RBI/DoS/2026-27/XX
DoS.CO.PPG.XX/11.01.005/2026-27
XXXX XX, 2026

Reserve Bank of India (Urban Co-operative Banks - Internal Audit Function) Directions, 2026

Introduction

An independent and effective Internal Audit Function is integral to sound corporate governance in Urban Co-operative Banks and provides assurance to the Board and senior management on the adequacy and effectiveness of internal controls, risk management, and governance. Given the commonality of risks faced by Urban Co-operative Banks, there is a need for harmonised Internal Audit systems and processes based on uniform guiding principles. Risk-Based Internal Audit (RBIA) framework, as the third line of defence, is intended to strengthen the effectiveness of Internal Audit systems and processes in Urban Co-operative Banks.

In exercise of the powers conferred by Section 35A read with Section 56 of the Banking Regulation Act, 1949, and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest so to do, hereby, issues these Directions hereinafter specified.

Chapter I - Preliminary

A. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Urban Co-operative Banks - Internal Audit Function) Directions, 2026.

2. These Directions shall come into effect immediately upon issuance.

B. Applicability

3. These Directions shall be applicable to Urban Co-operative Banks (hereinafter collectively referred to as ‘UCBs’ and individually as ‘UCB’). For the purpose of these Directions, ‘Urban Co-operative Banks’ shall mean Primary Co-operative Banks as defined under Section 5(ccv) read with Section 56 of Banking Regulation Act, 1949.

Provided that Chapter II, III and IV of these Directions shall be applicable to UCBs having asset size of ₹500 crore and above except Salary Earners UCBs, Unit UCBs, and UCBs under All Inclusive Directions.
Provided that Chapter V of these Directions shall be applicable to UCBs having asset size of less than ₹500 crore, all Salary Earners UCBs, Unit UCBs, and UCBs under All Inclusive Directions.

C. Definitions

4. All expressions used in these Directions, shall have the same meaning as have been assigned to them under the Reserve Bank of India Act, 1934, the Banking Regulation Act, 1949, the Companies Act, 2013, or any statutory modification or re-enactment thereto or other regulations issued by RBI or the Glossary of Terms published by RBI or as used in commercial parlance, as the case may be.

Chapter II - Governance and Oversight

A. Role of the Board

5. The Board / Audit Committee of Board (ACB) of the UCB shall be primarily responsible for overseeing the Internal Audit function. It shall approve a RBIA plan to determine the priorities of the Internal Audit function based on the level and direction of risk, consistent with the UCB’s goals.

6. The Board / ACB shall review the performance of RBIA. The Board / ACB should formulate and maintain a quality assurance and improvement program that covers all aspects of the Internal Audit function. The quality assurance program may include assessment of the Internal Audit function at least once a year for adherence to the Internal Audit policy, objectives, and expected outcomes.

7. The Board / ACB shall promote the use of new audit tools / new technologies for reducing the extent of manual monitoring / transaction testing / compliance monitoring, etc.

8. The Board should prescribe a minimum period of service for staff in the Internal Audit function except for those UCBs where the Internal Audit function is a specialised function and managed by career internal auditors.
The Board may also examine the feasibility of prescribing at least one stint of service in the Internal Audit function for those staff possessing specialised knowledge useful for the audit function, but who are posted in other areas, so as to have adequate skills for the staff in the Internal Audit function.

B. Role of the Senior Management

9. The senior management is responsible for ensuring adherence to the Internal Audit Policy as approved by the Board and development of an effective internal control function that identifies, measures, monitors, and reports all risks faced. It shall ensure that appropriate action is taken on the Internal Audit findings within given timelines and status on closure of audit reports is placed before the Board / ACB.

10. The senior management shall be responsible for establishing a comprehensive and independent Internal Audit function which should promote accountability and transparency. It shall ensure that the Internal Audit Function is adequately staffed with skilled personnel of right aptitude and attitude who are periodically trained to update their knowledge, skill, and competencies.

