The evolvement of financial instruments and markets has enabled banks to undertake varied risk exposures, and hence to conduct smooth banking business it has become crucial to have in place effective risk management and internal control systems. Considering the speed of growing financial system in India with vide varieties of banking business and categories, and also considering the increase in the trend of frauds in banking sectors, the Reserve Bank of India (RBI) which is India’s central bank and regulatory body under the jurisdiction of the Ministry of Finance, Government of India, proposed the need of strong and robust internal auditing and control system thereby constituting a Risk-Based Internal Audit (RBIA) system.
Risk-Based Internal Audit (RBIA) is an audit methodology that links an organization’s overall risk management framework and provides an assurance to the Board of Directors and the Senior Management on the quality and effectiveness of the organization’s internal controls, risk management and governance related systems and processes.
The Reserve Bank of India mandated the RBIA system to schedule commercial banks way back in the year 2002 with guidelines in respect thereof which were supplemented from time to time with the changing trends of banking business and frauds. As mentioned above, considering the increase in the trend of frauds in banking sectors, the RBI has now mandated the RBIA system to all deposit taking Non-Banking Financial Companies (NBFCs) irrespective of their size, on-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above and Primary (Urban) Co-operative Banks (UCBs) with asset size of ₹500 crore and above, vide circular dated 3rd February 2021.
(1) Role of Board of Directors/ Audit Committee in RBIA system:
The Board of Directors (the Board) /Audit Committee of Board (ACB) of NBFCs and the Board of UCBs are primarily responsible for overseeing the internal audit function in the organization. The ACB/Board shall approve a RBIA plan to determine the priorities of the internal audit function based on the level and direction of risk, as consistent with the entity’s goals and nature of business. Every activity / location, including the risk management and compliance functions, shall be subjected to risk assessment by the RBIA. The ACB/Board is expected to review the performance of RBIA and shall promote the use of new audit tools/ new technologies for reducing the extent of manual monitoring / transaction testing / compliance monitoring, etc. the RBIA policy must be reviewed annually.
(2) Role of Senior Management:
The senior management is responsible for ensuring adherence to the internal audit policy guidelines as approved by the board and establishment of independent internal audit function promoting accountability and transparency.
1. Authority, Stature, Independence and Resources:
RBIA system should have sufficient authority, stature, independence and resources thereby enabling internal auditors to carry out their assignments properly with a Head of Internal Audit (HIA) with an ability to exercise independent judgement. The HIA and the internal audit functionaries shall have the authority to communicate with any staff member and get access to all records that are necessary to carry out the entrusted responsibilities.
2. Competence and rotation of staff:
The internal auditor to be qualified with requisite professional competence, specialized knowledge such as banking/financial entity’s operations, accounting, information technology, data analytic and experienced, for the effectiveness of internal audit function and the Board should prescribe a minimum period of service for staff in the internal audit function and rotate the staff possessing specialized knowledge for effective functionality.
3. Tenor and responsibility of head of internal audit (HIA):
The tenor of HIA should be of 3 years except for the entities where the internal audit function is a specialized function and managed by career internal auditors. The HIA shall directly report to either the Audit Committee of Board /Board/ MD & CEO or to the Whole Time Director (WTD) in accordance with proposed ‘Reporting Authority’, ‘Reviewing Authority’ and ‘Accepting Authority’ by the Board. ACB/Board shall meet the HIA at least once in a quarter, without the presence of the senior management (including the MD & CEO/WTD). The HIA shall not have any reporting relationship with the business verticals of these Supervised Entities (SEs) and shall not be given any business targets.
4. Remuneration of Internal Audit Staff:
The remuneration policies should be structured in a way to avoid creating conflict of interest and compromising audit’s independence and objectivity.
The internal audit functionaries should:
As seen in last 18 years of the economic development, the lasting impression of introduction of RBIA system in schedule commercial banks, and a present step of RBI to bring under arms of RBIA system the other Banking sectors shows a bright future for effective functioning of bank sectors which would lower the risk of frauds and help achieving the goals and competence in national economic growth.