HomeServicesAudit & AssuranceInternal Audit & SEBI Compliance Review for Brokers

Audit & Assurance · Capital Market & SEBI Audit

Internal Audit & SEBI Compliance Review for Brokers

Stock broking is one of the most tightly supervised businesses in India — client funds and securities segregation, running account settlement, margin reporting, and Unique Client Code discipline are all monitored by SEBI and the stock exchanges in near real time.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Stock broking is one of the most tightly supervised businesses in India — client funds and securities segregation, running account settlement, margin reporting, and Unique Client Code discipline are all monitored by SEBI and the stock exchanges in near real time. A single lapse in client fund handling or a missed half-yearly internal audit submission can trigger an exchange inspection, a monetary penalty, or in serious cases suspension of trading terminals. At PNPC Global, we conduct the half-yearly internal audit mandated for trading members, clearing members, and depository participants with the rigour SEBI and the exchanges expect — testing client fund segregation, margin collection, UCC mapping, and back-office controls against the actual regulatory framework your registration operates under, not a generic audit checklist. We have supported regulated financial intermediaries since 1986, across India and the UAE.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Internal Audit & SEBI Compliance Review for Brokers is

Internal Audit of stock brokers is a SEBI-mandated, periodic, risk-based examination of a registered broker's operations, systems, and controls — distinct from the statutory financial audit conducted under the Companies Act or the tax audit conducted under the Income-tax Act. SEBI requires every registered stock broker (trading member) and depository participant to have its operations internally audited by a practising Chartered Accountant, Company Secretary, or Cost Accountant who is not connected with the broker, on a half-yearly basis, covering the two half-years of the financial year (April–September and October–March). The audit report must be placed before the broker's management and, in the manner prescribed by SEBI and the respective stock exchange or depository, submitted within the stipulated timeline. This is a compliance obligation layered on top of — not a replacement for — the broker's regular statutory audit under the Companies Act and the tax audit applicable to businesses above the prescribed turnover threshold (historically conducted under Section 44AB of the Income-tax Act, 1961; carried forward under the corresponding tax-audit provision of the Income Tax Act, 2025, which took effect from 1 April 2026).

The scope of a stock-broker internal audit is fundamentally different from a general corporate internal audit because it is anchored to a specific, detailed regulatory framework: the SEBI (Stock Brokers) Regulations, 1992 (as amended), SEBI circulars on client fund and securities segregation and the Client Funds/Securities running account settlement mechanism, exchange bye-laws and business rules of the National Stock Exchange (NSE), BSE, and Multi Commodity Exchange (MCX) where applicable, SEBI's margin trading and margin collection/reporting framework, Know Your Client (KYC) and Client Registration norms under the KYC Registration Agency (KRA) system, Unique Client Code (UCC) mapping and validation requirements, the SEBI (Depositories and Participants) Regulations, 2018 for brokers also registered as Depository Participants, and the exchange-prescribed formats for reporting margin, client collateral, and segregation compliance. A broker internal auditor is therefore testing not just financial controls but adherence to a dense, exchange-specific and SEBI-specific rulebook that changes frequently through circulars.

Core areas typically covered in a broker internal audit include: verification that client funds and client securities are kept segregated from the broker's own funds/securities and are not co-mingled or used for proprietary purposes; testing of the running account settlement of funds and securities with clients at the periodicity the client has opted for (monthly or quarterly, as permitted); verification of margin collection from clients against exchange-reported margin obligations and reconciliation of any shortfall reporting; testing of Unique Client Code (UCC) allotment, modification, and mapping to ensure trades are executed only for validly registered and KYC-compliant clients; verification of contract note generation and dispatch, brokerage and statutory levy computation (STT, stamp duty, SEBI turnover fees, GST, exchange transaction charges); review of risk management system (RMS) controls including exposure limits, margin calls, and square-off triggers; testing of client bank account and client securities account (demat pool/client unpaid securities account) reconciliation; and verification of compliance with SEBI circulars on investor grievance redressal (SCORES) and periodic, risk-based Client Due Diligence under SEBI's AML/KYC framework, where applicable.

A related but distinct obligation is the Cyber Security and Cyber Resilience audit (System Audit) mandated by SEBI for stock brokers and depository participants meeting prescribed criteria — typically conducted periodically (annually or once in two years depending on the broker's category and client base, per SEBI's applicable circular) — along with separate reporting obligations under SEBI's framework addressing technical glitches in brokers' electronic trading systems and its algorithmic trading governance requirements for larger, algorithmic, and colocation-enabled brokers. These are all separate engagements from the half-yearly internal audit but are frequently coordinated together by the same compliance and audit calendar. PNPC's engagement is scoped precisely to what your broker registration category (trading member, clearing member, depository participant, or a combination) actually requires — over-scoping wastes fees, and under-scoping leaves genuine regulatory exposure.

