Introduction to the RBI Housing Finance Company (HFC) IS & Cyber Audit
Housing Finance Companies (HFCs) occupy a systemically important position in India's financial services landscape, channelling long-tenor credit into the residential mortgage market while simultaneously acting as custodians of vast repositories of borrower personal, financial and property data. Following the transfer of regulatory oversight of HFCs from the National Housing Bank (NHB) to the Reserve Bank of India (RBI) with effect from 9 August 2019, HFCs have progressively been brought within the ambit of the RBI's Non-Banking Financial Company (NBFC) prudential and technology-risk framework. The RBI Housing Finance Company (HFC) IS & Cyber Audit is the independent information systems (IS) audit and cyber-security assurance exercise that an HFC must commission to demonstrate that its technology estate, cyber-resilience posture, IT governance and outsourcing arrangements comply with the Reserve Bank's directions.
This guide is written for two audiences at once: the auditor who must plan, evidence and opine on the control environment, and the implementer (CISO, Head of IT, CTO, compliance and risk functions) who must build, remediate and operate the underlying controls. It consolidates the applicable RBI Master Directions, the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (IT GRC Directions, 2023), the Master Directions on Digital Lending, the Cyber Security guidance issued for the NBFC/HFC sector, and the intersecting directions of UIDAI, NPCI, CERT-In and the Digital Personal Data Protection Act, 2023 (DPDP Act) into a single auditor-grade playbook.
What is the RBI HFC IS & Cyber Audit
The RBI HFC IS & Cyber Audit is a structured, evidence-based assurance engagement that evaluates whether a Housing Finance Company's information technology and cyber-security controls meet the requirements set out by the Reserve Bank of India. It is not a single monolithic circular but a composite obligation that draws on several instruments. The keystone is the Master Direction - Information Technology Governance, Risk, Controls and Assurance Practices dated 7 November 2023 (referenced in this guide as the IT GRC Directions), which applies to Regulated Entities (REs) including NBFCs and HFCs above defined asset thresholds, and which mandates an IT governance framework, IT and information security risk management, IT operations, information security controls, business continuity and disaster recovery, and independent assurance through IS Audit.
The audit typically spans the following interlocking obligations: (i) periodic Information Systems (IS) Audit covering IT general controls and application controls; (ii) an annual or event-driven Cyber Security posture assessment aligned to the RBI's cyber-security expectations for the NBFC/HFC sector; (iii) Vulnerability Assessment and Penetration Testing (VAPT) of internet-facing and internal assets; (iv) review of outsourcing and third-party/cloud arrangements against the RBI outsourcing framework; (v) Digital Lending controls where the HFC operates through Lending Service Providers (LSPs) or Digital Lending Apps (DLAs); (vi) data localisation and protection controls under the DPDP Act, 2023 and, where applicable, RBI storage-of-payment-data and Aadhaar (UIDAI/AUA-KUA) directions; and (vii) CERT-In cyber-incident reporting readiness under the 28 April 2022 Directions.
The output of the engagement is a formal IS Audit and Cyber Audit report, tabled before the IT Strategy Committee and the Board (or its Audit Committee / IT Committee), together with a risk-rated observations register, a remediation roadmap with target dates, and a management representation on the corrective action plan. The report and its closure evidence must be retained and made available to the RBI on demand or during supervisory inspection.
Who must comply
Applicability is driven by the HFC's registration status, asset size and the RBI scale-based regulation (SBR) layer into which it falls. Under the SBR framework, HFCs are treated as a category within the NBFC universe and are ordinarily classified in the Middle Layer (NBFC-ML) or Upper Layer (NBFC-UL) depending on size, with correspondingly graded IT and cyber obligations.
