
IS Audit (RBI) Guidelines


Overview: IS Audit (RBI) Guidelines, Security Audit for the NBFC Sector

The banking sector is one of the most targeted sectors in terms of cyber threats and attacks. Annually, 6 out of 10 people report that their data has been compromised through a loan service. In view of this, the RBI, in its Master Directions, has directed all NBFCs to conduct an IT audit in line with the RBI IS Audit requirements.


The IS Audit is conducted per the Terms of Reference (TOR) and the regulations laid down by the ICAI, the RBI and other relevant authorities. An NBFC that wants an audit performed should, together with the external auditor, set an audit plan covering the scope of the current audit and of previous audits. Once the auditors have a plan of action for the IS Audit, they check the network systems and working environment against security controls, network controls, access controls and electronic document controls.

NBFCs with asset size of Rs 500 crore or more: the required IT framework covers IT governance, IT operations, Business Continuity Planning and Disaster Recovery, and IT services outsourcing.

NBFCs with asset size below Rs 500 crore: the required IT framework covers data backup and testing, a well-defined function within the IT system, filing regulatory returns with the RBI, and generating the key financial reports for top management.

Why do organizations need it?

The goal of information security is to limit access to sensitive data. NBFCs must have a comprehensive information security policy that includes the following essential principles:

  • Data authorization: ensuring that sensitive data is accessible to authorized users only.
  • Assuring information accuracy and reliability by preventing.
  • Data access: making sure that users have access to data whenever they need it.
  • It is vital for Information Security to ensure that data, transactions.

Our Approach

All the information and understanding gathered is compiled into a well-documented scope, objective and criteria that determine the boundaries and applicability of the RBI IS Audit, with reference to the pain points and requirements of the stakeholders. The scope covers the work systems, the number of departments and the locations of the organization.

To understand the data flow in your business, we review your information security policies, which are to be kept updated in line with ever-changing information security needs. Evidence is requested on the architecture, implementation and controls. The organization's policies, procedures and other documentation are then assessed.

An initial audit is performed to understand the organization's infrastructure and to help the client identify evidence for every audit point. Once gaps are identified, options for improvement are offered wherever possible.

Kratikal gives appropriate recommendations for compliance with the RBI mandate based on the evaluation results and the data identified.

After the assessment and remediation are complete, Kratikal reviews your evidence for closure of the action items identified during the audit. Upon successful closure of the identified issues, we submit the audit report.


CERT-In empanelled | NBFC audit | Qualified experts


Clients: Convin, Finbit, Kogta, Procap, Square Yards, Suco Bank



What are the necessary requirements to be met for NBFCs above Rs 500 crore?
  • IT Governance
  • IT Policy
  • Information and Cyber Security
  • IS Audit
  • IT Services Outsourcing

Every NBFC must register with the RBI before starting or carrying on any non-banking financial institution business.

Systemically important NBFCs are those with assets of Rs 500 crore or more as of their most recent audited balance sheet.