The document discusses the progress of implementing risk-based internal auditing in Indian banks. It conducted a survey to assess how banks have adopted risk-based internal auditing policies and frameworks as advised by banking regulators. The study found that while banks have implemented risk-based auditing of branches, many have not expanded it to cover other business activities. It also identified gaps between banks' implementations and regulatory guidance.

Title: A Survey-Based Assessment of Progress in the Implementation of Risk-Based Internal Audit in Indian Banks.

Author: Dr Vijay Kumar Khanna, FCA

Email: khanna@nibmindia.org

Affiliation: Associate Professor, National Institute of Bank Management, Pune.

Abstract:

In the backdrop of increasing attention paid to the management of risks in banking by
regulators world over, the Reserve Bank of India proposes to switch over from traditional
transaction based annual inspection of banks to Risk Based Supervision (RBS). The
Risk based approach to Supervision aims at differentiating banks in accordance with
their risk profiles and introduces a flexible approach in deciding the quantum of
supervisory attention and application of supervisory tools. As a corollary to RBS, banks
were advised to migrate towards an internal inspection/audit corresponding to the RBS
framework. Risk Based Internal Audit (RBIA) was introduced formally with the release of
a Guidance Note by RBI in 2002 calling upon banks to gradually switch over from
traditional transaction based internal inspection/audit to RBIA.

RBIA has been implemented in Indian banks for over eight years now. However, in so
far as the progress of implementation of RBIA in Indian banks is concerned, there are no
reliable sources/studies and the literature on RBIA in Indian context is scanty. This
survey study assesses the progress made by banks in implementing RBIA as per the
RBI guidance note as also the organizational preparedness of banks in terms of policy
framework, infrastructure, quantity and quality of audit personnel, IT support etc.

The study reveals that banks in India have adopted a staggered approach for
implementation of RBIA and the progress has been uneven amongst banks. The
formation of a Task Force of senior executives and development of a Board approved
RBIA Policy have been spread over the years 2001 – 2009. All banks in India have
implemented RBIA of branches but many of them have not covered other
activities/locations which form a major part of their business activities. In relation to the
RBI Guidance note, there are some significant gaps in the RBIA process adopted by
banks. These have been identified by the researcher and suggestions made for banks
and RBI for improving the implementation and effectiveness of RBIA.

A Survey-Based Assessment of Progress in the Implementation of Risk-Based Internal Audit in Indian Banks

Introduction
Internal Audit and Inspection in banks has traditionally been transaction based with an
objective to provide feedback on accuracy and appropriateness of the transactions
recorded in the books of accounts. This type of internal audit/inspection was found to be
more acceptable and to some extent appropriate in the regulated environment as
Reserve Bank of India (RBI) in a way, looked after overall risk management in banking
business. With the introduction of reforms in the financial sector in India commencing
from 1991 onwards, banks have been operating in a somewhat deregulated business
environment. The Indian banking scene has witnessed progressive deregulation,
institution of prudential norms and an emulation of international supervisory best
practices. The tightening of exposure and prudential norms and the enhancement in the
items of disclosures over the years, in line with the Basel Capital Accords I & II, have
more closely aligned the Indian banking system with the international best practices. In
the backdrop of increasing attention paid to the management of risks in banking by
regulators world over, the Reserve Bank of India in tune with these developments
proposed to switch over from traditional transaction based annual inspection of banks to
Risk Based Supervision (RBS). The Risk based approach to Supervision aims at
differentiating banks in accordance with their risk profiles and introduces a flexible
approach in deciding the quantum of supervisory attention and application of supervisory
tools1.
As a corollary to RBS, banks were advised to migrate towards an internal
inspection/audit corresponding to the RBS framework as also to facilitate the effectuation
of the latter. Towards this end, Risk Based Internal Audit (RBIA) was thought of in the
year 2002 and the same was introduced formally with the release of a Guidance Note2
on RBIA calling upon banks to gradually switch over from traditional transaction based
internal inspection/audit to RBIA. Since then several initiatives have been taken up by
RBI towards facilitating this switchover.

RBI initiatives

The Guidance Note of RBI on RBIA (2002) states that banks should set up a “Task
Force” comprising of senior executives with the responsibility to chalk out an action plan
for the implementation of RBIA (This has been reiterated in RBI circular of 1st February
2005 also)3. It was expected that this task force would address all issues pertaining to
switch-over to RBIA covering change management, implementation and review of the
internal processes and so on. The framework of RBIA based on the guidance note of
RBI would entail coverage of the following:
• RBIA policy formulation in the bank
• Identification of risks faced by the bank
• Setting the internal tolerance levels for risks
• Tools and techniques to assess the risks including methodology of risk assessment
• Conduct of off-site risk assessment
• Preparation of an annual audit plan
• Conduct of on-site audit and reporting
• Action plan for risk mitigation and
• Organizational aspects covering infrastructure and manpower support for effective implementation of RBIA
RBIA, being an independent input to top management of banks, would assist them in
better risk management by providing checks and balances in the system as also
identification of areas of potential risks and measures to be taken for risk mitigation.
Under RBIA, the focus of the audit cell is expected to shift from that of examination of
the accuracy and reliability of accounting records, financial reports, timeliness of control
reports, adherence to legal & regulatory requirements etc, to the application and
effectiveness of risk management procedures, risk assessment methodology, critical
evaluation of the adequacy and effectiveness of the internal control systems. The role of
the auditor would change fundamentally to one who has to identify areas of potential risk
and suggest measures to mitigate the same4.

Need for Research

The concept of RBIA took its birth in Indian context with the release of RBI circular in
2002 and the same has been implemented in different banks for over seven years now.
However, in so far as the progress of implementation of RBIA in Indian banks is
concerned, there are no reliable sources/studies and the literature on RBIA in Indian
context is scanty. Moreover, the concept itself is relatively new and evolving from the
perspective of banks as also RBI. Furthermore, lack of a comprehensive assessment of
the progress made by banks in this direction raises several questions such as for
instance, whether banks have been able to assimilate the concept, its usefulness and
constraints, if any, in moving forward. From RBI’s perspective also, a critical
stock-taking of the developments in this important area is imperative to further the
implementation of RBIA as also to remove constraints, if any, in its implementation. Thus, a
dispassionate analysis of the implementation of RBIA in its totality will undoubtedly be
useful to banks as well as RBI. It is in this context that the researcher has taken up this
study with emphasis on the progress that banks have made in implementation of RBIA
and the effectiveness of the same as an audit tool. After a careful review of the relevant
literature on RBIA, the objectives for the present study were set with appropriate
methodology. The details in this regard are provided in the ensuing sections of this
paper.

