SEBI Introduces Standardized Format for System and Network Audit Reports to Strengthen IT Resilience

The Securities and Exchange Board of India (SEBI), the regulator overseeing India’s securities and commodities markets, has taken a significant step toward enhancing the security and efficiency of financial market infrastructure. SEBI has introduced a standardized format for System and Network Audit (SNA) reports for Market Infrastructure Institutions (MIIs), aimed at streamlining the audit process and strengthening IT resilience across the financial ecosystem.

Why Standardization Was Needed

Currently, MIIs are required to conduct system and network audits as per SEBI’s regulatory framework. However, each MII has been using different templates for their audit reports, leading to inconsistencies in data quality, information capture, and compliance monitoring. Recognizing this challenge, SEBI reviewed the existing formats in consultation with the Technology Advisory Committee (TAC) and MIIs themselves.

The result is a standardized audit report format designed to:

  1. Improve data quality and regulatory compliance
  2. Facilitate easier tracking of audit observations
  3. Enable better monitoring of IT infrastructure and security risks

Key Features of the Standardized Audit Format

The standardized format is designed to provide a comprehensive overview of an MII’s IT resilience and risk management practices. Some of the critical components include:

Scope of Audit and Terms of Reference:

Clearly defined audit areas, including the scope agreed upon between the auditee and the auditor, and specific SEBI-defined audit requirements.

Regulatory Compliance Checklists:
A detailed list of SEBI circulars, advisories, and rule-based regulatory requirements related to IT resilience and Technology Risk Management (TRM) covered during the audit.

IT Resilience Testing:
Reviews of critical activities such as:

  1. Disaster Recovery (DR) Drills on a quarterly basis
  2. Live Trading Sessions from DR sites
  3. Business Continuity Planning (BCP)-DR Policy assessments
  4. Stress Testing of load scenarios
  5. Performance Monitoring and Alert Systems reviews

Audit Coverage:
Details on the technical infrastructure audited, including:

  1. Primary Data Centers (PDC)
  2. Disaster Recovery Sites (DRS)
  3. Near-Site and Co-location Facilities

Audit Tools and Methodologies:
Information on the tools used during audits and any specialized testing conducted.

Unique Observation ID System:
Each observation identified during the audit is assigned a unique ID, making it easier to track and manage audit findings over time.

Implementation Timeline

The new circular outlining the standardized format will apply to audits conducted during FY 2024-25 or the second half of FY 2024-25, depending on the frequency of audits required of each MII.
