Audit & Assurance · Capital Market & SEBI Audit
Internal Audit & SEBI Compliance Review for Brokers
Stock broking is one of the most tightly supervised businesses in India — client funds and securities segregation, running account settlement, margin reporting, and Unique Client Code discipline are all monitored by SEBI and the stock exchanges in near real time.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Stock broking is one of the most tightly supervised businesses in India — client funds and securities segregation, running account settlement, margin reporting, and Unique Client Code discipline are all monitored by SEBI and the stock exchanges in near real time. A single lapse in client fund handling or a missed half-yearly internal audit submission can trigger an exchange inspection, a monetary penalty, or in serious cases suspension of trading terminals. At PNPC Global, we conduct the half-yearly internal audit mandated for trading members, clearing members, and depository participants with the rigour SEBI and the exchanges expect — testing client fund segregation, margin collection, UCC mapping, and back-office controls against the actual regulatory framework your registration operates under, not a generic audit checklist. We have supported regulated financial intermediaries since 1986, across India and the UAE.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
Internal Audit of stock brokers is a SEBI-mandated, periodic, risk-based examination of a registered broker's operations, systems, and controls — distinct from the statutory financial audit conducted under the Companies Act or the tax audit conducted under the Income-tax Act. SEBI requires every registered stock broker (trading member) and depository participant to have its operations internally audited by a practising Chartered Accountant, Company Secretary, or Cost Accountant who is not connected with the broker, on a half-yearly basis, covering the two half-years of the financial year (April–September and October–March). The audit report must be placed before the broker's management and, in the manner prescribed by SEBI and the respective stock exchange or depository, submitted within the stipulated timeline. This is a compliance obligation layered on top of — not a replacement for — the broker's regular statutory audit under the Companies Act and the tax audit applicable to businesses above the prescribed turnover threshold (historically conducted under Section 44AB of the Income-tax Act, 1961; carried forward under the corresponding tax-audit provision of the Income Tax Act, 2025, which took effect from 1 April 2026).
The scope of a stock-broker internal audit is fundamentally different from a general corporate internal audit because it is anchored to a specific, detailed regulatory framework: the SEBI (Stock Brokers) Regulations, 1992 (as amended), SEBI circulars on client fund and securities segregation and the Client Funds/Securities running account settlement mechanism, exchange bye-laws and business rules of the National Stock Exchange (NSE), BSE, and Multi Commodity Exchange (MCX) where applicable, SEBI's margin trading and margin collection/reporting framework, Know Your Client (KYC) and Client Registration norms under the KYC Registration Agency (KRA) system, Unique Client Code (UCC) mapping and validation requirements, the SEBI (Depositories and Participants) Regulations, 2018 for brokers also registered as Depository Participants, and the exchange-prescribed formats for reporting margin, client collateral, and segregation compliance. A broker internal auditor is therefore testing not just financial controls but adherence to a dense, exchange-specific and SEBI-specific rulebook that changes frequently through circulars.
Core areas typically covered in a broker internal audit include: verification that client funds and client securities are kept segregated from the broker's own funds/securities and are not co-mingled or used for proprietary purposes; testing of the running account settlement of funds and securities with clients at the periodicity the client has opted for (monthly or quarterly, as permitted); verification of margin collection from clients against exchange-reported margin obligations and reconciliation of any shortfall reporting; testing of Unique Client Code (UCC) allotment, modification, and mapping to ensure trades are executed only for validly registered and KYC-compliant clients; verification of contract note generation and dispatch, brokerage and statutory levy computation (STT, stamp duty, SEBI turnover fees, GST, exchange transaction charges); review of risk management system (RMS) controls including exposure limits, margin calls, and square-off triggers; testing of client bank account and client securities account (demat pool/client unpaid securities account) reconciliation; and verification of compliance with SEBI circulars on investor grievance redressal (SCORES) and periodic, risk-based Client Due Diligence under SEBI's AML/KYC framework, where applicable.
