Risk-based internal audit system by NBFCs and UCBs introduced

The Reserve Bank of India (RBI) on Wednesday unveiled the risk-based internal audit (RBIA) system for select non-bank lenders and urban co-operative banks, with a view to enhancing the quality and effectiveness of their internal audit system. All NBFCs with asset size of Rs 5,000 crore and above, and all primary urban cooperative banks with asset size of Rs 500 crores and above will have to migrate to the new system, the regulator said.

At present, all the entities supervised by the RBI have their own approaches on internal audit, resulting in certain inconsistencies, risks, and gaps in the system, the RBI said. The “The circular intends, inter alia, to provide essential requirements for a robust internal audit function, which include sufficient authority, stature, independence, resources, and professional competence, so as to align these requirements in larger NBFCs/UCBs with those stipulated for Scheduled Commercial Banks,” it said.

According to RBI “The internal audit function is an integral part of sound corporate governance and is considered as the third line of defence”.  The central bank said that the Risk-Based Internal Audit (RBIA) is an audit methodology that links an organisation’s overall risk management framework. It provides an assurance to the board of directors and the senior management on the quality and effectiveness of the organisation’s internal controls, risk management and governance-related systems and processes, it added.

Traditionally, the internal audit system at NBFCs/UCBs have generally been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, which might not be sufficient in a changing scenario. The RBI’s new guidelines are important in the context of risks and inconsistencies faced by systemically important NBFCs and UCBs as they adopt different audit systems. A shift to a framework that focuses on the evaluation of the risk management systems and control procedures in various areas of operations, in addition to transaction testing, will help in anticipating areas of potential risks and mitigating such risks, the RBI said.

The senior management is responsible for ensuring adherence to the internal audit policy guidelines as approved by the Board and development of an effective internal control function that identifies, measures, monitors, and reports all risks faced, it said. The senior management is also responsible for establishing a comprehensive and independent internal audit function which should promote accountability and transparency, the RBI said.  “It shall ensure that appropriate action is taken on the internal audit findings within given timelines and status on the closure of audit reports is placed before the ACB/Board,” it added.