Internal audit & ICFR · 22 May 2026 · 1,610 words · 9 min read · LinkedIn

What internal audit actually catches in an NBFC: five recurring control failures

Ashish Gupta has audited NBFCs across lending, microfinance, and housing finance for 13 years. The same five control failures appear in almost every engagement. Here is what they are and what the cost looks like.

Written by CA Ashish Gupta, Senior Partner · Nucleus Advisors

Internal audit in an NBFC carries a specific weight that does not apply in the same way to most other financial institutions. The RBI's scale-based regulation framework has raised the compliance floor sharply, and the consequences of a control failure are not just regulatory. A poorly controlled NBFC can misstate its credit-loss trajectory, misrepresent portfolio quality to lenders, and accumulate operational risk that only surfaces under stress. At that point, the audit committee is asking why nobody caught it earlier.

We have run internal audits across NBFCs in retail lending, microfinance, housing finance, and equipment financing over the last 13 years. The issues that keep appearing are not exotic. They are not the kind of failure that requires sophisticated forensics to uncover. They are the kind that a well-structured internal audit catches in the first two weeks, if the audit scope is actually calibrated to the business.

Five of them come up, in some form, in almost every engagement.

Credit appraisal that exists on paper but not in practice

Most NBFCs have a credit policy. It specifies income verification requirements, LTV limits, customer segment eligibility, and deviation approval processes. What internal audit often finds is that the policy is followed in the application file and not in the actual appraisal decision.

In one mid-size retail lending NBFC we audited, the credit policy required income verification via two independent sources for self-employed borrowers above a certain ticket size. In a sample of 60 files we pulled, 31 had income verification based on a single bank statement, with a credit manager's handwritten note saying the customer's income had been 'verified telephonically'. The handwritten note was being treated as the second independent source.

The downstream effect was not visible yet in the NPA numbers because the portfolio was young. But the NPA projection for that segment, done against the verified-vs.-unverified split, showed a statistically different delinquency pattern. The deviation had been running for at least 14 months without being picked up by any internal function.

The pattern we see most often: the credit policy is tight enough that branches cannot meet their disbursement targets if they follow it strictly. The informal workarounds accumulate. Nobody explicitly approves them, but nobody flags them either. By the time they reach audit, they are embedded.

Loan documentation gaps that the system does not catch

Every NBFC has a loan origination system. Most LOS platforms have a checklist function, often configured as a mandatory field gate before disbursement can be authorised. The assumption is that if the disbursement goes through, the documentation is complete.

The assumption is frequently wrong.

Document checklist gates are often configured as tick-box fields rather than file-verification fields. The branch executive marks the document as received; the system accepts it; the disbursement proceeds. Whether the document was actually received, whether it is legible, whether it matches the customer record, is not verified by the system. That verification is supposed to happen in a post-disbursement review. In practice, the post-disbursement review is a reporting exercise, not an exception-handling exercise.

In one microfinance NBFC audit, we found that 19% of the files sampled had a KYC document marked as received that was either a photocopy of a photocopy (illegible), a document for a different customer, or a document that had expired before the loan was booked. The LOS had green-lit all of them.

The practical risk is not just regulatory. An unsupported KYC document becomes a problem in recovery proceedings. A property document with a chain-of-title gap becomes a problem at the time of enforcement. These are not abstract compliance issues. They are operational liabilities.

Why post-disbursement review fails

The post-disbursement review is almost universally under-resourced relative to the volume it is supposed to cover. In most NBFCs we have audited, one operations officer is reviewing 400 to 600 files per month on top of their normal branch duties. At that volume, the review becomes a count of documents received, not an assessment of quality. Internal audit's job is to quantify the gap between what the review is supposed to catch and what it actually catches.

Collections reporting that smooths over real portfolio stress

Bucket migration analysis is one of the sharper early-warning tools available in NBFC portfolio management. It tracks how accounts move between DPD buckets, and a deterioration in the forward-roll rate (the proportion of accounts that move from a worse bucket to an even worse one, rather than being resolved) is a leading indicator of systemic stress.

What internal audit repeatedly finds is that the collections MIS does not distinguish clearly between genuine cures and tactical cures. A tactical cure is a payment received from a borrower specifically to prevent the account from crossing a DPD threshold, often facilitated by the collections field team offering restructuring, rescheduling, or in some cases simply collecting cash without posting it to the system before month-end.

Tactical cures inflate the apparent portfolio quality because accounts show as current at the reporting date. The forward-roll rate looks acceptable. The NPA number is clean. The stress is real but deferred.

In a housing finance NBFC audit, we reconstructed the bucket movement data for a 12-month period and identified a cohort of accounts that had touched DPD 30+ at least once but were showing as regular at each month-end reporting date. The cohort was 8.2% of the portfolio by value. The actual credit-loss trajectory of that cohort, modelled against the collections history, was meaningfully different from the rest of the portfolio. The audit committee had not seen this view of the data. The standard MIS showed portfolio quality as at the reporting date; it did not show the history of the accounts sitting in the current bucket.

This is not always a deliberate misrepresentation. It is often a consequence of MIS design: reports are built for month-end snapshots, and mid-month movement is not tracked or archived. But the effect on the board's picture of portfolio quality is the same.
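The reconstruction described above, reduced to its core, as an added example that is not the author's or Nucleus Advisors' own tooling: it takes intra-month DPD observations (constructed sample rows, not data from any audited entity), builds the month-end snapshot a standard MIS would show, and flags accounts that touched DPD 30+ between snapshots yet appear regular at every month-end.

```python
import calendar
from collections import defaultdict

# Constructed sample, not data from any audited NBFC:
# (account_id, observation_date "YYYY-MM-DD", days_past_due, outstanding_balance).
# The mid-month rows are exactly what a month-end-snapshot MIS discards.
OBSERVATIONS = [
    ("A", "2025-01-15", 0, 500_000), ("A", "2025-01-31", 0, 500_000),    # regular throughout
    ("A", "2025-02-15", 0, 495_000), ("A", "2025-02-28", 0, 495_000),
    ("B", "2025-01-15", 0, 800_000), ("B", "2025-01-31", 0, 800_000),    # tactical-cure pattern:
    ("B", "2025-02-15", 35, 800_000), ("B", "2025-02-28", 0, 800_000),   # 35 DPD mid-Feb, 0 at month-end
    ("C", "2025-01-15", 10, 300_000), ("C", "2025-01-31", 25, 300_000),  # genuine slide, visible
    ("C", "2025-02-15", 40, 300_000), ("C", "2025-02-28", 53, 300_000),  # in the 30+ bucket at month-end
]

def is_month_end(day: str) -> bool:
    y, m, d = (int(p) for p in day.split("-"))
    return d == calendar.monthrange(y, m)[1]

def month_end_view(observations):
    """What the standard MIS shows: DPD per account at each month-end only."""
    view = defaultdict(dict)
    for acct, day, dpd, _ in observations:
        if is_month_end(day):
            view[acct][day] = dpd
    return view

def hidden_stress_cohort(observations, threshold=30):
    """Accounts that touched DPD >= threshold at some observation yet are
    regular (DPD 0) at every month-end, so the snapshot MIS never shows them."""
    peak = defaultdict(int)
    for acct, _, dpd, _ in observations:
        peak[acct] = max(peak[acct], dpd)
    snapshots = month_end_view(observations)
    return sorted(acct for acct, p in peak.items()
                  if p >= threshold and all(v == 0 for v in snapshots[acct].values()))

def cohort_share_by_value(observations, cohort):
    """Share of outstanding (latest balance per account) sitting in the cohort."""
    latest = {}
    for acct, day, _, bal in sorted(observations, key=lambda o: o[1]):
        latest[acct] = bal
    total = sum(latest.values())
    return sum(latest[a] for a in cohort) / total if total else 0.0
```

On the sample, account B is the only member of the hidden cohort, and account C, which is genuinely in the 30+ bucket at month-end, is correctly left to the standard MIS.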

Related-party arrangements whose operating terms have drifted from what the board approved

NBFCs frequently operate with co-lending arrangements, business correspondent relationships, or co-origination structures involving entities with common promoter ownership or board overlap. RBI has tightened the disclosure and approval requirements for these arrangements substantially, but the operational compliance has not kept pace with the policy commitments.

The failures we see are not typically of the outright undisclosed variety. They are softer: a co-lending partner that is a promoter-linked NBFC, with an approved board resolution and a signed agreement, but where the pricing terms, the first-loss default guarantee structure, and the portfolio selection criteria have been modified informally since the agreement was signed. The original agreement is on file. The current operating practice does not match it.

The gap between the documented arrangement and the actual operating practice is where audit risk concentrates. If a regulator pulls the files, the documented terms look compliant. The actual economics are different. Internal audit has to bridge that gap, which requires interviewing the treasury and collections teams, not just reading the agreements.

In one equipment finance NBFC, the co-lending arrangement with a promoter-linked entity had been modified three times at the operational level over 18 months. None of the modifications had gone to the board for approval, because they were framed internally as 'operational adjustments' rather than material changes to the arrangement. The audit committee had approved the original structure. They had not approved what was actually running.

IT access controls that have not been reviewed since implementation

The fifth failure is the one that surprises audit committees the most, because it tends to be clean on paper. Most NBFCs have an IT access control policy. It specifies role-based access, segregation of duties, maker-checker requirements, and periodic access reviews. The policy is usually well-drafted. The implementation is often years out of date.

The specific pattern we see: the access matrix was designed and implemented when the LOS or the core banking system went live. Staff have changed roles, been promoted, joined, and left. The access matrix has not been updated to reflect any of it. Former employees have active system credentials in a significant portion of the NBFCs we audit. Employees who have moved from branch operations to collections still have disbursement authorisation rights. A credit manager who was promoted to zonal manager has retained their own individual maker credentials along with the approver credentials they acquired on promotion.

Segregation of duties violations in financial systems are not theoretical. They create the conditions for fraud and for undetected error. In a stressed collections environment, the combination of disbursement access and collections posting access in a single user's credentials is a specific and serious operational risk.

The fix is a structured user access review, typically a three-to-four-week exercise depending on system complexity, followed by access revocation, role realignment, and a quarterly review cadence going forward. Most NBFCs know they need to do this. Most have not done it in the last 18 months.
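The core of the user access review described above, as an added example rather than the author's or any vendor's tool: it reconciles a constructed HR roster against a constructed system access extract and reports the three patterns the text names (credentials of former employees, entitlements left over from a previous role, and toxic combinations such as disbursement authorisation plus collections posting, or maker plus checker on the same workflow). The role matrix and entitlement names are assumptions for the example.

```python
# Constructed role matrix (an assumption for this example): entitlements each role should hold.
ROLE_MATRIX = {
    "branch_ops": {"loan_maker", "disbursement_authorise"},
    "collections": {"collections_posting"},
    "credit_manager": {"credit_maker"},
    "zonal_manager": {"credit_approver"},
}
# Segregation-of-duties conflicts: entitlement sets no single user may hold together.
SOD_CONFLICTS = [
    ({"disbursement_authorise", "collections_posting"}, "disbursement + collections posting"),
    ({"credit_maker", "credit_approver"}, "maker and checker on credit approval"),
]

# Constructed HR roster: user -> (employment status, current role).
HR = {
    "u101": ("active", "collections"),    # moved from branch_ops to collections
    "u102": ("left", "branch_ops"),       # exited, never deprovisioned
    "u103": ("active", "zonal_manager"),  # promoted from credit_manager
    "u104": ("active", "branch_ops"),     # clean
}
# Constructed system access extract: user -> entitlements currently active in the LOS.
ACCESS = {
    "u101": {"collections_posting", "disbursement_authorise"},
    "u102": {"loan_maker", "disbursement_authorise"},
    "u103": {"credit_maker", "credit_approver"},
    "u104": {"loan_maker", "disbursement_authorise"},
}

def review_access(hr, access):
    """Return (user, finding_kind, detail) tuples for the access review workpaper."""
    findings = []
    for user, ents in access.items():
        status, role = hr.get(user, ("unknown", None))
        if status != "active":
            # Orphaned credentials: revoke outright, no point assessing the rest.
            findings.append((user, "orphaned", f"active credentials, HR status {status}"))
            continue
        excess = ents - ROLE_MATRIX.get(role, set())
        if excess:
            findings.append((user, "excess", f"{sorted(excess)} not in role {role}"))
        for combo, label in SOD_CONFLICTS:
            if combo <= ents:
                findings.append((user, "sod", label))
    return findings
```

Running it on the sample yields an orphaned-credential finding for u102, an excess-plus-SoD pair for u101 (the branch-to-collections move) and for u103 (the promoted credit manager), and nothing for u104.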

What these five failures have in common

They are all detectable with a well-scoped audit. None of them require forensic investigation. None of them are hidden by sophisticated concealment. They persist because the audit scope is often designed around the regulatory checklist rather than around the actual operating model, and because the internal audit function is under-resourced relative to the portfolio growth the NBFC has experienced.

The RBI's revised framework for NBFCs has raised the bar on what audit committees are expected to know. The gap between that expectation and what the current internal audit function is actually surfacing is where engagement starts. When we run an NBFC audit, the five areas above are where we begin, because in 13 years, they have never all been clean at once.
