The Internal Auditing structures, procedures, and practices followed by various types of banks, such as public sector banks, private sector banks, international banks, and urban cooperative banks, are substantially different in India. As a result of non-standardized internal auditing systems in the banking sector, the quality of internal audit supervision and board reporting has been affected.

RBI released guidelines on 3 February 2021 vide circular Ref.no. DoS. CO.PPG./SEC.05/11.01.005/2020-21 to introduce uniformity in the methodology taken by the banks, as well as to match the expectations on internal audit function with the worldwide best practices to all Non-deposit receiving Non-Banking Financial Companies (NBFCs) with asset size of Rs. 5,000 Crores and above, to all NBFCs taking deposit regardless of their asset size and to all main Urban Cooperative Banks (UCBs) with asset size of Rs. 500 Crores and above on the subject of Internal Risk-Based Audit (RBIA).

RBI asked NBFCs and UCBs to create a committee of senior executives responsible for formulating an appropriate action plan to ensure a seamless transition from the current method of internal audit to RBIA and requested that the committee discuss transitional aspects of change management and report directly to the Board and senior management on a regular basis.

According to RBI the last date for implementing this framework is 31, MARCH 2022.

RBIA

Risk based internal audit (RBIA) is an audit methodology that incorporates an overall risk management structure for an organisation, providing assurance on the consistency and efficiency of the internal controls, management of risks, and systems and processes related to governance to the board of directors and the senior management.

In addition to transaction testing which can enable organisations to avoid and reduce risks, the internal audit system will also review risk management processes and control protocols for NBFC and UCB.

Including core elements of RBIA as proposed by RBI

• For the purposes of formulating a risk-based audit strategy, the internal audit shall conduct an independent risk assessment. This risk assessment, as well as similar procedures, will cover risks at multiple levels/areas (corporate and branch, portfolio and individual transactions, etc.). The Internal Audit Department's risk assessment should be used to concentrate on the areas of material risk and to prioritise audit work.
• The risk assessment process should include, among other aspects, the detection of inherent business risks in the different operations performed, the assessment of the efficacy of the control mechanisms for controlling the inherent risks of business activities and the creation of a risk index for both variables, i.e. inherent business risks and control risks.
• Both quantitative and qualitative methods can be used for risk assessment. Although quantitative evaluation may primarily evaluate the quantity of credit, competition and operating risks, a qualitative approach may be followed to measure the consistency of overall governance and controls in different business operations.
• The risk assessment methodology should include, inter alia, factors such as

1. Past internal audit findings and compliance;
2. Potential improvements in business lines or shifts of focus;
3. Major changes in management/key staff;
4. Regulatory audit report results;
5. External audit reporting;
6. Market dynamics and other environmental factors;
7. Time elapsed since last audit reporting;
8. The scale of business and the complexity of activities;
9. Significant differences in budget performance; and
10. The entity's business plan with respect to risk appetite and adequacy of regulation.

• It would be necessary to provide adequate MIS and data integrity arrangements for the risk assessment to be reliable. All trends, such as the launch of new products, improvements in reporting lines, changes in accounting practices/policies, etc, should be kept aware of the internal audit feature. Invariably, the risk assessment should be performed on an annual basis. In order to consider improvements in the market environment, operations and work practices, etc., the evaluation should also be regularly revised.
• To meet the goals of the audit task, the complexity of the audit and the distribution of resources should be appropriate. Every SE must decide the precise scope of the RBIA for low, medium, high, very high and extremely high-risk areas. System and process assessments for all essential operations should also be included in the framework of the internal audit. It is therefore important to put the results of such audits before the IT Committee of the Board.
• It is essential to develop the internal audit report on accurate analysis and evaluation. It should bring out adequate, reliable, relevant and useful information to support the observations and conclusions. It should cover the audit assignment's priorities, scope, and findings and make relevant recommendations and/or action plans.
• Both ongoing high- and medium-risk paras and significant anomalies should be submitted to the ACB/Board in order to identify main areas where, despite risk detection, risk reduction has not been carried out.
• The Internal Audit function should have a system for monitoring compliance with internal audit observations. An important part of reporting to the ACB/Board should be compliance status.
• There will be no outsourcing of the internal audit function. However, where possible, consultants, including former personnel, can be employed on a contractual basis, subject to the guarantee of the ACB/Board that such experience does not exist beyond the SE's audit function. Any conflict of interest in such matters is recognized and dealt with effectively. In such cases, the ownership of audit results lies with standard internal audit functionaries.

For reference https://m.rbi.org.in/Scripts/BS_CircularIndexDisplay.aspx?Id=12018