2025-04-04
SEBI mandates Market Infrastructure Institutions to adopt a standardized format for System and Network audit reports to enhance data quality and regulatory compliance. The directive requires MIIs to implement this new template for audits conducted during the second half of FY 2024-25 or the full FY 2024-25, depending on their audit frequency. This change aims to streamline reporting, ensure consistent capture of IT resilience requirements, and facilitate traceability through unique observation IDs.
CIRCULAR

SEBI/HO/MRD/TPD/CIR/P/2025/50
April 04, 2025

To,
All Stock Exchanges,
All Clearing Corporations,
All Depositories

Dear Sir/ Madam,

Subject: - Standardized format for System and Network audit report of Market Infrastructure Institutions (MIIs)
3. The standardized format for System and Network Audit report would help to increase the data quality, capture of relevant information as per regulatory requirements in a streamlined and standardized manner across MIIs, monitor compliance requirements in a more focused manner, ease of traceability of current/historical open observations found during audit at the end of MII and SEBI by assigning a unique ID to each observation.

4. The Circular shall become applicable for audit period FY 2024-25 or second half of FY 2024-25 as per the frequency of System and Network audit required to be conducted by the MII.

5. MIIs are required to take necessary steps to put in place systems for implementation of the Circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any.

6. This Circular is being issued in exercise of the powers conferred by Section 11(1) of Securities and Exchange Board of India Act, 1992 read with Regulation 51 of Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 and Section 19 of the Depositories Act, 1996 read with Regulation 97 of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 to protect the interest of investors in securities market and to promote the development of, and to regulate the securities market.

7. The Circular is issued with the approval of Competent Authority.

8. This Circular is available on SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.

Yours faithfully,
Ansuman Dev Pradhan
General Manager
+91-22-26449622
ansumanp@sebi.gov.in
Annexure A
6. Scope of audit/Terms of reference (as agreed between the auditee and auditor), including the standard/specific scope for audit as defined by SEBI: -

a) List of SEBI Circulars and Advisories covered during the audit: -

b) List of various rule based regulatory requirements defined by SEBI related to IT resilience/Technology Risk Management (TRM), covered during the audit: -
For instance, Disaster Recovery (DR) drills on quarterly basis, Live trading sessions from DR site, Review of BCP-DR policy, Review of capacity planning as per projected peak load and other relevant factors, Stress testing of existing load scenarios on quarterly basis, Review of performance monitoring and alert systems on quarterly basis, Review of Capacity Planning and Real Time Performance Monitoring Policy, Mock session of SaaS-RMS on quarterly basis etc.

c) List of technical glitches covered during the audit: -

d) List of all IT/network infrastructure (including IT systems/applications/database management systems of Primary Data Center (PDC), Disaster Recovery Site (DRS), Near Site, Co-lo facility) covered under audit: -

e) Geographical locations covered under audit (PDC/DRS/Near Site etc.): -

f) Name of audit tools used during audit, if any: -

g) Any other specific item(s): -

7. Methodology/Audit approach (audit subject identification, pre-audit planning, data gathering methodology, sampling methodology etc. followed): -
8. Executive Summary of findings (including identification tests, tools used and results of tests performed): -

S.No | Number of observations | Risk rating (High/Medium/Low) | Any other comments

9. Control-wise compliance status of various SEBI Circulars/Advisories related to technology: -

S. No. | Date of SEBI circular/direction/advice, etc. | Requirements specified by SEBI in brief | Mechanism put in place by MIIs | Compliance status (‘Yes’/‘No’) | Details of non-compliance with SEBI circulars/directions, etc. (applicable only in case of non-compliance) | *List of documentary evidence including physical verification | **Unique Observation ID (in case of non-compliance/observation found during audit) | Associated risks in case compliance status is ‘No’ | Path of file system where details of supporting annexures of non-compliances are placed

*Explicit reference to the key auditee organisational documents (by date or version) including policy and procedure documents

**Unique ID shall be assigned to each unique observation found during audit and its format shall be “Name of MIISNFYYYY”. The description of the same is mentioned below: -

S.NO | Heading | Interpretation
1 | Name of MII | Name of MII shall be written in short form such as NSE/BSE/NCL/ICCL/MSEI/NSDL/CDSL/MCX/MCXCCL/NCCL/NCDEX
2 | S | S represents observation found in System and Network audit
3 | N | N represents ith observation found during particular audit period i.e. serial number of unique observation i.e. 1,2……n.
4 | F | F represents frequency of audit i.e. value of F=0 in case of audit is being done for full financial year, F=1 in case of audit is being done for first half of any financial year, F=2 in case of audit is being done for second half of any financial year.
5 | YYYY | YYYY represents the financial year for which audit is being carried out by auditor

For instance, Unique ID NSE-S122324 represents the observation serial number 1 found in second half of FY 2023-24 of System and Network audit of NSE. Similarly, Unique ID CDSL-S212425 represents the observation serial number 2 found in first half of FY 2024-25 of System and Network audit of CDSL. Unique ID ICCL-S302425 represents the observation serial number 3 found in audit period of FY 2024-25 of System and Network audit of ICCL.

10. Compliance status of various rule based regulatory requirements related to IT resilience mandated by SEBI: -

S. No. | Name of regulatory report/requirements | Brief about regulatory requirements | Compliance status (‘Yes’/‘No’) | List of documentary evidence including physical inspection | **Unique Observation ID (in case of non-compliance found during audit) | Associated risks in case compliance status is ‘No’ | Comments on comprehensiveness of exercise
1 | DR drills
2 | Live trading sessions
3 | Stress testing of existing load scenarios
4 | Mock session of SaaS-RMS (applicable for NCL and ICCL)
5 | Review of BCP-DR policy
6 | Review of Capacity Planning and Real Time Performance Monitoring Policy
7 | Review of performance monitoring and alert systems
8 | Review of Capacity planning as per projected peak load and other relevant factors

**Similar format mentioned in point number 9 above
11. Compliance status of corrective action taken for technical glitches occurred at MIIs during audit period: -

S. No. | Date of technical glitch | Brief about incident | Corrective action suggested by SCOT/SEBI/MIIs | Compliance status of corrective action to be taken by concerned MII (‘Yes’/‘No’) | List of documentary evidence including physical inspection | **Unique Observation ID (in case of non-compliance found during audit) | Associated risks in case compliance status is ‘No’ | Any other comments by auditor

**Similar format mentioned in point number 9 above

12. Open observation reporting format as per Annexure 25 of SEBI Master Circular dated December 03, 2024, Annexure VIII of Chapter 2 of SEBI Master Circular dated December 30, 2024, Annexure ZB of SEBI Master Circular dated August 04, 2023. It may be noted that the abovementioned Unique observation ID shall be quoted in the open observation reporting format.

13. List of observations pending for closure which are pertaining to previous audits: -

S. No. | Unique observation ID assigned by auditor in previous audits (may be left blank for observations found before the date of issuance of this Circular) | Name and date of SEBI Circular | Relevant Clause of SEBI Circular | Details of open observation | Open observation pertaining to which audit period | Reasons for pending for closure - comments of management | Comments of auditor including risk associated with non-closure of observation
14. Limitations, if any

15. Any other relevant comments by the auditor

16. Conclusion