Get SAR Audit Report

RBI Directive on Data Localization

The Reserve Bank of India issued a directive through circular DPSS.CO.OD.No 2785/06.08.005/2017-18 dated April 8, 2018, requiring all transaction data to be exclusively stored within India. As the central banking institution overseeing monetary policy, the RBI mandates unrestricted supervisory access to payment data, which led to the enforcement of this directive.

Under this mandate, all companies engaged in transactions in India, whether global or local, such as fintech companies facilitating peer-to-peer transactions or gateway operators managing global fund transfers, are obligated to store all payment data within India.

What is a SAR Audit?

A System Audit Report (SAR) is a document that organizations, particularly those dealing with payment data, must submit to the Reserve Bank of India (RBI) to comply with the data localization mandate. The SAR acts as an official certification, confirming that the organization has met the obligation of storing end-to-end transaction data within India.

How does it work?

• The audit, as specified by the RBI, is to be carried out by auditors who are empanelled with CERT-In (Indian Computer Emergency Response Team).
• The System Audit Report (SAR) should incorporate a certification from the auditors, affirming the successful completion of the data localization activity.
• The System Audit Report (SAR) must receive formal approval from the Board of the system provider. This approval signifies that the leadership of the organization concurs with and endorses the findings and conclusions outlined in the audit report.
• Following the preparation, certification, and approval of the SAR, it is submitted to the Reserve Bank of India. This submission is the pivotal step in demonstrating adherence to the regulatory requirement.

The Benefits of SAR Audits

Data Localization

Amid geopolitical uncertainty, SAR audits play a crucial role in strengthening the security of financial and personal data belonging to local citizens. By enforcing data localization, these audits establish a strong defense against potential vulnerabilities during geopolitical crises.

Anti-Money Laundering

SAR audits play a key role in detecting and thwarting suspicious financial activities. Through comprehensive audits, organizations bolster their defenses, making a substantial contribution to the global effort against illicit financial practices.

Enhanced IT Governance

For payment service providers, robust IT governance is of utmost importance. SAR audits, by pinpointing and rectifying potential weaknesses in data storage, access management, and security protocols, enhance the overall integrity of IT governance for payment service providers.

How it Works

Methodology

The audit of the Bank's Cybersecurity Framework aligns with the following audit domains, segregated according to the designated Level of the respective UCB (Urban Co-operative Bank). The applicability of domains varies depending on the Bank's Level, categorized as Level 1, Level 2, Level 3, or Level 4.

Review Inception

We provide the auditee with the audit charter, outlining the roles and responsibilities of the audit function, along with the audit objectives.

Documentation

We furnish the auditee with a Document Review List (DRL), outlining the necessary policies. These policies are then analyzed against the applicable compliance standards.

Detection & Examination

A risk assessment, both quantitative and qualitative, is carried out for each business process within the scope, and the identified risks are analyzed.

Risk Response

The GAP Assessment Report recommends action points and a risk response methodology. The auditee is requested to provide an action plan in response.

Deployment Assessment

We perform a post-implementation review of the mitigations.

Critical Data Prerequisites for the System Audit Report on Data Localization (SAR)

• Payment Data Components – Categorization of the diverse data elements, encompassing payment credentials, transaction data, and customer information.
• Transaction / Data Flow – Detailed diagram specifying the entire transaction flow, distinguishing between data at rest and data in motion.
• Application Architecture – A thorough application architecture diagram illustrating all components involved.
• Online System Security – Evaluation of controls to ensure the security of payment information systems and mobile applications against malicious attacks.
• Network Diagram / Architecture – Comprehensive network architecture diagram and compliance with a Network Security Policy.
• Data Storage – Architecture diagram outlining data retention, accompanied by a database architecture diagram and a retention policy.
• Transaction Processing – Thorough depiction of the transaction/data flow with supporting evidence of the Standard Operating Procedure (SOP).
• Backup and Restoration Protocols – Conformance with prescribed standards for data backup and restoration, upheld through policies governing Data Backup, Disaster Recovery, and Log Management.

What do you get?

Audit Preliminary Report

Draft of the audit report highlighting the initial discoveries and findings.

Conclusive Audit Report

A detailed report expounding on the conclusive audit findings.

Remediation Assistance

Using a GAP Assessment Report, recommendations for addressing non-compliant controls are provided.

Compliance Confirmation Letter

A letter affirming that the requirements have been met and that all relevant controls/regulations are satisfied.