When this engagement applies to you

You are a SEBI-registered stock broker (trading member) on NSE, BSE, or MCX and are statutorily required to have a half-yearly internal audit conducted by an independent practising CA, CS, or CWA

You are registered as a Depository Participant (DP) with NSDL or CDSL and require an internal audit of your depository operations under the SEBI (Depositories and Participants) Regulations, 2018

You are a clearing member handling client funds and securities settlement and need assurance that segregation and running account norms are being followed correctly

Your compliance team or Board wants an independent, pre-inspection health check ahead of a scheduled SEBI or exchange inspection

You have received an exchange query, deficiency memo, or show-cause notice relating to margin reporting, UCC mismatches, or client fund segregation and need a documented remediation review

You are launching or have recently launched broking operations and need your internal audit function, RMS controls, and compliance calendar designed correctly from the first audit cycle

You operate in multiple segments (cash, F&O, currency, commodity) or across multiple exchanges and need a coordinated audit covering all registrations under one engagement

When a different engagement may be more relevant

You need the broker's annual statutory financial audit under the Companies Act — that is a separate, distinct engagement from the SEBI-mandated internal audit, though PNPC can coordinate both

You need a Cyber Security and Cyber Resilience (System) Audit specifically — this is a specialised technical audit with its own SEBI framework and is typically scoped and quoted separately from the operational internal audit, though we coordinate the calendar for clients who need both

You are an individual investor or trader looking for tax or compliance advice on your own trading activity — that falls under our Income Tax and capital gains advisory services, not broker internal audit

You are a mutual fund distributor, investment adviser, or portfolio manager without a stock broking or depository participant registration — these SEBI intermediary categories have their own distinct compliance and audit obligations

You need general internal audit for a company that has no SEBI broker or depository registration — our standard risk-based Internal Audit service is the correct fit, not this specialised broker-audit engagement

Structure Comparison

SEBI Broker Internal Audit vs other audits and reviews a stock broker undergoes

FeatureSEBI Broker Internal AuditStatutory Financial AuditCyber Security / System AuditExchange InspectionTax Audit
Governing frameworkSEBI (Stock Brokers) Regulations 1992 + SEBI/exchange circularsCompanies Act 2013, Standards on AuditingSEBI cyber security & cyber resilience circularsExchange bye-laws and business rulesTax-audit provisions of the Income Tax Act, 2025 (successor to Section 44AB of the erstwhile Income-tax Act, 1961)
Who conducts itIndependent practising CA, CS, or CWA not connected with the brokerStatutory auditor appointed under the Companies ActEmpanelled CERT-In auditor or specialised systems auditorExchange's own inspection/surveillance teamIndependent chartered accountant
FrequencyHalf-yearly (Apr–Sep and Oct–Mar cycles)Annual, at financial year endPeriodic per SEBI's prescribed cycle for the broker categoryAs scheduled by the exchange, risk-basedAnnual, alongside the tax return
Primary focusClient fund/securities segregation, margin, UCC, RMS, running accountTrue and fair view of financial statementsIT infrastructure, data security, business continuity, access controlsOverall regulatory and operational complianceTax computation accuracy and Form 3CD particulars
Report goes toBroker's management/Board, and exchange/depository as prescribedShareholders, via the Board, filed with MCASEBI/exchange as prescribed by the applicable circularExchange management, may escalate to SEBIIncome-tax Department
Mandatory forEvery registered trading member, clearing member, and DPEvery company registered under the Companies ActBrokers/DPs meeting SEBI's prescribed threshold criteriaAll registered members, at the exchange's discretionBusinesses above prescribed turnover limits
Consequence of defaultExchange penalty, deficiency memo, possible suspension of trading facilityMCA penalty, audit qualification, director liabilityRegulatory action, potential trading facility restrictionWarning, monetary penalty, membership action in serious casesStatutory penalty for non-compliance and consequential disallowances (provision carried forward from erstwhile Section 271B)

These audits are complementary and frequently run on overlapping but distinct calendars for the same broker. A broker with cash, F&O, and DP registrations may simultaneously be subject to the half-yearly internal audit, an annual statutory audit, a periodic system audit, and exchange inspections. Applicability and exact periodicity should always be confirmed against your specific SEBI registration category and the exchange(s) you are a member of.

How it works
#Stage & What PNPC DoesWhat Generic Providers MissTimeline
1Registration & Scope MappingWe first confirm your exact SEBI registration category — trading member, clearing member, depository participant, or a combination — and which exchanges (NSE, BSE, MCX) and segments (cash, F&O, currency, commodity) you operate in, since the applicable circulars and reporting formats differ by segment and exchange.Week 1
2Prior Audit & Compliance History ReviewWe review your last two half-yearly internal audit reports, any exchange inspection findings, deficiency memos, or show-cause notices received, and the current status of every open item — a broker's compliance history materially shapes where this cycle's audit should focus.Week 1
3Client Fund & Securities Segregation TestingWe independently reconcile the client bank account balances and client securities/demat pool account holdings against the broker's own books and the exchange-reported client obligations — verifying that client money and securities are not co-mingled with the broker's proprietary funds at any point in the cycle, including intraday.Week 2
4Running Account Settlement VerificationWe test whether client funds and securities running accounts were settled at the periodicity the client actually opted for (monthly or quarterly), whether the settlement calculation matches the prescribed methodology, and whether retained amounts for margin obligations were within permissible limits.Week 2
5Margin Collection & Reporting ReconciliationWe reconcile margin actually collected from clients (cash, FDR, bank guarantee, and pledged securities under the margin pledge/re-pledge system) against the margin obligation reported by the exchange, and verify that any shortfall was reported and penalised through the exchange's own mechanism rather than being quietly absorbed.Week 2–3
6UCC Mapping & Client Registration ReviewWe sample-test Unique Client Code allotment and mapping to confirm trades were executed only for clients with valid, current KYC on the KRA system, and that no trading occurred against a code that should have been blocked, suspended, or was never properly mapped.Week 3
7Risk Management System (RMS) Controls TestingWe test the configuration and actual operation of exposure limits, margin-based square-off triggers, and pre-trade risk checks in the RMS — verifying the system worked as configured, not just that a policy document describing it exists.Week 3
8Contract Notes, Brokerage & Statutory Levy VerificationWe test a sample of contract notes for timely generation and dispatch, and verify correct computation and remittance of Securities Transaction Tax (STT), stamp duty, exchange transaction charges, SEBI turnover fees, and GST on brokerage.Week 3–4
9Depository Operations Testing (where DP-registered)For brokers also registered as a Depository Participant, we test demat account opening (KYC and in-person verification), transaction instruction processing, Basic Services Demat Account (BSDA) eligibility classification, and DP-level charges against the SEBI (Depositories and Participants) Regulations, 2018.Week 3–4
10Grievance Redressal & SCORES ComplianceWe verify that client complaints, including those routed through SEBI's SCORES platform and the exchange's own grievance mechanism, were logged, responded to, and resolved within the prescribed timelines, and that root-cause patterns across complaints are being tracked, not just individually closed.Week 4
11Findings Rating & Draft ReportEvery finding is rated by severity, mapped to the specific SEBI regulation or circular it relates to, and accompanied by a specific, implementable remediation recommendation — not a generic 'strengthen controls' comment that will not satisfy an exchange reviewer.Week 4–5
12Management Review & Sign-offThe draft report is walked through with your compliance officer and management before finalisation, management's response to each finding is documented, and the report is finalised in the format expected for submission to the exchange/depository within the SEBI-prescribed timeline.Week 5
13Submission Support & Follow-upWe support submission of the finalised report through the prescribed exchange/depository portal or process within the stipulated deadline, and carry forward open items into the next half-yearly cycle's scope for mandatory re-verification.Per cycle deadline

