System Audit of Professional Clearing Members (PCMs)
X X X X Extracts X X X X
....uired to submit information with regard to exceptional major Non-Compliances (NCs)/ minor NCs observed in the System Audit as per format enclosed as Annexure 4 and are required to categorically highlight those observations/NCs/suggestions pointed out in the System Audit (current and previous) which remain open.
5. The Systems Audit report including compliance with SEBI/CCs circulars/guidelines and exceptional observation format along with compliance status of previous year observations shall be placed before the Governing Board of the PCM and then the report along with the comments of the Management of the PCM shall be communicated to CCs within one month of completion of audit.
6. All CCs are jointly advised to devise the appropriate uniform penalty structure for PCMs to ensure that system audit reports are submitted to them within defined timelines as well as audit observations are closed within defined timelines.
7. The provisions of the Circular shall come into force with immediate effect. The first audit shall be conducted for FY 2023-24.
8. The circular is issued with the approval of the competent authority.
9. This circular is being issued in exercise of the powers conf....
X X X X Extracts X X X X
....udit report shall be submitted to CCs within one month of completion of the Audit, after approval of the Governing Board (or equivalent governance structure as applicable to the entity). PCMs, who have conducted clearing activities during the audit period are liable for submission of the System Audit report.
g. In the Audit report, the Auditor shall include its comments on whether the areas covered in the Audit are in compliance with the norms/ directions/ advices issued by SEBI, Clearing Corporation, internal policy of the PCM, etc. Further, the Audit report shall also include specific non-compliances (NCs), observations for minor deviations and suggestions for improvement. The audit report shall take previous audit reports into consideration and cover any open items therein. The Auditor should indicate if a follow-on audit is required to review the status of NCs.
h. For each of the NCs/ observations and suggestions made by the Auditor, specific corrective action as deemed fit may be taken by the PCM. The management of the PCM shall provide its comments on the NCs, observations and suggestions made by the Auditor, corrective actions taken or proposed to be taken along with ti....
X X X X Extracts X X X X
....stry recognized certifications e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Security Manager) from ISACA, GSNA (GIAC Systems and Network Auditor), CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium, commonly known as (ISC)².
c. The Auditor shall have experience in working on Network audit/IT audit/governance/IT service management frameworks and processes conforming to industry leading practices like CobiT/ ISO 27001 and beyond.
d. The Auditor should have the capability to undertake forensic audit and undertake such audit as part of system audit, if required.
e. The Auditor must not have any conflict of interest in conducting fair, objective and independent audit of the PCM. It should not have been engaged over the last three years in any consulting engagement with any departments / units of the entity being audited.
f. The Auditor should not have any cases pending against it, which point to its incompetence and/or unsuitability to perform the audit task.
g. The proposed audit agency must be empanelled with CERT-In on the date of appointment ....
X X X X Extracts X X X X
....2.1. Organization details
a. Name
b. Address
c. IT team size (in house- employees)
d. IT team size (vendors)
2.2. IT and network set up and usage
a. PDC, DRS, NS and Regional/ Branch offices (location, owned/ outsourced), if applicable
b. Connectivity amongst PDC, NS and DRS, if applicable
c. IT infrastructure / applications pertaining to the activities done as a PCM.
d. System Architecture
e. Network architecture
f. Telecommunication network
3. IT Governance
3.1. Whether IT Governance framework exists to include the following:
a. IT organization structure including roles and responsibilities of key IT personnel;
b. IT governance processes including policy making, implementation and monitoring to ensure that the governance principles are followed;
3.2. IT policies and procedures
a. Whether the organization has a defined and documented IT policy. If yes, is it approved by the Governing Board (GB)?
b. Is the current System Architecture, including infrastructure, network and application components describing system linkages and dependencies, documented?
c. Whether defined and documented Standard Operating Procedures (SOPs)/Policy fo....
X X X X Extracts X X X X
....S.
4.3. Software change control
a. Whether pre-implementation review of application controls (including controls over change management) was undertaken.
b. Adherence to secure Software Development Life Cycle (SDLC) / Software Testing Life Cycle (STLC) standards/ methodologies
c. Whether post implementation review of application controls was undertaken.
d. Is the review of processes to ensure data integrity post implementation of new application or system followed by implementation team?
e. User awareness
f. Processing of new feature request
g. Fault reporting / tracking mechanism & process for resolutions
h. Testing of New releases / Bug-fixes - Testing process (automation level)
i. Version Control - History, Change Management process etc.
j. Development / Test/ Production environment - Segregation
k. New Release in Production - Promotion, Release note approvals
l. Production Issues / disruptions reported in the previous audit report, root cause analysis & corrective actions taken, if any
m. Software Development Stage
n. Software Design to ensure adequate system capacity to enable functioning in a degraded manner in the event of a crash. ....
X X X X Extracts X X X X
....nce of achieving the set targets during the DR drills in event of various disaster scenarios, if applicable
h. Debrief / review of any actual event when the DR/BCP was invoked during the year, if applicable.
i. User awareness and training
j. Is Recovery Time Objective (RTO) /Recovery Process Objective (RPO) during Business Impact Assessment (BIA) documented, if applicable?
k. Is review of BCP-DR undertaken annually or in case of major change in business/ infrastructure?
l. Testing of BCP-DR plan through appropriate strategies including simulations, DR drills, system recovery, etc.
4.9. IT/Network Support & IT Asset Management
a. Utilization Monitoring - including report of prior year utilization
b. Capacity Planning - including projection of business volumes
c. Capacity and performance management process for the network/systems
d. IT (S/W, H/W & N/W) Assets, Licenses & maintenance contracts
e. Comprehensive review of Assets life cycle management (Acquisition, commissioning, deployment, monitoring, maintenance and decommissioning) and relevant records related to it.
f. Insurance
g. Disposal of Equipment, media, and other electronic waste as pe....
X X X X Extracts X X X X
....ation with regard to exceptional major non-compliances (NCs) / minor NCs observed in the System Audit. PCMs should also categorically highlight those observations/ NCs/ suggestions pointed out in the System Audit (current and previous) which are not yet complied with.

Name of the PCM: ___________________
Name of the Auditor: _________________
Systems Audit Report Date: _________________

Table 1: For preliminary audit (column headings, numbered as in the original form)
(1) Audit period
(2) Observation No.
(3) Description of finding
(4) Department of PCM
(5) Status/ Nature of finding
(6) Risk Rating of finding as per Auditor
(7) Audit TOR clause
(8) Root Cause Analysis
(9) Impact Analysis
(10) Corrective Actions proposed by auditor
(11) Deadline for the corrective action
(12) Management response in case of acceptance of associated risks
(13) Whether similar issue was observed in any of the previous 3 Audits

Description of relevant Table heads
1. Audit Period - This indicates the period of audit
2. Description of findings/observations - Description of the findings in sufficient details, referencing any accompanying evidence
3. Status/ Nature of Findings - The category can be specifi....