Audit & Assurance · Capital Market & SEBI Audit
Stock / Commodity Broker Audit (NSE, BSE, MCX)
Stock and commodity brokers registered with SEBI and trading on NSE, BSE, or MCX operate under one of the most tightly supervised compliance regimes in Indian financial services — half-yearly internal audits, periodic system audits, client fund segregation rules, net worth certification, and constant exchange-level inspection.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Stock and commodity brokers registered with SEBI and trading on NSE, BSE, or MCX operate under one of the most tightly supervised compliance regimes in Indian financial services — half-yearly internal audits, periodic system audits, client fund segregation rules, net worth certification, and constant exchange-level inspection. A missed internal audit filing, a client-fund segregation lapse, or a weak system audit report can trigger exchange penalties, SEBI show-cause proceedings, or in serious cases suspension of trading membership. PNPC Global has served broking and commodity trading members across NSE, BSE, and MCX since 1986, conducting the internal audits, net worth certifications, and regulatory compliance reviews that exchanges and SEBI require — with the depth that protects your membership, not just a signed certificate that ticks a box.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Stock or Commodity Broker Audit refers to the set of mandatory audit and assurance engagements that SEBI-registered trading members and clearing members of NSE, BSE, and MCX must undergo as a condition of holding and retaining their exchange membership. Unlike a Companies Act statutory audit, which is an annual, entity-wide opinion on financial statements, broker audits are exchange-and-regulator-mandated, activity-specific reviews conducted at defined intervals — most centrally, the half-yearly Internal Audit prescribed by SEBI for all stock brokers and depository participants, covering areas such as client registration (KYC), Unique Client Code (UCC) usage, order and trade management, margin collection and reporting, client fund and securities segregation, brokerage and contract note compliance, risk management systems, and grievance redressal. The internal audit must be conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant who is independent of the broking entity's day-to-day operations and, under the exchanges' revised empanelment framework applicable from the half-year ended March 2024 onwards, formally empanelled with an exchange and meeting the prescribed minimum audit-experience and securities-market certification criteria — exchanges no longer accept internal audit reports from auditors outside this empanelled list. The auditor's report and follow-up action taken on observations must be placed before the broker's Board or the equivalent governing body and, in prescribed form, reported to the exchange.
Beyond the half-yearly internal audit, brokers face several other recurring audit and certification obligations. A System Audit — examining the broker's trading technology, algo-trading controls, cybersecurity and cyber-resilience framework, data centre and disaster recovery arrangements, and API/access controls — is mandated periodically for brokers meeting SEBI's specified criteria (based on factors such as trading turnover, number of algo strategies deployed, or colocation access), and must be performed by an auditor empanelled with the relevant exchange holding the prescribed information-systems qualification (such as CISA, DISA, CISM, or CISSP), consistent with SEBI's technical qualification criteria for system audits. A Net Worth Certificate, certified by a practising Chartered Accountant, must be furnished periodically to demonstrate that the broker continues to meet the minimum net worth prescribed by the exchange and SEBI for its category of membership (which differs for cash, F&O, and commodity segments, and for trading versus clearing members). Depository Participants operating under NSDL or CDSL face a parallel, separately-mandated half-yearly Internal Audit of DP operations under the respective depository's byelaws — distinct from, though often coordinated alongside, the broking-side internal audit.
Commodity brokers trading on MCX operate under a closely analogous framework, since SEBI has regulated commodity derivatives exchanges since the erstwhile Forward Markets Commission was merged into SEBI in 2015 — bringing commodity broking members under materially the same internal audit, net worth, risk management, and client-fund segregation discipline that applies to equity and F&O brokers on NSE and BSE, with MCX-specific circulars governing the exact reporting formats and timelines. A member operating across multiple exchanges and segments — say, NSE cash and F&O plus MCX commodities — typically consolidates these audits under a single audit firm engagement for consistency, even though each exchange requires its own report submission in its own prescribed format and window.
The reason this audit family carries real consequence — beyond the professional discipline of any audit — is the client-money dimension. Brokers hold client funds and client securities in a fiduciary capacity, and SEBI's client fund and securities segregation and monitoring framework (including the requirement to run client accounts on a designated 'client bank/demat account' basis, upstreaming/downstreaming of client funds to clearing corporations, and periodic settlement of running accounts) exists specifically to prevent commingling of client money with the broker's own funds or its use to fund the broker's proprietary trading or another client's shortfall. The internal audit is one of the principal mechanisms SEBI and the exchanges rely on to detect segregation breaches, UCC misuse, unauthorised trading, and margin-reporting misstatements before they escalate into investor-harm events — which is why exchanges review internal audit reports and follow-up compliance status as part of their own periodic inspection of trading members.