| Entity / population | Applicability of RBI HFC IS & Cyber Audit |
|---|---|
| Housing Finance Companies registered with RBI (post-NHB transfer) | In scope; must comply with HFC Directions, 2021 and the IT GRC Directions per applicable asset threshold |
| HFCs in the NBFC Upper Layer (NBFC-UL) | Full applicability of IT GRC Directions including IT Strategy Committee, CISO, IS Audit, BCP/DR and enhanced cyber controls |
| HFCs in the NBFC Middle Layer (NBFC-ML) | Applicable with graded expectations; IT governance, IS Audit and cyber-resilience controls required |
| Smaller HFCs / Base Layer equivalents | Proportionate, baseline cyber-hygiene and IS Audit expectations apply as prescribed |
| HFCs offering digital lending via DLAs / LSPs | Additional Digital Lending Directions, 2025 controls, KFS, and data-handling obligations apply |
| HFCs acting as Aadhaar AUA/KUA or Sub-AUA | UIDAI Aadhaar Act, regulations and AUA/KUA audit obligations apply |
| HFCs storing or processing payment data (EMI collections, mandates) | RBI payment-data storage and NPCI/NACH e-mandate controls apply |
| All HFCs as bodies corporate handling personal data | DPDP Act, 2023 obligations as Data Fiduciary; CERT-In incident reporting Directions, 2022 |
- Board and IT Strategy Committee members, who bear ultimate accountability for the IT and cyber-risk framework.
- Chief Information Security Officer (CISO) and Chief Technology / Information Officer, who own the control environment being audited.
- Head of Compliance and Chief Risk Officer, who must ensure regulatory alignment and risk-acceptance governance.
- Internal auditors and the appointed independent IS auditor / CERT-In empanelled assessor conducting the review.
- Outsourced service providers, LSPs, cloud providers and fintech partners whose controls fall within the assessment perimeter.
Structure of the RBI HFC IS & Cyber Audit
The audit is organised around the control domains defined primarily in the IT GRC Directions (2023), supplemented by sector-specific obligations. The table below sets out the principal domains, their indicative control families and the anchoring regulatory reference. These domains form the backbone of the master assessment checklist that follows.
| Domain | Indicative control families | Anchoring reference |
|---|---|---|
| D1. IT Governance | Board & IT Strategy Committee oversight, IT policy framework, roles and accountability, IT & cyber strategy | IT GRC Directions Ch. II |
| D2. IT Infrastructure & Service Management | Capacity, change, configuration, patch, asset and problem management, IT operations | IT GRC Directions Ch. III |
| D3. Information Security & Cyber Resilience | Security policy, access control, cryptography, network security, endpoint, SOC/monitoring, cyber-crisis management | IT GRC Directions Ch. IV; RBI cyber guidance |
| D4. IT & Information Security Risk Management | Risk assessment, risk register, KRIs, third-party risk, risk acceptance | IT GRC Directions Ch. II-IV |
| D5. Business Continuity & Disaster Recovery | BIA, BCP, DR site, RTO/RPO, drills, resilience testing | IT GRC Directions Ch. V |
| D6. IS Audit & Assurance | IS Audit charter, scope, competency, reporting, follow-up | IT GRC Directions Ch. VI |
| D7. Outsourcing, Cloud & Third-Party | Due diligence, contracts, right-to-audit, concentration & exit, cloud shared responsibility | RBI Outsourcing of IT Services Directions |
| D8. Digital Lending Controls | DLA/LSP governance, KFS, cooling-off, data minimisation, grievance, direct disbursal | Digital Lending Directions, 2025 |
| D9. Data Protection & Privacy | DPDP Act obligations, consent, localisation, Aadhaar/UIDAI, payment-data storage | DPDP Act 2023; UIDAI; RBI storage directions |
| D10. Incident Management & Reporting | CERT-In 6-hour reporting, RBI incident reporting, forensic readiness, log retention | CERT-In Directions 28 Apr 2022; RBI |
| D11. Application Controls | Loan origination, LOS/LMS, collections, GL interface, input/processing/output controls | IS Audit application-control review |
Master assessment checklist
This is the operative heart of the engagement. Each control domain below is decomposed into verifiable requirements. For every group the auditor should test design and operating effectiveness, and the implementer should ensure the control exists, is documented, and produces the typical evidence noted. The tables use two columns throughout: What to verify (the audit assertion) and Typical evidence (the artefacts an auditor will request and an implementer must be able to produce).
