Reserve Bank of India (Commercial Banks - Statutory Audit) Directions, 2026

RBI/DoS/2026-27/XX
DoS.CO.ARG.XX/08.91.001/2026-27

XXXX XX, 2026

Table of Contents
Chapter I - Preliminary
A. Short Title and Commencement
B. Applicability
C. Definitions
Chapter II - Governance and Oversight
A. Role of the Board and Senior Management
Chapter III - Guidelines for Appointment
A. Number of Statutory Central Auditors / Statutory Auditors and Branch Coverage
B. Eligibility Criteria of Auditors
C. Independence of Auditors
D. Professional Standards
E. Tenure and Rotation
F. Audit Fees and Expenses
G. Appointment Procedure
H. Appointment of Statutory Auditors for Overseas Branch(es)
Chapter IV – Long Form Audit Report
A. Procedure and Timelines
B. Long Form Audit Report by the Statutory Central Auditors
B.1 Objectives, Strategy, Scope, and Coverage
B.2 Indicative Coverage
C. Long Form Audit Report by the Statutory Branch Auditors
Chapter V - Repeal and Other Provisions
A. Repeal and Saving
B. Application of Other Laws Not Barred
C. Interpretations
Annex I
Annex II
Annex III
Annex IV
Annex V

In exercise of powers conferred by Section 30(1A) of the Banking Regulation Act, 1949, Section 10(1) of the Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970 / 1980, and Section 41(1) of State Bank of India Act, 1955 (SBI Act), and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest so to do, hereby issues these Directions hereinafter specified.

Chapter I - Preliminary

A. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Commercial Banks – Statutory Audit) Directions, 2026.

2. These Directions shall come into effect immediately upon issuance.

B. Applicability

3. These Directions shall be applicable to the Commercial Banks (hereinafter collectively referred to as ‘banks’ and individually as a ‘bank’) in respect of appointment / reappointment of their Statutory Central Auditors (SCAs) / Statutory Auditors (SAs).

For the purpose of these Directions, ‘Commercial Banks’ means banking companies (other than Small Finance Banks, Payment Banks, and Local Area Banks), corresponding new banks, and the State Bank of India, as defined respectively under clauses (c), (da), and (nc) of Section 5 of the Banking Regulation Act, 1949.

For the purpose of these Directions, SCAs shall apply to banks which appoint separate Statutory Branch Auditors (SBAs), while SAs shall apply to all other banks.

C. Definitions

4. In these Directions, unless the context states otherwise, the terms herein shall bear the meaning assigned to them below.

(1) ‘All India Financial Institutions’ shall mean National Bank for Agriculture and Rural Development (NABARD), Small Industries Development Bank of India (SIDBI), National Housing Bank (NHB), Export-Import Bank of India (EXIM Bank) and National Bank for Financing Infrastructure and Development (NaBFID) as established under their respective statutes, (hereinafter collectively referred to as ‘AIFIs’).

(2) ‘Audit Firm’ shall mean a partnership firm or Limited Liability Partnership (LLP).

(3) ‘Central Co-operative Bank (CCB)’ shall be as defined under Sub-Section (d) of Section 2 of National Bank for Agriculture and Rural Development Act, 1981.

(4) ‘Group Entities’ shall mean two or more entities related to each other through any of the following relationships, viz. Subsidiary - parent [defined in terms of Accounting Standards (AS) 21], Joint venture (defined in terms of AS 27), Associate (defined in terms of AS 23), Promoter - Promotee [as provided in the SEBI (Acquisition of Shares and Takeover) Regulations, 1997] for listed companies, a related party (defined in terms of AS 18), Common brand name, and investment in equity shares of 20 per cent and above.

(5) ‘Large Exposure (LE)’ means the aggregate of all exposure values of a Regulated Entity (RE) to a single counterparty or to a group of connected counterparties, as computed in accordance with paragraphs 32 to 85 of Chapter III (Large Exposures Framework) of the Reserve Bank of India (Commercial Banks - Concentration Risk Management) Directions, 2025 which is equal to or exceeds 10 per cent of the RE’s eligible capital base.

For the purpose of this definition, the expressions counterparty and group of connected counterparties shall have the meanings respectively assigned to them in paragraphs 19 to 31 of the aforesaid Directions. The expression eligible capital base shall have the meaning ascribed to it under the extant regulatory capital framework applicable to the RE, as amended from time to time.

(6) ‘NBFCs [including Housing Finance Companies (HFCs)]’ shall mean such entities as defined in the Reserve Bank of India (Non-Banking Financial Companies – Registration, Exemptions and Framework for Scale Based Regulation) Directions, 2025.

(7) ‘Primary (Urban) Co-operative Banks (UCB)’ shall mean entities as defined in Section 5 (ccv) read with Section 56 of the Banking Regulation Act, 1949.

(8) ‘Public Sector Banks (PSBs)’ (individually as a ‘PSB’) shall refer to State Bank of India and corresponding new banks collectively.

(9) ‘State Bank of India’ shall mean State Bank of India as defined in Section 5 (nc) of the Banking Regulation Act, 1949.

(10) ‘State Co-operative Bank (StCB)’ shall be as defined under Sub-Section (u) of Section 2 of National Bank for Agriculture and Rural Development Act, 1981.

5. All other expressions unless defined herein shall have the same meaning as have been assigned to them under the Reserve Bank of India Act, 1934, the Banking Regulation Act, 1949, the Companies Act, 2013, or any statutory modification or re-enactment thereto or other regulations issued by RBI or the Glossary of Terms published by RBI or as used in commercial parlance, as the case may be.

