The Reserve Bank of India (“RBI”) had announced in the ‘Statement on Developmental and Regulatory Policies’ issued as part of the Monetary Policy Statement dated 4th December, 2020 (discussed in the trail) that, with a view to strengthening the Internal Audit Function, which works as a third line of defence, suitable guidelines would be issued to large UCBs and NBFCs on the adoption of Risk Based Internal Audit (“RBIA”).
Accordingly, RBI has, through a Circular dated 3rd February 2021, decided to mandate the RBIA framework for the following Non-Banking Financial Companies (NBFCs) and Primary (Urban) Co-operative Banks (UCBs):
a. All deposit taking NBFCs, irrespective of their size;
b. All Non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above; and
c. All UCBs having asset size of ₹500 crore and above.
In order to ensure a smooth transition from the existing system of internal audit to RBIA, the concerned NBFCs and UCBs may constitute a committee of senior executives with the responsibility of formulating a suitable action plan. The committee may address transitional and change management issues and should report progress periodically to the Board and senior management. The Circular should be placed before the Board in its next meeting.
The above Supervised Entities (SEs) shall implement the RBIA framework by March 31, 2022, in accordance with the specified Guidelines (refer to the attachment) to enhance the efficacy of internal audit systems and processes followed by the NBFCs and UCBs.
The Guidelines cover the following objectives and scope of RBIA:
1. An effective RBIA is an audit methodology that links an organisation’s overall risk management framework and provides an assurance to the Board of Directors and the Senior Management on the quality and effectiveness of the organisation’s internal controls, risk management and governance related systems and processes.
2. The internal audit function should broadly assess and contribute to the overall improvement of the organization’s governance, risk management, and control processes using a systematic and disciplined approach. The function is an integral part of sound corporate governance and is considered as the third line of defence.
3. Historically, the internal audit system in NBFCs/UCBs has generally been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, etc. However, in the changing scenario, such testing by itself might not be sufficient. Therefore, SEs will have to move towards a framework which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures in various areas of operations. This will also help in anticipating areas of potential risks and mitigating such risks.
4. While the Risk Management Function should focus on identification, measurement, monitoring, and management of risks, development of risk policies and procedures, use of risk management models, etc., RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity / location and the effectiveness of the control systems for monitoring such inherent risks.
Expectations on the roles and responsibilities of different functionaries for this internal audit framework have also been laid down in the specified Guidelines.
Source: Reserve Bank of India