LFAR Compliance by Statutory Central Auditors in a Banking Company — Clause-by-Clause Professional Analysis

Prepared for Qualified Chartered Accountants | Based on RBI Revised LFAR (Annex I) vide Circular Ref.No.DOS.CO.PPG./SEC.01/11.01.005/2020-21 dated September 5, 2020 (applicable from FY 2020–21 onwards)

1. Executive Context and Scope

The Long Form Audit Report (LFAR) is a structured management-oriented report that supplements the statutory audit of banks. Pursuant to the Reserve Bank of India (RBI) circular dated September 5, 2020, the LFAR formats were comprehensively revised. Annex I prescribes the LFAR to be issued by the Statutory Central Auditors (SCAs) to the management and the Board/Audit Committee of the bank, with the overarching objective of identifying gaps and vulnerable areas in business operations, risk management, compliance, and the efficacy of internal audit. This paper provides a clause-by-clause professional analysis of the SCA-LFAR, defining key terms, explaining the testing focus, and illustrating with corporate-style case studies and numerical examples. The perspective is aligned to Indian commercial banks, with notes relevant to public/private sector banks, foreign banks’ Indian operations, and small finance banks.

Important note on usage: While branch auditors report under Annex II and specialized appendices, the SCA consolidates and overlays these with bank-wide testing and thematic reviews. Consequently, SCA procedures combine (i) top-down assessment of policies, risk culture, governance, and MIS/data integrity; and (ii) bottom-up synthesis of branch LFARs, critical account reviews, and exception analytics.

2. Guiding Principles Embedded in Annex I

  • Objective: Provide an independent opinion to the Board on gaps/vulnerabilities in business operations, risk management, compliance, and internal audit efficacy.
  • Coverage: Credit, market, liquidity and operational risks; cyber security; KYC/AML/CFT; supervisory returns quality; data integrity; and business conduct.
  • Approach: Risk-based planning, limited transaction testing where necessary, reliance with professional scepticism on branch LFARs, and judgement on qualifications.
  • Governance: Material additions to scope require justification and prior intimation to the Audit Committee of the Board (ACB).
  • Output: Constructive, actionable observations with risk assessment, materiality, and traceable evidence.

3. Glossary of Important Terms (as used in Annex I analysis)

  • SCA: Statutory Central Auditor(s) appointed for the bank as a whole.
  • LFAR: Long Form Audit Report, a management report distinct from but complementary to the statutory audit report.
  • CRILC: Central Repository of Information on Large Credits; RBI database for exposures ≥ ₹5 crore.
  • IRAC: Income Recognition and Asset Classification norms prescribed by RBI.
  • EWS: Early Warning Signals used by banks for pre-NPA monitoring.
  • RCSA: Risk & Control Self-Assessment used by risk/operational risk functions.
  • ALM: Asset-Liability Management covering liquidity and interest rate risks.
  • FTP: Funds Transfer Pricing used to allocate interest rate risk/returns to businesses.
  • BCP/DR: Business Continuity Planning & Disaster Recovery for resilience.
  • DEAF: Depositor Education and Awareness Fund (unclaimed amounts transfer).

4. CREDIT RISK AREAS — Clause-by-Clause Analysis

4.1 Loan Policy

Scope: Assess sufficiency and effectiveness of the loan policy and compliance with RBI instructions on exposure norms, interest rate setting, sectoral restrictions, and statutory caps. Evaluate translation of policy into business model/strategy and actual portfolio behaviour (growth, risk-adjusted returns, and concentrations).

Key words defined — Exposure norms (single/group borrower limits, connected lending, intra-group exposures), Risk Appetite (tolerances for concentrations, sectoral caps, and underwriting standards), Pricing Framework (risk-based pricing matrices, benchmark linkages like EBLR/MCLR, and exceptions approval).

Testing focus for SCAs: (i) Does policy explicitly define risk appetite with measurable limits; (ii) are sectoral/borrower concentration dashboards monitored; (iii) is pricing aligned with obligor/transaction rating and collateral quality; (iv) were material policy deviations approved with rationale and reported to ACB.

Corporate case study (Illustrative): A bank’s NBFC exposure cap was 10% of advances; actual reached 12.6% due to rapid growth in a quarter. Exceptions were approved by a lower-level committee without ACB noting. Risk: concentration vulnerability and governance override. SCA Observation: ‘Concentration limits for NBFCs breached for 2 months; approvals were accorded below mandated level; recommend automated limit-blocks and ACB oversight.’