A related but distinct obligation is the Cyber Security and Cyber Resilience audit (System Audit) mandated by SEBI for stock brokers and depository participants meeting prescribed criteria — typically conducted periodically (annually or once in two years depending on the broker's category and client base, per SEBI's applicable circular) — along with separate reporting obligations under SEBI's framework addressing technical glitches in brokers' electronic trading systems and its algorithmic trading governance requirements for larger, algorithmic, and colocation-enabled brokers. These are all separate engagements from the half-yearly internal audit but are frequently coordinated together by the same compliance and audit calendar. PNPC's engagement is scoped precisely to what your broker registration category (trading member, clearing member, depository participant, or a combination) actually requires — over-scoping wastes fees, and under-scoping leaves genuine regulatory exposure.
When this engagement applies to you
You are a SEBI-registered stock broker (trading member) on NSE, BSE, or MCX and are statutorily required to have a half-yearly internal audit conducted by an independent practising CA, CS, or CWA
You are registered as a Depository Participant (DP) with NSDL or CDSL and require an internal audit of your depository operations under the SEBI (Depositories and Participants) Regulations, 2018
You are a clearing member handling client funds and securities settlement and need assurance that segregation and running account norms are being followed correctly
Your compliance team or Board wants an independent, pre-inspection health check ahead of a scheduled SEBI or exchange inspection
You have received an exchange query, deficiency memo, or show-cause notice relating to margin reporting, UCC mismatches, or client fund segregation and need a documented remediation review
You are launching or have recently launched broking operations and need your internal audit function, RMS controls, and compliance calendar designed correctly from the first audit cycle
You operate in multiple segments (cash, F&O, currency, commodity) or across multiple exchanges and need a coordinated audit covering all registrations under one engagement
When a different engagement may be more relevant
You need the broker's annual statutory financial audit under the Companies Act — that is a separate, distinct engagement from the SEBI-mandated internal audit, though PNPC can coordinate both
You need a Cyber Security and Cyber Resilience (System) Audit specifically — this is a specialised technical audit with its own SEBI framework and is typically scoped and quoted separately from the operational internal audit, though we coordinate the calendar for clients who need both
You are an individual investor or trader looking for tax or compliance advice on your own trading activity — that falls under our Income Tax and capital gains advisory services, not broker internal audit
You are a mutual fund distributor, investment adviser, or portfolio manager without a stock broking or depository participant registration — these SEBI intermediary categories have their own distinct compliance and audit obligations
You need general internal audit for a company that has no SEBI broker or depository registration — our standard risk-based Internal Audit service is the correct fit, not this specialised broker-audit engagement
SEBI Broker Internal Audit vs other audits and reviews a stock broker undergoes
| Feature | SEBI Broker Internal Audit | Statutory Financial Audit | Cyber Security / System Audit | Exchange Inspection | Tax Audit |
|---|---|---|---|---|---|
| Governing framework | SEBI (Stock Brokers) Regulations 1992 + SEBI/exchange circulars | Companies Act 2013, Standards on Auditing | SEBI cyber security & cyber resilience circulars | Exchange bye-laws and business rules | Tax-audit provisions of the Income Tax Act, 2025 (successor to Section 44AB of the erstwhile Income-tax Act, 1961) |
| Who conducts it | Independent practising CA, CS, or CWA not connected with the broker | Statutory auditor appointed under the Companies Act | Empanelled CERT-In auditor or specialised systems auditor | Exchange's own inspection/surveillance team | Independent chartered accountant |
| Frequency | Half-yearly (Apr–Sep and Oct–Mar cycles) | Annual, at financial year end | Periodic per SEBI's prescribed cycle for the broker category | As scheduled by the exchange, risk-based | Annual, alongside the tax return |
| Primary focus | Client fund/securities segregation, margin, UCC, RMS, running account | True and fair view of financial statements | IT infrastructure, data security, business continuity, access controls | Overall regulatory and operational compliance | Tax computation accuracy and Form 3CD particulars |
| Report goes to | Broker's management/Board, and exchange/depository as prescribed | Shareholders, via the Board, filed with MCA | SEBI/exchange as prescribed by the applicable circular | Exchange management, may escalate to SEBI | Income-tax Department |
| Mandatory for | Every registered trading member, clearing member, and DP | Every company registered under the Companies Act | Brokers/DPs meeting SEBI's prescribed threshold criteria | All registered members, at the exchange's discretion | Businesses above prescribed turnover limits |
| Consequence of default | Exchange penalty, deficiency memo, possible suspension of trading facility | MCA penalty, audit qualification, director liability | Regulatory action, potential trading facility restriction | Warning, monetary penalty, membership action in serious cases | Statutory penalty for non-compliance and consequential disallowances (provision carried forward from erstwhile Section 271B) |
These audits are complementary and frequently run on overlapping but distinct calendars for the same broker. A broker with cash, F&O, and DP registrations may simultaneously be subject to the half-yearly internal audit, an annual statutory audit, a periodic system audit, and exchange inspections. Applicability and exact periodicity should always be confirmed against your specific SEBI registration category and the exchange(s) you are a member of.
