The Reserve Bank on Wednesday released the guidelines for risk-based internal audit (RBIA) for NBFCs and urban co-operative banks.
The RBIA guidelines aim to align the requirements of internal audit of Non-Banking Finance Companies (NBFCs) and Primary (Urban) Co-operative Banks (UCBs) with those for Scheduled Commercial Banks (SCBs), and its adoption will help in enhancing the quality and effectiveness of internal audit system of these entities, the Reserve Bank of India (RBI) said.
The new framework will be applicable to all deposit taking NBFCs, all non-deposit taking NBFCs (including Core Investment Companies) with asset size of Rs 5,000 crore and above, and all UCBs with asset size of Rs 500 crore and above. They will have to implement the RBIA framework by March 31, 2022.
"RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity/location and the effectiveness of the control systems for monitoring such inherent risks," the central bank said in a circular.
It also laid down the roles and responsibilities of different functionaries within the organisation for RBIA.
"The internal audit function must have sufficient authority, stature, independence and resources thereby enabling internal auditors to carry out their assignments properly. The Head of Internal Audit (HIA) shall be a senior executive with the ability to exercise independent judgement," it said.
The framework also called for a "reasonably long period" of appointment for HIA, preferably for a minimum of three years.
Saying that the objectivity of the internal audit function could be undermined if the remuneration of internal audit staff is linked to the financial performance of the business lines for which they exercise audit responsibilities, the RBI said that the remuneration policies should be structured in a way to avoid creating conflict of interest and compromising audit's independence and objectivity.
While the internal audit function cannot be outsourced, the circular said, where required, experts including former employees can be hired on a contractual basis subject to the organisation's audit committee board being assured that such expertise does not exist within the audit function of the entity.