Chapter II - Governance and Oversight

A. Role of the Board and Senior Management

6. The bank shall decide on the number of SCAs / SAs based on a Board [Local Management (LM) in case of foreign banks operating under branch mode in India] approved policy, inter alia, taking into account the relevant factors such as the size and spread of assets, accounting and administrative units, complexity of transactions, level of computerisation, availability of other independent audit inputs, identified risks in financial reporting, etc.

7. The Audit Committee of the Board (ACB) / LM shall monitor and assess the independence of the auditors and conflict of interest position in terms of relevant regulatory provisions, standards, and best practices. Any concerns in this regard shall be flagged by the ACB / LM to the Board of Directors of the bank and the concerned Senior Supervisory Manager (SSM), Department of Supervision (DoS), RBI.

8. The Board / ACB / LM of the bank shall review the performance of SCAs / SAs on an annual basis. Any serious lapses or negligence in audit responsibilities or conduct issues on part of the SCAs / SAs or any other matter considered as relevant shall be reported to DoS, RBI within two months from completion of the annual audit. Such reports should be sent with the approval / recommendation of the Board / ACB / LM, with full details of the audit firm. The Board shall review the performance of SCAs / SAs in case ACB is non-existent in the bank.

9. The Board / ACB / LM of the bank shall make recommendations to the competent authority as per the relevant statutory / regulatory instructions for fixing of audit fees of SCAs / SAs.

10. The bank shall formulate a Board / LM approved policy to be hosted on its official website / public domain and formulate necessary procedure thereunder to be followed for appointment of SCAs / SAs. Apart from conforming to all relevant statutory / regulatory requirements in addition to these instructions, this should afford necessary transparency and objectivity for most key aspects of this important assurance function.

Chapter III - Guidelines for Appointment

A. Number of Statutory Central Auditors / Statutory Auditors and Branch Coverage

11. For banks with asset size of ₹15,000 crore and above as at the end of previous year, the statutory audit shall be conducted under joint audit by a minimum of two audit firms. For the purpose of these Directions, asset size means total assets. All other banks should appoint a minimum of one audit firm for conducting statutory audit. It shall be ensured that the joint auditors of the bank do not have any common partners and they are not under the same network of audit firms as defined in Rule 6(3) of the Companies (Audit and Auditors) Rules, 2014. Further, the bank may finalise the work allocation among SCAs / SAs, before the commencement of the statutory audit, in consultation with their SCAs / SAs.

12. Considering the above factors and the requirements of the bank, the actual number of SCAs / SAs to be appointed shall be decided by the respective Board / LM, subject to the following limits:

| Sr. No. | Asset Size of the Bank | Maximum Number of SCAs / SAs |
|---|---|---|
| 1. | Up to ₹5,00,000 crore | 4 |
| 2. | Above ₹5,00,000 crore and up to ₹10,00,000 crore | 6 |
| 3. | Above ₹10,00,000 crore and up to ₹20,00,000 crore | 8 |
| 4. | Above ₹20,00,000 crore | 12 |

The above limits have been prescribed to ensure that the number of SCAs / SAs appointed by the banks are adequate, commensurate with the asset size and extent of operations of the banks, with a view to ensure that audits are conducted in a timely and effective manner.

13. A PSB shall allot the top 20 branches (to be selected strictly in order of the level of outstanding advances) to SCAs in such a manner as to cover a minimum of 15 per cent of the total gross advances of the bank by SCAs. Before approaching RBI for approval to treat any of the branches earlier selected for audit as unaudited subsequently, PSBs should consult their SCAs and obtain their written concurrence for such exclusion from audit. While seeking prior approval from the RBI, the bank shall state in its letter that the concurrence of the SCAs has been obtained.

14. For other banks, SCAs / SAs shall visit and audit at least the top 20 branches / the top 20 per cent of the branches of the bank (in case of banks having less than 100 branches), to be selected in order of the level of outstanding advances, in such a manner as to cover a minimum of 15 per cent of total gross advances of the bank. In addition, the banking companies shall ensure adherence to the provisions of Section 143 (8) of the Companies Act, 2013 regarding the audit of accounts of all branches.

B. Eligibility Criteria of Auditors

15. The bank shall appoint audit firm(s) as its SCA(s) / SA(s) fulfilling the eligibility norms as prescribed below.

| Asset Size of the bank as on 31st March of Previous Year | Minimum No. of Full-Time partners (FTPs) associated with the audit firm for a period of at least three (3) years (Note 1) | Out of total FTPs, Minimum No. of Fellow Chartered Accountant (FCA) Partners associated with the audit firm for a period of at least three (3) years | Minimum No. of Full Time Partners / Paid CAs with CISA / ISA Qualification (Note 2) | Minimum No. of years of Audit Experience of the firm (Note 3) | Minimum No. of Professional staff (Note 4) |
|---|---|---|---|---|---|
| Above ₹15,000 crore | 5 | 4 | 2 | 15 | 18 |
| Above ₹1,000 crore and up to ₹15,000 crore | 3 | 2 | 1 | 8 | 12 |
| Up to ₹1,000 crore | 2 | 1 | 1 | 6 | 8 |

Note 1: There shall be at least one-year continuous association of partners with the audit firm as on the date of empanelment (for PSBs) / shortlisting (for other banks) for considering them as full-time partners. Further, for appointment as SCAs / SAs of banks with an asset size above ₹1,000 crore, at least two partners of the firm shall have continuous association with the firm for at least 10 years. For banks, with an asset size above ₹1,000 crore, the full-time partner’s association with the audit firm shall mean ‘exclusive association’. The definition of ‘exclusive association’ will be based on the following criteria:

(1) The full-time partner should not be a partner in another audit firm(s).

(2) They should not be employed full time / part time elsewhere.

(3) They should not be practicing in their own name or engaged in practice otherwise or engaged in other activity which would be deemed to be in practice under Section 2(2) of the Chartered Accountants Act, 1949.

