Can NBFCs “outsource” internal audit functions to external auditors? 

– Anshika Agarwal (finserv@vinodkothari.com)

The Reserve Bank of India (RBI) has consistently emphasized the significance of robust internal control systems; where gaps are found by the supervisor, it has penalised regulated entities for non-compliance. Recently, the RBI imposed a penalty on an NBFC for outsourcing one of its core management functions, i.e., internal audit, to an external auditor, thereby raising doubts as to whether internal audit for NBFCs can be conducted by external auditors. Does the very fact that internal audit is being conducted not internally but by an external chartered accountancy firm amount to “outsourcing” of a core management function? This article examines outsourcing in the context of the internal audit function, and the conditions subject to which internal audit may be conducted by external agencies.

Understanding the concept of ‘Outsourcing’

Outsourcing is defined under the Basel 2005 document[1] as “a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future.” Similarly, the IOSCO Consultation Paper[2] refers to outsourcing as “a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, or activities that could otherwise be undertaken by the regulated entity itself.”

NBFCs, especially those with asset-light models or limited resources, opt for outsourcing to manage financial as well as non-financial functions. Outsourcing by NBFCs typically involves delegating tasks such as loan application processing, collection of documents, data processing, IT support, customer service, and back-office operations to third-party providers. While outsourcing boosts operational efficiency, it also carries risks, particularly when core management functions are outsourced. Notably, outsourcing is distinct from availing professional services like legal, audit, consulting, or property management, which are ancillary to the NBFC’s core business. In case of outsourcing of financial functions by regulated entities, there are specific guidelines issued by the RBI to regulate the arrangements. Clear regulatory oversight is crucial to strike a balance between leveraging external expertise and maintaining ethical, efficient practices in the financial services sector.

Regulatory Framework: The RBI’s Perspective

The RBI guidelines are specifically aimed at managing risks related to outsourcing of financial services. Master Direction – Reserve Bank of India (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023 (‘SBR Directions’)[3], particularly Annexure 13 on Instructions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs (‘Outsourcing Guidelines’), Para 2, lays down stringent conditions for outsourcing to ensure compliance, accountability, and effective risk management. While outsourcing can support operational efficiency, core management functions must remain under the direct control of the regulated entity.

Core Management Functions: Non-Negotiable Responsibilities 

The Outsourcing Guidelines explicitly prohibit NBFCs from outsourcing core management functions vital to governance, decision-making, and risk management. The core management functions are those that are vital and crucial for the existence as well as operations of the entity. These have been defined to include:

These functions are critical for ensuring the organization’s stability and operational integrity. For example, internal audit functions identify risks, ensure regulatory compliance, and assess control effectiveness. Entrusting such functions to external entities could compromise decision-making and erode organizational trust.

Contractual Engagement for Internal Audit

While the internal audit function itself is a core management process, the Outsourcing Guidelines, along the same lines, allow regulated entities to engage internal auditors on a contractual basis. This means external professionals can be brought in to execute internal audits, provided their engagement adheres to regulatory standards, independence is maintained, and the entity retains oversight and control rather than putting all the responsibility on a third party.

For example, an entity may handle several operational tasks related to an audit, such as preparing documentation, organizing records, or conducting initial reviews. However, the ultimate responsibility for decision-making, oversight, and ensuring compliance with regulations rests with the audit committee or the entity’s senior management. This approach ensures that the internal management retains control over key aspects of the audit process, even while delegating specific tasks or availing expertise support. In contrast, the action of outsourcing shifts the entire responsibility for the audit to a third party. This means the external firm is accountable for managing and executing all aspects of the audit, from operational tasks to final implementation. Such outsourcing may reduce the internal workload; however, it also transfers control and accountability to an external entity, which may not align entirely with the entity’s internal objectives and strategic priorities.

In other words, what is permitted is to avail the expertise services of a third party for carrying out the internal audit function but not the transfer of the entire responsibility of carrying out internal audit to a third party.

