System and Network Audit of Market Infrastructure Institutions (MIIs) - SEBI - SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/58

Extract

..... TOR) enclosed as Annexure 2. MIIs are also required to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per the format enclosed as Annexure 3, and the same shall be included under the scope of the System and Network Audit.

4. MIIs are also required to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System and Network audit as per the format enclosed as Annexure 4, and are required to categorically highlight those observations/NCs/suggestions pointed out in the System and Network audit (current and previous) which remain open.

5. The System and Network audit report, including compliance with SEBI circulars/ guidelines and the exceptional observation format along with the compliance status of previous year observations, shall be placed before the Governing Board of the MII, and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of the audit.

6. Further, along with the audit report, MIIs are required to submit a joint declaration from the Managing Director (MD)/Chief Executive Officer (CEO) and Chief Techno .....

..... n the prescribed Auditor Selection Norms and TOR.

c. An Auditor can perform a maximum of 3 successive audits. However, such an auditor shall be eligible for re-appointment after a cooling-off period of two years.

d. Further, during the cooling-off period, the incoming auditor may not include: (i) any firm that has common partner(s) with the outgoing audit firm; and (ii) any associate/ affiliate firm(s) of the outgoing audit firm which are under the same network of audit firms, wherein the term "same network" includes firms operating or functioning, hitherto or in future, under the same brand name, trade name or common control.

e. The number of years an auditor has performed an audit prior to this circular shall also be considered in order to determine its eligibility in terms of sub-clause c above.

f. The scope of the Audit may be broadened by the Auditor to inter alia incorporate any new developments that may arise due to issuance of circulars/ directions/ advice by SEBI from time to time.

g. The audit shall be conducted once in a financial year and the period of audit shall be 12 months. However, for the MIIs whose systems have been identified as “protected system” .....

..... n exceptional cases, if the MII is of the view that compliance with certain observations may extend beyond the said period, then the concerned MII shall seek specific approval from the Governing Board.

Auditor Selection Norms

2. The MII shall ensure compliance with the following norms while appointing the Auditor:

a. The Auditor must have a minimum of 3 years of demonstrable experience in IT audit of securities market participants (e.g. stock exchanges, clearing corporations, depositories, intermediaries, etc.) and/ or the financial services sector (i.e. banking, insurance, fin-tech, etc.).

b. The team performing the system and network audit must have experience in, or direct access to experienced resources in, the areas covered under the TOR. It is recommended that resources deployed by the Auditor for the purpose of the system and network audit hold relevant industry-recognized certifications, e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Security Manager) from ISACA, GSNA (GIAC Systems and Network Auditor), CISSP (Certified Information Systems Security Professional) from the International Information Systems Security Certification Consortium, commonly known as (ISC)².

c. The Aud .....

Each row of this reporting format gives the field, its description, and the party responsible for filling it in (Auditor, Auditee, or both):

..... entification of major areas in compliance with various SEBI circulars / norms and internal policies of the MII [Auditor/Auditee]
Point-wise Compliance: Point-wise list of areas/relevant clauses in the TOR against which compliance is being audited (in tabular format). [Auditor]
Description of Finding/ Observation: Describe the findings in sufficient detail, referencing any accompanying evidence (e.g. procedure manual, interview notes, reports, etc.) [Auditor]
Reference: Reference to the section in the detailed report where full background information about the findings is available [Auditor]
Process/ Unit: Process or unit where the audit is conducted and to which the finding pertains [Auditor]
Category of Findings: Major/Minor Non-compliance, Observation, Suggestion, etc. [Auditor]
Audited By: Which Auditor covered the findings [Auditor]
Root Cause Analysis: A detailed analysis of the cause of the Non-compliance [Auditee]
Remediation: The action (to be) taken to correct the Non-compliance [Auditee]
Target Completion Date for Remedial Action: The date by which remedial action must be/will be completed [Auditor/Auditee]
Status: Status of the finding on the reporting date (open/close) [Auditor/Auditee]
Verified By: Auditing personnel (upon ve .....

