RBI/DoS/2026-27/XX
DoS.CO.PPG.XX/11.01.005/2026-27
XXXX XX, 2026

Reserve Bank of India (Non-Banking Financial Companies - Internal Audit Function) Directions, 2026

Introduction

An independent and effective Internal Audit Function is integral to sound corporate governance in Non-Banking Financial Companies and provides assurance to the Board and senior management on the adequacy and effectiveness of internal controls, risk management, and governance. Given the commonality of risks faced by Non-Banking Financial Companies, there is a need for harmonised Internal Audit systems and processes based on uniform guiding principles. Risk-Based Internal Audit (RBIA) framework, as the third line of defence, is intended to strengthen the effectiveness of Internal Audit systems and processes in Non-Banking Financial Companies.

In exercise of the powers conferred by Sections 45JA, 45L and 45M of the Reserve Bank of India Act, 1934, Section 6 of the Factoring Regulation Act, 2011 and Sections 30A, 31 and 32 of the National Housing Bank Act, 1987, and all other provisions / laws enabling the Reserve Bank of India (‘RBI’) in this regard, RBI being satisfied that it is necessary and expedient in the public interest so to do, hereby, issues these Directions hereinafter specified.

Chapter I - Preliminary

A. Short Title and Commencement

1. These Directions shall be called the Reserve Bank of India (Non-Banking Financial Companies - Internal Audit Function) Directions, 2026.

2. These Directions shall come into effect immediately upon issuance.

B. Applicability

3.
These Directions shall be applicable to the following Non-Banking Financial Companies (hereinafter collectively referred to as ‘NBFCs’ and individually as ‘NBFC’):
(1) All Deposit taking NBFCs registered with RBI,
(2) Non-Deposit taking NBFCs registered with RBI with asset size of ₹5,000 crore and above,
(3) All Deposit taking Housing Finance Companies, and
(4) Non-Deposit taking Housing Finance Companies registered with RBI with asset size of ₹5,000 crore and above.

Chapter II - Governance and Oversight

A. Role of the Board

4. The Board / Audit Committee of Board (ACB) of the NBFC shall be primarily responsible for overseeing the Internal Audit function. It shall approve a RBIA plan to determine the priorities of the Internal Audit function based on the level and direction of risk, consistent with the NBFC’s goals.

5. The Board / ACB shall review the performance of RBIA. The Board / ACB should formulate and maintain a quality assurance and improvement program that covers all aspects of the Internal Audit function. The quality assurance program may include assessment of the Internal Audit function at least once a year for adherence to the Internal Audit policy, objectives, and expected outcomes.

6. The Board / ACB shall promote the use of new audit tools / new technologies for reducing the extent of manual monitoring / transaction testing / compliance monitoring, etc.

7. The Board should prescribe a minimum period of service for staff in the Internal Audit function except for those NBFCs where the Internal Audit function is a specialised function and managed by career internal auditors. The Board may also examine the feasibility of prescribing at least one stint of service in the Internal Audit function for those staff possessing specialised knowledge useful for the audit function, but who are posted in other areas, so as to have adequate skills for the staff in the Internal Audit function.

B. Role of the Senior Management

8.
The senior management is responsible for ensuring adherence to the Internal Audit Policy as approved by the Board and development of an effective internal control function that identifies, measures, monitors, and reports all risks faced. It shall ensure that appropriate action is taken on the Internal Audit findings within given timelines and status on closure of audit reports is placed before the Board / ACB.

9. The senior management shall be responsible for establishing a comprehensive and independent Internal Audit function which should promote accountability and transparency. It shall ensure that the Internal Audit Function is adequately staffed with skilled personnel of right aptitude and attitude who are periodically trained to update their knowledge, skill, and competencies.

10. The senior management shall, based on inputs from all forms of audit, present a consolidated position of major risks faced by the NBFC at least annually to the Board / ACB.

Chapter III - Risk-Based Internal Audit Framework

A. Policy on Internal Audit

11. The Risk-Based Internal Audit (RBIA) Framework relies broadly on a well-defined policy for Internal Audit, functional independence with sufficient standing, effective channels of communication and adequate audit resources with sufficient professional competence.

12. The Board approved policy shall clearly document the purpose, authority, and responsibility of the internal audit activity, with a clear demarcation of the role and expectations from Risk Management Function and Risk Based Internal Audit Function. The policy should be consistent with the size and nature of the business undertaken, the complexity of operations and should factor in the key attributes of Internal Audit function relating to independence, objectivity, professional ethics, accountability, etc.

