In order to keep pace with the technological advancements in the securities market, Sebi on Tuesday came out with new framework on system audit for market infrastructure institutions (MIIs), stock exchanges, clearing corporations and depositories, wherein they need to inform about major non-compliances. The decision has been taken based on discussions with stock exchanges, clearing corporations and depositories along with recommendations of Sebi’s Technical Advisory Committee.
In a circular, the regulator has asked MIIs to conduct an annual system audit as per the prescribed framework and terms of reference.
Also, they have been asked to maintain a list of all the relevant Sebi circular and directions, among others, pertaining to technology and compliance under a stipulated time frame and the same need to be included under the scope of system audit.
Further, they have been asked to submit information with regard to exceptional major or minor non-compliances observed in the system audit and categorically highlight those observations pointed out in the system audit (current and previous) which remain open.
The system audit report, including compliance with Sebi guidelines and exceptional observation format along with compliance status of previous year observations, needs be placed before the governing board of the MIIs and then the report along with the comments of the MII’s management needs to be communicated to Sebi within a month of completion of audit.
Further, along with the audit report, MIIs need to submit a declaration from their managing directors or chief executive officers certifying the security and integrity of their IT systems.
With regard to the audit process, Sebi said the audit needs to be conducted according to the norms, terms of reference and guidelines issued by it. The governing board of the MII will appoint auditor who can perform a maximum of three successive audits. However, such auditor will be eligible for re-appointment after a cooling-off period of two years.
Further, during the cooling-off period, the incoming auditor should not include: Any firm that has common partner with the outgoing audit company. The period of the audit will not be more than 12 months. Further, the audit will be completed within 2 months from the end of the audit period.
According to Sebi, the overall timeline from the last date of the audit period till completion of final compliance by MII, including follow-on audit, if any, should not exceed one year.
In exceptional cases, if MII is of the view that compliance with certain observations may extend beyond a period of one year, then the concerned MII shall seek specific approval from the governing board, it added.
In respect of auditor selection norms, Sebi said the auditor must have minimum 3 years of demonstrable experience in IT audit of securities industry or financial services sector—banking, insurance and fin-tech.
The auditor should have the capability to undertake forensic audit and undertake such audit as part of annual system audit, if required and must not have any conflict of interest.
Sebi said a detailed report with regard to the system audit needs be submitted to it. The detailed report should include executive summary with details about unit where the audit is conducted and the findings.