(4) In case of PSBs, the income of the partner from the firm / Limited Liability Partnership (LLP) should not be below the threshold limits prescribed by the Office of Comptroller and Auditor General (CAG) for the purpose of consideration as full-time partners for appointment as auditors of Public Sector Undertakings. For other banks, the Board / ACB / LM shall examine and ensure that the income of the partner from the firm / LLP is adequate for considering them as full-time exclusively associated partners, which will ensure the capability of the firm for the purpose.

Note 2: Certified Information Systems Auditor (CISA) / Information Systems Audit (ISA) Qualification:

There shall be at least one-year continuous association of Paid CAs with CISA / ISA qualification with the firm as on the date of empanelment (for PSBs) / shortlisting (for other banks) for considering them as Paid CAs with CISA / ISA qualification for the purpose.

Note 3: Audit Experience

Audit experience shall mean experience of the audit firm as Statutory Central / Branch Auditor of Commercial Banks, Small Finance Banks, Payment Banks, Local Area Banks or AIFIs. In case of merger and demerger of audit firms, merger effect will be given after two years of merger while demerger shall be effected immediately for this purpose.

Note 4: Professional Staff

Professional staff includes audit and article clerks with knowledge of book-keeping and accountancy and who are engaged in on-site audits but excludes typists / stenographers / computer operators / secretaries / subordinate staff, etc. There should be at least one-year of continuous association of professional staff with the audit firm as on the date of empanelment (for PSBs) / shortlisting (for other banks) for considering them as professional staff for the purpose.

16. Additional Consideration

(1) The audit firm proposed to be appointed as SCAs / SAs for the bank, should be duly qualified for appointment as auditor of a company in terms of Section 141 of the Companies Act, 2013.

(2) The audit firm should not be under debarment by any Government Agency, National Financial Reporting Authority (NFRA), the Institute of Chartered Accountants of India (ICAI), RBI or other financial regulators.

(3) The bank shall ensure that appointment of SCAs / SAs is in line with the ICAI’s Code of Ethics / any other such standards adopted and does not give rise to any conflict of interest.

(4) If any partner of an audit firm is a director in any PSB, the said firm shall not be appointed as SCAs / SAs of any PSB. Further, if any partner of an audit firm is a director in any bank, the said firm shall not be appointed as SCAs / SAs of any of the group entities of that bank.

Explanation: The Group Entities here refer to the RBI regulated entities in the Group, which fulfil the definition of Group Entity, as provided in the Direction. Therefore, if any partner of an audit firm is a director in an RBI regulated entity in the Group, the said firm shall not be appointed as SCAs / SAs of any of the RBI regulated entities in the Group. However, if an audit firm is being considered by any of the RBI regulated entities in the Group for appointment as SCAs / SAs, whose partner is a director in any of the Group Entities (which are not regulated by RBI), the said audit firm shall make appropriate disclosures to the ACB as well as Board / LM.

(5) The SCAs / SAs for a bank with asset size above ₹1,000 crore should preferably have capability and experience in deploying Computer Assisted Audit Tools and Techniques (CAATTs) and Generalized Audit Software (GAS), commensurate with the degree / complexity of computer environment of the bank where the accounting and business data reside in order to achieve audit objectives.

17. Continued Compliance with Basic Eligibility Criteria

(1) In case an audit firm (after appointment) fails to comply with any of the eligibility norms (on account of resignation, death etc. of any of the partners, employees, action by Government Agencies, NFRA, ICAI, RBI, other financial regulators, etc.), it shall promptly approach the bank with full details. Further, the audit firm shall take all necessary steps to regain eligibility within a reasonable time and in any case, the audit firm must comply with the above norms before commencement of Annual Statutory Audit for Financial Year ending 31st March and till the completion of annual audit.

(2) In case of any extraordinary circumstance after the commencement of audit, like death of one or more partners, employees, etc., which makes the audit firm ineligible with respect to any of the eligibility norms, RBI will have the discretion to allow the concerned audit firm to complete the audit, as a special case.

C. Independence of Auditors

18. In case of any concern with the management of the bank such as non-availability of information / non-cooperation by the management, which may hamper the audit process, the SCAs / SAs shall approach the Board / ACB / LM of the bank, under intimation to the concerned SSM of RBI. The Board shall be directly approached only when ACB is non-existent in the bank or the SCAs / SAs notice a matter of concern involving any member of the ACB.

19. Concurrent auditors of the bank should not be considered for appointment as SCAs / SAs of the same bank. The audit of the bank and any entity with ‘Large Exposure’ to the bank for the same reference year should also be explicitly factored in while assessing independence of the auditor. ‘Large exposure’ is as defined in the Reserve Bank of India (Commercial Banks - Concentration Risk Management) Directions, 2025.

Explanation: These Directions do not prohibit an audit firm from doing audit of any company / entity with Large Exposure to the bank from being appointed as SCAs / SAs of the bank. It only stipulates that this aspect should also be explicitly factored while assessing independence of the SCAs / SAs. In this regard, the Board / ACB / LM shall see that there is no conflict of interest, and the independence of auditors is ensured.

20. The time gap between any non-audit works (services mentioned in Section 144 of Companies Act, 2013, internal assignments, special assignments, etc.) by the SCAs / SAs for the bank or any audit / non-audit works for its Group Entities should be at least one year, before appointment or after completion of the audit assignment as SCAs / SAs. However, during the tenure as SCA / SA, an audit firm may provide such services to the concerned bank which may not normally result in a conflict of interest, and bank may take its own decision in this regard, in consultation with the Board / ACB / LM. A conflict of interest would not normally arise in the case of following special assignments (indicative list):

(1) Tax audit, tax representation and advice on taxation matters.

(2) Audit of interim financial statements.

(3) Certificates required to be issued by the SCA / SA in compliance with statutory or regulatory requirements.