D1 - IT Governance
| What to verify | Typical evidence |
|---|---|
| Board-approved IT and cyber-security strategy aligned to business strategy exists and is reviewed at least annually | Board/IT Strategy Committee minutes, approved IT strategy document with review dates |
| An IT Strategy Committee (ITSC) with the required independent-director chair is constituted and meets at prescribed frequency | ITSC terms of reference, member list, attendance registers, meeting minutes |
| A comprehensive, Board-approved IT policy and cyber-security policy framework is in place and version-controlled | Policy repository, approval sign-offs, version history, review calendar |
| Roles, responsibilities and accountability (CISO, CTO, IT heads) are formally defined and segregated | Organisation chart, RACI matrix, CISO appointment letter, reporting-line evidence |
| IT and cyber budget, resourcing and investment are governed and tracked | Budget approvals, IT spend reports, ITSC review of resourcing |
| Adequacy of the CISO function, reporting independently of business/IT operations, is established | CISO charter, reporting structure, CISO reports to Board/ITSC |
D2 - IT Infrastructure and Service Management
| What to verify | Typical evidence |
|---|---|
| A change management process with segregation between development, test and production is enforced | Change tickets, CAB minutes, approvals, promotion logs, rollback plans |
| Patch management ensures timely deployment of security and OS patches per defined SLAs | Patch policy, patch deployment reports, aged-patch exception register |
| Configuration and hardening baselines (CIS/vendor benchmarks) are applied and monitored for drift | Hardening standards, configuration scan reports, drift-remediation records |
| A complete IT asset inventory (hardware, software, cloud) is maintained with ownership | CMDB/asset register, reconciliation reports, licence compliance records |
| Capacity and performance are monitored to prevent service degradation | Capacity plans, utilisation dashboards, threshold-breach alerts |
| Problem and incident management processes exist with root-cause analysis | ITSM tool records, RCA reports, problem register, trend analysis |
D3 - Information Security and Cyber Resilience
| What to verify | Typical evidence |
|---|---|
| A logical access control framework enforces least privilege, RBAC and periodic access recertification | Access matrices, recertification reports, joiner-mover-leaver logs |
| Privileged access is managed through a PAM solution with session recording and just-in-time elevation | PAM configuration, privileged-session logs, break-glass procedure evidence |
| Multi-factor authentication is enforced for remote, administrative and internet-facing access | MFA policy, authentication logs, VPN/remote-access configuration |
| Encryption is applied to data at rest and in transit using approved algorithms and key management | Crypto policy, TLS configuration, KMS/HSM records, key-rotation logs |
| Network segmentation, firewalls, IPS and DDoS protection are deployed and rule-reviewed | Network diagrams, firewall rule-base review, IPS/DDoS reports |
| Endpoint protection (EDR/anti-malware) with centralised management is deployed on all assets | EDR console coverage report, detection/response logs, exception list |
| A Security Operations Centre / SIEM performs 24x7 monitoring with defined use-cases and correlation | SIEM use-case catalogue, alert triage records, SOC SLA reports |
| Email and web security controls (anti-phishing, DMARC/SPF/DKIM, URL filtering) are enforced | DMARC records, phishing-simulation results, gateway configuration |
| A cyber-crisis management plan (CCMP) and cyber-drill programme are established and tested | CCMP document, tabletop/drill reports, lessons-learned actions |
| Secure SDLC / secure configuration for applications and APIs is followed | SDLC policy, code-review/SAST-DAST reports, API security testing |
D4 - IT and Information Security Risk Management
| What to verify | Typical evidence |
|---|---|
| A documented IT and information-security risk assessment methodology is applied periodically | Risk methodology, latest risk assessment, scoring rationale |
| A maintained risk register with owners, treatment plans and residual-risk ratings exists | Risk register, treatment-plan tracker, residual-risk sign-offs |
| Key Risk Indicators (KRIs) are defined, monitored and escalated to the ITSC/Board | KRI dashboard, threshold breaches, escalation records |
