Guidelines on Risk based Internal Audit (RBIA) – Third line of Defense

Introduction of Risk Based Internal Audit

The Reserve Bank of India has issued guidelines for the implementation of a Risk-Based Internal Audit framework by all Supervised Entities (SEs) by 31st March, 2022. These guidelines are intended to enhance the efficacy of the internal audit systems and processes followed by NBFCs and UCBs. Earlier, the introduction of the Risk-Based Internal Audit (RBIA) system was mandated for all Scheduled Commercial Banks (except Regional Rural Banks). The range and commonality of risks faced by SEs has warranted effective and harmonized systems and processes for the internal audit function across the SEs, based on certain common guiding principles.

Transition to new system of audit

To ensure a smooth transition from the existing system of internal audit to RBIA, the concerned NBFCs and UCBs may constitute a committee of senior executives with the responsibility of formulating a suitable action plan. The committee may address transitional and change management issues and should report progress periodically to the Board and senior management. The circular on risk-based internal audit (RBIA) shall be placed before the Board in their next meeting. Further, the implementation of the guidelines shall be done under the oversight of the Board.

Need for RBIA

With the increase in the size of NBFCs and UCBs and their growing status as Systemically Important entities, it has become important to address the inconsistencies and gaps created by the adoption of different audit systems and approaches. Considering these aspects, the Guidelines prescribe the broad principles that should be followed by NBFCs and UCBs to enable them to gradually move towards an RBIA system.

Historically, the internal audit function in SEs was limited to transaction testing, adherence to legal or statutory requirements, testing of the accuracy and reliability of accounting records, etc. However, in a dynamic environment, the focus will have to shift to evaluation of the risk management systems and control procedures in various areas of operations. This will also help in anticipating areas of potential risk and mitigating such risks.

Approach of RBIA

As per the guidelines, RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity / location and the effectiveness of the control systems for monitoring such inherent risks.

Methodology of formulation

RBI has stated that the Board/Audit Committee of the NBFCs and UCBs shall ensure that RBIA policy is formulated and widely disseminated within the organization. The policy shall clearly document the purpose, authority, and responsibility of the internal audit activity, with a clear demarcation of the role and expectations from Risk Management Function and Risk Based Internal Audit Function. Further, the RBIA policy must be reviewed periodically.

Implementation of RBIA

The senior management is responsible for ensuring adherence to the internal audit policy guidelines as approved by the Board and development of an effective internal control function that identifies, measures, monitors and reports all risks faced. It shall ensure that appropriate action is taken on the internal audit findings within given timelines and status on closure of audit reports is placed before the ACB/Board.

Independence of RBIA

The internal audit function must have sufficient authority, stature, independence and resources thereby enabling internal auditors to carry out their assignments properly. The Head of Internal Audit (HIA) shall be a senior executive with the ability to exercise independent judgement. The HIA and the internal audit functionaries shall have the authority to communicate with any staff member and get access to all records that are necessary to carry out the entrusted responsibilities. RBI has stated that the internal audit function shall not be outsourced. However, where required, experts including former employees can be hired on a contractual basis subject to the ACB/Board being assured that such expertise does not exist within the audit function of the SE. Any conflict of interest in such matters shall be recognized and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.

Road ahead

With the introduction of RBIA, RBI's intention is to make the internal audit function robust, independent, strong and result oriented. With different auditing practices being adopted by entities working in the same market scenarios, it is important that they attune to the same principles of work. It is important to understand that the regulatory body intends to transform the ancient audit principles into real-time techniques that address the ever-changing business dynamics and risk areas.

For a professional internal auditor, the biggest challenge is to implement the right risk assessment methodology, one that covers the parameters reflecting the business complexities vis-à-vis the risk appetite and adequacy of control.

Before taking up a specific internal audit assignment, the plan, scope, objectives, timelines and resource allocations of the assignment should be clearly established. The scope and objectives of the assignment should be based on a preliminary assessment of the risks relevant to the business activity under review.