Numerical illustration: If total net advances are ₹2,40,000 crore and NBFC exposure is ₹31,000 crore, concentration = 12.92% (>10% cap). Assuming sectoral PD shock of +150 bps and LGD of 40%, expected loss uplift ≈ ₹1,116 crore (₹2,40,000 × 12.92% × 1.5% × 40%).

4.2 Credit Assessment

Scope: Evaluate end-to-end underwriting including obligor rating, financial analysis, cash flow assessment, security cover, and industry risk. Special focus on ‘quick mortality’ (accounts slipping to NPA within 12 months of sanction).

Key words — Obligor Rating (PD-centric grading), Facility Rating (LGD-inclusive), Cash Flow DSCR (Debt Service Coverage Ratio), External Validation (bureau data, GST, income tax, MCA filings) and Stress Testing (downside scenarios).

Testing focus: (i) Reliance on projected cash flows vs validated orders; (ii) independence of credit risk function vs business; (iii) overrides to rating/projections; (iv) MIS on quick mortality and root cause analysis (RCA).

Case study: A mid-corporate steel trader sanctioned ₹250 crore WC. Projections assumed 25% growth; GST e-way data showed flat volumes. Within 9 months, stock obsolescence hit margins; account downgraded SMA-2. SCA flags weak external validation and absence of stress test on steel spreads.

Numerical: If sanctioned CC limit ₹250 crore with drawing power (DP) linked to stock/debtors (75% margin norms), and actual eligible DP averaged ₹180 crore, utilisation > DP by ₹40–60 crore for 3 months signals tolerance failures; EWS should escalate to Credit Monitoring Committee.

4.3 Sanctioning / Disbursement

Scope: Delegation of powers (DoP), checks/balances, and disbursal conditions (CPs) compliance.

Testing focus: (i) DoP adherence; (ii) end-use certification; (iii) stage-wise disbursal tied to milestones; (iv) escrow/TRA controls.

Case: A project term loan ₹600 crore disbursed 70% upfront without completion of land acquisition CP; later litigations stalled project. Observation: Systemic weakness in CP verification; recommend maker-checker with legal title verification and satellite evidence for land progress.

Numerical: If DoP allows Zonal Credit Committee up to ₹400 crore but sanction noted at ₹450 crore without Board approval, deviation = ₹50 crore requiring ratification; repeated breaches warrant control redesign.

4.4 Documentation

Scope: Execution as per sanction, consortium/multiple banking documentation, charge creation/registration (CERSAI/ROC), renewal/deficiency tracking, and safe custody.

Key words — CERSAI (central registry), ROC Charge (Companies Act), Dropline Structures, Negative Lien, Pari Passu/First Charge Inter-creditor Agreements (ICA).

Case: In a consortium, pari passu sharing agreement unsigned by a new lender; bank’s charge not perfected on additional inventory. On default, recovery diluted. SCA notes delay in CERSAI filing beyond 30 days causing priority risk under IBC waterfall.

Numerical: Security value ₹800 crore; bank’s share 30%. Without perfected charge, realised value allocation may drop by 10–15%, i.e., loss of ₹24–36 crore.

4.5 Review, Monitoring and Post-Sanction Supervision

Scope: Coverage and effectiveness of monitoring for both on- and off-balance sheet exposures including CRILC/CIBIL reporting, EWS, stock audits, covenants, and monitoring committees. Emphasis on SMA migration, restructuring governance, and special mention accounts (SMA-0/1/2).

Case: Large EPC borrower repeatedly delayed stock audits; ageing of receivables misreported. CRILC mismatch > ₹5 crore persisted for two quarters. SCA recommends automated CRILC validations and independent data lineage controls from core banking to regulatory returns.

Numerical: If SMA-2 pool is ₹7,500 crore and historical migration to NPA is 35%, expected slippage ≈ ₹2,625 crore; with average provision coverage ratio (PCR) 45%, incremental provision need ≈ ₹1,181 crore — material to capital planning.

4.6 Recovery, NPA Management and Resolution (including IBC/SARFAESI)

Scope: Efficacy of recovery channels (SARFAESI, DRT, IBC, OTS/compromise), write-off policy, and provisioning discipline. Specific commentaries on legal action not acted upon, compromise frameworks, monitoring under IBC, and prudential write-offs.

