The Reserve Bank of India (RBI) has asked banks to ensure that the internal audit function has sufficient authority, stature, independence and resources within the bank to enable internal auditors to carry out their assignments with objectivity. It also emphasised that this function cannot be outsourced.

These directives are aimed at strengthening governance arrangements in banks under the Risk-Based Internal Audit (RBIA) Framework.

The central bank said the Head of Internal Audit (HIA) should be a senior executive of the bank with the ability to exercise independent judgement.

Also read: Audit firms told to delve deep into management explanations

The HIA as well as the internal audit function should have the authority to communicate with any staff member and have access to all records or files that are necessary to carry out the entrusted responsibilities.

RBI underscored that requisite professional competence, knowledge and experience of each internal auditor is essential for the effectiveness of banks’ internal audit functions.

The desired areas of knowledge and experience may include banking operations, accounting, information technology, data analytics and forensic investigation, among others.

The HIA will directly report to either the Audit Committee of the Board (ACB) / MD & CEO or Whole Time Director (WTD).

“Should the Board of Directors decide to allow the MD & CEO or a WTD to be the ‘reporting authority’ of the HIA, then the ‘reviewing authority’ shall be with the ACB and the ‘accepting authority’ shall be with the Board in matters of performance appraisal of the HIA,” the RBI said in a circular.

Besides, in such cases, the ACB should meet the HIA at least once in a quarter, without the presence of the senior management, including the MD & CEO/WTD.

As per the circular, the HIA will not have any reporting relationship with the business verticals of the bank and will not be given any business targets.

In foreign banks operating in India as branches, the HIA will report to the internal audit function in the controlling office / head office.

Except for the entities where the internal audit function is a specialised function and managed by career internal auditors, the Board should prescribe a minimum period of service for staff in the Internal Audit function and HIA should be appointed for a reasonably long period, preferably for a minimum of three years.

“The Board may also examine the feasibility of prescribing at least one stint of service in the internal audit function for those staff possessing specialised knowledge useful for the audit function, but who are posted in other departments, so as to have adequate skills for the staff in the Internal Audit function,” RBI said.

Also read: RBI to mandate risk-based internal audit for large UCBs, NBFCs

The central bank observed that the independence and objectivity of the internal audit function could be undermined if the remuneration of internal audit staff is linked to the financial performance of the business lines for which they exercise audit responsibilities.

Thus, the remuneration policies should be structured in a way that it avoids creating conflict of interest and compromising audit’s independence and objectivity.

No outsourcing

While the internal audit function should not be outsourced, RBI said where required, experts, including former employees, could be hired on contractual basis subject to the ACB being assured that such expertise does not exist within the audit function of the bank.

“Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the internal audit function,” the circular said.

RBI has encouraged banks to adopt the International Internal Audit standards, such as those issued by the Basel Committee on Banking Supervision (BCBS) and the Institute of Internal Auditors (IIA).

Related Topics
comment COMMENT NOW