
The objectives and scope of risk-based internal audits in banks

Historically, the internal audit system in banks has concentrated on transaction testing, testing the accuracy and reliability of accounting records and financial reports, the integrity, reliability, and timeliness of control reports, and adherence to legal and regulatory requirements. Recently, vide circular DoS.CO.PPG./SEC.04/11.01.005/2020-21 dated January 07, 2021, RBI asked banks to align their internal audit function with international best practices, like those issued by the Basel Committee on Banking Supervision (BCBS). The central bank issued this direction because, in the changing scenario, such testing by itself would not be sufficient. ‘There is a need for widening as well as redirecting the scope of internal audit to evaluate the adequacy and effectiveness of risk management procedures and internal control systems in the banks’, it said. To bring uniformity to the approach followed by the banks, and to align the expectations on the internal audit function with best practices, RBI has advised them of certain norms on ‘authority, stature and independence’, ‘competence’, ‘staff rotation’, ‘tenor for appointment of the head of internal audit’, ‘reporting line’ and ‘remuneration’.

As per a 2002 guidance note, banks are required to put in place a risk-based internal audit (RBIA) system as part of their internal control framework that relies on a well-defined policy for internal audit and functional independence with sufficient standing and authority within the bank, among others. The primary focus of risk-based internal audit should be to provide reasonable assurance to the Board and top management about the adequacy and effectiveness of the risk management and control framework in the banks’ operations. Accordingly, every bank has to put in place a risk-based internal audit policy, developed under the Board-approved internal audit policy, that focuses on risk identification, prioritization of audit areas and allocation of audit resources in accordance with the risk assessment instead of full-scale transaction testing. However, transaction testing would continue to remain an essential aspect of risk-based internal audit and it should include the same in its report of major exceptions and excesses. The extent of transaction testing will have to be determined based on the risk assessment. In some cases where an area falls in cell “C-Extremely High Risk” or cell “B-very high risk” or cell “F-Very high risk” of the risk matrix formulated by the regulator, banks may consider 100 percent transaction testing. Further, the policy guidance on the audit function shall include the risk assessment methodology for identifying the risk areas based on which the audit plan would be formulated. The methodology may range from a simple analysis of why certain areas should be audited more frequently than others, in the case of small banks undertaking traditional banking business, to more sophisticated assessment systems in large banks undertaking complex business activities.
The banks may also consider transaction testing with an element of surprise in respect of low-risk areas which would be audited at relatively longer intervals. The approved policy needs to lay down the maximum time period beyond which even the low-risk business activities/locations should not remain unaudited.

The Internal Audit Department of a bank should be independent of the internal control process in order to avoid any conflict of interest and should be given an appropriate standing within the bank to carry out its assignments. Normally, the head of the internal audit department shall directly report to the Board of Directors/Audit Committee of the Board. The management should also ensure that the supervisory staff entrusted with the internal audit job are not assigned the responsibility of performing other accounting or operational functions. RBI further said that the internal audit function should not be outsourced. However, where required, experts, including former employees, could be hired on a contractual basis, subject to the Audit Committee of the Board of Directors (ACB) being assured that such expertise does not exist within the audit function of the bank. It has also said banks must ensure and demonstrate through proper documentation that their RBIA framework captures all the significant criteria/principles suited to their organizational structure, the business model, and the risks.

Surendra Naik
