MYCPE ONE insights

Regulator Flags Audit Deficiencies at PwC, KPMG, EY and BDO Affiliates

23 MAR 2026 / ACCOUNTING & TAXES

Audit quality is like oxygen in financial markets. Nobody talks about it when it’s there. Everyone panics when it’s missing. That’s where India’s audit ecosystem finds itself right now. NFRA’s latest inspection reports have pulled back the curtain on audit work across PwC, EY, KPMG, and BDO-linked firms. No fraud allegations. No headline-grabbing scandal. Just something more uncomfortable: repeated cracks in independence, documentation, and risk evaluation. And if you’ve spent enough time in audit rooms, you know this isn’t small stuff. This is where opinions start to wobble.

Did the audit file forget to show its work?

Let’s start with what NFRA actually found, because the pattern matters more than any single issue. Across multiple firms, the regulator flagged weak audit documentation, incomplete evaluation of related-party transactions, and gaps in testing key areas like impairment and investments. In some cases, audit files did not clearly show how conclusions were reached. That’s not a technical miss, that’s a credibility problem. Think about a typical engagement. A client has intercompany loans, layered subsidiaries, and some gray-area transactions. The audit team “gets comfortable” with management explanations. But when a regulator asks, “Show me the evidence,” the file doesn’t fully back it up. That’s exactly the kind of situation NFRA is calling out.

In PwC-linked firms, issues included independence breaches involving partners and insufficient evaluation of loans to subsidiaries, especially whether they were at arm’s length. There were also gaps in assessing the impact of external risks, like investigations.

  • EY’s SRBC & Co. had independence policies on paper, but NFRA questioned whether those policies were actually enforced consistently across engagements.
  • BDO affiliate MSKA & Associates faced criticism for weak controls over non-audit services and post-sign-off changes to audit reports without proper re-approval.
  • KPMG-linked BSR came out relatively stronger, but still got nudged to tighten non-audit acceptance policies and improve root-cause analysis.

Different firms, same theme. The work may have been done, but the file didn’t always prove it.

Rulebook or Real Thing?

If there’s one area where regulators don’t play around, it’s independence. NFRA flagged partner-level independence breaches, weak monitoring systems, and blurred lines between audit and non-audit services. That’s a big deal, because once independence looks shaky, everything else starts to feel a little off. Here’s the real tension. Clients want integrated services. Firms want to retain relationships. Global networks want consistency. Regulators want clean separation. Something has to give.

We’re now seeing firms move toward tighter restrictions on non-audit services, especially for listed clients. Some are already shifting toward a cleaner audit-only model. That means fewer gray zones, fewer “this should be fine” calls, and more centralized approvals. Partner-level controls are also getting stricter. Financial interests, relationships, even indirect exposures are being scrutinized more closely. Pre-clearance processes are expanding, and independence checks are becoming less of a formality and more of a real gatekeeper. Because let’s be honest, independence isn’t just about being independent. It’s about looking independent when someone else reviews your file six months later.

So, how are firms fixing this mess?

To their credit, these firms are not sitting still. The response has been firm-wide and pretty structured. Think policy updates, tighter controls, more training, and heavier monitoring.

  • PwC-linked firms are tightening partner independence checks, improving HR verification processes, and raising the bar on documentation for impairment, related-party loans, and going-concern assessments.
  • BDO’s MSKA is strengthening network-wide controls over non-audit services and enforcing stricter re-sign-off requirements when audit reports are modified after issuance.
  • EY’s SRBC is focusing on better monitoring of independence policies and upgrading training systems to ensure consistency across teams.
  • KPMG’s BSR is sharpening rules on non-audit work for recently audited clients and expanding its root-cause analysis framework to prevent repeat issues.

Across the board, firms are leaning into what regulators like to see: stronger audit trails, clearer documentation, and systems that actually work in practice. It’s less about rewriting policies and more about proving those policies hold up under inspection.

What should audit professionals actually take from this?

This isn’t just about India. The same pressure is building globally, whether it’s the PCAOB in the U.S., the FRC in the UK, or NFRA here. Regulators are asking the same question everywhere: Can you prove what you did? And that changes how professionals need to think. Documentation is not admin work. It’s your defense file.

  • If you conclude a related-party transaction is at arm’s length, show the benchmarking.
  • If you rely on management’s assumptions, document why they hold up.
  • If independence looks clean, prove the checks were done, not just assumed.

Here’s a real-world example. A U.S. CPA firm audits a mid-sized group with multiple subsidiaries. Loans move between entities, and pricing looks “reasonable.” The team signs off comfortably. Months later, a regulator asks for evidence supporting arm’s-length pricing. If the file doesn’t show the analysis clearly, the conclusion doesn’t matter anymore. That’s the shift we’re seeing. Also, internal systems matter more than ever. Independence databases, review layers, consultation processes, and root-cause analysis frameworks are no longer background infrastructure. They are front-line defense.

Where does this go from here?

NFRA has positioned these inspections as early feedback, not punishment. That’s the present. The future depends on whether firms actually fix the root causes or just patch the surface. If the same deficiencies show up again, the tone will change. Regulators tend to move from guidance to enforcement pretty quickly when patterns repeat. For now, the message is clear. Clean up independence. Tighten documentation. Strengthen internal controls. And make sure the audit file tells the full story without anyone needing to fill in the blanks. Because in audit, if the file can’t prove it, it didn’t happen. And nobody wants to explain that in front of a regulator.

Until next time…