ICAI Standards: Expertise and Independence in Internal Audits

The Institute of Chartered Accountants of India (ICAI) Standards on Internal Audit[4] state that “Where the Internal Auditor lacks certain expertise, he shall procure the required skills either through in-house experts or through the services of an outside expert, provided independence is not compromised”.

The aforesaid guidance from the ICAI emphasizes maintaining expertise and independence. While not explicitly addressing outsourcing, these standards recognize that internal auditors may lack certain specialized skills. In such scenarios, they encourage engaging in-house or external experts while safeguarding independence.

The standards indirectly allow for outsourcing when:

  • Specific expertise is unavailable in-house,
  • Independence remains uncompromised

Availing the services of experts ensures that internal audit teams possess the necessary skills to perform effective reviews, while the entity retains oversight and accountability.

Companies Act, 2013: Flexibility in Internal Audit Assignments

Section 138 of the Companies Act, 2013 (‘CA 2013’)[5] specifies the requirement for internal audits for certain classes of companies. It allows the appointment of internal auditors, which may include chartered accountants, cost accountants, or other professionals, as decided by the Board. The Explanation to Rule 13 of the Companies (Accounts) Rules, 2014, states that “the internal auditor may or may not be an employee of the company”.

The aforesaid provision also enables companies to engage external auditors to perform internal audits, even if they are not part of the organization. While the CA 2013 does not explicitly prohibit outsourcing of internal audit functions, it places the ultimate responsibility for conducting and reporting on internal audits with the Board. This also clarifies that companies may utilize external expertise while maintaining oversight and control of the audit process.

Conclusion

In conclusion, the RBI’s recent penalties underscore the importance for regulated entities of maintaining strict compliance with outsourcing regulations, particularly regarding core management functions. While the Outsourcing Guidelines as well as the provisions of CA 2013 permit engaging external auditors on a contractual basis to perform operational tasks related to audits, accountability and strategic control, such as having the audit plan approved by the audit committee, regular reporting to the audit committee, discussion by the board and audit committee on the conduct of the audit, and implementing remedial measures under the oversight of the audit committee or senior management, must remain firmly within the organization. Adherence to these principles will help maintain the fine distinction between outsourcing the internal audit function and appointing external auditors as internal auditors, specifically in the context of internal audits.

Read our other related resources –

  1. UNDERSTANDING THE CONCEPT OF OUTSOURCING- ENVISAGING A TOUGH ROAD AHEAD FOR THE SERVICE PROVIDERS
  2. Draft framework for Financial Services Outsourcing

  1. https://www.bis.org/publ/joint12.pdf (last accessed in November 2024)
  2. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD654.pdf (last accessed in November 2024)
  3. Reserve Bank of India, Master Direction – Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs, October 22, 2021. Available at: https://rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12550
  4. Institute of Chartered Accountants of India, Standard on Internal Audit (SIA) 2: Basic Principles Governing Internal Audit. Available at: https://resource.cdn.icai.org/52727iasb-basicprinciples-3.pdf
  5. The Companies Act, 2013, Ministry of Corporate Affairs, Government of India. Available at: https://www.mca.gov.in/

The Clean up call: RBI Action against Lending practices

Virtual Webinar | 28th October 2024 | 6:15 PM.

To watch the webinar, click here.

Click here to register: https://forms.gle/BtiZdmEDrU7Y9Tcb9


OVERVIEW OF THE RBI REGULATORY FRAMEWORK FOR NBFCS

– Vinod Kothari & Anita Baid | finserv@vinodkothari.com

This presentation was used during the ICSI Crash course

Day 1


Day 6


Two days refresher course on NBFC Regulations

Fill the google form to register: https://forms.gle/mpVZhhhqsZV9uiti8


Online Workshop on Regulatory Concerns on Fair Lending Practices and KYC

Register here: https://forms.gle/cQ3RYWAwhqd3hqTs7

NBFC Regulation turned sixty

Vinod Kothari, finserv@vinodkothari.com

Not sure if any cake was cut[1], but NBFC regulation turned 60, on 1st Feb., 2024. It was on 1st Feb., 1964 that the insertion of Chapter IIIB in the RBI Act was made effective. This is the chapter that gave the RBI statutory powers to register and regulate NBFCs.

