RBI on Friday (08.01.2021) said that all commercial banks (including small finance banks, payments banks, and local area banks) are required to put in place a risk-based internal audit (RBIA) system as part of their internal control framework that relies on a well-defined policy for internal audit, functional independence with sufficient standing and authority within the bank, effective channels of communication, and adequate audit resources with sufficient professional competence, among others. Though the aforesaid guidance note on the internal audit function already exists, banks are expected to re-orient their approach, in line with evolving best practices, as a part of their overall Governance and Internal Control framework, RBI said.
Banks are encouraged to adopt the International Internal Audit standards, like those issued by the Basel Committee on Banking Supervision (BCBS) and the Institute of Internal Auditors (IIA). To align the expectations on the Internal Audit Function with best practices, banks are advised as under. The instructions contained in the circular shall come into effect immediately from 08.01.2021.
- The internal audit function must have sufficient authority, stature, independence, and resources within the bank, thereby enabling internal auditors to carry out their assignments with objectivity. The Head of Internal Audit (HIA) shall be a senior executive of the bank who has the ability to exercise independent judgment, it said. The HIA as well as the internal audit function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to carry out the entrusted responsibilities. The HIA shall be appointed for a reasonably long period, preferably for a minimum of three years, except for entities where the internal audit function is a specialised function and managed by career internal auditors.
- The internal auditor shall have the requisite professional competence, knowledge, and experience for the effectiveness of the bank’s internal audit function. The desired areas of knowledge and experience may include banking operations, accounting, information technology, data analytics, and forensic investigation, among others. Banks should ensure that the internal audit function has the requisite skills to audit all areas of the bank.
- Staff Rotation – Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the Board should prescribe a minimum period of service for staff in the Internal Audit function. The Board may also examine the feasibility of prescribing at least one stint of service in the internal audit function for those staff possessing specialized knowledge useful for the audit function, but who are posted in other departments, so as to have adequate skills for the staff in the Internal Audit function.
- The HIA shall directly report to either the Audit Committee of the Board (ACB) / MD & CEO or the Whole Time Director (WTD). In case the Board of Directors decides to allow the MD & CEO or a WTD to be the ‘reporting authority’ of the HIA, then the ‘reviewing authority’ shall be with the ACB, and the ‘accepting authority’ shall be with the Board in matters of performance appraisal of the HIA. Further, in such cases, the ACB shall meet the HIA at least once a quarter, without the presence of the senior management, including the MD & CEO/WTD. The HIA shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. In foreign banks operating in India as branches, the HIA shall report to the internal audit function in the controlling office/head office.
- The remuneration policy of the bank for internal auditors should be structured in a way that avoids creating a conflict of interest and compromising the audit’s independence and objectivity. This is because, if the remuneration of internal audit staff is linked to the financial performance of the business lines for which they exercise audit responsibilities, it would undermine the independence and objectivity of the internal audit function.
- The internal audit function shall not be outsourced. However, where required, experts, including former employees, could be hired on a contractual basis subject to the ACB being assured that such expertise does not exist within the audit function of the bank. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.
The RBI communication further said that the above guidelines supplement the bank’s guidelines dated December 27, 2002, on Risk-based internal audit along with other circulars/instructions on the subject issued from time to time. The banks must ensure and demonstrate through proper documentation that their risk-based internal audit framework captures all the significant criteria/principles suited for their organizational structure, the business model, and the risks, it said.