The most over-read page of any annual report is the one with the numbers on it. The least-read is the one that decides whether those numbers mean anything: the auditor’s report, and the small block of type at the foot of it where a firm name, a partner’s name, a membership number, a firm registration number, a place, and a date are set down. A Western reader trained on a 10-K skims past this. The audit opinion is, after all, almost always clean; the signature is almost always a name they half-recognise; the whole apparatus reads as a formality discharged.
In India this instinct is wrong, and expensively so. The signature block at the foot of an Indian audit report encodes more regulated information per square inch than almost anywhere else in the listed world. It tells you which global network actually stands behind the audit, even though the global network’s name appears nowhere. It tells you where the firm sits on a statutory rotation clock that the United States considered and rejected. It tells you whether a second firm signed alongside the first. And — since 2018, and only since 2018 — it tells you the name of an institution that a public, searchable regulator can inspect, fine, and debar, in a way that simply was not possible in India for the seventy years before.
This letter is about that apparatus: who audits the auditors in India, how that machinery differs from the British and American versions a global reader carries in their head, and why the differences are not cosmetic. The audit is the load-bearing wall of the disclosure system. If you do not know how it is supervised, you do not know how much weight the financial statements can take.
Two regulators, and a seventy-year gap between them
For most of independent India’s history there was exactly one body standing over the auditing profession, and it was the profession itself. The Institute of Chartered Accountants of India (ICAI), constituted under the Chartered Accountants Act, 1949, is one of the oldest and largest professional accountancy bodies in the world, with something approaching four hundred thousand members. It writes the examinations, awards the qualification, sets the Standards on Auditing, runs the disciplinary machinery, and — this is the part that matters — did all of this as a self-regulator. The auditors were policed by a body elected by auditors. For routine quality this is unremarkable; nearly every country began this way. The problem is what self-regulation does under stress, when the firm under scrutiny is large, the failure is systemic, and the regulator’s own electorate is the population being judged.
India’s stress test was the collapse of Infrastructure Leasing & Financial Services — the IL&FS group — in 2018. A sprawling, systemically connected infrastructure financier defaulted on its obligations with debts north of ₹90,000 crore, having reported health right up to the edge of the cliff. The audits became a national question. And the answer the state reached for had, in fact, already been written into the law five years earlier and left dormant. Section 132 of the Companies Act, 2013 had provided for a National Financial Reporting Authority — an independent audit regulator, separate from the profession — but it had never been operationalised. In the wake of IL&FS, in October 2018, it was. NFRA went live, and the seventy-year monopoly of professional self-regulation ended for the part of the market that matters most.
The division of labour that resulted is the first thing a global reader must hold in mind, because nothing in the British or American systems maps to it cleanly. NFRA’s jurisdiction is not the whole profession; it is the *Public Interest Entity segment. Under Rule 3 of the NFRA Rules, 2018, NFRA oversees the auditors of all listed companies, plus large unlisted public companies (the thresholds run to net worth or paid-up capital of ₹500 crore, turnover of ₹1,000 crore, or aggregate outstanding loans, debentures and deposits of ₹500 crore), plus banks, insurers and electricity companies, plus anything the Central Government specifically refers to it. Everything below that line — the vast tail of private and smaller public companies — remains with the ICAI. So India runs a two-regulator* system, split by the systemic importance of the audited entity: the independent statutory body for the companies whose failure would hurt the public, the professional body for the rest.
This is closer to the American design than the British one, and India got there faster than Britain. The United States created the Public Company Accounting Oversight Board (PCAOB) in 2002, in the rubble of Enron and the dissolution of Arthur Andersen, precisely to take oversight of public-company audits out of the profession’s hands. India’s NFRA is its analogue, sixteen years later but built on the same insight. Britain, by contrast, still does not have one. The Financial Reporting Council — itself not a statutory regulator in the full sense — was supposed to be replaced by an Audit, Reporting and Governance Authority (ARGA) after the Carillion, BHS and Patisserie Valerie failures laid bare the limits of the old settlement. As of 2026 ARGA still does not exist: the Audit Reform and Corporate Governance Bill has slipped repeatedly, the government has signalled it may rename the body again (to a Corporate Reporting Authority), and the reform has been described candidly as on the backburner. A global reader who instinctively treats the Indian system as the less-developed one has the chronology backwards. On independent audit oversight, Delhi moved years ahead of London.