When a broker/commodity member audit applies
Every entity holding trading membership, clearing membership, or both, with NSE, BSE, or MCX — the half-yearly SEBI-mandated Internal Audit applies irrespective of the member's turnover, profitability, or number of active clients
Depository Participants registered with NSDL and/or CDSL — a parallel, separately-mandated half-yearly Internal Audit of DP operations is required under the depositories' byelaws, alongside the broking-side internal audit
Brokers offering algorithmic trading, co-location/proximity hosting, Direct Market Access (DMA), or API-based trading access to clients — System Audit obligations under SEBI's algo-trading and cybersecurity/cyber-resilience circulars apply with particular emphasis for these members
Members renewing or upgrading exchange membership category (e.g., trading member to clearing member, or adding a new segment such as commodity derivatives to an existing equity membership) — a fresh or updated Net Worth Certificate and eligibility documentation is required
Members undergoing an exchange inspection or a SEBI-directed special audit following a client complaint, a margin-reporting discrepancy, or an identified segregation lapse — an independent audit response is often required within a tight regulatory timeline
Sub-brokers, Authorised Persons (APs), and franchise arrangements operating under a broker's registration — while the primary audit obligation rests with the registered trading member, the internal audit scope typically extends to reviewing AP-level client onboarding, order routing, and brokerage-sharing compliance
Brokers preparing for a change in control, a strategic investment, or an acquisition — buyers and their advisors routinely require a review of internal audit history, exchange inspection findings, and outstanding regulatory observations as part of financial and regulatory due diligence
What this audit is not, and where it differs from other engagements
Not a substitute for the Companies Act statutory audit under Section 143 — a broker incorporated as a company still requires its own annual statutory audit of financial statements in addition to, and independent of, the exchange-mandated internal audit
Not applicable in this specific form to entities that merely trade through a broker as clients (individuals, HUFs, corporates placing orders) — the SEBI/exchange internal-audit obligation applies to the registered trading/clearing member and DP, not to the member's clients
Not the same engagement as a tax audit under Section 44AB of the Income-tax Act, which a broking entity crossing the applicable turnover threshold — including, for derivatives trading, turnover computed per the specific method prescribed for F&O transactions — separately requires
Not a one-time certification — the internal audit is a recurring half-yearly obligation for the entire period the entity holds exchange membership, with follow-up action reports typically required after each cycle, not a single annual exercise
Not identical across segments — a member active on NSE cash, NSE F&O, BSE, and MCX may face overlapping but not identical audit scope, periodicity nuances, and reporting formats across each exchange, and each exchange's specific circular governs the exact requirement for that segment
Not a service PNPC can provide on a fully independent basis where PNPC also handles the broker's day-to-day accounting or compliance function for the same period without addressing the independence expectations that SEBI and exchange circulars place on the internal auditor — we structure engagements to preserve that independence
Broker/Commodity Member Audit obligations vs other audit and assurance engagements
| Feature | SEBI Internal Audit (Broker/DP) | System Audit | Net Worth Certificate | Companies Act Statutory Audit | Tax Audit (Sec 44AB) |
|---|---|---|---|---|---|
| Governing framework | SEBI circulars on internal audit of stock brokers/DPs; exchange circulars (NSE/BSE/MCX) | SEBI circulars on system audit, algo trading, cyber security & cyber resilience | SEBI (Stock Brokers) Regulations 1992 + exchange membership norms | Companies Act 2013, Section 143 | Income-tax Act 1961, Section 44AB |
| Who it applies to | Every registered trading/clearing member and Depository Participant | Members meeting SEBI's prescribed criteria (turnover, algo usage, colocation access) | All trading/clearing members, periodically, by membership category | Every company registered under the Companies Act | Businesses crossing prescribed turnover/receipts thresholds |
| Periodicity | Half-yearly (April–September and October–March cycles, broadly) | Periodic, per applicable SEBI cycle for the member's category | Periodic, as prescribed by the exchange for the membership category | Every financial year, without exception | Every financial year, if threshold crossed |
| Who can perform it | Independent, exchange-empanelled CA, CS, or Cost Accountant meeting prescribed experience/certification criteria (empanelment mandatory from HY March 2024) | Exchange-empanelled auditor holding prescribed IS-audit certification (CISA/DISA/CISM/CISSP) | Practising Chartered Accountant | Chartered Accountant appointed under Section 139 | Chartered Accountant |
| Reported to | Broker's Board/governing body, and to the relevant exchange in prescribed format | SEBI / exchange, per the applicable system audit circular | Exchange, as part of membership eligibility/renewal documentation | RoC via AOC-4 (annexed to financial statements) | Income-tax e-filing portal |
| Core focus | KYC/UCC, order & trade management, margin, client fund/securities segregation, grievance redressal | Trading technology, algo controls, cybersecurity, data centre & DR, access controls | Minimum net worth compliance for the membership category held | True and fair view of financial statements, Ind AS/AS compliance | Compliance of accounts with Income-tax Act provisions |
| Consequence of default | Exchange penalty, show-cause, adverse inspection finding, risk to membership continuation | Regulatory action for inadequate technology controls, especially post-incident | Membership eligibility questioned; may restrict segment-wise trading activity | Company + officers penalised under Sec 147; audit report itself may be qualified | Penalty under Section 271B, up to prescribed limits |
These are overlapping but distinct obligations, and a single broking entity typically carries several of them simultaneously. Exact periodicity, applicability thresholds, and reporting formats are governed by SEBI master circulars and exchange-specific circulars that are periodically updated — PNPC confirms the current applicable framework for your specific membership category and segment mix before scoping any engagement, rather than relying on a generic checklist.
