Chapter - 7 Information Technology Regulatory Issues

In this post, we are going to learn the later topics of CA Final ISCA's Chapter - 7 [IT Regulatory Issues].
I have already covered the ITIL topic in my earlier post; a link to that post will be provided below.


Topic # 7.11.1

Requirements of the Insurance Regulatory & Development Authority of India (IRDA)


Before proceeding with the audit, the auditor is expected to obtain the following information at the audit location:

  • Location(s) from where Investment activity is conducted. 
  • IT Applications used to manage the Insurer's Investment Portfolio. 
  • Obtain the system layout of the IT and network infrastructure including: server details, database details, type of network connectivity, firewalls, other facilities/utilities (describe). 
  • Are systems and applications hosted at a central location or hosted at different offices? 
  • Previous Audit reports and open issues / details of unresolved issues from: 
          o Internal Audit,
          o Statutory Audit, and
          o IRDA Inspection/Audit.
  • Internal circulars and guidelines of the Insurer. 
  • Standard Operating Procedures (SOP). 
  • List of new Products/funds introduced during the period under review along with IRDA approvals for the same. 
  • Scrip-wise lists of all investments, fund-wise, classified as per IRDA Guidelines, held on date. 
  • IRDA Correspondence files, circulars and notifications issued by IRDA. 
  • IT Security Policy. 
  • Business Continuity Plans
  • Network Security Reports pertaining to IT Assets. 

Now we are going to learn the above topic with the help of Mnemonics, which can be downloaded below along with the video class.

What information does the Auditor need before conducting the audit, according to IRDA?


Story Background:

link: The Auditor went to audit an Insurance (IRDA) co. where ISI had attacked.

The Auditor went to do the audit; the first thing he asked for was the Previous audit report from the time ISI had attacked earlier.
And the auditor asked: had you prepared a BCP? [to recover from this attack]
So the Insurance co. said: we have bought a NEW
LOCATION
where there is also an IT Application,
and we have made a lot of Investment in that place.
----after the attack, when we were shifting----

we had this circulated Internally
and asked whether the Network there is secure (Internet),
whether the IT (computers) there is also secure,
and whether the systems' applications there are fine (i.e., the computers run).


P: Previous Audit report & {ISI: Internal audit, Statutory Audit & IRDA audit}
E: NEW List of New Products/funds.....
L: Location(s)
I: IT Applications
M: Investment Scrip wise list of all investment
I: Internal Circulation & guidelines
N: Network security reports
I: IT Security Policy
S: Systems & Applications


Topic # 7.11.2 


First, the text from the Module is reproduced here for reference purposes.

(i) System Control

  • Duties of system programmer/designer should not be assigned to persons operating the system, and there should be separate persons dedicated to system programming/design. System persons would only make modifications/improvements to programs, and the operating persons would only use such programs without having the right to make any modifications. 
  • Contingency plans/procedures in case of failure of the system should be introduced and tested at periodic intervals. The EDP auditor should put such contingency plans under test during the audit to evaluate their effectiveness. 
  • An appropriate control measure should be devised and documented to protect the computer system from attacks by unscrupulous elements.
  • In order to bring about uniformity of software used by various branches/offices, there should be a formal method of incorporating change in standard software, and it should be approved by senior management. The Inspection and Audit Department should verify such changes from the viewpoint of control and for their implementation in other branches in order to maintain uniformity. 
  • The Board of Directors and senior management are responsible for ensuring that an institution's system of internal controls operates effectively. 
  • There should also be an annual review of the IS Audit Policy or Charter to ensure its continued relevance and effectiveness. 
  • With a view to providing assurance to the bank's management and regulators, banks are required to conduct a quality assurance, at least once every three years, on the bank's Internal Audit including IS Audit, to validate the approach and practices adopted by them in the discharge of their responsibilities as laid out in the Audit Charter/Audit Policy.

Explanation of the above topic in simple language

  • The one who builds the system should not be the one who operates it.
  • If something goes wrong, what to do next?
  • Control to prevent attacks.
  • Bring uniformity through Formal method.
  • Seniors are responsible.
  • Annual review for relevance
  • Quality assurance

Mnemonics to learn & remember this is given below

I have tried to make a Mnemonic for this topic by relating it with the phase of Demonetisation.

link: During Demonetisation, the control of RBI's system was not good. 

