Pass your RBI Information Systems Audit.
Golonex runs a three-phase IS Audit Readiness Program — gap assessment six weeks before the audit, a complete auditor-ready evidence pack, and post-audit remediation tracking. Banks that prepare with Golonex go into their IS Audit knowing exactly where they stand.
Important clarification
Golonex does not conduct the statutory IS Audit — only a CERT-In empanelled auditor can perform the mandatory annual IS Audit. Golonex provides pre-audit readiness, evidence preparation, and post-audit remediation — the work that determines how well your institution performs in the audit.
Three phases. Before, during, and after.
Most banks fail IS Audits not because they lack controls, but because they cannot produce the evidence. Our three-phase program fixes that — systematically.
Pre-Audit Gap Assessment
Evidence Pack Compilation
Remediation Tracking
Eight audit areas. Every one covered.
RBI IS Audits are structured around defined domains. Golonex maps every gap assessment and evidence pack item to the specific audit area it satisfies.
| Audit Area | What IS Auditors Check |
|---|---|
| IT Governance | IT Policy, Board ITSC, ISC structure, IT Risk register, Board reporting |
| Information Security (BCSF) | All 11 BCSF controls — patch management, hardening, network security, email security, EDR, audit trail, access control |
| Business Continuity & DR | Written BCP, secondary DR site documentation, RTO/RPO targets, annual DR drill report, MD/CEO sign-off |
| VAPT | Annual VAPT report scope, critical/high findings, remediation evidence, retest confirmation |
| Access Control & IAM | Least privilege, access review records, MFA status, privileged access controls, CBS user access |
| Vendor & Outsourcing | IT Outsourcing Policy, CBS vendor risk assessment, contract clause compliance, annual vendor review |
| Incident Management | Incident register, response procedures, escalation records, post-incident reviews |
| Change Management | Change log records, approval evidence, post-change validation, rollback documentation |
Frequently asked questions
What's the difference between IS Audit readiness and the actual IS Audit? +
The IS Audit is conducted by a CERT-In empanelled auditor appointed by your bank's Board — Golonex does not conduct the statutory audit. IS Audit readiness is the work done before the auditor arrives: identifying gaps, producing evidence, and ensuring your documentation, controls, and processes will hold up to scrutiny. Think of it as preparing the brief before the advocate argues the case.
How far in advance should we engage before the audit? +
Ideally 10–12 weeks before the audit date. Phase 1 (gap assessment) runs 6–8 weeks out — long enough to identify material gaps and close the most significant ones before the auditor arrives. Engaging 4 weeks out is workable but limits what can be remediated. Engaging the week before limits you to evidence packaging only — gaps cannot be closed that quickly.
What does the evidence pack contain? +
A structured document set organised by the 8 audit areas RBI typically covers: IT governance, information security, change management, BCP/DR, access control, network security, application security, and data management. Each section includes the relevant policy, a control walkthrough, and supporting evidence — logs, screenshots, test reports, board minutes — mapped to what an IS auditor expects to see.
Is this service relevant for urban co-operative banks? +
Yes — specifically. RBI requires urban co-operative banks (UCBs) to conduct an annual IS Audit by a CERT-In empanelled firm. Many UCBs engage Golonex because they lack in-house staff who understand the audit scope and what evidence is needed. We specialise in making the UCB IS Audit process predictable: you know what the auditor will ask, and the evidence exists before they ask it.
Do you remediate the gaps you find, or only report them? +
We remediate. Gap identification without remediation is a gap assessment — useful but incomplete. Our programme covers finding gaps, prioritising them by audit risk, implementing fixes (policy updates, configuration changes, documentation), and producing the remediated evidence. We do not hand you a list of problems and disappear.
Six weeks is the minimum. Start sooner.
Tell us your scheduled audit date and current governance status. We will tell you what is missing and how long it will take to fix. Most institutions need at least 8–10 weeks to be properly prepared.