Case: Compromise settlement below net present value of security without Board-approved deviation paper; recovery committee minutes lacked sensitivity analysis. SCA urges hard thresholds (e.g., minimum recovery vs realisable value) and post-OTS monitoring for covenant adherence.

Numerical: NPA outstanding ₹10,000 crore with average security realizable value 35%. If compromise at 32% with 12-month bullet receipt, time value adjustment at 10% discount rate gives PV ≈ 28.9%; delta vs security value (35%) implies economic loss ≈ ₹610 crore — requires ACB scrutiny.

4.7 Restructuring, Rescheduling and Evergreening Risks

Scope: Compliance with RBI frameworks (e.g., Prudential Framework for Resolution of Stressed Assets), inter-creditor agreements, independent credit evaluation, and guardrails against evergreening (fresh limits/rollovers to avoid NPA recognition).

Case: WC limit top-ups prior to code downgrades without underlying cash conversion; round-tripping via related-party trade revealed in GST data. SCA flags EWS override and recommends forensic-style validation for high-risk exposures.

Numerical: If overdue ≥ 90 days on ₹500 crore facility, fresh ad-hoc ₹60 crore disbursed on day 89 to clear dues and rebook; pattern repeated thrice — a strong evergreening indicator; governance escalation mandatory.

4.8 Off-Balance Sheet Exposures and Contingent Liabilities

Scope: Guarantees, LCs, derivatives, and undrawn commitments; collateral management; and capital charge adequacy under Basel norms.

Case: Bank’s non-fund exposure concentration in performance guarantees to a single EPC group > 25% of Tier 1 capital, triggering risk appetite breach despite low utilisation of fund-based lines.

Numerical: If non-fund exposure ₹18,000 crore with 30% CCF for capital computation, RWA add-on = ₹5,400 crore; at 10.875% capital requirement, capital demand ≈ ₹587 crore; breaches must be reported with remediation plan.

4.9 Collateral Valuation and Insurance

Scope: Panel valuer independence, revaluation frequency, forced sale value usage, and insurance adequacy with bank clause.

Case: Inventory insurance without bank clause; claim repudiated. SCA recommends system-enforced bank clause and automated renewal alerts.

5. MARKET RISK AREAS — Clause-by-Clause Analysis

5.1 Investments — Policy, Classification and Valuation

Scope: HTM/HFT/AFS classification, valuation methodologies, price sources (FIMMDA/FBIL), depreciation reserves, and migration between categories. Special attention to complex products and hedge effectiveness documentation.

Case: Improper day-count conventions in MTM of AFS G-Secs overstated value by 4 bps; cumulative impact ₹120 crore. SCA insists on maker-checker in valuation files and exception analytics across scrips/curves.

Numerical: Duration 6.0; yield upshift 25 bps implies price drop ≈ 1.5%; on ₹10,000 crore book, MTM loss ≈ ₹150 crore — provisioning/AFS reserve impact to be assessed.

5.2 Treasury Operations and Controls

Scope: Dealing room segregation (front–mid–back office), deal capture, confirmation, settlement, and limit monitoring (counterparty, stop-loss, dealer limits).

Case: FX spot–forward mis-bookings due to spreadsheet uploads; back office reconciliations lagging T+1. SCA recommends STP and system-based counterparty limit checks with real-time alerts.

5.3 ALM — Liquidity and Interest Rate Risk

Scope: Structural liquidity statements, LCR/NSFR compliance, interest rate risk in the banking book (IRRBB), and behavioural modelling of deposits/loans.

Numerical: LCR HQLA ₹80,000 crore; net cash outflows ₹70,000 crore → LCR 114.3% (≥100% compliant). IRRBB: EVE sensitivity of −8% of Tier 1 on +200 bps shock may breach risk appetite; requires hedging or repricing strategy.

6. OPERATIONAL RISK AREAS — Clause-by-Clause Analysis

6.1 KYC/AML/CFT Compliance

Scope: Customer due diligence, beneficial ownership, PEP screening, transaction monitoring, STRs, and sanctions compliance. SCA examines centralised KYC utilities, periodic KYC updates, and alert closure quality.

Case: High false-positive STR closure rates; inadequate narrative quality. Recommend QA function and risk-based sampling escalation to ACB.

