How the CBN selects companies for audit
The CBN does not audit every licensed institution every year. The selection process is a combination of risk-based targeting and periodic rotation. Understanding the triggers helps you anticipate when your audit is coming.
Risk-based selection
Companies processing high transaction volumes, holding significant customer deposits, or operating in high-risk segments (mobile money, cross-border payments, lending) are audited more frequently. If your daily settlement volume exceeds ₦500 million, expect more scrutiny.
Complaint-driven audits
Customer complaints filed with the CBN's Consumer Protection Department about unauthorised transactions, data exposure, or system failures can trigger a targeted cybersecurity audit. A spike in complaints is a red flag that often precedes an audit notice.
Incident-driven audits
If the CBN learns of a security incident at your institution, whether through your own reporting, media coverage, or threat intelligence, an audit will follow. The Sterling Bank-Remita breach triggered audits across multiple connected financial institutions.
Periodic rotation
All licensed institutions are subject to periodic audits on a rotating schedule, typically every 2-3 years. Microfinance banks, payment service providers, mobile money operators, and switching companies are all in the rotation pool.
The CSAT framework: Your baseline document
The Cybersecurity Self-Assessment Tool (CSAT) is the starting point for every CBN cybersecurity audit. Licensed institutions must complete and submit the CSAT annually. It evaluates your cybersecurity maturity across five domains: Governance, Risk Management, Technology Controls, Incident Management, and Third-Party Risk.
Your CSAT submission is not just a compliance checkbox. CBN auditors use it as their baseline. They will walk into your office with your CSAT report and verify every claim you made. If your CSAT says you conduct quarterly penetration tests, they will ask to see the last four pentest reports. If your CSAT says you have network segmentation, they will ask to see your network diagrams and firewall rules. Discrepancies between your self-assessment and the auditor's observations are treated as material misrepresentation and will significantly worsen your audit outcome.
₦1 billion in fines in 2024
The CBN levied over ₦1 billion in cumulative cybersecurity-related fines against Nigerian financial institutions in 2024. Common fine triggers included: absence of penetration test reports, inadequate network segmentation, missing or outdated incident response plans, and material discrepancies between CSAT submissions and actual controls.
What CBN auditors check
CBN cybersecurity auditors are thorough. They do not simply review documents; they validate technical controls, interview staff, and examine evidence of implementation. Here is what they examine across each domain.
1. Network segmentation
Auditors will request your network architecture diagrams and verify them against your actual infrastructure. They are looking for: separation between the DMZ and internal networks, isolation of payment processing systems from corporate IT, segmentation between development, staging, and production environments, and restrictions on lateral movement between network zones.
If a compromised marketing server can reach your payment ledger database through unrestricted internal network access, that is a critical finding. The CBN expects zero-trust network architecture where each system can only communicate with the specific services it needs.
2. Access controls
Auditors examine your Identity and Access Management (IAM) implementation in detail:
- Principle of least privilege: Are user permissions scoped to the minimum required for their role? Auditors will pull user permission reports and flag any non-admin users with admin-level access.
- Multi-factor authentication: Is MFA enforced for all admin access, VPN connections, and privileged operations? SMS-based OTP is increasingly viewed as insufficient; auditors prefer TOTP or hardware tokens.
- Access reviews: Do you conduct periodic access reviews? Auditors want to see evidence that user permissions are reviewed at least quarterly and that terminated employees have access revoked within 24 hours.
- Privileged access management: Are superuser/root accounts individually assigned (not shared)? Is privileged session activity logged and monitored?
3. Penetration test reports
This is the document auditors ask for most frequently, and the one most Nigerian fintechs cannot produce. The CBN expects licensed institutions to conduct at least annual penetration tests performed by a qualified independent firm. Auditors will examine:
- Recency: When was the last test conducted? Reports older than 12 months are flagged as non-compliant.
- Scope: Did the test cover your externally facing assets, internal network, APIs, and mobile applications? A pentest that only scanned your marketing website does not satisfy the requirement.
