The Reserve Bank of India, the apex financial institution of the country, is the central banking institution that requires unrestricted data of all transactions that take place in India. Data localization is the act of storing citizens' data within the country's geographical boundaries to avoid any foreign accessibility. In an effort to promote data localization, on the 8th of April 2018 the RBI issued a notice to all transaction providers and facilitators to ensure all the data is stored in systems within India.
The RBI directed the system providers to submit the System Audit Report within 6 months from the date of notice. The Auditor has to verify multiple facets of the system based on the guidelines issued by the RBI before certifying it:
The Auditor or the auditing firm meticulously verifies and categorizes elements of the system according to the guidelines. In case of any gaps in terms of compliance, the Auditor informs the company regarding the non-compliance and offers solutions to ensure that everything is in line. Once all the required verification is carried out, the Auditor then gives the report the stamp of approval which showcases the reliability of the system provided by the company.
As a SAR audit may be a necessity, we approach our work in a practical, proactive manner, adding value to the process through our expert opinion and experience.
Working in line with RBI & NPCI guidelines, QRC assesses your organization with a holistic approach covering SAR data localization controls. Our approach for assessment is as follows:
Information Gathering & Documentation Review
We share a detailed questionnaire and other documentation with your teams, and collect evidence on the architecture, implementation and controls to understand the data flow.
After scope definition and initial engagement, we will conduct an initial audit to understand the organization's infrastructure and help our clients identify all the storage locations that contain any payment-related data.
Based on the assessment and the identification of the payment data, QRC will provide remediation support for complying with the RBI mandate.
Report & Confirmation Letter
After assessment and remediation, we will review your evidence on the closure of the Action phase as identified during the audit. On successful closure, we will share the confirmation letter stating that all payment-related data resides inside India.
A successful System Audit Report (SAR) audit ensures appropriate assessment of technology risks and the control environment as they relate to critical business processes.