6.2 IT General Controls (ITGC) and Cyber Security

Scope: Access controls, change management, interfaces, batch jobs, backups, patching, endpoint security, SOC monitoring, and incident response. Coverage extends to DC/DR drills, RPO/RTO, and cyber hygiene across branches and digital channels.

Case: Delay in critical patch deployment beyond SLA; CVE-related exploit attempts observed in SOC. SCA recommends risk-acceptance thresholds and Board-level metrics on mean-time-to-patch (MTTP).

6.3 Outsourcing and Third-Party Risk Management

Scope: Policy compliance with RBI outsourcing guidelines, due diligence, SLA/KPIs, concentration risk, and exit/BCP arrangements.

Case: Single vendor dependency for application management; termination clause weak. Suggest dual-vendor model and escrow of source code/build scripts.

6.4 Business Continuity, Fraud Risk and Complaint Management

Scope: BCP/DR, fraud risk governance (including digital channels), whistle-blower mechanisms, and complaint resolution TATs. SCA integrates fraud trend analytics with product/process vulnerabilities.

Numerical: If digital fraud losses rose from ₹35 crore to ₹60 crore YoY (+71%), but recoveries improved by ₹8 crore, net impact +₹17 crore; control enhancements must target top 3 MOs contributing 80% of loss.

6.5 DEAF, Inoperative Accounts and Suspense/Sundry

Scope: Compliance with DEAF transfers, interest methodology, reconciliation of suspense/sundry heads, ageing analysis, and fraud-prone nature of inoperative accounts.

Case: Unreconciled suspense credits > ₹150 crore older than 180 days without provision; SCA demands root-cause analytics and provisioning per policy.

7. FINANCIAL REPORTING AND OTHER MATTERS — Clause-by-Clause Analysis

7.1 Accounting Policies (including Changes during the Period)

Scope: Appropriateness and consistency of significant accounting policies; disclosures of changes and quantitative impact. SCA evaluates alignment with RBI/Ind AS (where applicable) and prudential norms.

Case: Change in EIR computation for floating-rate retail loans; revenue recognition advanced by 3–5 bps. SCA recommends retrospective calibration and disclosure.

7.2 Statutory Liabilities and Provisions

Scope: Adequacy of provisions for income tax, gratuity, pension, provident fund; actuarial assumptions reasonableness; and compliance with regulatory guidance.

Numerical: If actuarial liability increased by ₹420 crore due to discount rate drop of 50 bps, OCI impact and regulatory capital filters to be assessed.

7.3 Provisions for Off-Balance Sheet Exposures and Other Claims

Scope: Prudential provisioning for devolved LCs/guarantees and litigations; adequacy of legal contingency estimation.

Case: Court-awarded damages probable at ₹180 crore; provision booked only ₹60 crore. SCA recommends raise to best estimate with ACB approval.

7.4 Balances with Other Banks — Reconciliation Controls

Scope: Reconciliations for nostro/vostro/IB balances; ageing of unmatched entries; materiality thresholds and provisioning for stale items.

Case: Nostro long items > 90 days of ₹85 crore; inadequate provisioning policy trigger. SCA suggests accelerated write-back/write-off framework.

7.5 NOSTRO Revaluation and Outstanding Forward Exchange Contracts

Scope: Year-end revaluation rates, spot/forward points sources (FBIL), and hedge documentation completeness; linkage to unrealised gain/loss policies and disclosure.

Numerical: Net open position $120 million; 10 paise INR move → P&L impact ₹12 crore; capital sensitivity to be reported to ACB.

7.6 Compliance with DEAF Norms

Scope: Transfer of unclaimed deposits, interest computation as guided, claim processing and fraud risk in reactivation; systemic controls for maker–checker and video-KYC where applicable.

7.7 Compliance with RBI Committee Recommendations

Scope: Periodic self-assessment of compliance to committee recommendations on internal controls and customer service; SCA to comment on gaps and remediation ownership.

7.8 Subsidiaries/Associates/Joint Ventures — Oversight and Reporting

Scope: Reporting systems from subsidiaries to the bank, impairment triggers, related-party transactions, and consolidation controls.

Case: Insurance subsidiary incurred large new business strain; capital support letters issued by bank. SCA assesses going concern and regulatory capital impact.