| # | Stage & What PNPC Does | CA Advice Portals Never Give | Timeline |
|---|---|---|---|
| 1 | Membership & Segment Mapping — Understanding exactly what you are registered for | Before any audit begins, we map out precisely which exchange memberships you hold — NSE cash, NSE F&O, NSE currency derivatives, BSE, MCX commodities — and whether you operate as a trading member, clearing member, or self-clearing member, and whether you also hold DP registration with NSDL/CDSL. Each combination carries its own applicable circulars and reporting windows, and getting this map wrong at the outset produces an audit scoped to the wrong requirements. | Week 1 |
| 2 | Engagement Letter & Independence Confirmation | SEBI and exchange circulars expect the internal auditor to be independent of the broker's day-to-day dealing and back-office operations, and to be formally empanelled with the relevant exchange meeting its prescribed experience and certification criteria. We confirm our empanelment status and document our independence position before accepting the engagement — including where PNPC may already provide other services to the same broking entity — and set out the scope, the reporting period, and the deliverable format expected by the relevant exchange(s). | Week 1 |
| 3 | KYC & Client Onboarding Review — UCC allotment and documentation | We test a sample of client registrations for KYC completeness, correct Unique Client Code (UCC) allotment and usage across all orders placed for that client, in-person verification or its permitted digital equivalent, and adherence to risk-profiling and suitability documentation — areas where exchanges frequently raise observations during their own inspections. | Week 2 |
| 4 | Order & Trade Management Review — Unauthorised trading and modification controls | We review order placement, modification, and cancellation logs for evidence of unauthorised trading, verify that client instructions (where not placed directly by the client through an approved trading terminal or app) are properly authorised and recorded, and check dealer-level access controls and audit trails on the trading system. | Week 2–3 |
| 5 | Margin Collection & Reporting Verification | We reconcile margin collected from clients against margin reported to the exchange/clearing corporation for a test period, checking for any shortfall in upfront margin collection, incorrect margin category classification, or discrepancies between the broker's internal ledger and the exchange's margin reporting file — a recurring focus area in exchange inspections and one where penalties for reporting mismatches are common. | Week 3 |
| 6 | Client Fund & Securities Segregation Testing | We verify that client funds are maintained in designated client bank accounts separate from the broker's own accounts, that the running account settlement of client funds is carried out at the prescribed frequency chosen by each client, that client securities are held in the appropriate client-designated demat/pool accounts, and that no evidence of commingling, use of one client's funds/securities to meet another client's obligation, or use of client money for the broker's proprietary positions is found. | Week 3–4 |
| 7 | Contract Note, Brokerage & Statement of Accounts Review | We test contract notes for timely issuance and completeness of prescribed disclosures, verify brokerage charged is within the rates disclosed to and agreed by the client, and check that periodic statements of accounts (funds and securities) are issued to clients within the prescribed timelines. | Week 4 |
| 8 | Risk Management System (RMS) Review | We examine how the broker's Risk Management System enforces exposure limits, margin calls, and auto-square-off/liquidation triggers for clients with insufficient margin, and whether RMS parameters are properly documented, Board-approved, and consistently applied rather than manually overridden without an audit trail. | Week 4–5 |
| 9 | Grievance Redressal & SCORES Compliance Check | We review the broker's investor grievance register, resolution turnaround against the prescribed timelines, and reconciliation with complaints logged on SEBI's SCORES platform and the exchange's own investor grievance mechanism, to confirm nothing is being resolved informally without proper record. | Week 5 |
| 10 | System Audit Coordination (Where Applicable) | Where the broker meets SEBI's criteria for a mandatory System Audit (based on algo trading activity, colocation access, or other prescribed factors), we coordinate the technology-focused audit — cybersecurity controls, data centre and disaster recovery arrangements, algo strategy approvals and kill-switch mechanisms — either through PNPC's own qualified resources or by liaising with an exchange-empanelled system auditor holding the prescribed IS-audit certification, so that findings from both audits are read together, not in isolation. | Parallel track, as applicable |
| 11 | Draft Findings, Board Discussion & Management Response | We share draft observations with the broker's management and Board/governing body before finalising the report, giving time to provide explanations, produce missing documentation, or commit to specific corrective action — which then forms the 'action taken' component the exchange expects alongside the audit report itself. | Week 5–6 |
| 12 | Final Report & Exchange Submission Support | We finalise the internal audit report in the format prescribed by the relevant exchange, generate UDIN for the signed report on the ICAI portal, and support the broker's compliance team in uploading or submitting the report within the exchange's prescribed window for that half-year cycle. | Week 6 |
| 13 | Next-Cycle Tracking & Regulatory Update Monitoring | SEBI and exchange circulars on broker audit, margin, and segregation norms are updated periodically. We track your next half-yearly audit due date, any interim compliance obligations, and flag relevant regulatory circular changes that affect your scope before the next cycle begins — rather than starting each half-year's audit from a blank slate. | Ongoing, every half-year cycle |
Realistic timeline for a mid-sized broking/commodity trading member with organised records: 5-6 weeks from engagement letter to final report submission, timed to the exchange's half-yearly reporting window. Members with multiple exchange memberships, active algo trading, or a first-time engagement with PNPC typically need a longer runway — we recommend beginning each half-year's audit planning at least 6-8 weeks before the exchange submission deadline for that cycle.
