IS Audit (RBI) Guidelines
The banking sector is one of the most vulnerable sectors in terms of cyber threats and attacks. Annually, 6 out of 10 people report that their data has been compromised by a loan service. In light of this, the RBI, in its Master Directions, has directed all NBFCs to conduct an IT audit and have it attested by the RBI under the RBI IS Audit.
As per the directive, a CERT-In empanelled institution must perform an annual Information Security Audit. Data security, audit control, corporate governance, risk management, and the other terms and conditions of the licence are the fundamentals of the Information Security Audit.
Methodology
The IS Audit is conducted per the Terms of Reference (TOR) and regulations outlined by the ICAI, the RBI, and the pertinent authorities. An NBFC that wants an audit performed should, together with the external auditor, set an audit plan that covers the scope of the current and previous audits. Once they have a plan of action for the IS Audit, the auditors check the network systems and work environment against security controls, network controls, access controls, and electronic document controls.
NBFCs with more than 500 crores – The IT framework requirement would include IT Governance, operations, Business Continuity Planning and Disaster Recovery, and IT service outsourcing.
NBFCs with less than 500 crores – The IT framework needed would involve data backup and testing, a well-defined function in the IT system, filing regulatory returns with the RBI, and generating crucial financial reports for top management.

Why do organizations need it?
The goal of information security is to limit access to sensitive data. NBFCs must have a comprehensive information security policy that includes the following essential principles:
Confidentiality
Ensuring that only authorized users can access sensitive data.
Integrity
Assuring information accuracy and reliability by preventing.
Availability
Ensuring that users have access to data whenever they need it.
Authenticity
It is vital for Information Security to ensure that data, transactions.
Our Approach
Our cyber security approach prioritizes a layered, proactive defense strategy built on the “people, process, and technology” pillars: robust network security, vigilant endpoint protection, strict access controls, regular vulnerability assessments, employee security awareness training, and a rapid incident response plan, so that sensitive data and systems stay protected against evolving cyber threats.
Scope Drafting
All the information and understandings are compiled into a well-documented scope, objective and criteria, which determine the boundaries and applicability of the RBI IS Audit with reference to the pain points and the requirements of the stakeholders. The scope covers the work systems, the number of departments and the locations of the organization.
Creating an Audit Plan
After defining the audit’s scope, aim, and criteria, the board members must draw up an audit plan. The audit plan must set out the nature, timing, and scope of the tests of controls and substantive procedures. Auditors and board members should also evaluate the network security measures.
Finalizing the Audit Schedule
After outlining what must be audited and what is not required, a proper audit schedule must be published with the consent of all parties. The audit schedule includes a timeline indicating which departments should be audited within a given time frame.
Auditing
Once the audit schedule is published, the auditors review the documentation and controls already implemented in the auditee’s organization. The audit’s goal is to find any inconsistencies or noteworthy observations in the NBFC’s workspace.
Report and Attestation
The auditing body records its findings, suggestions for improvement, and minor and major non-conformities against the departments that were the subject of the audit. A summary report is then compiled from these observations and the standard checklist that was used.
Benefits
Cybersecurity is important because it protects organizational assets and services from malicious attacks and safeguards all types of data, including but not limited to sensitive data, protected health information (PHI), and personally identifiable information (PII) from theft and loss.
As a CERT-In empanelled organization, we can guide the company’s activities to provide better services.
NBFC audits assure companies and their partners that their service organizations have procedures and controls in place.
The assessments are carried out by qualified experts to provide consistent and valuable services.
FAQs
What are the necessary requirements to be met for NBFCs above 500 crores?
• IT Governance
• IT Policy
• Information and Cyber Security
• IS Audit
• IT Services Outsourcing
Is it necessary that every NBFC should be registered with the RBI?
Every NBFC must register with the RBI before starting or carrying on any non-banking financial institution business.
What are systemically important NBFCs?
Systemically important NBFCs are those with assets of Rs 500 crore or more as of their most recent audited balance sheet.