(4) Reporting on financial information or segments thereof.

Explanation: The Group Entities refer to the RBI regulated entities in the Group, which fulfil the definition of Group Entity, as provided in the Directions. However, if an audit firm engaged with audit / non-audit works for the Group Entities (which are not regulated by RBI) is being considered by any of the RBI regulated entities in the Group for appointment as SCAs / SAs, it shall be the responsibility of the Board / ACB / LM of the concerned RBI regulated entity to ensure that there is no conflict of interest and independence of auditors is ensured, and this should be suitably recorded in the minutes of the meetings of Board / ACB / LM.

21. The restrictions as detailed in paragraphs 19 and 20 above, shall also apply to an audit firm under the same network of audit firms or any other audit firm having common partners, as defined in Rule 6(3) of the Companies (Audit and Auditors) Rules, 2014.

D. Professional Standards

22. The SCAs / SAs shall be strictly guided by the relevant professional standards in discharge of their audit responsibilities with highest diligence.

23. In the event of lapses in carrying out audit assignments resulting in misstatement of a bank’s financial statements, and any violations / lapses vis-à-vis RBI’s directions regarding the role and responsibilities of the SCAs / SAs in relation to the bank, the SCAs / SAs would be liable to be dealt with suitably under the relevant statutory / regulatory framework.

E. Tenure and Rotation

24. In order to protect the independence of the auditors, the bank shall appoint the SCAs / SAs for a continuous period of three years, subject to the firms satisfying the eligibility norms each year. The audit firms which have already completed tenure of one year or two years with any bank may be permitted to complete the balance tenure only, i.e., two years and one year, respectively, if they fulfil the eligibility norms on an annual basis. Further, the bank can remove the audit firms during the above period only with the prior approval of the DoS, RBI, as applicable for prior approval for appointment, as mentioned at paragraph 32(1) of these Directions.

25. An audit firm shall not be eligible for reappointment in the same bank for six years (two tenures) after completion of full or part of one term of the audit tenure. However, audit firms can continue to undertake statutory audit of other entities. In case an audit firm has conducted audit of any bank for part-tenure (one year or two years) and then not appointed for remainder tenure, then also it shall not be eligible for reappointment in the same bank for six years from completion of part-tenure.

26. One audit firm can concurrently take up statutory audit of a maximum of four Commercial Banks including Small Finance Banks, Payment Banks, and Local Area Banks (but not more than one PSB or one AIFI or RBI), eight UCBs, eight NBFCs and five StCBs / CCBs (including not more than one StCB) during a particular year, subject to compliance with required eligibility criteria and other conditions for each bank and within overall ceiling prescribed by any other statutes or rules. For clarity, the limits prescribed for UCBs exclude audit of other co-operative societies by the same audit firm. These limits are applicable in respect of audit of all RBI regulated entities, irrespective of the asset size.

27. For the purpose of these Directions, a group of audit firms having common partners and / or under the same network, will be considered as one entity and they shall be considered for allotment of SCAs / SAs accordingly. Shared / Sub-contracted audit by any other / associate audit firm under the same network of audit firms is not permissible. The incoming audit firm shall not be eligible if such audit firm is associated with the outgoing auditor or audit firm under the same network of audit firms.

28. If a private sector bank is appointing separate branch auditors, then it shall ensure that there are no common partners between the retiring audit firm(s) and proposed audit firm(s). If the retiring and proposed auditors are proprietary concerns, the firm in which any proprietor or both is / are partner(s) should not be considered for audit. Further, the sister concerns or associate firms of rested auditors should also not be proposed for appointment till they complete the rest period.

29. Office of CAG will continue to appoint SAs of the Government Companies and Government Controlled Other Companies under Section 139 (5) and 139 (7) of the Companies Act, 2013. Such Companies are also subject to supplementary / test audit by the Office of CAG under Section 143 (6) and (7) of the said Act. Such entities will be guided by the CAG guidelines regarding tenure and rotation policy. However, such appointment for Jammu & Kashmir Bank Ltd. will be done by the Office of CAG with RBI’s concurrence.

F. Audit Fees and Expenses

30. The audit fees for SCAs / SAs shall be decided in terms of the relevant statutory / regulatory provisions. PSBs shall continue to be guided by relevant RBI instructions in the matter.

31. The audit fees for SCAs / SAs shall be reasonable and commensurate with the scope and coverage of audit, size and spread of assets, accounting and administrative units, complexity of transactions, level of computerisation, identified risks in financial reporting, etc.

G. Appointment Procedure

32. The guidelines on minimum procedural requirements are given below.

(1) The bank shall obtain prior approval of DoS, RBI for appointment / reappointment of SCAs / SAs, on an annual basis in terms of the above-mentioned statutory provisions. For the purpose, the bank shall apply to DoS, RBI before 31st July of the reference year and the PSBs shall approach RBI within one month of receipt of list of eligible audit firms from RBI. For the purpose, all Commercial Banks in India shall approach the Central Office of RBI (Department of Supervision).

(2) The bank shall shortlist minimum of two audit firms for every vacancy of SCAs / SAs so that even if audit firm at first preference is found to be ineligible / refuses appointment, the audit firm at second preference can be appointed and the process of appointment of SCAs / SAs does not get delayed. However, in case of reappointment of SCAs / SAs by a bank till completion of tenure of continuous term of three years, there shall not be any requirement of shortlisting and sending names of multiple audit firms to RBI while seeking approval to appointment.

(3) The banking companies shall continue to follow the existing procedure followed by them for selection of SCAs / SAs. They shall place the name of shortlisted audit firms, in order of preference, before their ACB / LM for selection as SCAs / SAs. Upon selection of SCAs / SAs by the bank in consultation with their ACB / LM and verifying their compliance with the eligibility norms prescribed by RBI, the bank shall seek RBI’s prior approval for appointment of SCAs / SAs.

