RBI makes risk-based internal audit mandatory for select NBFCs, UCBs

The Reserve Bank of India (RBI) on Wednesday introduced a risk-based internal audit (RBIA) system for select non-bank lenders and urban co-operative banks (UCBs).

All deposit-taking non-banking financial companies (NBFCs), NBFCs with an asset size of Rs 5,000 crore, and UCBs with an asset size of Rs 500 crore will have to implement the system by March 31, 2022. 

This, the RBI said, will enhance the efficacy of internal audit systems and processes followed by NBFCs and UCBs. The central bank had introduced RBIA for scheduled commercial banks (SCBs) in 2002. 

These entities already have internal audit systems, but by and large they have focused on transaction testing, checking accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, etc.

As these entities have grown in size and become systemically important, the central bank felt different audit systems for lending entities, engaged in financial intermediation of similar nature, has created inconsistencies, risks and gaps. 

The RBI has been focusing on bringing the supervisory regulations of NBFCs, UCBs on a par with banks after some recent defaults. These firms, especially NBFCs, have enjoyed light-touch regulation from the RBI which has enabled them to grow at a faster rate.

“As SCBs, NBFCs and UCBs face similar risks by virtue of being engaged in similar financial intermediation activities, their internal audit systems also need to broadly align while keeping in mind the principle of proportionality,” the RBI said.

RBIA is an audit methodology that links an organisation’s overall risk management framework and provides an assurance to the board of directors and the senior management on the quality and effectiveness of internal controls, risk management, and governance-related systems and processes.

For NBFCs and UCBs, the internal audit system will evaluate the risk management systems and control procedures in various aspects of operations, in addition to transaction testing, which is expected to help the entities to anticipate risks and mitigate it too.

According to the RBI guidelines, the board of the entity or its audit committee — which anyway is responsible for overseeing the internal audit function of the organisation — will be responsible for reviewing the performance of RBIA. The RBIA system should be consistent with the entity’s goal so that it adds value to the organisation.

The RBI has suggested the entities prepare a risk audit matrix based on the magnitude and frequency of risk. 

“The precise scope of RBIA must be determined by each supervised entity for low, medium, high, very high and extremely high risk areas. The scope of internal audit should also include system and process audits in respect of all critical processes. The findings of such audits should also be placed before the IT Committee of the board,” the RBI said.