It is RBI's Duty to Plan for all Contingencies.
Contingencies = cash running out at ATMs/BANKS; a single person doesn't take all the money.
For this, RBI applied a Control, i.e. 2000/person, 4000/person.
But there was no Uniformity in this control (they kept changing it again and again).
For this, the Govt. = senior management was responsible.
Now Demonetisation ended; at the end of the year, a Review was done of how much money in total came back = Annual review.
New notes were issued, but their Quality was not good. 

Words & Linkage:

RBI         = DUTIES
CONTROL     = 2000/person, 4000/person
SENIOR MGMT = GOVT responsible
QUALITY     = NEW NOTES

Watch the video class here:

Topic # 7.11.3 

Requirements of SEBI for System Controls & Audit 

The Securities and Exchange Board of India (SEBI) is the regulator for the securities market in India. SEBI has to be responsive to the needs of three groups, which constitute the market:

  • The issuers of securities,
  • The investors, and
  • The market intermediaries.

(i) Systems Audit: SEBI had mandated that exchanges shall conduct an Annual system audit by a reputed independent auditor.

  • The Audit shall be conducted according to the Norms, Terms of Reference (TOR) and Guidelines issued by SEBI. 
  • The Stock Exchange/Depository (Auditee) may negotiate, and the board of the Stock Exchange/Depository shall appoint the Auditors based on the prescribed Auditor Selection Norms and TOR. The Auditors can perform a maximum of 3 successive audits. The proposal from the Auditor must be submitted to SEBI for records. 
  • The Audit schedule shall be submitted to SEBI at least 2 months in advance, along with the scope of the current audit & previous audit. 
  • The scope of the Audit may be extended by SEBI, considering the changes which have taken place during the last year or post the previous audit report. 
  • The audit has to be conducted and the Audit report submitted to the Auditee. The report should have specific compliance/non-compliance issues, observations for minor deviations, as well as qualitative comments on the scope for improvement. The report should also take previous audit reports into consideration and cover any open items therein. 
  • The Auditee management provides their comments about the Non-Conformities (NCs) and observations. For each NC, specific time-bound (within 3 months) corrective action must be taken and reported to SEBI. The auditor should indicate if a follow-on audit is required to review the status of NCs. The report along with Management Comments shall be submitted to SEBI within 1 month of completion of the audit. Sample areas of review covered by IS Audit assignments are given here. 

Mnemonic to remember the above topic is given as under:

LINK: SEBI told the Stock Exchange to get an ANNUAL Audit done, on which the management will have to Comment. 
Link words:

S E: Scope Extended
A: Audit Schedule
N: Norms
N: Negotiate 
AUDIT: Audit Report 


The Stock Exchange can talk to (negotiate with) SEBI for appointing the Auditor.
The Auditor has to submit his Audit Schedule 2 months in advance.
The Auditor has to audit according to SEBI's Norms.
SEBI can extend the scope of the audit if something happened last year.
Now the Auditor will give his report,
on which the Mgmt will have to Comment.

(iii) Auditor Selection Norms: 

There are various norms for selection of Auditors, which are given as follows:

  • The auditor must have a minimum of 3 years of experience in IT audit of Securities Industry participants, e.g. stock exchanges, clearing houses, depositories, etc. The audit experience should have covered all the Major Areas mentioned under SEBI's Audit Terms of Reference (TOR). 
  • The Auditor must have experience in, or direct access to experienced resources in, the areas covered under the TOR. 
  • The Auditor should have IT audit/governance frameworks and processes conforming to industry leading practices like COBIT. 
  • The Auditor must not have any conflict of interest in conducting a fair, objective and independent audit of the Exchange/Depository. It should not have been engaged over the last three years in any consulting engagement with any departments/units of the entity being audited. 
  • The Auditor may not have any cases pending against its previous auditees, which fall under SEBI's jurisdiction, which point to its incompetence and/or unsuitability to perform the audit task. 

Mnemonic for the above topic is given below


The CA will be selected on the basis of a job interview. 

Job requirement: the CA must have 3+ years of experience,
and he should have used Experienced resources.
 --now his Interview is done--
but the offer letter was pending.
After some time, a conflict arose in the CA's mind about doing the job.
He thought: to hell with the job, I will go into practice instead.