Internal Audit Requirements for RBI Registered NBFCs
Internal Audit in an RBI-registered NBFC is a statutory and supervisory requirement designed to ensure financial discipline, regulatory compliance, and strong governance standards. It is grounded in the Companies Act, 2013, which mandates appointment and oversight of internal auditors for specified companies, and the RBI Act, 1934, which empowers RBI to issue binding directions on prudential norms, risk management, and supervisory control. The internal audit function provides independent assurance over credit processes, asset classification, provisioning, capital adequacy, liquidity monitoring, and regulatory reporting accuracy.
RBI has strengthened internal audit expectations through the introduction of Risk-Based Internal Audit (RBIA) and the Scale Based Regulation (SBR) system. RBIA requires NBFCs to focus audit coverage on high-risk areas rather than routine transaction testing, while SBR imposes stricter governance standards on larger and systemically important NBFCs. As a result, internal audit now plays a strategic role in enhancing board oversight, managing risk exposure, and ensuring sustained regulatory compliance.
In this article, CA Manish Mishra talks about Internal Audit Requirements for RBI Registered NBFCs.
Statutory Basis under the Companies Act, 2013
Apart from RBI regulations, internal audit in NBFCs is also grounded in company law. The Companies Act, 2013 establishes the legal requirement for appointment, oversight, and governance of the internal audit function. For most RBI-registered NBFCs, compliance with these provisions is mandatory due to their financial size and borrowing levels.
Mandatory Appointment under Section 138
Section 138 of the Companies Act, 2013 requires certain prescribed classes of companies to appoint an internal auditor. This requirement applies to:
- Listed companies
- Unlisted public companies crossing specified turnover, borrowing, or deposit thresholds
- Private companies exceeding prescribed financial limits
Most NBFCs meet these criteria because of their borrowing exposure and operational scale. Therefore, appointment of an internal auditor is not optional but a statutory obligation under company law. The objective of this provision is to strengthen internal control systems and ensure periodic independent review of company operations.
Role of Rule 13 of the Companies (Accounts) Rules, 2014
Rule 13 provides detailed clarity on the implementation of Section 138. It specifies:
- The exact classes of companies required to appoint an internal auditor
- Eligibility criteria for internal auditors, which may include a Chartered Accountant, Cost Accountant, or other qualified professional
- Authority of the Board or Audit Committee to define the scope, coverage, and frequency of internal audit
This rule ensures that internal audit is structured, professionally managed, and aligned with the company’s size and risk profile.
Audit Committee Oversight under Section 177
Section 177 mandates the constitution of an Audit Committee for specified companies. In the context of NBFCs, the Audit Committee plays a vital governance role. Internal audit reports must be submitted to the Committee for review. The Committee examines significant observations, monitors implementation of corrective actions, and escalates serious governance concerns to the Board.
Through this structure, internal audit becomes an integral part of the corporate governance system. The Board, through the Audit Committee, remains accountable for ensuring that audit findings are addressed and control weaknesses are rectified in a timely manner.
Regulatory Authority under the RBI Act, 1934
The regulatory foundation for internal audit requirements in RBI-registered NBFCs flows from the Reserve Bank of India Act, 1934. NBFCs are governed under Chapter IIIB of the Act, which grants RBI extensive powers to regulate, supervise, and issue binding directions to these entities. Internal audit expectations arise indirectly from this supervisory authority, as RBI mandates strong governance and control systems to ensure financial stability.
Powers under Chapter IIIB
Under Chapter IIIB, RBI derives regulatory powers from key provisions such as:
- Section 45JA, which empowers RBI to determine policy and issue directions relating to NBFC operations.
- Section 45L, which authorizes RBI to give directions to financial institutions in matters concerning prudential regulation.
- Section 45M, which enables RBI to regulate and supervise NBFCs in the public interest.
Through these statutory powers, RBI mandates compliance with prudential norms, governance requirements, and internal control standards. Although the Act does not specifically mention “internal audit” in isolation, the obligation to maintain effective control systems arises from RBI’s authority to ensure sound financial practices.
