Earlier this year (Feb'2021) RBI had released a circular for NBFCs (All deposit-taking NBFCs, irrespective of their size; All Non-deposit taking NBFCs (including Core Investment Companies) with asset size of ₹5,000 crore and above; and All UCBs having asset size of ₹500 crores and above) to mandating Risk Based Internal Audits. Later there was another circular in June'21 mandating HFCs (All deposit-taking HFCs, irrespective of their size, and non-deposit-taking HFCs with asset size of ₹5,000 crores and above).
RBI had also shared an annexure detailing the guidelines on Risk-Based Internal Audits (RBIA). The timeline to adopt this was also fixed as the end of March 2022.
Below are excerpts from the annexure that is relevant for the points being discussed here, in this article.
Historically, the internal audit system in NBFCs/UCBs has generally been concentrating on transaction testing, testing of accuracy and reliability of accounting records and financial reports, adherence to legal and regulatory requirements, etc. However, in the changing scenario, such testing by itself might not be sufficient. Therefore, SEs will have to move towards a framework that will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures in various areas of operations. This will also help in anticipating areas of potential risks and mitigating such risks.
While the Risk Management Function should focus on identification, measurement, monitoring, and management of risks, development of risk policies and procedures, use of risk management models, etc., RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity/location and the effectiveness of the control systems for monitoring such inherent risks.
IIA defines risk-based internal auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
Stages involved in RBIA
Not dwelling deeper into the above stages as that is not the topic intended to be discussed here.
This article is about the third stage - Audit Execution.
Carrying out the Audits - General RBIA approach.
Generic RBIA process follows the below steps
a. Process walkthrough
b. Identifying the risks
c. Identifying the controls - availability
3. Control testing - existence and efficacy
4. Report writing
The above is a high-level process followed by auditors in any mission/audit engagement and holds good for many industries/domains.
Is this model practical for an NBFC or HFC? Will it work effectively? This approach may work for department/functional or head office audits only. I see the following challenges for branch audits, which are an integral part of IA.
This is where the checklist comes in. The process followed across all Branches of an organization shall be the same and is guided by the organization's Policy, Process, and Procedures. So that process walkthrough, risk identification, assessment of available controls, required controls to be tested can all be decided centrally, by the Head of IA or is the core team. This understanding can be deduced then, into an elaborate (as required by the organization, and is demanded by the Risks identified) internal audit checklist. The advantages of this approach are,
This in fact may be extended to other audits as well, e.g., Vendor audits, Functional Audits, etc can have standardized checklists with required variations according to the individual process managed or function involved. Here, the advantage is that a change in person (unavoidable) will not affect the Audit Process.
Yes, that is my humble opinion. These are not mutually exclusive. The second read of RBIA requirements detailed by RBI or IIA would cut the clutter. Having to ensure RBIA is not about giving up a check-list based process. It is all about ensuring that the IA undertakes an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity/location and the effectiveness of the control systems for monitoring such inherent risks.
The art and science here are to ensure that this essence is encapsulated by the checklist that is used for Audits and it does not remain a cheat sheet.
I have been lucky to discuss this with learned IA professionals at length and the article reflects their take as well. The idea of sharing this was to share this with the IA fraternity at large, especially with those adding value to NBFCs and HFCs.
Would be great to hear your thoughts. Please share your views in the comments.
Bangalore Corporate Office
1st Floor, Samvit Bldg,
21st Kanakpura Main Road,
Udayapura, Bangalore - 560082
1st Floor, Devi Prasad Building
334/28, 14th Cross,
2nd block Jayanagar,
Bangalore - 560011
Surucha's Mundapatt Residency,
Gokhiware Main Road,
Vasai East, Palghar 401208
Plot 44, Block H,
Jimoh Odutola Street,
Off Eric Moore,
Massans gata 18,
412 51 Gothenburg, Sweden
Quedlinburger Str. 14,
2401 15th Street, NW,
Washington DC - 20009
+61 408 598 864
Sumeru Tech Afriken
+254 722 525928
+880 1711 520698
Akshay Kumar Jain
+234 90 4433 2222
+94 77 771 2290
Copyright 2021 Sumeru Software Solutions Pvt. Ltd.