The Reserve Bank of India (RBI) on Wednesday issued a circular on risk-based internal audit (RBIA) for non-banking finance companies (NBFC) and urban co-operative banks (UCB).

The circular is applicable on “all non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above; and all Primary (Urban) Co-operative Banks (UCBs) with asset size of ₹500 crore and above,” the issued circular said.

The circular intends, “to provide the essential requirements for a robust internal audit function, which include sufficient authority, stature, independence, resources and professional competence, so as to align these requirements in larger NBFCs, UCBs with those stipulated for scheduled commercial banks.”

“It is expected that the adoption of RBIA by such entities would help to enhance the quality and effectiveness of their internal audit system,” it said.

RBI had announced in the ‘Statement on Developmental and Regulatory Policies’ issued as part of the Monetary Policy Statement dated December 4, 2020 that with a view to strengthen the Internal Audit Function, which works as a third line of defence, suitable guidelines will be issued to large UCBs and NBFCs on adoption of Risk Based Internal Audit (RBIA).

RBIA is an audit methodology that links an organisation’s overall risk management framework and provides an assurance to the Board of Directors and the Senior Management on the quality and effectiveness of the organisation’s internal controls, risk management and governance related systems and processes.

As per the RBI guidelines the Board of Directors or Audit Committee of Board (ACB) of NBFCs and the Board of UCBs are primarily responsible for overseeing the internal audit function in the organisation.

The RBI policy shall be formulated with the approval of the board and disseminated widely within the organisation.

“The policy shall clearly document the purpose, authority, and responsibility of the internal audit activity, with a clear demarcation of the role and expectations from Risk Management Function and Risk Based Internal Audit Function,” said the guidelines.

The circular said that the policy should be consistent with the size and nature of the business undertaken, the complexity of operations and should factor in the key attributes of internal audit function relating to independence, objectivity, professional ethics, accountability among.