- Findings and remediation: What vulnerabilities were found? Were they remediated? Auditors will check whether critical and high findings from the pentest have been fixed. Unresolved critical findings from a pentest conducted months ago are a serious audit failure.
- Vendor qualification: Was the test conducted by a reputable, independent security firm? Internal vulnerability scans do not satisfy the penetration testing requirement.
4. Vulnerability management process
Beyond penetration testing, auditors examine your ongoing vulnerability management programme: regular automated scanning (at least monthly), a defined SLA for patching critical vulnerabilities (typically 72 hours for critical, 30 days for high), evidence that patches are actually applied (not just identified), and a process for tracking exceptions (vulnerabilities that cannot be patched immediately and the compensating controls in place).
5. Incident response capabilities
Auditors will ask to see your incident response plan and evidence that it has been tested. They will ask: When was the last tabletop exercise? Who participated? What were the findings? What improvements were made? A plan that exists only as a PDF on the CISO's laptop, never tested or exercised, will be flagged.
They will also review your incident logs. If you have experienced security incidents and failed to report them to the CBN as required, the auditors will discover this through log examination and it will be treated as a concealment violation.
6. Security awareness training
Auditors will request training records for all staff. They are looking for: evidence of regular security awareness training (at least annually), completion rates (ideally above 90%), phishing simulation results, and specialised training for engineering teams (secure coding practices, security culture programmes).
7. Data classification and encryption
The CBN expects a formal data classification policy that categorises data by sensitivity level (public, internal, confidential, restricted). Auditors verify that encryption standards match the classification:
- Encryption at rest: Customer PII, BVNs, NINs, and financial data must be encrypted at rest. Auditors may check database encryption configuration directly.
- Encryption in transit: All data in transit must use TLS 1.2 or higher. Auditors will check your TLS configuration and may run SSL Labs-style tests against your endpoints.
- Key management: How are encryption keys stored and rotated? Hardcoded keys or keys stored alongside the data they protect are critical findings.
8. Third-party risk management
The CBN recognises that modern fintechs rely heavily on third-party services: cloud providers, payment processors, KYC vendors, mobile SDKs. Auditors will examine your vendor risk assessment process, contractual security requirements, and monitoring of third-party compliance. If you use AWS, Azure, or GCP, they may ask to see your cloud security configuration.
Do not wait for the audit notice to discover your gaps. A penetration test identifies the exact findings auditors will flag.
Prepare for Your AuditCommon findings that trigger enforcement
Based on publicly available CBN enforcement actions and industry reporting, these are the findings that most frequently lead to penalties:
No penetration test report
The single most common critical finding. Auditors ask for your last pentest report. If you cannot produce one, or if the most recent one is more than 12 months old, this is an immediate compliance failure.
Flat network architecture
All servers on the same network segment with no segmentation between payment processing, customer data, and corporate systems. This means a single compromise gives the attacker access to everything.
No incident response plan
Or a plan that has never been tested. The CBN requires evidence of regular testing (tabletop exercises, simulations). A document that was written once for a compliance submission and never exercised does not satisfy the requirement.
Unpatched critical vulnerabilities
Known CVEs that have been publicly disclosed for months with available patches that have not been applied. Auditors may run their own vulnerability scans or request output from your scanning tools.
Timeline from audit notice to completion
A typical CBN cybersecurity audit follows this timeline:
- Day 0 - Audit notice: You receive formal written notification from the CBN's IT Standards and Cybersecurity department. The notice specifies the audit scope, scheduled dates, and preliminary document requests.
- Day 1-14 - Document preparation: Compile and submit requested documents: CSAT submission, pentest reports, network diagrams, security policies, training records, incident logs, and access control reports.
- Day 15-25 - On-site audit: CBN auditors visit your office (or conduct remote sessions for smaller institutions). They interview key staff (CTO, CISO, DPO, engineering leads), review technical controls, and verify documentation against actual implementation.
- Day 25-45 - Draft findings: The audit team produces a draft report with findings categorised by severity. You have an opportunity to respond to each finding with evidence or clarification.
- Day 45-60 - Final report: The CBN issues the final audit report with confirmed findings and required remediation actions, including deadlines.