| # | Stage & What PNPC Does | What Generic Providers Miss | Timeline |
|---|---|---|---|
| 1 | Registration & Scope Mapping | We first confirm your exact SEBI registration category — trading member, clearing member, depository participant, or a combination — and which exchanges (NSE, BSE, MCX) and segments (cash, F&O, currency, commodity) you operate in, since the applicable circulars and reporting formats differ by segment and exchange. | Week 1 |
| 2 | Prior Audit & Compliance History Review | We review your last two half-yearly internal audit reports, any exchange inspection findings, deficiency memos, or show-cause notices received, and the current status of every open item — a broker's compliance history materially shapes where this cycle's audit should focus. | Week 1 |
| 3 | Client Fund & Securities Segregation Testing | We independently reconcile the client bank account balances and client securities/demat pool account holdings against the broker's own books and the exchange-reported client obligations — verifying that client money and securities are not co-mingled with the broker's proprietary funds at any point in the cycle, including intraday. | Week 2 |
| 4 | Running Account Settlement Verification | We test whether client funds and securities running accounts were settled at the periodicity the client actually opted for (monthly or quarterly), whether the settlement calculation matches the prescribed methodology, and whether retained amounts for margin obligations were within permissible limits. | Week 2 |
| 5 | Margin Collection & Reporting Reconciliation | We reconcile margin actually collected from clients (cash, FDR, bank guarantee, and pledged securities under the margin pledge/re-pledge system) against the margin obligation reported by the exchange, and verify that any shortfall was reported and penalised through the exchange's own mechanism rather than being quietly absorbed. | Week 2–3 |
| 6 | UCC Mapping & Client Registration Review | We sample-test Unique Client Code allotment and mapping to confirm trades were executed only for clients with valid, current KYC on the KRA system, and that no trading occurred against a code that should have been blocked, suspended, or was never properly mapped. | Week 3 |
| 7 | Risk Management System (RMS) Controls Testing | We test the configuration and actual operation of exposure limits, margin-based square-off triggers, and pre-trade risk checks in the RMS — verifying the system worked as configured, not just that a policy document describing it exists. | Week 3 |
| 8 | Contract Notes, Brokerage & Statutory Levy Verification | We test a sample of contract notes for timely generation and dispatch, and verify correct computation and remittance of Securities Transaction Tax (STT), stamp duty, exchange transaction charges, SEBI turnover fees, and GST on brokerage. | Week 3–4 |
| 9 | Depository Operations Testing (where DP-registered) | For brokers also registered as a Depository Participant, we test demat account opening (KYC and in-person verification), transaction instruction processing, Basic Services Demat Account (BSDA) eligibility classification, and DP-level charges against the SEBI (Depositories and Participants) Regulations, 2018. | Week 3–4 |
| 10 | Grievance Redressal & SCORES Compliance | We verify that client complaints, including those routed through SEBI's SCORES platform and the exchange's own grievance mechanism, were logged, responded to, and resolved within the prescribed timelines, and that root-cause patterns across complaints are being tracked, not just individually closed. | Week 4 |
| 11 | Findings Rating & Draft Report | Every finding is rated by severity, mapped to the specific SEBI regulation or circular it relates to, and accompanied by a specific, implementable remediation recommendation — not a generic 'strengthen controls' comment that will not satisfy an exchange reviewer. | Week 4–5 |
| 12 | Management Review & Sign-off | The draft report is walked through with your compliance officer and management before finalisation, management's response to each finding is documented, and the report is finalised in the format expected for submission to the exchange/depository within the SEBI-prescribed timeline. | Week 5 |
| 13 | Submission Support & Follow-up | We support submission of the finalised report through the prescribed exchange/depository portal or process within the stipulated deadline, and carry forward open items into the next half-yearly cycle's scope for mandatory re-verification. | Per cycle deadline |