(4) For a PSB, empanelment of audit firms eligible for appointment as SCAs will continue to be done by the Office of CAG based on the norms prescribed by RBI, as on January 1 of the relevant year. The list of firms as furnished by the Office of CAG to RBI will be subjected to scrutiny by RBI for identifying the eligible firms and excluding audit firms who have been denied audit by the CAG / RBI. RBI shall forward a single list of all audit firms eligible for appointment as SCAs to all PSBs on an annual basis. The audit firms in list shall not be ranked in any order and all audit firms shall be eligible for selection by all PSBs.

(5) PSBs shall shortlist audit firms from the said list of eligible audit firms as received from RBI, based on certain objective criteria (like number of full-time partners, number of professional staff, number of CISA / ISA qualified partners / paid CAs, number of FCAs, etc.) as laid down in the bank’s policy for appointment of SCAs / SAs. Further, the PSBs shall place the list of shortlisted firms, in order of preference, before the ACB for selection of SCAs in a transparent manner. Upon selection of SCAs by the PSBs in consultation with their ACB and verifying their compliance with the eligibility norms prescribed by RBI, the PSBs shall seek RBI’s prior approval for appointment of SCAs.

(6) The bank shall obtain a certificate, along with relevant information as per Annex I (Form B), from the audit firm(s) proposed to be appointed as SCAs / SAs by the bank to the effect that the audit firm(s) complies with all the eligibility norms prescribed by RBI for the purpose. Such certificate should be signed by the main partner / s of the audit firm proposed for appointment of SCAs / SAs of the bank, under the seal of the said audit firm.

(7) The bank shall verify the compliance of audit firm(s) to the eligibility norms prescribed by RBI for the purpose and after being satisfied of their eligibility, recommend the names along with a certificate, in the format as per Annex II (Form C), stating that the audit firm(s) proposed to be appointed as SCAs / SAs by it complies with all eligibility norms prescribed by RBI for the purpose.

(8) While approaching the RBI for its prior approval for appointment of SCAs / SAs, the bank shall indicate its total asset size as on 31st March of the previous year (audited figures), forward a copy of Board / ACB Resolution (resolution not needed for foreign banks operating under branch mode) recommending names of audit firms for appointment as SCAs / SAs in the order of preference and also furnish information as per Annex I (Form B) and Annex II (Form C) as mentioned above, to facilitate expeditious approval of appointment / re-appointment of the concerned audit firm.

H. Appointment of Statutory Auditors for Overseas Branch(es)

33. SAs shall be appointed for all the overseas branches of Indian Commercial Banks every year. While seeking approval for appointment of SAs for overseas branches, the bank may indicate the details of audit firms, being recommended for appointment (their experience, standing etc.) in the cases where the appointment is not subjected to the approval of the overseas regulator. However, if the approval of the overseas regulator is required, the same may be indicated in the application.

Chapter IV – Long Form Audit Report

A. Procedure and Timelines

34. The bank shall ensure timely receipt of Long Form Audit Report (LFAR) from the SCAs / SAs and SBAs.

35. The LFAR of the bank, after due examination, shall be placed before the ACB, indicating the action taken / proposed to be taken for rectification of the irregularities, if any, mentioned therein.

36. The bank shall forward a copy of the LFAR (i.e., for the bank / all Indian offices of the foreign bank as a whole) along with the related agenda notes and the Board's views or directions, to the concerned SSM, DoS, RBI, within 60 days from the date of submission of the same by the SCA / SA.

B. Long Form Audit Report by the Statutory Central Auditors

B.1 Objectives, Strategy, Scope, and Coverage

37. The overall objective of the LFAR should be to identify and assess the gaps and vulnerable areas in the business operations, risk management, compliance and the efficacy of internal audit and provide an independent opinion on the same to the Board of the bank and provide the observations of SCAs.

38. This may also involve commenting on various risks to which the bank is exposed to like credit, market, operational and liquidity risk and risk management efficacy, assessment of appropriateness of procedures for preparation of supervisory returns, Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) issues, cyber security, business performance, business strategy including very high growth / high return on equity (ROE) accompanied with high risks, etc.

39. Some of the matters to be dealt with by the SCAs in their LFARs will be based on the LFARs received from the SBAs. In dealing with such matters, the SCAs should exercise their own judgement to make their observations based on review of LFARs from SBAs.

40. While deciding their audit strategy, the SCAs may factor-in all material issues which are considered critical by looking at the size and complexity of the business operations, business strategy / models, internal controls including the control culture of the bank, structure, and complexity of the IT systems, etc.

41. The scope and coverage of Statutory Audit and LFAR will broadly be as per the indicative areas given in Paragraphs 44 to 77. However, if the SCAs feel a need of some material additions in the scope, this may be done by giving specific justification and with the prior intimation to the ACB of the bank.

42. SCAs may resort to need based limited transaction testing.

43. In deciding whether a qualification in the main report is necessary, the SCAs should use their judgement based on the available evidence / facts and circumstances of each case. The bank is expected to measure and monitor the accuracy of data and to develop appropriate escalation channels and action plans to rectify any deterioration in data quality.

B.2 Indicative Coverage

B.2.1 Credit Risk Areas

44. Loan Policy: The observations should broadly cover the sufficiency and effectiveness of the loan policy along with the compliance to instructions issued by RBI in areas like exposure norms, interest rates, statutory and other restrictions, among others. Other aspects relating to updation of the policy, system of monitoring and adherence thereto should also be commented upon. The observations should also comprise business model / business strategy as per the policy as against the actual business / income flow of the bank.

45. Credit Assessment: Whether the credit assessment process is sufficiently placed to capture the risk as also the adequacy of information / data available with the bank. The quick mortality cases should be closely examined.