Realistic timeline: a half-yearly internal audit cycle for a mid-sized broker with cash and F&O segments typically runs 4–6 weeks from fieldwork start to submission-ready report; brokers with additional DP registration, multiple exchange memberships, or a larger client base should plan for a longer cycle. Exact submission deadlines are prescribed by SEBI and the respective exchange/depository circulars in force at the time and should always be confirmed for the specific cycle — PNPC tracks these as part of the engagement.

Document Checklist
Registration & Governance Documents

SEBI registration certificate(s) — trading member, clearing member, and/or depository participant, as applicable

Exchange membership documents for each exchange (NSE, BSE, MCX) and segment (cash, F&O, currency, commodity)

Board/management structure, compliance officer appointment letter, and designated Principal Officer details

Prior two half-yearly internal audit reports and status of all open findings from those cycles

Any SEBI or exchange inspection reports, deficiency memos, or show-cause notices received in the period, with responses filed

Client Fund & Securities Segregation Records

Client bank account statements for all designated client bank accounts, for the full audit period

Broker's own (proprietary) bank account statements, to test for any co-mingling with client funds

Client securities/demat pool account and Client Unpaid Securities Account (CUSA) statements from the depository

Daily/periodic client fund and securities segregation reconciliation working papers prepared internally

Running account settlement working papers and client settlement statements for the sampling period

Margin & Risk Management Records

Margin obligation reports as reported by the exchange for the sampling period

Margin collected from clients — cash, fixed deposit receipts (FDR), bank guarantees, and pledged/re-pledged securities under the margin pledge system

Margin shortfall reports filed with the exchange, if any, and evidence of penalty payment where applicable

RMS configuration documentation — exposure limit parameters, square-off trigger logic, and any manual override log

Client-wise exposure and margin utilisation reports for the sample period

Client Registration & UCC Records

Client Registration Documents (client agreements, KYC forms) for a sample of clients across the period

KRA (KYC Registration Agency) status confirmation for sampled clients

Unique Client Code (UCC) allotment, modification, and deactivation logs

Client risk profiling and suitability documentation, where applicable to the products offered

Transaction & Billing Records

Sample contract notes with dispatch/delivery timestamps for the audit period

Brokerage computation records and statutory levy workings — STT, stamp duty, exchange transaction charges, SEBI turnover fees, GST

Trade log/order log extracts from the trading and back-office systems for the sample period

Bank reconciliation statements for all client and proprietary accounts for the audit period

Compliance & Grievance Records

SCORES (SEBI Complaints Redress System) portal complaint log and resolution status for the period

Exchange investor grievance mechanism complaint log and resolution status

Compliance calendar and evidence of filings made to SEBI/exchange/depository during the period

Internal policies — risk management policy, client fund handling policy, and code of conduct — as currently in force

Depository Participant Records (where applicable)

Demat account opening files for a sample of clients, including KYC and in-person verification records

Delivery Instruction Slip (DIS) / e-DIS processing logs and control checks over unused/blank DIS booklets

Basic Services Demat Account (BSDA) eligibility classification working for sampled accounts

