NBFCs Audit Aspects and Post Companies Act 2013 scenario · PDF fileNBFCs –Audit Aspects...

NBFCs – Audit Aspects and Post Companies Act 2013 scenario

BCAS

JOLLY BHAVAN

26TH SEPTEMBER, 2014

Zubin F. Billimoria

CONTENTS

• Audit Aspects

• Post Companies Act, 2013 scenario

Audit Aspects

• Classification

• Key Regulatory Aspects

• Key Operational Aspects

• Key Internal Control Aspects

• Applicability and Relevance of specificStandards of Auditing (SAs)

Classification

• Asset Finance Companies• Loan Companies• Investment Companies• Infrastructure Finance Companies• Micro Finance Institutions• Core Investment Companies• Mortgage Guarantee Companies• Infrastructure Debt Fund Companies• Factoring Companies• Non Operative Holding Finance CompaniesIdentification relevant from the point of view of SA-315

Key Regulatory Aspects

• Registration• Capital Adequacy Norms• Norms for Public Deposits• Credit Rating• Liquid Assets• IRAC and Provisioning norms• Lending Restrictions• ALM framework• Reserve FundIdentification relevant from the point of view of SA-315

Key Operational Aspects

• Key business cycles

- Financing

- Borrowing

- Investments / Treasury

Identification relevant from the point of viewof SA-315 and 330

Financing Business Cycle

• Asset based funding – wholesale and retail(vehicles, plant and machinery, consumerdurables, mortgage loans)

• Cash flow based and funding (billsdiscounting, personal loans, ICDs)

Borrowings Business Cycle

• Public Deposits

• Bank Financing

• ICDs

• Debentures

• Money Market Instruments

• Securitisation

Key Internal Control Aspects

• Entity Level Controls

• Risk Mitigation and Management

• Cash / Collection Management

• Receivables / NPA Management

• Investment Management

• Management Override of Controls

• Financial Closing and Reporting process

Identification relevant from the point of view ofSA-315 and 330

Relevance of certain specific SAs to NBFCs

• SA- 230 : Audit Documentation• SA-240 : Auditor’s Responsibilities Relating to Fraud in an

Audit of Financial Statements• SA-250: Consideration of Laws and Regulations in an Audit

of Financial Statements• SA-260 / 265: Communicating (including Deficiencies in

Internal Control) to Those Charged with Governance• SA-315 / 330: Identifying and Assessing the Risk of

Material Misstatement through Understanding the Entityand its Environment and Auditor’s Responses to theAssessed Risks

The above is not an exhaustive list of all SAs which areapplicable

SA-230: Audit Documentation

• Updated and relevant permanent file is ofparamount importance in view of dynamiclegal and regulatory requirements

• Documentation of control and substantiveprocedures to comply with the specificregulatory, operational and control aspectsdiscussed earlier. (Discussion on specificaspects discussed in subsequent slides)

SA-240 : Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

Characteristics of Fraud

• Nature of business makes them moresusceptible to fraud

• Booking of fictitious loans to earn moreincentives

• Collusion with DSAs

• Non adherence to KYC / AML guidelines

SA-240 : Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

• Adherence to the RBI Master Circular dated 1st July, 2014 on FraudsMonitoring:

• Classification of Frauds Misappropriation and criminal breach of trust Fraudulent encashment through forged instruments, manipulation of

books of account or through fictitious accounts and conversion of property Unauthorized credit facilities extended for reward or for illegal

gratification. Negligence and cash shortages Cheating and forgery Irregularities in foreign exchange transactions Any other type of fraud not coming under the specific heads as above.• Reporting of Frauds coupled with Quarterly and Annual Reporting• Direct reporting responsibilities to RBI in case of serious irregularities

SA-240 : Auditor’s Responsibilities Relating to Fraud in

an Audit of Financial Statements

Professional Skepticism• Relevant whilst sanctioning and disbursement of big ticket loans• Obtaining project reports / valuation reports from independent

sources directly• Controls over generation of information for determining loan loss

provisioningDiscussion amongst engagement team• Dissemination of information based on review of fraud returns

submitted to the RBI by experienced engagement team members• Dissemination of information based on inside information, news

reports etc.• Applying an element of unpredictability whilst verifying assets

secured, selecting locations for cash verification etc.