Review of Literature on RBIA in Indian Banks

As stated above, during the regulated banking business environment, transaction audit
was found to be appropriate in banks. The report of the Working group (1995) 5,
appointed by RBI, outlining the scope of Internal audit stated that “Internal audit of a
branch involves verification as to whether the books of accounts are properly
maintained, checked and balanced periodically, whether all transactions are properly
accounted for and various checks prescribed by the Head office regarding investments,
advances, custody of cash, securities and other valuables are strictly observed. Internal
audit has to pay particular attention to the following aspects; whether books and records
are accurately maintained, verify physical existence of assets as shown in the books,
documentation with borrowers is complete, compliance with and record of all Head office
instructions, advances are given and expenses incurred under proper authority, internal
checks and controls are properly operated and returns to Head office are correctly
compiled and promptly submitted”. Thus, it is evident that the focus of internal audit was
confined to verification and accuracy of transactions and security of banks’ assets as well
as prevention of frauds. This aspect is reinforced by Satyanarayana & Kaveri in their
study (1995)6.
The Basel Committee on Banking Supervision (BCBS) in its August 2002 paper 7
“Internal Audit in banks and the supervisor’s relationship with auditors: A Survey”, uses
the definition of Internal Audit, as approved by the Board of the Institute of Internal
Auditors (IIA) in June 1999: “Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control and
governance processes”. Further, the paper states that the survey’s findings concerning
the scope of Internal audit are broadly consistent with the IIA’s definition of Internal
auditing as quoted above. Keeping in mind the requirements of our banking industry
and business environment, RBI came out with a discussion paper on “Move towards
Risk Based Supervision” on 13th August, 2001 and subsequently with a Guidance note
on RBIA dated 27th December, 2002, both of which are in line with the BCBS paper and
survey findings referred to above.
As mentioned earlier, literature on RBIA in banks in India is scanty and most of the
books/articles restrict themselves to the theoretical aspects of the circulars issued by
RBI. One of the first papers was by G V Sharma (2004) 8. The paper gave some
explanation of the RBIA methodology and its implementation based on the RBI guidance
note but without any detailed formats for assessment of various risks faced by banks
and the resultant risk mitigants. R S Raghavan (2004) 9 notes that in post Basel Accord II
environment, the Risk focused audit will be an additional tool of assessment, as it would
be the basic mechanism to judge performance in risk management area and to convince
RBI that the bank has a risk management system functioning effectively. But he also
does not provide the methodology for implementation of Risk focused audit. D P Gupta
& R K Gupta (2004)10 in their book on RBIA in banks discuss the various guidelines
issued by RBI on Risk management. They have converted the existing traditional
transaction based internal audit parameters into risk assessment parameters and
formats without any focus on risk assessment methodology, risk mitigation or
identification of areas of potential risk. Kalyan Debnath (2004) 11 in his paper on
“Enterprise Wide Risk Management in Banks” refers to the state of RBIA in Indian banks
and says “While most banks are trying to migrate gradually towards RBIA, it appears
that the process is rather slow and radical reform in the Inspection environment is quite
missing. There are misconceptions of the process itself. In many banks, the process of
preparation of an Audit plan is not preceded by thorough risk assessment and the
concept of audit prioritization for appropriate resource allocation is not understood. In
many banks, RBIA is still a format driven exercise. Inspectors are not equipped to do
process audit and provide suggestions for process improvement”.
Krishnan and Kaveri (2003)12 studied the progress of implementation of RBIA in Indian
banks. Their research framework was basically confined to the compliance of banks to
the guidance note of RBI (2002) and the research probe centered on the progress of
implementation of RBIA in banks in tune with the said guidance note. The researchers
concluded that the implementation of RBIA in Indian banks has been rather uneven.
During 2004 and 2005, RBI held extensive discussions with banks on the progress in
implementation of RBIA. Individual banks gave presentations on the progress made and
the methodology adopted for risk assessment. There was more or less unanimity
amongst banks and RBI in regard to the need for revision of the approaches,
methodology, formats and so on. As a sequel to these consultative processes, RBI
came out with a revised and second circular on February, 1, 2005 providing clarifications
on implementation of RBIA in banks in India.

Objectives of the Study

Against the conceptual framework provided earlier, the specific objectives of the
research study are listed below.
1. To critically assess the progress made by banks in implementing RBIA as
also identify deviations from RBI guidelines.
2. To investigate the risk assessment methodology, preparation of audit
plan, conduct of audit as also reporting in the context of RBIA.
3. To examine the risk containment measures in banks where the RBIA is in
place.
4. To study the organizational preparedness of banks in terms of policy
framework, infrastructure covering quantity and quality of audit personnel
and IT support.
5. To offer suggestions for the consideration of policy makers and banks in
improving the effectiveness of RBIA.

Methodology of Study

In line with the objectives of the study the following methodology has been adopted:

1. A survey was undertaken by mailing a detailed structured questionnaire (containing
63 questions) on the stated objectives of the study to all Public sector banks (27) and all
Private sector banks (24) to create primary data. A total of 40 banks, 23 from Public
sector and 17 from Private sector, responded to the questionnaire. These banks
represent approximately 95% of the Total Assets of Indian Banks and have nearly 94%
of the branch network. The responses received from the banks were studied, tabulated
and analyzed under six key headings. The findings of this survey are covered in detail in
Section I.

2. Discussions were held with senior executives of Inspection & Audit Department of 8
banks located at Pune/Bangalore/Mumbai and New Delhi to develop better practical
insight of the implementation of RBIA and its effectiveness in their banks. Discussions
were also held with senior executives of Department of Banking Supervision, RBI on the
questionnaire sent to and responses received from the banks. The important findings are
discussed in Section II.

3. Based on the survey and discussions with bankers and professionals the researcher
has identified the important issues to be addressed by banks and policy makers for the
effective implementation of RBIA in banks in India. These issues have been outlined in
Section III.

Section I: Findings of Survey of Banks and summary of Responses

The findings of the survey are presented under the six key sub-headings covering the
entire gamut of RBIA and its implementation by banks in line with the objectives of the
study. The responses have been analyzed from the three groups of banks, namely
PSBs - Public sector banks, OPSBs – Old Private sector banks and NPSBs – New
Private sector banks.

1. Setting up of Task Force and preparation of Road Map for implementation
of Risk Based Internal Audit.
(a) In line with the requirements of the RBI Guidance Note, all banks (except
one) formed a Task Force (TF) of senior executives to chalk out an action plan for the
implementation of RBIA as detailed in Table 1 below. The year of formation of this TF
varies from bank to bank and was initiated by State Bank of India in the year 2001.
Another 5 banks formed the Task Force in 2002 (the year of issue of RBI Guidance
note) and 15 banks initiated it in 2003. By 2006, all 39 responding banks had formed this
TF. It is pertinent to note here that all NPSBs formed the Task Force during 2002-04
whereas the PSBs were spread over 2001-06 and the OPSBs from 2003-06. 5 of the 11
OPSBs set up the Task Force in 2006 which is rather late as the Guidance note was
issued in 2002.
Table 1: Year of formation of Task Force

Formation of Task Force                   PSBs      OPSBs     NPSBs     All Banks
                                          Y   N     Y   N     Y   N     Y   N   T
TF formed                                 22  1     11  -     6   -     39  1   40
Years:
  2001                                    1         -         -         1
  2002                                    3         -         2         5
  2003                                    10        3         2         15
  2004                                    3         2         2         7
  2005                                    3         1         -         4
  2006                                    2         5         -         7
  NA                                      -   1     -         -             1

Y=Yes, N=No, T=Total

(b) All responding banks undertook a review of the existing system of Internal Audit in
their bank and developed a Road map for implementation of RBIA. These are in line with
the requirements of the RBI Guidance Note.
(c) RBIA is being implemented by banks in the activities and locations detailed in
Table 2 below:

Table 2: Activities/locations where RBIA has been implemented by Banks as on 31/3/2009

Activities                                PSBs          OPSBs         NPSBs         All Banks
                                          Y   N   P     Y   N   P     Y   N   P     Y   N   P   T
1. Branches                               22  -   1     11  -   -     6   -   -     39  1   -   40
2. Currency chest                         11  9   3     1   8   2     4   1   1     16  18  6   40
3. ATMs                                   10  9   4     2   8   1     6   -   -     18  17  5   40
4. Controlling offices                    6   11  6     1   9   1     4   2   -     11  22  7   40
5. Treasury                               11  10  2     5   5   1     6   -   -     22  15  3   40
6. Risk Management department             4   15  4     -   9   2     3   3   -     7   27  6   40
7. Foreign exchange department            10  9   4     4   6   1     6   -   -     20  15  5   40
8. Centralized Processing cells           7   12  4     2   8   1     4   2   -     13  22  5   40
9. Merchant Banking & Advisory services   5   15  3     1   9   1     4   2   -     10  26  4   40
10. IT Systems                            10  12  1     2   8   1     5   1   -     17  21  2   40