13. The policy should also lay down the maximum time period beyond which even the low-risk business activities / locations would not remain excluded for audit.

14.
The policy should be reviewed periodically and disseminated widely within the organisation.

B. Objectives and Scope

15. RBIA as an effective audit methodology should link the NBFC's overall risk management framework and provide assurance to the Board and the senior management on the quality and effectiveness of the NBFC’s internal controls, risk management, and governance related systems and processes.

16. The Internal Audit function should broadly assess and contribute to the overall improvement of the NBFC’s governance, risk management, and control processes using a systematic and disciplined approach. It should work on the basis of established policies and procedures as approved by the Board / ACB.

17. RBIA, in addition to selective transaction testing, shall include an evaluation of the risk management systems and control procedures in various areas of operations, which will also help in anticipating areas of potential risks and mitigating such risks.

18. While the Risk Management function should focus on identification, measurement, monitoring, and management of risks, development of risk policies and procedures, use of risk management models, etc., RBIA should undertake an independent risk assessment for the purpose of formulating a risk-based audit plan which considers the inherent business risks emanating from an activity / location and the effectiveness of the control systems for monitoring such inherent risks.

19. The Internal Audit function should assess and make appropriate recommendations to improve the governance processes on business decision making, risk management and control; promote appropriate ethics and values within the NBFC; and ensure effective performance management and staff accountability, etc.

C. Authority, Stature, and Independence

20. The Internal Audit Function shall have sufficient authority, stature, independence and resources, thereby enabling internal auditors to carry out their assignments properly.

21.
The remuneration of Internal Audit staff shall not be linked to the financial performance of the business lines for which they exercise audit responsibilities. Accordingly, the remuneration policies should be structured in a way to avoid creating conflict of interest and compromising audit’s independence and objectivity.

22. The Internal Audit function should be kept informed of all developments such as introduction of new products, changes in reporting lines, changes in accounting practices / policies, etc.

23. Requisite professional competence, knowledge, and experience of each internal auditor is essential for the effectiveness of internal audit function. The areas of knowledge and experience may include banking / financial entity’s operations, accounting, information technology, data analytics, forensic investigation, among others. The collective skill levels should be adequate to audit all areas of the NBFC.

D. Risk Assessment

24. RBIA shall undertake an independent risk assessment for the purpose of formulating a risk-based audit plan. This risk assessment should cover risks at various levels / areas (corporate and branch, the portfolio and individual transactions, etc.) as also the associated processes. Such risk assessment of business and other functions of the organisation shall at the minimum be conducted on an annual basis. The assessment should also be periodically updated to take into account changes in business environment, activities, and work processes, etc.

25. Every activity / location, including the risk management and compliance functions, shall be subjected to risk assessment by the RBIA.

26. The risk assessment in the Internal Audit department should be used for focusing on the material risk areas and prioritising the audit work.

27.
The risk assessment process should, inter alia, include identification of inherent business risks in various activities undertaken, evaluation of the effectiveness of the control systems for monitoring the inherent risks of the business activities (‘Control risk’) and drawing-up a risk-matrix for both the factors viz., inherent business risks and control risks.

28. The basis for determination of the level (high, medium, low) and trend (increasing, stable, decreasing) of inherent business risks and control risks should be clearly spelt out.

29. The risk assessment may make use of both quantitative and qualitative approaches. While the quantum of credit, market, and operational risks could largely be determined by quantitative assessment, the qualitative approach may be adopted for assessing the quality of overall governance and controls in various business activities.

30. The risk assessment methodology should, inter alia, cover following parameters:
(1) Previous internal audit reports and compliance;
(2) Proposed changes in business lines or change in focus;
(3) Significant change in management / key personnel;
(4) Results of regulatory examination report;
(5) Reports of external auditors;
(6) Industry trends and other environmental factors;
(7) Time elapsed since last audit;
(8) Volume of business and complexity of activities;
(9) Substantial performance variations from the budget; and
(10) Business strategy of the NBFC vis-à-vis the risk appetite and adequacy of control.

E. Audit Plan

31. The NBFC may prepare a Risk Audit Matrix based on the magnitude and frequency of risk. Based on the matrix, the Audit Plan should prioritise audit work to give greater attention to the areas of:
(1) High magnitude and high frequency
(2) High magnitude and medium frequency
(3) High magnitude and low frequency
(4) Medium magnitude and high frequency
(5) Medium magnitude and medium frequency
(6) Low magnitude and high frequency

32.
Before taking up specific internal audit assignment, the plan, scope, objectives, timelines and resource allocations of the assignment should be clearly established. The scope and objectives of the assignment should be based on a preliminary assessment of the risks relevant to the business activity under review.