Realistic timeline: a half-yearly internal audit cycle for a mid-sized broker with cash and F&O segments typically runs 4–6 weeks from fieldwork start to submission-ready report; brokers with additional DP registration, multiple exchange memberships, or a larger client base should plan for a longer cycle. Exact submission deadlines are prescribed by SEBI and the respective exchange/depository circulars in force at the time and should always be confirmed for the specific cycle — PNPC tracks these as part of the engagement.
SEBI registration certificate(s) — trading member, clearing member, and/or depository participant, as applicable
Exchange membership documents for each exchange (NSE, BSE, MCX) and segment (cash, F&O, currency, commodity)
Board/management structure, compliance officer appointment letter, and designated Principal Officer details
Prior two half-yearly internal audit reports and status of all open findings from those cycles
Any SEBI or exchange inspection reports, deficiency memos, or show-cause notices received in the period, with responses filed
Client bank account statements for all designated client bank accounts, for the full audit period
Broker's own (proprietary) bank account statements, to test for any co-mingling with client funds
Client securities/demat pool account and Client Unpaid Securities Account (CUSA) statements from the depository
Daily/periodic client fund and securities segregation reconciliation working papers prepared internally
Running account settlement working papers and client settlement statements for the sampling period
Margin obligation reports as reported by the exchange for the sampling period
Margin collected from clients — cash, fixed deposit receipts (FDR), bank guarantees, and pledged/re-pledged securities under the margin pledge system
Margin shortfall reports filed with the exchange, if any, and evidence of penalty payment where applicable
RMS configuration documentation — exposure limit parameters, square-off trigger logic, and any manual override log
Client-wise exposure and margin utilisation reports for the sample period
Client Registration Documents (client agreements, KYC forms) for a sample of clients across the period
KRA (KYC Registration Agency) status confirmation for sampled clients
Unique Client Code (UCC) allotment, modification, and deactivation logs
Client risk profiling and suitability documentation, where applicable to the products offered
Sample contract notes with dispatch/delivery timestamps for the audit period
Brokerage computation records and statutory levy workings — STT, stamp duty, exchange transaction charges, SEBI turnover fees, GST
Trade log/order log extracts from the trading and back-office systems for the sample period
Bank reconciliation statements for all client and proprietary accounts for the audit period
SCORES (SEBI Complaints Redress System) portal complaint log and resolution status for the period
Exchange investor grievance mechanism complaint log and resolution status
Compliance calendar and evidence of filings made to SEBI/exchange/depository during the period
Internal policies — risk management policy, client fund handling policy, and code of conduct — as currently in force
Demat account opening files for a sample of clients, including KYC and in-person verification records
Delivery Instruction Slip (DIS) / e-DIS processing logs and control checks over unused/blank DIS booklets
Basic Services Demat Account (BSDA) eligibility classification working for sampled accounts
DP-level charge computation and billing records for the sample period
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Registration & Onboarding | SEBI/exchange broker or DP registration granted | We help set up the internal audit calendar, RMS documentation baseline, and client fund segregation controls correctly from the first operating cycle, so the first half-yearly audit is a genuine test of working controls, not a scramble to create documentation retroactively. | No baseline controls at launch → the first internal audit cycle surfaces a large volume of foundational findings, some of which may already have caused undetected client fund or margin exposure. |