- Day 60-150 - Remediation window: You must implement the required fixes and provide evidence of remediation. Critical findings typically have 30-day deadlines; high findings get 60-90 days.
What a failed audit means
Failing a CBN cybersecurity audit is not just a fine. It triggers a cascade of consequences:
- Mandatory remediation orders: Specific fixes with hard deadlines. Missing these deadlines triggers escalating penalties.
- Monetary penalties: The CBN can impose fines up to ₦1 billion for severe cybersecurity failures. The amount depends on the severity and number of findings, the size of the institution, and whether deficiencies were previously identified.
- Operational restrictions: The CBN can restrict your operations: limiting transaction types, capping daily transaction volumes, suspending specific products, or requiring prior approval for new product launches.
- Increased audit frequency: A failed audit places you on an accelerated audit schedule. Instead of the normal 2-3 year rotation, you may be audited annually or even semi-annually until deficiencies are resolved.
- Licence revocation: In extreme cases of persistent non-compliance, the CBN can revoke your operating licence. This is rare but has precedent, particularly for smaller institutions that repeatedly fail to remediate critical findings.
How to prepare in 30 days
If you have received an audit notice and have 30 days to prepare, here is your priority list:
- Week 1 - Commission an emergency pentest: Engage a firm like Simpa Labs for a focused penetration test. A 2-week turnaround on a scoped engagement is feasible and gives you a report to show auditors. Fix critical findings immediately.
- Week 1-2 - Document what exists: You may have better security than your documentation suggests. Write up your access control procedures, network architecture, encryption standards, and incident response process. Make sure what you document is accurate; auditors will verify.
- Week 2 - Run a tabletop exercise: Gather your incident response team and walk through a breach scenario. Document the exercise, participants, findings, and action items. This satisfies the "tested IR plan" requirement.
- Week 2-3 - Fix quick wins: Enable MFA on all admin accounts. Remove unnecessary admin privileges. Patch critical CVEs. Verify encryption at rest. These are findings you can eliminate in days.
- Week 3-4 - Prepare the document package: Organise all evidence documents: pentest reports, CSAT submission, network diagrams, security policies, training records, incident logs, vendor assessments. Have them ready before the auditors arrive.
- Week 4 - Brief your team: Prepare the staff who will be interviewed. They should be able to explain their security responsibilities, point to relevant documentation, and demonstrate familiarity with the incident response plan.
Got a CBN audit notice? We can deliver a penetration test report and remediation support within your preparation window.
Request Urgent PentestFrequently asked questions
How does the CBN decide which companies to audit?
The CBN uses a risk-based selection process. High-risk factors include: processing high transaction volumes, previous security incidents, customer complaints, recent licensing changes, or being identified through the CBN's own threat intelligence. The CBN also conducts periodic audits of all licensed institutions on a rotating schedule, typically every 2-3 years.
What is the CSAT and how does it relate to a CBN audit?
The Cybersecurity Self-Assessment Tool (CSAT) is a framework the CBN requires licensed financial institutions to complete annually. It evaluates your cybersecurity maturity across domains like governance, risk management, access controls, and incident response. Your CSAT submission serves as the baseline document for a CBN audit. Discrepancies between your self-assessment and the auditor's findings will trigger additional scrutiny.
What happens if we fail a CBN cybersecurity audit?
Failure triggers a remediation order with specific deadlines (typically 30-90 days). If you do not remediate within the specified timeframe, the CBN can impose escalating sanctions including monetary penalties (up to ₦1 billion in severe cases), operational restrictions (limiting your transaction types or volumes), and in extreme cases, licence revocation.
Can we challenge or appeal a CBN audit finding?
Yes. You can submit a formal response to audit findings, providing evidence that contradicts specific observations or demonstrating mitigating circumstances. However, the response must include a remediation plan regardless. The CBN is generally receptive to well-documented technical explanations but will not accept excuses for absent controls.
Related reading
Blog: CSAT Framework Guide · CBN Data Localization · PCI DSS Compliance
Guides: CBN Compliance Guide · CBN IT Audit Preparation
Services: Penetration Testing · Secure Architecture Review