To enhance oversight of technology risks in the securities market, the Securities and Exchange Board of India (“SEBI”) has introduced a comprehensive framework for monitoring and supervising the system audit of Stock Brokers (“SBs”) and Trading Members through technology-based measures. The circular, issued on January 31, 2025, outlines key guidelines to strengthen system audit processes and ensure robust compliance mechanisms.
Key Highlights of the Framework
1. Strengthening System Audit Monitoring through Online Mechanism
Stock Exchanges must develop a web portal to monitor and supervise the entire system audit lifecycle of stock brokers.
Auditors must log into the portal during audits, with geo-location tracking ensuring physical visits to stock broker premises.
Only authorized auditors can access the platform via a secure OTP mechanism.
2. Standardization of System Audit Process & Reporting
SBs must upload audit-related details on the web portal before the audit begins, including audit plans, IT system coverage, and auditor credentials.
During each audit visit, auditors must log entry and exit times, record findings, and document systems reviewed.
Exchanges will conduct surprise visits to verify the authenticity of audit activities.
SBs utilizing third-party virtual assets (e.g., cloud services) must submit SOC-II compliance certificates.
3. Post-Audit Compliance & Reporting
SEBI has mandated a standardized system audit report template, which must be submitted via the web portal.
The report must comprehensively cover IT infrastructure, system security, sample selection criteria, and compliance levels.
Stock Brokers must submit Action Taken Reports, validated by the same auditor, to Stock Exchanges.
Qualified Stock Brokers (“QSBs”) must obtain Governing Board and Standing Committee on Technology (SCOT) approvals before submission.
4. Framework for Empanelment & Oversight of System Auditors
Stock Exchanges will empanel system auditors based on stringent eligibility criteria (qualifications, experience, number of partners/employees, etc.).
Exchanges will limit auditor reappointments and introduce a cooling-off period of two years after three consecutive audits.
Reassessment audits will be required if gaps or deficiencies are found in critical areas.
Auditors found to be non-compliant or negligent may be de-empaneled and referred to regulatory bodies such as NFRA, ICAI, or ISACA.
5. Enhanced Responsibilities for System Auditors
Auditors must verify compliance with SEBI’s technical glitch framework, ensuring that issues are reported and addressed in a timely manner.
System audits must review capacity planning, software testing, disaster recovery (DR) drills, and compliance with logging & monitoring protocols.
6. Stock Exchanges' Due Diligence & Compliance Enforcement
Exchanges will cross-check audit reports against previous submissions for discrepancies.
Exchanges will hold discussions with auditors of QSBs post-audit to ensure robustness.
Financial penalties will be imposed on brokers failing to close audit observations within defined timelines.
Audit-related documents, including working papers, logs, and site visit records, must be preserved for future reference.
Stock Exchanges will submit semi-annual system audit summaries to SEBI, detailing compliance levels and enforcement actions.
Implementation Timeline
The web portal must be developed within six months from the circular issuance date.
The new system audit framework will be applicable from the financial year 2025-26.
This framework marks a significant step toward ensuring greater transparency, standardization, and accountability in system audits for Stock Brokers. By leveraging technology-driven monitoring, SEBI aims to fortify the securities market’s resilience against operational risks and cyber threats.