..... d application access, etc. (approved policy clearly defining roles and responsibilities of the personnel handling business operations)
b. Maintenance Access - vendor engineers
c. Physical Access controls - permissions, logging, exception reporting & alerts
d. Environmental Controls - fire protection, AC monitoring, etc.
e. Fault Resolution Mechanism
f. Folder Sharing and Back-Up Controls - safeguarding of critical information on local desktops
g. Incidences of violations in the previous audit report and corrective action(s), if any, taken
h. Any other controls, as deemed fit, by the MII

4.2. Software change control
a. Whether a pre-implementation review of application controls (including controls over change management) was undertaken?
b. Adherence to secure Software Development Life Cycle (SDLC) / Software Testing Life Cycle (STLC) standards/ methodologies
c. Whether a post-implementation review of application controls was undertaken?
d. Is the review of processes to ensure data integrity post implementation of a new application or system followed by the implementation team?
e. User awareness
f. Processing of new feature requests
g. Fault reporting / tracking mechanism & process for reso .....

..... iness Continuity / Disaster Recovery Facilities
a. Business Continuity Planning (BCP) manual, including Business Impact Analysis (BIA), Risk Assessment and Disaster Recovery (DR) process, and the roles and responsibilities of the Incident Response Team (IRT) / Crisis Management Team (CMT), employees, and support/outsourced staff.
b. Implementation of policies
c. Back-up procedures and recovery mechanism using back-ups.
d. Storage of back-ups (remote site, DRS, etc.)
e. Redundancy - equipment, network, site, etc.
f. DRS installation and drills - management statement on targeted resumption capability (in terms of time required & extent of loss of data)
g. Evidence of achieving the set targets during the DR drills in the event of various disaster scenarios.
h. Debrief / review of any actual event when the DR/BCP was invoked during the year
i. User awareness and training
j. Are the Recovery Time Objective (RTO) / Recovery Point Objective (RPO) documented during the BIA?
k. Is an annual review of BCP-DR, or a review in case of a major change in business/ infrastructure, undertaken?
l. Is a quarterly review regarding implementation of the BCP policy done by the Standing Committee of Technology (SCOT) of the MII?
m. Testing of BCP-DR plan thro .....

..... all testing that was conducted before deployment of any IT system/application in the production environment shall be checked by the auditor during the system audit.

9. IT Vendor Selection and Management
9.1. Identification of eligible vendors
9.2. Dissemination process of Request for Proposal (RFP)
9.3. Definition of criteria of evaluation
9.4. Process of competitive analysis
9.5. Approach for selection
9.6. Escrow arrangement for keeping source code

10. E-Mail system
10.1. Existence of a policy for the acceptable use of electronic mail
10.2. Regulations governing file transfer and exchange of messages with external parties
10.3. Rules based on which e-mail addresses are assigned
10.4. Storage, backup and retrieval

11. Redressal of Technological Complaints
11.1. Ageing analysis of technology complaints
11.2. Whether all complaints received are brought to their logical conclusion?

12. Any other Item(s)
12.1. Electronic Waste Disposal
12.2. Observation(s) based on previous Audit Report(s)
12.3. Any other specific area(s) that may be informed by SEBI.

Annexure 3
Format for monitoring compliance with requirements emanating from SEBI circulars/guidelines/advisories related to technology
Sl. No. D .....

..... presents weaknesses in control which, in combination with other weaknesses, can develop into an exposure. Suggested improvements for situations not immediately/directly affecting controls.

5. Audit TOR clause - The TOR clause corresponding to this observation
6. Root Cause Analysis - A detailed analysis of the cause of the non-conformity.
7. Impact Analysis - An analysis of the likely impact on the operations/ activity of the organization
8. Corrective Action - The action taken to correct the non-conformity

Table 2: For follow-on/ follow-up System and Network audit
Columns: Preliminary Audit Date | Preliminary Audit Period | Preliminary Observation Number | Preliminary Status | Preliminary Corrective Action as proposed by Auditor | Current Finding | Current Status | Revised Corrective Action, if any | Deadline for the Revised Corrective Action | Reason for delay in implementation/ compliance

Description of relevant Table heads
1. Preliminary Status - The original finding as per the preliminary System and Network Audit Report
2. Preliminary Corrective Action - The original corrective action as prescribed in the preliminary System and Network audit report
3. Current Finding - The current finding w.r.t. the issu .....

© Taxmanagementindia.com [A unit of MS Knowledge Processing Pvt. Ltd.] All rights reserved.