The Reserve Bank of India (“RBI”), pursuant to its notification dated February 03, 2021, has now decided to mandate a risk-based internal audit (“RBIA”) system, with a view to enhancing the quality and effectiveness of the internal audit system, for the following Non-Banking Financial Companies (“NBFCs”) and Primary Urban Co-operative Banks (“UCBs”):
- All deposit taking NBFCs, irrespective of their size.
- All Non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above.
- All UCBs having asset size of ₹500 crore and above.
The Board of Directors (“the Board”) / Audit Committee of Board (“ACB”) of NBFCs and the Board of UCBs are primarily responsible for overseeing the internal audit function in the organization. The RBIA policy shall be formulated with the approval of the Board and disseminated widely within the organization.
The ACB/Board shall approve an RBIA plan to determine the priorities of the internal audit function based on the level and direction of risk, as consistent with the entity’s goals. The risk assessment of business and other functions of the organization shall at a minimum be conducted on an annual basis.
The senior management is responsible for ensuring adherence to the internal audit policy guidelines as approved by the Board. It shall ensure that appropriate action is taken on the internal audit findings within given timelines.
A consolidated position of major risks faced by the organization shall be presented annually to the ACB/Board, based on inputs from all forms of audit.
The Head of Internal Audit (“HIA”) shall be a senior executive with the ability to exercise independent judgement. The HIA and the internal audit functionaries shall have the authority to communicate with any staff member and get access to all records that are necessary to carry out the entrusted responsibilities.
Requisite professional competence, knowledge and experience of each internal auditor are essential for the effectiveness of the internal audit function. The areas of knowledge and experience may include banking/financial entity’s operations, accounting, information technology, data analytics and forensic investigation.
The Board should prescribe a minimum period of service for staff in the internal audit function. The Board may also examine the feasibility of prescribing at least one stint of service in the internal audit function for those staff possessing specialized knowledge useful for the audit function.
The HIA shall be appointed for a reasonably long period, preferably for a minimum of three years.
The HIA shall directly report to either the ACB/Board/MD & CEO or to the Whole Time Director (“WTD”). Should the Board of Directors decide to allow the MD & CEO or a WTD to be the ‘Reporting authority’, then the ‘Reviewing authority’ shall be the ACB/Board and the ‘Accepting authority’ shall be the Board in matters of performance appraisal of the HIA. Further, in such cases, the ACB/Board shall meet the HIA at least once in a quarter, without the presence of the senior management (including the MD & CEO/WTD).
The risk assessment methodology should include parameters such as:
- Previous internal audit reports and compliance.
- Proposed changes in business lines or change in focus.
- Significant change in management / key personnel.
- Results of regulatory examination report.
- Reports of external auditors.
- Industry trends and other environmental factors.
- Time elapsed since last audit.
- Volume of business and complexity of activities.
- Substantial performance variations from the budget.
- Business strategy of the entity vis-à-vis the risk appetite and adequacy of control.
The internal audit function shall not be outsourced. However, where required, experts including former employees can be hired on a contractual basis subject to the ACB/Board being assured that such expertise does not exist within the audit function of the supervised entities. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.
Historically, the internal audit system in NBFCs/UCBs has generally concentrated on transaction testing, testing of accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, etc. However, in the changing scenario, such testing by itself might not be sufficient. The introduction of the abovementioned framework may, therefore, be viewed as a progressive step towards an effective internal audit function, ensuring a smooth transition from the existing system of internal audit to RBIA.