Reference: Securities and Exchange Board of India
Taking into account the rapid technological developments in the securities market and the risks that these developments pose to the efficiency and integrity of markets, SEBI, vide Circular dated 29 November 2011, had mandated that stock exchanges and depositories conduct an Annual System Audit by a reputed independent auditor. Subsequently, the framework was also extended to clearing corporations.
On 7 January 2020, SEBI issued the Annual System Audit Framework for Market Infrastructure Institutions (MIIs), which supersedes the above-mentioned circular dated 29 November 2011.
In order to keep pace with technological advancements in the securities market, SEBI felt the need to revise the existing framework for the Annual System Audit. Based on discussions with Stock Exchanges, Clearing Corporations and Depositories (collectively, Market Infrastructure Institutions or MIIs), and on the recommendations of SEBI's Technical Advisory Committee, SEBI has reviewed the existing System Audit Framework.
SEBI has instructed MIIs to conduct an Annual System Audit as per the revised framework.
MIIs are also required to submit information regarding exceptional major Non-Compliances (NCs) / minor NCs observed in the System Audit, and to categorically highlight those observations/NCs/suggestions raised in the System Audit (current and previous) which remain open.
The System Audit Report, including compliance with SEBI circulars/guidelines and the exceptional observation format along with the compliance status of the previous year's observations, shall be placed before the Governing Board of the MII. The report, along with the comments of the MII's Management, shall then be communicated to SEBI within one month of completion of the audit.
Further, along with the audit report, MIIs are required to submit a declaration from the MD/CEO certifying the security and integrity of their IT systems.
Framework relating to Audit Process
- The Audit shall be conducted according to the Norms, Terms of Reference (TOR) and Guidelines issued by SEBI
- An Auditor can perform a maximum of 3 successive audits. However, such auditor shall be eligible for re-appointment after a cooling-off period of two years.
- The number of years an auditor has performed an audit prior to this circular shall also be considered in determining its eligibility under the above terms.
- The period of Audit shall not be for more than 12 months. Further, the Audit shall be completed within 2 months from the end of the Audit Period.
- For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit by the MII may be taken.
- The Audit report along with the comments of management shall be placed before the Governing Board of the MII. The Audit report along with Comments of the Governing Board shall be submitted to SEBI, within 1 month of completion of Audit.
- The follow-on audit should be completed within one month of the corrective actions taken by the MII. After the follow-on audit, the MII shall submit a report to SEBI within 1 month from the date of completion of the follow-on audit.
- If follow-on audit is not required, the MII shall submit an Action Taken Report (ATR) to the Auditor. After verification of the ATR by the Auditor, the MII shall submit a report to SEBI within 1 month from the date of completion of verification by the Auditor.
- The overall timeline from the last date of the audit period till completion of final compliance by MII, including follow-on audit, if any, should not exceed one year.
Auditor Selection Norms
- The Auditor must have a minimum of 3 years of demonstrable experience in IT audit of the securities industry (i.e. Stock Exchanges, Clearing Corporations, Depositories, intermediaries, etc.) and/or the financial services sector (i.e. banking, insurance, fin-tech).
- The team performing the system audit must have experience in, or direct access to experienced resources in, the areas covered under the TOR. It is recommended that resources deployed by the Auditor for the purpose of the system audit hold relevant industry-recognized certifications, e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Security Manager) from ISACA, GSNA (GIAC Systems and Network Auditor), or CISSP (Certified Information Systems Security Professional) from the International Information Systems Security Certification Consortium, commonly known as (ISC)².
- The Auditor shall have experience in working on IT audit / governance / IT service management frameworks and processes conforming to industry-leading practices such as COBIT 5 / ISO 27001 and beyond.
- The Auditor should have the capability to undertake forensic audit and undertake such audit as part of Annual System Audit, if required.
- The Auditor must not have any conflict of interest in conducting fair, objective and independent audit of the exchange / depository/ clearing corporation. It should not have been engaged over the last three years in any consulting engagement with any departments / units of the entity being audited.
- The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.
- The proposed audit agency must be empanelled with CERT-In.
- Any other criteria that the MII may deem fit for the purpose of selection of Auditor.
Audit Report Guidelines
- The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/directions/advices, etc. related to technology.
- The Auditor in the Audit Report shall give its views indicating the NCs to the standards or observations or suggestions. For each section, auditors should also provide qualitative inputs/suggestions about ways to improve the processes, based upon the best industry practices.
- The report should also include tabulated data showing NCs / observations for each of the major areas in the TOR. Evidence should be specified in the Audit Report when reporting or closing an issue.
- A detailed report with regard to the System Audit shall be submitted to SEBI. The report should include an Executive Summary as per the format prescribed by SEBI.