RBI Master Directions and Prudential Norms
Using its statutory powers, RBI issues Master Directions and prudential norms that are binding on NBFCs. These directions cover key regulatory areas such as:
- Income recognition norms
- Asset classification (including NPA norms)
- Provisioning requirements
- Capital adequacy standards
- Exposure limits and concentration norms
- Corporate governance requirements
Internal audit plays a crucial role in verifying adherence to these regulatory prescriptions. It must independently assess whether the NBFC complies with RBI’s prudential norms and accurately reports its financial and risk position. Any deviation from these norms may attract supervisory action or penalties.
Scale Based Regulation (SBR) and Its Impact
RBI introduced Scale Based Regulation (SBR) to regulate NBFCs according to their size, complexity, and systemic importance. Under this approach, NBFCs are classified into:
- Base Layer
- Middle Layer
- Upper Layer
- Top Layer
This categorization ensures proportional regulation: smaller NBFCs face lighter compliance requirements, while larger and systemically significant NBFCs are subject to stricter governance and risk standards.
Governance Expectations Across Layers
As an NBFC moves upward in regulatory layers, RBI’s expectations increase significantly. Governance standards become stricter, requiring stronger internal controls and more active board supervision. Internal audit coverage must expand to include advanced risk areas such as enterprise-level risk assessment, stress testing, and liquidity monitoring.
Risk management expectations also intensify. Larger NBFCs must maintain stronger oversight mechanisms for credit risk, market risk, operational risk, and compliance risk. The Board and Audit Committee are held more accountable for ensuring that internal audit findings are addressed promptly and effectively.
Additional Responsibilities for Upper Layer NBFCs
NBFCs classified in the Upper Layer are subject to enhanced regulatory scrutiny due to their size and potential systemic impact. These entities must ensure:
- Strong independence of the internal audit function
- Detailed review of credit concentration and sectoral exposure risks
- Validation of stress testing processes
- Continuous oversight of liquidity position and funding risks
- Comprehensive IT governance and cybersecurity audits
Internal audit in Upper Layer NBFCs is expected to function with a level of rigor comparable to banks. The audit must not only detect control weaknesses but also evaluate enterprise-wide risk management practices and governance effectiveness.
Risk-Based Internal Audit (RBIA) Requirements
Risk-Based Internal Audit (RBIA) represents a major shift in how internal audit is conducted in larger RBI-registered NBFCs. RBI introduced this requirement to ensure that internal audit focuses on areas that pose the highest financial, regulatory, and systemic risk, rather than merely reviewing transactions mechanically.
Applicability
RBI has mandated implementation of RBIA for:
- All deposit-taking NBFCs, regardless of size
- Non-deposit taking NBFCs with asset size of ₹5,000 crore and above
These entities are considered to have higher public interface, financial exposure, or systemic importance. Therefore, a more advanced and risk-oriented audit approach is required to safeguard financial stability and regulatory compliance.
Key Elements of RBIA
RBIA requires internal audit to begin with a structured risk assessment process. The audit team must identify risks across all business units, including credit, liquidity, IT, compliance, and operational functions. Each risk must be evaluated and assigned a severity score based on impact and likelihood.
Based on this assessment:
- Audit planning must prioritize high-risk areas
- Audit coverage must align with risk severity
- Resources must be allocated proportionately
- Coverage must be updated if risk profile changes
RBIA also emphasizes identification of systemic vulnerabilities: issues that could affect the NBFC at an enterprise level rather than isolated process lapses.
Shift from Traditional Audit Approach
Under RBIA, audit is no longer transaction-driven or checklist-based. Instead:
- High-risk functions such as credit underwriting, NPA recognition, ALM, and regulatory reporting receive deeper scrutiny
- Internal audit must evaluate residual risk after control implementation
- The focus is on identifying emerging risks before they materialize
- Forward-looking risk analysis is encouraged rather than historical fault-finding
This approach increases the depth, analytical capability, and strategic value of internal audit. It transforms audit from a compliance activity into a proactive risk assurance function aligned with RBI’s supervisory expectations.
Independence and Reporting Structure
Independence of the internal audit function is a fundamental regulatory expectation for RBI-registered NBFCs. RBI considers internal audit to be an independent assurance mechanism that must function without influence from operational management. Without independence, audit findings lose credibility and regulatory value.
