The current trend in data storage is to replicate data across many locations so that data centers can quickly reach backup copies. Every entity handling payment data, from fintech companies that process peer-to-peer transactions to globally accessed gateway operators that move funds across borders, must hold the appropriate authorization, which makes a SAR audit a necessity. Under the RBI guidelines of 6th April 2018, payment firms that previously ran their payment-system servers outside India must now host those systems on servers located in India, holding the data relating to Indian residents. The directive states that all payment system providers regulated by the Reserve Bank of India must from now on set up their payment systems in India, as per the Payment and Settlement Act, 2007.
Methodology
RBI and NPCI have defined a holistic checklist, set out in RBI's data localization guidelines, for all information being stored in India. This checklist is often referred to as the System Audit Report criteria; it highlights the several domains that need to be taken into account while auditing payment systems.
Why do organizations need it?
- SAR data localisation shields native citizens' financial and personal information in moments of geopolitical crisis
- Shielding against money-laundering threats
- Holistic implementation of regulations to secure payment gateways
- Enhanced IT governance for payment service providers
Our Approach
Our cyber security approach prioritizes a layered, proactive defense strategy encompassing robust network security, vigilant endpoint protection, strict access controls, regular vulnerability assessments, employee security awareness training, and a rapid incident response plan, ensuring the protection of sensitive data and systems against evolving cyber threats by focusing on the “people, process, and technology” pillars.
Scope Drafting
Creating an Audit Plan
Finalizing the audit schedule
Auditing
Report and attestation
Scope Drafting
All the information and understanding gathered is compiled into a well-documented scope that determines the boundaries and applicability of the SAR audit, with reference to the pain points and the requirements of the stakeholders. The scope covers the systems in use, the number of departments and the locations of the organization.
Creating an Audit Plan
Once the scope, objective and criteria for the audit have been defined, the board members must draft an audit plan.
The board members (the auditee) together with the auditors should agree on the nature, timing and extent of the tests of controls and substantive procedures, including the examination of network security measures.
Finalizing the audit schedule
After defining what has and has not to be audited, a proper audit schedule must be published with the approval of both parties. The audit schedule sets out a timeline stating which departments are to be audited within which time range.
Auditing
Once the audit schedule is published, the auditors examine the documents and controls already implemented in the auditee's organization. The purpose of the audit is to determine whether there are any discrepancies or notable observations within the payment gateway's organization.
Report and attestation
After conducting the audit, the auditing body documents its observations, areas of improvement, and minor and major non-conformities against the departments that were audited. All of these observations are then compiled into a summary report together with the standard checklist that was followed.
Benefits
Cybersecurity is important because it protects organizational assets and services from malicious attacks and safeguards all types of data, including but not limited to sensitive data, protected health information (PHI), and personally identifiable information (PII), from theft and loss.
Global presence, serving 450+ SMEs and 150+ large enterprises.
Industries already served include Fintech, BFSI, NBFC, Telecom, Healthcare and Ecommerce.
A leading cybersecurity organization with a reputation for innovative security solutions.
FAQs
What are the major key criteria covered under SAR audit?
The major areas covered are: payment data elements, data storage, access management, data backup and restoration, and data security.
What does data localisation as per RBI stand for?
Data localization is an attempt to bring citizens' data back under domestic control, under Section 94 of the Companies Act 2013, whereby organizations must collect, process or store the data in their native country and registered office before transferring it overseas.
Is there any limitation of data localization?
One of the prominent drawbacks of enforcing data localization is that there is no assurance that the service providers will fully wipe out the data informally stored overseas.
Why are Indian Officials localizing data?
The main purpose of localizing citizens' data is to keep their information out of reach of monitoring by other countries. This further ensures that if a foreign organization wishes to look into the financial information of Indian citizens, it must obtain legal permission from the domestic authorities of India.