Skip to main content

Risk-based Internal Audit for NBFCs

With entry into newer areas of financial services and products, the Non-Banking Financial
Company (NBFC) sector has witnessed phenomenal growth in terms of size and operations.

The evolution has necessitated control functions such as internal audits to meet
stakeholders’ expectations and stay attuned to the evolving risk landscape. An independent
and effective internal audit function is of utmost importance to all NBFCs to mitigate risks. In
late 2021, internal audits in the NBFC sector came under the spotlight when the RBI issued
a circular on Risk Based Internal Audit (RBIA), mandating implementation of the RBIA
framework by March 31, 2022, for select NBFCs with an asset size of Rs 100 crore and
above. The circular is seen as an indication that the regulator is taking a stringent attitude
towards risk management and audit.

Given the uncertain economic environment, which has put significant pressure on the debt
servicing capabilities of corporations and businesses, the need to critically examine the
existing portfolio and take account of the related risk management and accounting practices
becomes more paramount. This situation, coupled with increased global regulatory watch,
requires financial institutions to critically evaluate the quality of their regulatory submissions,
risk model, capital adequacy, and conduct in the financial markets. Hence, it makes sense
that the internal audit system of an NBFC should also broadly align with the principle of
proportionality.

The internal audit of an NBFC, as per the RBI guidance, should aim at undertaking risk
assessment and planning audits in the pecking order of perceived business risks as well as
their severity so that the risk areas are assessed and reviewed timely. Its function should
ideally be targeted towards contributing to the overall improvement of the NBFC’s
governance, risk management, and control processes using a systematic and disciplined
approach. Traditionally, the internal audit function in NBFCs has generally been
concentrated on accounting requirements and regulatory compliance. However, the manner
in which the sector has evolved proves that more factors should be considered. It is no
surprise that the current framework includes evaluation of risk management systems and
control procedures in various areas of operations. This is to help anticipate areas of potential
risk and mitigate such risks.

To get a task like RBIA done meticulously, a fixed responsibility centre should be set up by
the NBFC. This ensures proper implementation and increases its efficiency. Considering
this, RBI has prescribed the responsibilities of senior management, the board, and the audit
committee to ensure proper implementation of the RBIA framework. The chief responsibility
of the board and ACB is to establish and review an NBFC’s RBIA system. The RBIA policy
should be formulated with the approval of the board, and should be disseminated within the
organisation. However, the policy should be consistent with the size and nature of the
business undertaken. Furthermore, the ACB and board of the NBFC should review the
performance of RBIA and accordingly formulate and maintain a quality assurance and
improvement program that covers all aspects of the internal audit function.

The NBFC’s senior management is responsible for the implementation of the systems
established by its board and ACB. It should ensure adherence to the approved internal audit
policy guidelines and the creation of an effective internal control function that identifies,
measures, monitors, and reports all risks. The senior management should also ensure that
the audit reports are placed before the board and the ACB. And, based on the inputs from all
forms of audit, it should annually present a consolidated view of the major risks faced by the
organisation. The management is also responsible for establishing a comprehensive and
independent internal audit function that should promote accountability and transparency, and
ensure that the RBIA function is adequately staffed. However, the internal audit function
cannot be outsourced. When required, experts, including former employees, can be hired on
a contractual basis, subject to the ACB and board being assured that such expertise does
not exist within the audit function of the NBFC.

The RBI circular also mandates that the RBIA function consider the risk matrix while setting
up an actionable plan. The mechanism is to increase the visibility of risks and assist in
management decision-making. It is also used during risk assessment to define the level by
considering the category of probability or likelihood as opposed to the category of
consequence severity.

One may ask why such a stringent attitude has come into place and why NBFCs should take
this seriously. The DHFL saga and Satyam scam can offer an elaborate picture. The home
loan business was taking off, and DHFL found itself in the thick of things. Most thought the
company was seemingly doing quite well, until a couple of years later, when it collapsed due
to financial mismanagement, which resulted in Piramal Group finally acquiring it. The
company reportedly cheated banks to the tune of nearly ₹35,000 crores. Since DHFL
needed a lot of money, a consortium of 17 banks, led by Union Bank, jumped in; from 2010
to 2018, they sanctioned nearly ₹43,000 crores to DHFL.