DP-level charge computation and billing records for the sample period

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Registration & OnboardingSEBI/exchange broker or DP registration grantedWe help set up the internal audit calendar, RMS documentation baseline, and client fund segregation controls correctly from the first operating cycle, so the first half-yearly audit is a genuine test of working controls, not a scramble to create documentation retroactively.No baseline controls at launch → the first internal audit cycle surfaces a large volume of foundational findings, some of which may already have caused undetected client fund or margin exposure.
First Half-Yearly CycleApril–September or October–March period endFull-scope testing across segregation, margin, UCC, RMS, and grievance handling; findings documented against the specific SEBI regulation or circular breached, not generic language.Findings not properly evidenced or rated → weak basis for management remediation and limited defensibility if the exchange later reviews the same period.
Ongoing Half-Yearly CyclesEach subsequent half-year endPrior findings re-tested for actual closure; scope refreshed for new circulars, new products, or new exchange segments added since the last cycle.Recurring unresolved findings across cycles → pattern visible to exchange reviewers as a governance weakness, increasing the likelihood of a targeted inspection.
Exchange Inspection or QueryExchange surveillance flags an anomaly or schedules a routine inspectionWe support preparation of the response, reconcile the specific data point in question, and use the inspection as an input to sharpen the next internal audit cycle's scope.Unprepared or inconsistent response to an exchange query → escalation to formal deficiency memo or penalty proceedings that a well-documented internal audit trail could have pre-empted.
Margin Shortfall or Segregation Breach DetectedInternal audit or exchange reporting identifies a shortfall or co-mingling instanceRoot-cause investigation, immediate corrective action plan, and assessment of whether the instance requires proactive disclosure or penalty payment under the applicable circular.Unreported or unresolved segregation breach → escalating regulatory exposure, potential suspension of trading facility in serious or repeated cases.
Business Expansion (new segment, new exchange, DP registration)Broker adds F&O, currency, commodity segment, or depository participant registrationInternal audit scope and compliance calendar updated to reflect the new registration's specific circulars and reporting formats before the next half-yearly cycle.Audit scope not updated for new registration → gaps in a segment that is fully live and generating client exposure but not being tested.
System/Technology ChangeNew trading platform, RMS upgrade, or back-office system migrationInternal audit incorporates system change management testing — verifying the new system's controls (limits, segregation logic, reporting feeds) were validated before go-live and reconcile correctly post-migration.Untested system migration → silent control gaps in the new system that persist until the next audit cycle surfaces them, by which point multiple trading cycles may be affected.

A stock broker's internal audit obligation is continuous and cyclical for as long as the SEBI/exchange registration remains active — it does not end with a single engagement. Each half-yearly cycle builds on the findings and remediation status of the one before it, and the compliance calendar must be updated whenever a new segment, exchange membership, or registration category is added.

Frequently asked
What exactly is a SEBI broker internal audit, in plain terms?

It is a mandatory, independent review — conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant who has no connection with the broker — of how well your broking or depository participant operations actually comply with SEBI and exchange rules on client money handling, margin, client registration, and risk management. It is separate from your annual statutory financial audit and your income-tax audit, and it is submitted to the exchange or depository within the timeline they prescribe.

Practitioner noteNew brokers sometimes assume their statutory auditor's sign-off covers this obligation. It does not — the SEBI internal audit tests a completely different rulebook, focused on client fund segregation, margin, and UCC, not financial statement accuracy.
Is the internal audit mandatory for every stock broker, or only larger ones?

SEBI's framework requires every registered trading member and depository participant to have their operations internally audited on a half-yearly basis by an independent practising professional, regardless of size — there is no small-broker exemption from the requirement itself, though the depth and complexity of the audit will naturally scale with the volume and nature of the broker's business.

Practitioner noteWe regularly see smaller and newer brokers underestimate this obligation because they associate 'internal audit' with the larger, discretionary corporate function. For a SEBI-registered broker, this is not discretionary — it is a registration condition.
How often must the internal audit be conducted?

Half-yearly, covering the two half-years of the financial year — broadly April to September and October to March — with the report to be placed before management and submitted to the relevant exchange or depository within the timeline stipulated by SEBI and exchange circulars in force at the time of the relevant cycle.

Practitioner noteSubmission deadlines and formats are updated periodically through SEBI and exchange circulars. We track the current deadline for each client's specific cycle rather than relying on a fixed calendar date that may have since changed.
Who is eligible to conduct a stock broker's internal audit?

An independent practising Chartered Accountant, Company Secretary, or Cost Accountant who is not connected with the broker — meaning not an employee, and without the kind of relationship that would compromise independence, similar in spirit to the independence requirements for a statutory auditor. The person conducting the audit should also, in practice, have working familiarity with the SEBI and exchange regulatory framework specific to broking operations, since a generalist internal auditor without this specific domain exposure is unlikely to catch broker-specific control gaps.

Practitioner noteWe have taken over broker internal audit engagements where the prior auditor was independent in the formal sense but had no real broking-sector exposure — the reports were technically compliant but substantively thin. Domain familiarity matters as much as formal independence.
Can our statutory auditor also serve as our SEBI internal auditor?

Generally, no, if your broking entity is a company. Section 144 of the Companies Act, 2013 specifically bars a company's statutory auditor from also rendering internal audit services to that same company, precisely to preserve independence — and SEBI's internal audit is, in substance, an internal audit engagement. For broking entities structured as partnerships or other non-company forms where Section 144 does not directly apply, the same independence logic still generally counsels appointing a different CA firm for the two functions. We recommend confirming your specific position with your compliance officer and legal counsel, since the precise application can depend on your entity type and existing auditor engagement terms.

Practitioner noteWe keep the two functions with different firms as a matter of course, not just where strictly required by law — a second, independent set of eyes on client fund handling and margin compliance is valuable in its own right, beyond any statutory independence rule.
What is the difference between client fund segregation testing and a bank reconciliation?

A standard bank reconciliation confirms that your books match your bank statement. Client fund segregation testing goes further — it verifies that client money was kept entirely separate from the broker's own (proprietary) funds throughout the period, was not used to fund the broker's own trading or operating expenses even temporarily, and that any client fund balance held by the broker corresponds to a genuine, currently valid client obligation. It is a substantive compliance test, not just an arithmetic reconciliation.

Practitioner noteThe most common finding we see in this area is not outright fraud but operational sloppiness — client and proprietary funds briefly intermingled during a settlement cycle due to a manual process gap. It is still a reportable finding and needs a process fix, even when there is no intent to misuse funds.
What happens if client funds and securities are found to be co-mingled with the broker's own funds?