| Risk-acceptance decisions are governed with defined authority and time limits | Risk-acceptance forms, approver authority matrix, review dates |
| Third-party and concentration risks are assessed and aggregated | Vendor risk assessments, concentration analysis, dependency mapping |
D5 - Business Continuity and Disaster Recovery
| What to verify | Typical evidence |
|---|---|
| A Business Impact Analysis identifies critical systems, RTO and RPO targets | BIA document, criticality ratings, RTO/RPO register |
| A Board-approved BCP covering people, process and technology exists and is current | BCP document, approval, review dates, call trees |
| A geographically separate DR site with adequate capacity is maintained | DR architecture, site details, capacity parity evidence |
| DR drills and failover tests are conducted at prescribed frequency with documented results | DR test plans, drill reports, RTO/RPO achievement vs target |
| Backup, restoration and data-integrity testing are performed and validated | Backup policy, restore-test logs, backup success/failure reports |
| Resilience of critical outsourced/cloud services is contractually assured and tested | Provider DR/SLA clauses, cloud region-failover evidence |
D6 - IS Audit and Assurance
| What to verify | Typical evidence |
|---|---|
| A Board/Audit Committee-approved IS Audit charter and risk-based annual IS Audit plan exist | IS Audit charter, approved plan, coverage universe |
| IS Audit is performed by competent, independent auditors (CISA/CERT-In empanelled) | Auditor credentials, empanelment proof, independence declaration |
| IS Audit scope covers IT general controls and application controls across critical systems | Audit scope documents, workpapers, coverage matrix |
| Findings are risk-rated, reported to the Audit Committee and tracked to closure | IS Audit report, ACB minutes, open-observation tracker |
| Prior-period observations are followed up and closure evidence is validated | Follow-up audit, closure evidence, re-test results |
D7 - Outsourcing, Cloud and Third-Party Management
| What to verify | Typical evidence |
|---|---|
| An outsourcing policy consistent with RBI Outsourcing of IT Services Directions is Board-approved | Outsourcing policy, Board approval, materiality assessment |
| Due diligence is performed before onboarding IT and cloud service providers | Vendor due-diligence reports, financial/security assessments |
| Contracts include right-to-audit, confidentiality, SLA, data-location and exit clauses | Executed contracts, clause matrix, right-to-audit invocation records |
| Sub-contracting and fourth-party dependencies are identified and controlled | Sub-contractor register, chain-of-outsourcing mapping |
| Cloud shared-responsibility model and data-residency requirements are documented and honoured | Shared-responsibility matrix, data-residency evidence, cloud config reviews |
| Exit and business-continuity strategy for material outsourcing is defined and tested | Exit plan, data-return/destruction procedure, portability evidence |
D8 - Digital Lending Controls
| What to verify | Typical evidence |
|---|---|
| All Digital Lending Apps (DLAs) and Lending Service Providers (LSPs) are inventoried and Board-approved | DLA/LSP register, agreements, RBI DLA reporting/directory submission |
| A Key Fact Statement (KFS) with all-inclusive APR is provided to every digital borrower | KFS templates, sample disbursals, APR computation evidence |
| A cooling-off / look-up period is enforced for digital loans | Product configuration, borrower communications, cancellation logs |
| Loan disbursal and repayment flow directly between borrower and HFC bank accounts (no pass-through/pool) | Disbursal/collection reconciliation, no third-party pool-account evidence |
| Data collected by DLAs is need-based, consent-driven and minimised; no access to phone contacts/media | DLA permission audit, consent architecture, data-minimisation review |
| A grievance redressal mechanism and nodal officer for digital lending are published and functional | Grievance SOP, nodal officer details, complaint MIS, TAT reports |
D9 - Data Protection, Privacy and Localisation
| What to verify | Typical evidence |
|---|---|
| The HFC's obligations as a Data Fiduciary under the DPDP Act, 2023 are mapped and operationalised | Data inventory, RoPA equivalent, consent notices, purpose limitation |