SEBI Certificate of Registration as stock broker / trading member / clearing member, and any segment-specific registration (F&O, currency derivatives, commodity derivatives)
Exchange membership approval letters from NSE, BSE, and/or MCX, including details of trading member ID, clearing member ID, and Depository Participant ID where applicable
Latest Net Worth Certificate submitted to the exchange and the underlying computation working papers
Details of Authorised Persons (APs) and sub-broker/franchise arrangements operating under the member's registration, with their respective agreements
Constitution documents — Certificate of Incorporation/Partnership Deed/LLP Agreement as applicable, and any changes in shareholding, directorship, or partners during the audit period
Sample or complete client master data extract, including UCC allotment records for all active clients during the audit period
KYC documentation for a representative sample of clients — PAN, address proof, bank and demat account details, risk profiling/suitability assessment
Client registration agreements (Rights and Obligations documents, tariff sheets, risk disclosure documents) duly signed and acknowledged
In-person verification (IPV) or digital KYC equivalent records for the sample tested
Records of client account modifications, reactivations, or closures during the period
Order logs, trade logs, and modification/cancellation logs for the audit period, extracted from the trading system
Margin collection records — client-wise upfront margin collected against exchange-prescribed margin requirements
Margin reporting files submitted to the exchange/clearing corporation for the corresponding period, for reconciliation against internal records
Risk Management System (RMS) parameter documentation, Board-approved exposure limits, and any manual override/exception logs
Details of any auto square-off, forced liquidation, or debit-balance client accounts during the period
Bank statements for all designated client bank accounts, separately identifiable from the broker's own operating/proprietary bank accounts
Client-wise fund ledger reconciled to the designated client bank account balances as at period-end
Running account settlement records — evidence of settlement at the frequency (monthly/quarterly, or as elected) chosen by each client
Demat/pool account statements for client securities, separately identifiable from the broker's proprietary demat holdings
Details of any pledge, re-pledge, or margin funding arrangements involving client securities, with supporting client authorisation
Sample of contract notes issued during the period, for completeness and timeliness verification
Brokerage rate cards agreed with clients and a sample reconciliation of brokerage charged against the agreed rate
Periodic statements of accounts (funds and securities) issued to clients, with evidence of issuance timelines
Investor grievance register, including complaints received directly and through SCORES/exchange investor grievance mechanisms, with resolution status and turnaround time
Any arbitration references, exchange investor grievance escalations, or SEBI correspondence relating to client complaints during the period
Details of trading technology architecture, including any algo trading strategies deployed, colocation/proximity hosting arrangements, and API access provided to clients or vendors
Previous System Audit report and closure status of prior observations, where a System Audit is applicable to the member
Cybersecurity and cyber-resilience policy documentation, business continuity/disaster recovery plan, and evidence of periodic testing
Minutes of Board/governing body meetings at which the previous internal audit report and compliance status were placed and discussed
Prior half-year's internal audit report, management response, and evidence of closure of previous audit observations
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| New Membership Onboarding | SEBI registration granted / exchange membership approved | Net worth certification support at registration, and structuring of the compliance calendar for the first half-yearly internal audit cycle, client fund segregation account setup, and UCC/KYC process design before the first client is onboarded. | Weak onboarding-stage processes for KYC, UCC allotment, and client fund segregation create findings in the very first internal audit cycle and can attract early exchange scrutiny. |
| First Half-Yearly Internal Audit | First reporting cycle after commencing trading operations | Full-scope internal audit covering KYC, order/trade management, margin, segregation, contract notes, RMS, and grievance redressal, benchmarked against the applicable SEBI and exchange circulars current at the time, with findings placed before the Board before exchange submission. | A poorly scoped or superficial first audit sets a weak baseline, and issues not caught early tend to compound across subsequent half-yearly cycles. |
| Ongoing Half-Yearly Cycle | Every April-September and October-March period (or the applicable cycle) | Recurring internal audit with continuity from the prior cycle — tracking closure of earlier observations, adjusting scope for any new products, segments, or regulatory circulars introduced during the period, and timely report submission within the exchange's prescribed window. | Late or superficial audit submissions accumulate as an adverse compliance pattern that exchanges weigh during their own periodic inspections and any subsequent regulatory action. |
| System Audit Cycle | Member crosses SEBI's prescribed criteria for mandatory system audit applicability (algo trading, colocation, turnover-linked criteria) | Coordination of the technology-focused system audit alongside the operational internal audit, ensuring cybersecurity, algo control, and data centre/DR findings are read together with operational findings rather than treated as an unrelated exercise. | Weak algo-trading controls or cybersecurity gaps identified only after an incident (unauthorised access, erroneous algo behaviour) draw materially more severe regulatory scrutiny than issues identified and remediated through a timely system audit. |
| Exchange Inspection | Routine or trigger-based inspection by NSE/BSE/MCX | Preparation support — reconciling internal audit history, prior observation closure status, and documentation readiness before the inspection team's visit or remote review, and coordinating the broker's response to inspection queries. | A poor inspection outcome, especially one inconsistent with a member's own internal audit reports, can trigger a more detailed SEBI-level review, monetary penalty, or in serious cases restriction on further client onboarding or trading activity. |
| Segment Expansion | Adding a new exchange membership or trading segment (e.g., adding MCX commodities to an existing NSE/BSE equity membership) | Fresh net worth eligibility assessment for the new segment, mapping the additional circulars and reporting obligations that come with the new membership, and integrating the new segment into the existing half-yearly audit scope rather than running a parallel, disconnected compliance process. | Treating a new segment's compliance obligations as identical to the existing one, without confirming segment-specific circulars, risks a gap in coverage that surfaces only when the new segment's own reporting deadline is missed. |
| Client Complaint / Regulatory Query Escalation | SEBI SCORES complaint, exchange investor grievance escalation, or arbitration reference | Independent review of the specific transaction or account at issue, supporting documentation preparation, and coordination of the broker's formal response — informed by, but distinct from, the routine half-yearly audit process. | An unaddressed or poorly documented response to a client complaint can escalate from an individual grievance into a broader exchange or SEBI inquiry into the broker's overall compliance standards. |
| Membership Surrender / Business Wind-Down | Voluntary surrender of exchange membership or cessation of broking business | Final settlement verification of all client funds and securities, closure confirmation of client accounts, a closing net worth and compliance position, and coordination of the exchange's membership surrender formalities alongside any final statutory audit requirements for the entity. | Surrendering membership with unresolved client fund balances or open grievances can result in the exchange withholding final clearances, delaying the broker's own exit and creating personal exposure for the entity's principals/directors. |
The half-yearly internal audit cycle runs for the entire life of a broker's exchange membership — it does not taper off once initial onboarding issues are resolved. PNPC recommends treating each phase above as a trigger to revisit audit scope rather than assuming the prior cycle's programme automatically covers a changed business.
What exactly is a 'Broker Audit' — is it one audit or several different ones?
It is a family of related but distinct audit and certification obligations that a SEBI-registered stock or commodity broker faces because of its exchange membership — principally the half-yearly Internal Audit mandated by SEBI for all trading/clearing members and Depository Participants, alongside periodic System Audit (for members meeting specified technology/algo-trading criteria), Net Worth Certification, and the entity's own Companies Act statutory audit if it is incorporated as a company. PNPC typically scopes these together for a client so the overall compliance picture is coherent, even though each has its own periodicity and reporting format to the relevant exchange or regulator.
