The systems and network audit report will be placed before the governing board of the market infrastructure institution (MII) concerned. Later, the report, along with the comments of the management of the MII, needs to be communicated to Sebi within a month of completion of the audit, according to a circular.
Taking into account the rapid technological developments in the securities market and the risks that these developments pose to the efficiency and integrity of markets, Sebi, in January 2020, had mandated that stock exchanges, clearing corporations and depositories should conduct an annual system audit by a reputed independent auditor.
Further, in order to keep pace with the technological advancements in the securities market, Sebi reviewed the existing system audit framework.
The latest decision has been taken based on discussions with MIIs (stock exchanges, clearing corporations and depositories) and recommendations of the Technical Advisory Committee (TAC) of Sebi.
Under the new guidelines, MIIs are required to conduct a system and network audit as per the framework and Terms of Reference specified by the regulator.
Also, they are required to maintain a list of all the relevant Sebi directions pertaining to technology and their compliance with those directions, and this list needs to be included under the scope of the system and network audit.
MIIs are also required to submit information with regard to exceptional major Non-Compliances (NCs)/minor NCs observed in the system and network audit. Besides, they have to categorically highlight those observations/NCs pointed out in the system and network audit (current and previous) which remain open.
The systems and network audit report, including compliance with Sebi guidelines and exceptional observation format, along with compliance status of previous year observations will have to be placed before the governing board of the MII concerned. Then, the report along with the comments of the management of the MII shall be communicated to Sebi within a month of completion of audit, as per the circular.
Along with the audit report, MIIs are required to submit a joint declaration from the Managing Director (MD)/Chief Executive Officer (CEO) and Chief Technology Officer (CTO) certifying the security and integrity of their IT systems, and the correctness and completeness of data provided to the auditor.
Among others, the joint declaration should also certify that the entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure are in conformity with Sebi’s regulatory framework to provide fair, equitable, transparent and non-discriminatory treatment to all the market participants.
In addition, they need to make the joint declaration that the internal review of critical systems was carried out during the audit period, including the Failure Modes and Effects Analysis (FMEA).
The new framework will come into force with immediate effect, the Securities and Exchange Board of India (Sebi) said.