33. The scope of the audit and resource allocation should be sufficient to achieve the objectives of the audit assignment. The precise scope of RBIA shall be determined by the NBFC for low, medium, high, very high, and extremely high-risk areas. The scope of internal audit should also include system and process audits in respect of all critical processes. The findings of system audits should also be placed before the IT Committee of the Board.

34. The Internal Audit report should be based on appropriate analysis and evaluation. It should bring out adequate, reliable, relevant, and useful information to support the observations and conclusions. It should cover the objectives, scope, and results of the audit assignment and make appropriate recommendations and / or action plans.

F. Monitoring of Compliance

35. The Internal Audit function should have a system to monitor compliance to the observations made by internal audit. Status of compliance should be an integral part of reporting to the Board / ACB.

36. All pending high and medium risk paras and persisting irregularities should be reported to the Board / ACB in order to highlight key areas in which risk mitigation has not been undertaken despite risk identification.

37. The RBIA shall have proper Management Information System (MIS) and data integrity arrangements.

G. Outsourcing

38. The Internal Audit function shall not be outsourced. However, where required, experts, including former employees, can be hired on a contractual basis subject to the Board / ACB being assured that such expertise does not exist within the audit function of the NBFC.
Any conflict of interest in such matters shall be recognised and effectively addressed. Ownership of audit reports in all cases shall rest with regular functionaries of the Internal Audit function.

Chapter IV - Head of Internal Audit

A. Authority, Stature, and Independence

39. The Head of Internal Audit (HIA) shall be a senior executive in the NBFC with the ability to exercise independent judgement. The HIA, along with the Internal Audit functionaries, shall have the authority to communicate with any staff member and get access to all records that are necessary to carry out the entrusted responsibilities.

B. Tenure

40. Except for NBFCs where the Internal Audit function is a specialised function and managed by career internal auditors, the HIA shall be appointed for a reasonably long period, preferably for a minimum of three years.

C. Reporting Line

41. The HIA shall directly report to either the Board / ACB / Managing Director and Chief Executive Officer (MD & CEO) or to the Whole Time Director (WTD). In case the MD & CEO or a WTD is the ‘reporting authority’, then the ‘reviewing authority’ shall be the ACB / Board and the ‘accepting authority’ shall be the Board in matters of performance appraisal of the HIA. In such cases, the ACB / Board shall meet the HIA at least once in a quarter, without the presence of Senior Management (including the MD & CEO / WTD).

42. The HIA shall not have any reporting relationship with the business verticals of the NBFC and shall not be given any business targets.

Chapter V - Repeal and Other Provisions

A. Repeal and Saving

43. With the issue of these Directions, the existing directions, instructions, and guidelines relating to Internal Audit Function as applicable to Non-Banking Financial Companies stand repealed, as communicated vide circular no. XX dated XXXX XX, 2026.
The directions, instructions, and guidelines already repealed vide any of the directions, instructions, and guidelines listed in the above circular shall continue to remain repealed.

44. Notwithstanding such repeal, any action taken or purported to have been taken, or initiated under the repealed directions, instructions, or guidelines shall continue to be governed by the provisions thereof. All approvals or acknowledgments granted under these repealed lists shall be deemed as governed by these Directions. Further, the repeal of these directions, instructions, or guidelines shall not in any way prejudicially affect:
(1) any right, obligation or liability acquired, accrued, or incurred thereunder;
(2) any penalty, forfeiture, or punishment incurred in respect of any contravention committed thereunder;
(3) any investigation, legal proceeding, or remedy in respect of any such right, privilege, obligation, liability, penalty, forfeiture, or punishment as aforesaid;
and any such investigation, legal proceedings, or remedy may be instituted, continued, or enforced and any such penalty, forfeiture or punishment may be imposed as if those directions, instructions, or guidelines had not been repealed.

B. Application of Other Laws Not barred

45. The provisions of these Directions shall be in addition to, and not in derogation of the provisions of any other laws, rules, regulations, or directions, for the time being in force.

C. Interpretations

46. For giving effect to the provisions of these Directions or to remove any difficulties in the application or interpretation of the provisions of these Directions, RBI may, if it considers necessary, issue necessary clarifications in respect of any matter covered herein and the interpretation of any provision of these Directions given by RBI shall be final and binding.

(Tarun Singh)
Chief General Manager