Y=Yes, N=No, P=Proposed, T=Total

RBIA of branches has been implemented in 95% of the responding banks. In one bank
it is proposed to be undertaken shortly. Other activities/locations have not been covered
under RBIA by many banks and the position as on 31/3/2009 indicated above is not
satisfactory. The coverage of RBIA is inadequate (in 50% or more banks) in
activities/locations other than branches and needs to be addressed by banks and
the regulator on a priority basis. Treasury, Foreign exchange department, IT systems, ATMs,
Controlling offices & Risk management department are some of the important
activities/locations which must be fully covered under RBIA by all banks at the earliest.
One of the important reasons for the delay in the coverage of all activities of banks under
RBIA is the slow implementation of CBS by banks. Further there is a shortage of skilled
staff for identification and assessment of risks, preparation of risk assessment formats,
and conduct of internal audit under RBIA.
(d) RBIA is being conducted along with Regular Inspection in 70% of the banks as the
banks have yet to become fully conversant with the process and concept of RBIA and
prefer this approach for the transition period. RBIA is being independently conducted in
30% of the banks. This indicates substantial duplication of work by the Internal audit
department and the full benefits of RBIA will not be achieved with this approach. It is
important for all banks to develop a Road map for discontinuation of Regular inspection
at the earliest and make a complete switchover to RBIA.
(e) In 12 banks regular inspection has been discontinued and in another 3 banks it is
proposed to be discontinued in 2010-11. Apart from discontinuation of regular
inspection in 15 banks, no other form of audit/inspection is expected to be discontinued.
(f) There is a gradual improvement in the coverage of the activities/locations under
RBIA over the years and the position as on 31/3/2009 is given in Table 3 below. This
appears to be in line with the identified Road map by the banks. 30 banks have covered
100% of the branches under RBIA and the other 7 are above 50% coverage. That 2
banks have not covered even 50% of the branches by 31/3/2009 is a matter of concern
and steps must be taken to improve this situation. The coverage of the other activities
under RBIA (wherever it is being undertaken by banks) is satisfactory but the issue
remains that many of the other important activities are yet to be brought under RBIA in
many banks as discussed in (e) above.

Table 3: Coverage of activities/locations under RBIA as on 31/3/2009

Activities                                PSBs                                      OPSBs
                                          100%    75-99%  50-74%  <50%    NIL       100%    75-99%  50-74%  <50%    NIL
1. Branches                               18      1       2       1       -         6       1       3       1       -
2. Currency chest                         11      1       1       -       10        2       -       -       -       9
3. ATMs                                   8       1       1       -       13        3       -       -       -       8
4. Controlling offices                    6       -       -       1       16        2       -       1       -       8
5. Treasury                               11      -       -       -       12        7       -       -       -       4
6. Risk Management department             4       -       -       1       18        3       -       -       -       8
7. Forex department                       10      -       -       -       13        5       -       -       -       6
8. Centralized Processing cells           7       -       -       -       16        3       -       -       -       8
9. Merchant Banking & Advisory services   3       -       -       -       20        1       -       -       -       10
10. IT Systems                            10      1       -       -       12        4       -       -       -       7

Table 3 (continued)

Activities                                NPSBs                                     All Banks
                                          100%    75-99%  50-74%  <50%    NIL       100%    75-99%  50-74%  <50%    NIL     T
1. Branches                               6       -       -       -       -         30      2       5       2       -       39
2. Currency chest                         4       -       -       -       2         17      1       1       -       21      40
3. ATMs                                   5       -       -       -       1         16      1       1       -       22      40
4. Controlling offices                    3       -       -       -       3         11      -       1       1       27      40
5. Treasury                               5       -       -       -       1         23      -       -       -       17      40
6. Risk Management department             3       -       -       -       3         10      -       -       1       29      40
7. Forex department                       5       -       -       -       1         20      -       -       -       20      40
8. Centralized Processing cells           3       -       -       -       3         13      -       -       -       27      40
9. Merchant Banking & Advisory services   4       -       -       -       2         8       -       -       -       32      40
10. IT Systems                            4       -       -       1       1         18      1       -       1       20      40

(g) All banks except one (which did not set up the Task Force) undertake a review of the
progress made in the implementation of RBIA. The frequency of the review in 21 banks
is Quarterly, in 15 banks once a year and in 3 banks once since implementation. The
review is mostly done internally (34/40).
(h) In 95% of the banks the progress in implementation of RBIA has been in line with the
identified Road Map and only in one bank it has not been so. The major impediments in
implementation are identified as:
• Shortage of inspectors
• Skills gap of auditors/inspectors for conduct of RBIA
• Increased coverage of Regular inspection along with RBIA
• New items of audit/inspection being introduced
(i) In 85% of the banks a detailed Manual of Inspection/Audit under RBIA has been
prepared. In 15% of the banks it has not been prepared. All NPSBs have an Audit
Manual whereas one OPSB and 5 PSBs do not have an Audit Manual.
One of the 6 banks indicates that a comprehensive Audit Manual will be prepared when
the bank makes a complete switchover to RBIA whereas another 2 banks state that it
will be taken up shortly. Three banks indicate that guidelines for RBIA have been issued
by way of circulars.
The above responses indicate that the NPSBs as a group set up the Task Force of
senior executives for implementation of RBIA within 2 years of the RBI Guidance Note.
They have covered a large part of all activities of the bank under RBIA and have a
Manual of audit in place for RBIA. Most of the PSBs were also quick in setting up the
Task Force but the OPSBs were slow in comparison. The coverage of bank activities
under RBIA (other than branches) is inadequate in many PSBs and OPSBs and an
Audit manual has not been prepared in 6 of them.

2. RBIA Policy Formulation, Approval and Review

(a) All banks have developed a Policy for RBIA. The Policy document in all banks has
been developed in-house. 13 banks made their own efforts and independently prepared
the document. 27 banks consulted the Policy documents of other banks and then
finalized their policy document.
(b) 90% of the banks find the RBI Guidance Note and subsequent clarifications issued
by RBI to be sufficient to guide them to draw their policy document for RBIA. Only 4
banks feel the need for further guidance and clarifications. Some of the important
clarifications include:
• Identification and assessment of Business Risk parameters at Branch level
• Composite risk matrix not suitable for Branch.
• Guidance for determining Cut-off scores for Low, Medium & High risk.
• Compliance and Closure of RBIA reports
(c) In all banks, except one, the RBIA Policy document has been approved by the
Board of Directors / Audit committee of the Board. As depicted in Table 4, the approval
has been spread over the years 2003 – 2009 which is generally in line with the time frame
(with a time lag of 2/3 years) of setting up of the Task Force for implementation of RBIA
in the bank. It may be noted that 9 banks approved their Policy document in 2003, within
a year of the RBI Guidance note. 30 banks had their Policy in place by 2006 and 10
banks were spread across 2007-2009.

Table 4: Year of approval of the RBIA policy

Year      PSBs    OPSBs   NPSBs   All banks
2003      4       2       3       9
2004      4       2       1       7
2005      5       -       1       6
2006      6       2       -       8
2007      2       3       -       5
2008      -       2       1       3
2009      1       -       -       1
No        1       -       -       1
Total     23      11      6       40

The contents of the RBIA Policy document appear to be in line with the requirements of
the RBI Guidance Note. It is pertinent to note that in 20% of the banks, HR &
organizational aspects of RBIA are not addressed. In 15% of the banks there is no clarity
on Follow up of RBIA report and role of Regional/Controlling offices. These are important
issues that need to be addressed in the Policy document for effective implementation of
RBIA.
(d) In 60% of the banks, the RBIA Policy document has undergone a change which
indicates that the review mechanism in them is effective. In 40% of the banks there is no
change. 10% of the banks have indicated that they do not see any reason for a change
in their policy document as it is working fine.
There are no material variations in the progress made by the three groups of banks on
the Policy formulation, approval and review parameters.

3. Risk Identification and Assessment

(a) Most of the banks have identified the Inherent Business risks and Control risks as
depicted in Table 5 below and as specified in the RBI Guidance Note of 2002. These are
also in line with the risks identified by RBI in its draft paper on “Move towards Risk
Based Supervision of banks”.

