What Happened
- Comptroller and Auditor General (CAG) K. Sanjay Murthy urged autonomous institutions receiving government funding to adopt and use the Risk-Control Maturity Scorecard (RCMS) — a self-monitoring tool that helps institutions assess and improve their own financial controls.
- The RCMS is designed as an internal governance instrument that enables autonomous bodies to identify areas of financial risk and control weakness before formal CAG audit reveals them.
- The CAG's message positions the RCMS as part of a broader shift from reactive audit-and-correct cycles to proactive risk management by autonomous institutions themselves.
- This follows CAG's earlier announcement that it would double the commercial cadre handling urban audits over the next four to five years, as part of expanding audit reach.
Static Topic Bridges
Comptroller and Auditor General (CAG) — Constitutional Mandate and Functions
The CAG of India is established under Articles 148 to 151 of the Constitution as the Supreme Audit Institution (SAI) of India. The CAG is the principal auditor of all public expenditure — Union, State, and local bodies receiving government funds — and acts as Parliament's watchdog over the public purse.
- Article 148: Establishes the office; CAG is appointed by the President and can only be removed on the same grounds as a Supreme Court judge (ensuring independence)
- Article 149: Defines the CAG's duties and powers — to audit all Union and State government expenditure, contingency funds, public accounts, and accounts of departments
- Article 150: Accounts of Union and States shall be kept in forms prescribed by the President on CAG's advice
- Article 151: CAG's audit reports are submitted to the President (Union) or Governors (States), who lay them before Parliament or State Legislatures
- Audit types: Compliance audit, performance audit, financial audit, proprietary audit
Connection to this news: The CAG's push for RCMS within autonomous bodies is a natural extension of Article 149's mandate — autonomous institutions substantially funded by the government fall within CAG's audit jurisdiction. By promoting self-assessment tools, the CAG seeks to improve the baseline quality of financial management before formal audit intervention.
Audit of Autonomous Bodies — Scope and Challenges
Autonomous bodies are government-funded entities that operate with administrative independence — universities, research councils, cultural bodies, welfare boards, development authorities, and public enterprises. Their financial management ranges widely in quality, and CAG audits have repeatedly flagged irregularities in fund utilisation, procurement, and internal controls.
- CAG audits approximately 400 non-commercial autonomous bodies at the Union level alone, plus those at state level
- Common audit findings in autonomous bodies: diversion of funds, poor procurement controls, non-adherence to service rules, weak internal audit mechanisms
- CAG has also piloted a maturity scoring framework for urban local bodies' financial accounts, analysing nearly 700 local body accounts across geographies
- The Risk-Control Maturity Scorecard (RCMS) adapts the maturity model concept — widely used in information security and governance frameworks globally — to the financial prudence context of Indian autonomous institutions
Connection to this news: The CAG's recommendation that autonomous bodies leverage RCMS for "self-monitoring" signals a shift toward pre-audit governance improvement. The RCMS provides institutions a structured framework to rate their own internal controls on a maturity scale, prioritise weaknesses, and implement remedial action without waiting for audit directives.
Risk-Control Maturity Models — The Concept
Maturity models assess the sophistication of an organisation's processes on a scale — typically from ad hoc and reactive (Level 1) to optimised and proactive (Level 5). Applied to financial risk and internal controls, a Risk-Control Maturity Scorecard helps institutions map their current control environment, identify gaps, and chart a path toward higher institutional maturity.
- The maturity framework concept originates from the Capability Maturity Model (CMM) used in software process assessment; widely adopted in governance and risk management globally
- Applied to autonomous bodies: the RCMS rates areas like procurement controls, financial reporting, internal audit effectiveness, fund utilisation tracking, and compliance with statutory obligations
- Self-assessment nature: Institutions score themselves, which promotes ownership of financial accountability — unlike reactive audit findings which are often treated as administrative exercises
- CAG's role: Promoting the tool and providing guidance rather than mandating specific scores — complementary to rather than replacing formal audit
Connection to this news: K. Sanjay Murthy's urging of autonomous bodies to "leverage" RCMS reflects the CAG's recognition that with hundreds of autonomous bodies and limited audit bandwidth, a culture of self-assessment within institutions is necessary to improve financial governance at scale.
Key Facts & Data
- CAG K. Sanjay Murthy: 1989-batch IAS officer of Himachal Pradesh cadre; sworn in as CAG on 21 November 2024
- Constitutional basis: Articles 148–151 of the Constitution of India
- CAG audits approximately 400 non-commercial autonomous bodies at Union level
- CAG has analysed nearly 700 urban local body accounts in a pilot maturity assessment exercise
- RCMS: A self-monitoring tool for autonomous institutions to assess financial prudence and internal controls proactively
- CAG plans to double commercial audit cadre for urban local body audits in the next 4–5 years
- India's Supreme Audit Institution (SAI) is a member of INTOSAI (International Organisation of Supreme Audit Institutions)