A CERT-In Empanelled Auditing Organization
RBI IT & IS Audits

RBI security audits for India's regulated financial entities.

CERT-In empanelled IT and information-security audits mapped clause-by-clause to RBI's directions — for banks, NBFCs, HFCs, payment system operators and cooperative banks. We turn a regulatory obligation into a genuine uplift in your security posture.

Overview

Independent assurance the RBI expects.

The Reserve Bank of India holds its regulated entities to detailed expectations on IT governance, cyber resilience and information security — and requires independent assurance that those controls are designed well and operating effectively. Falling short invites supervisory observations, and in serious cases, business restrictions.

Our RBI audit practice assesses your environment against the directions that apply to your entity category, validates the controls through hands-on technical testing, and documents everything in a board- and regulator-ready format. We don't just check boxes against a circular — we give you a clear, prioritised path to close gaps within RBI's timelines.

As a CERT-In empanelled auditing organization with a dedicated BFSI practice, we bring purpose-built audit workbooks — including a 112-point Master Direction IS-audit workbook and a 124-point NBFC compliance workbook — so nothing in the framework is missed.

Who must comply

RBI regulated entities

RBI's IT and information-security expectations apply across its supervised entities. The intensity and cadence of audit depend on your category and, for NBFCs, your regulatory layer.

Commercial Banks: Public, private, foreign, small finance and payments banks.
Cooperative Banks: Urban, state and district cooperative banks under a graded framework.
NBFCs: Across the Scale-Based Regulation Base, Middle, Upper and Top layers.
Housing Finance Companies: HFCs regulated by RBI since 2019.
Payment System Operators: PSOs and PPI issuers, including a mandated System Audit Report.
CICs, ARCs & AIFIs: Credit information companies, asset reconstruction companies and all-India financial institutions.
Regulated entity | Key applicable RBI frameworks | Typical audit
Commercial & Small Finance Banks | ITGRCA MD 2023; Cyber Security Framework 2016; Digital Payment Security 2021 | Annual
Payments Banks | ITGRCA MD 2023; Cyber Security Framework; Digital Payment Security | Annual
Regional Rural Banks | Cyber Security Framework; ITGRCA (phased) | Periodic
Urban Cooperative Banks | Cyber Security Framework for UCBs; Graded Levels I–IV | Per level
NBFCs — Middle, Upper & Top Layer | ITGRCA MD 2023; Scale-Based Regulation | Annual
NBFCs — Base Layer | Proportionate IT governance | Periodic
Housing Finance Companies | ITGRCA MD 2023 | Annual
Payment System Operators / PPI | Cyber Resilience & DPSC for PSOs 2024; System Audit Report | Annual SAR
Credit Information Companies | IT / IS governance; ITGRCA (as applicable) | Periodic
ARCs, AIFIs & Account Aggregators | ITGRCA (as applicable); IT framework | Periodic

Applicability and cadence are indicative and depend on the latest RBI directions and your specific licence. We confirm the exact scope for your entity during planning.

Regulatory landscape

The RBI frameworks we audit against.

We map every finding to the specific directions that govern your entity.

Master Direction · 2023

IT Governance, Risk, Controls & Assurance (ITGRCA)

The consolidated direction, effective April 2024, setting IT governance, risk management, information security and IS-audit expectations across banks, NBFCs (by layer), HFCs and CICs.

Framework · 2016

Cyber Security Framework for Banks

Baseline cyber-security controls, a Cyber Crisis Management Plan, security operations and incident reporting obligations for banks.

Master Direction · 2021

Digital Payment Security Controls

Security controls for internet, mobile and card payment channels offered by regulated entities to their customers.

Directions · 2024

Cyber Resilience & DPSC for PSOs

Cyber-resilience and digital-payment-security requirements for authorised payment system operators, phased by entity size.

Framework

Cyber Security Framework for UCBs

A graded, four-level framework for urban cooperative banks, scaling controls to each bank's digital footprint.

Master Direction · 2023

Outsourcing of IT Services

Governance of outsourced IT and cloud services, including third-party risk, concentration risk and exit strategies.

Payment systems

System Audit Report (SAR) & data-localization audits.

For authorised payment system operators and their participants, RBI requires an independent system audit and confirmation that payment data is stored only in India — both attested through a System Audit Report by a CERT-In empanelled auditor.

System Audit Report

SAR for Payment System Operators

A periodic, independent system audit of a PSO’s architecture, security controls, transaction integrity, business continuity and compliance with the applicable RBI directions — documented as a System Audit Report and submitted to RBI by a CERT-In empanelled auditor.

Storage of Payment System Data · 2018

Data-localization audit

Under RBI’s directive, the entire data relating to payment systems must be stored only in India. We validate storage locations and data flows end to end, confirm that any data processed abroad for cross-border transactions is purged overseas and brought back within 24 hours, and report compliance through a board-approved SAR.

What the SAR & data-localization audit covers

Inventory of payment systems and the full end-to-end transaction data elements
Data-flow mapping across application, network, infrastructure and third-party layers
Confirmation that payment system data is stored only in India
Cross-border transaction handling — overseas purging and 24-hour repatriation
Storage across data centres, DR sites, cloud and vendor / outsourced systems
Encryption, access control and protection of stored payment data
System architecture, security controls, transaction integrity and BCP / DR
Board approval and submission of the System Audit Report to RBI
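The two localization checks in the list above (payment system data resides only in India, and the cross-border purge / 24-hour repatriation rule) are the kind of thing an auditor ends up re-deriving from inventory exports and transaction logs. The following is an added example of how we would express those two checks as a repeatable script; it is not code from this page, from RBI or from any RBI tool, and the store names, regions, transaction IDs and timestamps are constructed sample data, not a real entity's inventory.

```python
"""Added example: auditor's working check for RBI payment-data localization.

Two checks are modelled:
  1. every store that holds payment system data physically resides in India
     (primary, DR, backup, cloud and vendor layers alike);
  2. for cross-border transactions, the data processed overseas is purged
     there and a copy is held in India within 24 hours of processing.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INDIA = "IN"
REPATRIATION_WINDOW = timedelta(hours=24)   # the 24-hour rule described on this page


@dataclass(frozen=True)
class DataStore:
    name: str
    layer: str              # application / database / backup / dr / cloud / vendor
    region: str             # ISO 3166-1 alpha-2 country where the data physically resides
    holds_payment_data: bool


@dataclass(frozen=True)
class CrossBorderRecord:
    txn_id: str
    processed_at: datetime                  # when the foreign leg was processed overseas
    purged_overseas_at: Optional[datetime]  # None = overseas copy not yet purged
    stored_in_india_at: Optional[datetime]  # None = not yet brought back to India


def check_storage_locations(stores: List[DataStore]) -> List[str]:
    """One finding per store that holds payment system data outside India."""
    return [
        f"{s.name} [{s.layer}] holds payment system data in {s.region}, not in India"
        for s in stores
        if s.holds_payment_data and s.region != INDIA
    ]


def check_cross_border(records: List[CrossBorderRecord], now: datetime) -> List[str]:
    """Findings for cross-border records that breach the purge / repatriation window.

    A record is checked against the deadline (processed_at + 24h) on two axes:
    repatriation to India and purge of the overseas copy. A missing timestamp
    is only a finding once the deadline has passed relative to `now`.
    """
    findings = []
    for r in records:
        deadline = r.processed_at + REPATRIATION_WINDOW
        if r.stored_in_india_at is None:
            if now > deadline:
                findings.append(f"{r.txn_id}: not stored in India; window expired {deadline.isoformat()}")
        elif r.stored_in_india_at > deadline:
            findings.append(f"{r.txn_id}: stored in India {r.stored_in_india_at - deadline} after the window")
        if r.purged_overseas_at is None:
            if now > deadline:
                findings.append(f"{r.txn_id}: overseas copy not purged; window expired {deadline.isoformat()}")
        elif r.purged_overseas_at > deadline:
            findings.append(f"{r.txn_id}: overseas copy purged {r.purged_overseas_at - deadline} after the window")
    return findings


def run_audit(stores: List[DataStore], records: List[CrossBorderRecord], now: datetime) -> Dict[str, object]:
    """Combine both checks into one result the SAR evidence pack can quote."""
    storage = check_storage_locations(stores)
    cross = check_cross_border(records, now)
    return {
        "storage_findings": storage,
        "cross_border_findings": cross,
        "compliant": not storage and not cross,
    }


# Constructed sample inventory (not real systems or transactions).
SAMPLE_STORES = [
    DataStore("core-switch-db", "database", "IN", True),
    DataStore("dr-site-db", "dr", "IN", True),
    DataStore("nightly-backup-bucket", "backup", "SG", True),   # finding: backup held abroad
    DataStore("marketing-analytics", "cloud", "US", False),     # no payment data, no finding
]
T0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CrossBorderRecord("XB-001", T0, T0 + timedelta(hours=6), T0 + timedelta(hours=5)),    # compliant
    CrossBorderRecord("XB-002", T0, T0 + timedelta(hours=30), T0 + timedelta(hours=20)),  # purged late
    CrossBorderRecord("XB-003", T0, None, None),                                          # nothing done
]
NOW = T0 + timedelta(hours=48)

if __name__ == "__main__":
    result = run_audit(SAMPLE_STORES, SAMPLE_RECORDS, NOW)
    for f in result["storage_findings"] + result["cross_border_findings"]:
        print("FINDING:", f)
    print("compliant:", result["compliant"])
```

In a real engagement the `DataStore` rows come from the entity's asset and vendor registers plus cloud-console region evidence, and the `CrossBorderRecord` rows from the switch's processing, purge and replication logs; the deadline comparison is deliberately done against the processing timestamp, not the purge job's schedule, since that is what the rule measures.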

Audit scope

The 12 domains of an RBI IS audit

Our audit provides full coverage across the twelve control domains an RBI information-security audit examines — aligned to the RBI Master Direction (ITGRCA) and the foundational Gopalakrishna Working Group framework.

01

IT Governance

Board and IT Strategy Committee oversight, IT strategy, organisational structure and the IT/IS policy framework.

02

IT Operations

Day-to-day IT operations and service management, including capacity, change and patch management.

03

Information & Cyber Security

The information-security programme, CISO function, risk management and the Cyber Security Framework / CCMP.

04

Access Control & Identity

Identity and access management, least privilege, privileged-access control and segregation of duties.

05

Application Security & Controls

Application controls, secure development, maker-checker, and VAPT of in-scope applications.

06

Network & Infrastructure Security

Network segmentation, perimeter defences, and server and endpoint hardening.

07

IT Outsourcing & Third-Party Risk

Governance of outsourced IT and cloud services, vendor risk and concentration / fourth-party risk.

08

Business Continuity & DR

BCP and disaster recovery with defined RTO/RPO and documented DR-drill evidence.

09

Cyber Incident & Fraud Management

Incident response, RBI / CERT-In reporting, and cyber-fraud detection and management.

10

IS Audit & Assurance

The IS-audit function — its independence, planning, coverage and follow-up.

11

Data Security, Privacy & Localisation

Data classification, encryption, customer-data protection and data-localisation requirements.

12

Customer Education, Grievance & Legal

Customer awareness, grievance redressal, and legal and regulatory compliance.

How we work

An audit built around your RBI obligations.

A compliance-first lifecycle that produces supervisory-ready evidence.

Scoping & applicability

We confirm your entity category and layer, and the exact RBI directions that apply to you.

Governance & documentation review

Board minutes, IT strategy, policies and prior audit and RBI inspection observations.

Control assessment

Design and operating-effectiveness testing across every applicable control domain.

Technical assessment & VAPT

Vulnerability assessment and penetration testing of in-scope applications and infrastructure.

Compliance gap mapping

Every finding mapped clause-by-clause to ITGRCA, the Cyber Security Framework and DPSC.

Reporting & closure

A board- and RBI-ready report, remediation tracker, retest and formal closure.

Checklists

RBI audit readiness checklists.

Use these to prepare. The first gets you ready for the engagement; the second is the control-domain checklist we assess against.

Pre-audit readiness checklist

Entity category, NBFC layer and applicable RBI directions identified
Board-approved IT and information-security policies, current and dated
IT Strategy Committee and IT Steering Committee constituted
Up-to-date IT asset and application inventory
Previous IS-audit reports and RBI inspection observations
Current IT risk assessment and risk register
Recent VAPT reports and remediation status
Outsourcing / vendor register and agreements
Incident register and RBI / CERT-In reporting records
BCP / DR plan and latest DR-drill evidence
Log sources, retention configuration and time synchronisation
Remediation owners and target closure timelines

Control-domain checklist

Governance & Risk

Board / IT Strategy Committee oversight defined and active
IT and IS policies board-approved and reviewed periodically
IT risk-management framework operational
CISO appointed with sufficient independence and authority

Access & Change

Identity and access management with least privilege
Privileged access restricted, logged and monitored
Segregation of duties enforced across key processes
Change and patch management documented and followed

Cyber Resilience & Operations

SOC / monitoring with SIEM in place
Log retention meeting regulatory periods
Cyber Crisis Management Plan (CCMP) maintained and tested
VAPT performed periodically and findings closed

Continuity & Third Party

BCP and DR with defined and tested RTO / RPO
DR drills conducted and documented
Outsourcing governance and cloud controls in place
Concentration and fourth-party risk assessed

What you receive

Supervisory-ready documentation.

  • RBI-aligned audit report: Structured to the applicable directions, ready for submission and board review.
  • Clause-by-clause compliance mapping: Every requirement mapped to your posture using our 112-point workbook.
  • VAPT findings & evidence pack: Technical findings with severity, proof and remediation guidance.
  • Prioritised remediation tracker: A clear plan to close gaps within RBI's expected timelines.
  • Board-ready executive summary: A concise risk view for your board and audit committee.
  • Closure & retest report: Verification that findings are remediated and the audit can be closed.

Frameworks & references

Your audit is mapped to the RBI directions and supporting standards that apply.

ITGRCA MD 2023 · Cyber Security Framework 2016 · Digital Payment Security 2021 · DPSC for PSOs 2024 · IT Outsourcing MD 2023 · CERT-In · ISO 27001 · NIST · System Audit Report (SAR) · Data localization

FAQ

RBI audit — frequently asked questions

What is an RBI IT / IS audit?
It's an independent assessment of a regulated entity's IT and information-security controls against the RBI directions that apply to it — covering governance, cyber resilience, application and network security, business continuity, outsourcing and more. The goal is to give the board and the regulator assurance that controls are well designed and operating effectively.
Which entities are required to undergo this audit?
Commercial, small finance and payments banks, regional rural and cooperative banks, NBFCs across the Scale-Based Regulation layers, housing finance companies, payment system operators and PPI issuers, credit information companies and others. The applicable framework and cadence depend on your category and, for NBFCs, your regulatory layer.
What is the RBI ITGRCA Master Direction?
The Master Direction on IT Governance, Risk, Controls and Assurance Practices, issued in 2023 and effective from April 2024, consolidates RBI's expectations on IT governance, IT and information-security risk, controls and independent assurance (IS audit) across banks, applicable NBFCs, HFCs and CICs.
How often is the audit required?
For most banks and applicable NBFCs and HFCs, an IS audit is generally expected at least annually, alongside periodic VAPT. Payment system operators submit a System Audit Report. Cooperative banks follow a graded cadence based on their level. We confirm the exact requirement for your entity during scoping.
Do we need a CERT-In empanelled auditor?
For many RBI and payment-system audits — including the System Audit Report for PSOs — a CERT-In empanelled auditor is expected. We are a CERT-In empanelled auditing organization, so our reports carry the recognition regulated entities rely on.
What's the difference between an IT audit and an IS audit?
An IT audit looks broadly at IT governance, controls and operations; an IS (information-security) audit focuses specifically on the security of information assets. RBI's ITGRCA direction brings these together, which is why our engagement covers both governance and security in a single, coordinated audit.
Does the audit include penetration testing?
Yes. Vulnerability assessment and penetration testing of in-scope applications and infrastructure is a core part of the engagement, with findings mapped to the relevant RBI requirements and supported by a retest.
Do you provide System Audit Reports (SAR) for payment system operators?
Yes. As a CERT-In empanelled auditor we conduct the periodic system audit of authorised payment system operators — covering system architecture, security controls, transaction integrity, business continuity and compliance with the applicable RBI directions — and document it as a System Audit Report (SAR) for submission to RBI.
What is the RBI data-localization audit?
Under RBI’s Storage of Payment System Data directive (2018), the entire data relating to payment systems must be stored only in India. We verify storage locations and end-to-end data flows, confirm that data processed abroad for cross-border transactions is purged overseas and brought back within 24 hours, and report compliance through a board-approved System Audit Report.
How long does an RBI audit take?
Most engagements run three to six weeks depending on your size, the number of applications and systems in scope, and the breadth of applicable directions. We agree a precise timeline during planning.
What do we receive at the end?
A board- and RBI-ready audit report, a clause-by-clause compliance mapping, VAPT findings with evidence, a prioritised remediation tracker, an executive summary for your board, and a closure and retest report once findings are addressed.
Can you help us close findings and respond to RBI?
Yes. Beyond the audit we provide remediation guidance, retesting to confirm closure, and board- and regulator-ready documentation to support your response to supervisory observations.

Ready for your RBI audit?

Talk to our CERT-In empanelled team about an audit scoped to your entity category and applicable directions.