SA-250: Consideration of Laws and Regulations in an Audit of Financial Statements

Non compliance with laws and regulations whichmaterially affect the financial statements• Disclosures in the financial statements laid down by

the RBI (CRAR, Direct and Indirect Exposure to RealEstate Sector, Maturity Pattern of Assets andLiabilities)

• Conducting the business including licencing andregistration requirements – Going Concernimplications

• Operating aspects of the business (Provisioning,Valuation, Capital adequacy, Deposit acceptance etc.) –Financial consequences like fines , penalties etc.


Non compliance is primarily the responsibility ofthe Management• Laying down appropriate operating procedures

and systems including internal controls especiallyto capture information for monitoring, reportingand recording compliances with the keyoperational and control aspects discussed earlier

• Framing a code of conduct / fair practices code• Compliance with specific Corporate Governance

guidelines like constitution of Audit, Nominationand Risk Management Committee


Auditor’s Considerations and Responsibilities• Review of the minutes and various regulatory returns and

their timely submission• Review of the RBI inspection reports and other similar

correspondence• Non compliance with licencing / registration conditions –

Going Concern issues• Reporting to Management and Those Charged with

Governance• Specific reporting aspects under the NBFC (Auditor’s Report

Directions)• Direct reporting to the RBI in case of serious irregularities

SA-260 / 265: Communicating (including Deficiencies in Internal Control) to Those Charged with

Governance (TCWG)

• Specific responsibility to report to the Boardon matters specified in the NBFC (Auditor’sReport Directions) (see next slide)

• In case of any non compliance directresponsibility to also report to the RBI prior towhich / simultaneously need to keep TCWGalso informed

SA-260 / 265: Communicating (including Deficiencies in Internal Control) to Those Charged with Governance (TCWG)

Matters to be included in the Auditor’s report

• The auditor’s report on the accounts of a non-banking financial company shall include a statementon the following matters, namely:

• (A) In the case of all Non-Banking Financial Companies• I. Whether the company is engaged in the business of non-banking financial institution and

whether it has obtained a Certificate of Registration (CoR) from the Bank• II. In the case of a company holding CoR issued by the Bank, whether that company is entitled to

continue to hold such CoR in terms of its asset/income pattern as on March 31 of the applicableyear.

• III. Based on the criteria set forth by the Bank in Company Circular No. DNBS.PD. CC No. 85 /03.02.089 /2006-07 dated December 6, 2006 for classification of NBFCs as Asset Finance Company(AFC), whether the non-banking financial company has been correctly classified as AFC as definedin Non-Banking Financial Companies Acceptance of Public Deposits (Reserve Bank) Directions, 1998with reference to the business carried on by it during the applicable financial year.

• IV. Based on the criteria set forth by the Bank in the Notification viz. Non-Banking FinancialCompany- Micro Finance Institutions (Reserve Bank) Directions, 2011 dated December 02, 2011 forclassification of NBFCs as NBFC-MFIs, whether the non-banking financial company has beencorrectly classified as NBFC-MFI as defined in the said Directions with reference to the businesscarried on by it during the applicable financial year.]

http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=3200&Mode=0







































In case of a non-banking financial company accepting/holding public deposits• Apart from the matters enumerated in (A) above, the auditor shall include a statement on

the following matters, namely:-• (i) Whether the public deposits accepted by the company together with other borrowings

indicated below viz.• (a) from public by issue of unsecured non-convertible debentures/bonds;• (b) from its shareholders (if it is a public limited company); and• (c) which are not excluded from the definition of ‘public deposit’ in the Non-Banking

Financial Companies Acceptance of Public Deposits (Reserve Bank) Directions, 1998,arewithin the limits admissible to the company as per the provisions of the Non-BankingFinancial Companies Acceptance of Public Deposits (Reserve Bank) Directions, 1998;

• (ii) Whether the public deposits held by the company in excess of the quantum of suchdeposits permissible to it under the provisions of Non-Banking Financial CompaniesAcceptance of Public Deposits (Reserve Bank) Directions, 1998 are regularised in the mannerprovided in the said Directions;