1964: Insertion of regulatory power

What was the background to insertion of this regulatory power? Chapter IIIB was inserted by the Banking Law (Miscellaneous Provisions) Act, 1963. The text of the relevant Bill, 1963  gives the object of the amendment: “The existing enactments relating to banks do not provide for any control over companies or institutions, which, although they are not treated as banks, accept deposits from the general public or carry other business which is allied to banking. For ensuring more effective supervision and management of the monetary and credit system by the Reserve Bank, it is desirable that the Reserve Bank should be enabled to regulate the conditions on which deposits may be accepted by these non-banking companies or institutions. The Reserve Bank should also be empowered to give to any financial institution or institutions directions in respect of matters, in which the Reserve Bank, as the central banking institution of the country, may be interested from the point of view of the control of credit policy.”

Therefore, there were 2 major objectives – regulation of deposit-taking companies, and giving credit-creation connected directions, as these entities were engaged in quasi-banking activities.


Consolidated NBFC Regulations for all Scales and Functions

– Anita Baid, Vice President | anita@vinodkothari.com

Updated as on 09.11.2023

The Reserve Bank of India (RBI) has issued a notification outlining a new regulatory framework for Non-Banking Financial Companies (NBFCs) on October 19, 2023 (‘SBR Framework’). The RBI has played a crucial role in regulating the NBFC sector over the years. With the sector’s evolution and changing dynamics, the regulator has been proactive in amending regulations. Previously, NBFCs were classified into two categories: systemically important and non-systemically important. However, starting from October 2022, the RBI introduced a new classification system based on layers: base, middle, upper, and top.

The reclassification introduced some progressive changes but also created certain ambiguities in the applicability of regulatory rules. Specifically, the terms “base layer” and “middle layer” were related to non-systemically important (non-SI) and systemically important (SI) NBFCs. When classifying NBFCs based on asset size, those with assets under Rs. 500 crores were considered non-SIs, while those with assets over Rs. 500 crores were classified as SIs.

However, the SBR Framework introduced a different set of criteria. According to this framework, NBFCs with assets less than Rs. 1000 crores are categorized as Base Layer entities, while those with assets exceeding Rs. 1000 crores are classified as Middle Layer entities. This creates a gray area for NBFCs with assets falling between Rs. 500 crores and Rs. 1000 crores.

To address this issue and provide a more streamlined regulatory framework, the RBI has issued the Master Direction – Reserve Bank of India (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023 (‘SBR Master Directions’).

The SBR Master Direction, effective immediately, intends to consolidate the various regulations for NBFCs of different scales and functions in one place. The consolidation has streamlined various regulations issued under the SBR Framework governing the different layers of NBFCs. It brings clarity to compliance requirements and ensures that all NBFCs operate within a framework that is consistent and transparent. The SBR Master Directions is divided into sections for different categories of NBFCs, based on size as well as function:

  1. Regulations for Base Layer;
  2. Regulations for Middle Layer (this would be in addition to the regulations for BL);
  3. Regulations for Upper Layer (this would be in addition to the regulations for BL and ML);
  4. Regulations for Top Layer (to be specifically communicated upon classification in TL);
  5. Specific Directions for MFIs (this is in addition to the regulations based on layers);
  6. Specific Directions for Factors and NBFCs registered under Factoring Act (this is in addition to the regulations based on layers);
  7. Specific Directions for IDFs (this is in addition to the regulations based on layers).

