Securities and Exchange Board of India
CIRCULAR
SEBI/HO/MRD1/ICC1/CIR/P/2020/03
January 07, 2020
To,
All Stock Exchanges, Clearing Corporations and Depositories
Dear Sir / Madam,
Annual System Audit
1. Taking into account the rapid technological developments in the securities market and the entailing risks that these developments pose to the efficiency and integrity of markets, SEBI vide Circular no. CIR/MRD/DMS/13/2011 dated November 29, 2011, had mandated that stock exchanges and depositories should conduct an Annual System Audit by a reputed independent auditor. Subsequently, the framework was also extended to clearing corporations.
2. In order to keep pace with the technological advancements in the securities market, it is felt that there is a need to revise the aforementioned Circular. Accordingly, based on discussions with Stock Exchanges, Clearing Corporations, Depositories (hereinafter referred as ‘Market Infrastructure Institutions – MIIs), and recommendations of Technical Advisory Committee (TAC) of SEBI, the existing System Audit Framework has been reviewed.
3. MIIs are advised to conduct an Annual System Audit as per the framework enclosed as Annexure 1 and Terms of Reference (TOR) enclosed as Annexure 2. MIIs are also advised to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per format enclosed as Annexure 3 and the same shall be included under the scope of System Audit.
4. Further, MIIs are advised to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System Audit as per format enclosed as Annexure 4 and are advised to categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which remain open.
5. The Systems Audit Report including compliance with SEBI circulars/ guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the MII and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of audit. Further, along with the audit report, MIIs are advised to submit a declaration from the MD / CEO certifying the security and integrity of their IT Systems.
6. This circular supersedes the above mentioned Circular CIR/MRD/DMS/13/2011 dated November 29, 2011. This circular is available on SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.
7. This circular is being issued in exercise of the powers conferred by Section 11(1) of Securities and Exchange Board of India Act, 1992 to protect the interest of investors in securities and to promote the development of, and to regulate the securities market.
Yours faithfully,
Ansuman Dev Pradhan
Deputy General Manager
Market Regulation Department
Email: ansumanp@sebi.gov.in
Encl.:
| Annexure 1 | System Audit Framework |
| Annexure 2 | Terms of Reference (TOR) for System Audit Program |
| Annexure 3 | Format for monitoring compliance with circulars/ guidelines/advisories related to Technology SEBI |
| Annexure 4 | Exception Observation Reporting Format |
Annexure 1
System Audit Framework
Audit Process
1. For the Annual System Audit, the following broad areas shall be considered in order to ensure that the audit is comprehensive and effective:
a. The Audit shall be conducted according to the Norms, Terms of Reference (TOR) and Guidelines issued by SEBI.
b. The Governing Board of the Market Infrastructure Institution (MII) shall appoint the Auditors based on the prescribed Auditor Selection Norms and TOR.
c. An Auditor can perform a maximum of 3 successive audits. However, such auditor shall be eligible for re-appointment after a cooling-off period of two years.
d. Further, during the cooling-off period, the incoming auditor may not include:
(i) Any firm that has common partner(s) with the outgoing audit firm; and
(ii) Any associate / affiliate firm(s) of the outgoing audit firm which are under the same network of audit firms wherein the term “same network” includes the firms operating or functioning, hitherto or in future, under the same brand name, trade name or common control.
e. The number of years an auditor has performed an audit prior to this circular shall also be considered in order to determine its eligibility in terms of sub-clause c above.
f. The scope of the Audit may be broadened to incorporate any new developments that may arise due to issuance of circulars/ directions/ advice by SEBI from time to time.
g. The period of Audit shall not be for more than 12 months. Further, the Audit shall be completed within 2 months from the end of the Audit Period.
h. In the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/ directions/ advices issued by SEBI, internal policy of the MII, etc. Further, the report shall also include specific non-compliances (NCs), observations for minor deviations and suggestions for improvement. The report shall take previous audit reports into consideration and cover any open items therein. The auditor should indicate if a follow-on audit is required to review the status of NCs.
i. For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit by the MII may be taken. The management of the MII shall provide its comments on the NCs, observations and suggestions made by the Auditor, corrective actions taken or proposed to be taken along with time-line for such corrective action.
j. The Audit report along with the comments of management shall be placed before the Governing Board of the MII. The Audit report along with Comments of the Governing Board shall be submitted to SEBI, within 1 month of completion of Audit.
k. The follow-on audit should be completed within one month of the corrective actions taken by the MII. After the follow-on audit, the MII shall submit a report to SEBI within 1 month from the date of completion of the follow-on audit. The report shall include updated Issue-Log to indicate the corrective actions taken and specific comments of the Auditor on the NCs and the corrective actions.
