Risk Management Internal Audit

Conducting an internal audit of risk management in a Non-Banking Financial Company
(NBFC) is an essential process to ensure that the organization effectively identifies,
assesses, and manages risks within its operations. Here are the key steps involved in
conducting such an audit:

1. Understand the Regulatory Framework: Begin by familiarizing yourself with the
applicable regulatory guidelines and requirements for risk management in NBFCs.
This will help you ensure that the company's risk management practices align
with regulatory expectations.
2. Review Risk Management Policies and Procedures: Examine the NBFC's risk
management policies and procedures to assess their adequacy and effectiveness.
Evaluate whether these policies are comprehensive, up-to-date, and aligned with
industry best practices. Pay particular attention to risk identification, risk
assessment, risk mitigation strategies, and risk monitoring mechanisms.
3. Assess Risk Identification and Assessment Processes: Evaluate the NBFC's
methods for identifying and assessing risks. Review the risk assessment
techniques, such as risk registers, risk scoring models, and risk matrices. Assess
the comprehensiveness of risk identification efforts and the accuracy of risk
assessments. Ensure that risks are categorized appropriately, considering factors
such as operational, credit, market, liquidity, legal, and regulatory risks.
4. Evaluate Risk Mitigation Strategies: Examine the NBFC's risk mitigation strategies
and controls. Assess whether the company has implemented adequate measures
to mitigate identified risks effectively. Evaluate the design and implementation of
internal controls, risk transfer mechanisms (such as insurance), and contingency
plans. Verify that the risk mitigation strategies align with the risk appetite and
tolerance levels defined by the organization.
5. Assess Risk Monitoring and Reporting: Review the NBFC's risk monitoring and
reporting processes. Evaluate the effectiveness of the company's monitoring
mechanisms, including periodic risk assessments, key risk indicators (KRIs), and
early warning systems. Assess the quality and frequency of risk reporting to
senior management and the board of directors. Ensure that the reporting
includes a comprehensive overview of risks, their potential impact, and the status
of risk mitigation efforts.
6. Evaluate Compliance with Regulatory Requirements: Assess the NBFC's
compliance with applicable regulatory requirements concerning risk
management. Ensure that the organization adheres to regulatory guidelines, such
as capital adequacy ratios, provisioning norms, asset classification, and income
recognition standards.
7. Conduct Interviews and Testing: Interview key personnel involved in risk
management, including senior management, risk officers, compliance officers,
and internal audit staff. Obtain their insights into the effectiveness of risk
management practices. Additionally, perform testing and sample reviews of
transactions, risk reports, and internal control mechanisms to validate the
accuracy and reliability of the data and information.
8. Prepare Audit Report: Summarize your findings and observations in an internal
audit report. Highlight areas of strength, areas for improvement, and any
identified deficiencies or non-compliance. Provide actionable recommendations
to enhance the effectiveness of risk management practices within the NBFC.
9. Follow-Up: Monitor the implementation of the recommended actions and track
the progress made by the NBFC in addressing identified gaps. Follow up with
management to ensure that the necessary corrective actions have been taken and
are effective.

Remember, the process and scope of an internal audit may vary depending on the
specific requirements of the NBFC, its size, complexity, and the regulatory environment.
It's always recommended to adapt the audit approach accordingly and consult with
relevant stakeholders throughout the process.

Conducting an internal audit of the Internal Capital Adequacy Assessment Process
(ICAAP) in a Non-Banking Financial Company (NBFC) is crucial for assessing the
adequacy of the company's capital in relation to its risk profile. Here are the key steps
involved in conducting an audit of ICAAP:

1. Understand the Regulatory Framework: Begin by familiarizing yourself with the
regulatory guidelines and requirements related to ICAAP for NBFCs. This will help
you ensure that the company's ICAAP process aligns with regulatory
expectations, such as those provided by the regulatory authority overseeing
NBFCs in your jurisdiction.
2. Review ICAAP Policies and Procedures: Examine the NBFC's ICAAP policies and
procedures to assess their adequacy and adherence to regulatory requirements.
Evaluate whether these policies cover all the necessary components of ICAAP,
such as risk identification, risk measurement, stress testing, capital planning, and
scenario analysis. Ensure that the policies and procedures are up-to-date and
aligned with industry best practices.
3. Assess Risk Identification and Measurement: Evaluate the NBFC's risk
identification and measurement processes. Review the methods and models used
to identify and quantify risks within the organization. Assess the
comprehensiveness and accuracy of risk assessment techniques, including the
assessment of credit risk, market risk, operational risk, liquidity risk, and other
relevant risks specific to the NBFC's activities. Ensure that the NBFC has
appropriate systems and methodologies in place to capture and measure these
risks effectively.
4. Review Stress Testing and Scenario Analysis: Evaluate the NBFC's stress testing
and scenario analysis methodologies. Review the stress testing scenarios used,
including adverse and severe stress scenarios, and assess whether they capture
the key risks faced by the NBFC adequately. Evaluate the sensitivity analysis
performed to assess the impact of stress scenarios on the NBFC's capital
adequacy. Verify that the NBFC has appropriate contingency plans and capital
buffers in place to address the outcomes of stress testing exercises.
5. Assess Capital Planning and Allocation: Evaluate the NBFC's capital planning and
allocation process. Assess whether the NBFC has defined an appropriate capital
planning framework that considers its risk appetite, business strategy, and
regulatory requirements. Review the methodologies used for determining the
amount and composition of capital required to support the NBFC's risk profile.
Evaluate the NBFC's capital allocation mechanisms and verify their alignment with
the identified risks.
6. Evaluate Compliance with Regulatory Requirements: Assess the NBFC's
compliance with regulatory requirements related to ICAAP. Ensure that the NBFC
adheres to regulatory guidelines concerning minimum capital requirements,
capital adequacy ratios, capital buffers, and any other specific ICAAP-related
requirements applicable to NBFCs in your jurisdiction.
7. Conduct Interviews and Testing: Interview key personnel involved in the ICAAP
process, such as senior management, risk officers, finance officers, and internal
audit staff. Obtain their insights into the effectiveness of the ICAAP process.
Additionally, perform testing and sample reviews of ICAAP documentation, risk
reports, stress testing outcomes, and capital planning methodologies to validate
the accuracy and reliability of the information.
8. Prepare Audit Report: Summarize your findings and observations in an internal
audit report. Highlight areas of strength, areas for improvement, and any
identified deficiencies or non-compliance. Provide actionable recommendations
to enhance the effectiveness of the ICAAP process within the NBFC.
9. Follow-Up: Monitor the implementation of the recommended actions and track
the progress made by the NBFC in addressing identified gaps. Follow up with
management to ensure that the necessary corrective actions have been taken and
are effective.

Keep in mind that the process and scope of an internal audit of ICAAP may vary
depending on the specific requirements of the NBFC, its size, complexity, and the
regulatory environment. It's essential to adapt