• (iii) Whether an Asset Finance Company having Capital to Risk Assets Ratio (CRAR) less than15% or an Investment Company or a Loan Company as defined in paragraph 2(1)(ia), (vi) and(viii) respectively of Non-Banking Financial Companies Acceptance of Public Deposits(Reserve Bank) Directions, 1998 is accepting "public deposit” without minimum investmentgrade credit rating from an approved credit rating agency;


• (iv) In respect of NBFCs referred to in clause (iii) above,

• whether the credit rating, for each of the fixed deposits schemes that has been assigned byone of the Credit Rating Agencies listed in Non-Banking Financial Companies Acceptance ofPublic Deposits (Reserve Bank) Directions, 1998 is in force; and

• whether the aggregate amount of deposits outstanding as at any point during the year hasexceeded the limit specified by the such Credit Rating Agency;

• (v) In case of NBFCs having Net Owned Funds of Rs 25 lakh and above but less than Rs 200lakhs, whether the public deposit held by the companies is in excess of the quantum of suchdeposit permissible to it in terms of Notification No. DNBS. 199/CGM (PK) - 2008 dated June17, 2008 and whether such company :

• (a) has frozen its level of deposits as on the date of that Notification; or

• (b) has brought down its level of deposits to the level of revised ceiling of deposits in terms ofthat Notification.

• (vi) Whether the company has defaulted in paying to its depositors the interest and /orprincipal amount of the deposits after such interest and/or principal became due;


• (vii) Whether the company has complied with the prudential norms on income recognition, accounting standards,asset classification, provisioning for bad and doubtful debts, and concentration of credit/investments as specifiedin the Directions issued by the Reserve Bank of India in terms of the Non-Banking Financial (Deposit Accepting orHolding) Companies Prudential Norms (Reserve Bank) Directions, 2007.

• (viii) Whether the capital adequacy ratio as disclosed in the return submitted to the Bank in terms of the Non-Banking Financial (Deposit Accepting or Holding) Companies Prudential Norms (Reserve Bank) Directions, 2007has been correctly determined and whether such ratio is in compliance with the minimum CRAR prescribedtherein;

• (ix) Whether the company has complied with the liquid assets requirement as prescribed by the Bank in exerciseof powers under section 45-IB of the RBI Act and whether the details of the designated bank in which theapproved securities are held is communicated to the office concerned of the Bank in terms of NotificationNo.DNBS.172/CGM(OPA)-2003 dated July 31, 2003;

• (x) Whether the company has furnished to the Bank within the stipulated period the return on deposits asspecified in the NBS 1 to the Non-Banking Financial Companies Acceptance of Public Deposits (Reserve Bank)Directions, 1998;

• (xi) Whether the company has furnished to the Bank within the stipulated period the half-yearly return onprudential norms as specified in the Non-Banking Financial (Deposit Accepting or Holding) Companies PrudentialNorms (Reserve Bank) Directions, 2007;

• (xii) Whether, in the case of opening of new branches or offices to collect deposits or in the case of closure ofexisting branches/offices or in the case of appointment of agent, the company has complied with therequirements contained in the Non-Banking Financial Companies Acceptance of Public Deposits (Reserve Bank)Directions, 1998.


(C) In the case of a non-banking financial company not accepting public deposits• Apart from the aspects enumerated in (A) above, the auditor shall include a statement on the

following matters, namely: -• (i) Whether the Board of Directors has passed a resolution for non- acceptance of any public

deposits;• (ii) Whether the company has accepted any public deposits during the relevant period/year;• (iii) Whether the company has complied with the prudential norms relating to income recognition,

accounting standards, asset classification and provisioning for bad and doubtful debts as applicableto it in terms of Non-Banking Financial (Non- Deposit Accepting or Holding) Companies PrudentialNorms (Reserve Bank) Directions, 2007;

• (iv) In respect of Systemically Important Non-deposit taking NBFCs as defined in paragraph 2(1)(xix)of the Non-Banking Financial (Non- Deposit Accepting or Holding) Companies Prudential Norms(Reserve Bank) Directions, 2007:

• (a) Whether the capital adequacy ratio as disclosed in the return submitted to the Bank in formNBS- 7, has been correctly arrived at and whether such ratio is in compliance with the minimumCRAR prescribed by the Bank;

• (b) Whether the company has furnished to the Bank the annual statement of capital funds, riskassets/exposures and risk asset ratio (NBS-7) within the stipulated period.