l. If follow-on audit is not required, the MII shall submit an Action Taken Report (ATR) to the Auditor. After verification of the ATR by the Auditor, the MII shall submit a report to SEBI within 1 month from the date of completion of verification by the Auditor. The report shall include updated Issue-Log to indicate the corrective actions taken and specific comments of the Auditor on the ATR.
m. The overall timeline from the last date of the audit period till completion of final compliance by MII, including follow-on audit, if any, should not exceed one year. In exceptional cases, if MII is of the view that compliance with certain observations may extend beyond a period of one year, then the concerned MII shall seek specific approval from the Governing Board.
Auditor Selection Norms
2. MII shall ensure compliance with the following norms while appointing System Auditor:
a. The Auditor must have minimum 3 years of demonstrable experience in IT audit of Securities Industry i.e. Stock Exchanges, Clearing Corporations, Depositories, intermediaries etc. and/ or Financial Services Sector i.e. Banking, Insurance, Fin-tech.
b. The team performing system audit must have experience in / direct access to experienced resources in the areas covered under TOR. It is recommended that resources deployed by the Auditor for the purpose of system audit shall have relevant industry recognized certifications e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, GSNA (GIAC Systems and Network Auditor), CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium, commonly known as (ISC).
c. The Auditor shall have experience in working on IT audit/governance/IT service management frameworks and processes conforming to industry leading practices like CobIT 5/ ISO 27001 and beyond.
d. The Auditor should have the capability to undertake forensic audit and undertake such audit as part of Annual System Audit, if required.
e. The Auditor must not have any conflict of interest in conducting fair, objective and independent audit of the exchange / depository/ clearing corporation. It should not have been engaged over the last three years in any consulting engagement with any departments / units of the entity being audited.
f. The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.
g. The proposed audit agency must be empanelled with CERT-In.
h. Any other criteria that the MII may deem fit for the purpose of selection of Auditor.
Audit Report Guidelines
3. The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/directions/advices, etc. related to technology. The Auditor in the Audit Report shall give its views indicating the NCs to the standards or observations or suggestions. For each section, auditors should also provide qualitative inputs/suggestions about ways to improve the processes, based upon the best industry practices.
4. The report should also include tabulated data to show NCs / observations for each of the major areas in the TOR.
5. Evidences should be specified in the Audit Report while reporting/ closing an issue.
6. A detailed report with regard to the System Audit shall be submitted to SEBI. The report should include an Executive Summary as per the following format:
| Issue Log Column Heading | Description | Responsibility |
| Major Area | Major area/relevant clause in TOR against which compliance is being audited | Auditor |
| Description of
Finding/ Observation |
Describe the findings in sufficient detail, referencing any accompanying evidence (e.g. procedure manual, interview notes, reports etc.) | Auditor |
| Reference | Reference to the section in detailed report – where full background information about the findings are available | Auditor |
| Process/ Unit | Process or unit where the audit is conducted and the finding pertains to | Auditor |
| Category of Findings | Major/Minor Non-compliance, Observation, Suggestion etc. |
Auditor |
| Audited By | Which Auditor covered the findings | Auditor |
| Root Cause Analysis | A detailed analysis on the cause of the Non-compliance |
Auditee |
| Remediation | The action (to be) taken to correct the Non-compliance |
Auditee |
| Target Completion Date for Remedial Action | The date by which remedial action must be/will be completed | Auditor/Auditee |
| Status | Status of finding on reporting date (open/close) | Auditor/Auditee |
| Verified By | Auditing personnel (upon verification that finding can be closed) | Auditor |
| Closing Date | Date when finding is verified and can be closed | Auditor |
Annexure 2
System Audit Program – Terms of Reference (TOR)
1. IT environment
1.1. Organization details
a. Name
b. Address
c. IT team size (in house- employees)
d. IT team size (vendors)
1. 2. IT set up and usage
a. Data Centre, near site and DR site and Regional/ Branch offices (location, owned/ outsourced)
b. System Architecture
2. IT Governance
2.1. Whether IT Governance framework exists to include the following:
a. IT organization structure including roles and responsibilities of key IT personnel;
b. IT governance processes including policy making, implementation and monitoring to ensure that the governance principles are followed;
2.2. IT policies and procedures
a. Whether the organization has defined and documented IT policy? If yes, is it approved by the Governing Board (GB)?
b. Is the current System Architecture including infrastructure, network and application components to show system linkages and dependencies documented?
c. Whether defined and documented Standard Operating Procedures (SOPs) for the following processes are in place?
