Information Technology (Certifying Authorities) Rules, 2000
31. Audit. -
(1) The Certifying Authority shall get its operations audited annually by an auditor and such audit shall include inter alia,-
i. security policy and planning;
ii. physical security;
iii. technology evaluation;
iv. Certifying Authority’s services administration;
v. relevant Certification Practice Statement;
vi. compliance to relevant Certification Practice Statement;
viii. regulations prescribed by the Controller;
ix. policy requirements of Certifying Authorities Rules, 2000.
(2) The Certifying Authority shall conduct,-
(a) half yearly audit of the Security Policy, physical security and planning of its operation;
(b) a quarterly audit of its repository.
(3) The Certifying Authority shall submit copy of each audit report to the Controller within four weeks of the completion of such audit and where irregularities are found, the Certifying Authority shall take immediate appropriate action to remove such irregularities.