How often is the SEBI-mandated Internal Audit required for a stock broker?
The Internal Audit of stock brokers and Depository Participants is a half-yearly obligation under SEBI's applicable circulars, meaning it is conducted twice a year, with the report and follow-up compliance status typically required to be placed before the broker's Board or governing body and reported to the relevant exchange within the timeline that exchange's circular prescribes for that half-year cycle. Exact submission windows are set by exchange circulars, which PNPC confirms as current before each cycle rather than assuming a fixed calendar date applies indefinitely.
Who is eligible to conduct a broker's internal audit — can any Chartered Accountant do it?
SEBI and exchange circulars require the internal auditor to be an independent practising professional — a Chartered Accountant, Company Secretary, or Cost Accountant holding a valid Certificate of Practice — who is not part of the broker's day-to-day dealing or back-office operations. Since the half-year ended March 2024, exchanges have also tightened this further: the audit firm must be formally empanelled with an exchange, hold a minimum prescribed audit track record, and have a partner or employee holding the relevant securities-market certification, and exchanges accept internal audit reports only from firms on this empanelled list. Not every practising CA/CS/Cost Accountant automatically qualifies any more. PNPC confirms and documents this empanelment and independence position at the engagement letter stage for every broker audit we accept.
What does the internal auditor actually check during a broker audit?
The scope spans client onboarding and KYC/UCC compliance, order and trade management controls (including checks for unauthorised trading), margin collection and reporting accuracy against exchange records, client fund and securities segregation, contract note and brokerage compliance, Risk Management System (RMS) functioning, and investor grievance redressal turnaround including reconciliation with SCORES complaints. The precise checklist and its emphasis areas are periodically updated by SEBI and the exchanges, and PNPC scopes each cycle against the currently applicable framework for the member's specific segment mix.
What is client fund and securities segregation, and why does the audit focus on it so heavily?
Segregation refers to SEBI's requirement that a broker keep client funds and client securities in designated accounts that are legally and operationally distinct from the broker's own (proprietary) funds and securities, so that client money cannot be commingled with, or used to meet, the broker's own obligations or another client's shortfall. This is the single most important investor-protection mechanism in the broking framework, because a broker in financial difficulty that has kept segregation intact leaves client assets largely unaffected, whereas commingling can expose client money directly to the broker's own solvency risk. The internal audit specifically tests bank and demat account segregation, running account settlement discipline, and the absence of any client-to-client or client-to-proprietary fund movement.
What is a Unique Client Code (UCC) and what happens if it is used incorrectly?
The UCC is the unique identifier every client must have, allotted before any order is placed on their behalf, so that every trade on the exchange can be traced to the specific client for whom it was executed. Placing an order under the wrong UCC, using a UCC that has not been properly KYC-verified, or allowing trades to be modified between client codes after execution without proper authorisation are all treated as serious compliance failures, because they undermine the exchange's ability to attribute trades correctly and can be a vector for unauthorised proprietary trading dressed up as client activity. The internal audit specifically tests UCC allotment records and order-level UCC usage.
What is a System Audit, and does every broker need one?
A System Audit is a technology-focused examination of a broker's trading systems, cybersecurity controls, data centre and disaster recovery arrangements, and — where applicable — algorithmic trading controls (strategy approval process, risk controls, kill-switch mechanisms). It is mandated by SEBI for brokers meeting specified criteria, which can include factors such as offering algo trading facilities, holding colocation/proximity hosting access, or crossing prescribed turnover thresholds — it is not universally required for every broker regardless of scale and technology footprint. PNPC confirms applicability for each client against the current SEBI framework rather than assuming either that it is or is not required.
What is a Net Worth Certificate, and how often does it need to be renewed?
A Net Worth Certificate is a Chartered Accountant's certification of the broker's computed net worth as at a specific date, submitted to the exchange to demonstrate continued compliance with the minimum net worth prescribed for the member's specific category — which differs by segment (cash, F&O, currency derivatives, commodity derivatives) and by whether the member is a trading member, self-clearing member, or professional clearing member. Exchanges prescribe the periodicity at which an updated certificate must be filed, and additional certification is typically required when a member applies for a new segment or membership category.
Do commodity brokers on MCX face the same audit requirements as equity/F&O brokers on NSE and BSE?
Broadly yes, in framework — since commodity derivatives exchanges came under SEBI's direct regulation, MCX members are subject to materially the same internal audit, net worth, risk management, and client-fund segregation discipline that applies to NSE and BSE members, with MCX's own circulars governing the exact reporting formats, timelines, and any commodity-specific nuances (such as delivery-related processes for physically settled commodity contracts). A member active across NSE, BSE, and MCX typically needs a coordinated audit approach that respects each exchange's specific submission requirements rather than a single generic report.
What happens if the internal audit report is submitted late to the exchange?
Late or non-submission of the mandated internal audit report is treated by exchanges as a compliance default, and depending on the exchange's specific enforcement framework and the extent of the delay, can attract a monetary penalty, a formal notice, or be factored into the exchange's broader risk assessment of the member during subsequent inspections. Repeated defaults across cycles compound the member's compliance risk profile with the exchange. PNPC builds in enough runway before each submission window specifically to avoid this outcome.
Can the same CA firm that handles our accounting also perform our internal audit?
This needs to be approached carefully, in the same spirit as the independence expectations under the Companies Act framework for statutory auditors. SEBI and exchange circulars expect the internal auditor to be independent of the broker's day-to-day operations, so PNPC structures engagements — where we also provide accounting or other advisory services to a broking client — to preserve that independence, including by using a separate, appropriately independent engagement team, or recommending a different independent firm for the internal audit where that better protects the credibility of the audit for the client's own regulatory standing.