7.9 Business Conduct and Customer Service

Scope: Wrongful charges, mis-selling, grievance redressal efficacy, and fair practices. SCA examines thematic reviews and consumer complaints analytics.

Numerical: If wrongful charges refunded ₹140 crore after regulator’s directive, root-cause fix and product disclosure revamp required; ACB to monitor closure.

7.10 Any Other Matter Considered Material by the Auditor

Examples: Emerging risks (climate/ESG, model risk, fintech partnerships), large data quality issues in supervisory returns, and persistent internal audit findings not remediated across cycles.

8. SCA Methodology for LFAR — A Practical Blueprint

1. Planning: Risk-based plan aligned to business model, risk appetite, portfolios, and digital footprint; map to Annex I clauses.

2. Data Integrity: End-to-end data lineage walkthroughs from source systems to regulatory returns; reconcile sampling to ensure completeness/accuracy.

3. Evidence: Triangulate Board minutes, policy documents, MIS dashboards, ICAAP/ILAAP, internal/concurrent audit, and branch LFARs.

4. Sampling: Thematic samples for concentrations, slippages, evergreening indicators, restructurings, and large/irregular/critical accounts.

5. Analytics: Use EWS, bureau/GST integrations, and textual mining of sanction notes for overrides; compare CRILC to internal ratings.

6. Materiality: Define quantitative and qualitative materiality for management points vs report qualifications.

7. Reporting: Classify observations by severity (High/Medium/Low), root-causes, risk ratings, and time-bound action plans; track management responses.

8. Governance: Communicate scope additions to ACB; document professional judgement for any qualification in main report.

9. Synthesising Branch LFARs into SCA-LFAR

SCAs should deploy a structured consolidation framework mapping branch LFAR findings into thematic risk buckets: documentation lapses, DP/stock audit issues, NPA management effectiveness, KYC/AML exceptions, ITGCs at branch-level, and cash/ATM reconciliations. Material repeated issues should escalate to bank-wide control redesign points in the SCA-LFAR, with cross-references to affected business lines and root causes (policy gaps, system limitations, training needs).

10. Professional Judgement Areas and Common Pitfalls

  • Conflating LFAR with statutory opinion — LFAR is diagnostic; ensure precision without boilerplate language.
  • Under-reporting evergreening risk due to reliance on management narratives; insist on independent external corroboration (GST, e-way, MCA).
  • Inadequate attention to off-balance sheet exposures and hedge documentation leading to latent P&L volatility.
  • Ignoring data quality in supervisory returns (CRILC/BSR/OSMOS) — a regulatory hotspot with reputational risk.
  • Delays in closing aged reconciliations and suspense heads — often indicative of revenue leakage or fraud risk.

11. Numerical Appendix — Selected Worked Examples

11.1 Expected Credit Loss Style Sensitivity (Non-Ind AS bank using prudential proxies)

Illustration: Portfolio advances ₹3,50,000 crore; SMA-2 pool ₹9,000 crore; migration-to-NPA ratio 30%; LGD 45%; interest rate 9%. Expected incremental NPA = ₹2,700 crore; provision requirement ≈ ₹1,215 crore. Capital adequacy impact at 10.875% minimum ≈ 0.31% CET1 consumption if unmitigated.

11.2 ALM Gap Sensitivity

Illustration: Rate-sensitive liabilities (RSLs) ₹2,10,000 crore repricing < 6 months; rate-sensitive assets (RSAs) ₹1,95,000 crore in same bucket → gap −₹15,000 crore. A parallel +100 bps shock over 6 months implies short-term NII drop ≈ ₹75 crore (assuming uniform distribution and average gap duration of 0.5 years).

11.3 Treasury MTM Check

Illustration: AFS book ₹12,000 crore, average modified duration 5.5. Yield upshift 40 bps → price drop ≈ 2.2%; MTM loss ≈ ₹264 crore; validate against GL movements and valuation reserves after tax.

12. Pragmatic Reporting Templates for SCA-LFAR

SCAs may adopt a structured template per clause with (i) Reference to Annex I clause; (ii) Observation; (iii) Risk; (iv) Root Cause; (v) Regulatory/Policy reference; (vi) Impact (quantified where feasible); (vii) Recommendation; (viii) Management Response; (ix) Closure Target Date; (x) Owner. This enables the ACB to track remediation and link LFAR outcomes to risk appetite breaches and Internal Audit plans.