Functional Independence
Internal audit must not report to business or operational heads whose activities are being audited. Reporting to such officials creates a conflict of interest and compromises objectivity. Instead, the internal audit function should have direct functional access to the Audit Committee of the Board. This ensures that significant observations are escalated to the highest level of governance. Internal audit must also operate free from operational interference, meaning management cannot suppress, modify, or delay reporting of material findings.
Authority and Resources
RBI expects NBFCs to equip the internal audit function with adequate authority and resources. This includes sufficient staffing, professionals with expertise in credit, finance, IT, and regulatory compliance, and unrestricted access to records, systems, and data. Internal audit must also have the authority to conduct surprise audits where required. Without adequate manpower and access, audit effectiveness is weakened and regulatory expectations remain unmet.
Role of the Audit Committee
The Audit Committee plays a central role in safeguarding independence. It must approve the annual audit plan, review high-risk observations, monitor closure of significant issues, and hold management accountable for delays in corrective action. Regular reporting to the Audit Committee strengthens oversight and ensures that audit findings translate into governance improvements.
Scope of Internal Audit in RBI-Registered NBFCs
The scope of internal audit in an RBI-registered NBFC is wide and risk-driven. It must cover all key operational, financial, regulatory, and governance areas to ensure compliance with RBI directions and prudential norms. Internal audit is expected to function as an independent assurance mechanism across the entire business cycle.
Credit Risk Areas
Credit risk is the primary risk for most NBFCs. Internal audit must examine whether the loan appraisal and sanctioning process follows approved credit policies and delegated authority limits. It should assess the robustness of credit underwriting standards, verification of borrower credentials, and adequacy of collateral documentation. Audit must also review monitoring of stressed accounts, identification of early warning signals, and effectiveness of recovery mechanisms. Weak credit controls directly impact asset quality and regulatory compliance.
Prudential Compliance
Internal audit must verify adherence to RBI’s prudential norms. This includes checking proper asset classification under NPA norms, accurate income recognition, and adequacy of provisioning. It should also validate capital adequacy ratio calculations and compliance with exposure norms. Errors in these areas may lead to regulatory penalties and supervisory action.
Liquidity and Asset Liability Management (ALM)
Liquidity risk is an important regulatory concern. Internal audit must review Asset Liability Management processes, maturity mismatch statements, liquidity coverage position, and funding concentration risks. It should ensure that the NBFC maintains sufficient liquidity buffers and conducts stress testing where required. Poor liquidity oversight can threaten financial stability.
Regulatory Reporting
NBFCs are required to submit periodic returns to RBI. Internal audit must verify the accuracy of regulatory returns, ensure timely submission of statutory filings, and reconcile reported data with financial records. Misreporting or delays in filings are treated seriously by RBI.
KYC and AML Compliance
Internal audit must examine compliance with KYC norms and anti-money laundering requirements under the Prevention of Money Laundering Act (PMLA). This includes reviewing Customer Due Diligence procedures, suspicious transaction reporting systems, sanctions screening processes, and record maintenance. Deficiencies in this area may attract severe regulatory consequences.
IT and Cybersecurity Controls
With increasing digitization, IT systems form the backbone of NBFC operations. Internal audit must assess controls over core lending systems, data protection measures, access management policies, and vendor IT security. Cyber vulnerabilities are treated as governance risks and require close oversight.
Customer Protection and Fair Practices
RBI places strong emphasis on customer protection. Internal audit must verify compliance with the Fair Practices Code, transparency in loan agreements, proper disclosure of interest and charges, adherence to grievance redressal timelines, and ethical collection practices. Failure in this area can lead to reputational damage and regulatory action.
Outsourcing and Internal Audit Responsibilities
RBI permits NBFCs to outsource certain operational activities, but it clearly prohibits outsourcing in a way that shifts or dilutes the NBFC’s accountability. Even when services are performed by third parties, the Board and senior management remain fully responsible for regulatory compliance and risk control.
Functions That Cannot Be Fully Delegated
Certain core management functions must remain under direct control of the NBFC. These include:
- Internal Audit: The responsibility for independent assurance cannot be transferred to external parties in a way that compromises oversight.
