Regulatory Audits (RBI, IRDA, Privacy)

This article takes a close look at regulatory audits (RBI, IRDA, Privacy).

First, let us see what a regulatory audit means.

Regulatory Audit

    – Many businesses are required to get independent verification of financial and other data they provide to regulators. Others seek independent verification on their own initiative to avoid factual inaccuracies and the danger of non-compliance.
    – Financial statement audits are among the types of regulatory audits. One of the auditor’s most important responsibilities is to assist regulators with prudential oversight. Additional participation may be needed to address special needs.
    – We stay up to date on the latest regulatory developments and best practices in the banking, funds, and insurance/reinsurance businesses by providing frequent training to our employees and participating in a number of industry events.
    – A regulatory audit verifies that a project complies with all applicable regulations and requirements. According to the NEMEA Compliance Centre’s best practices, a regulatory audit must be accurate, objective, and impartial, and must provide monitoring and assurance to the organization.
    Now, let us see the actions taken by the NFRA (National Financial Reporting Authority) for the future of the audit profession.

NFRA Actions

    – Fixing the issue of accountability: One thing is certain based on NFRA’s orders and Audit Quality Review (AQR) reports: the new audit regulator will not hesitate to take strong action against those responsible for auditing. It has barred Udayan Sen (a former managing partner and chief executive officer of Deloitte India and an engagement partner in the IFIN audit), Rishad Daruvala (an audit quality control reviewer in the IFIN audit), and Shrenik Baid (part of the IFIN audit engagement team) from participating in the IFIN audit.
        → Similar charges have been levelled against Sen, Daruvala, and Baid. These include professional misconduct stemming from a variety of issues, such as failing to assess whether IFIN was a going concern, ignoring RBI inspection reports that raised concerns about IFIN’s failure to meet regulatory capital requirements, and failing to assess the risk of material misstatements creeping into financial statements, among others.
    – The independence of the auditor: With these orders and AQRs, the NFRA appears to have established a standard under which audit firms cannot get around the statute that prohibits auditors, or entities affiliated with them, from providing non-audit services. Some multinational audit firms operate through various entities that are linked to the firm’s network, and clients receive non-audit services from these entities.
        → For example, Deloitte India has a firm called Deloitte Haskins and Sells LLP, and KPMG has BSR & Associates LLP in its India network. However, Deloitte India and KPMG India are both members of the broader Deloitte India and KPMG India groups, respectively.
        → The NFRA is attempting to carry out the letter of the legislation, which states that while an audit firm is engaged in an audit of financial statements, no affiliated entities of the audit firm should provide non-audit services. Also, even if the auditor is not providing non-audit services throughout the audit, taking audit engagements may be prohibited if the auditor and the client had a business relationship before the audit began. Before the audit for the financial year 2017-18 began, BSR’s (KPMG-connected) entities offered non-audit services to IFIN.
        → NFRA deemed the business relationship that BSR’s affiliates had with IFIN before the IFIN audit engagement began to be sufficient grounds for the audit firm to lose its independence. When audit firms are required to rotate under the rules of the Companies Act 2013, this could have an impact on their capacity to generate revenue.
    – Audit methods and materiality: The NFRA examined the audit files of both BSR and DHS and discovered that several of the audit techniques they utilized were inadequate. This was done even during the previous administration, when the ICAI’s audit review board was in charge of such a review.
        → Through these AQR processes, the NFRA is attempting to fix blame so that audit procedures are designed in such a way that auditors do not ignore instances of fraud. As a corollary, it seeks to ensure that, before signing an audit report, auditors do not ignore the impact of such a fraud on the financial accounts.
        → The NFRA further noted that in the case of AQR of BSR, the firm’s IFIN audit engagement team set the financial materiality level unilaterally and without basis. Materiality is used to screen out transactions in order to conduct a transaction-level sample audit.
        → The auditors also failed to identify unique kinds of transactions for which the financial materiality level needed to be dropped, according to the report. This was necessary, given the intricacy of the IFIN audit, yet it was overlooked.
        → This could suggest two things for future audits: auditors will have to adjust how they establish materiality before they start their audit, and a rigorous materiality level for transactions is only useful for auditing routine transactions.
    Now, let us see various audits performed by different bodies.

RBI Audit

    → Governments’ principal job is to raise resources through tax and non-tax revenue tools and then spend them to achieve public policy goals. Democracies like India must do so within the framework of the constitution’s established rule of law.
    → A crucial tenet of this framework is that no department or agency in charge of resource mobilization can normally usurp it or a portion of it for its own spending.
    → The income-tax agency, for example, cannot utilize the funds it raises to pay the wages of its personnel. Such costs must be covered by the department’s budgetary allocations from Parliament.
    → The logic is clear. Agencies having legal authority to raise funds should not have perverse incentives to extort money from citizens.