46. Sanctioning / Disbursement: Policy relating to delegation of powers at various levels, appropriateness of checks and balances, adherence to authorised limits, disbursal after complying with terms and conditions of disbursal should be examined.

47. Documentation: The entire process, including the system of ensuring execution as per the terms of sanction, system of documentation in respect of joint / consortium advances, availability of relevant documents to ensure creation of charge in favour of the bank when required, renewal of documents, should be examined. Defects observed along with compliance to RBI guidelines / bank’s internal policy should also be examined.

48. Review / Monitoring / Post Sanction Follow-up / Supervision: Extent of coverage and effectiveness of credit monitoring system covering both on balance sheet and off-balance sheet exposures, along with the quality of reporting both within the bank and outside agencies such as Central Repository of Information on Large Credits, Credit Information Companies should be examined along with adherence to RBI instructions / bank’s own policy. Special focus should be given on functioning and effectiveness of system of identifying and reporting of Red Flagged Accounts, Early-Warning System (EWS), receipt of periodic balance confirmation / acknowledgement of debts, stock / book debt statements, balance-sheet, audited-accounts etc. System of scrutiny of the above information and follow-up by the bank should also be examined to identify process gaps. System of periodic physical verification or inspection of stocks, equipment, machinery, other securities and review / renewal of advances including enhancement of limits, overall monitoring of advances through maturity / aging analysis should also be examined and suitably factored-in.

49. Restructuring / Resolution of Stressed Accounts: Comments on deviations observed in restructured accounts / stressed accounts under resolution with reference to Internal / RBI guidelines should be provided. Special emphasis should be given on the stance of the bank with respect to resolution of stressed accounts, specially covering compliance to regulatory guidelines, formulation of Board approved policies including timelines for resolution, the manner in which decisions are taken during review period, Board approved policies regarding recovery, compromise settlements, exit from exposure through sale of stressed assets, mechanism of deciding whether a concession granted to a borrower should be treated as restructuring or not, implementation of resolution in accordance with the laid down conditions, among others.

50. Asset Quality: Special emphasis should be given on continuous monitoring of classification of accounts into Standard, Special Mention Account, Sub-standard, Doubtful or loss as per Income Recognition, Asset Classification and Provisioning norms by the system, without manual intervention, correct recognition of income, and adequacy of provision thereof. Effectiveness of the system for compiling data relating to Non-Performing Assets (NPAs) and their provisions, data integrity, system of suspension of charging of interest and adherence thereto, should be examined and commented upon. Deviations observed, if any, should be provided along with examples. Further, comments be provided on the procedure followed by the bank in upgradation of NPAs, updation of the value of securities with reference to RBI regulations and compliance by the bank with divergences observed during earlier RBI Inspection(s) with examples of deviations, if any.

51. Recovery Policy: The existence and effectiveness of recovery policy, along with regular updates, manner of appropriation of recovery, instances wherein the appropriation was not as per the recovery policy be examined and commented upon. Instances observed / reported, wherein the instructions of controlling authority related to legal action for recovery or recalling of advances is not acted upon, system of compromise settlements, system of monitoring accounts under Insolvency and Bankruptcy Code 2016 (IBC), write-off, should be specifically commented. In respect of compromise settlement, special emphasis should be given to the systems and processes relating to cases of recovery of ₹1 crore and above and also the cases wherein limits of sacrifice laid down in the recovery policy is breached. The auditors should verify the list of accounts where insolvency proceedings had been initiated under IBC but subsequently was taken out of insolvency under Section 12A of the IBC. The auditors may satisfy themselves regarding the reasons of the creditors, especially the bank concerned, to agree to exiting the insolvency resolution process, and may comment upon deficiencies observed, if any.

52. Large Advances: Comments on significant adverse features in top 50 standard large advances and the accounts which need management’s attention should be provided. In respect of other advances, the process needs to be checked and commented upon, based on a sample testing.

53. Audit Reports: Major adverse features observed in the reports of all audits / inspections, internal or external, carried out at credit department during the financial year should be suitably incorporated in the LFAR, if found persisting.

54. Recovery Records: Recovery from all the written-off accounts during the financial year should be examined and commented upon.

55. Wilful Defaulter: System of identifying and reporting of wilful defaulter should be examined and commented upon.

B.2.2 Market Risk Areas

56. Investments including Derivatives: The focus should be on the merit of investment policy and adherence to RBI guidelines. Any deviations to the RBI directions, and guidelines issued by Fixed Income Money Market and Derivatives Association of India / Financial Benchmarks India Private Limited / Foreign Exchange Dealers' Association of India should be suitably highlighted. Special focus should be given on system of purchase and sale of investments, delegation of powers, reporting systems, segregation of back, middle and front office functions, efficacy of control over investments, including periodic verification / reconciliation of investments with book records, valuation mode, changes in mode of valuation, system relating to inter-bank call money operations, system relating to unquoted investments in the portfolio, system of audit including periodic verification / verification of investment activities / portfolios, policies and systems for monitoring activities such as underwriting, derivatives, etc., among others. With respect to RBI directions, special focus should be given on compliance to exposure norms, classification of investments into Held to Maturity (HTM) / Available for Sale (AFS) / Fair Value through Profit and Loss (FVTPL) category and inter-category shifting of securities, compliance to valuation, asset classification and provisioning norms, along with deviation from accounting and disclosure norms, among others. Comments should also be made on the composition of investment portfolio as per RBI guidelines and the depreciations on investments, if not provided for. System of recording of income from investments, income accrued and due but not received, monitoring of mature investments and their timely encashment etc. should be examined and commented. The auditor may also comment upon the veracity of liquidity characteristics of different investments in the books, as claimed by the bank in different regulatory / statutory statements. 
The internal control system, including all audits and inspections, IT and software being used by the bank for investment operations should be examined in detail.