• Deficiency in Internal Control- A control is designed, implemented or operated in such a way that

it is unable to prevent, detect and correct misstatements on a timelybasis

- A control necessary to prevent or detect and correctmisstatements on a timely basis is missing(Communication to an appropriate level of Management on a timelybasis would be sufficient- Letter of Weakness , Management Letteretc.)• Significant deficiency in Internal Control

- Deficiency or combination of deficiencies in internal control thatbased on professional judgment are of sufficient importance to meritattention to TCWGIdentification relevant from the point of view of SA-315 and SA -330


Adequacy of Entity Level Controls• Constitution of an Audit Committee (asset size of > Rs. 50

crores or Deposits >Rs. 20 crores)• Constitution of a Nomination Committee to evaluate “fit

and proper” criteria (Deposits > Rs. 20 crores and SI NBFCs)• Constitution of an Asset Liability Management Committee

together with a Risk Management Committee to ensure anIntegrated Risk Management framework (asset size of > Rs.100 crores or Deposits >Rs. 20 crores)

• Framing of and adherence to the Fair Practices code interms of the RBI guidelines (deals with Loan applicationsand processing, recoveries, Grievance Redressal Officer,recoveries etc.)


Adequacy of Entity Level Controls (contd.)

• Review of budgets and incentive plans to checkwhether they are realistic or put undue pressure

• Adequate training provided to employees and DSAs onselling skills, regulatory requirements and IT SYSTEMSon induction and periodically

• Adequacy and appropriateness of the Approval Matrix

• Adequacy of the Internal Audit charter / scope

Identification relevant from the point of view of SA-315and SA -320


Risk Mitigation and Management• Deficiencies in the credit appraisal and evaluation process at the micro

and macro level (specific aspects relating to Loans against Gold Jewellery,adherence to KYC guidelines etc.)

• Non adherence to the interest rate guidelines at the individual level anddeficiencies in the interest rate policy vis a vis the maturity profile etc.

• Non adherence to the credit concentration and exposure norms at theindividual and group level

• Irregular monitoring of securities held against advances exposing the NBFCto price risks

• Non adherence to the KYC guidelines• Adequacy and appropriateness of the hedging policy to mitigate exchange

fluctuation / currency risks• Methodology for determining the base rateIdentification relevant from the point of view of SA-315 and SA -320


Controls over Cash / Collections Management• Timely banking and recording of PDCs• Monitoring the reversal of bounced cheques• Timely preparation and adequate review / follow up of

bank reconciliations• Adequate IT / SYSTEM controls to enable seamless

transfer of funds electronically• Controls over cash collections in rural areas• Adequacy of insurance for cash in transitIdentification relevant from the point of view of SA-315and SA -320


Receivables / NPA Management• Accurate and timely generation of overdue reports• Procedures for follow up of overdues• Adequacy of IT / SYSTEM controls• Timely initiation of legal proceedings• Adherence to the guidelines for restructuring of advances

including those under the CDR mechinism – Ensure that it isnot a tool for avoiding provisions

• Whether to take cognisance of subsequent receipts?• Identify cases of “evergreening”Identification relevant from the point of view of SA-315 andSA -320


Investment Management• Investment policy needs to be in line with RBI

guidelines (Classification, valuation, transfer,transactions in government securities through CSGLaccount etc.)

• Specific requirements for Core Investment Companies• Controls over timely recording of deals, accrual and

receipt of interest etc.• Policy for determining provisioning for diminution

other than temporaryIdentification relevant from the point of view of SA-315and SA -320


Financial Closing and Reporting Process(includingManagement Override of Controls)• Controls over uploading from sub-systems to the main

system• Controls over closing entries especially those involving

estimation (provisioning, valuation, revaluation,impairment etc.)

