What changed
RBI issued a new circular on January 7, 2021, updating the 2002 RBIA guidance. Key changes include: the Head of Internal Audit (HIA) must be a senior executive with independent judgement, appointed preferably for a minimum of three years, and must report directly to the Audit Committee of the Board (ACB), the MD & CEO, or a Whole Time Director. Banks must ensure internal audit staff have skills in IT, data analytics, and forensic investigation, and the Board must prescribe minimum service periods for audit staff.
What it means for you
Banks must overhaul their internal audit governance to ensure functional independence and professional competence. The HIA cannot have business targets or report to business verticals, reducing conflicts of interest. This aligns Indian banks with international standards like BCBS and IIA, potentially increasing audit effectiveness but requiring significant organizational changes and investment in training.
What you must do
- Review and revise the internal audit policy to ensure the HIA is a senior executive who reports directly to the ACB, MD/CEO, or Whole Time Director and has no business targets.
- Ensure the HIA is appointed preferably for a minimum of three years, unless internal audit is a specialized career function.
- Assess and fill skill gaps in internal audit teams, especially in IT, data analytics, and forensic investigation.
- Implement Board-prescribed minimum service periods for audit staff and consider mandatory stints for staff from other departments.
- Set up quarterly meetings between the ACB and the HIA without senior management present if the HIA reports to the MD/CEO or Whole Time Director.
Who it affects
All Scheduled Commercial Banks (excluding RRBs), All Local Area Banks, All Small Finance Banks, All Payments Banks, Heads of Internal Audit, Audit Committees of the Board
What is the minimum tenure for the Head of Internal Audit under the new framework?
The HIA should be appointed for a reasonably long period, preferably a minimum of three years, unless the internal audit function is a specialized career function.
Can the HIA report to a business vertical head?
No, the HIA must not have any reporting relationship with business verticals and should not be given any business targets. The reporting line is directly to the Audit Committee of the Board, MD & CEO, or Whole Time Director.
What skills are required for internal auditors as per this circular?
Internal auditors should have competence in banking operations, accounting, information technology, data analytics, and forensic investigation, among others.