System & Network Audit of Market Infrastructure Institutions: SEBI Circular

Ashish M. Shaji

01 Jun, 2024

The Securities and Exchange Board of India vide circular dated May 02, 2022, notified of the revised framework for System and Network Audit of Market Infrastructure Institutions. This circular supersedes the previously issued Circular no. SEBI/HO/MRD1/ICC1/CIR/P/2020/03 dated January 7, 2020. In this article, we will discuss the key highlights of the guidelines issued by SEBI in this regard.

What do you mean by Market Infrastructure Institutions?

Stock exchanges, depositories and clearing houses form part of the Market Infrastructure Institutions. They are an important part of the nation’s vital economic infrastructure. As per a panel set up in 2010 under the chairmanship of former RBI Governor Bimal Jalan, the term ‘market infrastructure’ denotes such fundamental facilities/systems serving this capital market.

Need for revision of guidelines

SEBI in its circular dated Jan 7, 2020, stated that due to the rapid technological advancements in the securities market and entailing risks that it poses to the efficiency and integrity of markets, stock exchanges, clearing corporations and depositories were mandated to conduct an annual system audit by a reputed independent auditor.

However, SEBI has felt the need to revise the aforementioned circular to keep up with the technological advancements in the securities market.

Compliances to be undertaken by Market Infrastructure Institutions

Market Infrastructure Institutions are required to undertake the following compliances:

• Market Infrastructure Institutions must conduct System and Network Audit;
• Market Infrastructure Institutions are also required to keep a list of all the relevant SEBI circulars/ directions/ advice, etc.  relating  to  technology  and  compliance thereof;
• Market Infrastructure Institutions are also required to submit information with respect to exceptional major Non-Compliances (NCs)/ minor Non-Compliances observed in the System and Network audit;
• Market Infrastructure Institutions are required to submit a Joint declaration from the Managing  Director/Chief Executive Officer and Chief Technology Officer certifying the following:
• The security & integrity of their IT Systems;
• Accuracy and completeness of data provided to the Auditor;
• Entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure conform with SEBI’s regulatory framework to provide a fair equitable, transparent and  non-discriminatory treatment to all market participants;
• Internal review of Critical Systems.

Framework for System and Network Audit

For system and network audit the following points should be considered:

• Audit to be conducted as per the Norms, Terms of Reference (TOR) and Guidelines issued by SEBI.
• Governing Board of the Market Infrastructure Institution to appoint the Auditor.
• An Auditor can perform maximum of 3 successive audits.
• Such auditor can be re-appointed after a cooling-off period of two years.
• Scope of the Audit may be broadened by the Auditor.
• Audit to be conducted once in a financial year and audit period to be  12  months except for those MIIs,  whose systems have been identified as  “protected system”  by  NCIIPC, the audit will be conducted on a half yearly basis and audit period shall be of 6 months.
• The auditor report shall entail specific non-compliances (NCs), observations for minor deviations and suggestions for improvement.
• For every NCs/observations and suggestions made by the Auditor, specific corrective action can be taken by the MI.
• Audit report, along with the managements’ comments will be brought before the governing board of the Market Infrastructure Institutions. The Audit report with comments of the governing board will be submitted to SEBI, within a month of completion of audit.
• The follow-on audit to be completed within a month of the corrective actions taken by the MII.  After that MII will submit a report to SEBI which will include updated Issue-Log indicating the corrective actions taken and specific comments of the Auditor.
• The total timeline from the last date of the audit period till completion of the final compliance by MII, should not exceed 1 year/6 months (as made be applicable).

Appointment of Auditor by Market Infrastructure Institutions

The following norms have been notified by SEBI in this regard:

• The Auditor should have minimum 3 years of demonstrable experience in IT audit of securities market participants e.g.  Stock exchanges, depositories, intermediaries, etc.  and/ or financial services sector-banking, insurance, Fin-tech etc.;
• The team performing system and network audit should have experience in/direct access to experienced resources in the areas covered under TOR;
• The Auditor must have experience in working on Network audit/IT audit/governance/IT service management frameworks as well as processes conforming to industry leading practices such as CobiT/ ISO 27001 etc.;
• The Auditor should not have any conflict of interest in conducting fair, objective and independent audit;
• The Auditor should not be having any cases pending against it;
• The Auditor should have the capability to undertake forensic audit.

Guidelines on Audit Report

The audit report shall:

• Cover each of the major areas specified in the terms of reference and compliance with SEBI circulars/directions/advice, etc. related to technology;
• Contain auditor’s views indicating the NCs to the standards or observations or suggestions; auditors should also provide qualitative inputs/suggestions about how to improve the processes, based on the best industry practices;
• Certify that entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure conforms with SEBI’s regulatory framework to provide fair equitable, transparent as well as non-discriminatory treatment to all the market participants;
• include tabulated data to show NCs/observations for each of the major areas in the Terms of Reference;
• include point-wise compliance of areas prescribed in Terms of  Reference  (TOR)  and areas emanating from relevant  SEBI circulars/directions/advice with any accompanying evidence.

Conclusion

The latest decision has been taken based on discussions with Market Infrastructure Institutions such as stock exchanges, clearing corporations, depositories and recommendations of the Technical Advisory Committee of SEBI^[1]. The new framework will come into force with immediate effect, the Securities and Exchange Board of India said.

Read Our Article: Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs) as per RBI