RBI has, vide its circular dated 11th June, 2021, mandated risk based internal audit for housing finance companies (HFCs) as follows:
- all deposit taking HFCs irrespective of their size;
- all non deposit taking HFCs having asset size of Rs.50 billion and above
Previously, vide circular dated 3rd February, 2021, risk based internal audit was mandated for NBFC companies as follows:
a) all deposit taking NBFCs irrespective of their size;
b) all non deposit taking NBFCs (including core investment companies) with asset size of Rs.50 billion and above;
c) all urban co-operative banks having asset size of Rs.5 billion and above
The risk based internal audit was originally introduced by RBI in 2002 as an overall move towards risk based supervision of the banks. There was a guidance note issued for the same which can be found in this circular i.e.
The importance of risk based internal audit was reiterated by RBI on 7th January, 2021, when it laid down a few parameters to give risk based internal audit sufficient importance in the organisation. These parameters are:
- Authority, Stature and Independence – The internal audit function must have sufficient authority, stature, independence and resources within the bank, thereby enabling internal auditors to carry out their assignments with objectivity. Accordingly, the Head of Internal Audit (HIA) shall be a senior executive of the bank who shall have the ability to exercise independent judgement. The HIA as well as the internal audit function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to carry out the entrusted responsibilities.
- Competence – Requisite professional competence, knowledge and experience of each internal auditor is essential for the effectiveness of the bank’s internal audit function. The desired areas of knowledge and experience may include banking operations, accounting, information technology, data analytics and forensic investigation, among others. Banks should ensure that internal audit function has the requisite skills to audit all areas of the bank.
- Staff Rotation – Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the Board should prescribe a minimum period of service for staff in the Internal Audit function. The Board may also examine the feasibility of prescribing at least one stint of service in the internal audit function for those staff possessing specialized knowledge useful for the audit function, but who are posted in other departments, so as to have adequate skills for the staff in the Internal Audit function.
- Tenor for appointment of Head of Internal Audit – Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the HIA shall be appointed for a reasonably long period, preferably for a minimum of three years.
- Reporting Line – The HIA shall directly report to either the Audit Committee of the Board (ACB) / MD & CEO or Whole Time Director (WTD). Should the Board of Directors decide to allow the MD & CEO or a WTD to be the ‘reporting authority’ of the HIA, then the ‘reviewing authority’ shall be with the ACB and the ‘accepting authority’ shall be with the Board in matters of performance appraisal of the HIA. Further, in such cases, the ACB shall meet the HIA at least once in a quarter, without the presence of the senior management, including the MD & CEO/WTD. The HIA shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. In foreign banks operating in India as branches, the HIA shall report to the internal audit function in the controlling office / head office.
- Remuneration – The independence and objectivity of the internal audit function could be undermined if the remuneration of internal audit staff is linked to the financial performance of the business lines for which they exercise audit responsibilities. Thus, the remuneration policies should be structured in a way that it avoids creating conflict of interest and compromising audit’s independence and objectivity.
It was also emphasised that the internal audit function should not be outsourced. However, where required, experts, including former employees, could be hired on contractual basis subject to the Audit Committee being assured that such expertise does not exist within the audit function of the bank. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.
Banks must ensure and demonstrate through proper documentation that their risk-based internal audit framework captures all the significant criteria / principles suited for their organisational structure, the business model and the risks.
All these circulars may be accessed for easy reference on the subject.