| Consent management, notice and grievance/data-principal rights processes exist | Consent records, DPB/grievance workflow, rights-request logs |
| Aadhaar handling (as AUA/KUA/Sub-AUA) complies with UIDAI Act, regulations and audit requirements | UIDAI licence, AUA/KUA audit report, Aadhaar data-vault, tokenisation |
| Payment/EMI/mandate data storage complies with applicable RBI storage directions | Data-storage location evidence, storage-compliance audit, NPCI mandate config |
| Data retention, archival and secure disposal schedules are defined and enforced | Retention schedule, disposal certificates, media-sanitisation records |
| Data classification and DLP controls protect PII and sensitive financial data | Classification policy, DLP incident reports, PII discovery scans |
D10 - Incident Management and Regulatory Reporting
| What to verify | Typical evidence |
|---|---|
| Cyber incidents are reported to CERT-In within 6 hours per the 28 April 2022 Directions | Incident register, CERT-In reporting acknowledgements, timelines |
| Material cyber incidents are reported to the RBI within prescribed timelines | RBI incident-report submissions, escalation matrix |
| An incident response plan with severity classification and roles is documented and tested | IR plan, severity matrix, playbooks, drill records |
| Logs are synchronised to Indian Standard Time (NTP) and retained for the mandated period (180 days) | NTP configuration, log-retention policy, log-storage evidence |
| Forensic readiness and evidence-preservation procedures exist for post-incident investigation | Forensic SOP, retainer with DFIR provider, chain-of-custody templates |
D11 - Application Controls (LOS / LMS / Collections / GL)
| What to verify | Typical evidence |
|---|---|
| Input controls prevent unauthorised or erroneous data entry in loan origination and servicing | Validation rules, maker-checker configuration, rejection logs |
| Processing controls ensure accurate interest, EMI, NPA classification and provisioning computation | Recalculation testing, EMI/interest reconciliation, NPA logic review |
| Output and interface controls ensure integrity of GL, regulatory returns and reporting | GL reconciliation, interface logs, return-generation validation |
| Segregation of duties is enforced within the LOS/LMS through role configuration | Role-permission matrix, SoD conflict report, override log review |
| Audit trails capture create/modify/delete with user, timestamp and before/after values | Application audit-log samples, tamper-protection evidence |
Scoping the engagement
Accurate scoping determines both audit effort and regulatory sufficiency. Scoping must be risk-based and traceable to the HFC's actual technology footprint rather than a generic checklist. The following dimensions define the assessment perimeter.
- Business criticality: the core Loan Origination System (LOS), Loan Management System (LMS), collections, treasury, general ledger, regulatory-reporting and customer-facing channels are always in scope.
- Channel exposure: internet-facing portals, mobile apps, DLAs, APIs and partner integrations that expand the attack surface.
- Data sensitivity: systems processing Aadhaar, PAN, bank details, credit-bureau data, property documents and other PII/financial data.
- Hosting model: on-premises data centres, co-location, private/public cloud and SaaS, with the cloud shared-responsibility split clearly delineated.
- Outsourcing perimeter: material IT outsourcing, LSPs, managed-service providers and fourth-party dependencies within right-to-audit reach.
- Regulatory triggers: SBR layer (ML/UL), digital-lending activity, Aadhaar AUA/KUA status and payment-data processing that pull in additional directions.
- Exclusions and rationale: any system deliberately excluded must be documented with justification and residual-risk acknowledgement.
Implementation approach (phased)
For an HFC preparing for or remediating against the RBI IS & Cyber Audit, a phased programme reduces disruption and produces defensible, board-reportable milestones. Each phase below lists indicative activities and deliverables.
Phase 1 - Discovery and gap assessment (Weeks 1-4)
- Activities: build the asset, data-flow and vendor inventory; map obligations across IT GRC Directions, digital-lending, DPDP, UIDAI and CERT-In; run a control-by-control gap assessment against the master checklist.
- Deliverables: current-state assessment report, regulatory-obligation register, prioritised gap list with risk ratings.