The surrogate Big Four
Now to the names. Open the audit report of almost any large Indian company and you will not find “EY,” “KPMG,” “PwC” or “Deloitte” on the signature line. You will find S R Batliboi & Co LLP, or SRBC & Co LLP; B S R & Co LLP, or B S R & Associates LLP; Price Waterhouse Chartered Accountants LLP, or Price Waterhouse & Co Chartered Accountants LLP; Deloitte Haskins & Sells LLP. To these you can add Walker Chandiok & Co LLP, the Indian member firm behind Grant Thornton. The global brand is invisible because, as a matter of Indian law, it cannot sign.
The reason is structural and old. Under the Chartered Accountants Act, 1949, only a firm whose partners are all Indian chartered accountants holding a certificate of practice may audit an Indian company. A foreign accounting firm cannot hold the pen. So the global networks operate in India the way they operate in many jurisdictions, but here the gap between brand and signatory is unusually load-bearing: they are present through Indian member, network and affiliate firms that carry the audit appointments, share methodology and quality systems, and connect to the international network through arrangements of branding, referral and revenue that have themselves been litigated. The Supreme Court, in S. Sukumar v. Secretary, Institute of Chartered Accountants of India (2018), examined exactly these multinational-accounting-firm arrangements and directed the Central Government to constitute an expert committee to look into whether they complied with the Act, the foreign-exchange rules, and the ICAI’s own code. The “Big Four in India” is therefore not a marketing simplification a reader can safely make; it is a precise factual claim about a network standing behind a domestically-incorporated firm, and the law has spent years arguing about where one ends and the other begins.
For the practitioner this has a concrete payoff. The audit-quality story of a large Indian company is a Big-Four-network story even though the report never says so, and you can only see it if you can decode the names. When NFRA began publishing audit-quality *inspection reports* of these firms — Price Waterhouse Chartered Accountants LLP, B S R & Co LLP, SRBC & Co LLP, Deloitte Haskins & Sells LLP, Walker Chandiok & Co LLP, and others, across 2024 and 2025 — it was, in substance, inspecting the Indian arms of EY, KPMG, PwC, Deloitte and Grant Thornton, and saying so to anyone who could read the network behind the name. The findings were not trivial: gaps in the monitoring of firm-wide independence, weaknesses in the policies governing acceptance of non-audit work from audit clients, and — in more than one case — insufficient procedures to verify that related-party transactions were genuinely at arm’s length. (That last point connects directly to a theme this letter has treated before: the related-party footnote is where Indian value quietly leaks, and it is precisely where the regulator found the auditors looking least hard.)
The signature at the foot of an Indian audit report encodes more regulated information per square inch than almost anywhere else in the listed world.
THE NORTHPATH LETTER
The statutory architecture the West does not have
The most striking feature of the Indian audit, to a reader raised on the 10-K, is how much of its independence machinery is hard-coded into primary statute rather than left to a regulator’s rulebook or a listing standard. Four provisions of the Companies Act, 2013 are worth knowing by section number.
*Mandatory rotation — Section 139(2). For listed companies and other prescribed classes, an individual auditor may serve a single term of five consecutive years, and an audit firm two terms of five consecutive years — ten years — after which a five-year cooling-off period applies before re-appointment. This is not partner rotation; it is firm* rotation, written into the company law itself. The United States considered and pointedly declined to impose firm rotation: the PCAOB floated the idea in 2011 and abandoned it under congressional and corporate pushback, and the US makes do with rotating the lead and concurring partners every five years. The European Union went the other way, mandating firm rotation for public-interest entities under Regulation 537/2014 — ten years, extendable to twenty with a public retender, or twenty-four with a joint audit. India sits with the EU, not the US, on the single most consequential independence question in auditing: whether the firm itself must eventually go.
*The concentration cap — Section 141(3)(g).* A person or partner cannot be the auditor of more than twenty companies at one time. There is no equivalent hard numerical ceiling in US or UK law. It is a blunt instrument, but it is a deliberate brake on the over-concentration of audit appointments in a few signing partners.
