Is Poor Internal Audit a Lacuna in HDFC Bank’s Processes, Or Part of Its Business Model?


EXECUTIVE SUMMARY. Recently, the Reserve Bank of India (RBI) was forced to disclose its confidential inspection reports, called Risk Assessment Reports (RARs), of the State Bank of India (SBI), HDFC Bank, ICICI Bank and Axis Bank for the years FY2013 to FY2015. Shockingly, among the four banks, HDFC Bank was assessed not only with poor scores on internal audit, operational (non-IT) risk, risk governance, senior management and board risk, but with the worst scores on internal audit in all 3 years, and in non-IT operational risk in 2 of the 3 years. This stands in contrast to HDFC Bank’s reputation for good governance. Although, on the aggregate risk, there was no cause for concern, the fact that RBI scored HDFC Bank as high-risk on these select segments, and that from FY2013 to FY2015 these segment risk scores kept getting worse, should be of concern to shareholders. It is worth recalling that in July 2011, Cobrapost had exposed the staff of banks brazenly marketing money laundering; HDFC Bank figured prominently among these, and was subsequently fined by the RBI. Apparently, the bank and its board took the regulator’s penalty lightly, as its subsequent RBI risk scores evidenced a casual approach towards internal audit and compliance.

The accountability for such poor risk scores on internal audit and non-IT operational risk rests squarely with the bank’s audit and compliance committee, which in the concerned years was chaired by the chairperson of the board, namely C.M. Vasudev (FY2013 and FY2014) and Shyamala Gopinath (FY2015), and had as its members Pandit  Palande, Partho Datta and Bobby Parikh. That a committee chaired by the chairperson of the board, with eminent independent directors as its members, was ranked so poorly by the banking supervisor, and that its rating kept getting worse, is a sad reflection on the oversight exercised by HDFC Bank’s board of directors. This was all the more surprising as Shyamala Gopinath was a former career central banker and retired as deputy governor, RBI, and should have realised the importance of compliance and internal audit in banks.

What should also be of concern is that HDFC Bank has never indicated that these risk scores were so poor in their management commentary, which portrayed a rosy picture. It is also extremely unfortunate, but largely expected, that sell-side analysts have not displayed any interest in further probing these concerns regarding India’s largest bank by market capitalisation, though they are in the public domain.

Previous articleRBI Confidential Reports Reveal a Gulf between Axis Bank Annual Reports and Reality
Next articleWhy Is Sell-Side Research So Afraid of Mentioning the RBI’s Confidential Reports on India’s Top Banks?


  1. I’m a Preferred Banking customer of HDFC Bank since 2013. This report on the Bank’s internal audit and risk assessment scores speaks badly about the risk oversight prevailing in the Bank’s transactional as well as asset management portfolios. I’m concerned about this gross indifference by the bank management and the board.