• Controls over identification of changes in regulatoryrequirements / processes having an impact onaccounting / reporting and disclosures

Identification relevant from the point of view of SA-315and SA -320

SA-315 / 330: Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment and Auditor’s

Responses to the Assessed Risks

Understanding the entity and its Environment• Classification• Key regulatory aspects• Key Operational aspects / business cycles• Understanding the Internal Controls (Process designed,

implemented and maintained by TCWG, management and others toprovide reasonable assurance about the achievement of an entity’sobjectives with regard to reliability of financial reporting,effectiveness and efficiency of operations, safeguarding of assetsand compliance with applicable laws and regulations)

• Understanding the IT Controls – General and Business process(covers controls over the source data, report parameters / changemanagement process and report logic)



Identification and assessment of ROMMs andresponses thereto

• Needs to be done for ELCs , FCRP and all keybusiness cycles identified earlier

• Identification of ROMM (“what could gowrong”)– Identify the “control” (“review typeor “direct and specific”)– identify RAWC

• RAWC is higher if it addresses a significantrisk



Significant risk:• Control activity is non routine• Whether identified as a fraud risk• Control is a review type control or requires judgement• Significant changes in the nature and volume of transactions which might

adversely affect the design and operating effectiveness of the control• Whether the account has a history of errors (i.e. OE not effective or

significant misstatement observed in the past)• Effectiveness of ELCs that monitor control are not effective• Whether the control operates less frequently• Whether the control is performed by incompetent persons or there is a

change in the key personnel performing the controls• Whether the control is manual or complex in natureA yes answer to one or more of the above questions would generally implythat there is a significant risk



Based on the above assessment the following aregenerally the common significant ROMMs forNBFCs

• Revenue recognition (presumed fraud risk)

• Provisioning for NPAs

• Assessing provisions for diminution in value ofinvestments especially for unquoted investments

• Valuation of derivatives and other financialinstruments



Responses to the Assessed Risks• Maintaining professional skepticism• Assigning experienced staff• Providing more supervision• Incorporating unpredictability• Control Testing – Design and Implementation

and Operating Effectiveness - Inquiry,Observation, Inspection and Reperformance

• Substantive procedures – Analytical Proceduresand Test of Details

Post Companies Act, 2013 Scenario

• Raising of Funds[sections 2(30), 42, 62 and71]

• Related party transactions [section 2(76),2(77) and 188]

• Internal Financial Reporting Controls [Section134(5)(e) and Section 143(3)(i)]

• Depreciation

• CSR Obligations (Section 135)

Raising of Funds[sections 2(30), 42, and 71]

• Definition of Debenture

• Private Placements Regulated

• Creation of charge on specific assets for issueof debentures

Definition of Debenture [Section 2(30)]

• Section 2(30) “Debenture includes debenturestock, bonds or any other instrument of acompany evidencing a debt, whether constitutinga charge on the assets of the company or not”

• 1956 act did not refer to any other instrument

• Not clear whether commercial paper would becovered since it is not a security under theSecurities (Contracts Regulation) Act but amoney market instrument under the NegotiableInstruments Act?

Private Placements Regulated (section 42)

• Private placements not covered under the 1956 act• Private placement means any offer of securities or invitation to subscribe securities by a company which satisfies

the following conditions:i. It is made to a select group of personsii. It is other than by way of public offeriii. It is through the issue of a private placement letter accompanied by a serially numbered application form

addressed to specified persons and through normal banking channels with allotment being made within 60days or else refund within 15 days failure of which will result in interest to be payable

iv. Moneys received to be kept in a separate bank accountv. Record to be maintained and details to be filed with the ROC including a return of allotmentvi. The offer / invitation in a financial year is not made to more than 200 persons (excluding QIBs and ESOPs to

employees) which is to be reckoned individually for each kind (not applicable to NBFCs which comply with theRBI guidelines - mainly relevant for subordinated / perpetual debt for CRR purposes)

vii. The value of such offer per person shall not be less than Rs. 20,000 FV (not applicable to NBFCs which complywith the RBI guidelines - mainly relevant for subordinated / perpetual debt for CRR purposes)

viii. Prior special resolution needs to be passed for each offer or invitation except for NCDs where the same can bepassed once in a year

ix. No fresh offer / invitation unless allotments with respect to the earlier offer / invitation are completed orwithdrawn / abandoned

• Guidelines made more stringent• Fall out of the judgement of the Honourable Supreme Court in the Sahara case the primary ruling being that the

limit of 49 earlier laid down cannot be circumvented by approaching groups of 49 at a time