13. Conclusion

The revised LFAR elevates the SCA’s role from compliance reporting to a forward-looking, risk-intelligent assurance partner to the Board. A rigorous, data-driven, and sceptical approach — anchored in Annex I clauses — helps surface vulnerabilities early, calibrate capital and liquidity buffers, and improve customer outcomes. Meticulous documentation of professional judgement, clear quantification of impacts, and crisp remediation roadmaps are essential for a high-quality LFAR that stands regulatory scrutiny and adds tangible value to the bank’s control environment.

Annex I — Detailed Clause-wise Checklists, Procedures, and Illustrations

I. CREDIT RISK: Detailed Procedures

Loan Policy — Additional Tests:

  • Verify alignment of sectoral caps with ICAAP stress scenarios; ensure board-approved risk appetite statement includes MIs (migration indices) and tail-risk thresholds.
  • Assess policy clarity on connected lending, exposure aggregation across group entities, and related party transactions; validate UBO identification via MCA, PAN, and independent databases.
  • Examine exception governance: % of sanctions approved under deviations, cumulative impact on RAROC, and periodic ACB reporting.

Credit Assessment — Additional Tests:

  • Back-test rating models: compare one-year default rates versus model PD buckets; evaluate calibration drift.
  • Validate borrower cash flows using GST returns, TDS/TCS data, bank statement analytics, and industry benchmarks.
  • Assess collateral legal validity: search reports, encumbrance checks, ROC/CERSAI timelines, and cross-collateralization clauses.

Sanctioning/Disbursement — Additional Tests:

  • End-use validation through UPI/NEFT trace mapping, vendor confirmations, and GRN/BoL documents for term loans.
  • TRA/escrow reconciliation: verify prohibited payments and unauthorised fund transfers.
  • Milestone-based term loan drawdowns: sample EPC projects to confirm physical progress (geo-tagged photos/satellite tools).

Documentation — Additional Tests:

  • Check stamp duty adequacy and revalidation on renewal; custody logs with dual control.
  • For consortium accounts, examine DRA sharing, ICA compliance, and information sharing frequency; minutes and voting thresholds.

Monitoring & Post-Sanction — Additional Tests:

  • Covenant analytics (DSCR, TOL/ATNW, FACR) and breach remediation timelines; auto-triggers for downgrade watch.
  • Stock audit quality: valuer independence, exception closure tracking, and fake/related-party sales indicators.
  • CRILC integrity: reconcile large exposures file with GL; investigate threshold breaches and systemic mapping errors.

Recovery/NPA/Resolution — Additional Tests:

  • Ageing analysis of legal cases vs policy timelines; measure recovery velocity by channel (SARFAESI, DRT, IBC, OTS).
  • Provisioning discipline: NPA ageing buckets, security value haircuts, and write-back governance post recovery.
  • IBC monitoring: CoC voting records, resolution value vs liquidation value analysis, and post-resolution performance (implementation risk).

Restructuring/Evergreening — Additional Tests:

  • Identify round-tripping via trade cycles, related-party trails, and abnormal spike in vendor/customer balances pre-quarter-end.
  • Validate RBI framework compliance: Inter-Creditor Agreement, ICE ratings, and disclosure adequacy.

Off-Balance Sheet & Collateral — Additional Tests:

  • Counterparty limits vs Tier-1; stress impact on CVA/DVA (where applicable) and RWA.
  • Collateral valuation periodicity; impairment triggers from sectoral price indices; insurance with bank clause and claims track record.

II. MARKET RISK: Detailed Procedures

Investments — Additional Tests:

  • Verify classification documentation, board approvals for reclassifications, and HTM ceiling compliance.
  • Price source hierarchy, stale price controls, and curve validation against FBIL/FIMMDA.
  • Hedge effectiveness testing (prospective/retrospective) and documentation completeness.

Treasury Operations — Additional Tests:

  • Dealer-wise P&L attribution (PAA), unexplained residuals, and limit utilisation dashboards.
  • Confirmation matching timeliness, settlement fails metrics, and reconciliation completeness.

ALM — Additional Tests:

  • Behavioural assumptions (prepayments, non-maturity deposit decay) governance; independent validation.
  • LCR/NSFR eligibility computations and HQLA operational requirements; collateral flows and encumbrance tracking.
  • IRRBB policy adherence; EVE/NII sensitivity under prescribed interest rate shock scenarios; FTP design effectiveness.