| First Half-Yearly Cycle | April–September or October–March period end | Full-scope testing across segregation, margin, UCC, RMS, and grievance handling; findings documented against the specific SEBI regulation or circular breached, not generic language. | Findings not properly evidenced or rated → weak basis for management remediation and limited defensibility if the exchange later reviews the same period. |
| Ongoing Half-Yearly Cycles | Each subsequent half-year end | Prior findings re-tested for actual closure; scope refreshed for new circulars, new products, or new exchange segments added since the last cycle. | Recurring unresolved findings across cycles → pattern visible to exchange reviewers as a governance weakness, increasing the likelihood of a targeted inspection. |
| Exchange Inspection or Query | Exchange surveillance flags an anomaly or schedules a routine inspection | We support preparation of the response, reconcile the specific data point in question, and use the inspection as an input to sharpen the next internal audit cycle's scope. | Unprepared or inconsistent response to an exchange query → escalation to formal deficiency memo or penalty proceedings that a well-documented internal audit trail could have pre-empted. |
| Margin Shortfall or Segregation Breach Detected | Internal audit or exchange reporting identifies a shortfall or co-mingling instance | Root-cause investigation, immediate corrective action plan, and assessment of whether the instance requires proactive disclosure or penalty payment under the applicable circular. | Unreported or unresolved segregation breach → escalating regulatory exposure, potential suspension of trading facility in serious or repeated cases. |
| Business Expansion (new segment, new exchange, DP registration) | Broker adds F&O, currency, commodity segment, or depository participant registration | Internal audit scope and compliance calendar updated to reflect the new registration's specific circulars and reporting formats before the next half-yearly cycle. | Audit scope not updated for new registration → gaps in a segment that is fully live and generating client exposure but not being tested. |
| System/Technology Change | New trading platform, RMS upgrade, or back-office system migration | Internal audit incorporates system change management testing — verifying the new system's controls (limits, segregation logic, reporting feeds) were validated before go-live and reconcile correctly post-migration. | Untested system migration → silent control gaps in the new system that persist until the next audit cycle surfaces them, by which point multiple trading cycles may be affected. |
A stock broker's internal audit obligation is continuous and cyclical for as long as the SEBI/exchange registration remains active — it does not end with a single engagement. Each half-yearly cycle builds on the findings and remediation status of the one before it, and the compliance calendar must be updated whenever a new segment, exchange membership, or registration category is added.
What exactly is a SEBI broker internal audit, in plain terms?
It is a mandatory, independent review — conducted by a practising Chartered Accountant, Company Secretary, or Cost Accountant who has no connection with the broker — of how well your broking or depository participant operations actually comply with SEBI and exchange rules on client money handling, margin, client registration, and risk management. It is separate from your annual statutory financial audit and your income-tax audit, and it is submitted to the exchange or depository within the timeline they prescribe.
Is the internal audit mandatory for every stock broker, or only larger ones?
SEBI's framework requires every registered trading member and depository participant to have their operations internally audited on a half-yearly basis by an independent practising professional, regardless of size — there is no small-broker exemption from the requirement itself, though the depth and complexity of the audit will naturally scale with the volume and nature of the broker's business.
How often must the internal audit be conducted?
Half-yearly, covering the two half-years of the financial year — broadly April to September and October to March — with the report to be placed before management and submitted to the relevant exchange or depository within the timeline stipulated by SEBI and exchange circulars in force at the time of the relevant cycle.
Who is eligible to conduct a stock broker's internal audit?
