Withdrawn with effect from November 16, 2021, February 18, 2022, May 02, 2022 & May 13, 2022

Implementation of Risk-based internal audit (RBIA) in banks

Ref. RBI 2004-05 /356
DBS.CO.PP.BC. 17/11.01.005/2004-05

February 1, 2005

All Scheduled Commercial Banks
(Except Regional Rural Banks)

Dear Sirs,

Implementation of Risk-based internal audit (RBIA) in banks

As you would recall, the guidelines relating to risk-based internal audit were issued by us on December 27, 2002 vide our letter DBS.CO.PP.BC.10 /11.01.005/2002-03. A review of the implementation of the risk-based internal audit in various banks has revealed that there are certain gaps/deficiencies which need to be addressed in order to ensure that the RBIA framework is effective. Some of the gaps/deficiencies observed by us are as under:

1) The risk assessment of branches should be carried out on the basis of the "inherent business risks" and "control risks", as indicated in paragraph 4.2 of our 'Guidance note on risk based internal audit'.

2) The risk assessment should not only indicate the level of risk as High, Medium and Low but also the trend of risk in terms of increasing, decreasing or stable (paragraph 4.2 of the 'Guidance note on risk based internal audit').

3) The risk assessment should invariably be undertaken on a yearly basis (paragraph 4.3 of the 'Guidance note on risk based internal audit').

4) As mentioned in paragraph 6.1 of the 'Guidance note on risk based internal audit', the bank should undertake 100 per cent transaction testing if an area falls in cell "C- Extremely High Risk" of the risk matrix. The bank may also consider 100 per cent transaction testing if an area falls in cell "B- Very High Risk" or "F- Very High Risk", and the risks are showing an increasing trend. The banks may also consider transaction testing with an element of surprise in respect of low risk areas which would be audited at relatively longer intervals. As regards the areas falling in other cells (viz., ‘A- High Risk’, ‘D-Medium Risk’, ‘E-High Risk’, ‘G- Low Risk’, ‘H-Medium Risk’, ‘I-High Risk’) of the risk matrix, the bank has to decide on the level of transaction testing based on its risk based internal audit policy duly approved by the Board.

5) As indicated in paragraph 6.1 of the 'Guidance note on risk based internal audit', the bank has to prepare a Risk Audit Matrix which would be based on the magnitude and frequency of risk. Preparation of the Risk Audit Matrix can also enable the bank to move towards the Advanced Measurement Approach for Operational Risk under Basel II.

2. Banks are advised to review the methodology of conducting the risk-based internal audit and the policy in this regard so as to align the same with the guidelines issued by RBI. As already indicated in paragraph 3 of our letter dated December 27, 2002, mentioned above, banks should form a Task Force comprising senior executives and entrust them with the responsibility of chalking out an action plan for switching over to risk-based internal audit. This process may be expedited and compliance with our guidelines ensured at an early date.

Yours faithfully,

(Amarendra Mohan)
General Manager