This is treated as a serious compliance breach under SEBI's client fund and securities segregation framework. Depending on severity and whether it is an isolated operational lapse or a pattern, consequences can range from a documented finding requiring immediate remediation, to exchange-level penalty action, to more serious regulatory consequences including restrictions on the broker's trading facility in egregious or repeated cases. The specific consequence depends on the facts, the amount involved, and whether the broker proactively identified and disclosed the issue.

Practitioner noteSelf-identification and prompt remediation, documented through the internal audit process, is always a materially better position than the same issue being discovered first by the exchange or SEBI. We treat any segregation finding as high-priority and escalate it immediately to management, not just in the routine draft report cycle.
What is a running account, and how does the audit test it?

A running account is the mechanism under which a broker can retain client funds and securities beyond a single settlement, rather than paying out or delivering after every trade, subject to the client's specific written authorisation and periodic mandatory settlement — either monthly or quarterly, as the client has opted. The audit tests whether the running account was actually settled at the periodicity the client selected, whether amounts retained beyond settlement were within the limits permitted for margin obligations, and whether the settlement calculation itself followed the prescribed methodology.

Practitioner noteWe frequently find running account settlement calculated correctly in aggregate but with individual client-level errors that would not show up in a portfolio-level reconciliation. Sample testing at the individual client level, not just aggregate reconciliation, is essential to catch this.
How is margin collection tested, and why does it matter so much?

We reconcile the margin the broker actually collected from each sampled client — cash, fixed deposit receipts, bank guarantees, and pledged or re-pledged securities under the margin pledge mechanism — against the margin obligation the exchange reported for that client's positions. Any gap is a margin shortfall, which the broker is required to report to the exchange and which typically attracts a penalty. Margin discipline is central to systemic market stability — under-collateralised positions are exactly the exposure SEBI's margin framework is designed to prevent, which is why this is one of the most heavily tested areas in any broker internal audit.

Practitioner noteA margin shortfall that was correctly identified, reported, and penalty-paid by the broker itself is a routine, expected finding — it happens in the ordinary course of business. A shortfall that was neither reported nor reflected anywhere in the broker's own records is a materially more serious finding, because it suggests the monitoring process itself failed.
What is a Unique Client Code (UCC) and why is UCC testing part of the audit?

Every client must be allotted a Unique Client Code before any trade can be executed on their behalf, and that code must be correctly mapped to the client's KYC-verified identity on the KYC Registration Agency (KRA) system. UCC testing verifies that trades in the sample were executed only against validly allotted, correctly mapped, and currently active client codes — and flags any instance of trading against a code that should have been blocked, was allotted to the wrong client, or lacked current KYC.

Practitioner noteUCC mismatches are a recurring finding in high-volume, high-client-turnover broking businesses, particularly around onboarding and offboarding timing gaps. We specifically sample newly onboarded and recently closed client codes, since errors cluster around those transition points.
Does the internal audit cover the broker's Risk Management System (RMS)?

Yes. RMS testing is a core part of the engagement — we review the configured exposure limits, margin-based square-off trigger logic, and pre-trade risk checks, and test whether the system actually operated as configured during the period, including reviewing any manual overrides applied by the risk desk and whether those overrides were properly authorised and documented.

Practitioner noteManual RMS overrides are not inherently a problem — brokers legitimately need this flexibility for specific client situations — but undocumented or unauthorised overrides are a red flag we specifically look for, since they can mask a control that was effectively disabled.
How does the audit treat depository participant (DP) operations if we are also registered as a DP?

Where a broker also holds a Depository Participant registration with NSDL or CDSL, the internal audit separately tests demat account opening procedures (KYC and in-person verification), Delivery Instruction Slip processing controls, Basic Services Demat Account eligibility classification, and DP-level charge computation, against the SEBI (Depositories and Participants) Regulations, 2018 and the applicable depository bye-laws — this is scoped as an additional, specific stream of testing, not folded generically into the broking-side review.

Practitioner noteBrokers combining trading member and DP registrations sometimes assume one internal audit report can loosely cover both. The two frameworks are related but distinct, and we structure the report with clearly separated sections so it is defensible against either regulatory lens independently.
What is the SCORES platform and how does it factor into the audit?

SCORES (SEBI Complaints Redress System) is SEBI's centralised online platform through which investors can lodge complaints against registered intermediaries, including stock brokers. The audit reviews the broker's SCORES complaint log and resolution timeline for the period, alongside the exchange's own investor grievance mechanism, to verify complaints were acknowledged and resolved within the prescribed timelines and that recurring complaint patterns are being identified and addressed at a root-cause level, not just closed individually.

Practitioner noteA cluster of similar complaints — for example, repeated grievances about contract note delays or a specific product mis-selling pattern — is itself a finding worth escalating, even if each individual complaint was technically resolved within the timeline.
What documents do we need to have ready before the audit begins?

Broadly: client and proprietary bank statements, client securities/demat pool account statements, margin obligation and collection records, UCC allotment and KYC records, contract notes and brokerage computation records, RMS configuration documentation, SCORES and exchange grievance logs, and your prior internal audit reports with the status of open findings. PNPC provides a detailed, engagement-specific document request list at kick-off, scoped to your exact registration category and segments.

Practitioner noteThe single biggest cause of audit delay we see is client and proprietary bank statements not being readily separable, or reconciliation working papers not being maintained contemporaneously through the period. We flag this as a process improvement in almost every first-cycle engagement with a new client.
How long does a half-yearly internal audit cycle take?