Table 5: Risks identified by banks

                                          PSBs      OPSBs     NPSBs     All Banks
                                          Y   N     Y   N     Y   N     Y   N   T
Inherent Business Risks
Capital                                   12  11    4   7     6   -     22  18  40
Credit                                    23  -     11  -     6   -     40  -   40
Market                                    19  4     6   5     6   -     31  11  40
Liquidity                                 18  5     8   3     6   -     32  8   40
Operational                               23  -     11  -     6   -     40  -   40
Earnings                                  21  2     11  -     6   -     38  2   40
Business Environment & Strategy           18  5     11  -     6   -     35  5   40
Group                                     13  10    7   4     5   1     25  15  40
Any other, please specify: 1. Technology Risks 2. Organization & Governance
3. Legal & Compliance 4. Financial Reporting & Accounting

Control Risks
Internal Control & Housekeeping           23  -     11  -     6   -     40  -   40
Organizational                            16  7     9   2     6   -     31  9   40
Management                                19  4     10  1     6   -     35  5   40
Compliance                                22  1     10  1     5   1     37  3   40
Any other, please specify: 1. Technology Risks 2. External Compliance
3. Legal Risk 4. Reputation Risk
5. Regulatory & External Audit Report Compliance
6. Variations in Budget v/s Actual

Y=Yes, N=No, T=Total

Under inherent Business risks, all banks have identified Credit risk and Operational risks
followed by Earnings risk, Business environment & strategy risk, Liquidity risk and
Market risk. 55% of the banks have identified Capital risk and 63% Group risks also.
Additionally some banks have identified other Inherent Business risks such as
Technology risk, Legal risk and Financial reporting and accounting risk.
Under Control risks, Internal control & housekeeping risk has been identified by all banks
followed by Compliance risk, Management risk and Organizational risk. Additional risks
identified by some banks include Technology risk, Reputation risk and Legal risk.
The NPSBs have identified all the abovementioned risks. On the other hand the OPSBs
and PSBs have quite a few gaps in identification of risks in both Inherent Business risks
and Control risks. Both these groups of banks need to work in this area, as the effective
implementation of RBIA is largely dependent upon correct identification of risks and
subsequently their assessment of levels and direction.
(b) 95% of the banks conduct risk assessment which is being carried out by the
Inspection department. The activities/locations where risk assessment is being
conducted by the banks are summarized in Table 6 below:

Table 6: Activities/Locations where Risk assessment is being conducted

Activities                                PSBs      OPSBs     NPSBs     All Banks
                                          Y   N     Y   N     Y   N     Y   N   T
1. Branches                               23  -     10  1     6   -     39  1   40
2. Currency chest                         10  13    2   9     4   2     16  24  40
3. ATMs                                   10  13    2   9     6   -     18  22  40
4. Controlling offices                    8   15    1   10    3   3     12  28  40
5. Treasury                               11  12    4   7     6   -     21  19  40
6. Risk Management department             4   19    1   10    3   3     8   32  40
7. Foreign exchange department            10  13    5   6     6   -     21  19  40
8. Centralized Processing cells           7   16    2   9     4   2     13  27  40
9. Merchant Banking & Advisory services   3   20    1   10    4   2     8   32  40
10. IT Systems                            11  12    2   9     6   -     19  21  40
11. Any other: Nainital Bank - Policy is made for branches only & for other
Deptt. Separate format are being designed.

Y=Yes, N=No, T=Total

Risk assessment of branches is conducted in 95% of the banks. Risk assessment of
Treasury and Foreign exchange departments is carried out in 55% of the banks and IT
systems in 48% of the banks. In other activities/locations risk assessment is being
carried out by less than 50% of the banks with Risk management department and
Merchant banking activities being the lowest at 20%.
Consistent with the coverage of RBIA in various activities/locations of the bank, the
NPSBs show the maximum activities/locations being covered under risk assessment. In
PSBs approximately 50% of the banks are not conducting risk assessment of
activities/locations other than branches. The gaps in the OPSBs are even higher with
approximately 80% of the banks not conducting risk assessment of other
activities/locations.
This parameter is very important for effective implementation of RBIA in banks. RBI must
ensure, at the earliest, that risk assessment of all activities/locations is undertaken by
banks.
(c) One of the most important steps in effective implementation of RBIA is the conduct of
Off-site risk assessment. This has been envisaged in the RBI Guidance Note for the
preparation of the Annual Audit Plan by banks as also to determine the
activities/locations which require priority in allocation of audit resources. The Off-site risk
assessment also assists banks in determining the scope and focus of On-site audit.
As per the response received from banks, only 20% of the banks are conducting risk
assessment Off-site before the conduct of On-site audit whereas 90% of the banks are
conducting risk assessment On-site during the conduct of audit. In 8 banks risk
assessment is being conducted at the Head office. Some banks are conducting risk
assessment off-site, on-site and at Head Office (IDBI, SBI-Indore & United) and some
are conducting risk assessment only at Head Office (HDFC & Catholic Syrian bank).
The RBI must ensure that all Banks conduct Off-site risk assessment of
activities/locations to meet the Objectives of RBIA as set out in the RBI Guidance Note
as also derive fully the benefits of implementation of RBIA.
(d) In 88% of the banks risk assessment is being conducted separately for Business
risks and Control risks as per the requirements of the RBI Guidance note. Only in 12% of
the banks this is not being done, possibly due to lack of clarity of process and risk
assessment formats. The Magnitude of risk (in terms of business volume) is being taken
into consideration in 83% of the banks whilst determining the level of risk.

70% of the banks are determining 3 levels of risk viz. Low, Medium and High risk, as
suggested by the RBI Guidance Note. 20% of the banks are determining 4 levels of risk
viz. Low, Moderate, Fair and High risk and in 10% of the banks 5 levels of risk viz. Low,
Medium, High, Very High and Extremely High risk are being determined.
The higher the number of levels of risk the greater the complexity of risk assessment.
However, it does provide more granularities and assists in better management of risks.
Banks should gradually move to 5 levels of risk which is an International practice.
(e) As envisaged in the RBI Guidance Note, 95% of the banks are preparing the
Composite risk matrix after determining separately the level of Business risk and Control
risk. Only two banks are not preparing it, since they already determine five levels of risk
and do not use the Composite risk matrix.
(f) 80% of the banks determine the Direction of risk separately for Business risk and
Control risk. They use these inputs to determine the Direction of Composite risk.
Some of the banks are not complying with the requirements of the RBI Guidance Note in
terms of non-incorporation of Magnitude of risk, non-preparation of Composite risk
matrix and non-determination of Direction of risk/Composite risk as indicated above. The
main reason for this is that the risk assessment formats do not provide for this assessment;
the formats need to be modified.
(g) 95% of the banks rely upon information derived from previous internal audit reports
and Compliance reports for sources of information to undertake risk assessment.
Additionally 85% of the banks consider the volume of business and the complexity of
business activities as important inputs for risk assessment. The reports of the External
Auditors are used by 75% of the banks whereas 58% also use changes in business
lines, industry trends and environment. Significant changes in management/key
personnel are applied as an important input by 45% of the banks.
(h) Only 50% of the banks have a system of an independent quality check of the Risk
assessment ratings assigned by the RBIA auditors to the various activities/locations of
the banks. An independent quality check leads to confirmation and correction, if
required, of the risk assessment ratings assigned by the inspector/auditor and gives
assurance to the top management of the bank and external users like RBI of the
robustness of the RBIA process. This must be introduced by all banks at the earliest for
effective implementation of RBIA.
(i) All banks have adopted a score based model for risk assessment. The levels of risk
and the range of scores adopted by various banks are depicted in Table 7.

