Tax Management India. Com
Annual System Audit

..... tem Audit Framework has been reviewed.

3. MIIs are advised to conduct an Annual System Audit as per the framework enclosed as Annexure 1 and Terms of Reference (TOR) enclosed as Annexure 2. MIIs are also advised to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per format enclosed as Annexure 3 and the same shall be included under the scope of System Audit.

4. Further, MIIs are advised to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System Audit as per format enclosed as Annexure 4 and are advised to categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which remain open.

5. The Systems Audit Report including compliance with SEBI circulars/ guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the MII and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of audit. Further, along with the audit report, MIIs .....

..... order to determine its eligibility in terms of sub-clause c above.

f. The scope of the Audit may be broadened to incorporate any new developments that may arise due to issuance of circulars/ directions/ advice by SEBI from time to time.

g. The period of Audit shall not be for more than 12 months. Further, the Audit shall be completed within 2 months from the end of the Audit Period.

h. In the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/ directions/ advices issued by SEBI, internal policy of the MII, etc. Further, the report shall also include specific non-compliances (NCs), observations for minor deviations and suggestions for improvement. The report shall take previous audit reports into consideration and cover any open items therein. The auditor should indicate if a follow-on audit is required to review the status of NCs.

i. For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit by the MII may be taken. The management of the MII shall provide its comments on the NCs, observations and suggestions made by the Auditor, corrective a .....

..... tional Information Systems Security Certification Consortium, commonly known as (ISC)².

c. The Auditor shall have experience in working on IT audit/governance/IT service management frameworks and processes conforming to industry leading practices like COBIT 5/ ISO 27001 and beyond.

d. The Auditor should have the capability to undertake forensic audit and undertake such audit as part of Annual System Audit, if required.

e. The Auditor must not have any conflict of interest in conducting fair, objective and independent audit of the exchange / depository/ clearing corporation. It should not have been engaged over the last three years in any consulting engagement with any departments / units of the entity being audited.

f. The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.

g. The proposed audit agency must be empanelled with CERT-In.

h. Any other criteria that the MII may deem fit for the purpose of selection of Auditor.

Audit Report Guidelines

3. The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/direc .....

..... Status: Status of finding on reporting date (open/close) [Auditor/Auditee]
Verified By: Auditing personnel (upon verification that finding can be closed) [Auditor]
Closing Date: Date when finding is verified and can be closed [Auditor]

Annexure 2
System Audit Program Terms of Reference (TOR)

1. IT environment
1.1. Organization details
a. Name
b. Address
c. IT team size (in-house employees)
d. IT team size (vendors)
1.2. IT set up and usage
a. Data Centre, near site and DR site and Regional/ Branch offices (location, owned/ outsourced)
b. System Architecture

2. IT Governance
2.1. Whether IT Governance framework exists to include the following:
a. IT organization structure including roles and responsibilities of key IT personnel;
b. IT governance processes including policy making, implementation and monitoring to ens .....

..... tion level)
i. Version Control History, Change Management process etc.
j. Development / Test/ Production environment Segregation
k. New Release in Production Promotion, Release note approvals
l. Production Issues / disruptions reported during last year, root cause analysis, corrective actions taken
m. Software Development Stage
n. Software Design to not crash and capacity to work in degraded manner

3.3. Data Communication/ Network Controls
a. Network Administration - Redundancy, Monitoring, breakdown resolution etc.
b. WAN Management - Connectivity provisions for business continuity.
c. Encryption - Router based as well as during transmission
d. Connection Permissions - Restriction on need-to-have basis
e. Fallback Mechanism - Dial-up connections controls etc.
f. Hardware based Signing Process
g. Incidences of access violations in last year, corrective actions taken

3.4. Security Controls
a. Secured e-mail with other entities like SEBI, other partners
b. Email Archival Implementation

3.5. Access Policy and C .....

..... Utilization Monitoring including report of prior year utilization
b. Capacity Planning including projection of business volumes
c. IT (S/W, H/W, N/W) Assets, Licenses, maintenance contracts
d. Comprehensive review of Assets life cycle management (Acquisition, commissioning, deployment, monitoring, maintenance and de-commissioning) and relevant records related to it.
e. Insurance
f. Disposal - Equipment, media, etc.

4. Entity Specific Software used for or supporting trading/clearing systems / peripheral systems and critical processes

5. Human Resources Management
5.1. Screening of Employee, Third party vendors / contractors
5.2. Onboarding
5.3. Offboarding
5.4. Consequence Management (Incident / Breach of policies)
5.5. Awareness and Trainings
5.6. Non-Disclosure Agreements (NDAs) and confidentiality agreement

6. IT Vendor Selection and Management
6.1. Identification of eligible vendors
6.2. Dissemination process of Request for Proposal (RFP)
6.3. Definition of criteria of evaluation
6.4. Proc .....

..... ted to submit following information with regard to exceptional major non-compliances (NCs)/ minor NCs observed in the System Audit. MIIs should also categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which are not yet complied with.

Name of the MII: ___________________
Name of the System Auditor: _________________
Systems Audit Report Date: _________________

Table 1: For preliminary audit
Table heads:
Audit period
Observation No.
Description of finding
Department
Status/ Nature of finding
Risk Rating of finding as per Auditor
Audit TOR clause
Root Cause Analysis
Impact Analysis
Corrective Actions proposed by auditor
Deadline for the corrective action
Management response in case of acceptance of associated risks .....

..... ormity

Table 2: For follow on/ follow up system audit
Table heads:
Preliminary Audit Date
Preliminary Audit Period
Preliminary Observation Number
Preliminary Status
Preliminary Corrective Action as proposed by Auditor
Current Finding
Current Status
Revised Corrective Action, if any
Deadline for the Revised Corrective Action
Reason for delay in implementation/ compliance

Description of relevant Table heads
1. Preliminary Status: The original finding as per the pre .....
