Can NBFCs “outsource” internal audit functions to external auditors?
– Anshika Agarwal (finserv@vinodkothari.com)
The Reserve Bank of India (RBI) has consistently emphasized the significance of robust internal control systems; where gaps are found by the supervisor, it has penalised regulated entities for non-compliance. Recently, the RBI imposed a penalty on an NBFC for outsourcing one of its core management functions, i.e., internal audit to an external auditor, thereby raising doubts as to whether internal audit for NBFCs can be conducted by external auditors. Does the very fact that internal audit is being conducted not internally but by an external chartered accountancy firm amount to “outsourcing” of core management function? This article examines outsourcing in the context of internal audit function, and the conditions subject to which internal audit may be conducted by external agencies.
Understanding the concept of ‘Outsourcing’
Outsourcing is defined under the Basel 2005 document1 as “a regulated entity’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the regulated entity, now or in the future.” Similarly, the IOSCO Consultation Paper2 refers to outsourcing as “a business practice in which a regulated entity uses a service provider to perform tasks, functions, processes, or activities that could otherwise be undertaken by the regulated entity itself.”
NBFCs, especially those with asset-light models or limited resources, opt for outsourcing to manage financial as well as non-financial functions. Outsourcing by NBFCs typically involves delegating tasks such as loan application processing, collection of documents, data processing, IT support, customer service, and back-office operations to third-party providers. While outsourcing boosts operational efficiency, they also carry risks, particularly when core management functions are outsourced. Notably, outsourcing is distinct from availing professional services like legal, audit, consulting, or property management, which are ancillary to the NBFC’s core business. In case of outsourcing of financial functions by regulated entities, there are specific guidelines issued by the RBI to regulate the arrangements. Clear regulatory oversight is crucial to strike a balance between leveraging external expertise and maintaining ethical, efficient practices in the financial services sector.
Regulatory Framework: The RBI’s Perspective
The RBI guidelines are specifically aimed at managing risks related to outsourcing of financial services. Master Direction – Reserve Bank of India (Non-Banking Financial Company – Scale Based Regulation) Directions, 2023 (‘SBR Directions’)3, particularly Annexure 13 on Instructions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs (‘Outsourcing Guidelines’), Para 2 lays down stringent conditions for outsourcing to ensure compliance, accountability, and effective risk management. While outsourcing can support operational efficiency, core management functions must remain under the direct control of the regulated entity.
Core Management Functions: Non-Negotiable Responsibilities
The Outsourcing Guidelines explicitly prohibits NBFCs from outsourcing core management functions vital to governance, decision-making, and risk management. The core management functions are those that are vital and crucial for the existence as well as operations of the entity. These have been defined to include:
These functions are critical for ensuring the organization’s stability and operational integrity. For example, internal audit functions identify risks, ensure regulatory compliance, and assess control effectiveness. Entrusting such functions to external entities could compromise decision-making and erode organizational trust.
Contractual Engagement for Internal Audit
While the internal audit function itself is a core management process, the Outsourcing Guidelines in the same lines allows regulated entities to engage internal auditors on a contractual basis. This means external professionals can be brought in to execute internal audits, provided their engagement adheres to regulatory standards, independence is maintained, and the entity retains oversight and control rather than putting all the responsibility on a third party.
For example, an entity may handle several operational tasks related to an audit, such as preparing documentation, organizing records, or conducting initial reviews. However, the ultimate responsibility for decision-making, oversight, and ensuring compliance with regulations rests with the audit committee or the entity’s senior management. This approach ensures that the internal management retains control over key aspects of the audit process, even while delegating specific tasks or availing expertise support. In contrast, the action of outsourcing shifts the entire responsibility for the audit to a third-party. This means the external firm is accountable for managing and executing all aspects of the audit, from operational tasks to final implementation. Such an outsourcing may reduce the internal workload, however, it also transfers control and accountability to an external entity, which may not align entirely with the entity’s internal objectives and strategic priorities.
In other words, what is permitted is to avail the expertise services of a third party for carrying out the internal audit function but not the transfer of the entire responsibility of carrying out internal audit to a third party.
ICAI Standards: Expertise and Independence in Internal Audits
The Institute of Chartered Accountants of India (ICAI) Standards on Internal Audit4 states that “Where the Internal Auditor lacks certain expertise, he shall procure the required skills either though in-house experts or through the services of an outside expert, provided independence is not compromised”.
The aforesaid guidance from the ICAI emphasizes maintaining expertise and independence. While not explicitly addressing outsourcing, these standards recognize that internal auditors may lack certain specialized skills. In such scenarios, they encourage engaging in-house or external experts while safeguarding independence.
The standards indirectly allow for outsourcing when:
- Specific expertise is unavailable in-house,
- Independence remains uncompromised
By availing the services of experts ensures that internal audit teams possess the necessary skills to perform effective reviews, while the entity retains oversight and accountability.
Companies Act, 2013: Flexibility in Internal Audit Assignments
Section 138 of the Companies Act, 2013 (‘CA 2013’)5, specifies the requirement for internal audits for certain classes of companies. It allows the appointment of internal auditors, which may include chartered accountants, cost accountants, or other professionals, as decided by the Board. Explanation of Rule 13 of the Companies (Accounts) Rules, 2014, states that “the internal auditor may or may not be an employee of the company”.
The aforesaid provision also enables companies to engage external auditors to perform internal audits, even if they are not part of the organization. While the CA 2013 does not explicitly prohibit outsourcing of internal audit functions, it places the ultimate responsibility for conducting and reporting on internal audits with the Board. This also clarifies that companies may utilize external expertise while maintaining oversight and control of the audit process.
Conclusion
In conclusion, the RBI’s recent penalties underscore the importance for regulated entities to maintain strict compliance with outsourcing regulations, particularly regarding core management functions. While the Outsourcing Guidelines as well as the provisions of CA 2013 permit engaging external auditors on a contractual basis to perform operational tasks related to audits, accountability and strategic control such as having audit plan approved by the audit committee, regular reporting to the audit committee, discussion of the board and audit committee on the conduct of audit,implementing remedial measure on the oversight of the audit committee or senior management must remain firmly within the organization. Adherence to these principles will help maintain the fine distinction between outsourcing the internal audit function and appointing external auditors as internal auditors, specifically in the context of internal audits.
Read our other related resources –
- UNDERSTANDING THE CONCEPT OF OUTSOURCING- ENVISAGING A TOUGH ROAD AHEAD FOR THE SERVICE PROVIDERS
- Draft framework for Financial Services Outsourcing
- https://www.bis.org/publ/joint12.pdf (last accessed in November 2024) ↩︎
- https://www.iosco.org/library/pubdocs/pdf/IOSCOPD654.pdf (last accessed in November 2024) ↩︎
- Reserve Bank of India, Master Direction – Scale Based Regulation (SBR): A Revised Regulatory Framework for NBFCs, October 22, 2021. Available at: https://rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12550 ↩︎
- Institute of Chartered Accountants of India, Standard on Internal Audit (SIA) 2: Basic Principles Governing Internal Audit. Available at: https://resource.cdn.icai.org/52727iasb-basicprinciples-3.pdf ↩︎
- The Companies Act, 2013, Ministry of Corporate Affairs, Government of India. Available at: https://www.mca.gov.in/. ↩︎
Reload document 
Open in new tab 