- Compliance Oversight: Monitoring adherence to RBI directions must remain within the organization.
- Strategic Decision-Making: Key business and risk decisions cannot be outsourced.
While professional assistance may be taken, ultimate accountability always rests with the NBFC.
Audit Coverage of Outsourced Activities
Even when activities are outsourced, internal audit must examine the risks arising from such arrangements. This includes reviewing the functioning and control environment of:
- Loan sourcing agents
- Recovery and collection agencies
- IT service providers
- Call centres
- Other third-party vendors
Internal audit must assess whether outsourced entities comply with RBI norms, internal policies, and contractual obligations. Weak vendor oversight can expose the NBFC to operational, legal, and reputational risks.
The Audit Committee plays an important role in monitoring outsourcing risks. It must review audit findings related to vendors and ensure corrective measures are implemented. RBI holds the NBFC fully responsible for any non-compliance arising from outsourced functions.
Compliance Function and Internal Audit Interaction
In larger RBI-registered NBFCs, the regulatory expectation goes beyond operational controls and extends to structured compliance governance. Such NBFCs are required to appoint a Chief Compliance Officer (CCO) who is responsible for ensuring adherence to RBI directions, prudential norms, statutory requirements, and internal policies. The compliance function operates as a second line of defence, while internal audit acts as an independent third line of assurance.
Testing the Effectiveness of Compliance Monitoring
Internal audit must evaluate whether the compliance department is actively monitoring regulatory obligations. This includes verifying whether compliance checklists are updated, whether periodic compliance reviews are conducted, and whether regulatory filings are accurate and timely. The objective is to ensure that compliance is not merely documented but effectively implemented in day-to-day operations.
Tracking of Regulatory Changes
RBI frequently issues circulars, amendments, and clarifications. Internal audit must assess whether the compliance function has a proper mechanism to track such regulatory updates, analyse their impact, and implement necessary changes in policies and procedures. Failure to update internal systems in line with regulatory changes may expose the NBFC to supervisory action.
Breach Reporting Mechanisms
Internal audit must examine whether compliance breaches are identified promptly and reported appropriately. This includes reviewing internal reporting systems, documentation of violations, and communication to senior management or the Board. Delayed or concealed reporting of breaches is viewed seriously by the regulator.
Escalation Procedures
Effective governance requires that significant compliance lapses be escalated to higher management levels without delay. Internal audit must verify whether clear escalation protocols exist and whether high-risk issues are reported to the Audit Committee or Board in a timely manner.
By independently assessing the compliance function, internal audit ensures that regulatory risk is properly identified, monitored, and controlled. This layered oversight strengthens governance credibility and reduces the likelihood of regulatory penalties or supervisory concerns.
Documentation and Reporting Standards
Proper documentation is one of the most important aspects of internal audit in an RBI-registered NBFC. RBI inspections do not rely merely on verbal explanations; they assess documentary evidence, quality of reporting, and the effectiveness of follow-up mechanisms. Well-structured audit reports demonstrate seriousness of governance, while weak documentation raises supervisory concerns.
Risk Grading of Audit Observations
Every audit observation must be classified based on its severity and potential impact. Risk grading helps management and the Audit Committee prioritize corrective action.
- High Risk: These are material control failures that may lead to regulatory non-compliance, financial misstatement, capital erosion, or reputational damage. Examples include incorrect NPA classification, provisioning errors, liquidity mismatches, or KYC violations. High-risk observations require immediate corrective action and close monitoring by the Audit Committee.
- Medium Risk: These relate to control weaknesses that may not immediately impact financial stability but could escalate if left unaddressed. For example, gaps in documentation, delay in reconciliation, or partial compliance with internal policies. These require time-bound remediation.
- Low Risk: These are minor procedural lapses or improvement suggestions that do not materially affect regulatory compliance. Though less important, they must still be recorded and monitored for closure.
Risk grading ensures structured prioritization and demonstrates to RBI that the NBFC understands the seriousness of identified issues.
Detailed Observation Structure
Each audit observation must be clearly documented in a structured and analytical manner. A vague remark is not sufficient; the report must explain the issue comprehensively.
