Tax Management India. Com

Annual System Audit - SEBI - SEBI/HO/MRD1/ICC1/CIR/P/2020/03

Extract

..... of Reference (TOR) enclosed as Annexure 2. MIIs are also advised to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per format enclosed as Annexure 3 and the same shall be included under the scope of System Audit.

4. Further, MIIs are advised to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System Audit as per format enclosed as Annexure 4 and are advised to categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which remain open.

5. The Systems Audit Report including compliance with SEBI circulars/ guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the MII and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of audit. Further, along with the audit report, MIIs are advised to submit a declaration from the MD / CEO certifying the security and integrity of their IT Systems.

6. This circular supersedes the above-menti .....


..... n the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/ directions/ advices issued by SEBI, internal policy of the MII, etc. Further, the report shall also include specific non-compliances (NCs), observations for minor deviations and suggestions for improvement. The report shall take previous audit reports into consideration and cover any open items therein. The auditor should indicate if a follow-on audit is required to review the status of NCs.

i. For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit by the MII may be taken. The management of the MII shall provide its comments on the NCs, observations and suggestions made by the Auditor, corrective actions taken or proposed to be taken along with time-line for such corrective action.

j. The Audit report along with the comments of management shall be placed before the Governing Board of the MII. The Audit report along with Comments of the Governing Board shall be submitted to SEBI, within 1 month of completion of Audit.

k. The follow-on audit should be completed within one month of the corrective .....


..... or must not have any conflict of interest in conducting fair, objective and independent audit of the exchange / depository/ clearing corporation. It should not have been engaged over the last three years in any consulting engagement with any departments / units of the entity being audited.

f. The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.

g. The proposed audit agency must be empanelled with CERT-In.

h. Any other criteria that the MII may deem fit for the purpose of selection of Auditor.

Audit Report Guidelines

3. The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/directions/advices, etc. related to technology. The Auditor in the Audit Report shall give its views indicating the NCs to the standards or observations or suggestions. For each section, auditors should also provide qualitative inputs/suggestions about ways to improve the processes, based upon the best industry practices.

4. The report should also include tabulated data to show NCs / observations for each of the major areas in the TOR.

5. Evidences should be specified in the .....


..... Procedures (SOPs) for the following processes are in place?
i. IT Assets Acquisition
ii. Access Management
iii. Change Management
iv. Backup and Recovery
v. Incident Management
vi. Problem Management
vii. Patch Management
viii. Data Centre Operations
ix. Operating Systems and Database Management
x. Network Management
xi. DR Site Operations
xii. Data Retention and Disposal

3. Business Controls

3.1. General Controls for Data Centre Facilities
a. Application Access - segregation of duties, database and application access etc. (Approved Policy clearly defining roles and responsibilities of the personnel handling business operations)
b. Maintenance Access - vendor engineers
c. Physical Access - permissions, logging, exception reporting & alerts
d. Environmental Controls - fire protection, AC monitoring, etc.
e. Fault Resolution Mechanism
f. Folder Sharing and Back Up Controls - safeguard of critical information on local desktops
g. Incidences of violations in last year and corrective action taken

3.2. Software change control
a. Whether pre-implementation review of application controls (including controls over change management) was undertaken?
b. Adherence to secure Software Develop .....


..... systems (hardware, software, network) performance over period
c. Review of the current volumes against the last performance test and against the current system utilization

3.9. Business Continuity / Disaster Recovery Facilities
a. BCP manual, including Business Impact Analysis (BIA), Risk Assessment and DR process, Roles and responsibilities of BCP team
b. Implementation of policies
c. Back-up procedures and recovery mechanism using back-ups.
d. Storage of Back-up (Remote site, DRS etc.)
e. Redundancy - Equipment, Network, Site etc.
f. DRS installation and Drills - Management statement on targeted resumption capability (in terms of time required & extent of loss of data)
g. Evidence of achieving the set targets during the DRS drills in event of various disaster scenarios.
h. Debrief / review of any actual event when the DR/BCP was invoked during the year
i. User awareness and training
j. Is Recovery Time Objective (RTO) /Recovery Process Objective (RPO) during Business Impact Analysis (BIA) documented?
k. Is annual review of BCP-DR or in case of major change in business/ infrastructure undertaken?
l. Testing of BCP-DR plan through appropriate strategies including simulations, .....


..... n the System Audit (current and previous) which are not yet complied with.

Name of the MII: ___________________
Name of the System Auditor: _________________
Systems Audit Report Date: _________________

Table 1: For preliminary audit

Audit period | Observation No. | Description of finding | Department | Status/ Nature of finding | Risk Rating of finding as per Auditor | Audit TOR clause | Root Cause Analysis | Impact Analysis | Corrective Actions proposed by auditor | Deadline for the corrective action | Management response in case of acceptance of associated risks | Whether similar issue was observed in any of the previous 3 Audits

Description of relevant Table heads

1. Audit Period - This indicates the period of audit
2. Description of findings/observations - Description of the findings in sufficient details, referencing any accompanying evidence
3. Status/ Nature of Findings - The category can be specified for example:
a. Non-compliant (Major/Minor)
b. Work in progress
c. Observation
d. Suggestion
4. Risk Rating of finding - A rating has to be given for each of the observations based on their impact and severity to reflect the risk exposure, as well as the suggested priority for action

Rating Descript .....
