RBI MANDATES – RISK BASED INTERNAL AUDIT (RBIA) FOR URBAN CO-OPERATIVE BANKS & NBFCS

Contributed By Huzeifa Unwala, Senior Partner, JHS & Associates LLP

In India, there exist significant differences in the internal auditing systems, processes and practices adopted by different categories of banks viz., Public Sector Banks, Private Sector Banks, Foreign Banks and Urban Cooperative Banks. Owing to non-standardised Internal Auditing Systems in the banking sector, the quality of internal audit supervision and Board reporting has been impacted.

To bring uniformity in approach followed by the banks, as also to align the expectations on Internal Audit Function with the global best practices, RBI has issued directions on February 3^rd, 2021 vide circular Ref. No. DoS. CO.PPG./SEC.05/11.01.005/2020-21 to all the Non-deposit taking NBFCs with asset size of Rs. 5,000 Crores and above, all deposit-taking NBFCs irrespective of their Asset size and all primary UCBs with the asset size of Rs.500 Crores and above on the subject of Risk-Based Internal Audit (RBIA).

RBI in the communique states that the range and commonality of risks faced by Supervised Entities (SEs) would warrant effective and harmonised systems and processes for the internal audit function across the SEs based on certain common guiding principles.

In order to ensure a smooth transition from the existing system of internal audit to RBIA, RBI has asked the concerned NBFCs and UCBs to constitute a committee of senior executives with the responsibility of formulating a suitable action plan and asked the committee to address transitional and change management issues and should report the progress periodically to the board and senior management and implement the framework by March 31st, 2022.

What is RBIA System?

An internal audit function provides vital assurance to a bank’s board of directors and senior management (and bank supervisors) about the quality of the bank’s internal control system. In doing so, the function helps reduce the risk of loss and reputational damage to the bank.

A contemporary internal audit function plays a crucial role in evaluating a bank’s internal control, risk management and governance systems and processes (in the context of both current and potential future risks) – areas in which the Boards and regulatory authorities have a keen interest. Further, internal auditors use risk-based approaches to determine their respective work plans and actions. The internal audit function should develop an independent and informed view of the risks faced by the bank based on their access to all bank records and data, their enquiries, and their professional competence.

The head of internal audit is responsible for establishing an annual internal audit plan that can be part of a multi-year plan. The plan should be based on a robust risk assessment (including input from senior management and the board) and should be updated at least annually (or more frequently to enable an ongoing real-time evaluation of where significant risks lie). The board’s approval of the audit plan implies that an appropriate budget will be available to support the internal audit function’s activities. The budget should be sufficiently flexible to adapt to variations in the internal audit plan in response to changes in the bank’s risk profile.

Key elements of the RBIA as recommended by RBI include: –

1. The internal audit shall undertake an independent risk assessment for the purpose of formulating a risk-based audit plan. This risk assessment would cover risks at various levels/areas (corporate and branch, the portfolio and individual transactions, etc.) as also the associated processes. The risk assessment in the internal audit department should be used for focusing on the material risk areas and prioritising the audit work.
2. The risk assessment process should, inter-alia, include identification of inherent business risks in various activities undertaken, evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘Control risk’) and drawing-up a risk-matrix for both the factors viz., inherent business risks and control risks.
3. The basis for determining the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out.
4. The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of overall governance and controls in various business activities.
5. The risk assessment methodology should include, inter-alia, parameters such as (a) Previous internal audit reports and compliance; (b) Proposed changes in business lines or change in focus; (c) Significant change in management / key personnel; (d) Results of regulatory examination report; (e) Reports of external auditors; (f) Industry trends and other environmental factors; (g) Time elapsed since last audit; (h) Volume of business and complexity of activities; (i) Substantial performance variations from the budget; and (j) Business strategy of the entity vis-à-vis the risk appetite and adequacy of control.
6. For the risk assessment to be accurate, it will be necessary to have proper MIS and data integrity arrangements. The internal audit function should be kept informed of all developments, such as introducing new products, changes in reporting lines, changes in accounting practices/policies, etc. The risk assessment should invariably be undertaken on a yearly basis. The assessment should also be periodically updated to consider changes in business environment, activities and work processes, etc.
7. The SEs may prepare a Risk Audit Matrix based on the magnitude and frequency of risk. The Audit Plan should prioritise audit work to give greater attention to the areas of:
   • High magnitude and high frequency
   • High magnitude and medium frequency
   • High magnitude and low frequency
   • Medium magnitude and high frequency
   • Medium magnitude and medium frequency
   • Low magnitude and high frequency
8. The scope of the audit and resource allocation should be sufficient to achieve the objectives of the audit assignment. The precise scope of RBIA must be determined by each SE for low, medium, high, very high and extremely high-risk areas. The scope of internal audit should also include system and process audits in respect of all critical processes. The findings of such audits should also be placed before the IT Committee of the Board.
9. The internal audit report should be based on appropriate analysis and evaluation. It should bring out adequate, reliable, relevant and useful information to support the observations and conclusions. It should cover the objectives, scope, and results of the audit assignment and make appropriate recommendations and/or action plans.
10. All the pending high and medium risk paras and persisting irregularities should be reported to the ACB/Board in order to highlight key areas in which risk mitigation has not been undertaken despite risk identification.
11. The internal audit function should have a system to monitor compliance with the observations made by internal audit. Status of compliance should be an integral part of reporting to the ACB/Board.
12. The internal audit function shall not be outsourced. However, where required, experts, including former employees can be hired on a contractual basis subject to the ACB/Board being assured that such expertise does not exist within the audit function of the SE. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.

Historically, the internal audit system in NBFCs/UCBs has generally been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, etc. However, in the changing scenario, such testing by itself might not be sufficient. Therefore, SEs will have to move towards a framework which will include, in addition to selective transaction testing, and evaluation of the risk management systems and control procedures in various areas of operations. This will also help in anticipating areas of potential risks and mitigating such risks.