For a mid-sized broker with cash and F&O segments, a typical cycle runs roughly 4–6 weeks from fieldwork start to a submission-ready report, assuming documents are made available promptly. Brokers with additional depository participant registration, multiple exchange memberships, a larger or more complex client base, or open findings from the prior cycle requiring deeper follow-up testing should expect a longer cycle.

Practitioner noteWe recommend starting the engagement well ahead of the submission deadline — a compressed timeline is the most common reason findings get under-tested or documentation gets rushed, neither of which serves the broker well if the report is later scrutinised by the exchange.
What happens to findings from one cycle — are they carried forward?

Yes. Every open finding from a half-yearly cycle is carried into the scope of the next cycle and specifically re-tested to confirm actual remediation, not accepted on management's word alone. A finding that recurs across multiple consecutive cycles is flagged distinctly in the report, since a persistent, unremediated finding is a materially different risk signal than a one-off operational lapse.

Practitioner noteExchange reviewers who examine internal audit reports over time can and do notice a finding that appears, worded almost identically, across several consecutive cycles. That pattern reads as a governance failure even if each individual finding is relatively minor.
What is the difference between the half-yearly internal audit and a Cyber Security / System Audit?

The half-yearly internal audit covers operational and financial compliance — client fund segregation, margin, UCC, RMS, grievance handling. The Cyber Security and Cyber Resilience Framework (CSCRF) audit and the separate System Audit are distinct, more technically specialised reviews of the broker's IT infrastructure, data security controls, business continuity and disaster recovery arrangements, and cyber-incident response readiness, each governed by its own SEBI circular framework and typically conducted by an auditor with specific systems-audit or CERT-In empanelment credentials in addition to CA qualification. These may be required of the same broker depending on its category and client base, but are generally scoped, quoted, and conducted as separate engagements from the half-yearly internal audit.

Practitioner noteWe coordinate the calendar for clients who need both, so the two engagements do not create duplicate document requests or conflicting timelines, even though the technical scope and reporting format differ.
What triggers an exchange inspection, and how does a strong internal audit history help?

Exchanges conduct both scheduled, risk-based inspections and targeted inspections triggered by a specific surveillance alert, investor complaint pattern, or reported anomaly (such as a margin shortfall or unusual trading pattern). A consistent history of thorough, well-documented half-yearly internal audits — with findings properly rated, root-caused, and demonstrably remediated — is a meaningful mitigating factor: it signals a broker with functioning internal controls and gives the exchange team a documented trail to review rather than starting from a blank slate.

Practitioner noteWe have supported clients through exchange inspections where a strong internal audit paper trail materially shortened the inspection process, because much of what the inspection team needed to verify had already been tested and documented in prior cycles.
Can PNPC help if we've already received a deficiency memo or show-cause notice from an exchange?

Yes. We support brokers in investigating the specific issue flagged, reconciling the underlying data, preparing a factual and well-evidenced response, and — where the issue points to a genuine control gap — designing and implementing the corrective action, which we then verify in the next internal audit cycle. Responding to a deficiency memo with a rushed or incomplete explanation typically escalates the matter; a thorough, evidenced response is the better path even when it takes a few extra days to prepare properly.

Practitioner noteWe always recommend involving your compliance officer and, where the matter is significant, legal counsel alongside the audit response — a deficiency memo response has both a technical/audit dimension and a regulatory-relationship dimension that benefit from being handled together.
Does the audit scope differ for cash market, F&O, currency, and commodity segments?

Yes, materially. While the core principles — segregation, margin, UCC, RMS — apply across segments, the specific margin methodology, product-level risk controls, and certain reporting formats differ between cash market, equity derivatives (F&O), currency derivatives, and commodity derivatives (MCX). A broker operating across multiple segments needs a scope that explicitly covers each segment's specific rules, not a single generic test applied uniformly.

Practitioner noteWe map each client's specific segment mix at the start of every engagement and build the audit programme around that exact combination — a broker active only in cash and F&O has a different testing programme from one also active in commodity derivatives.
What if we are a new broker in our first year of operations — is the first audit different?

Yes, typically. The first cycle for a newly registered broker often has a shorter operating history to test but tends to surface more foundational process gaps, simply because compliance processes, reconciliation discipline, and documentation habits are still being established. We treat the first cycle as an opportunity to help the compliance officer and operations team build the right habits from the outset, rather than only flagging what went wrong.

Practitioner noteNew brokers who engage PNPC before their first live trading day, so we can review the RMS setup, segregation account structure, and compliance calendar pre-launch, consistently have a materially cleaner first internal audit cycle than those who only engage us once the half-year is already over.
How is brokerage and statutory levy computation tested?

We sample-test contract notes and the underlying trade data to verify that brokerage was computed per the agreed client rate, and that statutory levies — Securities Transaction Tax (STT), stamp duty, exchange transaction charges, SEBI turnover fees, and GST on brokerage — were correctly computed, collected, and remitted. Errors here typically surface either as under-collection (a revenue leakage and potential compliance issue for the broker) or over-collection (a client-facing compliance and reputational issue).

Practitioner noteStamp duty computation in particular has state-specific and instrument-specific nuances that automated systems sometimes misconfigure at setup and never get revisited. We specifically test this against the current applicable rates for the client's registered state and instrument mix.
Do you also help with the annual statutory audit and tax audit for brokers, or only the SEBI internal audit?

