RBI mandates concurrent audit coverage of 60 percent of advances and deposits at public sector banks and 50 percent at private banks; NBFC-Upper Layer and large NBFC-Middle Layer entities follow the Scale-Based Regulation framework. Output is a monthly report to the Audit Committee covering credit, operations, treasury, KYC/AML, statutory dues, and revenue leakage.
Coverage is allocated to large branches, forex branches, risk-rated branches, treasury, central processing units, and data centres. A sampling matrix scopes every high-value transaction and a percentage of low-value transactions each month. Revenue leakage is quantified across interest under-charging, fee under-recovery, charge omission, commission gaps, and forex margin under-recovery.
Engagement coverage matrix mapped to RBI percentage requirements, monthly sampling plan keyed to transaction size bands, focus-area checklist per RBI directive, revenue leakage recomputation worksheet, and Audit Committee reporting template with risk rating and action tracker.
Monthly concurrent audit report to the Audit Committee, quantified revenue leakage finding per month, KYC/AML and statutory compliance flags, NPA migration alerts, and an action tracker that closes the loop on prior observations.
An NBFC-Middle Layer entity with a ₹4,200 crore loan book and 38 branches across six states appointed a concurrent audit firm in April. The first month’s report flagged ₹26 lakh of revenue leakage — ₹18 lakh in processing fee under-recovery on rural housing loans where the system was applying a discontinued promotional rate, ₹6 lakh in prepayment charge omissions, and ₹2 lakh in stamp duty recovery gaps. By month six, the cumulative revenue leakage recovered had exceeded the annual concurrent audit fee by a multiple. This guide covers how concurrent audit works for banks and NBFCs under the current RBI framework, what gets covered, and how findings get reported.
What Is Concurrent Audit and Why Is It Mandated?
Concurrent audit is the assurance layer that sits between operations and statutory audit. It is performed by an external audit firm (or in some cases an in-house team with sufficient independence) on transactions as they occur, with a monthly reporting cadence to the Audit Committee. The RBI mandates concurrent audit at banks because the volume of transactions and the lag between an irregularity and a year-end statutory audit are too high for statutory audit alone to provide adequate control. The same logic now applies to large NBFCs under the Scale-Based Regulation.
Quick-Reference Table
| Entity | Coverage Mandate | Reporting Cadence | Authority |
|---|---|---|---|
| Public sector bank | 60% of advances and deposits | Monthly to AC | RBI guidance on concurrent audit |
| Private sector bank | 50% of advances and deposits | Monthly to AC | RBI guidance, AC-approved policy |
| Foreign bank | Per AC policy, treasury mandatory | Monthly to AC | RBI guidance |
| NBFC-Upper Layer | Full framework required | Monthly to AC | Scale-Based Regulation |
| NBFC-Middle Layer (large) | Framework required | Monthly to AC | Scale-Based Regulation |
| NBFC-Base Layer | Risk-based | Quarterly typical | Board-approved policy |
How Is Coverage Allocated Across Branches and Functions?
Mandatory Inclusions
Regardless of percentage thresholds, the following must be under concurrent audit at all times: all large branches (size threshold notified by each bank); all branches handling foreign exchange; all treasury and dealing rooms; all credit card units; all central processing units that originate or service loans; all data centres for IT general controls; and all branches that the bank’s risk-based audit framework rates as high-risk.
Coverage Computation
Coverage is computed on average outstanding balances during the year, not on point-in-time balances. A branch with advances of ₹500 crore at year-end but average balance of ₹420 crore contributes ₹420 crore to the coverage numerator. The bank’s Audit Committee approves the coverage plan and reviews actual coverage achieved quarterly.
Selection Methodology
Most banks use a layered selection: tier-1 — all branches above a size threshold; tier-2 — all forex and treasury units; tier-3 — risk-rated branches; tier-4 — a rotating sample of remaining branches to ensure every branch is covered at least once in three years.
What Are the Focus Areas?
Credit
Loan origination KYC, credit appraisal, sanction terms compliance, security creation and perfection. Disbursement matched to sanction. End-use verification for term loans. NPA migration tracked monthly with the system NPA flags.
Operations
Cash handling, cheque return, account maintenance, deposit dormancy, unclaimed deposits, locker rentals, and demand draft reconciliation.
Treasury
Borrowing under permitted instruments, ALM mismatch versus internal limits, dealing room compliance (front-back office segregation, deal capture timeliness, mark-to-market), and counterparty exposure limits.
KYC and AML
Customer due diligence for new accounts, periodic re-KYC for existing customers, suspicious transaction monitoring, and FIU-IND reporting timelines under the Prevention of Money Laundering Act.
Statutory Compliance
TDS on payments above thresholds (Section 194A on interest, 194C on contractor payments, 194J on professional fees, 194Q on goods, plus the 2026 migration to payment codes 1001-1092), GST liability on interest and fee components, PF/ESI on employee dues, professional tax, and stamp duty.
Revenue Leakage
Interest under-charging on floating-rate loans, fee under-recovery, charge omissions, commission gaps on third-party products, and forex margin under-recovery.
A Worked Example: NBFC With ₹4,200 Crore Loan Book
The NBFC operates across rural housing, MSME secured loans, vehicle finance, and personal loans through 38 branches in six states. Engagement letter signed for a one-year concurrent audit with monthly Audit Committee reporting.
Coverage Matrix
- All 6 state head office branches (₹2,800 crore of book) — full coverage
- Top 4 branches by disbursement volume in each state (24 branches, ₹980 crore) — full coverage
- 8 remaining branches (₹420 crore) — rotating quarterly coverage
- Treasury function at head office — full coverage
- Central processing unit at head office — full coverage
Coverage achieved: 90 percent of loan book under continuous review.
Sampling Plan
- All loans disbursed above ₹50 lakh — 100 percent review
- Loans between ₹10 lakh and ₹50 lakh — 25 percent random sample
- Loans below ₹10 lakh — 5 percent random sample plus all loans flagged by the risk engine
- All cash transactions above ₹2 lakh — 100 percent review
- All NPA migrations — 100 percent review with security and recovery action verification
- All write-offs and restructurings — 100 percent review with Board resolution traceability
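The loan size bands of the sampling plan above, written as a reproducible selection routine. This is an added example, not part of the original guide or any audit firm's tooling. The record fields (`id`, `amount`, `risk_flag`), the seed, and the treatment of amounts exactly at ₹10 lakh or ₹50 lakh are assumptions; the cash, NPA, and write-off rules are not covered.

```python
import random

LAKH = 100_000  # 1 lakh = 100,000 rupees
# Review percentage per size band, taken from the sampling plan above.
REVIEW_PCT = {"above_50L": 100, "10L_to_50L": 25, "below_10L": 5}

def band_of(amount):
    # Assumption: exactly 10 lakh and exactly 50 lakh fall in the middle band.
    if amount > 50 * LAKH:
        return "above_50L"
    if amount >= 10 * LAKH:
        return "10L_to_50L"
    return "below_10L"

def select_sample(loans, seed):
    """Return {loan_id: reason} for one month's review sample."""
    rng = random.Random(seed)  # fixed seed so a reviewer can reproduce the draw
    bands = {name: [] for name in REVIEW_PCT}
    for loan in sorted(loans, key=lambda l: l["id"]):  # stable order before sampling
        bands[band_of(loan["amount"])].append(loan)
    selected = {}
    for name, members in bands.items():
        # Round up so a small band is never under-sampled.
        k = (len(members) * REVIEW_PCT[name] + 99) // 100
        for loan in rng.sample(members, k):
            selected[loan["id"]] = f"{name} {REVIEW_PCT[name]}% band"
    # Risk-engine flags in the lowest band are reviewed on top of the random 5%.
    for loan in bands["below_10L"]:
        if loan["risk_flag"]:
            selected.setdefault(loan["id"], "risk-engine flag")
    return selected

def constructed_book():
    """Constructed sample data: 3 large, 40 mid-size, 200 small loans."""
    loans = [{"id": f"L{i:04d}", "amount": 60 * LAKH + i, "risk_flag": False}
             for i in range(3)]
    loans += [{"id": f"M{i:04d}", "amount": 10 * LAKH + i * 1000, "risk_flag": False}
              for i in range(40)]
    loans += [{"id": f"S{i:04d}", "amount": 2 * LAKH + i, "risk_flag": i % 50 == 0}
              for i in range(200)]
    return loans

if __name__ == "__main__":
    picked = select_sample(constructed_book(), seed=7)  # seed value is arbitrary
    print(len(picked), "loans selected for review")
```

Recording the seed with the working papers lets a second reviewer regenerate the same sample from the same disbursement list.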
Month-One Findings
- Revenue leakage: ₹26 lakh (₹18 lakh processing fee under-recovery on rural housing — system applied a discontinued promotional rate; ₹6 lakh prepayment charge omissions; ₹2 lakh stamp duty recovery gaps)
- KYC: 14 customer onboarding files with incomplete utility bill verification (rural branches)
- Statutory: TDS deduction on legal fees paid to two law firms below threshold — voluntary review
- NPA migration: 8 accounts in 30+ DPD bucket not flagged by the system due to a data sync gap with the LMS
The report is tabled at the next Audit Committee meeting. The processing fee gap triggers a system rate-master fix and a recovery exercise on loans disbursed since the gap began. By month six, cumulative recovery exceeds ₹1.4 crore.
Where Concurrent Audit Field Work Bottlenecks
Most field-time loss happens in three places. Loan documentation retrieval — branches store hardcopy files and the concurrent auditor waits for files to be pulled. Reconciliation between loan management system and General Ledger — the auditor often has to redo the reconciliation because the branch reconciliation is summary-level. System log access — the auditor needs read-only access to the LMS and core banking for transaction-level testing, and access provisioning often lags engagement start.
Continuous reconciliation infrastructure that maintains loan management system to General Ledger reconciliation in real time gives the concurrent auditor a ready evidence file each month, which compresses fieldwork from ten days to four.
Use the three-way match exception cost calculator to size the cost of running monthly reconciliations manually versus on a continuous engine for an NBFC of comparable size.
How Are Findings Reported and Closed?
The monthly report goes to the Audit Committee with an executive summary, risk rating for the month, observations grouped by category, an open-observations tracker from prior months, and a recommended-actions list with owners and target dates. The Audit Committee reviews the tracker at the next meeting. Significant findings — RBI directive non-compliance, fraud indicators, material revenue leakage — are flagged immediately to the CEO and Audit Committee Chair without waiting for the monthly cycle.
Closing
Concurrent audit is the largest in-flight assurance layer at banks and large NBFCs, with coverage mandated at 60 percent for public sector banks, 50 percent for private banks, and a full framework for NBFC-Upper Layer entities. The economic argument for concurrent audit lives in revenue leakage recovery; the regulatory argument lives in the RBI mandate. Banks and NBFCs that run continuous reconciliation between core systems and General Ledger give their concurrent auditors a clean evidence file each month, which is the single biggest lever for improving audit depth without expanding audit cost. For the underlying reconciliation infrastructure that produces this evidence, see reconciliation software India. For TDS deduction and statutory reconciliation that the concurrent audit report depends on, see TDS reconciliation software. The current concurrent audit guidance for banks and the Scale-Based Regulation for NBFCs are published on the Reserve Bank of India website.
The FAQs below cover the RBI coverage thresholds, the difference from statutory audit, NBFC-Upper Layer focus areas, monthly report structure, and revenue leakage quantification.