Framework for Monitoring and Supervision of System Audit of Stock Brokers (SBs) through Technology based Measures. - SEBI - SEBI/HO/MIRSD/TPD/CIR/2025/10

CIRCULAR

SEBI/HO/MIRSD/TPD/CIR/2025/10
January 31, 2025

To,
All recognised Stock Exchanges
All registered Stock Brokers through Recognized Stock Exchanges

Dear Sir / Madam,

Sub: Framework for Monitoring and Supervision of System Audit of Stock Brokers (SBs) through Technology based Measures.

1. SEBI vide Master Circular No. SEBI/HO/MRD2/PoD-2/CIR/P/2023/171 dated October 16, 2023 in Clause 8.2 of Chapter 2 has specified the comprehensive framework for System Audit for Stock Brokers (SBs)/Trading Members (TMs). Considering the complexities of technology and system used by stock brokers and emanating technology risk thereof, there is a need to further strengthen the system audit framework. Therefore, it has been decided to introduce technology based mechanism to monitor and supervise the way in which the system audits are conducted and to prescribe eligibility criteria for the empanelment of auditors to ensure that audits are conducted in a stipulated manner.

2. Based on the discussions with Stock Exchanges (SEs) and Technical Advisory Committee (TAC) of SEBI as well as in Intermediary Advisory Committee (IAC) wherein representative of ICAI was also invited, the following guidelines shall be prescribed for the conduct of system audit of SBs.

3. Monitoring and Supervision of System Audit process through online mechanism:

3.1 Stock Exchanges shall develop web portal/ web based platform and create technology based mechanisms to monitor and supervise the entire system audit lifecycle of a stock broker.

3.2 Stock Exchanges shall monitor process of carrying out of system audit of SBs through online monitoring mechanism. As part of the monitoring mechanism, exchanges shall capture the geo location of the auditor to ensure that physical visit is carried out by auditor in the premises of the stock broker.

3.3 The web based monitoring supervision framework shall be accessed by the auditor during the audit. Exchanges shall ensure that only the authorized auditor or person of the audit firm shall have access to the web portal while conducting audit through secure OTP mechanism.

4. Standardization of System Audit Process and Audit Report:

Pre audit requirements:

4.1 In order to ensure that the appointed auditor conducts the audit, Stock Exchanges shall monitor the process of carrying out of system audit through web portal in following manner:

4.2 SBs are mandated to provide following details through web portal before the commencement of system audit:

- Details of audit members such as name, address, registration no., membership no., PAN, qualification, mobile number etc.
- Date of appointment of auditor, period of audit, copy of auditor appointment letter.
- Audit plan including proposed dates for physical visit by auditor, list of proposed coverage of IT systems/processes, SBs/TMs name, address, PAN, SEBI registration no. etc.

Requirements during the audit:

4.3 During every visit to the SBs premises, auditor shall log in to the web portal of the exchange from SBs location. The login into the web portal shall be enabled only to authorized auditor through secured mechanism such as OTP on mobile device of the auditor.

4.4 Web portal shall capture the geo location of the auditor to confirm physical visits by the auditor.

4.5 During audit, the auditor shall provide following details through online web portal:

- Audit start date, Date of visit, entry time, exit time, audit team members visited, person with whom interacted, details of systems covered, audit end date etc.
- Evidence shall be collected by inspecting physical assets, records/documents, testing of relevant systems, system generated reports etc.

4.6 Exchanges shall conduct surprise visit to the premises of Qualified Stock Brokers (QSBs) to verify the audit being actually carried out by authorized auditor or authorized persons of audit firm. The exchanges may explore the possibilities of surprise visit to other SBs on a sample basis.

4.7 The system auditor shall carry out offsite assessments of the virtual assets provided by third party vendors (cloud services SaaS, PaaS, IaaS etc.). SBs/TMs shall obtain SOC-II compliance from vendors and provide it to the auditor. Exchanges may also prescribe suitable certification/compliance to be obtained from third-party vendors and maintained by SBs/TMs.

Post audit requirements:

4.8 Stock Exchanges shall define standardized template for the system audit report in order to maintain uniformity of audit reports across SBs/TMs. The standardised template of the audit report shall be made available on the web portal which can be filled up by the auditor and submitted to SBs/TMs through the web portal.

4.9 The system audit report shall be comprehensive and shall include all areas pertaining to system and technology used by SBs including details of locations/sites covered, IT infrastructure/applications, systems covered during audit, distribution of critical and non-critical IT systems, internal and external systems, sample size chosen, criteria used to choose it, the percentage of the total that was chosen as a sample etc.

4.10 The system audit report and the Action Taken Report (ATR) shall be submitted to Exchanges through web portal. The ATR shall be validated by the same auditor who has carried out the system audit.