Exceptions to the Rule

    → This rule does not apply to statutory regulatory authorities (SRAs). SRAs, such as the RBI, are authorized by law to levy fees, retain them, and use them to fund their operations. This exception is justified on the broader ground that SRA independence is an equally essential public policy aim. The ability to raise finances to carry out the responsibilities delegated to the SRAs is a crucial part of independence. This is where “audit” comes into play.
    → Given the potential for perverse incentives in an SRA raising and using resources, an audit by a reputable and empowered entity is required to ensure that SRAs are working in accordance with the law. This entails lawfully, fairly, and equitably raising resources and spending them to achieve the goals for which the SRA was established. Excessive resource raising and squandering are not uncommon, and audit is a tool for detecting and resolving this issue. In reality, an Indian SRA’s board decided to dramatically reduce ad valorem costs on regulated firms in 2008 after an embarrassing amassing of wealth from exorbitant ad valorem fees on regulated entities.
    → As a result, most SRAs in India are required by law to have their financial statements audited by the CAG. There are major outliers, however, and the pre-Independence SRA, the RBI, is one of them. According to the law, the RBI will be audited by two auditors nominated by the Government of India. It further states that the Government of India may appoint the CAG to investigate the RBI’s accounts at any time. This, however, has never been done, and instead, chartered accounting firms audit the RBI. This is, without a doubt, an unhappy arrangement. A private auditor is unlikely to have the fortitude to point out concerns, if any, with the RBI’s finances and expenditures.

The Alternative Solution

    → For this reason, the Financial Sector Legislative Reforms Commission (FSLRC) has suggested, in section 3.6 of its report, that the financial statements of all financial regulators be audited by the CAG.
    → It’s vital to remember that SRA audits are specialized and distinct from audits of government agencies. As a result, teams tasked with this must be well equipped and trained. Otherwise, we can find ourselves in trouble. A few years ago, the CAG demanded that SRAs not maintain their fee income in separate accounts and instead deposit it in government accounts.
    → This recommendation is not only backward, but it is also illegal. Fortunately, it appears that a feasible solution has been identified. However, because these threats are genuine and persistent, the best long-term response will be to legislate with clarity, as the FSLRC recommends.
    Now, let us look at the IRDAI audit.

IRDAI Audit

    → Every insurer’s financial accounts must be audited by an auditor once a year. According to the IRDA Act of 1999, at the end of each financial year, every insurer must prepare a Balance Sheet, a Profit and Loss Account, a separate Account of Receipts and Payments, and a Revenue Account in accordance with the IRDA’s regulations in respect of insurance business transacted by him and in respect of his shareholders’ funds.
    → An insurance company’s central and branch auditors are appointed during the company’s annual general meeting, with the permission of the C & AG required before the appointment is made.
    → With the most recent amendments to the Insurance Act of 1938 and the Companies Act of 2013, the Insurance Regulatory and Development Authority of India (IRDAI) has issued revised guidelines requiring insurers to comply with the provisions of the Companies Act of 2013 relating to the appointment of auditors.
    → Insurers must also follow the rules set forth in such guidelines. The Board will designate the statutory auditors based on the Audit Committee’s proposal, subject to shareholder approval at an Indian insurance company’s general meeting.
    → The branch auditors have the same rights and obligations as the statutory auditors to whom they are expected to submit their report.
    → The branch auditors at the division level, on the other hand, certify that the division’s trial balance properly incorporates the financial statements of the division’s branches.
    → Without the Authority’s permission, an insurer cannot fire its statutory auditor. At any given moment, an audit firm cannot accept audits from more than three insurers (Life/Nonlife/Health/Reinsurer). If it is discovered that insurers are not following the requirements for appointing auditors, the appointment might be cancelled.
    Now, let us look at privacy audit law.

Privacy Audit

    → A privacy audit, also known as a privacy compliance audit, is an evaluation tool that examines an organization’s privacy policies and procedures in light of current laws and regulatory requirements.
    → Private groups or government bodies that are confirming a company’s regulatory compliance may perform audits. In terms of privacy audit law, the FTC has the authority to conduct audits of businesses and take action if they are not properly securing personal information.
    → The FTC Act, which regulates unfair trade practices, is used to take action. Audits under the Health Insurance Portability and Accountability Act are also carried out to ensure that providers are abiding by HIPAA regulations and safeguarding sensitive health information.
    → A privacy audit can be conducted by a corporation to establish that the protections it provides are in line with industry best practices and its declared privacy policy. A privacy compliance audit might reveal significant liabilities for a corporation.

    That’s all about regulatory audits in India. I hope you found this essay enjoyable and learned something new. We have covered what regulatory audits are, the NFRA’s actions, RBI audits, IRDA audits, and privacy audits.