting is not a separate profession that you call when fraud has already happened. It is a set of analytical techniques that an in-house finance team can apply to the books, every month, to surface anomalies before they become incidents.
Process audit vs internal audit: when each is the right tool
Most CFOs use the two terms interchangeably. They are not the same thing. Using one when you need the other is how companies end up with deep dives in places that did not need them and breadth gaps in places that did.
Cybersecurity audits for fintechs: beyond the ISO 27001 certificate
An ISO 27001 certificate is necessary but not enough for an Indian fintech today. RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (in force since April 2024) has raised the floor, and real audits now test what the certificate does not: API security, secrets hygiene, and tabletop incident response.