Our brokerage firm is a partnership, not a company. Does the internal audit still apply?
Yes. The SEBI/exchange internal audit obligation attaches to the trading/clearing membership itself, not to the legal form of the entity holding it — partnership firms, LLPs, and companies that hold SEBI registration and exchange membership are all subject to the same half-yearly internal audit requirement. The entity's legal form does, however, affect which other audits apply — for instance, a company additionally requires a Companies Act statutory audit, while a partnership firm does not, though it may still require a tax audit under Section 44AB depending on turnover.
What are Authorised Persons (APs), and does the internal audit cover them too?
An Authorised Person is an individual or entity engaged by a registered trading member to provide broking-related services to clients on the member's behalf — effectively an extension of the broker's distribution — operating under an agreement with, and under the regulatory umbrella of, the principal trading member's registration. While APs are not separately SEBI-registered as brokers in their own right, the internal audit of the principal trading member typically extends to reviewing AP-level client onboarding practices, order routing arrangements, and brokerage-sharing compliance, because the principal member remains responsible for the AP's conduct under exchange rules.
What is 'running account settlement' and why does the internal audit test it?
Running account settlement refers to the periodic settlement of the credit balance in a client's trading account back to the client, at a frequency the client has elected (commonly monthly or quarterly, subject to the prescribed maximum interval), rather than the broker holding client funds indefinitely. SEBI's framework is designed to prevent brokers from retaining client credit balances beyond what is operationally necessary, since prolonged retention increases the client's exposure to the broker's own financial health. The internal audit tests whether settlements are actually occurring at the elected frequency and whether any client's running account shows an unexplained pattern of retained balances.
How does PNPC handle a broker with membership across multiple exchanges and segments — NSE, BSE, and MCX together?
We first map the complete membership and segment matrix — trading member/clearing member status on each exchange, each segment (cash, F&O, currency derivatives, commodity derivatives), and any DP registration — and identify the specific circular framework applicable to each. We then run a coordinated audit programme that tests common control areas (KYC, segregation, RMS, grievance redressal) once across the entity while still producing the segment-specific and exchange-specific reports each exchange separately requires in its own prescribed format and submission window.
What documentation should we start preparing before engaging PNPC for our first broker audit?
At minimum: your SEBI registration certificate and exchange membership approvals, the prior half-year's internal audit report (if this is not your first cycle) and evidence of closure of its observations, a client master data extract with UCC details, bank statements for designated client accounts, margin reporting files submitted to the exchange for the period, and Board/governing body minutes discussing the previous audit's findings. PNPC issues a tailored document request at the engagement letter stage based on your specific membership, segment mix, and whether algo trading or DP operations are involved.
Does PNPC also handle the Companies Act statutory audit for a broking company, or only the exchange-mandated internal audit?
PNPC provides both, where appropriate, structured to respect the independence expectations that apply to each. A broking entity incorporated as a company requires its Companies Act statutory audit under Section 143 in addition to the SEBI/exchange internal audit — these are separate, non-substitutable engagements with different scopes, appointing authorities, and reporting destinations. Where PNPC is engaged for both, we ensure the two engagements are properly delineated and, where independence considerations require it, staffed by separate teams within our practice.
What is the consequence of a serious segregation or margin-reporting lapse found during the audit?
Findings of this nature are reported to the broker's Board/governing body as part of the audit process and, depending on the exchange's own framework and the severity of the lapse, may need to be reported to the exchange as part of the audit submission or flagged for the exchange's separate attention. Depending on severity, exchanges can respond with monetary penalties, enhanced monitoring, additional inspection, or in serious and repeated cases, restrictions on the member's trading or client onboarding activity — the specific enforcement action is at the exchange's and SEBI's discretion based on the facts.
Are there any exemptions from the half-yearly internal audit for smaller or newly registered brokers?
The internal audit obligation is applied broadly across registered trading/clearing members and Depository Participants rather than being scaled purely on business size, though the depth and complexity of testing naturally reflects the scale and nature of the member's actual operations. A newly registered broker with a small client base still needs a properly scoped internal audit for its first applicable half-yearly cycle. PNPC confirms current applicability and any specific relief that may exist for a given category directly against the exchange's current circulars rather than assuming a blanket exemption based on size alone.
How does PNPC's UAE presence help a broker with cross-border clients or a related entity in Dubai?
For India-registered brokers with NRI clients based in the UAE, or a broking group that also operates a related entity in Dubai (for instance, under DFSA or other UAE regulatory frameworks for financial services), PNPC's Dubai office coordinates with our India audit team so that client onboarding for UAE-resident clients, any intercompany arrangements between the Indian and UAE entities, and cross-jurisdictional regulatory correspondence are handled consistently rather than by two disconnected advisors.
What is the difference between a trading member and a clearing member, and does it change the audit scope?
A trading member is registered to place orders and execute trades on the exchange on behalf of clients or itself. A clearing member additionally has the responsibility (either for itself as a self-clearing trading member, or on behalf of other trading members as a professional clearing member) for settling trades with the clearing corporation — managing margin obligations, settlement obligations, and default fund contributions at the clearing level. A clearing member's audit scope typically extends further into clearing-level margin and settlement controls, in addition to the trading-member-level scope that applies regardless.
How does PNPC price a broker/commodity member audit engagement?
Fees are structured based on the number of exchange memberships and segments covered, client base size and transaction volume (which drives sample sizes for KYC, order, and margin testing), whether System Audit coordination is required, whether DP operations are also in scope, and the quality and organisation of records provided. PNPC provides a written scope and fee estimate before the engagement letter is signed for each half-yearly cycle, so there are no surprises once the engagement begins.
What happens during an exchange inspection, and how does our internal audit history factor into it?