III. OPERATIONAL RISK: Detailed Procedures

KYC/AML/CFT — Additional Tests:

  • BO identification for complex structures; PEP screening completeness; name-match quality and fuzzy logic thresholds.
  • STR governance: alert generation to STR filing pipeline metrics; QA of narratives; regulator feedback loop.

ITGC & Cyber — Additional Tests:

  • User access reviews (UARs), SoD conflicts, privileged access monitoring; joiner–mover–leaver controls.
  • Change management: CR approvals, testing evidence, deployment logs, and backout plans.
  • Patch management KPIs: mean-time-to-patch critical vulnerabilities; DR drills and evidence of successful failover.

Outsourcing & Third Parties — Additional Tests:

  • Risk assessments prior to onboarding; data localisation clauses; right-to-audit; and exit/transition plans.
  • Concentration analysis by service/vendor/geo; financial health of vendors and escrow arrangements.

BCP/Fraud/Complaints — Additional Tests:

  • Scenario-based BCP tests; cyber tabletop exercises; documentation of lessons-learned.
  • Fraud analytics: velocity controls, mule account patterns, and rule tuning governance.
  • Complaint TATs and thematic remediation; linkages to product/process changes.

DEAF/Inoperative/Suspense — Additional Tests:

  • Automated ageing, maker–checker for reactivation, call-back verifications.
  • Sundry/suspense reconciliations with provisioning logic and write-off/write-back governance.

IV. FINANCIAL REPORTING & OTHER MATTERS: Detailed Procedures

Accounting Policies — Additional Tests:

  • Consistency across periods; impact quantification of any change; alignment with RBI instructions and applicable Ind AS path.

Statutory Liabilities — Additional Tests:

  • Actuarial assumption sensitivity, plan asset performance, and regulatory capital filter impacts.

Off-Balance Sheet Provisions — Additional Tests:

  • Devolved LCs/guarantees provisioning; legal contingencies — probability and range estimation; disclosure accuracy.

Interbank/Nostro — Additional Tests:

  • Ageing of unmatched items; provisioning; FX revaluation evidence and rate sources.

DEAF — Additional Tests:

  • Interest methodology; claimant authentication; fraud controls.

Committee Recommendations & Subsidiaries — Additional Tests:

  • Periodic compliance matrices for Ghosh/Jilani/Mitra; subsidiary reporting cadence, loss drivers, and capital support governance.

Business Conduct — Additional Tests:

  • Thematic review outcomes; suitability/affordability assessments; fee income controls and reversals analytics.

V. Case Studies — Extended Scenarios with Numbers

1) Consortium Manufacturing Borrower (₹2,800 crore FB/NFB):

  • Issues: Delayed stock audits; inflated receivables; breach of FACR covenant for 3 quarters; CRILC mismatch.
  • Numbers: FACR covenant ≥1.50; actual 1.28, 1.31, 1.33. SMA-1 exposure ₹420 crore moved to SMA-2 ₹260 crore; expected slippage at 35% → ₹91 crore.
  • SCA Reportable Point: Strengthen covenant breach triggers; independent receivable confirmations; automated CRILC validation.

2) Treasury AFS Book (₹18,500 crore):

  • Issues: Inconsistent price source selection; day-count errors; mid-office understaffed.
  • Numbers: Duration 5.2; +30 bps shock → loss ≈ 1.56% = ₹288 crore; partial hedge ineffectiveness adds ₹22 crore.
  • SCA Reportable Point: Centralise valuation; independent curve validation; daily PAA with exception thresholds.

3) Digital Fraud Spike in Payments:

  • Issues: New app launch led to 70% YoY rise in fraud attempts; rule thresholds too lax.
  • Numbers: Gross fraud ₹62 crore; recovery ₹11 crore; net loss ₹51 crore; concentration in 3 MOs = 82%.
  • SCA Reportable Point: Re-tune rules; introduce device fingerprinting; strengthen mule detection; board metrics on fraud loss per million transactions.

4) Outsourcing of Collections:

  • Issues: Single vendor 78% share; inadequate data security clauses; weak exit plan.
  • Numbers: Vendor SLA breach days 24; customer complaints +35%; leakage estimated ₹14 crore.
  • SCA Reportable Point: Dual-vendor strategy; escrow of IP; revised SLA with penalties and audit rights.
