Guidelines on Risk-Based Internal Audit (RBIA) System for Select Non-Banking Financial Companies and Urban Cooperative Banks

Blog   wpadmin   May 12, 2021

Executive Summary:

      • Risk-Based Internal Audit (RBIA) links an organization’s overall risk management framework and provides an assurance to the board of directors and the senior management on the quality and effectiveness of the organization’s internal controls, risk management etc.
      • RBI has now mandated the RBIA system to all deposit taking Non-Banking Financial Companies (NBFCs) irrespective of their size, on-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above and Primary (Urban) Co-operative Banks (UCBs) with asset size of ₹500 crore and above, vide circular dated 3rd February 2021.

Introduction:

The evolvement of financial instruments and markets has enabled banks to undertake varied risk exposures, and hence to conduct smooth banking business it has become crucial to have in place effective risk management and internal control systems. Considering the speed of growing financial system in India with vide varieties of banking business and categories, and also considering the increase in the trend of frauds in banking sectors, the Reserve Bank of India (RBI) which is India’s central bank and regulatory body under the jurisdiction of the Ministry of Finance, Government of India, proposed the need of strong and robust internal auditing and control system thereby constituting a Risk-Based Internal Audit (RBIA) system.

Risk Based Internal Audit (RBIA):

Risk-Based Internal Audit (RBIA) is an audit methodology that links an organization’s overall risk management framework and provides an assurance to the Board of Directors and the Senior Management on the quality and effectiveness of the organization’s internal controls, risk management and governance related systems and processes.
The Reserve Bank of India mandated the RBIA system to schedule commercial banks way back in the year 2002 with guidelines in respect thereof which were supplemented from time to time with the changing trends of banking business and frauds. As mentioned above, considering the increase in the trend of frauds in banking sectors, the RBI has now mandated the RBIA system to all deposit taking Non-Banking Financial Companies (NBFCs) irrespective of their size, on-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above and Primary (Urban) Co-operative Banks (UCBs) with asset size of ₹500 crore and above, vide circular dated 3rd February 2021.

RBI Guidelines on Risk-Based Internal Audit (RBIA) System for Select NBFCs and UCBs – Overview:

(1) Role of Board of Directors/ Audit Committee in RBIA system:
The Board of Directors (the Board) /Audit Committee of Board (ACB) of NBFCs and the Board of UCBs are primarily responsible for overseeing the internal audit function in the organization. The ACB/Board shall approve a RBIA plan to determine the priorities of the internal audit function based on the level and direction of risk, as consistent with the entity’s goals and nature of business. Every activity / location, including the risk management and compliance functions, shall be subjected to risk assessment by the RBIA. The ACB/Board is expected to review the performance of RBIA and shall promote the use of new audit tools/ new technologies for reducing the extent of manual monitoring / transaction testing / compliance monitoring, etc. the RBIA policy must be reviewed annually.

(2) Role of Senior Management:
The senior management is responsible for ensuring adherence to the internal audit policy guidelines as approved by the board and establishment of independent internal audit function promoting accountability and transparency.

Key attributes of RBIA system:

1. Authority, Stature, Independence and Resources:
RBIA system should have sufficient authority, stature, independence and resources thereby enabling internal auditors to carry out their assignments properly with a Head of Internal Audit (HIA) with an ability to exercise independent judgement. The HIA and the internal audit functionaries shall have the authority to communicate with any staff member and get access to all records that are necessary to carry out the entrusted responsibilities.

2. Competence and rotation of staff:
The internal auditor to be qualified with requisite professional competence, specialized knowledge such as banking/financial entity’s operations, accounting, information technology, data analytic and experienced, for the effectiveness of internal audit function and the Board should prescribe a minimum period of service for staff in the internal audit function and rotate the staff possessing specialized knowledge for effective functionality.