An independent practising Chartered Accountant, Company Secretary, or Cost Accountant who is not connected with the broker — meaning not an employee, and without the kind of relationship that would compromise independence, similar in spirit to the independence requirements for a statutory auditor. The person conducting the audit should also, in practice, have working familiarity with the SEBI and exchange regulatory framework specific to broking operations, since a generalist internal auditor without this specific domain exposure is unlikely to catch broker-specific control gaps.
Can our statutory auditor also serve as our SEBI internal auditor?
Generally, no, if your broking entity is a company. Section 144 of the Companies Act, 2013 specifically bars a company's statutory auditor from also rendering internal audit services to that same company, precisely to preserve independence — and SEBI's internal audit is, in substance, an internal audit engagement. For broking entities structured as partnerships or other non-company forms where Section 144 does not directly apply, the same independence logic still generally counsels appointing a different CA firm for the two functions. We recommend confirming your specific position with your compliance officer and legal counsel, since the precise application can depend on your entity type and existing auditor engagement terms.
What is the difference between client fund segregation testing and a bank reconciliation?
A standard bank reconciliation confirms that your books match your bank statement. Client fund segregation testing goes further — it verifies that client money was kept entirely separate from the broker's own (proprietary) funds throughout the period, was not used to fund the broker's own trading or operating expenses even temporarily, and that any client fund balance held by the broker corresponds to a genuine, currently valid client obligation. It is a substantive compliance test, not just an arithmetic reconciliation.
What happens if client funds and securities are found to be co-mingled with the broker's own funds?
This is treated as a serious compliance breach under SEBI's client fund and securities segregation framework. Depending on severity and whether it is an isolated operational lapse or a pattern, consequences can range from a documented finding requiring immediate remediation, to exchange-level penalty action, to more serious regulatory consequences including restrictions on the broker's trading facility in egregious or repeated cases. The specific consequence depends on the facts, the amount involved, and whether the broker proactively identified and disclosed the issue.
What is a running account, and how does the audit test it?
A running account is the mechanism under which a broker can retain client funds and securities beyond a single settlement, rather than paying out or delivering after every trade, subject to the client's specific written authorisation and periodic mandatory settlement — either monthly or quarterly, as the client has opted. The audit tests whether the running account was actually settled at the periodicity the client selected, whether amounts retained beyond settlement were within the limits permitted for margin obligations, and whether the settlement calculation itself followed the prescribed methodology.
How is margin collection tested, and why does it matter so much?
We reconcile the margin the broker actually collected from each sampled client — cash, fixed deposit receipts, bank guarantees, and pledged or re-pledged securities under the margin pledge mechanism — against the margin obligation the exchange reported for that client's positions. Any gap is a margin shortfall, which the broker is required to report to the exchange and which typically attracts a penalty. Margin discipline is central to systemic market stability — under-collateralised positions are exactly the exposure SEBI's margin framework is designed to prevent, which is why this is one of the most heavily tested areas in any broker internal audit.
What is a Unique Client Code (UCC) and why is UCC testing part of the audit?
Every client must be allotted a Unique Client Code before any trade can be executed on their behalf, and that code must be correctly mapped to the client's KYC-verified identity on the KYC Registration Agency (KRA) system. UCC testing verifies that trades in the sample were executed only against validly allotted, correctly mapped, and currently active client codes — and flags any instance of trading against a code that should have been blocked, was allotted to the wrong client, or lacked current KYC.
Does the internal audit cover the broker's Risk Management System (RMS)?
Yes. RMS testing is a core part of the engagement — we review the configured exposure limits, margin-based square-off trigger logic, and pre-trade risk checks, and test whether the system actually operated as configured during the period, including reviewing any manual overrides applied by the risk desk and whether those overrides were properly authorised and documented.
How does the audit treat depository participant (DP) operations if we are also registered as a DP?
Where a broker also holds a Depository Participant registration with NSDL or CDSL, the internal audit separately tests demat account opening procedures (KYC and in-person verification), Delivery Instruction Slip processing controls, Basic Services Demat Account eligibility classification, and DP-level charge computation, against the SEBI (Depositories and Participants) Regulations, 2018 and the applicable depository bye-laws — this is scoped as an additional, specific stream of testing, not folded generically into the broking-side review.
