RBI Insists on Risk-based Internal Audit System

The Reserve Bank of India (RBI) has notified guidelines on risk-based internal audit (RBIA) framework for Non-Banking Financial Companies (NBFCs) and Primary (Urban) Co-operative Banks (UCBs). These guidelines have to be implemented by March 31, 2022.

Key Points

  • The risk-based internal audit (RBIA) framework has been made mandatory for supervised entities (SEs) — all deposit-taking NBFCs; all UCBs with asset size of Rs 500 crore and more; all non-deposit taking NBFCs (including Core Investment Companies) with asset size of Rs5,000 crore and above.
  • RBIA framework has been mandated to enhance the efficacy of the internal audit systems and processes of these entities.
  • The supervised entities (SEs) will have to adopt the framework including an evaluation of the risk management systems, selective transaction testing, and control procedures in different areas of operations.
  • Per the RBI guidelines, RBIA should undertake an independent risk assessment for devising a risk-based audit plan.
  • The RBIA policy must be reviewed periodically. Risk assessment should be done on an annual basis.
  • A time limit should also be set beyond which low-risk business locations/activities can remain out of the audit.
  • The quality assurance and improvement must be ensured by the Audit Committee of the Board (ACB)/ Board.

Other than this, RBI has directed the senior management of SEs to ensure that the RBIA function has proper and skilled staff. This staff should also be timely trained to update their skill, knowledge, and competencies. Also, internal audit should not be outsourced; experts can be hired for this.