What changed
RBI partially modified earlier circulars from December 2009 and December 2010 on system audit submissions. The key change: system audits must now be conducted exclusively by a Certified Information Systems Auditor (CISA) registered with ISACA or a holder of a Diploma in Information System Audit (DISA) from ICAI.
What it means for you
Payment system operators and entities must now ensure their system auditors hold specific, recognized certifications—CISA or DISA. This raises the bar for audit quality and consistency, potentially limiting the pool of eligible auditors and increasing compliance costs for smaller operators.
What you must do
- Verify that your current system auditor holds a valid CISA (ISACA) or DISA (ICAI) qualification.
- Update your vendor/auditor empanelment criteria to match the new qualification requirements.
- Ensure future system audit reports are submitted only after audits by qualified CISA or DISA auditors.
- Acknowledge receipt of this circular to RBI as instructed.
Who it affects
- All authorised payment system operators
- All authorised payment system entities
- System audit firms and auditors serving payment operators
What qualifications are now mandatory for system auditors under this circular?
The auditor must be a Certified Information Systems Auditor (CISA) registered with ISACA, or hold a Diploma in Information System Audit (DISA) from ICAI.
Does this circular replace all earlier system audit instructions?
No, it only partially modifies the instructions in the earlier circulars of December 2009 and December 2010. Other requirements from those circulars remain in force.
What should I do if my current auditor does not have CISA or DISA?
You need to engage a new auditor who meets the specified qualification criteria before your next system audit submission to RBI.