System and Network Audit of Market Infrastructure Institutions
System and Network Audit of Market Infrastructure Institutions (MIIs)
- Taking into account the rapid technological developments in the securities market and the entailing risks that these developments pose to the efficiency and integrity of markets, SEBI vide Circular no. SEBI/HO/MRD1/ICC1/CIR/P/2020/03 dated January 07, 2020, had mandated that stock exchanges, clearing corporations and depositories should conduct an Annual System Audit by a reputed independent auditor.
- In order to keep pace with the technological advancements in the securities market, it is felt that there is a need to revise the aforementioned Circular. Accordingly, based on discussions with Stock Exchanges, Clearing Corporations, Depositories (hereinafter referred as ‘Market Infrastructure Institutions – MIIs), and recommendations of the Technical Advisory Committee (TAC) of SEBI, the existing System Audit Framework has been reviewed.
- MIIs are required to conduct System and Network Audit as per the framework enclosed as Annexure 1 and Terms of Reference (TOR) enclosed as Annexure 2. MIIs are also required to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per format enclosed as Annexure 3 and the same shall be included under the scope of System and Network Audit.
- MIIs are also required to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System and Network audit as per format enclosed as Annexure 4 and are required to categorically highlight those observations/NCs/suggestions pointed out in the System and Network audit (current and previous) which remain open.
- The Systems and Network audit Report including compliance with SEBI circulars/ guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the MII and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of audit.
- Further, along with the audit report, MIIs are required to submit a Joint declaration from the Managing Director(MD)/Chief Executive Officer(CEO) and Chief Technology Officer (CTO) certifying a) the security and integrity of their IT Systems. b) correctness and completeness of data provided to the Auditor c) entire network architecture, connectivity (including co-lo facility) and its linkage to the trading infrastructure are in conformity with SEBI’s regulatory framework to provide fair equitable, transparent and non-discriminatory treatment to all the market participants d) internal review of Critical Systems as defined in SEBI circular dated March 22, 2021 was carried out during the Audit period, including the Failure Modes and Effects Analysis (FMEA).
- This circular supersedes the abovementioned Circular no. SEBI/HO/MRD1/ICC1/CIR/P/2020/03 dated January 07, 2020. This circular is available on SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.
- The provisions of the Circular shall come into force with immediate effect.
- The circular is issued with the approval of the competent authority.
- This circular is being issued in exercise of the powers conferred by Section 11(1) of Securities and Exchange Board of India Act, 1992 read with Regulation 51 of Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 and Section 19 of the Depositories Act, 1996 read with Regulation 97 of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 to protect the interest of investors in securities market and to promote the development of, and to regulate the securities market.
Read More on SEBI