- Issue Description: A clear and factual explanation of what was observed during audit, supported by evidence.
- Regulatory Reference: Citation of the applicable RBI direction, prudential norm, internal policy, or statutory provision that has been violated or not fully complied with.
- Risk Implication: Explanation of how the issue impacts the NBFC: financial risk, compliance risk, operational risk, or reputational risk.
- Root Cause Analysis: Identification of the underlying reason for the deficiency, such as inadequate supervision, weak system controls, or lack of training.
- Recommended Corrective Action: Practical steps required to rectify the issue and prevent recurrence.
- Timeline for Closure: Specific deadline assigned to management for implementing corrective action.
This structured format enhances transparency and accountability and is closely examined during RBI inspections.
Monitoring and Follow-Up Mechanism
Audit reporting does not end with issuance of the report. Effective monitoring of corrective action is equally important.
- Audit Issue Tracker: A centralized tracking system recording all audit observations, risk ratings, responsible officials, and closure status.
- Periodic Review by Audit Committee: The Audit Committee must regularly review pending high- and medium-risk observations and question delays.
- Validation of Corrective Actions: Internal audit should verify whether management’s corrective action has been properly implemented before marking the issue as closed.
- Escalation of Delays: If deadlines are missed, matters should be escalated to senior management or the Board to ensure accountability.
Without a strong follow-up system, audit observations lose effectiveness and may be viewed by RBI as governance weakness.
Supervisory and Penal Consequences of Weak Internal Audit
Internal audit in an RBI-registered NBFC is an important governance safeguard. If the function is ineffective, lacks independence, or fails to identify material risks, RBI may take supervisory action.
RBI Supervisory Observations
During inspections, RBI examines whether internal audit adequately covers high-risk areas such as credit appraisal, NPA classification, provisioning, liquidity management, and regulatory reporting. If gaps or recurring deficiencies are found, RBI issues supervisory observations and may direct time-bound corrective measures. Persistent weaknesses can escalate regulatory intervention.
Monetary Penalties under Section 58B
If internal audit failures result in violation of RBI directions, such as incorrect asset classification or misreporting of regulatory returns, RBI may impose monetary penalties under Section 58B of the RBI Act, 1934. Audit lapses are treated as governance failures contributing to non-compliance.
Business Restrictions and Enhanced Scrutiny
Serious control weaknesses may lead to restrictions on expansion, new lending, or product launches. RBI may also increase inspection frequency or require additional reporting. Public disclosure of penalties can damage reputation, affect credit ratings, and reduce investor confidence. Weak internal audit often triggers broader governance review by the regulator.
Recent Regulatory Emphasis on Audit Effectiveness
RBI now evaluates the effectiveness of internal audit rather than merely its existence. The focus is on quality, independence, and risk sensitivity.
- Stronger Board Oversight: Boards and Audit Committees are expected to actively review audit findings, monitor closure of high-risk issues, and ensure management accountability. Passive review is no longer sufficient.
- Asset Quality and Liquidity Monitoring: RBI emphasizes strict NPA recognition, provisioning accuracy, and liquidity risk monitoring. Internal audit must independently verify compliance with prudential norms and ALM discipline.
- Cyber and Compliance Accountability: With increasing digitization, RBI expects robust IT and cybersecurity audits. Internal audit must also verify accuracy of regulatory filings and effectiveness of the compliance function.
RBI’s supervisory approach has shifted from checking whether internal audit exists to evaluating how effectively it safeguards governance, risk management, and regulatory compliance.
Conclusion
Internal Audit requirements for RBI-registered NBFCs arise from a combination of statutory company law provisions and RBI’s regulatory powers under the RBI Act, 1934. Section 138 and Section 177 of the Companies Act mandate appointment and oversight, while RBI’s Master Directions and prudential norms demand risk-oriented assurance.
With Risk-Based Internal Audit requirements and Scale Based Regulation, internal audit has evolved into a strategic governance function. It must be independent, technically competent, risk-focused, and Board-supervised. A strong internal audit mechanism protects the NBFC from regulatory penalties, strengthens asset quality control, enhances governance credibility, and supports long-term financial stability.