*Prohibited non-audit services — Section 144.* The Act itself blacklists a defined set of services an auditor may not render to its audit client or that client’s holding or subsidiary: book-keeping and accounting, internal audit, design and implementation of financial information systems, actuarial services, investment advisory, investment banking, rendering of outsourced financial services, and management services. The principle — that the auditor cannot audit its own work or sell consulting to the body it polices — exists in the US (Sarbanes-Oxley s201) and the EU (the 70% fee cap and prohibited-services list), but in India it is in the company law, not a securities rule.
*Fraud reporting — Section 143(12). This one genuinely has no clean Western parallel. An Indian statutory auditor who, in the course of the audit, has reason to believe an offence of fraud is being or has been committed against the company by its officers or employees is under a positive legal duty to report it* — to the Central Government, through the prescribed channel, where the amount involved is ₹1 crore or more, and to the audit committee or board below that threshold. The auditor is conscripted as a whistle-blower by statute. In the Anglo-American model the auditor’s duty runs to forming an opinion and, at most, to resignation and private communication with those charged with governance; it does not ordinarily compel an affirmative report to the state.
To these one should add two features with no Western counterpart at all. *Cost audit (Section 148) requires specified companies in regulated and manufacturing sectors to maintain cost records and have them audited — by cost accountants, a separate profession — producing a second, parallel audit of the unit economics that the financial audit does not perform. And joint audit*, in which two firms are jointly appointed and jointly sign, is mandatory for banks and many public-sector undertakings and common among the largest companies; the conduct of it is governed by its own standard, SA 299. The idea that two competing firms might be made to share, and to check, a single audit is one that the EU treats as an exotic option to extend a rotation period and the US does not entertain at all.
Rotation, compared — and why it matters to a buyer of the stock
Lay the four regimes side by side and the philosophical split is clear. The *United States trusts the firm and rotates the people: no firm rotation, five-year partner rotation, oversight by an independent board with real teeth. The European Union distrusts the long engagement and rotates the firm: ten years and out, with extensions for retendering or joint audit. India is firmly on the EU side of this line — ten-year firm rotation in primary statute — but pairs it with a fraud-reporting duty and a concentration cap the EU lacks. The United Kingdom*, having suffered the most spectacular recent audit failures, has the most ambitious reform on paper and the least of it enacted: mandatory retendering at ten years and rotation at twenty for the FTSE 350, an old competition remedy, but still no independent statutory regulator to stand over the profession.
Why should a buyer of an Indian listed company care where its auditor sits on this clock? Because rotation is an information event. An audit firm approaching the end of its ten-year term is an audit firm whose successor will arrive with fresh eyes, fewer relationships, and an incentive to find — and be seen to find — what the predecessor missed. The years immediately after a forced rotation are statistically the years in which prior-period adjustments, re-estimated provisions, and the occasional restatement surface. A reader who knows the rotation calendar can anticipate where the audit risk is concentrated and read the first incoming auditor’s report with appropriate suspicion of the outgoing one’s last few. The signature block, in other words, carries a date that is also a forecast.
The enforcement turn — and its limits
A regulator is only as real as its enforcement, and here the NFRA story turns genuinely interesting, because it is simultaneously a story of a regulator finding its teeth and of the courts filing some of them down.
On the enforcement side, NFRA has been active in a way the old self-regulatory machinery never was. Between 2022 and 2025 it debarred on the order of eighty-five chartered accountants and imposed monetary penalties on more than a hundred professionals. The orders are specific and public: penalties and multi-year debarments running, in the most serious individual cases of 2024 and 2025, to five years and fines in the lakhs; eighteen branch auditors of DHFL fined and debarred for terms of six months to a year; firm-level findings naming the Big-Four-network firms by name. Crucially, the orders, the inspection reports and the debarment list all sit on NFRA’s public website, searchable by firm and by individual. This is a genuine break with the past. A global investor can now, for a PIE, look up whether the firm signing the accounts has been the subject of an inspection finding or a disciplinary order — a piece of due diligence that simply had no data source in India before 2018.