Table 7: Range of scores used for determining level of risk

Range of Scores (%) used by different banks for determining level of Risk
Karn
All Other Banks Canara IOB BOM PNB TMB SBI Dena J&K ataka
Higher Higher SBII
the the United
risk risk - CSyB
-highe lower Dhan-
Risk r the the laxmi
Levels marks marks SBT
>70
Very Low >90 <20 >90
<15 >85 BR<50 BR< >75 BR< <40 71- >80 20-40 60-70
<40 >80 CR<40 35 20 >80 90 70-90
<45 >75 CR< CR< <25
<50 >70 30 20 >75
>65 <30
Low >60
15-40 50-85 BR BR BR 41-55 60- 65-80 40-60 50-60
41-60 70-80 51-80 35- 20- 65-80 70 51-70
45-75 50-80 CR 60 40 25-50
51-80 50-75 41-60 CR CR 60-74
40-74 30- 20- 31-60
50-70 50 35
40-70
41-65
Medium 31-60
Moderate 61-74
Fair 41-60
>40 <70 BR BR> <40 BR 56-70 <60 50-65 60-80 40-50
>60 <50 81-100 60 40- 50-65 36-50
>75 <40 CR>60 CR> 60 50-75
>80 <30 50 CR 45-59
35- 61-80
High 50
BR> >70 45-50 >80
60 <50
CR> >75
50 <45
Very high >80
<45 <40
Extremely High <35
The levels of risk that have been adopted include Very low risk, Low risk, Medium risk,
Moderate risk, Fair risk, High risk, Very high risk and Extremely high risk. The RBI
Guidance Note has indicated three levels of risk viz. Low risk, Medium risk and High risk.
Some of the banks adopting more than 3 levels of risk may need to review their
methodology.
The ranges of scores that have been adopted by the banks are quite varied and the above
Table gives a snapshot of the same. Some banks have chosen the range based on the
principle of “Higher the risk Higher the marks” whereas others have chosen “Higher the
risk Lower the marks”. This does not make any difference as everyone is using
percentages to determine the level of risk. A few banks have adopted different cut-off
scores for determining the levels of Business risk and Control risk, making Control risk
scores more conservative.
The range of scores adopted by different banks extends from a minimum of 15% to a
maximum of 90%, as the choice of methodology for determining the level of risk has been
left to individual banks.
There should be some consistency in the ranges adopted and it may be necessary for the
RBI to give some indicative score ranges to be adopted by banks for different levels of
risk.
(j) After completion of risk assessment all banks are assigning risk assessment ratings to
the activity/location where risk assessment has been undertaken using both the level and
direction of risk. Banks using a 3 x 3 Composite risk matrix are adopting 15 different
ratings, 3 for each level of Composite risk viz. Extremely High Risk (EHR) – Increasing,
EHR – Stable and EHR – Decreasing. Banks using a 4x4 Composite risk matrix have 21
different ratings and those using a 5x5 composite risk matrix have 30 different ratings. It is
evident that with a larger number of ratings, migration from one rating to another will become
more frequent, which can assist the auditors in identification of areas of potential risk.
However, this makes the risk assessment exercise more complicated and thus it is
advocated that banks should first assimilate the concept and process of a 3x3 composite
risk matrix and then graduate to more complex processes.

Risk identification and assessment is being undertaken by the banks generally in line with
the requirements of the RBI Guidance Note. There are areas within the framework where
gaps exist. The most important gaps are the non-identification of important risks in
banking business by a few banks and the non-conduct of off-site risk assessment for
preparation of the Annual Audit plan by most of the banks (approximately 80% of the
banks). A few banks are also neither preparing the Composite risk matrix nor determining the
Direction of risk. The NPSBs have the best response as they have implemented almost all
the parameters for risk identification and assessment. They have adopted the steps as
indicated in the Framework for implementation of RBIA in banks. Many of the PSBs and
OPSBs have a number of gaps in the process adopted for implementation of RBIA
especially in identification of risks, conduct of off-site risk assessment, preparation of
composite risk matrix, determining direction of risk and quality review of ratings.

4. Preparation of Annual Audit Plan

(a) Based on the response, all banks have indicated that they prepare an
Annual Audit Plan. However, only 18% of the banks prepare both the audit plans covering
the Audit universe and the activity/location. Whilst 65% of the banks prepare the Audit
Plan for the Audit Universe, only 50% of the banks prepare an Audit Plan for the Auditee
activity/location. There appears to be some lack of clarity on this aspect. Since most of the
banks are not conducting Off-site risk assessment for preparation of the Annual Audit plan
they continue to follow the earlier practice of preparing a plan for the Audit Universe/Audit
activity. For effective implementation of RBIA and a risk focused audit, it is important that
both the Audit plans should be prepared. The Annual Audit plan for the Audit Universe
assists the bank in identifying the activities/locations that need priority of audit resources
as also the total resources required for completion of the audit activities for the year. An
Audit plan of the Auditee activity/location assists the bank in determining the focus of the
On-site audit based on the Off-site risk assessment.
(b) The Annual Audit Plan is being prepared on the basis of the Previous
audit risk assessment ratings in 93% of the banks. Only 20% of the banks take into
consideration the Off-site risk assessment rating which is specifically carried out for
preparation of Audit Plan. This is due to the lack of conduct of an Off-site risk assessment
by most banks. As has been pointed out earlier, the conduct of Off-site risk assessment is
one of the most important steps in effective implementation of RBIA as it determines the
activities/locations within the bank that require priority of audit resources and also
determines the focus of On-site audit. Banks must be directed by RBI to introduce this
step at the earliest.
(c) The preparation of the Annual Audit plan under RBIA is to determine the
activities/locations of the bank which require Priority of audit resources, what should be the
frequency of On-site audit (the time gap between two audits of same activity/location) and
the extent of Transaction testing to be undertaken during On-site audit. The risk
assessment ratings are being used by 93% of the banks to determine the Priority of audit,
Frequency of audit and extent of Transaction testing during on-site audit as envisaged in
the RBIA Guidance Note. In most of the banks EHR & VHR ratings lead to 100%
transaction testing with audit frequency pegged at 6 – 9 months. For HR ratings the majority of
the banks carry out 60% - 100% transaction testing with a frequency of audit at 12 months.
For MR ratings transaction testing is between 30% - 100% and frequency at 12 – 15
months. For LR ratings transaction testing is between 20% - 100% and frequency at 15 –
36 months. In some banks the extent of Transaction Testing is linked to risk levels as also
frequency: the longer the gap between two audits, the higher the Transaction Testing. The audit
frequency and the extent of transaction testing are broadly in line with the
recommendations of the RBI Guidance Note. However, in a few banks the frequency of
On-site audit under RBIA is stated to be from 21 to 36 months in Low risk areas. Since
many of the banks continue to undertake regular Inspection along with conduct of RBIA
the extension of the audit cycle beyond 18 months does not violate the RBI guidelines.
(d) In line with the requirements under the RBI Guidance Note, 80% of the banks are
making use of the Audit risk matrix to determine the priority of audit resources. This matrix
incorporates the Magnitude and Frequency of risk (based on the risk assessment) to
determine the activities/locations that need priority of audit resources.
The gaps in the parameters covered under this heading are common across the three
groups of banks in the areas of preparation of an Annual audit plan for a particular activity,
use of risk assessment specifically carried out for preparation of Audit plan (Off-site risk
assessment), determining the priority of allocation of audit resources, determining the
periodicity of audit and the extent of transaction testing. The NPSBs exhibit a slightly
better application of the RBIA framework process and RBI Guidelines.