11. The senior management shall, based on inputs from all forms of audit, present a consolidated position of major risks faced by the UCB at least annually to the Board / ACB.

Chapter III - Risk-Based Internal Audit Framework

A. Policy on Internal Audit

12. The Risk-Based Internal Audit (RBIA) Framework relies broadly on a well-defined policy for Internal Audit, functional independence with sufficient standing, effective channels of communication and adequate audit resources with sufficient professional competence.

13. The Board approved policy shall clearly document the purpose, authority, and responsibility of the internal audit activity, with a clear demarcation of the role and expectations from Risk Management Function and Risk Based Internal Audit Function.
The policy should be consistent with the size and nature of the business undertaken, the complexity of operations and should factor in the key attributes of Internal Audit function relating to independence, objectivity, professional ethics, accountability, etc.

14. The policy should also lay down the maximum time period beyond which even the low-risk business activities / locations would not remain excluded for audit.

15. The policy should be reviewed periodically and disseminated widely within the organisation.

B. Objectives and Scope

16. RBIA as an effective audit methodology should link the UCB's overall risk management framework and provide assurance to the Board and the senior management on the quality and effectiveness of the UCB’s internal controls, risk management, and governance related systems and processes.

17. The Internal Audit function should broadly assess and contribute to the overall improvement of the UCB’s governance, risk management, and control processes using a systematic and disciplined approach. It should work on the basis of established policies and procedures as approved by the Board / ACB.

18. RBIA, in addition to selective transaction testing, shall include an evaluation of the risk management systems and control procedures in various areas of operations, which will also help in anticipating areas of potential risks and mitigating such risks.

19. While the Risk Management function should focus on identification, measurement, monitoring, and management of risks, development of risk policies and procedures, use of risk management models, etc., RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity / location and the effectiveness of the control systems for monitoring such inherent risks.

20. The Internal Audit function should assess and make appropriate recommendations to improve the governance processes on business decision making, risk management and control; promote appropriate ethics and values within the UCB; and ensure effective performance management and staff accountability, etc.

C. Authority, Stature, and Independence

21. The Internal Audit Function shall have sufficient authority, stature, independence and resources, thereby enabling internal auditors to carry out their assignments properly.

22. The remuneration of Internal Audit staff shall not be linked to the financial performance of the business lines for which they exercise audit responsibilities. Accordingly, the remuneration policies should be structured in a way to avoid creating conflict of interest and compromising audit’s independence and objectivity.

23. The Internal Audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices / policies, etc.

24. Requisite professional competence, knowledge, and experience of each internal auditor is essential for the effectiveness of internal audit function. The areas of knowledge and experience may include banking / financial entity’s operations, accounting, information technology, data analytics, forensic investigation, among others. The collective skill levels should be adequate to audit all areas of the UCB.

D. Risk Assessment

25. RBIA shall undertake an independent risk assessment for the purpose of formulating a risk-based audit plan. This risk assessment should cover risks at various levels / areas (corporate and branch, the portfolio and individual transactions, etc.) as also the associated processes. Such risk assessment of business and other functions of the organisation shall at the minimum be conducted on an annual basis.
The assessment should also be periodically updated to take into account changes in business environment, activities, and work processes, etc.

26. Every activity / location, including the risk management and compliance functions, shall be subjected to risk assessment by the RBIA.

27. The risk assessment in the Internal Audit department should be used for focusing on the material risk areas and prioritising the audit work.

28. The risk assessment process should, inter alia, include identification of inherent business risks in various activities undertaken, evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘Control risk’) and drawing-up a risk-matrix for both the factors viz., inherent business risks and control risks.

29. The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out.

30. The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of overall governance and controls in various business activities.

31. The risk assessment methodology should, inter alia, cover the following parameters:
(1) Previous internal audit reports and compliance;
(2) Proposed changes in business lines or change in focus;
(3) Significant change in management / key personnel;
(4) Results of regulatory examination report;
(5) Reports of external auditors;
(6) Industry trends and other environmental factors;
(7) Time elapsed since last audit;
(8) Volume of business and complexity of activities;
(9) Substantial performance variations from the budget; and
(10) Business strategy of the UCB vis-à-vis the risk appetite and adequacy of control.