Creation of charge on specific assets for issue of debentures

• Secured debentures to be issued subject to certainconditions as under(absent under the 1956 Act):

i. Redemption period of 10 years (30 years for infraproject companies – not clear whether applies tocompanies engaged in financing infra projects)

ii. Creation of charge shall be on specific movable andimmovable properties or assets of sufficient value-fixed charge on present and future assets andfloating charge is not permissible

• This would lead to challenges for NBFCs whereby itwould be difficult to identify specific loans in thesecurity document

Related party transactions [section 2(76), 2(77) and 188]

As per Section 2(76) Related party with reference to a company, means:• A director or his relative;• A key managerial personnel (‘KMP’) or his relative;• A firm, in which a director, manager or his relative is a partner;• A private company in which a director or manager [or his relative] is a member ordirector;• A public company in which a director or manager is a director and holds along withhis relatives, more than two per cent of its paid up share capital;• Any body corporate whose board of directors, managing director or manager isaccustomed to act in accordance with the advice, directions or instructions of adirector or manager (other than those provided in a professional capacity);• Any person on whose advice, directions or instructions a director or manager isaccustomed to act (other than those provided in a professional capacity);• Any company which is: • ― a holding, subsidiary or an associate company of such company; or • ― a subsidiary of a holding company to which it is also a subsidiary; • A director or KMP of the holding company of such company or his relative.


As per Section 2(77) read with Rule 4 of Companies (Specification ofDefinitions Details) Rules, 2014 ,Relative with reference to a personmeans:• Members of a Hindu Undivided Family;• Husband and wife;• Father (including step father);• Mother (including step mother);• Son (including step son);• Son’s wife;• Daughter;• Daughter’s husband;• Brother (including step brother);• Sister (including step sister).


Challenges for NBFCs• Tracking details especially for entities involved in retail

lending and accepting public deposits• IT systems need to be updated• Approval by audit committee especially for listed

companies in terms of Clause 49• Disclosure in the Board Report even if transactions are

in the ordinary course of business but are material(materiality not defined- guidance from AS-18 orClause 49)

• Documentation to justify arm’s length

Internal Financial Reporting Controls [Section 134(5)(e) and Section 143(3)(i)]

• Internal Financial Controls means policies andprocedures adopted by the company forensuring orderly and efficient conduct of thebusiness, including adherence to thecompany’s policies, safeguarding of assets,the prevention and detection of frauds anderrors, the accuracy and completeness ofaccounting records and timely preparation ofreliable financial information [Explanation tosection 134(5)(e)]

Internal Financial Reporting Controls [Section 134(5)(e) and Section 143(3)(i)]

• Disconnect between the Act and the Rules regardingcompanies covered

• Onerous responsibilities placed on the Managementand Auditors (both internal and external)

• Rigours seem to be more onerous than the SOXreporting requirements since operating controls arealso covered

• SOPs need to be realigned / prepared to documentspecific controls and align them with the risks –distinction between a process and a control needs tobe understood

Depreciation • Significant increase in rate of depreciation of commonly used

assets by NBFCs as compared to Schedule XIV rates underthe 1956 Act

• Impact on profitability and distributable surplus

• IT systems would need to be realigned

47

Nature of asset - illustrative

The Companies Act,

2013 The

Companies

Act, 1956

Increase % change

Useful Life Deemed

rate

General Plant and Machinery other

than continuous process plant 15 6.33% 4.75% 1.58% 33.33%

General furniture and fittings 10 9.50% 6.33% 3.17% 50.08%

Office equipment 5 19.00% 4.75% 14.25% 300.00%

Desktops, laptops, etc. 3 31.67% 16.21% 15.46% 95.35%

Electrical Installations and Equipment 10 9.50% 4.75% 4.75% 100.00%

CSR Obligations (Section 135)

• More formalised monitoring

• Specific procedural compliances

• May need to shift focus from existing avenuesto ensure compliance with specificrequirements

• Impact on profitability , taxation anddistributable surplus

Questions????

NBFCs Audit Aspects and Post Companies Act 2013 scenario · PDF fileNBFCs –Audit Aspects...

Documents

Transcript of NBFCs Audit Aspects and Post Companies Act 2013 scenario · PDF fileNBFCs –Audit Aspects...