Securities and Exchange Board of India (SEBI) has modified the required composition for the internal audit teams of Credit Rating Agencies (CRAs). A circular issued on May 14, 2025, revises the provisions outlined in the Master Circular for CRAs dated May 16, 2024.
Previously, the internal audit team for a CRA needed to include at least a Chartered Accountant and a professional with a Certified Information Systems Auditor (CISA) or Diploma in Information Systems Auditor (DISA) qualification.
The regulatory change broadens the pool of eligible professionals. Under the revised norms, the internal audit team must now comprise at least a Chartered Accountant or a Cost Accountant (holding ACMA or FCMA qualifications from the Institute of Cost Accounts of India). Additionally, the information systems audit requirement can now be met by a professional holding CISA, DISA, or a Diploma in Information System Security Audit (DISSA) from the Institute of Cost Accounts of India.
SEBI stated that this decision aims to provide CRAs with a larger selection of qualified professionals for conducting internal audits. The revised requirements are effective immediately upon the issuance of the circular.
Securities and Exchange Board of India
Circular No. SEBI/HO/DDHS/DDHS-PoD-2/P/CIR/2025/68 Dated: May 14, 2025
To,
All Registered Credit Rating Agencies,
Madam/ Sir,
Sub: Composition of the Internal Audit team for CRAs
1. Para 33.1.3 of the Master Circular for Credit Rating Agencies (CRAs) dated May 16, 2024, in respect of requirements related to Internal Audit of CRAs, specifies as under:
“The audit team must be composed of, at least, a Chartered Accountant (ACA/ FCA) and a Certified Information Systems Auditor/ Diploma in Information Systems Auditor (CISA/ DISA).”
2. In order to provide CRAs with a larger pool of eligible professionals with the relevant experience/ qualifications for conducting the internal audit, it has been decided to include Cost Accountant (ACMA/ FCMA) and Diploma in Information System Security Audit (DISSA) qualifications from the Institute of Cost Accounts of India (ICMAI) to the audit team. Accordingly, Para 33.1.3 of the Master Circular for CRAs stands modified as under:
“The audit team must be composed of at least a Chartered Accountant (ACA/ FCA) or a Cost Accountant (ACMA/ FCMA) and a Certified Information Systems Auditor/ Diploma in Information System Auditor/ Diploma in Information System Security Audit (CISA/ DISA/ DISSA).”
3. The circular shall be applicable with immediate effect.
4. This circular is issued with the approval of competent authority, in exercise of the powers conferred by Section 11 (1) of Securities and Exchange Board of India Act, 1992 read with the provisions of Regulation 20 of SEBI (Credit Rating Agencies) Regulations, 1999 to protect the interest of investors in securities and to promote the development of, and to regulate, the securities market.
5. This Circular is available on the website of the Securities and Exchange Board of India at sebi.gov.in under the category “Legal” and under the drop down “Circulars”.
Yours faithfully,
Ritesh Nandwani
Deputy General Manager
Department of Debt and Hybrid Securities
Tel No.022-2644-9696
Email ID – riteshn@sebi.gov.in
