How the CBN selects companies for audit

The CBN does not audit every licensed institution every year. The selection process is a combination of risk-based targeting and periodic rotation. Understanding the triggers helps you anticipate when your audit is coming.

Risk-based selection

Companies processing high transaction volumes, holding significant customer deposits, or operating in high-risk segments (mobile money, cross-border payments, lending) are audited more frequently. If your daily settlement volume exceeds ₦500 million, expect more scrutiny.

Complaint-driven audits

Customer complaints filed with the CBN's Consumer Protection Department about unauthorised transactions, data exposure, or system failures can trigger a targeted cybersecurity audit. A spike in complaints is a red flag that often precedes an audit notice.

Incident-driven audits

If the CBN learns of a security incident at your institution, whether through your own reporting, media coverage, or threat intelligence, an audit will follow. The Sterling Bank-Remita breach triggered audits across multiple connected financial institutions.

Periodic rotation

All licensed institutions are subject to periodic audits on a rotating schedule, typically every 2-3 years. Microfinance banks, payment service providers, mobile money operators, and switching companies are all in the rotation pool.

The CSAT framework: Your baseline document

The Cybersecurity Self-Assessment Tool (CSAT) is the starting point for every CBN cybersecurity audit. Licensed institutions must complete and submit the CSAT annually. It evaluates your cybersecurity maturity across five domains: Governance, Risk Management, Technology Controls, Incident Management, and Third-Party Risk.

Your CSAT submission is not just a compliance checkbox. CBN auditors use it as their baseline. They will walk into your office with your CSAT report and verify every claim you made. If your CSAT says you conduct quarterly penetration tests, they will ask to see the last four pentest reports. If your CSAT says you have network segmentation, they will ask to see your network diagrams and firewall rules. Discrepancies between your self-assessment and the auditor's observations are treated as material misrepresentation and will significantly worsen your audit outcome.

Enforcement Data

₦1 billion in fines in 2024

The CBN levied over ₦1 billion in cumulative cybersecurity-related fines against Nigerian financial institutions in 2024. Common fine triggers included: absence of penetration test reports, inadequate network segmentation, missing or outdated incident response plans, and material discrepancies between CSAT submissions and actual controls.

What CBN auditors check

CBN cybersecurity auditors are thorough. They do not simply review documents; they validate technical controls, interview staff, and examine evidence of implementation. Here is what they examine across each domain.

1. Network segmentation

Auditors will request your network architecture diagrams and verify them against your actual infrastructure. They are looking for: separation between the DMZ and internal networks, isolation of payment processing systems from corporate IT, segmentation between development, staging, and production environments, and restrictions on lateral movement between network zones.

If a compromised marketing server can reach your payment ledger database through unrestricted internal network access, that is a critical finding. The CBN expects zero-trust network architecture where each system can only communicate with the specific services it needs.

2. Access controls

Auditors examine your Identity and Access Management (IAM) implementation in detail:

3. Penetration test reports

This is the document auditors ask for most frequently, and the one most Nigerian fintechs cannot produce. The CBN expects licensed institutions to conduct at least annual penetration tests performed by a qualified independent firm. Auditors will examine:

4. Vulnerability management process

Beyond penetration testing, auditors examine your ongoing vulnerability management programme: regular automated scanning (at least monthly), a defined SLA for patching critical vulnerabilities (typically 72 hours for critical, 30 days for high), evidence that patches are actually applied (not just identified), and a process for tracking exceptions (vulnerabilities that cannot be patched immediately and the compensating controls in place).

5. Incident response capabilities

Auditors will ask to see your incident response plan and evidence that it has been tested. They will ask: When was the last tabletop exercise? Who participated? What were the findings? What improvements were made? A plan that exists only as a PDF on the CISO's laptop, never tested or exercised, will be flagged.

They will also review your incident logs. If you have experienced security incidents and failed to report them to the CBN as required, the auditors will discover this through log examination and it will be treated as a concealment violation.

6. Security awareness training

Auditors will request training records for all staff. They are looking for: evidence of regular security awareness training (at least annually), completion rates (ideally above 90%), phishing simulation results, and specialised training for engineering teams (secure coding practices, security culture programmes).

7. Data classification and encryption

The CBN expects a formal data classification policy that categorises data by sensitivity level (public, internal, confidential, restricted). Auditors verify that encryption standards match the classification:

8. Third-party risk management

The CBN recognises that modern fintechs rely heavily on third-party services: cloud providers, payment processors, KYC vendors, mobile SDKs. Auditors will examine your vendor risk assessment process, contractual security requirements, and monitoring of third-party compliance. If you use AWS, Azure, or GCP, they may ask to see your cloud security configuration.

Do not wait for the audit notice to discover your gaps. A penetration test identifies the exact findings auditors will flag.

Prepare for Your Audit

Common findings that trigger enforcement

Based on publicly available CBN enforcement actions and industry reporting, these are the findings that most frequently lead to penalties:

No penetration test report

The single most common critical finding. Auditors ask for your last pentest report. If you cannot produce one, or if the most recent one is more than 12 months old, this is an immediate compliance failure.

Flat network architecture

All servers on the same network segment with no segmentation between payment processing, customer data, and corporate systems. This means a single compromise gives the attacker access to everything.

No incident response plan

Or a plan that has never been tested. The CBN requires evidence of regular testing (tabletop exercises, simulations). A document that was written once for a compliance submission and never exercised does not satisfy the requirement.

Unpatched critical vulnerabilities

Known CVEs that have been publicly disclosed for months with available patches that have not been applied. Auditors may run their own vulnerability scans or request output from your scanning tools.

Timeline from audit notice to completion

A typical CBN cybersecurity audit follows this timeline:

What a failed audit means

Failing a CBN cybersecurity audit is not just a fine. It triggers a cascade of consequences:

How to prepare in 30 days

If you have received an audit notice and have 30 days to prepare, here is your priority list:

Got a CBN audit notice? We can deliver a penetration test report and remediation support within your preparation window.

Request Urgent Pentest

Frequently asked questions

How does the CBN decide which companies to audit?

The CBN uses a risk-based selection process. High-risk factors include: processing high transaction volumes, previous security incidents, customer complaints, recent licensing changes, or being identified through the CBN's own threat intelligence. The CBN also conducts periodic audits of all licensed institutions on a rotating schedule, typically every 2-3 years.

What is the CSAT and how does it relate to a CBN audit?

The Cybersecurity Self-Assessment Tool (CSAT) is a framework the CBN requires licensed financial institutions to complete annually. It evaluates your cybersecurity maturity across domains like governance, risk management, access controls, and incident response. Your CSAT submission serves as the baseline document for a CBN audit. Discrepancies between your self-assessment and the auditor's findings will trigger additional scrutiny.

What happens if we fail a CBN cybersecurity audit?

Failure triggers a remediation order with specific deadlines (typically 30-90 days). If you do not remediate within the specified timeframe, the CBN can impose escalating sanctions including monetary penalties (up to ₦1 billion in severe cases), operational restrictions (limiting your transaction types or volumes), and in extreme cases, licence revocation.

Can we challenge or appeal a CBN audit finding?

Yes. You can submit a formal response to audit findings, providing evidence that contradicts specific observations or demonstrating mitigating circumstances. However, the response must include a remediation plan regardless. The CBN is generally receptive to well-documented technical explanations but will not accept excuses for absent controls.

Related reading

Blog: CSAT Framework Guide · CBN Data Localization · PCI DSS Compliance

Guides: CBN Compliance Guide · CBN IT Audit Preparation

Services: Penetration Testing · Secure Architecture Review