Risk Based Internal Audit (RBIA) Framework – Strengthening Governance arrangements
In terms of the Guidance Note on Risk-Based Internal Audit issued by RBI vide circular DBS.CO.PP.BC.10/11.01.005/2002-03 dated December 27, 2002, banks, inter alia, are required to put in place a risk based internal audit (RBIA) system as part of their internal control framework that relies on a well-defined policy for internal audit, functional independence with sufficient standing and authority within the bank, effective channels of communication, adequate audit resources with sufficient professional competence, among others.
2. While the aforesaid Guidance Note lays out the basic approach for risk based internal audit functions, banks are expected to re-orient their approach, in line with the evolving best practices, as a part of their overall Governance and Internal Control framework. Banks are encouraged to adopt the International Internal Audit standards, like those issued by the Basel Committee on Banking Supervision (BCBS) and the Institute of Internal Auditors (IIA).
3. To bring uniformity in approach followed by the banks, as also to align the expectations on Internal Audit Function with the best practices, banks are advised as under:
- Authority, Stature and Independence - The internal audit function must have sufficient authority, stature, independence and resources within the bank, thereby enabling internal auditors to carry out their assignments with objectivity. Accordingly, the Head of Internal Audit (HIA) shall be a senior executive of the bank who shall have the ability to exercise independent judgement. The HIA as well as the internal audit function shall have the authority to communicate with any staff member and have access to all records or files that are necessary to carry out the entrusted responsibilities.
- Competence - Requisite professional competence, knowledge and experience of each internal auditor is essential for the effectiveness of the bank's internal audit function. The desired areas of knowledge and experience may include banking operations, accounting, information technology, data analytics and forensic investigation, among others. Banks should ensure that internal audit function has the requisite skills to audit all areas of the bank.
- Staff Rotation - Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the Board should prescribe a minimum period of service for staff in the Internal Audit function. The Board may also examine the feasibility of prescribing at least one stint of service in the internal audit function for those staff possessing specialized knowledge useful for the audit function, but who are posted in other departments, so as to have adequate skills for the staff in the Internal Audit function.
- Tenor for appointment of Head of Internal Audit - Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the HIA shall be appointed for a reasonably long period, preferably for a minimum of three years.
- Reporting Line - The HIA shall directly report to either the Audit Committee of the Board (ACB) / MD & CEO or Whole Time Director (WTD). Should the Board of Directors decide to allow the MD & CEO or a WTD to be the ‘reporting authority’ of the HIA, then the ‘reviewing authority’ shall be with the ACB and the ‘accepting authority’ shall be with the Board in matters of performance appraisal of the HIA. Further, in such cases, the ACB shall meet the HIA at least once in a quarter, without the presence of the senior management, including the MD & CEO/WTD. The HIA shall not have any reporting relationship with the business verticals of the bank and shall not be given any business targets. In foreign banks operating in India as branches, the HIA shall report to the internal audit function in the controlling office / head office.
- Remuneration - The independence and objectivity of the internal audit function could be undermined if the remuneration of internal audit staff is linked to the financial performance of the business lines for which they exercise audit responsibilities. Thus, the remuneration policies should be structured in a way that it avoids creating conflict of interest and compromising audit’s independence and objectivity.
4. The internal audit function shall not be outsourced. However, where required, experts, including former employees, could be hired on contractual basis subject to the ACB being assured that such expertise does not exist within the audit function of the bank. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function.
5. Banks must ensure and demonstrate through proper documentation that their risk-based internal audit framework captures all the significant criteria / principles suited for their organisational structure, the business model and the risks.
6. The instructions contained in this circular shall come into effect immediately from the date of this circular.
7. This circular supplement the guidelines issued by Reserve Bank of India on December 27, 2002 on Risk-based internal audit along with other circulars/instruction on the subject issued from time-to time and for any common areas of guidance, the prescription of this circular shall be followed.