Information System Audit & Assurance

CyberSRC Consultancy offers CISA Information System Audit services. IT system audits is an examination of management controls within IT infrastructure as per guidelines of various regulatory entities such as RBI, IRDA, NPCI etc. It not only examines physical security controls but also the business and financial controls that involve information technology systems. For an organization to operate effectively, for safeguarding the assets and maintaining the integrity the evidence evaluation is important.

We provide services in domain, Information System Audit & Assurance our services include but we are not limited to:

1. RBI
   1.  Payment & Settlement Systems (PSS)
   2.   NBFC
   3.  Co-Operative Banks
   4.  Prepaid Payment Instruments PPI
   5. P2P Lending
2. IRDA ISNP 
3. SEBI
4. NPCI
5. UIDAI Aadhaar
6.  eSign ASP
7. GST Suvidha Provider
8. Security Standards (ISO, NIST, CIS )

Use of Information Technology by banks and their constituents has grown rapidly and is now an integral part of the operational strategies of banks. The Reserve Bank, had, provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G.Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein it was indicated that the measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns.

The Payments & Settlement Act is a regulation for the supervision of payment systems in India and to designate the Reserve Bank of India as the authority for that purpose and for matters connected therewith or incidental thereto. A payment company must comply with stipulated RBI requirements to ensure that the technology deployed to operate the payment system is safe, secure, and efficient, and as per the approved process flow. An RBI PSS audit evaluates security and controls, hardware, operating systems, applications, access controls, and disaster recovery, among other aspects.

The NBFC (Non-Banking Finance Company) sector has grown both in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices. Accordingly, directions on IT Framework for the NBFC sector that are expected to enhance safety, security, efficiency in processes leading to benefits for NBFCs and their customers are enclosed. NBFCs may have already implemented or may be implementing some of the requirements indicated in the DNBS.PPD.No.04/66.15.001/2016-17 that was issued on June 08, 2017.

In a race to adopt technology innovations, banks have increased their exposure to cyber incidents/ attacks thereby underlining the urgent need to put in place a robust cybersecurity and resilience framework. The Reserve Bank of India has provided guidelines on Cyber Security Framework vide circular DBS, CO/CSITE/BC.11/33.01.001/2015-16 dated June 2, 2016, where it has highlighted the urgent need to put in place a robust cybersecurity/ resilience framework to ensure adequate cybersecurity preparedness among banks on a continuous basis. The RBI guidelines related to Cyber Security framework will enable banks to formalize and adopt cybersecurity policy and cyber crisis management plan. The requirement to share information on cyber security incidents with RBI will also help structure proactive threat identification and mitigation.

PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. Banks and non-bank entities have been issuing PPIs in the country after obtaining necessary approval/authorization from RBI under the Payment and Settlement Systems Act, 2007 (PSS Act). RBI has issued Master Direction on Issuance and Operation of Prepaid Payment Instruments to carry out information system audit by CISA auditors. The Reserve Bank of India vide Master Direction DPSS.CO.PD.No.1 164/02.14.006/2017-18 has laid down a framework for the Payment Instrument Providers.

Peer-to-peer lending companies often offer their services online, and attempt to operate with lower overhead and provide their services more cheaply than traditional financial institutions. The RBI issued a Notification on August 24, 2017 which is mandatory to comply for every Non-Banking Financial Company that carries on the business of a Peer-to-Peer Lending Platform.

The Insurance Regulatory and Development Authority of India (IRDA) had issued guidelines IRDA/ INT/ GDU ECM/ 055/03/2017 relating to insurance e-commerce on 9th March 2017. The main objective of these guidelines is to set standardize rules for conducting insurance e-commerce activities. As per these regulations, anyone willing to sell insurance online is required to set-up a digital platform is known as Insurance Self-Network Platform (ISNP) and follows all the regulations specified for its Insurance Self-Network Platform refers to an electronic platform set up with a view to conducting insurance e-commerce activity. Such platforms can only operate after getting permission from IRDA.

The SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated on December 03, 2018 made it mandatory for all stockbrokers must comply with the SEBI cyber security framework to maintain robust cyber security and cyber resilience framework to protect the integrity of data and privacy. It focuses on protecting the data and the privacy of security holders by improving the Cyber Security and Cyber Resilience of the Stockbrokers and Depository Participants. It governs data created, received, or maintained by them wherever these data records are and whatever form they are in, while carrying out their designated duties and functions.

Unique Identification Authority of India has been set up by the government for developing, identifying, and setting up the necessary infrastructure to issue Aadhaar cards. An organization can intend to become Authentication User Agency (AUA), to do the same it is required for the organization to be enrolled with UIDAI. After becoming AUA, organization will be able to provide E-KYC and Aadhaar based authentication. It will also be helpful in registering as KYC User Agency (KUA) for using Aadhaar e KYC service.

Aadhaar eSign is an online electronic signature service in India to facilitate an Aadhaar holder to digitally sign a document. The signature service is facilitated by authenticating the Aadhar holder via the Aadhar-based e-KYC service. An application service provider is any vendor that provides software that will contain data but is managed and operated in the vendor’s data centre and is not controlled or secured by Information Technology. An eSign ASP is a service provider for facilitating electronic signature service in India.

GST Service Providers are the special entities who have been authorized to develop a platform to enable the taxpayer to do the GST compliances. All GST system functionalities like registration, return filing, payment of taxes, uploading of invoices will be available through APIs. All return filings under GST will be managed by GSTN.

National Payments Corporation of India, an initiative of the Reserve Bank of India and Indian Banks’ Association. It is an umbrella organisation for operating retail payments and settlement systems in India. It aims to provide infrastructure to the whole banking industry, both physical and electronic payment and settlements system.

CyberSRC offers internal audit and CISA audit services. These audits can be based on myriad of standards and frameworks including, but not limited to:
ISO: ISO (International Organization for Standardization) is an independent, non-governmental, international organization that develops standards to ensure the quality, safety, and efficiency of products, services, and systems.
NIST: National Institute of Standards and Technology (NIST), develops cybersecurity standards, guidelines, best practices, and resources to meet the needs of U.S. industry, federal agencies, and the broader public.
CIS: Center for Internet Security (CIS) recognized as security standards for defending IT systems and data against cyber-attacks which is used by thousands of businesses. Its mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’