On the other side sits the law’s discipline of the regulator. In February 2025 the Delhi High Court delivered a long-awaited judgment on a clutch of challenges to NFRA’s very constitution. The court *upheld Section 132 and the NFRA Rules: it rejected the arguments that the regime was retrospective penal legislation barred by Article 20(1), reasoning that “professional misconduct” was already an offence under the Chartered Accountants Act and that Section 132 had merely imported an existing standard, creating no new crime. The authority’s foundations, in short, are constitutionally sound. But* the same court quashed eleven of NFRA’s show-cause notices — several in the IL&FS matters that had birthed the body — on the ground that NFRA had collapsed two functions the law requires it to keep apart: the audit-quality review that investigates, and the disciplinary process that judges. Running both through the same hands, the court held, produced predetermination and structural bias. The Supreme Court has since been asked to weigh in on the “division of functions” question. The net effect, as of this writing, is a regulator with its powers affirmed but its process under repair, and a meaningful number of penalties and debarments stayed or in appeal. Teeth confirmed; bite, in several headline cases, suspended.
And there is a quieter, structural contest running underneath the litigation: the turf war between the new regulator and the old one. The sharpest current flashpoint is *SA 600*, the standard governing how a principal auditor uses the work of the auditors of a group’s components. NFRA has moved to rewrite it to align with the international standard (ISA 600), under which the group auditor carries ultimate responsibility for the group opinion and cannot simply lean on component auditors it has not adequately supervised. The ICAI has resisted, arguing the change threatens the viability of the smaller firms that audit components and that the international definition of a “component auditor” does not fit the Indian market. NFRA’s rejoinder is that the change protects the public and that the audits of roughly 98% of companies are unaffected. With NFRA’s board having recommended the revision and the matter awaiting the Ministry’s assent, the revised standard is set to take effect from April 2026. The substance of the fight is exactly the substance of the IL&FS failure — a group that looked healthy because no one was unambiguously responsible for the consolidated whole — which is why the new regulator has chosen it as the hill to take.
How to read the audit apparatus of an Indian annual report
The practitioner’s payoff from all of this is a short, repeatable routine. When you open an Indian annual report, work the audit apparatus in this order.
First, *decode the signatory*. Read the firm name on the audit report and translate it into its network: S R Batliboi or SRBC is EY; B S R is KPMG; Price Waterhouse is PwC; Deloitte Haskins & Sells is Deloitte; Walker Chandiok is Grant Thornton. An independent local firm with no network is not a mark against the company, but it is a fact worth noting for a large, complex group.
Second, *place the firm on the rotation clock*. The report and the notice of the annual general meeting will tell you when the current auditor was appointed. Count toward the ten-year wall of Section 139(2). An auditor in year nine is one whose work is about to be inherited and re-examined by a successor; weight the most recent estimates accordingly.
Third, *check for a joint auditor*. Banks and public-sector undertakings will have two firms; large private groups sometimes do voluntarily. Two signatures are a strength, but read whether they are genuinely co-equal or whether one firm does the work and the other lends a name.
Fourth, *read the report, not just the opinion*. Look past the clean “true and fair” sentence to the Key Audit Matters, any emphasis-of-matter or qualification, the separate opinion on internal financial controls required by Section 143(3)(i), and the annexed CARO 2020 report with its twenty-one specific disclosures. These are where the auditor tells you what worried them.
Fifth, *run the firm through NFRA*. For a PIE, search NFRA’s public orders, debarments and inspection reports for the signing firm and, where named, the engagement partner. A recent inspection finding on independence or related-party procedures is a reason to read those very areas of the financials harder.
Sixth, *treat a mid-term resignation as an alarm*. Under Section 140 an auditor leaving before the end of its term must file the reasons, and since SEBI tightened the regime in 2019 and after, a listed company must disclose the reasons for an auditor’s departure. An auditor that walks away from a ten-year appointment in year four is telling you something the financial statements are not.
The takeaway
In most of the listed world the auditor’s signature is a formality you are entitled to ignore; in India, since 2018, it is the visible end of a regulated, rotating, network-backed and openly contested institution — and the global reader who learns to decode that signature gains an X-ray of the accounts that the Indian market itself has only possessed for seven years.
Important. All content on this site and in this email is journalism and education for a general audience. Nothing here constitutes investment advice or a recommendation in respect of any specific financial instrument, nor an offer or solicitation to buy or sell any security. Readers should consult an authorised financial adviser regulated in their own jurisdiction before making any investment decision.