Section 31 in The Information Technology (Certifying Authorities) Rules, 2000
31. Audit.
(1)The Certifying Authority shall get its operations audited annually by an auditor and such audit shall include inter alia,-(i)security policy and planning;(ii)physical security;(iii)technology evaluation;(iv)Certifying Authority's services administration;(v)relevant Certification Practice Statement;(vi)compliance to relevant Certification Practice Statement;(vii)contracts/agreements;(viii)regulations prescribed by the Controller;(ix)policy requirements of Certifying Authorities Rules, 2000.(x)[ compliance to relevant X.509 Certificate Policy for India PKI issued by the Controller; [Inserted by Notification No. G.S.R. 662(E), dated 25.8.2015 (w.e.f. 17.10.2000).](xi)compliance to guidelines issued by the Controller for other services like Time Stamping and OCSP service;(xii)compliance to Identity Verification Guidelines issued by the Controller;(xiii)compliance to "Digital Signature Certificates Interoperability Guidelines" issued by the Controller.](2)[ The Certifying Authority shall conduct half yearly internal audit of the security policy, physical security, planning of its operations and the repository.] [ Substituted by G.S.R. 32(E), dated 18.1.2006 (w.e.f. 18.1.2006).](3)The Certifying Authority shall submit copy of each audit report to the Controller within four weeks of the completion of such audit and where irregularities are found, the Certifying Authority shall take immediate appropriate action to remove such irregularities.