Frequently Asked Questions (FAQs)
Q1. Is internal audit mandatory for all RBI-registered NBFCs?
Ans. Internal audit is mandatory for NBFCs that fall within the applicability of Section 138 of the Companies Act, 2013, which is based on turnover, borrowing, or listing status. In addition, RBI expects all NBFCs, especially deposit-taking and large asset-sized entities, to maintain strong internal control systems. For deposit-taking NBFCs and NBFCs with asset size ₹5,000 crore and above, Risk-Based Internal Audit (RBIA) is mandatory. Even where not explicitly mandated under company law thresholds, RBI supervision effectively requires internal audit in practice.
Q2. What is Risk-Based Internal Audit (RBIA) and who must implement it?
Ans. RBIA is an audit approach where audit planning is based on risk assessment rather than routine transaction testing. RBI has mandated RBIA for all deposit-taking NBFCs and non-deposit-taking NBFCs with asset size ₹5,000 crore and above. Under RBIA, high-risk areas such as credit underwriting, asset classification, liquidity risk, and regulatory reporting are prioritized. The objective is to identify control weaknesses that may materially affect financial stability or regulatory compliance.
Q3. Can an NBFC outsource its internal audit function?
Ans. RBI permits engagement of external professionals for assistance; however, core management functions including internal audit cannot be outsourced in a way that dilutes accountability. The ultimate responsibility for internal audit remains with the Board and senior management. Even if co-sourcing is adopted, independence, oversight, and governance responsibility must remain internal to the NBFC.
Q4. To whom should the internal audit function report in an NBFC?
Ans. For independence and regulatory compliance, the internal audit function should report functionally to the Audit Committee of the Board and not to operational management. The head of internal audit should have direct access to the Audit Committee. This ensures unbiased reporting and avoids conflicts of interest with business units.
Q5. What key areas must internal audit cover in an NBFC?
Ans. Internal audit in NBFCs must cover all important operational and regulatory areas, including:
- Credit appraisal and monitoring
- Asset classification and provisioning
- Capital adequacy compliance
- Asset Liability Management (ALM)
- Liquidity risk monitoring
- KYC/AML compliance
- Regulatory return accuracy
- IT systems and cybersecurity
- Fair Practices Code compliance
- Outsourced activity monitoring
The scope must align with RBI prudential norms and Master Directions applicable to the NBFC.
Q6. What happens if RBI finds internal audit to be weak or ineffective?
Ans. If RBI determines that the internal audit system is inadequate, it may issue supervisory observations and require corrective action. In serious cases, RBI may impose monetary penalties under Section 58B of the RBI Act, restrict business expansion, or increase supervisory monitoring. Weak internal audit often results in broader governance scrutiny during inspections.
Q7. Is an Audit Committee mandatory for NBFCs?
Ans. Yes, certain NBFCs are required under Section 177 of the Companies Act, 2013 to constitute an Audit Committee. Additionally, RBI governance directions require larger NBFCs to maintain Board-level oversight committees. The Audit Committee plays a central role in reviewing internal audit reports, monitoring unresolved issues, and ensuring corrective measures are implemented promptly.
Q8. How frequently should internal audit be conducted in an NBFC?
Ans. The frequency depends on the size and risk profile of the NBFC. Under Risk-Based Internal Audit requirements, high-risk areas should be reviewed more frequently, sometimes quarterly, while lower-risk areas may be reviewed annually. The audit plan must be approved by the Audit Committee and updated periodically based on changing risk conditions.
Q9. Does internal audit also evaluate compliance with RBI Master Directions?
Ans. Yes. Internal audit must verify compliance with all applicable RBI Master Directions and prudential norms, including income recognition, NPA classification, provisioning standards, exposure limits, and capital adequacy norms. It must also examine the accuracy of regulatory returns submitted to RBI and detect any reporting discrepancies.
Q10. How does internal audit interact with the compliance function in NBFCs?
Ans. For larger NBFCs, RBI requires appointment of a Chief Compliance Officer. Internal audit independently evaluates whether the compliance function effectively tracks regulatory changes, monitors compliance breaches, and reports deviations to senior management and the Board. This layered oversight ensures that regulatory risk is properly managed and escalated.
CA Manish Mishra