What is SAR Audit? Key Aspects To Conduct A Successful Audit
The System Audit Report (SAR) is a mandatory compliance for data localization and Storage of Payment System Data imposed by the Reserve Bank of India (RBI) to ensure adequate security measures and data localization controls are in place for the safe storage of payment-related data.
RBI, the pinnacle financial institution of India, is the country's central banking system, which needs unfiltered data on every transaction that takes place in India. In order to promote data security, RBI introduced the “Data Localization” Act on 8th April 2018
It is an act of storing subjects’ data within the geographical boundaries of India to prevent foreign accessibility. The Reserve Bank of India (RBI) has issued a notice to all payment-related service providers and facilitators to make sure all the transaction data is stored in systems within the geographical region of India.
Additionally, the RBI has issued a notice to all the system providers to submit the System Audit Report within 6 months (the stipulated time) from the date of notice received. The organization carrying out a SAR audit has to assess and verify various facets of the system depending on the guidelines released by the RBI before certifying the assessee company.
Key facets to assess and verify during the SAR audit:
Transaction Data Components
Payment / Data Flow
Application Structure
Network Architecture / Diagram
Data Storage
Payment Processing
Cross Border Transactions
Activities Successive to Payment Processing
Database Storage and Maintenance
Data Backup & Restoration
Access Management
Data Security
The assessor and the assessee company meticulously categorize and verify the system facets as per the RBI-issued guidelines. In case, the assessee company has any gaps in terms of adherence to guidelines, the auditor company conveys it to the auditee organization and provides solutions to ensure everything is in place.
What Should be the SAR Audit Approach?
When it comes to conducting a SAR audit, the approach is a factor that plays a vital role. An auditor organization must follow RBI and NPCI guidelines while conducting a SAR audit.
Understanding Business Environment
It should be the initial step while conducting a SAR audit. The process includes a requirement to evaluate business processes and the environment to thoroughly understand the key components of the institution.
Audit Scope Finalization
Another key aspect of the SAR audit is finding gaps and prioritizing them to define the audit scope. The process involves documentation and details sharing on collected evidence on the architecture, controls, and implementations.
Initial/Readiness Assessment
Perform an initial audit to understand the business infrastructure and assist clients in knowing about the storage location, which consists of any payment-related data.
Data Flow Assessment
The process involves carrying out an in-depth system audit to analyze data flow and the faults that might lead to data leakage.
Risk Assessment
Risk assessment includes identifying and assessing the existing risks and vulnerabilities in the organization's information security posture.
Scans & Testing
The auditor will scan the systems to find out existing faults and test the security flaws to understand the extent to which the vulnerability can be exploited.
Evidence Validation
This process involves the requirement of reviewing the collected evidence to examine their security in accordance with compliance requirements.
Remediation Support
In this, the auditor needs to provide the clients with remediation support by offering solutions to gaps and compliance challenges.
Final Audit
After offering remediation solutions and patching the faults, the auditor should conduct a final audit of the systems by reviewing the collected evidence during the audit. After conducting the final audit, the auditor company should release a confirmation letter that all the assets defined as per the scope cater to all the RBI-issued guidelines.
Concise Reporting
Post a successful audit, the assessor should document all the findings and remediation solutions, collected during the audit. The document should be submitted to the client organization as soon as possible.
Conclusion
Cyber security in banking and financial institutions is significant as they process and store sensitive transaction information, leakage which could lead patrons and partners to lose their sensitive information and could face severe issues. On April 8, 2018, RBI released an order for all payment-related service providers to ensure their customers’ transaction data is stored in systems in India only.
The auditor organization needs to carry out an in-depth SAR audit to assess the existing faults and provide the client organization with remediation solutions to fix those bugs along with verifying that all the preventive measures and controls are in line, in terms of compliance.
After patching evidence collected during the audit, the auditor must conduct a final audit and release the confirmation letter that the assessee organization follows all the RBI-notified guidelines and implemented security controls to prevent data breach cases.
If you are looking for an auditor to conduct a SAR audit, connect the auditor with rich experience in the relevant field to ensure effectiveness and security.











