Section 3(10) in The Information Technology (Recognition of Foreign Certifying Authorities not Operating under any Regulatory Authority) Regulations, 2013
(10)Audit of operations - (a) A foreign certifying authority recognized under this regulation shall get its operations audited annually by an auditor approved under sub-regulation (6) and such audit shall include inter alia,-(i)security policy and planning;(ii)physical security;(iii)technology evaluation;(iv)services administration;(v)relevant Certification Practice Statement;(vi)compliance to relevant Certification Practice Statement;(vii)contracts or agreements;(viii)regulations prescribed by the Controller;(ix)policy requirements of Certifying Authorities Rules, 2000.(b)The Recognized Foreign Certifying Authority shall conduct internal half yearly audit of the Security Policy, physical security and planning of its operation.(c)The Recognized Foreign Certifying Authority shall submit copy of each audit report to the Controller within a period of four weeks of the completion of such audit and where irregularities are found, the Certifying Authority shall take immediate appropriate action to remove such irregularities.