E. Audit Plan

32. The UCB may prepare a Risk Audit Matrix based on the magnitude and frequency of risk. Based on the matrix, the Audit Plan should prioritise audit work to give greater attention to the areas of:
(1) High magnitude and high frequency
(2) High magnitude and medium frequency
(3) High magnitude and low frequency
(4) Medium magnitude and high frequency
(5) Medium magnitude and medium frequency
(6) Low magnitude and high frequency

33. Before taking up specific internal audit assignment, the plan, scope, objectives, timelines and resource allocations of the assignment should be clearly established. The scope and objectives of the assignment should be based on a preliminary assessment of the risks relevant to the business activity under review.

34. The scope of the audit and resource allocation should be sufficient to achieve the objectives of the audit assignment. The precise scope of RBIA shall be determined by the UCB for low, medium, high, very high, and extremely high-risk areas. The scope of internal audit should also include system and process audits in respect of all critical processes. The findings of system audits should also be placed before the IT Committee of the Board.

35. The Internal Audit report should be based on appropriate analysis and evaluation. It should bring out adequate, reliable, relevant, and useful information to support the observations and conclusions. It should cover the objectives, scope, and results of the audit assignment and make appropriate recommendations and / or action plans.

F. Monitoring of Compliance

36. The Internal Audit function should have a system to monitor compliance to the observations made by internal audit. Status of compliance should be an integral part of reporting to the Board / ACB.

37. All pending high and medium risk paras and persisting irregularities should be reported to the Board / ACB in order to highlight key areas in which risk mitigation has not been undertaken despite risk identification.

38. The RBIA shall have proper Management Information System (MIS) and data integrity arrangements.

G. Outsourcing

39. The Internal Audit function shall not be outsourced. However, where required, experts, including former employees, can be hired on a contractual basis subject to the Board / ACB being assured that such expertise does not exist within the audit function of the UCB. Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the Internal Audit function.

Chapter IV - Head of Internal Audit

A. Authority, Stature, and Independence

40. The Head of Internal Audit (HIA) shall be a senior executive in the UCB with the ability to exercise independent judgement. The HIA, along with the Internal Audit functionaries, shall have the authority to communicate with any staff member and get access to all records that are necessary to carry out the entrusted responsibilities.

B. Tenure

41. Except for UCBs where the Internal Audit function is a specialised function and managed by career internal auditors, the HIA shall be appointed for a reasonably long period, preferably for a minimum of three years.

C. Reporting Line

42. The HIA shall directly report to either the Board / ACB / Managing Director and Chief Executive Officer (MD & CEO) or to the Whole Time Director (WTD). In case the MD & CEO or a WTD is the ‘reporting authority’, then the ‘reviewing authority’ shall be the ACB / Board and the ‘accepting authority’ shall be the Board in matters of performance appraisal of the HIA. In such cases, the ACB / Board shall meet the HIA at least once in a quarter, without the presence of Senior Management (including the MD & CEO / WTD).

43. The HIA shall not have any reporting relationship with the business verticals of the UCB and shall not be given any business targets.

Chapter V - Inspection and Internal Audit System

A. System and Structure

44. The UCB shall have an Inspection and Internal Audit system. The Head of the Inspection Department at the Head Office of the UCB should be an official of sufficient seniority and integrity, who shall report directly to the Chairman. If the UCB has Zonal / Regional Offices, there should be an audit machinery under an official of sufficient seniority as the Zonal / Regional Chief to conduct the periodic audit of branches under its jurisdiction.

45. The officers posted to Inspection Department shall have sufficient experience and exposure. A minimum continuous experience of three years in Inspection Department should be made as a prerequisite for promotion of the staff to senior level.