An investigation revealed a dodgy nexus between DHFL’s promoters and several shell
companies. The claim is that the promoters borrowed money from banks to enrich
themselves. The revelation panicked the lenders. Finally, the Union Bank hired consulting
firm KPMG and demanded a special audit of the NDFC’s financial accounts. It turned out
that the rot ran deep and a lot of money had indeed gone missing. At this point, the banks
couldn’t label these as bad loans anymore; they had to classify them as fraud. So the Union
Bank of India complained to the CBI later.

Another case involving NBFCs is the Satyam scam, which emerged around 2009. The
company has a liability of Rs 1,231 crore on account of loans taken from NBFCs, despite
part payments made by the company's founder, Ramalinga Raju through pledging of shares,
says the CBI. Raju and his family had raised a loan of Rs 1,744 crore from NBFCs, and the
money was transferred to a number of shell companies floated by him. The CBI further
revealed that an amount of Rs 1,425 crore out of the Rs 1,744 crore loan obtained from
NBFCs was transferred to the bank accounts of Satyam Computer Services by 37
companies as loan over a period ranging from November 17, 2006, to October 30, 2008.

The list is indeed long, but such failures emerge only when they are too big or too big to
hide. With the aftermath of every corporate collapse and upon root cause analysis it was
believed that these collapses could have been averted or at least forewarned if a strong
internal audit mechanism was in place.

*Written for a client in December 2023

Comments

Post a Comment

Popular posts from this blog

An Outlier In The Wrong World

Delhi was once Chinglen’s ‘cradle of love’. With his student years over and the love that once comforted his stay has come to a tragic end, he is seized by a strong urge to flee the city. Run as far as he can from the memories of love. As a costly escape is beyond means, he returns to Manipur, a place long marred by protracted violence, a failed revolution, an engineered incessant political chaos, and already neck-deep in corruption. Perhaps to lick his wounds and hide with the beguiled sense. That the distance and the rich bizarre should shield him from the very memories sloshing thick inside him. His attempt to keep himself engaged as well as to make a meagre living lands him a shoddy journalist job and the opportunity to pursue a PhD at the state's only university. In the absence of his laidback editor and opportunistic professor, he teaches himself some degree of creative writing and dabbles in academia. As he moves further into the labyrinth, he learns the hard way that trying...
Post a Comment
Read more

Dream of Beliefs

Seeking quiet corners In the silence of the city By day, by night, Even in the stillness of late hours I carried you. To pursue, to court, And finally, to know If it was mine Or ever would be. I remember Tossing, turning, Muttering to myself, Searching for signs While gathering words. Then, one rainy day, I believed I had it. The dream was mine. Twenty years have passed With the dream, In another city, Where silence and inner peace Slip through my grasp. Penury and ill-fortune Trail me like shadows, Reminding me How fragile, how futile The pursuit can be. Often, I wonder: Have I failed? Is my back now pressed Against the walls Of this city, Of life itself? It is dreadful. It is disheartening. Yet I have nothing But this dream: A flickering flame, A roaring inferno, A monster trapped within. I am no one No titles, no claims, Only belief to shield me, And a longing For a place in the world. After all these years, Oh, dream of mine To possess you Is to know who I am, What I can be. And st...
Post a Comment
Read more

Revised Edition of Tales of Human Mischief

Tales of Human Mischief   by Nameirakpam Bobo Meitei is a poignant collection of short stories set against the backdrop of Manipur, also known as Kangleipak.   The anthology delves into the lives of ordinary individuals whose experiences are shaped by the region's prolonged civil unrest and armed conflicts.   Through rich prose, Meitei brings to light the often-overlooked narratives of those affected by systemic violence and societal upheaval. ​ The stories encapsulate a range of human emotions and experiences: a mother's lament for her lost child, the silent suffering of a young soul molded by surrounding violence, the humiliation endured by dishonored victims, and the pervasive fear of those yearning for salvation.   These narratives reflect the extremities of terror and human brutality, painting a vivid picture of a society grappling with moral decay and existential despair. ​ Meitei's writing is characterized by its melancholic tone and introspective depth. ...
Post a Comment
Read more