RBI Notification

Risk Based Internal Audit (RBIA) Framework - Strengthening Governance Arrangements


With a view to bringing uniformity to the approach of banks and aligning the expectations of the internal audit function with best practices, the Reserve Bank of India issued a risk based internal audit framework. In this article, we shall have an overview of RBI's directions in this regard.


As per a 2002 guidance note by RBI, banks are required to put in place a risk based internal audit system as part of the internal control framework. It relies on a well-defined policy for internal audit, effective channels of communication, and adequate audit resources with professional competence, among others.

Risk based Internal Audit Framework - Strengthening Governance Arrangement - Overview

The Reserve Bank of India asked banks to ensure that the internal audit function has sufficient authority, independence, stature, and resources within the bank to make sure internal auditors carry out their assignments with objectivity.

RBI also emphasized that this function can’t be outsourced. These directives are aimed at strengthening governance arrangements in banks under the framework of risk based internal audit. Let’s look at these in detail in the following segment.

Risk based Internal Audit Framework - RBI's Directions to Banks

The central bank has advised banks under the following heads:

  • Authority, Stature, and Independence

Under this, the central bank has stated that the internal audit function should have sufficient authority, stature, independence, and resources within the bank, enabling internal auditors to carry out their assignments with objectivity.

Further, the central bank said that the head of internal audit has to be a senior executive of the bank who will have the ability to exercise independent judgement. The head of internal audit and the internal audit function will have the authority to communicate with any of the staff members and shall have access to all records or files that are necessary to carry out the entrusted responsibilities.

  • Competence

RBI underscored that the requisite professional competence, knowledge, and experience of each internal auditor are needed for the effective functioning of the bank’s internal audit. The desired areas of knowledge and experience can include banking operations, information technology, accounting, data analytics, and forensic investigation, among others.

Therefore, banks will ensure that the internal audit function has the required skills to audit all areas of the bank.

  • Staff Rotation

The Reserve Bank said that, except for entities where the internal audit function is a specialized function managed by career internal auditors, the Board is required to prescribe a minimum period of service for staff in the internal audit function.

Further, the RBI stated that the Board can also examine the feasibility of prescribing a minimum of one stint of service in the internal audit function for staff who possess specialized knowledge required for the audit function but are posted in other departments, so that the internal audit function has adequately skilled staff.

  • The Tenor for Internal Audit Head Appointment

Except for entities where the internal audit function is a specialized one managed by career internal auditors, the Board is required to prescribe a minimum period of service for staff, and the Head of Internal Audit will be appointed for a reasonably long period, preferably for a minimum of three years.

  • Reporting Line

The head of internal audit will report directly either to the audit committee of the board/MD and CEO or to the Whole Time Director. Should the board of directors decide to permit the MD and the CEO or a Whole Time Director to be the reporting authority of the Head of Internal audit, then the reviewing authority shall be with the audit committee of the board, and the accepting authority will be with the board in the matters of performance appraisal of the HIA.

Besides, the Audit Committee of the Board, in such cases, shall meet the HIA at least once in a quarter, without the presence of senior management, including the MD and the CEO or the Whole Time Director.

According to the RBI circular, the Head of Internal Audit will not have any sort of reporting relationship with the business verticals of the bank and won’t be given any business targets. In foreign banks that operate in India as branches, the HIA will report to the internal audit function in the controlling office/head office.

  • Remuneration

The Reserve Bank observed that the independence and the objectivity of the internal audit function could be undermined in case the remuneration of the internal audit staff is linked to the financial performance of the business lines for which they exercise audit responsibilities.

Therefore, the remuneration policies have to be structured in a manner that avoids creating a conflict of interest and compromising the independence and objectivity of audit.

Risk based Internal Audit Framework - No Outsourcing

While the internal audit function should not be outsourced, RBI stated that, where required, experts, including former employees, can be hired on a contractual basis, subject to the audit committee of the board being assured that such expertise doesn’t exist in the audit function of the bank.

The RBI circular stated that any conflict of interest in such matters would be recognized and addressed effectively. The ownership of audit reports in all cases will rest with regular functionaries of the internal audit function.

Another important thing to note is that RBI has directed banks to ensure and demonstrate that their risk based internal audit framework captures all the significant criteria/principles, through proper documentation, suited for their organizational structure, business model, and risks.

The Basel Committee on Banking Supervision and the Institute of Internal Auditors

The Reserve Bank has encouraged banks to adopt international audit standards such as those issued by the Basel Committee on Banking Supervision and the Institute of Internal Auditors.

So what is the Basel Committee on Banking Supervision?

It is the primary global standard setter for the prudential regulation of banks, and it provides a forum for regular co-operation on banking supervisory matters. Its 45 members comprise central banks and bank supervisors from 28 jurisdictions. It was established by the governors of the central banks of ten countries in late 1974, in the aftermath of great disturbances in the banking markets and international currencies.

It may be noted that the Basel Committee was established with a view to enhancing financial stability by improving the quality of banking supervision globally, and to serve as a forum for regular co-operation among its member countries.

What is the Institute of Internal Auditors?

This was established in 1941. It is an international professional association with its global headquarters located in the United States of America (Florida). The Institute of Internal Auditors is the internal audit profession’s recognized authority, global voice, chief advocate, and principal educator. Generally, the members work in risk management, governance, internal control, internal auditing, education, and security.


It may be noted that the instructions contained in the RBI circular shall come into effect from the date of this circular (Risk based Internal Audit Framework).