i. IT Assets Acquisition
ii. Access Management
iii. Change Management
iv. Backup and Recovery
v. Incident Management
vi. Problem Management
vii. Patch Management
viii. Data Centre Operations
ix. Operating Systems and Database Management
x. Network Management
xi. DR Site Operations
xii. Data Retention and Disposal
3. Business Controls
3.1. General Controls for Data Centre Facilities
a. Application Access – segregation of duties, database and application access etc. (Approved Policy clearly defining roles and responsibilities of the personnel handling business operations)
b. Maintenance Access – vendor engineers
c. Physical Access – permissions, logging, exception reporting & alerts
d. Environmental Controls – fire protection, AC monitoring, etc.
e. Fault Resolution Mechanism
f. Folder Sharing and Back Up Controls – safeguard of critical information on local desktops
g. Incidences of violations in last year and corrective action taken
3.2. Software change control
a. Whether pre-implementation review of application controls (including controls over change management) was undertaken?
b. Adherence to secure Software Development Life Cycle (SDLC) / Software Testing Life Cycle (STLC) standards/ methodologies
c. Whether post implementation review of application controls was undertaken?
d. Is the review of processes followed by implementation team to ensure data integrity post implementation of new application or system?
e. User awareness
f. Processing of new feature request
g. Fault reporting / tracking mechanism & process for resolutions
h. Testing of New releases / Bug-fixes – Testing process (automation level)
i. Version Control – History, Change Management process etc.
j. Development / Test/ Production environment – Segregation
k. New Release in Production – Promotion, Release note approvals
l. Production Issues / disruptions reported during last year, root cause analysis & corrective actions taken
m. Software Development Stage
n. Software Design to bot ‘crash’ and capacity to work in degraded manner
3.3. Data Communication/ Network Controls
a. Network Administration – Redundancy, Monitoring, breakdown resolution etc.
b. WAN Management – Connectivity provisions for business continuity.
c. Encryption – Router based as well as during transmission
d. Connection Permissions – Restriction on need to have basis
e. Fallback Mechanism – Dial-up connections controls etc.
f. Hardware based Signing Process
g. Incidences of access violations in last year & corrective actions taken
3.4. Security Controls
a. Secured e-mail with other entities like SEBI, other partners
b. Email Archival Implementation
3.5. Access Policy and Controls
a. Defined and documented policies and procedures for managing access to applications and infrastructure – PDC, DRS,NS, branches (including network, operating systems and database) and approved by relevant authority
b. Review of access logs
C. Access rights and roles review procedures for all systems
d. Segregation of Duties (SOD) matrix describing key roles
e. Risk acceptance for violation of SOPs and alternate mechanism put in place
f. Privileged access to system and record of logs,
g. Periodic monitoring of access rights for privileged users
h. Authentication mechanisms used for access to systems including use of passwords, One Time Passwords (OTP), Single Sign on, etc.
3.6. Electronic Document Controls
3.7. General Access Controls
3.8. Performance Audit
a. Comparison of changes in transaction volumes since previous audit
b. Review of systems (hardware, software, network) performance over period
c. Review of the current volumes against the last performance test and against the current system utilization
3.9. Business Continuity / Disaster Recovery Facilities
a. BCP manual, including Business Impact Analysis (BIA), Risk Assessment and DR process, Roles and responsibilities of BCP team}
b. Implementation of policies
c. Back-up procedures and recovery mechanism using back-ups.
d. Storage of Back-up (Remote site, DRS etc.)
e. Redundancy – Equipment, Network, Site etc.
f. DRS installation and Drills – Management statement on targeted resumption capability (in terms of time required & extent of loss of data)
g. Evidence of achieving the set targets during the DRS drills in event of various disaster scenarios.
h. Debrief / review of any actual event when the DR/BCP was invoked during the year
i. User awareness and training
j. Is Recovery Time Objective (RTO) /Recovery Process Objective (RPO) during Business Impact Analysis (BIA) documented?
k. Is annual review of BCP-DR or in case of major change in business/ infrastructure undertaken?
l. Testing of BCP-DR plan through appropriate strategies including simulations, DR drills, system recovery, etc.
3.10. IT Support & IT Asset Management
a. Utilization Monitoring – including report of prior year utilization
b. Capacity Planning – including projection of business volumes
c. IT (S/W, H/W & N/W) Assets, Licenses & maintenance contracts
d. Comprehensive review of Assets life cycle management (Acquisition, commissioning, deployment, monitoring, maintenance and de commissioning) and relevant records related to it.
e. Insurance
f. Disposal – Equipment, media, etc.