57. Statutory Liquidity Ratio (SLR) / Cash Reserve Ratio (CRR) Requirements: Any discrepancies in the process of compilation and calculation of Net Demand and Time Liabilities (NDTL) by the bank should be highlighted in LFAR. It should be specifically commented whether the bank has complied with SLR / CRR requirements, with the instances of non-compliance, thereof.

58. Asset Liability Management: Existence of Policy on Asset-Liability Management and monitoring thereof, along with compliance with RBI guidelines and functioning of Asset Liability Management Committee should be examined.

B.2.3 Governance, Assurance Functions and Operational Risk Areas

59. Governance and Assurance Functions: Observations on governance, policy and implementation of business strategy and its adequacy vis-à-vis the risk appetite statement of the bank, effectiveness of assurance functions (risk management, compliance, and internal audit) should be examined and suitably incorporated in the LFAR. Adequacy of risk-awareness, risk-taking and risk-management, risk, and compliance culture per se, compliance testing, including the sustenance of the compliance, as also system of branch inspection, frequency, scope / coverage of inspection / internal audit, concurrent audit or revenue audit should also be examined along with the system of follow-up of these reports, position of compliance, corrective action taken by the bank among others.

60. Balancing of Books / Reconciliation of Control and Subsidiary Records: Special focus should be given on the system of control for internal accounts along with effectiveness of the system of monitoring the position of balancing of books / reconciliation of control and subsidiary records, with details of books not balanced, if any. The item wise details of system generated transitory accounts not nullified at the year-end should be given separately with ageing of such items.

61. Inter-Branch Reconciliation: The effectiveness of the system of inter-branch / inter-office reconciliation with respect to each type of entries, along with sufficiency of audit trail should be examined and commented upon. Age-wise analysis of unreconciled entries for each type of entry covered under inter-branch reconciliation, as on balance sheet date along with subsequent clearance, thereof, if any, should be provided. Any unusual entries observed in the reconciliation process, along with procedure for auto and forced matching of entries, should be commented. Compliance with RBI guidelines with respect to provisioning for old outstanding entries, should be factored in the observations.

62. Frauds / Vigilance: Appropriateness of fraud risk management system and processes for early detection, timely reporting to RBI, investigation of frauds as also adequacy of provisioning with respect to reported frauds and deviations observed in compliance with directions issued by RBI should be examined and commented upon. Age-wise analysis of the cases / complaints investigated / under investigation of Vigilance Department along with observations on major frauds discovered during the year under audit should be provided. Special focus should be given on the potential risk areas which might lead to perpetuation of fraud (e.g. falsification of accounts / false representation by the borrower; misappropriation of funds especially through related party / shell company transactions; forgery and fabrication of financial documents like invoices, debtor lists, stock statements, trade credit documents, shipping bills, work orders and encumbrance certificates to avail credit; use of current accounts outside consortium where Trust and Retention Account (TRA) is maintained to divert funds; list of debtors / creditors were being fabricated and receivables were not followed up / write off of debt of related parties; fake export / shipping bill ; over-statement of invoice amounts, stock statements, shipping bills, turnover; fly by night operations including the cases where vendors, related / associate parties, manufacturing units etc., are not available on the registered addresses; round tripping of funds, etc.).

63. Suspense Accounts, Sundry Deposits, etc.: System of clearance of items debited / credited to suspense / sundry accounts should be examined with the focus on audit trail, along with age-wise analysis of un-cleared entries of suspense accounts, sundry deposits, etc. as on balance sheet date along with subsequent clearance, thereof, if any. Any unusual entries observed in suspense accounts, sundry deposits etc. should be specifically commented. An examination of inactive / inoperative accounts may also be carried out, as it is a fraud prone area. It should also be examined whether the bank has made adequate provision with respect to un-cleared entries in suspense accounts, sundry deposits, etc. as per RBI guidelines and to the satisfaction of the auditor.

64. Know Your Customer (KYC) / Anti-Money Laundering (AML): It should be examined whether the bank has duly updated and approved KYC and AML policies in synchronization with RBI directions and whether the said policies are effectively implemented by the bank. Assessment of the effectiveness of provisions for preventing money laundering and terrorist financing may be provided for.

65. Cash and Other Security Items: System of monitoring of cash at branches, and management of cash through currency chest operations, including adequacy of insurance cover, system, and procedure for physical custody of cash, systems and controls for procurement, issue, and custody of valued stationery items such as Cheque Books, Demand Drafts, Pay Orders, Gold Coins etc., should be examined.

66. Para-Banking Activities: It should be examined whether the bank has effective internal control system with respect to para-banking activities undertaken by it. A list of para-banking activities undertaken by the bank should be provided.

67. Management Information System (MIS): Existence and adequacy of MIS, method of compilation and accuracy of information, appropriateness of procedures for preparation of supervisory returns and their reliability under the Off-Site Surveillance System of RBI, reliability of information flow for the internal risk management system should be commented. Additionally, comments should also be provided on whether the bank has effective system of preparation and consolidation of branch returns and financial statements.

68. Any Other Comments relating to People, Process and System Risks: Any other concerns relating to people, process and system risks may be commented upon.

B.2.4 Capital Adequacy

69. Capital Adequacy Certificate: A copy of the capital adequacy certificate should be provided along with comments as to whether the bank has effective system of calculation of capital adequacy as per the directions of RBI. Any concerns which are considered material relating to the bank’s solvency and capital may be commented upon.

70. Internal Capital Adequacy Assessment Process (ICAAP) Document: Comments should be provided on whether stress test is done as per RBI stress test Guidelines; whether assumptions made in the document are realistic, encompassing all relevant risks; and whether bank strategy is aligned with its Board approved Risk Appetite Statements.