3. Tenor and responsibility of head of internal audit (HIA):
The tenor of HIA should be of 3 years except for the entities where the internal audit function is a specialized function and managed by career internal auditors. The HIA shall directly report to either the Audit Committee of Board /Board/ MD & CEO or to the Whole Time Director (WTD) in accordance with proposed ‘Reporting Authority’, ‘Reviewing Authority’ and ‘Accepting Authority’ by the Board. ACB/Board shall meet the HIA at least once in a quarter, without the presence of the senior management (including the MD & CEO/WTD). The HIA shall not have any reporting relationship with the business verticals of these Supervised Entities (SEs) and shall not be given any business targets.

4. Remuneration of Internal Audit Staff:
The remuneration policies should be structured in a way to avoid creating conflict of interest and compromising audit’s independence and objectivity.

General responsibilities of RBIA:

The internal audit functionaries should:

  • Work on the basis of approved policies and procedures by ACB/Board.
  • Undertake an independent risk assessment covering risks at various levels/areas (corporate and branch, the portfolio and individual transactions, etc.) for the purpose of formulating a risk-based audit plan thereby focusing on the material risk areas and prioritizing the audit work.
  • The basis for determination of the level (high, medium, low) and trend (increasing, stable, and decreasing) of inherent business risks and control risks should be clearly spelt out.
  • The quantum of credit, market, and operational risks could largely be determined by quantitative assessment; the qualitative approach may be adopted for assessing the quality of overall governance and controls in various business activities.
  • The risk assessment methodology should include, inter alia, parameters such as
    • (a) Previous internal audit reports and compliance;
    • (b) Proposed changes in business lines or change in focus;
    • (c) Significant change in management / key personnel;
    • (d) Results of regulatory examination report;
    • (e) Reports of external auditors;
    • (f) Industry trends and other environmental factors;
    • (g) Time elapsed since last audit;
    • (h) Volume of business and complexity of activities;
    • (i) Substantial performance variations from the budget; and
    • (j) Business strategy of the entity vis-à-vis the risk appetite and adequacy of control.
  • For accuracy of risk management, proper MIS and data integrity arrangements is a must. Such assessment should also be periodically updated to take into account changes in business environment, activities and work processes, etc.
  • The scope and objectives of the assignment should be based on a preliminary assessment of the risks relevant to the business activity under review and hence in taking up specific internal audit assignment, the plan, scope, objectives, timelines and resource allocations of the assignment should be clearly established.
  • Supervised entities in preparation of Risk Audit Matrix based on the magnitude and frequency of risk by prioritizing audit work in focus of-
    • (a) High magnitude and high frequency
    • (b) High magnitude and medium frequency
    • (c) High magnitude and low frequency
    • (d) Medium magnitude and high frequency
    • (e) Medium magnitude and medium frequency
    • (f) Low magnitude and high frequency
  • The precise scope of RBIA must be determined by each supervised entity for low, medium, high, very high and extremely high-risk areas. The scope of internal audit should also include system and process audits in respect of all critical processes. The findings of such audits should also be placed before the IT committee of the board.
  • Pending high and medium risk paras and persisting irregularities should be reported to the ACB/Board in order to highlight key areas in which risk mitigation has not been undertaken despite risk identification.
  • There should be a system to monitor compliance to the observations made by internal audit. Status of compliance should be an integral part of reporting to the ACB/Board.
  • The internal audit function shall not be outsourced. However, where required, experts including former employees can be hired on a contractual basis subject to the ACB/Board being assured that such expertise does not exist within the audit function of the supervised entities.

Conclusion:

As seen in last 18 years of the economic development, the lasting impression of introduction of RBIA system in schedule commercial banks, and a present step of RBI to bring under arms of RBIA system the other Banking sectors shows a bright future for effective functioning of bank sectors which would lower the risk of frauds and help achieving the goals and competence in national economic growth.

Regards,
Legal Team

Proind Business Solutions Private Limited
306, Tower B, I-thum, Plot No A-40, Sector 62, Noida, UP, India- 201301
No.: +91 120 4224203
Email: info@proind.in, website: www.proind.in

Leave a Reply

Your email address will not be published.

Find out how ProInd can help you