Updated: May 2026
Internal controls and risk assessment sit at the core of every banking audit — whether it is a statutory audit of the bank itself, a concurrent audit of a branch's operations, or a credit audit of a borrower's financial position. The Reserve Bank of India's supervisory framework, SEBI's inspection norms for market intermediaries, and the banking regulator's risk-based supervision (RBS) model have all elevated the importance of documented, tested internal controls over the last decade.
Here is what internal controls and risk assessment involve in the banking audit context, and why they matter for both auditors and the businesses being audited.
Internal Controls in Banking — The RBI Framework
The RBI's guidelines on internal controls for banks are anchored in the Basel Committee on Banking Supervision's framework and localised through the RBI's master circulars on fraud risk management, KYC/AML compliance, and the Internal Audit and Inspection functions. For commercial banks, internal controls operate at three levels — the "three lines of defence" model:
First line: Business units and branches — the frontline staff who originate loans, process transactions, and interact with customers. Controls at this level include maker-checker systems for transactions, loan sanction authorities, and KYC verification at account opening.
Second line: Risk management and compliance functions — independent of the business units, responsible for monitoring adherence to policies, regulatory guidelines, and risk appetite. This includes credit risk, market risk, operational risk, and compliance monitoring.
Third line: Internal audit — provides independent assurance to the board and senior management that the first and second lines are functioning effectively. Internal audit in banks is required to be risk-based, meaning audit resources are directed to areas with the highest risk exposure.
Risk Assessment in the Audit Context
Risk assessment is the auditor's process of identifying where material misstatements or compliance failures are most likely to occur. In banking audits, the key risk areas are:
Credit risk: Non-Performing Asset (NPA) identification and provisioning is the highest-risk area in most bank audits. The auditor assesses whether the bank has correctly classified accounts as Standard, Sub-Standard, Doubtful, or Loss in accordance with the RBI's Income Recognition and Asset Classification (IRAC) norms. Under-provisioning — keeping NPAs as standard assets to inflate profits — is the most common form of financial misstatement in bank audits.
Interest income recognition: Interest on NPA accounts must not be recognised on an accrual basis — it is only recognised when actually received. Incorrect accrual of interest on NPAs overstates income and understates provisions simultaneously.
Concurrent audit findings: Concurrent auditors are present at branches on an ongoing basis. Their reports flag transaction-level exceptions — loan disbursements without adequate documentation, cash transactions above threshold limits not reported under FEMA, excess drawings on working capital accounts, and so on. The statutory auditor reviews concurrent audit reports as part of their risk assessment.
Treasury and investment risk: Valuation of the bank's investment portfolio — HTM (Held to Maturity), AFS (Available for Sale), and HFT (Held for Trading) — follows RBI guidelines on marking to market. Incorrect categorisation (keeping underperforming securities in HTM to avoid MTM losses) is an audit risk area.
Why This Matters for Businesses Borrowing from Banks
For a business that has working capital loans or term loans from a bank, the bank's internal audit and risk assessment functions directly affect the credit relationship. When a bank's internal auditor or credit audit team reviews a borrower's account, they look at:
- Whether the borrower is using the facility for the declared purpose (end-use verification)
- Whether stock statements submitted to the bank match GST filings and financial statements
- Whether the drawing power has been correctly computed
- Whether there are any signs of financial stress — slowing receivables, deteriorating margins, increasing creditor days
A business whose books are accurate, whose stock audit reports are timely, and whose financial statements are professionally prepared will navigate bank credit audits without friction. A business with inconsistent records (stock statements that do not match GST returns, financials that are months behind, or TDS defaults visible in Form 26AS) will face questions, facility freezes, or a downgrade in credit classification.
Internal Controls for Businesses — The Audit Preparation Angle
For businesses subject to statutory audit (companies, firms above the tax audit threshold), the auditor is required under SA 315 to understand and document the entity's internal controls as part of the risk assessment process. Strong internal controls reduce the auditor's assessed risk and, consequently, the extent of detailed testing required. Weak controls lead to more extensive substantive procedures, longer audit timelines, and a greater likelihood of audit qualifications.
The minimum internal control framework a business should have in place before statutory audit is: a documented authorisation matrix for expenditures and payments, bank reconciliations done monthly, a fixed asset register maintained and verified annually, and clear segregation between the person raising purchase orders, the person approving payments, and the person recording transactions.
Regi Tom Antony And Associates conducts statutory audits, concurrent audits, internal audits, and stock audits for businesses and financial institutions across Kerala. Contact: letstalk@rtaandassociates.com | Kakkanad, Kochi.
21 Nov 2025