5. Conduct of On-site audit, Audit report, MAP & Audit Report closure

(a) The scope of On-site audit under RBIA should be based on the Off-site risk
assessment. In only 20% of the banks is the scope of On-site audit based on the Off-site
risk assessment. In 80% of the banks it is based on the previous audit risk assessment. In
some banks additional parameters (other than risk assessment) like occurrence of frauds,
complexity of business mix, the volume and value of business activity, level of compliance
etc. are being used to determine the scope of audit. In 73% of the banks, the extent of On-site
transaction testing is based on the risk assessment. Many banks continue to conduct
extensive audit as per earlier approach leading to greater time requirements for conduct of
On-site audit and without any material risk focus.
(b) In 43% of the banks the auditee activity/location is informed in advance of the
schedule and scope of audit whereas in 67% of the banks the element of surprise
continues. The first approach is an international practice nowadays due to the thinking that
internal audit is a tool to improve the performance and enhance the control framework of
the organization and should be applied in a spirit of collaboration and cooperation. The
latter approach is the traditional approach wherein detection of errors/frauds etc gained
prominence during audit.
(c) In line with the requirements of the RBI Guidance Note 88% of the banks have
developed separate formats for Reporting the audit findings under RBIA. The contents of
the RBIA report formats developed by banks are largely in conformity with the
requirements of the RBI Guidance note. However, in some banks there are gaps,
especially in the areas of Risk identification (15% of the banks), Risk management (28% of
the banks), Compliance with earlier RBIA reports (15% of the banks), Integrity of MIS
(18% of the banks), Data integrity and reliability (13% of the banks) and Budgetary
controls (10% of the banks). Revision of formats should be undertaken by these banks to
make RBIA more effective and in line with the framework and guidance note.
(d) Nearly all banks, 95%, have a system of Interim/Flash reports for Reporting
exceptions and excesses as well as Reporting of negative and sensitive findings in line
with the requirements of the RBI Guidance Note.
(e) The Audit report under RBIA is finalized by the audit team on site in 60% of the
banks whereas in 23% of the banks it is finalized at the Inspectorate and in another 23%
of the banks it is finalized at Head office (Inspectorate). In almost all banks the Audit team
has detailed discussions with operation heads of activity/location explaining the findings of
the audit and their recommendations. As is evident, in a few banks the finalization of the
audit report is undertaken at more than one stage/level depending on the findings and
movement in risk assessment ratings. In 50% of the banks the reports of the audit teams
are confirmed by the Zonal/Head offices of Inspection.
(f) One of the distinguishing features of RBIA in comparison to the earlier regular
inspection is the onus on the inspectors/auditors to suggest measures for risk mitigation.
In 78% of the banks the audit team in its Audit report under RBIA or the Head office
(Inspectorate) is recommending the risk mitigation measures to be taken by the auditee
activity/location.
For identification and suggestions of measures for risk mitigation it is important for the
inspectors/auditors to be aware of the Acceptable levels of various risks as per the risk
management policy of the bank. The Acceptable levels of various risks have been
identified in only 55% of the banks. The OPSBs are ahead amongst the three groups, with
acceptable levels being identified in 80% of the banks, followed by the NPSBs at 66% and
the PSBs being the worst with only 43%. There appears to be a lack of clarity on this
aspect, and identifying and incorporating the acceptable level of risk in the risk
assessment formats or in the audit manual is a challenge for many banks. The RBI should
take this up on priority and advise the banks to identify and incorporate the acceptable
level of risk in their risk assessment formats.
(g) Preparation of a Checklist for Risk Mitigation techniques is an important and
effective audit tool for the inspectors/auditors of banks. 90% of the responding banks
express the need for such a checklist but in only 43% of the banks has such a checklist
been prepared. 73% of the OPSBs, 52% of the PSBs and 50% of the NPSBs have not
prepared the checklist. Such a checklist has tremendous advantages for the auditors for
they are in a position to recommend risk mitigation measures in line with the requirements
of the Risk management Policy framework of the bank.
(h) The framework for effective implementation of RBIA calls for the preparation of a
time bound Action plan to implement the recommendations of the audit team as contained
in the RBIA report. It is heartening to note that 90% of the banks prepare a time bound
Action Plan for implementation of Risk mitigation measures and rectification of deficiencies
based on the audit findings under RBIA.

The responsibility for implementation of the Action Plan lies with the Branch/Controlling
offices in 53% of the banks whereas the Inspectorate is responsible in 47% of the banks.
The Risk management department has not been made responsible for implementation of
the Action Plan in any of the responding banks. The implementation of the Action plan is
essentially an operational function and should be left to the controlling offices/branch
functionaries/Operational risk management department.
Monitoring of the progress in implementation of the Action Plan is being undertaken jointly
by the Controlling offices and Inspectorate in all banks. Additionally, the Risk management
department is involved in monitoring the implementation of the Action Plan in 30% of the
banks. The Inspectorate should not be involved in the Implementation or Monitoring of the
Action Plan as this should ideally be done by the Controlling offices and the Operational
risk management department. The Inspectorate can save its scarce resources for more
effective uses.
(i) One of the important steps in effective implementation of RBIA is the
validation of the Off-site risk assessment by the audit team after conduct of On-site audit.
Since only 20% of the banks are undertaking Off-site risk assessment, such a
comparison between the Off-site risk assessment and the On-site risk assessment is
being undertaken in only 20% of the banks. In 63% of such banks where comparison is
being undertaken, material variations in the two risk assessments have been observed.
Some of the important reasons for the variations are:
• MIS being used for off-site risk assessment was incorrect
• There were changes in Management/Key Personnel at the auditee
  activity/location during the time interval of the two risk assessments
• A material change in focus of business activity/location took place
  between the two risk assessments
• It was observed that a material change in the control environment of the
  activity/location has taken place between the two risk assessments
• Substantial time has lapsed since the Off-site risk assessment was
  undertaken
• Activity/location had reported compliance of deficiencies of earlier reports
  which, in the subsequent audit, were found not to have been actually
  carried out.
(j) The closure of audit reports under RBIA is an issue that requires clarity based on
experiences of banks. As per the findings of the survey, in 90% of the banks the audit
report under RBIA is deemed to be closed after rectification of major deficiencies. In 23%
of the banks the closure has to be achieved in a stipulated period in addition to the
rectification of major deficiencies. In 2 banks it is closed on rectification of all deficiencies.
In the case of only 2 banks it is closed after preparation of the Action Plan. There is a
concern expressed by many banks that the quality of Closure of Audit reports is not good
and should be effectively addressed.
(k) Varied criteria are being used by banks for placing the audit reports under RBIA
before the Audit Committee of the Board. In 2 banks all RBIA reports are placed before the
ACB. In 40% of the banks a summary of all RBIA reports is placed before the ACB
whereas in another 40% of the banks reports with risk assessment ratings of High risk and
above are placed before the ACB. In 20% of the banks all reports of high business
segments are placed before the ACB. Some banks submit the RBIA reports of Treasury,
Foreign exchange operations, specialized branches, Risk management department,
controlling offices and IS audit to the ACB whereas others place all the Flash reports
under RBIA before the ACB. The basis adopted is essentially an internal decision of the
bank management and should be as per the requirements of establishing best practices.

The process adopted by most of the banks in conduct of On-site RBIA is in line with the
framework set out in the RBI Guidance note. Variations exist in defining the scope of audit,
coverage of parameters in audit report, identification of Acceptable levels of risk, a
checklist of risk mitigation techniques, implementation and monitoring of the Action plan,
closure of audit reports and rectification of deficiencies and use of the RBIA reports by the
Controlling offices for improving the performance of activities under their jurisdiction.
The NPSBs have a better record in most of the parameters as compared to the other two
groups of banks followed by the PSBs and then the OPSBs.

6. Organizational Aspects – assessment of trained manpower and Infrastructural support for RBIA

(a) As outlined earlier 95% of the banks had set up a Task force of senior executives to
chalk out a Road map for implementation of RBIA in their bank. The survey reveals that
in only 83% of the banks did the Task force identify the transitional and change
management issues in the implementation of RBIA in the bank. The most significant of
these issues and challenges were identified as being regular training of audit personnel
for conduct of RBIA, a greater focus and exposure to all bank personnel on the risk
management practices and policies of the bank, need for better quality of manpower for
audit/inspection department of banks, a speedier implementation of CBS in banks for
reliable and timely MIS, better IT infrastructural support and frequent revision in formats
for risk assessment in line with the changing banking business environment and
business plans.
The abovementioned issues are being addressed by the banks. In 75% of the banks
increased training of personnel from audit department and operations is being
undertaken. In 65% of the banks some revision of the risk assessment formats for
conduct of RBIA has been undertaken. In 43% of the banks requisitioning of better
quality of staff for audit department has been made as also for better IT infrastructural
support.
(b) For effective implementation of RBIA in banks it is necessary for a system within the
bank to keep the Internal Audit Department informed of any changes in business plans,
business practices, bank products and services, risk management practices and tools,
changes in reporting lines, changes in accounting practices and policies etc to enable
the audit department to identify any additional risks to be assessed as also undertake
revision of the risk assessment formats. The survey reveals that in all banks the Internal
audit department is kept informed of the abovementioned changes by way of
instructions, circulars, letters, conduct of review meetings, display/notification on banks'
internal portals and circulation of information of briefings to Board and Board Committees.
In addition, the Head of the Internal Audit department participates as a member of the Top
Management Meetings, audit department personnel attend briefings of bank product
programmes, the bank's Credit Policy and process manuals are vetted by the Audit and
Compliance Department, etc. Accordingly the audit checklists are suitably revised from
time to time.
(c) Keeping in mind the special skills required for conduct of RBIA the banks were
asked whether any assessment had been made by them about the quality and quantity
of manpower required by the Internal Audit Department for conduct of RBIA. On an
overall basis 78% of the banks responded that this assessment has been carried out in
their banks. The assessment has been undertaken in 100% of the NPSBs, in 78% of the
PSBs and in 64% of the OPSBs. Some of the relevant responses on how this
assessment is undertaken by some of the banks are as follows:

1. Every year, officers are selected from operations / other areas having good
personal rating and good exposure in the areas of advances, foreign exchange,
risk management, computer systems, general operations / administration etc. on a
rotation basis to serve in Audit department for 3 years.
2. Training is being given to inspectors to acquire better knowledge and skills for
conducting RBIA. Manpower requirements for the Inspection and Audit Division are
always discussed by the HR Division at the time of each promotion process.
3. We are proposing to computerize the RPT rating and arriving at Composite rating.
Accordingly staff who are well versed with computer application and banking
application have been selected.
4. Based on number of days of previous year's increase in business, opening of new
branches / offices etc., manpower requirement is assessed. Scale II officers with
minimum 5 year service in branch banking and proven track record are only posted
as Inspectors for conduct of RBIA.
5. Mostly RBIA work is assigned to senior inspecting officials who are also Chartered
Accountants including those having CISA qualifications.
6. Branches are categorized as A+, A, B and C based on their risk profile. Audit man
days are computed based on extent of detailed checking basis on which the
manpower requirement is compiled.
7. We have been recruiting officials with specialized skills. Job description is shared
with Human Resource department for recruitment of resource personnel for
internal audit department.
8. Considering the number of units/locations under Audit Universe and estimated
number of days required for completing audit of each unit/location, total number of
man days required is arrived at vis-à-vis man days available based on the current
staff strength of the Audit Dept. Also, qualifications and experience of every official
of Internal Audit Dept are also taken into account in the assessment of manpower
requirement for Internal Audit Dept.
(d) Awareness of the risk management practices and policies of the bank among the
operating personnel manning the branches/functions/activities/locations of banks is
high and prevalent across all banks. These personnel have been regularly imparted
training in risk management practices and policies of the bank. The personnel in the
audit/inspection departments of banks have also been regularly trained in the conduct of
RBIA and risk assessment.
(e) On the question of IT support for conduct of RBIA in banks, 75% of the banks state
that the technology support for conduct of RBIA and risk assessment is adequate. The
response indicates this support to be adequate in 100% of the NPSBs, in 73% of OPSBs
and in 70% of the PSBs. In 25% of the responding banks constraints exist in IT support
on account of CBS not having fully stabilized yet or the benefits of 100%
implementation of CBS have not been utilized properly by the bank or no standard
software has been developed/provided for conduct of RBIA or customized output for
RBIA has not been incorporated in the IT systems. In some banks MIS is not readily
traceable on many occasions.
In only 20% of the banks software has been developed/purchased for the conduct of
RBIA. 50% of the NPSBs have software whereas only 18% of OPSBs and 13% of PSBs
have the same. In today’s banking environment, wherein the bulk of the operations are being
conducted with IT support and IT applications this scenario is unacceptable and urgent
corrective action needs to be initiated by the banks and RBI. This will substantially
enhance the efficiency and effectiveness of RBIA.
(f) One of the important steps after introduction of a new methodology for conduct of
audit is to undertake a review of its effectiveness and achievement of objectives outlined
at the time of its introduction. The banks were asked whether they had undertaken such
a review, the frequency of such a review and any major findings of such a review. 88%
of the banks have undertaken such reviews though at varying intervals. Most banks
undertake a quarterly review and discuss the findings with the Task Force or the ACB for
further directions. In two banks the review is undertaken annually and only one bank
indicated that it has not undertaken any review since introduction of RBIA in the bank.
Many banks indicate that the review has led to revision in the formats for risk
assessment, revision of the methodology of computation of risk assessment ratings,
introduction of and revision in the checklist prepared for risk mitigation, improvement in
the risk management practices of the bank with improving risk profile of branches,
expanding the coverage of activities under RBIA, amongst others.
The parameter of Organizational aspects is a very important one for effective
implementation of RBIA. The responses are quite encouraging for the industry as a
whole but within the group of banks there is a definite variation. The NPSBs have
responded positively in most of the parameters of training and availability of qualified
manpower, IT support for conduct of RBIA and 50% of the NPSBs have installed
software for risk assessment. Other groups of banks have also responded positively on
the qualitative aspects but find that operational personnel lack appreciation of the
process of RBIA and in these banks the IT support needs to be strengthened for
effective implementation of RBIA.
The banks were also asked to indicate the benefits of introduction of RBIA in banks in
relation to the Objectives of RBIA as outlined in the framework. Based on the response it
is indicated that in almost all banks, 95%, implementation of RBIA has led to heightened
awareness of Risk management practices and policies of the bank. Implementation of
RBIA has also led to a more focused internal audit of the areas of High risk to the bank.
Reduction in time taken for conduct of internal audit (of up to 15%) has been reported by
58% of the banks and a reduction in manpower requirements (of up to 15%) has also
been reported by 48% of the banks. A further benefit has been that the audit/inspection
department seems to be gaining in stature within the bank as it has started attracting
better talent.
In 63% of the banks the Controlling offices are making use of the risk assessment under
RBIA for improving the risk profile of the activities under their jurisdiction. Their
experiences regarding the advantages/effectiveness of using the risk assessment
undertaken under RBIA include timely initiation of risk mitigation steps, providing
focused attention to high risk areas, planning of training needs for operating manpower,
preparation of business plans for the ensuing year and assessing manpower
requirements with special skills for deputation to activities under their jurisdiction.

Section II: Summary of the discussions with Senior Executives of banks

Discussions were held with Senior executives of Audit and inspection departments of a
few selected banks based at Pune/ Mumbai/Bangalore/New Delhi on the implementation
of RBIA in their bank. The discussions focused on the practical issues that arose during
the implementation of RBIA in their bank as also the important issues that they consider
require to be addressed by banks and policy makers. The important findings of these
discussions are as under:
• Identification of risks faced by the bank in its various activities/locations is a major
  challenge. The business environment is undergoing a transformation and the risk
  management practices of banks are not at a very advanced stage. Therefore
  identification of risks in existing and new activities in a dynamic environment is
  turning out to be a big challenge. Assistance from external consultants is being
  sought.
• Development of appropriate risk assessment formats for measuring the level of
  risk in the various activities/locations of the bank is another challenge. Changes in
  business lines, in the focus and plans of the business, in the operating
  environment, in key management personnel, etc. can all lead to a change
  in the risk profile of the activity/location. The risk assessment formats thus need to
  be revised every year to adequately capture the risk profile of the
  activity/location. Regular revision of risk assessment formats is a challenge.
• There is an extreme shortage of qualified and trained manpower for the conduct of
  RBIA.
• IT support for effective conduct of RBIA is a must. Appropriate software needs to
  be developed for risk assessment and risk mitigation, which can lead to
  substantial savings in time for the conduct of RBIA.
• Enhanced IT support will lead to a more robust, accurate and timely MIS, which in
  turn will improve the ability of banks to undertake off-site risk assessment.
• Members of the Audit Committee of the Board need to be well informed on the
  concept and process of RBIA. In view of a substantial number of branches
  currently being rated as High risk and above, there is constant pressure to align
  the ratings under RBIA with ratings under the earlier Regular Inspection system,
  when most of the branches had a satisfactory or good rating. There is serious
  concern among the members about the perceived deterioration in audit ratings of
  branches under RBIA.
• All major activities of the bank (other than branches) will be brought under
  RBIA gradually, on account of difficulty in identification and assessment of risks,
  development of risk assessment formats and especially a shortage of trained
  manpower and IT support.
• RBIA is an effective audit tool and has resulted in a more focused audit. It has
  enhanced the understanding of risk management practices of the bank across
  the whole spectrum of employees and increased the focus on areas of High risk
  to the bank. Savings in time and effort are envisaged and will be achieved over
  time.