4. Entity Specific Software used for or supporting trading/clearing systems / peripheral systems and critical processes
5. Human Resources Management
5.1. Screening of Employee, Third party vendors / contractors
5.2. Onboarding
5.3. Offboarding
5.4. Consequence Management (Incident / Breach of policies)
5.5. Awareness and Trainings
5.6. Non-Disclosure Agreements (NDAs) and confidentiality agreement
6. IT Vendor Selection and Management
6.1. Identification of eligible vendors
6.2. Dissemination process of Request for Proposal (RFP)
6.3. Definition of criteria of evaluation
6.4. Process of competitive analysis
6.5. Approach for selection
6.6. Escrow arrangement for keeping source code
7. E-Mail system
7.1. Existence of policy for the acceptable use of electronic mail
7.2. Regulations governing file transfer and exchange of messages with external parties
7.3. Rules based on which e-mail addresses are assigned
7.4. Storage, backup and retrieval
8. Redressal of Technological Complaints
9. Any other Item
9.1. Electronic Waste Disposal
9.2. Observations based on previous Audit Report (s)
9.3. Any other specific area that may be informed by SEBI.
Annexure 3
Format for monitoring compliance with SEBI circulars/guidelines/advisories related to technology
Sl. No. |
Date of SEBI circular/ directions/ advice, etc. |
Subject |
Technological requirements specified by SEBI in brief |
Mechanism
|
Non compliances with SEBI circulars/ guidelines |
Compliance status (Open/ closed) |
Comments of the Management |
Time-line for taking corrective action in case of open observations |
Annexure 4
Exception Observation Reporting Format
Note: MIIs are expected to submit following information with regard to exceptional major non-compliances (NCs) / minor NCs observed in the System Audit. MIIs should also categorically highlight those observations/ NCs/suggestions pointed out in the System Audit (current and previous) which are not yet complied with.
Name of the MII:
Name of the System Auditor:
Systems Audit Report Date:
Table 1: For preliminary audit
Audit period |
Obser vation No. |
Descript ion of finding |
Depart ment |
Status/ Nature of finding |
Risk Rating of finding as per Auditor |
Audit TOR clause |
Root Cause Analys is |
Impact Analysi s |
Corrective Actions proposed by auditor |
Deadline for the correctiv e action |
Management response in case of acceptance of associated risks |
Whether similar issue was observed in any of the previous 3 Audits |
Description of relevant Table heads
1. Audit Period – This indicates the period of audit
2. Description of findings/observations – Description of the findings in sufficient details, referencing any accompanying evidence
3. Status/ Nature of Findings – The category can be specified for example:
a. Non-compliant (Major/Minor)
b. Work in progress
c. Observation
d. Suggestion
4. Risk Rating of finding – A rating has to be given for each of the observations based on their impact and severity to reflect the risk exposure, as well as the suggested priority for action
| Rating | Description |
| HIGH | Represents weakness in control with respect to threat(s) that is /are sufficiently capable and impacts asset (s) leading to regulatory non-compliance, significant financial, operational and reputational loss. These observations need to be addressed with utmost priority. |
| MEDIUM | Represents weakness in control with respect to threat(s) that is /are sufficiently capable and impacts asset (s) leading to exposure in terms of financial, operational and reputational loss. These observations need to be addressed reasonably promptly. |
| LOW | Represents weaknesses in control, which in combination with other weakness can develop into an exposure. Suggested improvements for situations not immediately/directly affecting controls. . |
5. Audit TOR clause – The TOR clause corresponding to this observation
6. Root Cause analysis – A detailed analysis on the cause of the non-conformity.
7. Impact Analysis – An analysis of the likely impact on the operations/ activity of the organization
8. Corrective Action – The action taken to correct the non-conformity
Table 2: For follow on/ follow up system audit
Preliminary Audit Date |
Preliminary Audit Period |
Preliminary Observation Number |
Preliminary Status |
Preliminary Corrective Action as proposed by Auditor |
Current Finding |
Current Status |
Revised Corrective Action, if any |
Deadline for the Revised Corrective Action |
Reason for delay in impleme ntati on/ compliance |
Description of relevant Table heads
1. Preliminary Status – The original finding as per the preliminary System Audit Report
2. Preliminary Corrective Action – The original corrective action as prescribed in the preliminary system audit report
3. Current Finding – The current finding w.r.t. the issue
4. Current Status – Current Status of the issue viz. compliant, non-compliant, work in progress (WIP)
5. Revised Corrective Action – The revised corrective action prescribed w.r.t. the Non-compliant/ WIP issue