4.11 QSBs are mandated to submit the system audit report and the ATR to Stock Exchanges after approval from their respective Governing Board and Standing Committee on Technology (SCOT) or equivalent Technology Committee (TC).
Other SBs/TMs are mandated to submit the system audit report and the ATR to Stock Exchanges on approval of Proprietor/Partner or equivalent responsible official through SCOT or TC.

5. Framework for Empanelment of System Auditors:

5.1 Appointment of Auditor: Stock Exchanges are required to empanel system auditors. The eligibility criteria for such empanelment shall be prescribed such as qualification, experience, minimum no. of partners required in an audit firm, minimum experience of conducting audits required for the auditor, minimum no. of skilled employees required etc. and norms for de-empanelment. The eligibility criteria shall emphasize the experience and qualification of auditors rather than only the experience of the audit firm. The list of the empaneled auditors shall be made available on the web portal.

5.2 Stock exchanges shall ensure that auditor so appointed shall be independent and do not have any conflict of interest with stock brokers. To address the conflict of interest and to ensure quality in the audit report, exchange shall put in place maximum ceiling on the appointment or reappointment of an auditor.

5.3 Exchanges in consultation with SEBI, shall issue broad guideline to ensure rationalization and standardization of the cost of conducting system audit from empaneled system auditor based on certain parameters such as no. of clients, turnover, IT infrastructure etc.

5.4 Exchanges shall prescribe the additional criteria for empanelment of system auditor for QSBs.

5.5 Re-appointment of auditor: After carrying out the audits of three consecutive years, cooling off period of 2 years may be prescribed for reappointment of the auditor/audit firm. Monitoring of compliance of this provision shall be done by stock exchanges through web portal.

5.6 Reassessment of audit: Exchanges shall define the critical audit area and place them in the online web portal.
The reassessment shall be carried out by the same system auditor if gaps/deficiencies are found in such critical areas of system audit. Further, such reassessment shall also be carried out by such auditor in case of other stock brokers where he has conducted the audit.

5.7 De-empanelment: In case it is observed by stock exchanges that auditor has not done audit prudently or gaps/deficiencies are found in audit report repeatedly, exchanges shall de-empanel such auditor and also refer such matters to the National Financial Reporting Authority (NFRA)/ICAI/ISACA, as applicable for appropriate action against such auditor.

6. Enhanced obligation on the system auditor:

6.1 Considering the extensive use of technology by the stock brokers, the system auditor shall verify the following aspects during the audit:

- Reporting of all technical glitches occurred in the system of SBs to the exchanges as per the requirements.
- Remedial steps taken by SBs to resolve technical glitches occurred in past 1 year
- Capacity planning in proportion to increase in clients/turnover etc.
- Software testing and change management/patch management as per prescribed guidelines (including OMS/RMS systems provided by vendors)
- Implementation of Logging and Monitoring Mechanism (LAMA) to detect technical glitches as prescribed by exchanges in the technical glitch framework dated December 16, 2022.
- Preservation of logs of LAMA parameters for the prescribed period
- Servers/applications used for placing the orders or routing such orders to exchange are located at SBs premise.
- Compliance with the requirements of DR site and conducting live DR drill etc.

7. Other due diligence by Stock Exchanges:

7.1 Exchanges shall carry out due diligence to ensure authenticity of the system audit report. In addition to the same, the system audit report submitted by SB/TM shall be validated against the last submitted report.

7.2 Exchanges may discuss the findings of the system audit of QSBs with the auditor after submission of audit report.

7.3 Stock Exchanges shall prescribe financial disincentive on SBs for instances where serious lacunas found in the system audit process and/or non-closure of observations found during the audit within defined timelines.

7.4 Exchanges shall prescribe the period for preservation of documents such as working papers, logs, screenshots, records of visit to the premises of the entity and other evidence in support of the audit.

7.5 Stock Exchanges are mandated to submit summary of system audits of SBs/TMs to SEBI on half yearly basis giving details of stock brokers who have carried out the audit, action taken on non-compliant stock brokers, details of surprise visits carried and findings thereof, action taken on the auditor if any etc.

8. The web portal shall be developed by stock exchanges within six months from the issuance of this circular. Exchanges to ensure availability of adequate resources in terms of technology and manpower for implementation, adherence and support of requirements.

9. The proposed framework for Monitoring and Supervision of the System Audit of the Stock Brokers (SBs) through technology based measures shall come into force for the audit period FY 2025-26.

10. This circular is being issued in exercise of the powers conferred by Section 11(1) of Securities and Exchange Board of India Act, 1992 to protect the interest of investors in securities market and to promote the development of, and to regulate the securities market.

Yours faithfully,

Vishal Padole
General Manager
Market Intermediaries Regulation and Supervision Department
Email: [email protected]