B. Periodicity and Coverage

46. All branches of the UCB should be subjected to Internal Audit of surprise character at least once every 12 months.

47. Such inspections should have a comprehensive coverage leaving no scope for any malpractices / irregularities remaining undetected, and should include, inter alia, the following:
(1) the internal control system including various periodical control returns submitted to the controlling offices;
(2) position of irregularities pointed out by RBI; and
(3) corruption / fraud prone areas such as appraisal of credit proposals, balancing of books, reconciliation of inter-branch accounts, settlement of clearing transactions, suspense accounts, premises, and stationery accounts.

48. The annual internal inspection should be supplemented by surprise short inspection at irregular intervals, particularly of large branches, to be carried out by officials at appropriate higher levels, to ensure that branch officials are not indulging in malafide practices.

49. Head Office Departments and Controlling Offices shall also be subjected to regular inspection by very senior officials of the UCB.

C. Special Audits

50. Apart from the above inspections, there should be a regular system of revenue audit of large branches.
The reasons for income leakage unearthed during such audit should be examined and action should be taken against the staff responsible for the lapses.

51. The UCB may implement a system of exclusive scrutiny of credit portfolio with focus on larger advances and group exposures at regular intervals.

52. The UCB shall conduct special scrutiny of high value accounts shifted to the UCB along with executives / officials including General Managers / Executive Directors / Managing Directors transferred from other banks. Similarly, the accounts transferred from other branches along with the officials should be subjected to thorough scrutiny during inspection. The summary of the important findings may be submitted to the ACB.

D. Other Instructions

53. Inspections should not be treated as fault-finding missions. Instead, they should be used to educate staff on prescribed safeguards and the risks of deviating from established systems and guidelines.

54. Issues raised by RBI through its supervisory processes should be followed up expeditiously, with periodic compliance reports submitted to the Board.

55. The UCB should keep its control-returns framework optimised by minimising multiplicity of internal returns and ensuring accurate compilation, timely submission, and thorough scrutiny to detect early warning signals and irregularities.

56. Whenever control returns indicate an abnormal position, a surprise inspection should be conducted promptly to safeguard the bank’s interests and prevent any opportunity for delinquent officials to aggravate the situation or tamper with records.

57. The branches of the UCB should submit monthly certificates confirming that inspections of associated units have been completed at the prescribed intervals and that no deficiencies in the quality or quantity of stocks pledged or hypothecated as security for advances have been observed.

58. During visits to the branches, controllers should conduct random checks of drawing power records, stock statements received, and related documents against outstanding balances. They should also verify select balance books to ensure proper maintenance and accuracy of balancing and obtain periodic reports.

59. The UCB should put in place a system requiring any employee who notices an irregular practice in any operational area to promptly report it to higher authorities for remedial action.

Chapter VI - Repeal and Other Provisions

A. Repeal and Saving

60. With the issue of these Directions, the existing directions, instructions, and guidelines relating to Internal Audit Function as applicable to Urban Co-operative Banks stand repealed, as communicated vide circular no. XX dated XXXX XX, 2026. The directions, instructions, and guidelines already repealed vide any of the directions, instructions, and guidelines listed in the above circular shall continue to remain repealed.

61. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions.
Further, the repeal of these directions, instructions, or guidelines shall not in any way prejudicially affect:
(1) any right, obligation or liability acquired, accrued, or incurred thereunder;
(2) any penalty, forfeiture, or punishment incurred in respect of any contravention committed thereunder;
(3) any investigation, legal proceeding, or remedy in respect of any such right, privilege, obligation, liability, penalty, forfeiture, or punishment as aforesaid;
and any such investigation, legal proceedings, or remedy may be instituted, continued, or enforced and any such penalty, forfeiture or punishment may be imposed as if those directions, instructions, or guidelines had not been repealed.

B. Application of Other Laws Not Barred

62. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

63. For giving effect to the provisions of these Directions or to remove any difficulties in the application or interpretation of the provisions of these Directions, RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by RBI shall be final and binding.

(Tarun Singh)
Chief General Manager