CERT-In Empanelled — Mandatory auditor qualification for RBI and SAR-style engagements

System Audit Report (SAR) for Data Localization and Payment Compliance

SAR is a family of regulator-mandated audits required by RBI, NPCI, CDSL, and SEBI. Security Brigade delivers CERT-In empanelled, regulator-ready System Audit Reports across data localization, PA-PG, PPI, BBPOU, UPI TPAP, and depository participant mandates.

SAR-Ready
Audit Coverage
RBI-Aligned
Methodology
370+
BFSI Engagements
Since 2008
CERT-In Empanelled

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Assess

Regulatory scoping, asset inventory, architecture review, data-flow mapping, and evidence collection across all in-scope systems, applications, APIs, databases, cloud regions, backups, and third-party processors.

STEP 02

Remediate

Gap assessment with risk-ranked findings, practical remediation guidance, evidence expectations for each gap, and tracked closure support through the Lemon platform until all non-compliances are resolved.

STEP 03

Certify

Final validation, regulator-specific checklist completion, executive summary, and submission-ready System Audit Report with no open findings for regulator or ecosystem body submission.

What Is a System Audit Report (SAR) for Data Localization?

A System Audit Report (SAR) is a regulator-mandated audit that validates whether a regulated entity's systems, payment data flows, and security controls comply with RBI, NPCI, CDSL, or SEBI requirements. For data localization, the SAR specifically verifies that the full end-to-end payment transaction data is stored only in India, including every copy held in replicas, logs, backups and DR, and that where a transaction is processed abroad the data is deleted from the foreign systems and brought back to India within one business day or 24 hours of processing, whichever is earlier, as RBI's directive on storage of payment system data and its follow-up FAQ require. The directive permits only the foreign leg of a cross-border transaction to be stored abroad where needed.

Who Needs a SAR and What Does It Cover?

SAR is not one audit. It is a family of regulator-mandated audits, each with a specific regulatory lens applied to a universal core of system audit, security controls, data-flow validation, and evidence-backed compliance attestation.

RBI Data Localization SAR

Payment data residency, full transaction data storage in India, deletion from foreign systems, database maintenance, backup restoration, and data security evidence.

SAR for Payment Aggregators and Gateways (PA-PG)

Merchant onboarding, escrow and settlement flows, refund handling, card and payment data handling, PCI-DSS relevance, VAPT, and board-level reporting.

SAR for Prepaid Payment Instruments (PPI)

Wallet issuance, loading and reloading controls, KYC/AML dependencies, transaction limits, fraud monitoring, escrow/pool account interfaces, and grievance redressal.

SAR for BBPOU / BBPS

BBPOU role, BBPCU integration, biller and agent onboarding, ON-US/OFF-US transaction flows, settlement, dispute handling, and NPCI/Bharat Connect standards.

SAR for UPI TPAPs

Mobile app security, UPI APIs, PSP-bank integration, device binding, authentication, encryption, VPA/account linking, UPI transaction data handling, and no-open-findings expectations.

CDSL System Audit

Depository participant systems, CDSL-provided and DP-owned applications, demat transaction processing, exchange/depository connectivity, access controls, and BCP/DR.

Methodology

8 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Regulatory Scoping and Applicability Mapping

Identify the applicable SAR variant based on license type, regulator, product, payment system, business flow, and entity role. Define audit scope covering all in-scope systems, applications, and data flows.

02

System and Asset Inventory

Document all applications, APIs, infrastructure, cloud and on-prem systems, databases, third-party systems, logs, backups, and admin interfaces within the audit boundary.

03

Architecture and Data-Flow Review

Review application, network, infrastructure, database, security, and integration architecture. Map data collection, processing, storage, transmission, logging, backup, archive, and deletion flows.

Testing
04

Data Localization and Residency Validation

Verify payment data storage exclusively in India across production, replicas, logs, backups, DR, analytics, support tools, and third-party processors. Validate deletion from foreign systems where data is processed abroad.
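A worked example of the residency check this step performs, added here by the editor; it is not Security Brigade's or Lemon's code. It evaluates a constructed cloud-asset inventory (all asset names are hypothetical) against an assumed allow-list of Indian regions for AWS, GCP and Azure, inherits the payment-data classification down replica, backup and log-shipping chains so that mis-tagged copies are still caught, and applies the 24-hour purge bound from RBI's FAQ to data processed abroad:

```python
# Added example (not Security Brigade's code): evaluate a cloud-asset inventory
# against the RBI data-localization rule. The inventory at the bottom is
# constructed for illustration; the region allow-list, asset kinds and the
# 24-hour purge bound are assumptions stated in the lead-in.
from dataclasses import dataclass
from typing import Optional

# Indian regions of the three large clouds: AWS Mumbai/Hyderabad,
# GCP Mumbai/Delhi, Azure Central/South India. Extend for other providers.
INDIA_REGIONS = {
    "ap-south-1", "ap-south-2",
    "asia-south1", "asia-south2",
    "centralindia", "southindia",
}

# RBI's FAQ allows processing abroad only if the data is deleted from the
# foreign system within one business day or 24 hours, whichever is earlier;
# 24 hours is therefore the upper bound enforced here.
MAX_FOREIGN_RETENTION_HOURS = 24


@dataclass
class Asset:
    name: str
    kind: str                            # primary, replica, backup, log, dr, analytics, vendor
    region: str
    holds_payment_data: bool             # what the asset owner tagged it as
    derived_from: Optional[str] = None   # parent asset this is a copy of
    transient_processing: bool = False   # processed abroad, not stored there
    purge_within_hours: Optional[int] = None


def carries_payment_data(asset: Asset, by_name: dict) -> bool:
    """An asset carries payment data if it, or any ancestor it was copied
    from, does. Tags on replicas and snapshots are routinely wrong, so the
    flag is inherited down the copy chain instead of trusted as-is."""
    seen = set()
    current: Optional[Asset] = asset
    while current is not None and current.name not in seen:
        if current.holds_payment_data:
            return True
        seen.add(current.name)
        current = by_name.get(current.derived_from) if current.derived_from else None
    return False


def evaluate(inventory: list) -> list:
    """Return (asset name, reason) findings for every asset that breaks
    residency. Assets that carry no payment data are out of scope."""
    by_name = {a.name: a for a in inventory}
    findings = []
    for a in inventory:
        if not carries_payment_data(a, by_name):
            continue
        if a.region in INDIA_REGIONS:
            continue
        if a.transient_processing:
            # Foreign processing is tolerated only with a purge inside the bound.
            if a.purge_within_hours is None or a.purge_within_hours > MAX_FOREIGN_RETENTION_HOURS:
                findings.append((a.name, f"processed in {a.region} with no purge within "
                                         f"{MAX_FOREIGN_RETENTION_HOURS}h"))
            continue
        findings.append((a.name, f"{a.kind} with payment data stored outside India ({a.region})"))
    return findings


# Constructed inventory: the primaries sit in India, but two derived copies
# and one vendor integration leak data abroad. All names are hypothetical.
INVENTORY = [
    Asset("txn-db-primary", "primary", "ap-south-1", True),
    Asset("txn-db-dr", "dr", "ap-south-2", True, derived_from="txn-db-primary"),
    # Snapshot copied to a US region and tagged as not holding payment data.
    Asset("txn-db-snapshot-us", "backup", "us-east-1", False, derived_from="txn-db-primary"),
    Asset("app-logs", "log", "ap-south-1", True),
    # Log shipping to a SIEM hosted in Europe; the logs carry the same PAN/VPA fields.
    Asset("app-logs-siem", "log", "eu-west-1", False, derived_from="app-logs"),
    Asset("analytics-warehouse", "analytics", "asia-south1", True),
    # Fraud-scoring vendor processes abroad and purges within the bound: allowed.
    Asset("fraud-scoring-vendor", "vendor", "us-west-2", True,
          transient_processing=True, purge_within_hours=24),
    # Reconciliation vendor keeps the data abroad for three days: not allowed.
    Asset("recon-vendor-eu", "vendor", "eu-central-1", True,
          transient_processing=True, purge_within_hours=72),
]


if __name__ == "__main__":
    for name, reason in evaluate(INVENTORY):
        print(f"NON-COMPLIANT  {name}: {reason}")
```

Run as a script it prints the three non-compliant assets. In a real engagement the inventory rows would be generated from the cloud providers' resource APIs and the vendor rows from contracts and data-processing clauses, with the evaluator output attached as the cloud region proof in the evidence set.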

05

Security Controls Assessment and Technical Testing

Assess access controls, MFA, encryption, key management, network security, vulnerability management, logging, monitoring, incident response, change management, and backup/DR. Perform application and API security testing where required.

Delivery
06

Evidence Review and Gap Assessment

Review configurations, cloud region proof, database settings, backup jobs, access logs, policies, audit trails, VA/PT reports, contracts, and management confirmations. Produce risk-ranked gap assessment with remediation guidance.

07

Remediation Support and Closure Validation

Track remediation through Lemon platform with owner assignments, evidence expectations, and revalidation. Verify each finding closure before final report generation.

08

Final SAR Delivery and Regulator Submission

Deliver the regulator-ready System Audit Report, variant-specific checklist, data-flow annexure, executive summary, and final closure report with no open findings for submission.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Indian Private Sector Bank

Read more client stories →

The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

Lemon project view (illustration, lemon.securitybrigade.com/project/PRJ-2847): Coverage Validation for acmecorp.com, 94% covered. Endpoints 247 / 263, Parameters 1,847, Auth Flows 12 / 12, JS Routes 38 / 41. AI flagged 3 undiscovered endpoints: /api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck. Review layers: L1 Complete, L2 In Review, L3 Pending.

Real-Time Client Dashboard

Live view of findings, severity breakdown, remediation status, project timelines, and evidence gaps across all SAR workstreams.

Remediation Tracking and Revalidation

Each finding moves through Vulnerable, Fixed, Confirmed Fixed, or Accepted Risk stages with revalidation by Security Brigade auditors.

Evidence and Artifact Management

Centralized storage for configurations, screenshots, cloud region proof, access logs, policies, VA/PT reports, and management confirmations.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

Banks and NBFCs
RBI Data Localization SAR, RBI Cyber Sec
Payment Aggregators and Gateways
SAR-PA-PG under RBI 2025 PA Master Direc
PPI Issuers
SAR-PPI covering wallet issuance, KYC/AM
BBPS Operating Units
SAR-BBPOU covering BBPCU integration, bi
UPI TPAPs and PSP Banks
SAR for UPI covering mobile app, backend
Depository Participants
CDSL System Audit covering DP systems, C
Fintechs and Lending Platforms
Data localization, account aggregator, P
Stock Brokers and AMCs
SEBI CSCRF-aligned system audit, CDSL/NS

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

Final System Audit Report

The main regulator-submission document with scope, systems reviewed, audit period, methodology, observations, compliance status, and conclusion.

Regulator-Specific Control Matrix

Checklist mapping each RBI, NPCI, CDSL, PA-PG, PPI, or BBPOU requirement to evidence collected, compliance status, and auditor observations.

Data-Flow and Architecture Annexure

Diagrams showing systems, payment and data flows, storage locations, third parties, backup/DR topology, and cross-border processing paths.

Gap Assessment Report

Risk-ranked non-compliances, evidence gaps, and recommended remediation actions with owner assignments and target closure dates.

Remediation Tracker

Tracked through Lemon with owner, severity, target closure date, closure status, and validation evidence for each finding.

Technical Annexures

VA/PT reports, application and API testing notes, configuration review results, access review, cloud/storage evidence, and backup/restore evidence.

Executive Summary and Board Presentation

Management-ready presentation for CXO, board, audit committee, compliance, and technology leadership summarizing posture and compliance status.

Final Closure Report

The no-open-findings compliance version ready for regulator or ecosystem body submission after all remediation is validated.

Continuous Compliance with ShadowMap

The audit gives you a snapshot. ShadowMap gives you the always-on view.

An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.

See the full ShadowMap platform. A 30-day POC is available in three delivery options: Platform Only, Service Only, or Hybrid.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

What is a System Audit Report (SAR) and why is it mandatory?

A System Audit Report is a regulator-mandated audit that validates whether a regulated entity's systems, security controls, and data handling comply with RBI, NPCI, CDSL, or SEBI requirements. It is mandatory because regulators require independent assurance that payment data is stored in India, security controls are effective, and operational processes meet prescribed standards. Non-submission can result in license restrictions, penalties, or onboarding blocks.

Who needs to get a SAR audit done?

Any entity regulated by RBI, NPCI, CDSL, or SEBI that processes, stores, or transmits payment data needs a SAR. This includes banks, NBFCs, payment aggregators, payment gateways, PPI issuers, BBPOUs, UPI TPAPs, PSP banks, depository participants, stock brokers, and fintechs operating under regulated licenses. The specific SAR variant depends on your license type and regulator mandate.

What is the difference between RBI data localization SAR and other SAR variants?

RBI data localization SAR focuses specifically on payment data residency, verifying that full transaction data is stored exclusively in India, data processed abroad is deleted from foreign systems, and database maintenance, backup restoration, and data security meet RBI requirements. Other SAR variants such as SAR-PA-PG, SAR-PPI, or SAR-BBPOU add controls specific to their licensed payment flows on top of the universal data localization core.

Does the SAR auditor need to be CERT-In empanelled?

Yes. RBI mandates that the SAR must be conducted by a CERT-In empanelled auditor. This applies to data localization audits, PA-PG annual system audits, and other RBI-mandated system audits. Security Brigade is CERT-In empanelled, meeting this mandatory auditor qualification requirement for all SAR engagements.

How long does a SAR engagement typically take?

A typical SAR engagement takes 6 to 9 weeks from scoping to final report delivery. This includes regulatory scoping, system and asset inventory, architecture and data-flow review, security controls assessment, technical testing, gap assessment, remediation support, closure validation, and final report generation. The exact timeline depends on the SAR variant, number of in-scope systems, and remediation closure speed.

What is the RBI SAR audit checklist and what does it cover?

The RBI SAR audit checklist covers data storage and localization, database maintenance, backup restoration, data security controls, application and API security, access controls, encryption, network security, logging and monitoring, incident response, change management, and vendor controls. The specific checklist items vary by SAR variant, but all require evidence-backed compliance status, auditor observations, and management comments for each control.

Can Security Brigade help with remediation or only the audit?

Security Brigade provides both audit and remediation support. After the gap assessment, each finding includes practical remediation guidance with evidence expectations. Remediation is tracked through the Lemon platform with owner assignments, target dates, and revalidation by Security Brigade auditors. The final SAR is delivered only after all findings are validated as closed or formally accepted as residual risk.

What happens if our SAR has open findings at submission time?

Open findings in a SAR can delay regulator approval, block NPCI onboarding or renewal, or trigger additional scrutiny. NPCI specifically requires entities to close open findings and submit a final compliance report with no open findings. Security Brigade's remediation support and Lemon tracking are designed to ensure all findings are closed before the final report is generated, avoiding this situation entirely.

How is Security Brigade's SAR approach different from Big-4 or other compliance firms?

Security Brigade wins SAR engagements where customers need real technical validation behind every compliance claim, not a generic checklist. Differentiators include a cybersecurity-first audit methodology with VA/PT, AppSec, and architecture review built into SAR delivery; the Lemon platform for structured evidence, remediation, and closure tracking; CERT-In empanelled credibility; practical remediation guidance instead of generic audit language; and direct engagement with CTO, CISO, and engineering teams rather than layers of delivery bureaucracy.

Is a SAR required annually or only once?

SAR is an annual compliance obligation. RBI's 2025 PA Master Direction requires an annual system audit including a cybersecurity audit. NPCI expects annual compliance reports by December 31. CDSL's cyber audit for depository participants is also conducted annually. Security Brigade recommends building SAR into your annual compliance calendar with a structured engagement window to avoid last-minute rushes before submission deadlines.

Ready to Start Your SAR Compliance Journey?

Whether you need a data localization SAR, PA-PG system audit, PPI audit, BBPOU compliance, UPI TPAP audit, or CDSL system audit, Security Brigade's CERT-In empanelled team delivers regulator-ready reports backed by real technical validation.

Typically responds within 1 business day · No commitment required

Request a Scoping Call