Phase 2 - Governance and policy foundation (Weeks 3-8)
- Activities: constitute/refresh the IT Strategy Committee; formalise the CISO charter and reporting line; author or update the IT, cyber-security, outsourcing, BCP and data-protection policy suite; obtain Board approval.
- Deliverables: approved policy framework, ITSC terms of reference, RACI matrix, governance calendar.
Phase 3 - Technical control remediation (Weeks 6-16)
- Activities: deploy/tune PAM, MFA, EDR, SIEM/SOC, DLP and encryption; harden configurations; segment networks; remediate VAPT findings; implement secure SDLC and API security.
- Deliverables: remediation tracker with closure evidence, VAPT re-test report, hardened-baseline attestation.
Phase 4 - Resilience and third-party assurance (Weeks 10-18)
- Activities: complete BIA, refresh BCP/DR, conduct DR drill; execute outsourcing due-diligence, contract remediation and right-to-audit; validate cloud data-residency and exit plans.
- Deliverables: BIA/BCP pack, DR drill report, vendor-assurance dossier, cloud-compliance evidence.
Phase 5 - Independent IS & Cyber Audit (Weeks 16-22)
- Activities: engage the independent CERT-In empanelled / CISA-qualified auditor; conduct fieldwork across all domains; risk-rate observations; agree the management action plan.
- Deliverables: IS & Cyber Audit report, observations register, Board/ACB presentation, corrective action plan.
Phase 6 - Closure, reporting and continuous assurance (Ongoing)
- Activities: remediate observations; re-test; embed KRIs and continuous monitoring; establish periodic re-audit and CERT-In/RBI reporting readiness.
- Deliverables: closure-evidence pack, continuous-assurance dashboard, annual re-audit plan.
Maturity and capability model
To communicate progress to the Board and to prioritise remediation, CyberSigma rates each control domain against a five-level capability model. The audit report assigns a maturity level per domain, enabling a heat-map view of the HFC's overall cyber and IT-governance posture.
| Level | Descriptor | Characteristics |
|---|---|---|
| Level 1 | Initial / Ad hoc | Controls undocumented, reactive, person-dependent; no consistent evidence trail |
| Level 2 | Developing / Repeatable | Basic policies exist but coverage is partial; controls applied inconsistently |
| Level 3 | Defined / Established | Policies approved, controls documented and consistently operated across scope |
| Level 4 | Managed / Measured | Controls monitored with metrics/KRIs; exceptions governed; regular testing and review |
| Level 5 | Optimised / Leading | Continuous improvement, automation, threat-informed defence and predictive assurance |
For RBI supervisory sufficiency, an HFC should target a minimum of Level 3 (Defined) across all mandatory domains, with Level 4 (Managed) on information security, incident management and business continuity given their systemic and customer-impact significance.
Assessment and audit approach
The independent IS & Cyber Audit follows a disciplined, repeatable methodology so that the resulting opinion is defensible before the RBI. The typical sequence is as follows.
- Engagement planning: agree scope, timelines, access and rules of engagement; confirm auditor independence and CERT-In empanelment where required.
- Risk-based scoping: finalise the audit universe from the asset, data-flow, vendor and DLA/LSP inventories; rank systems by criticality.
- Control design evaluation: review policies, standards, architecture and configuration against each domain of the master checklist.
- Operating-effectiveness testing: sample transactions, logs and tickets; perform walkthroughs, re-performance and inspection to test controls in operation.
- Technical testing: conduct VAPT, configuration reviews, access-recertification testing and application-control testing on in-scope systems.
- Third-party and cloud review: assess outsourcing contracts, right-to-audit exercise, cloud shared-responsibility and data-residency.
- Findings analysis and risk rating: classify each observation by severity (Critical/High/Medium/Low) with impact and likelihood rationale.
- Reporting and validation: table the draft report, agree management responses and target dates, and issue the final IS & Cyber Audit report.
- Governance tabling: present to the IT Strategy Committee and Audit Committee of the Board; obtain acceptance of the action plan.
- Follow-up and closure: re-test remediated observations, validate closure evidence and confirm residual-risk acceptance where remediation is deferred.