Exchanges conduct their own periodic or trigger-based inspections of trading members, independent of the member's own internal audit process, examining many of the same control areas — KYC, segregation, margin, RMS — often with direct access to the exchange's own trade and margin data. A member's internal audit reports and the evidence of closure of prior observations are typically reviewed by the inspection team as part of assessing the member's overall compliance culture — a consistent pattern of thorough internal audits with promptly closed findings is viewed very differently from a pattern of superficial audits or unresolved recurring observations.
Can PNPC help with the response if SEBI or an exchange raises a show-cause notice following an inspection?
Yes. Where a broking client receives a show-cause notice or inspection finding from SEBI or an exchange, PNPC can support the preparation of the factual and documentary response — reconciling the specific transactions or periods at issue, coordinating with the client's legal counsel where the matter has legal/enforcement dimensions, and helping identify and implement the corrective action the regulator or exchange is likely to expect as part of the resolution.
Why should a broking firm choose PNPC over a firm that only offers a signature-only internal audit?
A signature-only internal audit — minimal sampling, boilerplate observations, quick turnaround to unlock the exchange submission — creates the appearance of compliance without the underlying protection the audit exists to provide. If a segregation lapse, margin misreporting, or UCC misuse is present but not caught because the audit was superficial, the broker remains fully exposed to it surfacing later through an exchange inspection or, worse, an investor complaint — at that point with the added complication of an internal audit report on file that did not flag it. PNPC's audits test the actual control environment, document findings clearly, and follow through to confirm closure before the next cycle — which is what genuinely reduces the broker's regulatory risk, not just the paperwork burden.
What does the PNPC broker/commodity member audit engagement include, in full?
Membership and segment mapping across all your exchanges. Engagement letter with documented auditor independence. Full-scope internal audit covering KYC/UCC, order and trade management, margin collection and reporting, client fund and securities segregation, contract notes and brokerage, RMS, and grievance redressal/SCORES reconciliation. System Audit coordination where applicable. Draft findings shared with management and your Board/governing body before finalisation. Final report in the exchange-prescribed format with UDIN generated on the ICAI portal. Submission support within the exchange's window. Tracking of your next half-yearly cycle and monitoring of relevant regulatory circular updates in between.
If we are a new broking entity that has not yet completed our first trading cycle, when should we engage PNPC?
We recommend engaging your internal auditor before your first client is onboarded, not after your first half-year cycle has already closed. Early engagement allows PNPC to review your KYC/UCC process design, client fund segregation account setup, RMS parameter documentation, and contract note templates before they go live — so the first internal audit cycle tests a properly designed control environment rather than uncovering foundational gaps after months of live trading activity.
What is a Depository Participant (DP) internal audit, and is it different from the broker internal audit?
A Depository Participant registered with NSDL and/or CDSL faces a separately mandated half-yearly internal audit of its DP operations, prescribed under the respective depository's byelaws and operating instructions — covering demat account opening (KYC), transmission and dematerialisation/rematerialisation requests, pledge and unpledge processing, delivery instruction handling, and account closure procedures. Where a broking entity is also a registered DP (a very common combination), PNPC coordinates both audits so that findings on client account handling are consistent across the broking and depository sides of the business, while still producing the two separate reports each regulator requires.
What is 'upstreaming' and 'downstreaming' of client funds, and why does it matter for the audit?
Upstreaming refers to SEBI's framework requiring brokers to place client funds collected for margin purposes with the clearing corporation (rather than holding them indefinitely with the broker or in bank fixed deposits/overnight instruments outside the clearing ecosystem), with downstreaming being the corresponding return flow of funds back to the broker or client as obligations are met or funds are no longer required as margin. This framework was specifically designed to reduce the risk of client margin funds being available for a broker to use inappropriately. The internal audit tests whether the broker's upstreaming/downstreaming practice is being followed as prescribed, rather than funds being retained outside the permitted structure.
What is the difference between an 'internal audit' finding and a 'statutory' compliance breach — does a finding automatically mean the broker is in trouble?
Not necessarily. An internal audit finding is simply the auditor's observation that a specific process did not operate as prescribed for the sample or period tested — it could range from a minor documentation gap (a missing signature on a KYC form) to a serious control failure (evidence of client fund commingling). The audit report itself is a diagnostic tool: findings, management's response, and the corrective action taken are what the exchange and, if escalated, SEBI actually evaluate. A broker that identifies issues through its own internal audit and closes them promptly is generally viewed far more favourably than one where the same issue is later discovered externally.
Can a broker be penalised even if no client complaint was ever received, purely based on internal audit or inspection findings?
Yes. Exchange and SEBI enforcement action is not solely complaint-driven — internal audit findings, exchange inspection observations, and system-level surveillance (such as margin reporting discrepancies detected through the exchange's own data, or UCC/order-pattern anomalies flagged by exchange surveillance systems) can independently trigger regulatory scrutiny and action, entirely apart from whether any specific client has raised a grievance. This is part of why the internal audit's testing of margin reporting accuracy and segregation, not just grievance-register review, carries real weight.
What role does the Board or governing body play in the internal audit process — is it just a formality to present the report to them?
SEBI and exchange expectations treat presentation of the internal audit report to the Board (or equivalent governing body for a partnership/LLP) as a genuine governance checkpoint, not a formality — the Board is expected to discuss the findings, direct and track corrective action, and be able to demonstrate that it exercised oversight over the compliance function, not merely receive the report as an information item. This becomes particularly relevant if an issue later escalates to an exchange inspection or SEBI action, where the quality of Board-level engagement with prior audit findings is itself scrutinised.
How does the internal audit treat dormant or inactive client accounts?