Section III: Identification of key issues and suggestions

Based on an analysis of the findings of the surveys conducted and supplemented by the
discussions with senior executives of banks, the researcher has identified many
important issues. These issues need to be addressed by banks and the policy makers to
make the implementation of RBIA more effective and beneficial for the banking system
as also assist in meeting the objectives of introduction of RBIA. The identification of the
issues has been done with reference to the RBI Guidance note for implementation of
RBIA in banks in India and the framework of RBIA. The identified issues have been
categorized in the six headings outlined in the questionnaire and form the basis of
assessment of organizational preparedness of banks for effective implementation of
RBIA.

Summary of key Issues and suggestions for banks and RBI

1. Issue: Delay in formation of Task Force.
   Suggestions for banks and RBI: Speedier implementation should be undertaken by banks.

2. Issue: Coverage of Bank activities under RBIA inadequate (other than branches).
   Suggestions for banks and RBI: A time bound plan should be formulated by banks to expand
   coverage at the earliest of Treasury, IT systems, Foreign exchange operations & Risk
   management department. RBI to issue necessary instructions to banks.

3. Issue: Continuation of Regular inspection along with RBIA by most banks has increased
   workload for audit cells.
   Suggestions for banks and RBI: Regular inspection must be fully replaced by RBIA at the
   earliest. RBI to review such banks and develop road map.

4. Issue: Risk assessment of all activities of bank not carried out.
   Suggestions for banks and RBI: Risk assessment of all activities/locations must be carried
   out by banks. RBI should indicate a timeframe.

5. Issue: Risk assessment formats need revision as they are too lengthy and do not capture
   risks adequately.
   Suggestions for banks and RBI: Banks must form dedicated teams to regularly revise risk
   assessment formats. Outsourcing of development of risk assessment formats can be considered.

6. Issue: Multiple risk assessment formats being used by banks for branches.
   Suggestions for banks and RBI: Development of risk assessment formats based on Functional
   areas can eliminate this duplication.

7. Issue: Risk assessment, solely for preparation of Audit plan, not carried out by most banks.
   Suggestions for banks and RBI: This is a critical step in effective implementation of RBIA
   and should be introduced by all banks. RBI should insist that banks undertake off-site risk
   assessment.

8. Issue: Audit plan is largely prepared on the basis of previous RBIA ratings.
   Suggestions for banks and RBI: This could lead to an erroneous Audit plan as risk assessment
   may be too old and not valid. Risk assessment must be undertaken for preparation of Audit plan.

9. Issue: Acceptable level of risk not identified in many banks.
   Suggestions for banks and RBI: This is a critical input for effective implementation of RBIA
   and must be identified for each parameter. It is an important input for suggesting risk
   mitigants. Banks should include this in their risk assessment formats. RBI should instruct
   banks accordingly.

10. Issue: Check list of risk mitigation not available in many banks.
    Suggestions for banks and RBI: This should be prepared by all banks and regularly updated.
    RBI may instruct accordingly.

11. Issue: Validation of risk assessment for audit plan with on-site RBIA is not carried out in
    many banks.
    Suggestions for banks and RBI: This is an important step to initiate corrective action to
    strengthen off-site surveillance. Should be undertaken by all banks.

12. Issue: Continuous training of auditors/inspectors and operating staff is required.
    Suggestions for banks and RBI: Efforts should be increased with additional sessions in all
    training programmes. E-learning may be introduced and a mechanism may be formulated by all
    banks so that advances in RBIA are regularly communicated to all audit personnel.

13. Issue: Better quality of manpower for audit/inspection cells.
    Suggestions for banks and RBI: The RBIA policy should specify that for the audit department
    only experienced personnel having an understanding of bank's operations and risk management
    policies be inducted for effective implementation of RBIA.

14. Issue: Upgradation of IT systems and IT assistance for RBIA inadequate.
    Suggestions for banks and RBI: All Auditors/inspectors should be provided Laptops. Software
    for risk assessment under RBIA should be developed by all banks. IT systems must be upgraded
    to meet off-site risk assessment MIS requirements.

15. Issue: Time to conduct RBIA is too short.
    Suggestions for banks and RBI: Banks must reassess the time allotted for conduct of RBIA to
    make it more effective to achieve objectives.

16. Issue: Board/Audit committee members require increased awareness of the process and concept
    of RBIA to appreciate the change in audit ratings compared to Regular inspection.
    Suggestions for banks and RBI: NIBM/RBI can take the initiative to undertake this awareness
    need by way of seminars or conferences on RBIA.

Conclusion
The RBI Guidance note for implementation of RBIA in banks in India was issued in
December 2002 and further clarifications were issued in February 2005. Banks have
adopted a staggered approach for implementation of RBIA and the formation of a Task
Force of senior executives as also development of a Board approved Policy on RBIA
have been spread over the years 2001 – 2009. All banks have implemented RBIA of
branches but many of them have not implemented RBIA in other activities/locations
forming a major part of their business activities. In relation to the RBI Guidance note,
there are some gaps in the process that has been adopted by banks in the
implementation of RBIA which have been identified by the study of responses to the
surveys and the discussions with banks. On an overall basis it can be said that RBIA has
been implemented in all banks in India, though the progress made in implementation
varies amongst different banks.

References:

1. Reserve Bank of India circular DBS.CO/RBS/58/36.01.002/2001-02 dated
August 13, 2001 on Move towards Risk Based Supervision (RBS) of Banks –
discussion paper.
2. Reserve Bank of India circular DBS.CO.PP.BC. 10/11.01.005/2002-03 dated
December 27, 2002 on Risk Based Internal Audit and the attached guidance
note.
3. Reserve Bank of India circular DBS.CO.PP.BC. 17/11.01.005/2004-05 dated
February 1, 2005 on Implementation of Risk Based Internal Audit (RBIA) in
Banks. www.rbi.org
4. V K Khanna (2008), “Risk Based Internal Audit in Indian Banks: A Modified and
improved approach for conduct of Branch Audit”, The ICFAI University Journal of
Audit Practice, October, 2008. Pages 35-56.
5. Reserve Bank of India, Department of Supervision, (1995), Report of the Working
Group to review the internal control and inspection/audit system in banks,
September 1995.
6. Satyanarayana K, Kaveri V S, Ravisankar T S (1997), Management Audit in
Banks, Concept and Process, Publisher, National Institute of Bank Management,
1997, Page 3.
7. Basel Committee on Banking Supervision, Bank for International Settlements
(2002), Internal Audit in Banks and the Supervisor’s relationship with auditors: A
Survey, August 2002.
8. Gourav Vallabh Sharma (2004), Risk Based Internal Audit in Banks, The
Chartered Accountant, April 2004, Pages 1057-1066.
9. S Raghavan (2004), Risk Based Supervision and Risk – focused Audit in Banks,
The Chartered Accountant, November 2004, Pages 579 – 584.
10. D P Gupta & R K Gupta (2004), Risk Based Internal Audit in Banks, Taxmann
Allied services Pvt Ltd, 2004.
11. Kalyan Debnath (2004), EWRM in Banks, The Chartered Accountant, November
2004, Pages 559 – 566.
12. PKK Krishnan and V S Kaveri (2003), Risk Based Internal Audit in Banks: A
Survey, SBI Monthly Review, December 2003.
