The Reserve Bank of India (RBI) on Tuesday issued guidelines on a risk-based internal audit (RBIA) framework for Non-Banking Financial Companies (NBFCs) and Primary (Urban) Co-operative Banks (UCBs), which they need to implement by March 31, 2022.
RBI asked the supervised entities (SEs) to place the RBIA circular before their Board at its next meeting. The guidelines should be implemented as per the specified timeline, under the oversight of the Board.
The central bank observed that the internal audit function should broadly assess and contribute to the overall improvement of the organization’s governance, risk management, and control processes using a systematic and disciplined approach. The function is an integral part of sound corporate governance and is considered as the third line of defence.
The supervised entities (SEs) will have to move towards a framework which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures in various areas of operations. This will also help in anticipating areas of potential risks and mitigating such risks.
Audit plan and review
Per the guidelines, RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity / location and the effectiveness of the control systems for monitoring such inherent risks.
The RBIA policy must be reviewed periodically. The risk assessment of business and other functions of the organization shall at the minimum be conducted on an annual basis. Every activity / location, including the risk management and compliance functions, shall be subjected to risk assessment by the RBIA, according to the guidelines.
The SE's RBIA policy should also lay down the maximum time period beyond which even low-risk business activities / locations would not remain excluded from audit.
The Audit Committee of the Board (ACB)/ Board should formulate and maintain a quality assurance and improvement program that covers all aspects of the internal audit function.
The quality assurance program may include assessment of the internal audit function at least once in a year for adherence to the internal audit policy, objectives and expected outcomes.
RBI said a consolidated position of major risks faced by the organization needs to be presented at least annually to the ACB/Board, based on inputs from all forms of audit.
Authority and competence
The regulator wants the senior management of SEs to ensure that the RBIA function is adequately staffed with skilled personnel of the right aptitude and attitude who are periodically trained to update their knowledge, skills and competencies.
RBI emphasised that the internal audit function must have sufficient authority, stature, independence and resources thereby enabling internal auditors to carry out their assignments properly.
The Head of Internal Audit (HIA) shall be a senior executive with the ability to exercise independent judgment. Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the HIA shall be appointed for a reasonably long period, preferably for a minimum of three years.
RBI said the requisite professional competence, knowledge and experience of each internal auditor (including banking/financial entity’s operations, accounting, information technology, data analytics and forensic investigation, among others) is essential for the effectiveness of the internal audit function. The collective skill levels should be adequate to audit all areas of the SE.
The SEs may prepare a Risk Audit Matrix based on the magnitude and frequency of risk.
RBI said the internal audit function should not be outsourced. However, where required, experts including former employees can be hired on a contractual basis subject to the ACB/Board being assured that such expertise does not exist within the audit function of the SE.