Dormant or long-inactive client accounts are typically tested for continued KYC validity (since KYC records can lapse or require periodic re-verification), any residual credit balance that should have been settled under the running account framework, and whether any activity occurred on an account that appeared otherwise dormant — which can be a red flag for unauthorised use of an inactive client code. Brokers are expected to have a defined policy for handling and periodically reviewing dormant accounts rather than leaving them unexamined indefinitely.
What is a kill-switch mechanism in algo trading, and does the audit test it?
A kill-switch is a control mechanism — required as part of SEBI's algo trading framework for brokers offering algorithmic trading facilities — that allows an algo strategy or a client's trading activity to be immediately halted if it breaches predefined risk parameters (such as an order-rate limit, a loss threshold, or erratic order patterns suggestive of a malfunctioning algorithm). Where a broker offers algo trading, the system audit and, to the extent operationally relevant, the internal audit test whether kill-switch mechanisms are properly configured, tested periodically, and have actually been triggered and logged where warranted.
Does PNPC's broker audit cover cybersecurity incidents that occurred during the period?
Where a cybersecurity incident (unauthorised access attempt, data breach, denial-of-service event, or similar) occurred during the audit period, it falls within the scope of the internal audit's review of the broker's cybersecurity and incident-response framework, and separately within the System Audit where one applies — including whether the incident was reported to the appropriate authority (such as CERT-In, where its reporting framework applies) within the prescribed timeline, and whether remedial action was taken and documented.
What is the relationship between SEBI's SCORES platform and the exchange's own investor grievance mechanism?
SCORES (SEBI Complaints Redress System) is SEBI's centralised online platform through which investors can lodge complaints against SEBI-registered intermediaries, including brokers, with the complaint routed to the intermediary for response within prescribed timelines and escalated within SEBI's framework if unresolved. Exchanges separately maintain their own investor grievance redressal mechanisms (including arbitration facilities for monetary disputes). The internal audit reviews both channels together, reconciling the broker's own grievance register against complaints logged on SCORES and with the exchange, to confirm nothing is being handled informally outside these official channels.
Is a stock broker required to maintain a separate audit trail for orders placed through a mobile trading app versus a desktop terminal?
The underlying regulatory expectation is that every order, regardless of the channel through which it was placed — desktop terminal, mobile app, API, or call-and-trade — must be traceable to the specific client and properly logged with a complete audit trail, rather than the channel itself dictating a different standard of record-keeping. The internal audit tests order logs across whichever channels the broker actually offers, verifying that multi-channel access has not created gaps in traceability or authorisation control.
| Feature | Signature-Only Audit Provider | Generic Local CA Practice | PNPC Global |
|---|---|---|---|
| Audit Scope & Testing Depth | Minimal sampling, boilerplate observations, fast turnaround to unlock exchange submission | Reasonable coverage but often generic across broker clients | Full-scope testing of KYC/UCC, margin, segregation, RMS, and grievance redressal, tailored to your actual membership and segment mix |
| Independence Discipline | Frequently blurred — same person handles compliance and 'signs off' the audit | Variable, depends on firm size and existing relationship | Documented independence position at engagement, structured to meet SEBI/exchange expectations |
| Segregation & Margin Testing | Surface-level check that accounts exist | Reasonable but not always reconciled against exchange margin files | Full reconciliation of client fund/securities segregation and margin reporting against exchange records, tested for commingling risk |
| System Audit Coordination | Not offered, or referred out with no follow-through | Rarely offered in-house | Coordinated alongside the operational audit, using exchange-empanelled system audit resources where required, so findings are read together |
| Findings Communication | Report delivered at the last moment before the deadline | Direct but often only reactive to client queries | Draft observations shared with management and Board before finalisation, real time to respond, no last-minute surprises |
| Multi-Exchange Coordination | Separate, disconnected engagements per exchange | Not typically offered as a coordinated service | Single coordinated audit programme across NSE, BSE, and MCX memberships, with exchange-specific reporting |
| Cross-Border / NRI Client Support | Not offered | Not offered | PNPC Dubai office coordination for NRI client onboarding and related-entity matters |
| Fee Transparency | Low headline fee, scope narrows to match | Generally transparent but informal | Written scope and fee agreed before each half-yearly engagement letter is signed |
What the PNPC package includes
- 01
Full membership and segment mapping across NSE, BSE, and MCX before scoping the audit
- 02
Documented auditor independence position at every engagement, structured to meet SEBI and exchange expectations
- 03
Complete half-yearly Internal Audit — KYC/UCC, order and trade management, margin collection and reporting, client fund and securities segregation, contract notes and brokerage, RMS, grievance redressal and SCORES reconciliation
- 04
System Audit coordination for members meeting SEBI's algo-trading, colocation, or turnover-linked criteria
- 05
Net Worth Certificate preparation using the exchange-prescribed computation method for your specific membership category
- 06
Client fund and securities segregation testing specifically focused on commingling and running-account settlement discipline
- 07
Draft findings shared with management and your Board/governing body well before finalisation, with real time to respond
- 08
Final report in the exchange-prescribed format with UDIN generated on the ICAI portal for every signed report
- 09
Coordinated multi-exchange reporting for members active across NSE, BSE, and MCX under a single engagement
- 10
Prior-cycle observation tracking, so closure status is verified rather than assumed at the start of each new half-year
- 11
India-UAE coordination through PNPC's Dubai office for brokers with NRI clients or a related UAE entity
- 12
Support preparing responses to exchange inspection queries or SEBI show-cause notices, alongside your legal counsel where required
Speak directly with a PNPC Chartered Accountant about your broker or commodity member audit. Not a signature-only provider racing to unlock your exchange submission — a practising CA firm that has served broking and commodity trading members since 1986, and that treats client fund segregation, margin integrity, and UCC discipline as the real substance behind the report, not a formality to get past.