Evidence request list
The following categorised evidence list is what an auditor will request at kick-off and what an implementer should assemble in advance to compress fieldwork. Gathering these artefacts before the audit begins is the single biggest lever on engagement efficiency.
- Governance: Board and ITSC minutes, IT/cyber strategy, approved policy suite, CISO appointment and charter, organisation chart and RACI.
- Risk: risk-assessment methodology, current risk register, KRI dashboards, risk-acceptance records.
- Infrastructure & operations: asset inventory/CMDB, network diagrams, change/patch/configuration records, capacity reports.
- Information security: access matrices and recertification, PAM/MFA configuration, encryption and key-management records, SIEM/SOC reports, EDR coverage, VAPT reports.
- Business continuity: BIA, BCP, DR architecture, DR drill reports, backup and restore-test logs.
- Outsourcing & cloud: outsourcing policy, due-diligence reports, executed contracts with right-to-audit, cloud shared-responsibility and data-residency evidence, exit plans.
- Digital lending: DLA/LSP register and agreements, KFS samples, disbursal/collection reconciliations, grievance MIS.
- Data protection: data inventory, consent records, retention/disposal schedules, UIDAI AUA/KUA audit, DLP incident reports.
- Incident management: incident register, CERT-In and RBI reporting acknowledgements, IR plan, log-retention and NTP evidence.
- Prior assurance: previous IS Audit reports, open-observation tracker, closure evidence and re-test results.
Roles and responsibilities
| Role | Primary responsibilities in the audit |
|---|---|
| Board / Audit Committee | Approve IS Audit charter and plan; receive audit report; own residual-risk acceptance and remediation oversight |
| IT Strategy Committee | Oversee IT/cyber strategy and posture; review audit findings; ensure resourcing for remediation |
| Chief Information Security Officer | Own information-security controls; coordinate evidence; drive remediation; report posture to Board/ITSC |
| Chief Technology / IT Officer | Own IT operations, infrastructure and application controls; provide technical evidence and access |
| Chief Risk Officer | Ensure risk framework integration; validate KRIs and risk-acceptance governance |
| Head of Compliance | Confirm regulatory alignment across RBI, CERT-In, UIDAI, DPDP; track reporting obligations |
| Internal Audit | Coordinate the engagement; maintain the observation tracker; validate closure evidence |
| Independent IS & Cyber Auditor | Plan and execute the audit; perform testing and VAPT; issue risk-rated opinion and report |
| Business / Process Owners | Provide walkthroughs, transaction samples and process documentation for in-scope systems |
| Outsourced / Cloud Providers | Furnish assurance reports, configuration evidence and support right-to-audit exercises |
KPIs to track
- Percentage of control domains at or above target maturity (minimum Level 3).
- Number of open Critical/High audit observations and mean time to remediation.
- VAPT critical/high vulnerability count and closure rate against SLA.
- Patch compliance percentage within defined SLA windows.
- Privileged-access recertification completion rate and orphaned-account count.
- Mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
- CERT-In / RBI incident-reporting timeliness (percentage reported within mandated windows).
- DR drill success rate against RTO/RPO targets.
- Third-party assurance coverage (percentage of material vendors with current assessments and right-to-audit).
- Digital-lending compliance metrics: KFS issuance rate, grievance TAT, direct-disbursal reconciliation exceptions.
- Phishing-simulation failure rate and security-awareness training completion.
Readiness checklist
- IT Strategy Committee constituted with independent-director chair and meeting at prescribed frequency.
- CISO appointed with an independent reporting line and a Board-approved charter.
- Board-approved IT, cyber-security, outsourcing, BCP and data-protection policy suite is current and version-controlled.
- Complete, reconciled asset, data-flow, vendor and DLA/LSP inventories are maintained.
- IT and information-security risk register with owners, treatment plans and KRIs is live.
- PAM, MFA, EDR, SIEM/SOC, DLP and encryption controls are deployed and monitored.
- Latest VAPT completed with critical/high findings remediated and re-tested.
- BIA, BCP and DR are current and a DR drill has been conducted with results within RTO/RPO.