PNPC supports brokers across the full audit and compliance calendar — the SEBI-mandated half-yearly internal audit, the annual statutory financial audit under the Companies Act, the applicable tax audit where the broker's turnover crosses the prescribed threshold (under the tax-audit provisions of the Income Tax Act, 2025, successor to the erstwhile Section 44AB), and, where the broker needs it, coordination with a specialised Cyber Security/System auditor. Running these under one coordinated engagement calendar, with one firm holding institutional knowledge of your operations across all of them, reduces duplicated document requests and keeps your compliance calendar coherent.

Practitioner noteWe do recommend keeping the statutory auditor and the SEBI internal auditor as genuinely separate functions even when both are handled by PNPC-affiliated teams, to preserve the independence and fresh-perspective value of each — we structure our engagement letters to make this separation explicit.
What does the PNPC broker internal audit package include?

A typical engagement includes: registration and scope mapping against your exact SEBI/exchange registrations; review of prior audit history and open findings; client fund and securities segregation testing; running account settlement verification; margin collection and reporting reconciliation; UCC mapping and client registration review; RMS controls testing; contract note, brokerage, and statutory levy verification; depository participant operations testing where applicable; SCORES and grievance redressal review; a risk-rated findings report mapped to the specific SEBI regulation or circular; management review and sign-off support; and submission support within the prescribed deadline. Exact scope and fee are agreed in writing before the engagement begins, based on your registration category, segments, and client base size.

Practitioner noteAsk any provider quoting a flat, very low fee for this engagement exactly which of the above testing areas are included — fee compression in broker internal audit typically shows up as skipped segregation testing depth or token UCC sampling, which are precisely the areas exchanges scrutinise most closely.
How much does a SEBI broker internal audit engagement with PNPC cost?

Fees depend on your registration category (trading member, clearing member, DP, or a combination), the number of exchanges and segments you operate in, your client base size and transaction volume, and whether the engagement is a fresh first-cycle audit or a continuing engagement with an established control baseline. We provide a written scope and fee proposal, structured as a per-half-yearly-cycle or annual retainer fee, before any engagement begins.

Practitioner noteWe price based on actual testing scope required for your specific operations, not a flat generic fee — a single-segment, low-volume broker and a multi-segment, high-volume broker with a DP registration require materially different levels of testing effort, and the fee should reflect that honestly.
Why should we engage PNPC rather than a lower-cost generic auditor for this engagement?

A genuinely useful broker internal audit requires an auditor with real working familiarity with SEBI and exchange circulars specific to broking operations — not a general-purpose internal auditor applying a generic checklist to a specialised, fast-moving regulatory framework. PNPC has been a practising CA firm since 1986, with teams across Chennai, Bangalore, Hyderabad, and Dubai, and we approach every broker internal audit with substantive segregation and margin testing, clear findings mapped to the specific regulation breached, and follow-up re-testing every cycle — the depth exchange reviewers actually expect to see.

Practitioner noteClients who come to us after a low-cost provider's engagement often bring reports with generic, boilerplate findings language and no evidence of substantive segregation or margin reconciliation testing — technically a report was filed, but it would not withstand real scrutiny if the exchange looked closely at the underlying work.
Can PNPC support brokers with operations or group entities in the UAE as well as India?

Yes. PNPC operates from Chennai, Bangalore, and Hyderabad in India, and from Dubai in the UAE. For broking groups with an Indian SEBI-registered entity and a related UAE entity — for example, a UAE-based advisory or introducing arrangement feeding into the Indian broking business — we coordinate the India-side SEBI internal audit with the appropriate India-UAE cross-border and group-level compliance review, rather than treating the two as disconnected engagements handled by separate, uncoordinated firms.

Practitioner noteCross-border referral and introducing-broker arrangements between an Indian broker and a UAE entity have their own regulatory considerations on both sides — we flag this specifically where relevant during scope-setting, since it is easy to overlook if the audit is scoped narrowly to the Indian entity alone.
What happens if we simply skip or delay the half-yearly internal audit?

Non-submission or late submission of the mandated half-yearly internal audit report is treated as a compliance lapse by the exchange/depository and can attract monetary penalties, formal deficiency communication, and, in the case of repeated or serious non-compliance, more significant regulatory consequences up to restrictions on the broker's trading facility. Beyond the direct penalty, skipping the audit also means genuine control gaps — segregation issues, margin shortfalls, UCC errors — go undetected internally until an external party, such as the exchange itself, finds them first.

Practitioner noteWe have never seen a case where deferring or skipping this audit turned out to be the cheaper option once the eventual regulatory and remediation cost is factored in. We build reminders into our compliance calendar well ahead of each half-yearly deadline specifically to prevent this.
Does the audit look at algorithmic trading or colocation arrangements if we offer them to clients?

Where a broker offers algorithmic trading facilities or has colocation arrangements with an exchange, these carry additional SEBI requirements around algo approval, risk controls specific to algorithmic order flow, and system audit obligations that go beyond the standard half-yearly internal audit scope. We scope this explicitly as part of the engagement for brokers offering these facilities, and coordinate with a specialised systems auditor where the technical depth required exceeds a standard operational internal audit.

Practitioner noteAlgo trading risk controls are an area where we specifically recommend brokers not rely solely on the half-yearly internal audit cycle — the risk profile changes fast enough that more frequent, targeted review of algo-specific controls is usually warranted alongside the standard cycle.
How does PNPC handle confidentiality of client and trading data during the audit?

Client trading data, personal KYC information, and financial records reviewed during the engagement are handled under the same professional confidentiality obligations that apply to all our audit and assurance work, governed by our engagement letter and applicable professional standards. Access to underlying systems and data is scoped to what is necessary for the specific testing being performed, and working papers are retained and secured per our firm's data-retention and confidentiality policy.

