KYC Audit and Periodic Review: What It Is and How to Conduct One

A KYC audit and re-KYC are not the same thing, and conflating them is one of the most common ways compliance programmes get caught out at an RBI inspection. Re-KYC refreshes a customer record. A KYC audit tests the programme that produces those records: the policy, the controls, the sampling, the exception handling, and the audit trail. This guide explains what a KYC audit is, what regulators expect, what scope looks like in practice, and how to structure the exercise so findings drive improvement rather than a binder of observations. For compliance officers who want a quick reference alongside this, our KYC checklist is the operational companion.

What Is a KYC Audit?

A KYC audit is an independent review of whether a regulated entity’s KYC programme meets regulatory and internal policy standards. Internal audit typically runs it, with periodic external reviews by statutory or specialist auditors. The output is an opinion on programme health plus a list of observations that feed corrective action.

KYC Audit Defined

A KYC audit tests the programme, not individual customers. It looks at whether the policy exists and is current, whether the controls designed by the policy are actually operating, whether exceptions are captured and resolved, and whether outcomes across the customer base look defensible. It is a process audit with compliance teeth, not a transaction-level review.

KYC Audit vs Re-KYC: The Critical Distinction

This is the distinction most compliance teams miss, and it matters because the two live in different parts of the compliance operation. Re-KYC refreshes a single customer’s KYC record on a scheduled cadence. A KYC audit reviews the entire programme that produces those records. Re-KYC is operational work; KYC audit is assurance work. Our re-KYC process guide covers the operational side in detail; this article covers the assurance side.

| | KYC Audit | Re-KYC |
|---|---|---|
| What it reviews | The programme (policy, controls, outcomes) | A customer record |
| Who runs it | Internal audit, sometimes external auditors | Operations or compliance teams |
| Frequency | Periodically (often annual) | On the customer’s risk-based cadence (2, 8, or 10 years) |
| Output | Audit report and corrective action plan | Refreshed KYC record |

Who Is Accountable

The Board or Audit Committee owns ultimate accountability for KYC audit outcomes. The Principal Officer or MLRO owns the operational response to findings. Internal audit executes the audit. External auditors may be engaged for specialist reviews or by regulatory direction. Keeping these roles distinct is what keeps the audit independent, which is why merging the audit function into the compliance operation it audits is a bad idea even when it looks cost-efficient.

Regulatory Basis for KYC Audits

A KYC audit is not optional for regulated entities. Three layers of regulation require it, and each adds a specific obligation.

RBI Expectations for Regulated Entities

The RBI KYC Master Direction requires regulated entities to conduct periodic independent reviews of their KYC policy and its implementation. Concurrent audit and internal audit functions are expected to cover KYC controls within their scope. The intensity of review scales with the size and layer of the regulated entity: larger banks and Upper Layer NBFCs face more prescriptive requirements than smaller Base Layer NBFCs.

SEBI and Intermediary Obligations

SEBI-regulated intermediaries, including mutual fund distributors, stockbrokers, and portfolio managers, must have documented KYC audit procedures as part of their compliance framework. Intermediaries that rely on KRA records still bear audit responsibility for how they use those records internally, which auditors examine during inspections.

FATF and International Baselines

FATF Recommendation 18 and its Interpretive Note establish the international expectation that financial institutions implement internal controls and an independent audit function that tests AML and KYC compliance. Indian supervisory practice aligns with this baseline, and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 codify the recordkeeping and reporting obligations that an audit examines in practice.

Scope of a KYC Audit

Scope is where audit quality is won or lost. A thin scope produces a clean report that misses real problems. A well-defined scope covers four areas.

Policy and Governance

The audit verifies that a Board-approved KYC policy exists, is current with the latest regulatory changes (including the 2025 Master Directions for banks and NBFCs), and is known across relevant teams. It checks the delegated authority matrix: who can approve exceptions, who can escalate high-risk onboardings, who signs off on periodic updation exceptions. A policy that looks good on paper but has no evidence of operational awareness is a common finding.

Onboarding Controls

This is where customer identification procedures, Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) get tested. Sampling is risk-weighted, with oversampling of high-risk customers, EDD cases, and any segments flagged in prior audits. For each sampled customer, the auditor walks through the onboarding file end-to-end and compares what was done against what policy required.

Ongoing Monitoring

Periodic updation adherence is the most commonly failing control. The auditor checks whether customers due for re-KYC have been refreshed, whether outreach was done per the August 2025 three-intimation rule, and whether sanctions and AML screening hits are being resolved rather than piling up in a queue. Transaction-monitoring linkage is also examined because weak linkage between KYC risk ratings and monitoring thresholds is a recurring observation.

Data, Records, and Reporting

Record retention is tested against the PMLA five-year minimum. The CKYCR synchronisation is audited: are new records being uploaded within ten working days? Are updates being pushed? Is the entity using the registry before running fresh KYC? The STR and CTR pipeline to FIU-IND is reviewed for timeliness and completeness, per the FIU-IND AML and CFT Guidelines.

The KYC Audit Process: Step by Step

A well-run KYC audit follows a predictable four-phase cycle, and each phase has its own quality markers.

Step 1: Planning and Risk Assessment

The audit begins with scope definition, time period, and sampling methodology. Risk-weighted sampling means over-representing high-risk customers, EDD cases, geographically concentrated segments, and any area flagged in prior audits. Plan documentation should include the sample size, the stratification logic, and the controls being tested; a plan that cannot answer “why these samples?” is the first red flag.

Step 2: Fieldwork and Sampling

The auditor pulls customer files, walks through a selection of end-to-end onboarding journeys, and maps each file against the policy. This is where the walkthrough versus the document examination matters: a walkthrough simulates an actual onboarding and catches process gaps that file review alone misses.

Step 3: Testing Controls

Two classes of controls are tested. Automated controls (sanctions hit handling, OVD validation, liveness check pass rates) are tested by examining logs and running regression tests against known inputs. Manual controls (override justifications, EDD escalations, senior management approvals for high-risk relationships) are tested by sampling cases and examining the reasoning captured in the file. Video KYC sessions in particular need audit-trail inspection because the session itself is ephemeral.

Step 4: Findings, CAPs, and Reporting

Findings are rated (commonly: satisfactory, needs improvement, unsatisfactory), and each finding gets a Corrective Action Plan (CAP) with a named owner and a deadline. The final report is issued to the Audit Committee. Tracking CAPs to closure is as important as raising them; findings that recur audit after audit indicate a governance problem, not just a control problem.

KYC Audit Checklist (12 Points)

A working audit checklist covers three areas: programme-level controls, customer-level controls, and technology and data controls. The twelve points below are the minimum viable scope; more detailed audits add dozens more.

Programme-Level Controls

  1. KYC policy currency: Is the Board-approved policy updated for the latest RBI, SEBI, and FATF changes?
  2. Training coverage: Have relevant staff received current KYC training? Is attendance tracked?
  3. Independence of audit: Is the auditor independent of the compliance function being audited?
  4. Exception authority: Does the delegation matrix match actual approval practice?

Customer-Level Controls

  5. Identification quality: Are sampled customer records backed by valid OVDs with no obvious mismatches?
  6. Risk rating accuracy: Do the assigned risk ratings reflect the customer profile and transaction behaviour?
  7. EDD triggers: Are EDD procedures triggered for all PEP, high-risk jurisdiction, and sanctions-adjacent customers?
  8. Periodic updation adherence: Are customers due for re-KYC actually being refreshed within the required timelines?

Technology and Data Controls

  9. CKYCR synchronisation: Are new records uploaded within ten working days and updates propagated? Integration via a CKYC record upload API should leave a clean audit trail.
  10. Sanctions feed freshness: Are sanctions and PEP feeds refreshed on the documented cadence?
  11. Audit log integrity: Are logs immutable, time-stamped, and retained for the required period?
  12. Access control: Can only authorised personnel modify KYC records? Is segregation of duties enforced?

Periodic Review vs Re-KYC vs Perpetual KYC

These are three overlapping terms that compliance teams often use interchangeably. They are not the same, and the KYC audit function interacts with each one differently.

| | Periodic Review | Re-KYC | Perpetual KYC |
|---|---|---|---|
| Definition | Periodic review is the scheduled refresh of a customer record at the risk-based cadence (2, 8, or 10 years). | Re-KYC is the act of re-documenting a customer, which can happen during periodic review or in response to a specific event. | Perpetual KYC (pKYC) is the model where the customer record is updated continuously based on data triggers rather than scheduled dates. |
| KYC audit fit | KYC audit checks whether customers due for review have been refreshed. | KYC audit examines file quality and reasoning. | KYC audit tests whether triggers fire as designed, whether the data sources are current, and whether the audit trail captures every automated update. |

Think of periodic review as the calendar, re-KYC as the action, and pKYC as a different operating model for both.

A KYC audit tests all three. The audit is independent of the operating model; what changes is the evidence the auditor examines.

Common Audit Findings and How to Resolve Them

Three findings recur across KYC audits at Indian regulated entities. Each has a known fix.

Stale Periodic Updation

Customers whose KYC is overdue for refresh are the single most common finding. The root cause is usually the absence of a trigger engine that flags upcoming review dates and drives outreach. The fix is a calendar-plus-event trigger system tied to CKYC data; the three-intimation outreach, now explicitly required by the August 2025 amendment, becomes the audit checklist item.
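The adherence test described under Ongoing Monitoring and the trigger logic behind this fix can be expressed as a small audit script. This is an added example, not HyperVerge's or any regulator's code; it assumes the 2/8/10-year cadence maps to high/medium/low risk, that the three-intimation rule is satisfied by three dated intimations on or before the due date, and the sample records are constructed.

```python
from datetime import date

# Assumed mapping (RBI periodic-updation cadence): high 2, medium 8, low 10 years.
CADENCE_YEARS = {"high": 2, "medium": 8, "low": 10}
REQUIRED_INTIMATIONS = 3   # the August 2025 three-intimation rule

def due_date(last_kyc: date, risk: str) -> date:
    """Next periodic-updation due date for a record last refreshed on last_kyc."""
    years = CADENCE_YEARS[risk.lower()]
    try:
        return last_kyc.replace(year=last_kyc.year + years)
    except ValueError:                 # 29 Feb rolled onto a non-leap year
        return last_kyc.replace(year=last_kyc.year + years, day=28)

def check_periodic_updation(records: list, as_of: date) -> list:
    """Return one finding per customer whose refresh was due on or before as_of.

    Each finding carries days overdue and whether enough dated intimations
    were sent on or before the due date (assumed test for the rule).
    """
    findings = []
    for rec in records:
        due = due_date(rec["last_kyc"], rec["risk"])
        if due > as_of:
            continue                   # not yet due: nothing to report
        sent = [d for d in rec.get("intimations", []) if d <= due]
        findings.append({
            "customer_id": rec["customer_id"],
            "risk": rec["risk"],
            "days_overdue": (as_of - due).days,
            "intimations_before_due": len(sent),
            "outreach_compliant": len(sent) >= REQUIRED_INTIMATIONS,
        })
    return findings

# Constructed sample: four records as an auditor might pull them from the system.
SAMPLE = [
    {"customer_id": "C001", "risk": "high", "last_kyc": date(2023, 1, 15),
     "intimations": [date(2024, 10, 1), date(2024, 11, 1), date(2024, 12, 1)]},
    {"customer_id": "C002", "risk": "high", "last_kyc": date(2022, 6, 30),
     "intimations": [date(2024, 6, 1)]},
    {"customer_id": "C003", "risk": "medium", "last_kyc": date(2016, 3, 10),
     "intimations": []},
    {"customer_id": "C004", "risk": "low", "last_kyc": date(2020, 9, 1),
     "intimations": []},
]

if __name__ == "__main__":
    for finding in check_periodic_updation(SAMPLE, as_of=date(2025, 9, 30)):
        print(finding)
```

Run against the sample as of 30 September 2025, C001 is overdue but outreach-compliant, C002 is overdue with only one intimation, C003 has no outreach at all, and C004 is not yet due.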

Weak EDD Documentation

EDD cases where the file contains tick-boxes but no reasoning fall apart under auditor scrutiny. The fix is a workflow tool that enforces reasoning fields at the moment of EDD approval, rather than a checklist that can be completed with minimal effort. For NBFC onboarding at scale, this usually means embedding the workflow into the case management platform.

CKYC Mismatch

Customer data in the internal record diverging from the CKYCR record is the third recurring observation. It typically happens when internal updates are not pushed to CKYCR or when CKYCR updates are not pulled back in. The fix is automated two-way sync with a reconciliation job that flags divergence daily, treated as a compliance incident rather than a data-quality ticket.
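The reconciliation job described here (and the CKYCR synchronisation check under Data, Records, and Reporting) can be sketched as a field-by-field comparison that tolerates formatting differences but raises an incident on real divergence. This is an added example, not HyperVerge's or CKYCR's code; the record layout, field names, normalisation rules and severity classification are assumptions, and all sample values are constructed.

```python
import re

# Fields the internal record and the CKYCR copy are expected to agree on (assumed layout).
RECONCILED_FIELDS = ("name", "dob", "pan", "address", "mobile")

def normalise(field: str, value: str) -> str:
    """Canonicalise a value so formatting-only differences do not raise an alert."""
    v = " ".join(str(value or "").split()).upper()
    if field in ("name", "address"):
        v = re.sub(r"[^A-Z0-9 ]", "", v)   # drop punctuation such as "." in "S. Kumar"
    elif field == "mobile":
        v = re.sub(r"\D", "", v)[-10:]     # keep only the 10-digit subscriber number
    return v

def reconcile(internal: dict, ckycr: dict) -> list:
    """Return the fields whose values still differ after normalisation."""
    return [f for f in RECONCILED_FIELDS
            if normalise(f, internal.get(f)) != normalise(f, ckycr.get(f))]

def run_reconciliation(internal_records: dict, ckycr_records: dict) -> list:
    """Compare every internal record against CKYCR and return one incident per divergence.

    A record missing from CKYCR is itself a divergence (it was never pushed).
    Identity fields (pan, dob) are rated high so they are triaged first (assumed rule).
    """
    incidents = []
    for ckyc_no, internal in internal_records.items():
        remote = ckycr_records.get(ckyc_no)
        if remote is None:
            incidents.append({"ckyc_no": ckyc_no, "fields": ["<missing in CKYCR>"], "severity": "high"})
            continue
        diffs = reconcile(internal, remote)
        if diffs:
            severity = "high" if {"pan", "dob"} & set(diffs) else "medium"
            incidents.append({"ckyc_no": ckyc_no, "fields": diffs, "severity": severity})
    return incidents

# Constructed sample: three internal records, two of which exist in the CKYCR extract.
INTERNAL = {
    "10000000000001": {"name": "S. Kumar", "dob": "1985-04-12", "pan": "ABCDE1234F", "address": "12, MG Road, Pune", "mobile": "+91 98765 43210"},
    "10000000000002": {"name": "Asha Rao", "dob": "1990-11-03", "pan": "FGHIJ5678K", "address": "4 Park St, Kolkata", "mobile": "9123456789"},
    "10000000000003": {"name": "R Singh", "dob": "1978-01-20", "pan": "KLMNO9012P", "address": "7 Lake View, Bhopal", "mobile": "9000000000"},
}
CKYCR = {
    "10000000000001": {"name": "S KUMAR", "dob": "1985-04-12", "pan": "ABCDE1234F", "address": "12 MG ROAD PUNE", "mobile": "9876543210"},
    "10000000000002": {"name": "Asha Rao", "dob": "1990-11-30", "pan": "FGHIJ5678K", "address": "4 Park St, Kolkata", "mobile": "9123456789"},
}

if __name__ == "__main__":
    for incident in run_reconciliation(INTERNAL, CKYCR):
        print(incident)
```

The first record differs only in punctuation and phone formatting and produces no incident; the second has a genuine date-of-birth divergence, and the third was never uploaded.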

Turning a Clean Audit Into a Competitive Edge

A KYC audit is not just a regulatory compliance exercise. The same discipline that passes a clean audit (policy currency, controlled onboarding, audit-trail-quality data, event-driven updates) also reduces onboarding friction, improves customer experience, and lowers compliance cost per customer over time. Treating audit preparation as year-round hygiene rather than an event gets compliance teams ahead of the next supervisory wave rather than scrambling to respond.

To see how HyperVerge helps compliance teams build audit-ready KYC flows with Aadhaar, V-CIP, DigiLocker, CKYCR, and complete audit logging in one stack, sign up for a product walkthrough.

Frequently Asked Questions

What is the difference between a KYC audit and re-KYC?

A KYC audit tests the KYC programme as a whole: the policy, the controls, the exception handling, and the outcomes across the customer base. Re-KYC refreshes a single customer's KYC record on a scheduled cadence based on risk rating. Audit is assurance work performed periodically; re-KYC is operational work performed on a per-customer schedule. A healthy compliance operation does both, and the audit includes re-KYC adherence as one of its test areas.

Who conducts a KYC audit?

Internal audit typically conducts a KYC audit at a regulated entity. The internal auditor should be independent of the compliance function being audited. External auditors may be engaged for specialist reviews, regulatory-directed audits, or periodic assurance that internal audit findings are credible. The Board or Audit Committee reviews the final report and approves the corrective action plan.

How often should a KYC audit be conducted?

Most regulated entities conduct a KYC audit annually at minimum. Concurrent audit coverage of KYC controls can happen more frequently, and specific trigger events (such as a material regulatory change, a significant control failure, or a supervisory observation) can prompt an interim audit. Smaller Base Layer NBFCs may run on an extended cycle, but an annual baseline is common practice.

What does a KYC audit cover?

A KYC audit covers four scope areas: policy and governance, onboarding controls (CIP, CDD, EDD), ongoing monitoring (periodic updation, sanctions and PEP screening, transaction monitoring linkage), and data, records, and reporting (recordkeeping, CKYCR synchronisation, STR and CTR pipelines). Within each area, the auditor samples customers and walks through the end-to-end process rather than relying on document checks alone.

Is a KYC audit mandatory under RBI regulations?

The RBI KYC Master Direction requires regulated entities to conduct periodic independent reviews of their KYC policy and its implementation. The specific structure of the audit (internal, concurrent, or external) depends on the type and scale of the entity, but the principle of an independent review is consistent across banks, NBFCs, and other regulated entities.

What is the difference between a KYC audit and an AML audit?

A KYC audit focuses on customer identification, due diligence, risk rating, and record maintenance. An AML audit takes a broader view that includes KYC but also covers transaction monitoring, sanctions screening, suspicious transaction reporting, and the effectiveness of the overall AML programme. In practice, many regulated entities combine the two into a single compliance audit that covers both KYC and AML controls together.

Preeti Kulkarni

Content Marketer

Preeti is a tech enthusiast who enjoys demystifying complex tech concepts majorly in fintech solutions. Infusing her enthusiasm into marketing, she crafts compelling product narratives for HyperVerge's diverse audience.