- Outsourcing contracts include right-to-audit, data-residency and exit clauses; cloud residency validated.
- Digital-lending controls (KFS, cooling-off, direct disbursal, data minimisation, grievance) are operational.
- DPDP, UIDAI AUA/KUA and payment-data storage obligations are mapped and evidenced.
- CERT-In 6-hour and RBI incident-reporting processes are documented, tested and NTP/log-retention configured.
- Prior IS Audit observations are closed with validated evidence.
- Independent CERT-In empanelled / CISA-qualified auditor is engaged with agreed scope.
Common gaps
- Incomplete audit scope that omits shadow-IT systems, unlisted DLAs or fourth-party sub-processors holding borrower data.
- CISO reporting into IT operations rather than independently, undermining segregation and challenge.
- Outsourcing contracts lacking enforceable right-to-audit, data-residency or exit clauses for material services.
- DR sites present but never failover-tested, so RTO/RPO targets are unproven.
- Log retention shorter than the mandated 180 days, or clocks not synchronised to Indian Standard Time, weakening incident forensics.
- CERT-In 6-hour reporting process undocumented or untested, risking non-compliance during a live incident.
- Digital-lending flows using pass-through or pool accounts instead of direct borrower-to-HFC disbursal and repayment.
- Key Fact Statement omitting the all-inclusive APR, or DLAs requesting excessive permissions (contacts, media, location).
- Privileged access unmanaged by a PAM tool, with shared admin credentials and no session recording.
- Risk-acceptance decisions taken informally without defined authority, expiry or Board visibility.
- VAPT performed but findings not tracked to closure, or re-testing skipped after remediation.
- Aadhaar data handled without a compliant data-vault/tokenisation and current UIDAI AUA/KUA audit.
RBI HFC IS & Cyber Audit mapped to other frameworks
HFCs frequently maintain overlapping certifications and obligations. Mapping the RBI audit domains to widely adopted frameworks lets the HFC reuse control evidence and avoid duplicate effort across assurance cycles.
| RBI HFC domain | ISO/IEC 27001:2022 | NIST CSF 2.0 | PCI DSS / DPDP relevance |
|---|---|---|---|
| IT Governance | Clauses 5-6 (Leadership, Planning); A.5 policies | GOVERN (GV) | DPDP accountability of Data Fiduciary |
| IT Infrastructure & Service Management | A.8 Asset & operations controls | PROTECT (PR), IDENTIFY (ID) | PCI DSS Req 2, 6 (config, secure systems) |
| Information Security & Cyber Resilience | A.5-A.8 across access, crypto, network | PROTECT (PR), DETECT (DE) | PCI DSS Req 1,3,4,7,8,10; DPDP security safeguards |
| Risk Management | Clause 6.1; A.5.7 threat intel | IDENTIFY (ID), GOVERN (GV) | DPDP risk-based safeguards |
| Business Continuity & DR | A.5.29-A.5.30 continuity | RECOVER (RC), RESPOND (RS) | PCI DSS Req 12 (BCP elements) |
| IS Audit & Assurance | Clauses 9-10 (evaluation, improvement) | GOVERN (GV) | PCI DSS Req 12 assessment; DPDP audits |
| Outsourcing, Cloud & Third-Party | A.5.19-A.5.23 supplier relationships | IDENTIFY (ID), GOVERN (GV) | PCI DSS Req 12.8; DPDP processor obligations |
| Digital Lending Controls | A.5.34 privacy & PII | GOVERN (GV), PROTECT (PR) | DPDP consent & data minimisation |
| Data Protection & Privacy | A.5.34; ISO/IEC 27701 PIMS | PROTECT (PR) | DPDP Act 2023; PCI DSS Req 3 (data storage) |
| Incident Management & Reporting | A.5.24-A.5.28 incident mgmt | RESPOND (RS), DETECT (DE) | PCI DSS Req 10, 12.10; CERT-In reporting |
| Application Controls | A.8.25-A.8.31 secure development | PROTECT (PR) | PCI DSS Req 6 secure software |