Annual System Audit

Extract 1

..... advised to conduct an Annual System Audit as per the framework enclosed as Annexure 1 and Terms of Reference (TOR) enclosed as Annexure 2. MIIs are also advised to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per format enclosed as Annexure 3 and the same shall be included under the scope of System Audit.

4. Further, MIIs are advised to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System Audit as per format enclosed as Annexure 4 and are advised to categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which remain open.

5. The Systems Audit Report including compliance with SEBI circulars/ guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the MII and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of audit. Further, along with the audit report, MIIs are advised to submit a declaration from the MD / CEO cert .....

Extract 2

..... n 12 months. Further, the Audit shall be completed within 2 months from the end of the Audit Period.

h. In the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/ directions/ advices issued by SEBI, internal policy of the MII, etc. Further, the report shall also include specific non-compliances (NCs), observations for minor deviations and suggestions for improvement. The report shall take previous audit reports into consideration and cover any open items therein. The auditor should indicate if a follow-on audit is required to review the status of NCs.

i. For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit by the MII may be taken. The management of the MII shall provide its comments on the NCs, observations and suggestions made by the Auditor, corrective actions taken or proposed to be taken along with time-line for such corrective action.

j. The Audit report along with the comments of management shall be placed before the Governing Board of the MII. The Audit report along with Comments of the Governing Board shall be submitted to SEBI, withi .....

Extract 3

..... e the capability to undertake forensic audit and undertake such audit as part of Annual System Audit, if required.

e. The Auditor must not have any conflict of interest in conducting fair, objective and independent audit of the exchange / depository/ clearing corporation. It should not have been engaged over the last three years in any consulting engagement with any departments / units of the entity being audited.

f. The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.

g. The proposed audit agency must be empanelled with CERT-In.

h. Any other criteria that the MII may deem fit for the purpose of selection of Auditor.

Audit Report Guidelines

3. The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/directions/advices, etc. related to technology. The Auditor in the Audit Report shall give its views indicating the NCs to the standards or observations or suggestions. For each section, auditors should also provide qualitative inputs/suggestions about ways to improve the processes, based upon the best industry practices.

4. The report shou .....

Extract 4

..... y the Governing Board (GB)?

b. Is the current System Architecture including infrastructure, network and application components to show system linkages and dependencies documented?

c. Whether defined and documented Standard Operating Procedures (SOPs) for the following processes are in place?
i. IT Assets Acquisition
ii. Access Management
iii. Change Management
iv. Backup and Recovery
v. Incident Management
vi. Problem Management
vii. Patch Management
viii. Data Centre Operations
ix. Operating Systems and Database Management
x. Network Management
xi. DR Site Operations
xii. Data Retention and Disposal

3. Business Controls

3.1. General Controls for Data Centre Facilities
a. Application Access - segregation of duties, database and application access etc. (Approved Policy clearly defining roles and responsibilities of the personnel handling business operations)
b. Maintenance Access - vendor engineers
c. Physical Access - permissions, logging, exception reporting & alerts
d. Environmental Controls - fire protection, AC monitoring, etc.
e. Fault Resolution Mechanism
f. Folder Sharing and Back Up Controls - safeguard of critical information o .....

Extract 5

..... for privileged users
h. Authentication mechanisms used for access to systems including use of passwords, One Time Passwords (OTP), Single Sign on, etc.

3.6. Electronic Document Controls

3.7. General Access Controls

3.8. Performance Audit
a. Comparison of changes in transaction volumes since previous audit
b. Review of systems (hardware, software, network) performance over period
c. Review of the current volumes against the last performance test and against the current system utilization

3.9. Business Continuity / Disaster Recovery Facilities
a. BCP manual, including Business Impact Analysis (BIA), Risk Assessment and DR process, Roles and responsibilities of BCP team
b. Implementation of policies
c. Back-up procedures and recovery mechanism using back-ups.
d. Storage of Back-up (Remote site, DRS etc.)
e. Redundancy - Equipment, Network, Site etc.
f. DRS installation and Drills - Management statement on targeted resumption capability (in terms of time required & extent of loss of data)
g. Evidence of achieving the set targets during the DRS drills in event of various disaster scenarios.
h. Debrief / review of any actual event when the DR/BCP was inv .....

Extract 6

..... tus (Open / closed) | Comments of the Management | Time-line for taking corrective action in case of open observations

Annexure 4
Exception Observation Reporting Format

Note: MIIs are expected to submit following information with regard to exceptional major non-compliances (NCs)/ minor NCs observed in the System Audit. MIIs should also categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which are not yet complied with.

Name of the MII: ___________________
Name of the System Auditor: _________________
Systems Audit Report Date: _________________

Table 1: For preliminary audit (column headings)
Audit period | Observation No. | Description of finding | Department | Status/ Nature of finding | Risk Rating of finding as per Auditor | Audit TOR clause | Root Cause Analysis | Impact Analysis | Corrective Actions proposed by auditor | Deadline for the corrective action | Management response in case of acceptance of associated risks | Whether similar issue was observed in any of the previous 3 Audits

Description of relevant Table heads
1. Audit Period - This indicates the period of audit
2. Description of findings/observations - Description o .....