Practitioner noteBrokers handling sensitive client financial data are understandably careful about who gets system access during an audit — we agree the specific access model (read-only reporting extracts versus direct system access) with your IT and compliance team at the start of every engagement.
What is a margin pledge and re-pledge system, and how does the audit test it?

The margin pledge and re-pledge mechanism allows clients to pledge their securities held in their own demat account as collateral for margin, with the broker re-pledging that collateral (where structured to do so) to the clearing corporation, rather than the older system of securities being transferred into a broker-controlled account. The audit verifies that pledge creation, invocation (in case of a margin call default), and release are correctly processed and documented, and that the broker is not holding client securities as collateral outside this prescribed pledge mechanism.

Practitioner noteThis mechanism replaced an older Power of Attorney-based collateral model industry-wide, and we specifically check that no residual old-model practices — client securities held or transferred outside the current pledge framework — persist in a broker's operations, since this is exactly the kind of legacy practice that can be overlooked.
Can the internal audit identify issues before they become client complaints or exchange findings?

That is the core value of a genuinely substantive internal audit — testing segregation, margin, and UCC controls proactively, on a representative sample, is designed to surface a control gap before it manifests as a client complaint, a margin default, or an exchange-detected anomaly. A checklist-only audit that merely confirms policy documents exist, without substantively testing whether those policies were followed in practice, will miss exactly the kind of operational gap that later surfaces as a real problem.

Practitioner noteWe measure the value of a broker internal audit cycle by whether it found something the broker's own team had not already identified — a cycle that only confirms what management already knew is a compliance formality, not genuine assurance.
How does PNPC stay current with frequently changing SEBI circulars relevant to broker audits?

SEBI and the exchanges issue circulars on margin methodology, segregation reporting formats, running account rules, and related operational matters on an ongoing basis, and the applicable framework for a given half-yearly cycle should always be confirmed against circulars in force at that time rather than assumed to be static. PNPC's audit teams track circular updates relevant to the broking sector as part of maintaining our audit methodology, and we confirm the current applicable framework for each client's specific cycle before finalising scope.

Practitioner noteWe explicitly flag to clients when a circular update mid-cycle changes a reporting format or methodology, since it is common for a broker's own back-office system configuration to lag behind a regulatory update by several weeks or more.
Why PNPC Global
FeatureLow-Cost / Generic AuditorIn-House Compliance Team OnlyPNPC Global
Broking-sector familiarityGeneric internal audit checklist applied to a specialised businessDeep on own operations, but lacks independent cross-broker benchmarkingPractising CA teams with specific working familiarity with SEBI/exchange broker circulars
Segregation & margin testing depthAggregate-level reconciliation only, token samplingDepends entirely on internal team's independence and bandwidthClient-level segregation and margin reconciliation, not just portfolio aggregates
Findings mapped to specific regulationGeneric 'strengthen controls' languageVaries by team maturityEvery finding mapped to the specific SEBI regulation or circular breached
Follow-up & re-testingRarely re-tested — accepted as 'closed' on management's wordDepends on team disciplineEvery open finding re-tested in the next half-yearly cycle before closure
Coordination with statutory & tax auditNot offered — separate, uncoordinated engagementsInternal team manages coordination manuallyCoordinated compliance calendar across internal, statutory, and tax audit engagements
India-UAE coordinationNot offeredNot applicable unless the group has its own multi-jurisdiction teamUnified support for India-UAE broking/advisory group structures from Chennai/Bangalore/Hyderabad and Dubai offices
Exchange inspection supportEngagement ends at report submissionInternal team handles response aloneDirect support preparing responses to deficiency memos and inspection queries
Relationship modelTransactional, priced to minimise scopeEmployment relationship, subject to internal pressuresIndependent, practising-CA relationship with engagement continuity across cycles

What the PNPC package includes

  1. 01

    Registration and scope mapping against your exact SEBI trading member, clearing member, and/or DP registrations

  2. 02

    Client fund and securities segregation testing at the individual client level, not just portfolio aggregates

  3. 03

    Running account settlement verification against the periodicity each client opted for

  4. 04

    Margin collection and shortfall reporting reconciliation against exchange-reported obligations

  5. 05

    Unique Client Code (UCC) mapping and KYC/KRA validation sample testing

  6. 06

    Risk Management System (RMS) configuration and operating-effectiveness testing, including manual override review

  7. 07

    Contract note, brokerage, and statutory levy (STT, stamp duty, exchange charges, GST) verification

  8. 08

    Depository Participant operations testing for brokers also registered as a DP

  9. 09

    SCORES and exchange grievance redressal timeline and root-cause review

  10. 10

    Risk-rated findings report mapped to the specific SEBI regulation or circular for each finding

  11. 11

    Management review, sign-off support, and submission support within the prescribed deadline

  12. 12

    Every open finding carried forward and re-tested in the next half-yearly cycle

  13. 13

    Coordinated calendar with your statutory audit, tax audit, and Cyber Security/System audit where needed

  14. 14

    Direct contact with your engagement CA — by phone and WhatsApp — not a support queue

Speak directly with a PNPC Chartered Accountant about your broker internal audit obligations and compliance calendar. Not a generic checklist bolted onto a broking business — a practising CA firm that has worked with regulated financial intermediaries since 1986, and that tests client fund segregation and margin discipline with the rigour your exchange expects.

← Back to Audit & Assurance
Talk to a CA