System and Network Audit of Market Infrastructure Institutions (MIIs)


....Framework has been reviewed.

3. MIIs are required to conduct the System and Network Audit as per the framework enclosed as Annexure 1 and the Terms of Reference (TOR) enclosed as Annexure 2. MIIs are also required to maintain a list of all the relevant SEBI circulars/ directions/ advices, etc. pertaining to technology and compliance thereof, as per the format enclosed as Annexure 3, and the same shall be included under the scope of the System and Network Audit.

4. MIIs are also required to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System and Network audit as per the format enclosed as Annexure 4, and are required to categorically highlight those observations/NCs/suggestions pointed out in the System and Network audit (current and previous) which remain open.

5. The Systems and Network audit Report, including compliance with SEBI circulars/ guidelines and the exceptional observation format along with the compliance status of previous year observations, shall be placed before the Governing Board of the MII, and then the report along with the comments of the Management of the MII shall be communicated to SEBI within a month of completion of the audit.

6. Furt....


....of Reference (TOR) and Guidelines issued by SEBI.

b. The Governing Board of the Market Infrastructure Institution (MII) shall appoint the Auditors based on the prescribed Auditor Selection Norms and TOR.

c. An Auditor can perform a maximum of 3 successive audits. However, such auditor shall be eligible for re-appointment after a cooling-off period of two years.

d. Further, during the cooling-off period, the incoming auditor may not include:
(i) Any firm that has common partner(s) with the outgoing audit firm; and
(ii) Any associate / affiliate firm(s) of the outgoing audit firm which are under the same network of audit firms, wherein the term "same network" includes the firms operating or functioning, hitherto or in future, under the same brand name, trade name or common control.

e. The number of years an auditor has performed an audit prior to this circular shall also be considered in order to determine its eligibility in terms of sub-clause c above.

f. The scope of the Audit may be broadened by the Auditor to inter alia incorporate any new developments that may arise due to the issuance of circulars/ directions/ advice by SEBI from time to time.

g. The audit....


.... from the last date of the audit period till completion of final compliance by the MII, including follow-on audit, if any, should not exceed one year / 6 months (as applicable). In exceptional cases, if the MII is of the view that compliance with certain observations may extend beyond the said period, then the concerned MII shall seek specific approval from the Governing Board.

Auditor Selection Norms

2. The MII shall ensure compliance with the following norms while appointing the Auditor:

a. The Auditor must have a minimum of 3 years of demonstrable experience in IT audit of securities market participants (e.g. stock exchanges, clearing corporations, depositories, intermediaries, etc.) and/ or the financial services sector (i.e. banking, insurance, Fin-tech etc.).

b. The team performing the system and network audit must have experience in / direct access to experienced resources in the areas covered under the TOR. It is recommended that resources deployed by the Auditor for the purpose of the system and network audit shall have relevant industry-recognized certifications, e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Security Manager) from ISACA, GSNA (GIAC Systems and Network A....


....rk audit shall be submitted to SEBI. The report shall include an Executive Summary as per the following format:

Issue Log

Column Heading | Description | Responsibility
Major Area | Comprehensive identification of major areas in compliance with various SEBI circulars / norms and internal policies of the MII | Auditor/Auditee
Point-wise Compliance | Point-wise list of areas/relevant clauses in the TOR against which compliance is being audited (in tabular format) | Auditor
Description of Finding/ Observation | Describe the findings in sufficient detail, referencing any accompanying evidence (e.g. procedure manual, interview notes, reports etc.) | Auditor
Reference | Reference to the section in the detailed report where full background information about the findings is available | Auditor
Process/ Unit | Process or unit where the audit is conducted and to which the finding pertains | Auditor
Category of Findings | Major/Minor Non-compliance, Observation, Suggestion etc. | Auditor
Audited By | Which Auditor covered the findings | Auditor
Root Cause Analysis | A detailed analysis of the cause of the Non-compliance | Auditee
Remediation | The action (to be) taken to correct the Non-compliance | Auditee
Target ....


....hether the above mentioned SOPs are reviewed at periodic intervals or upon the occurrence of any major event? In this regard, whether any organization policy has been formulated by the MII?

4. Business Controls

4.1. General Controls for Data Centre Facilities
a. Application Access - segregation of duties, database and application access etc. (Approved Policy clearly defining roles and responsibilities of the personnel handling business operations)
b. Maintenance Access - vendor engineers
c. Physical Access controls - permissions, logging, exception reporting & alerts
d. Environmental Controls - fire protection, AC monitoring, etc.
e. Fault Resolution Mechanism
f. Folder Sharing and Back Up Controls - safeguard of critical information on local desktops
g. Incidences of violations in the previous audit report and corrective action(s), if any, taken
h. Any other controls, as deemed fit, by the MII

4.2. Software change control
a. Whether a pre-implementation review of application controls (including controls over change management) was undertaken?
b. Adherence to secure Software Development Life Cycle (SDLC) / Software Testing Life Cycle (STLC) standards/ methodol....


....y other controls, as deemed fit, by the MII

4.6. Electronic Document Controls

4.7. General Access Controls

4.8. Performance Audit
a. Comparison of changes in transaction volumes since the previous audit
b. Review of systems (hardware, software, network) performance over the period
c. Review of the current volumes against the last performance test and against the current system utilization

4.9. Business Continuity / Disaster Recovery Facilities
a. Business Continuity Planning (BCP) manual, including Business Impact Analysis (BIA), Risk Assessment and Disaster Recovery (DR) process, and roles and responsibilities of the Incident Response Team (IRT) / Crisis Management Team (CMT), employees, and support/outsourced staff.
b. Implementation of policies
c. Back-up procedures and recovery mechanism using back-ups.
d. Storage of Back-up (Remote site, DRS etc.)
e. Redundancy - Equipment, Network, Site etc.
f. DRS installation and Drills - Management statement on targeted resumption capability (in terms of time required & extent of loss of data)
g. Evidence of achieving the set targets during the DR drills in the event of various disaster scenarios.
h. Debrief / review of any actual e....


....ver applications, internal networks, servers, etc. of the MIIs/offered by the MIIs to their members that are used for trading, risk management, clearing and settlement etc.
7.6 Network performance and design
7.7 Network Security implementation
7.8 Network health monitoring and alert system
7.9 Log management process
7.10 Service level definition for vendors/Service level management
7.11 Governance process for network service delivery by vendors

8. The results of all testing that was conducted before deployment of any IT system/application in the production environment shall be checked by the auditor during the system audit.

9. IT Vendor Selection and Management
9.1. Identification of eligible vendors
9.2. Dissemination process of Request for Proposal (RFP)
9.3. Definition of criteria of evaluation
9.4. Process of competitive analysis
9.5. Approach for selection
9.6. Escrow arrangement for keeping source code

10. E-Mail system
10.1. Existence of policy for the acceptable use of electronic mail
10.2. Regulations governing file transfer and exchange of messages with external parties
10.3. Rules based on which e-mail addresses are assigned
10.4. Storage, backup ....