Further, the specific regulations issued by the RBI would still be relevant and continue to be applicable for Housing Finance Companies, Core Investment Companies, NBFC-P2P, NBFC-Account Aggregator, deposit taking NBFCs, Residuary Non-Banking Companies, Mortgage Guarantee Companies and Asset Reconstruction Companies. Additionally, based on the classification under the SBR Framework (BL or ML), the relevant provisions of the SBR Master Directions shall be applicable.

Previously, under the SBR notification dated October 22, 2021, the RBI clarified that all references to NBFC-ND (non-systemically important non-deposit taking NBFC) would now be referred to as NBFC-BL, and all references to NBFC-D (deposit-taking NBFC) and NBFC-ND-SI (systemically important non-deposit taking NBFC) would be known as NBFC-ML or NBFC-UL, depending on the case.

Furthermore, it specified that existing NBFC-ND-SI with asset sizes of ₹ 500 crore and above but below ₹1000 crore (except those necessarily categorized as Middle Layer) would be reclassified as NBFC-BL.

However, upon an initial review of the SBR Master Directions, it appears that certain guidelines that were typically applicable to NBFC-SI and should logically apply to NBFC-ML are explicitly retained for NBFCs with asset sizes exceeding ₹ 500 crores. Here is a list of such guidelines:

  1. Prudential Framework for Resolution of Stressed Assets dated June 07, 2019, as amended from time to time would be applicable on all NBFCs-D and non-deposit taking NBFCs of asset size of ₹500 crore and above. It may be noted that there are specific norms for restructuring of advances by non-deposit taking NBFCs with asset size less than ₹500 crore.
  2. Non-Cooperative Borrowers identification shall be done by all NBFC-Factors, NBFCs-D and non-deposit taking NBFCs of asset size of ₹500 crore and above.
  3. Refinancing of Project Loans to any existing infrastructure and other project loans by non-deposit taking NBFCs with asset size less than ₹500 crore.
  4. Framework for Revitalizing Distressed Assets in the Economy shall apply to non-deposit taking NBFCs with asset size less than ₹500 crore.
  5. Early Recognition of Stress and Reporting to Central Repository of Information on Large Credits (CRILC) reporting by all NBFC-Factors, NBFC-D and non-deposit taking NBFCs of asset size of ₹500 crore and above. 

As the financial landscape continues to evolve, the RBI’s proactive approach ensures that the NBFC sector remains well-updated. 

Upon further perusal of the SBR Master Directions, it can be noticed that there are certain regulations that were issued under the SBR Framework that have not been consolidated, such as follows:

  1. Compliance Function and Role of Chief Compliance Officer (CCO) – NBFCs
  2. Implementation of ‘Core Financial Services Solution’ by Non-Banking Financial Companies (NBFCs)

Further, there are specific master directions on information technology framework, fraud reporting, etc. that have not been consolidated. It may also be noted that para 4.2 clarifies that the SBR Master Directions consolidate the regulations as issued by the Department of Regulation (DoR); any other directions/guidelines issued by any other Department of the RBI, as applicable to an NBFC, shall continue to be adhered to. Accordingly, the aforesaid regulations that were issued by the Department of Supervision (DoS) or Department of Non-Banking Supervision (DNBS) have not been consolidated, nor are they listed in the Repeal Section of the SBR Master Directions. There does not seem to be any reason for the aforesaid regulations to be repealed, and hence, it seems that only those circulars and notifications that are issued by the DoR have been considered while compiling the regulations, including those introduced under the SBR Framework. Since there are standalone notifications on the aforesaid issued by the DoS or DNBS, the said regulations should also continue to be applicable.


Our YouTube Series relating to the topic: Tattva

Implementation of Compliance Function by NBFC-ML

Eliza Bahrainwala, Executive | eliza@vinodkothari.com



Our related resources on the topic:-

  1. Enhanced Corporate Governance and Compliance Function for larger NBFCs
  2. Compliance Risk Assessment


Workshop on Regulatory Framework for New-age NBFCs

Register Here : https://forms.gle/C2DQCp5BrAGu9Nry5