Addressing Annual Audit Observations

During the statutory annual audit, the auditor examines the adviser’s books, client records, compliance systems and internal controls. Any deviation from SEBI (Investment Advisers) Regulations, 2011 or from the adviser’s own policies is recorded as an audit observation.

Observations can be minor (e.g., missing signatures) or material (e.g., breach of suitability norms). Each observation is assigned a unique reference number, a risk rating, and a deadline for remediation as stipulated by the auditor’s report.

For the NISM exam, remember that audit observations are distinct from regulatory penalties. An observation signals a deficiency that must be corrected; a penalty is a monetary sanction imposed after a violation is confirmed.

• Observation – a finding that requires corrective action.
• Penalty – a financial or other sanction imposed by SEBI.

SEBI’s Investment Advisers Regulations, 2011 mandate that advisers maintain proper books, conduct periodic internal audits and act on external audit observations within the stipulated time‑frame. Failure to do so may attract a notice under Section 11(1) and possible suspension under Section 15.

The NISM Code of Conduct further requires advisers to act with "integrity, competence and diligence". Promptly addressing audit observations demonstrates compliance with this ethical standard.

In the exam, a question may ask which regulation obliges the adviser to submit a remedial action plan. The correct answer is the SEBI (Investment Advisers) Regulations, not the Companies Act.

Step 1 – Receipt and Acknowledgement: Upon receiving the auditor’s report, the compliance officer logs each observation in a central register and acknowledges receipt to the auditor within five business days.

Step 2 – Root‑Cause Analysis: A cross‑functional team (compliance, operations, finance) analyses why the deficiency occurred, documenting the cause, impact and risk rating.

Step 3 – Action Plan Development: The team drafts a remedial action plan (RAP) detailing corrective steps, responsible persons, resources required and a realistic deadline, usually not exceeding the auditor’s stipulated period.

Step 4 – Implementation and Monitoring: The RAP is executed, with weekly status updates captured in the register. Any deviation from the plan triggers a revised timeline approved by senior management.

Step 5 – Closure Reporting: Once remedial steps are complete, evidence (e.g., revised SOPs, screenshots) is compiled and submitted to the auditor for sign‑off. The register is updated to reflect the closure date.

Observations are prioritized based on their risk rating (High, Medium, Low). High‑risk items—such as breaches of client suitability or KYC lapses—must be closed within 30 days, whereas low‑risk items may have up to 90 days.

The auditor’s deadline is the maximum allowable period. Advisers should aim to close earlier to demonstrate proactive compliance. Delays beyond the deadline must be justified in writing to SEBI, and repeated delays can affect the adviser’s ethical rating.

Exam candidates should remember the typical time‑frames: 30 days for high, 60 days for medium, and 90 days for low risk. Questions may present a scenario and ask for the correct deadline; choose the one matching the risk rating.

All remediation activities must be documented in the Audit Observation Register. The register should capture observation ID, description, risk rating, action plan, responsible officer, start date, target date, actual closure date and supporting evidence.

Supporting evidence includes revised SOPs, system screenshots, client communication logs, and sign‑off sheets. SEBI expects these records to be retained for a minimum of five years from the date of closure.

During the exam, a question may ask which document proves closure of an observation. The correct answer is the "Signed closure evidence" filed in the observation register.

Effective communication is vital at three levels: internal teams, clients and regulators. Internally, the compliance head circulates the RAP and weekly status to ensure accountability.

Clients may be informed if an observation affects their portfolio or advisory recommendations. Transparency builds trust and aligns with the NISM ethical principle of "fair dealing".

Regulators (SEBI) are notified only if the observation is material and remains unresolved beyond the deadline. The notification must include reasons for delay and a revised action plan. Exam questions may test the sequence of these communications.

SEBI assigns an ethical rating to advisers based on compliance history. Unresolved audit observations lower the rating, leading to increased scrutiny and potential restrictions on advisory activities.

A high Observation Closure Rate (above 90 %) positively influences the rating, signalling robust internal controls. Conversely, repeated delays trigger a "non‑compliant" tag in the SEBI portal.

For the exam, remember the direct link: Timely closure → Better ethical rating → Fewer regulatory interventions.

Before answering any audit‑related question, verify three things: (1) the risk rating of the observation, (2) the regulator‑mandated deadline, and (3) the evidence required for closure.

Use the mnemonic "RDE" – Risk, Deadline, Evidence – to recall the key components quickly.

Typical MCQ traps include swapping the deadline for high‑risk (30 days) with that for medium‑risk (60 days) and overlooking the need for signed evidence. Keep the formula for Observation Closure Rate handy; a question may ask you to compute it from given numbers.