SEBI · Capital Markets

SEBI System Audit Framework

SEBI's mandated periodic information systems audit framework ensuring market intermediaries maintain robust IT controls, data security, and business continuity to protect investor interests and market integrity.

Framework overview

The SEBI System Audit Framework requires all market intermediaries, including stock exchanges, depositories, brokers, mutual funds, and portfolio managers, to conduct annual IS audits by CERT-In empanelled auditors. The framework mandates evaluation of IT governance, cybersecurity controls, disaster recovery, business continuity planning, and compliance with technical standards. Intermediaries must submit audit reports to SEBI within specified timelines, highlighting critical gaps and remediation plans. The framework was strengthened post-2015 following several cyber incidents affecting market infrastructure, with revised guidelines issued through various circulars including SEBI/HO/MIRSD/DOP/CIR/P/2018/73.

Advantages
  • Ensures standardized IT security baseline across all market intermediaries, reducing systemic technology risks that could disrupt trading or settlement operations
  • Mandates independent third-party validation of cybersecurity controls, helping detect vulnerabilities before exploitation by threat actors
  • Strengthens business continuity and disaster recovery preparedness, ensuring minimal disruption to investor services during incidents
  • Creates an audit trail and accountability for IT governance failures, enabling SEBI to take enforcement action against non-compliant entities
  • Protects sensitive investor data through mandatory privacy controls assessment, reducing incidents of data breaches and unauthorized access

Gaps in implementation
  • Many smaller brokers treat system audits as a compliance checkbox exercise, hiring the lowest-cost auditors, who produce generic reports without deep technical assessment
  • Significant time lag between audit completion and remediation of critical findings, with some intermediaries taking 12-18 months to address high-risk vulnerabilities
  • Lack of a standardized audit methodology leads to inconsistent quality across audit firms, with some missing advanced persistent threats or zero-day vulnerabilities
  • Limited focus on third-party vendor risks and API security despite increasing integration with fintech platforms and payment gateways
  • Inadequate testing of actual disaster recovery capabilities, with many intermediaries having untested or outdated DR plans that fail during real incidents

Real-world Indian scenarios
  • NSE's co-location facility controversy (2015-2016) exposed inadequate system audit controls: preferential access and tick-by-tick data dissemination went undetected, leading SEBI to impose a Rs 625 crore penalty and highlighting weaknesses in the audit framework.
  • Karvy Stock Broking's misuse of client securities worth Rs 2,000+ crore (2019) revealed system audit failures in detecting unauthorized fund transfers and pledge of client holdings, despite annual IS audits being conducted regularly.
  • Multiple broker platforms experienced ransomware attacks during 2020-2021, with Bigul (now defunct) and smaller regional brokers facing extended outages, exposing gaps in cybersecurity controls that system audits should have identified.

Room for improvement
  • Implement continuous monitoring and quarterly mini-audits instead of annual audits, using automated security scanning tools to detect vulnerabilities in real time rather than relying on point-in-time assessment
  • Mandate Red Team exercises and penetration testing by specialized cybersecurity firms as a supplement to traditional system audits, simulating actual attack scenarios on trading platforms
  • Establish SEBI-maintained empanelment criteria for IS auditors with minimum technical competency certification, periodic performance reviews, and delisting of underperforming audit firms
  • Require intermediaries to implement Security Operations Centers (SOCs) with 24x7 monitoring and mandate integration of threat intelligence feeds from CERT-In and global sources to proactively identify emerging risks

Tags: SEBI · System Audit · Cybersecurity · IT Governance · Market Infrastructure · Business Continuity

Updated 6/4/2026 · refreshed weekly
