Annual System Audit

....he existing System Audit Framework has been reviewed.

3. MIIs are advised to conduct an Annual System Audit as per the framework enclosed as Annexure 1 and the Terms of Reference (TOR) enclosed as Annexure 2. MIIs are also advised to maintain a list of all the relevant SEBI circulars/directions/advices, etc. pertaining to technology, and compliance thereof, as per the format enclosed as Annexure 3; the same shall be included under the scope of the System Audit.

4. Further, MIIs are advised to submit information with regard to exceptional major Non-Compliances (NCs)/minor NCs observed in the System Audit as per the format enclosed as Annexure 4, and are advised to categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which remain open.

5. The System Audit Report, including compliance with SEBI circulars/guidelines and the exceptional observation format along with the compliance status of previous year observations, shall be placed before the Governing Board of the MII, and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of the audit. Further, along with the audi....

....e any new developments that may arise due to issuance of circulars/directions/advice by SEBI from time to time.

g. The period of Audit shall not be for more than 12 months. Further, the Audit shall be completed within 2 months from the end of the Audit Period.

h. In the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/directions/advices issued by SEBI, the internal policy of the MII, etc. Further, the report shall also include specific non-compliances (NCs), observations for minor deviations and suggestions for improvement. The report shall take previous audit reports into consideration and cover any open items therein. The Auditor should indicate if a follow-on audit is required to review the status of NCs.

i. For each of the NCs/observations and suggestions made by the Auditor, specific corrective action as deemed fit by the MII may be taken. The management of the MII shall provide its comments on the NCs, observations and suggestions made by the Auditor, and the corrective actions taken or proposed to be taken along with the time-line for such corrective action.

j. The Audit r....

....(ISC).

c. The Auditor shall have experience in working on IT audit/governance/IT service management frameworks and processes conforming to industry leading practices like COBIT 5/ISO 27001 and beyond.

d. The Auditor should have the capability to undertake forensic audit, and undertake such audit as part of the Annual System Audit if required.

e. The Auditor must not have any conflict of interest in conducting a fair, objective and independent audit of the exchange/depository/clearing corporation. It should not have been engaged over the last three years in any consulting engagement with any departments/units of the entity being audited.

f. The Auditor should not have any cases pending against it which point to its incompetence and/or unsuitability to perform the audit task.

g. The proposed audit agency must be empanelled with CERT-In.

h. Any other criteria that the MII may deem fit for the purpose of selection of the Auditor.

Audit Report Guidelines

3. The Audit report should cover each of the major areas mentioned in the TOR and compliance with SEBI circulars/directions/advices, etc. related to technology. The Auditor in the....

....IT Governance framework exists to include the following:

a. IT organization structure including roles and responsibilities of key IT personnel;
b. IT governance processes including policy making, implementation and monitoring to ensure that the governance principles are followed.

2.2. IT policies and procedures

a. Whether the organization has defined and documented an IT policy? If yes, is it approved by the Governing Board (GB)?
b. Is the current System Architecture, including infrastructure, network and application components, documented so as to show system linkages and dependencies?
c. Whether defined and documented Standard Operating Procedures (SOPs) for the following processes are in place?
   i. IT Assets Acquisition
   ii. Access Management
   iii. Change Management
   iv. Backup and Recovery
   v. Incident Management
   vi. Problem Management
   vii. Patch Management
   viii. Data Centre Operations
   ix. Operating Systems and Database Management
   x. Network Management
   xi. DR Site Operations
   xii. Data Retention and Disposal

3. Business Controls ....

....ons in last year & corrective actions taken

3.4. Security Controls

a. Secured e-mail with other entities like SEBI, other partners
b. Email Archival Implementation

3.5. Access Policy and Controls

a. Defined and documented policies and procedures for managing access to applications and infrastructure - PDC, DRS, NS, branches (including network, operating systems and database), approved by the relevant authority
b. Review of access logs
c. Access rights and roles review procedures for all systems
d. Segregation of Duties (SOD) matrix describing key roles
e. Risk acceptance for violation of SOPs and alternate mechanism put in place
f. Privileged access to systems and record of logs
g. Periodic monitoring of access rights for privileged users
h. Authentication mechanisms used for access to systems, including use of passwords, One Time Passwords (OTP), Single Sign-On, etc.

3.6. Electronic Document Controls

3.7. General Access Controls

3.8. Performance Audit

a. Comparison of changes in transaction volumes since the previous audit
b. Review of s....

....
6.2. Dissemination process of Request for Proposal (RFP)
6.3. Definition of criteria of evaluation
6.4. Process of competitive analysis
6.5. Approach for selection
6.6. Escrow arrangement for keeping source code

7. E-Mail system
7.1. Existence of a policy for the acceptable use of electronic mail
7.2. Regulations governing file transfer and exchange of messages with external parties
7.3. Rules based on which e-mail addresses are assigned
7.4. Storage, backup and retrieval

8. Redressal of Technological Complaints

9. Any other Item
9.1. Electronic Waste Disposal
9.2. Observations based on previous Audit Report(s)
9.3. Any other specific area that may be informed by SEBI.

Annexure 3

Format for monitoring compliance with SEBI circulars/guidelines/advisories related to technology

Columns: Sl. No. | Date of SEBI circular/directions/advice, etc. | Subject | Technological requirements specified by SEBI in brief | Mechanism put in place by the MII | Non-compliances with SEBI circulars/guidelines | Compliance status (Open/Closed) | Comments ....