Owner: Audit & Risk Committee (ARC)
Co‑Owners: Head of Internal Audit (HIA), CISO, DPO, GC, Controller, Protocol Custodian, Regional Ops/Finance Leads
Review cadence: Annual plan approval + quarterly status
Purpose. Define a single, conservative audit & assurance framework covering Internal Audit, External/Third‑Party Assurance, Security testing (pen‑tests/red‑team), and GRF Conformance (CL/EQL) audits. Core controls: risk‑based annual audit plan, pen‑test cadence, SOC/ISO roadmap, conformance audits, and management‑response tracking with time‑bound remediation. Integrates with Annexes A–S and especially B (Regulatory), C/D/E/F (Privacy/SDZ/Security/IR), I (PVAS), J (Sanctions/Export), L (TP), M (RPT/COI), N (Dual‑Logging), P (BC/DR), Q (Treasury), R (Investor), S (FDI/CoC).
1) Scope & Equal‑Treatment Baseline
Applies to SNC, all NatCos, Program SPVs, and shared services. Where host‑law, donor covenants, or customer contracts impose stricter requirements (e.g., NIS2, MAS TRM, GDPR processor audits), the most restrictive rule prevails. Vendor/PoR audits operate under Annex I with flow‑down audit rights.
2) Governance Model — Three Lines & Independence
- First line: Management owns risks/controls and remediation.
- Second line: Risk/Compliance, Security, Privacy (oversight, policies, monitoring).
- Third line: Internal Audit (HIA) reports functionally to ARC and administratively to CEO; independence safeguarded. HIA may not audit areas they operationally own.
- External/Third‑party: Financial auditors, certification bodies (SOC/ISO), GRF Conformance assessors (CL/EQL), regulators, and customers via contractual rights.
3) Annual Risk‑Based Audit Plan (RBAP)
- Universe: Finance (Q), Procurement/PVAS (I), Security (E/F/P), Privacy/SDZ (C/D), Product/SDLC & SLSA/SBOM (E/G), IC/TP (L), Treasury (Q), RPT/COI (M), Sanctions/Export (J), Offering/IR (R), FDI/CoC (S), Operations/Service Delivery, Data Quality/Lineage, Ledger/Register (N).
- Method: Heat‑map using impact/likelihood, change velocity, incidents, regulator focus, vendor concentration, and prior findings.
- Output: RBAP with engagements, objectives, scope, sampling, resources, and target quarter; ARC approves; mid‑year refresh allowed.
4) Internal Audit Execution Standards
- Standards: IIA IPPF adapted; evidence‑based; reproducible workpapers; chain‑of‑custody for digital artifacts.
- Ratings:
  – High (Red) = control design/operating effectiveness fails; material regulatory/financial/security risk.
  – Moderate (Amber) = deficiencies with meaningful risk but compensating controls exist.
  – Low (Yellow) = improvement opportunities.
  – Positive (Green) = strong/exemplary controls.
- Issue ownership: Management assigns Action Owners; due dates agreed before report finalisation.
- Reporting: Draft → management response (≤10 business days) → final to ARC; Class B dual‑log report abstracts if policy/program changes ensue (Annex N).
5) Management Responses & Tracking (IRM)
- Time‑bound remediation:
  – Red: 30 days to implement or risk‑accept with ARC approval (and risk memo).
  – Amber: 60 days.
  – Yellow: 90 days.
- Evidence of closure: Artifacts, test results, before/after configs, SBOM deltas, tickets; Internal Audit validates and marks Closed or Unsatisfactory.
- Aging & escalation: Quarterly report to ARC; overdue Red/Amber escalated to CEO/Board.
- Risk acceptance: Documented with rationale, sunset date, and compensating controls; logged in Risk Acceptance Register.
6) Security Assurance — Pen‑Tests, Red‑Team & Continuous Scanning
- Cadence:
  – External network & app pen‑test: Annually (and after major releases); certified third‑party.
  – Internal/SDZ zone pen‑test: Annually; privacy‑preserving methods; no production PII extraction.
  – Targeted pen‑tests: Quarterly on high‑change services.
  – Red‑team / purple‑team exercise: Annual end‑to‑end (assume breach), including SDZ unilateral disconnect and ledger/register continuity (Annex N/P).
  – Vulnerability scanning: Weekly authenticated scans; SCA/SAST/DAST in CI/CD per Annex E.
- Rules of engagement: Authorisation letters; scope, hours, contacts, stop‑conditions; clean‑up of artefacts; no data exfiltration beyond test harness; evidence retained in secure vault.
- Remediation clocks: High/Critical vulns per Annex F/E (e.g., mitigate ≤72h; patch ≤7d).
- Bug bounty (optional): If operated, scope, safe‑harbor, and triage SLA documented.
7) SOC/ISO & Certifications Roadmap
- SOC 2 Type II: Readiness → Year 1 Type I → Year 2 Type II; scope: core platform, SDZ controls, change management, incident response.
- ISO/IEC 27001: SoA, risk treatment plan, internal ISMS audits, management review; target certification within 18–24 months; surveillance annually; recert every 3 years.
- ISO 27701 / 22301 (optional): Privacy extension and business continuity certification aligned to Annex C/P.
- Bridging letters: Required between SOC periods; issued by CISO/Controller; disclose significant changes/incidents.
- Alignment: SBOM/SLSA attestations published (Annex E); map controls to NIS2/MAS TRM where applicable.
8) GRF Conformance Audits — CL/EQL
- Scope: System Conformance Levels (CL1–CL4) and Artifact Evidence Quality Levels (EQL1–EQL5) per GRF standards.
- Cadence: Annual conformance review or upon major release; spot checks post‑incident.
- Outcomes: Award/maintain/suspend/revoke badges; publish registry links; Class A dual‑log conformance decisions (Annex N).
- Conflict management: Conformance assessors must be independent of delivery teams; recuse for COIs (Annex M).
9) Vendor / PoR Assurance
- Tier‑1 vendors & PoRs: Provide SOC2/ISO or equivalent; supply BCP/DR test results (Annex P); participate in joint exercises; permit right to audit with notice.
- SBOM & provenance: For software vendors, provide per‑release SBOM (SPDX/CycloneDX) and provenance attestations; support coordinated vulnerability disclosure.
- Corrective actions: Vendors must meet remediation SLAs or face service credits/termination (Annex I/Schedules).
10) Data Protection & Privacy Audits
- DPIAs/TIAs: Audit DPIA quality and follow‑through; verify compute‑to‑data and residency (Annex D).
- DSR handling: Test data‑subject rights processes (access, deletion) and breach notification clocks.
- Processor audits: Exercise audit rights on high‑risk processors; verify sub‑processor registers and transfer tools (SCCs/IDTA).
11) Financial & Compliance Assurance
- External financial audit: Annual statutory audit where required; management representation letters; going‑concern and treasury controls (Annex Q).
- Tax/TP reviews: Align to Annex L; sample IC invoices and Local Files.
- Compliance audits: ABAC (K), Sanctions/Export (J), RPT/COI (M), Labor‑antitrust/HR (O), FDI/CoC (S) — rotating coverage at least every 24 months.
12) Reporting, Registers & Dual‑Logging
- Registers: Audit Plan, Engagement Register, Findings Register (with severity, owner, due date), Risk Acceptance Register, Pen‑test/Red‑team Register, Conformance Decisions Register.
- Board reporting: Quarterly ARC pack: plan progress, findings by severity, aging, remediation status, penetration test results, SOC/ISO roadmap status, conformance outcomes.
- Dual‑logging: Post Class A entries for conformance awards/suspensions and material control changes; Class B for policy/SOP changes (Annex N).
- QPP: Publish aggregate metrics (no PII/MNPI): open findings, overdue remediations, conformance badges, pen‑test cadence.
13) KPIs & Targets
- Coverage: ≥ 80% of RBAP executed annually (100% for Tier‑0/1 scopes).
- On‑time remediation: ≥ 90% of Red/Amber issues closed by due dates.
- Pen‑test cadence: 100% completion vs plan; median time‑to‑patch Critical ≤ 7 days.
- SOC/ISO roadmap: Milestones met; zero critical non‑conformities outstanding > 30 days.
- Conformance: % systems with current CL badge; % artifacts at target EQL level.
- Vendor: % Tier‑1 with current SOC/ISO; SBOM coverage rate.
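The remediation clocks of section 5 and the on‑time remediation KPI of section 13 are simple enough to automate over the Findings Register. The script below is an added illustration, not part of this framework or any of its templates; the register layout, field names and sample findings are constructed assumptions, and the KPI denominator (closed findings plus open findings already past due) is one reasonable reading of the 90% target, not a rule the framework states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation clocks from section 5, in days from report finalisation.
REMEDIATION_DAYS = {"Red": 30, "Amber": 60, "Yellow": 90}
# Overdue Red/Amber escalate to CEO/Board; overdue Yellow only appears in the ARC pack.
ESCALATE_TO_BOARD = {"Red", "Amber"}
ON_TIME_TARGET = 0.90  # section 13 KPI

@dataclass
class Finding:              # assumed register fields, not the framework's template
    finding_id: str
    severity: str
    reported: date          # date the final report was issued
    closed: Optional[date] = None
    risk_accepted: bool = False  # ARC-approved acceptance with risk memo (Red only)

def due_date(f: Finding) -> date:
    return f.reported + timedelta(days=REMEDIATION_DAYS[f.severity])

def status(f: Finding, as_of: date):
    """Return (state, escalate_to_board) for one finding on a reporting date."""
    due = due_date(f)
    if f.risk_accepted:
        return "Risk-accepted", False
    if f.closed is not None:
        return ("Closed on time" if f.closed <= due else "Closed late"), False
    if as_of > due:
        return f"Overdue {(as_of - due).days}d", f.severity in ESCALATE_TO_BOARD
    return "Open", False

def quarterly_pack(findings, as_of: date) -> dict:
    """Aging summary for the ARC pack: overdue count, board escalations, on-time KPI."""
    states = {f.finding_id: status(f, as_of) for f in findings}
    overdue = [fid for fid, (s, _) in states.items() if s.startswith("Overdue")]
    escalations = [fid for fid, (_, esc) in states.items() if esc]
    # KPI: Red/Amber closed by due date, over Red/Amber that are closed or already past due.
    scored = [f for f in findings if f.severity in ESCALATE_TO_BOARD and not f.risk_accepted
              and (f.closed is not None or as_of > due_date(f))]
    on_time = sum(1 for f in scored if f.closed is not None and f.closed <= due_date(f))
    rate = on_time / len(scored) if scored else None
    return {"overdue": len(overdue), "escalations": escalations,
            "on_time_rate": rate, "kpi_met": rate is not None and rate >= ON_TIME_TARGET}

AS_OF = date(2024, 4, 30)  # constructed reporting date
SAMPLE = [  # constructed sample register entries, not real findings
    Finding("F-01", "Red", date(2024, 1, 10), closed=date(2024, 2, 5)),
    Finding("F-02", "Red", date(2024, 1, 15), risk_accepted=True),
    Finding("F-03", "Amber", date(2024, 1, 20)),
    Finding("F-04", "Amber", date(2024, 2, 1), closed=date(2024, 4, 15)),
    Finding("F-05", "Yellow", date(2024, 1, 5)),
]
```

Running `quarterly_pack(SAMPLE, AS_OF)` flags F‑03 for CEO/Board escalation, counts F‑05 as overdue without escalation, and reports an on‑time rate of one in three, well under the 90% target.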
14) Exceptions & Waivers
Document in Audit Exception Register with risk memo, compensating controls, expiry, and approvals (HIA + ARC Chair; Board for material exceptions). Publicly reported as counts in QPP.
15) Host‑Law Appendices (Equal Treatment)
Appendices capture local audit/assurance regimes and authority interfaces; apply the strictest rule where conflicts arise.
- Appendix SG — Singapore: MAS TRM, PDPA audit expectations; IMDA/National Cyber Security guidance.
- Appendix EU/FR — EU/France: NIS2/ENISA mappings; GDPR audit rights; ANSSI guidance.
- Appendix CH — Switzerland: nFADP processor audit rights; WEKO security expectations; SECO for export‑linked audits.
- Appendix US — United States: SOC/SSAE standards; FTC Safeguards (where applicable); sectoral rules.
- Appendix CA — Canada: PIPEDA; provincial privacy and cybersecurity guidance.
- Appendix BR — Brazil: LGPD audit expectations; ANPD guidance.
- Appendix KE — Kenya: Data Protection Act audits; ODPC; sectoral ICT guidelines.
- Appendix ZA — South Africa: POPIA audits; NCCA; sectoral SOC guidance.
- Appendix SN/WA — Senegal/WAEMU: Data protection authorities; telecom/energy regulator audit clauses.
- Appendix UAE — United Arab Emirates: Federal/NESA/ADGM/DIFC cyber and audit frameworks.
16) Effective Date & Governance
Adopted by the Board(s) of all regional operators on [●] and incorporated by reference into Charters/Bylaws, Security/Privacy SOPs, Procurement schedules, and Conformance programs. Class B to amend/strengthen; Class A to relax pen‑test cadence, remove SOC/ISO roadmap obligations, or weaken remediation clocks.
Appendices (Templates)
T‑1 — Annual Risk‑Based Audit Plan (RBAP) Template
T‑2 — Audit Report & Findings Matrix (severity/aging)
T‑3 — Management Action Plan (MAP) & Evidence Checklist
T‑4 — Pen‑Test / Red‑Team ROE Template
T‑5 — SOC/ISO Roadmap Gantt + SoA
T‑6 — CL/EQL Conformance Audit Checklist
T‑7 — Quarterly ARC Pack Outline