B.2.5 Going Concern and Liquidity Risk Assessment

71. Going Concern Assessment: The auditor should comment whether the going concern basis of preparation of financial statements is appropriate; and auditor’s evaluation of the bank’s assessment of its ability to continue to meet its obligations for the foreseeable future (for at least 12 months after the date of the financial statements) with reasonable assurance for the same. Any material uncertainties relating to going concern should be disclosed.

72. Profitability: Analysis of variation in major items of income and expenditure compared to previous year should be carried out along with important ratios such as Return on Assets (RoA), Return on Equity (RoE), etc.

73. Liquidity Assessment: As a part of assessment of the bank on going concern basis, the auditor should also consider the robustness of the bank’s liquidity risk management systems and controls for managing liquidity, any external indicators that reveal liquidity or funding concerns, the availability of short-term liquidity support and compliance with norms relating to Liquidity Coverage Ratio (LCR) and Net Stability Funding Ratio (NSFR) among others.

B.2.6 Information Systems

74. Robustness of Information Technology (IT) Systems: Auditors should comment on the robustness of IT systems covering all the software used by the bank along with functions thereof, inter-linkage / interface between different IT Systems, Automated Teller Machine (ATM) network and its security, payment system products and services among others. It should be examined whether the software used by the bank were subjected to Information System (IS) Audit, Application function testing and any other audit mandated by RBI. Adequacy of IS Audit, migration audit (as and where applicable) and any other audit relating to IT and cyber security system and bank’s compliance to the findings of those audits should be commented upon.

75. IT Security and Information Security Policy: Auditors should comment whether the bank has duly updated and approved IT Security and Information Security Policy and whether the bank has complied with RBI advisory / directives relating to IS environment / cyber security, issued from time-to-time.

76. Critical Systems / Processes: It should be examined whether there is an effective system of inter-linkage including seamless flow of data under Straight Through Process (STP) amongst various software / packages deployed. Special emphasis should be placed on outsourced activities and bank’s control over them, including bank’s own internal policy for outsourced activities.

B.2.7 Other Matters

77. Comments on the following should also be provided:

(1) Accounting policies including changes in accounting policies made during the period.

(2) Adequacy of provisions made for statutory liabilities such as Income Tax, Gratuity, Pension, Provident Fund, etc.

(3) Adequacy of provisions made for off-balance sheet exposures and other claims against the bank.

(4) Balances with other banks - observations on outstanding items in reconciliation statements.

(5) Procedure for revaluation of NOSTRO accounts and outstanding forward exchange contracts.

(6) System related to compliance with Depositor Education and Awareness Fund (DEAF) norms.

(7) Compliance mechanism with regard to recommendations of specific committees appointed by RBI such as Ghosh, Jilani, Mitra, etc.

(8) Working of subsidiaries / associates / joint ventures of the bank.

(9) Reporting system to the holding bank.

(10) Major losses of the subsidiary, if any.

(11) Business conduct including customer service by the bank describing instances, if any, of wrong debit of charges from customer accounts, mis-selling, ineffective complaint disposal mechanism, etc.

(12) Any other matter, which the auditor considers should be brought to the notice of the management.

C. Long Form Audit Report by the Statutory Branch Auditors

78. SBAs shall submit the LFAR to the SCAs of the bank. The overall objective of the audit of bank branch should be to have transaction testing and provide inputs to the SCAs on adequacy of implementation of various policy and regulatory requirements, including efficacy of the system and assurance functions (risk management, compliance, and internal audit) at branch level.

79. The threshold fixed for different purposes for comments in the LFAR will decide that above the threshold, the transaction detailing needs to be seen and commented upon. However, below the threshold, the system and processes should be checked and commented upon.

80. Verification of data integrity and data related control systems and processes should be carried out and commented upon, with the special thrust on those data inputs which are to be used for MIS at corporate office level and for supervisory reporting purposes.

81. Indicative Format / Coverage in the LFAR by the SBAs is enclosed as Annex III. Additional Questionnaire applicable to Specialised Branches is enclosed as Annex IV. The questionnaire contains questions, which are relevant to the specialised branches dealing in foreign exchange transactions, branches having very large advances, recovery of NPA and clearing house operations, if any. Auditors of foreign branches of Indian banks should also furnish this report. In the case of foreign branches, reference to RBI should be construed to include RBI, as well as the relevant regulating authority of the foreign country where the branch is located. LFAR for Large / Irregular / Critical Advance Accounts which is to be obtained by the SBAs from branches dealing in large advances / asset recovery branches is enclosed as Annex V.

Chapter V - Repeal and Other Provisions

A. Repeal and Saving

82. With the issue of these Directions, the existing directions, instructions, and guidelines relating to Statutory Audit as applicable to Commercial Banks stand repealed, as communicated vide circular no. XX dated XXXX XX, 2026. The directions, instructions and guidelines already repealed vide any of the directions, instructions, and guidelines listed in the above circular shall continue to remain repealed.

83. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions. Further, the repeal of these directions, instructions, or guidelines shall not in any way prejudicially affect:

(1) any right, obligation or liability acquired, accrued, or incurred thereunder;

(2) any penalty, forfeiture, or punishment incurred in respect of any contravention committed thereunder;

(3) any investigation, legal proceeding, or remedy in respect of any such right, privilege, obligation, liability, penalty, forfeiture, or punishment as aforesaid; and any such investigation, legal proceedings or remedy may be instituted, continued, or enforced and any such penalty, forfeiture or punishment may be imposed as if those directions, instructions, or guidelines had not been repealed.

B. Application of Other Laws Not Barred

84. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

85. For the purpose of giving effect to the provisions of these Directions or in order to remove any difficulties in the application or interpretation of the provisions of these Directions, RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by RBI shall be final and binding.

(C Saravanan)
Chief General Manager