What is the SCORES platform and how does it factor into the audit?
SCORES (SEBI Complaints Redress System) is SEBI's centralised online platform through which investors can lodge complaints against registered intermediaries, including stock brokers. The audit reviews the broker's SCORES complaint log and resolution timeline for the period, alongside the exchange's own investor grievance mechanism, to verify complaints were acknowledged and resolved within the prescribed timelines and that recurring complaint patterns are being identified and addressed at a root-cause level, not just closed individually.
What documents do we need to have ready before the audit begins?
Broadly: client and proprietary bank statements, client securities/demat pool account statements, margin obligation and collection records, UCC allotment and KYC records, contract notes and brokerage computation records, RMS configuration documentation, SCORES and exchange grievance logs, and your prior internal audit reports with the status of open findings. PNPC provides a detailed, engagement-specific document request list at kick-off, scoped to your exact registration category and segments.
How long does a half-yearly internal audit cycle take?
For a mid-sized broker with cash and F&O segments, a typical cycle runs roughly 4–6 weeks from fieldwork start to a submission-ready report, assuming documents are made available promptly. Brokers with additional depository participant registration, multiple exchange memberships, a larger or more complex client base, or open findings from the prior cycle requiring deeper follow-up testing should expect a longer cycle.
What happens to findings from one cycle — are they carried forward?
Yes. Every open finding from a half-yearly cycle is carried into the scope of the next cycle and specifically re-tested to confirm actual remediation, not accepted on management's word alone. A finding that recurs across multiple consecutive cycles is flagged distinctly in the report, since a persistent, unremediated finding is a materially different risk signal than a one-off operational lapse.
What is the difference between the half-yearly internal audit and a Cyber Security / System Audit?
The half-yearly internal audit covers operational and financial compliance — client fund segregation, margin, UCC, RMS, grievance handling. The Cyber Security and Cyber Resilience Framework (CSCRF) audit and the separate System Audit are distinct, more technically specialised reviews of the broker's IT infrastructure, data security controls, business continuity and disaster recovery arrangements, and cyber-incident response readiness, each governed by its own SEBI circular framework and typically conducted by an auditor with specific systems-audit or CERT-In empanelment credentials in addition to CA qualification. These may be required of the same broker depending on its category and client base, but are generally scoped, quoted, and conducted as separate engagements from the half-yearly internal audit.
What triggers an exchange inspection, and how does a strong internal audit history help?
Exchanges conduct both scheduled, risk-based inspections and targeted inspections triggered by a specific surveillance alert, investor complaint pattern, or reported anomaly (such as a margin shortfall or unusual trading pattern). A consistent history of thorough, well-documented half-yearly internal audits — with findings properly rated, root-caused, and demonstrably remediated — is a meaningful mitigating factor: it signals a broker with functioning internal controls and gives the exchange team a documented trail to review rather than starting from a blank slate.
Can PNPC help if we've already received a deficiency memo or show-cause notice from an exchange?
Yes. We support brokers in investigating the specific issue flagged, reconciling the underlying data, preparing a factual and well-evidenced response, and — where the issue points to a genuine control gap — designing and implementing the corrective action, which we then verify in the next internal audit cycle. Responding to a deficiency memo with a rushed or incomplete explanation typically escalates the matter; a thorough, evidenced response is the better path even when it takes a few extra days to prepare properly.
Does the audit scope differ for cash market, F&O, currency, and commodity segments?
Yes, materially. While the core principles — segregation, margin, UCC, RMS — apply across segments, the specific margin methodology, product-level risk controls, and certain reporting formats differ between cash market, equity derivatives (F&O), currency derivatives, and commodity derivatives (MCX). A broker operating across multiple segments needs a scope that explicitly covers each segment's specific rules, not a single generic test applied uniformly.
What if we are a new broker in our first year of operations — is the first audit different?
Yes, typically. The first cycle for a newly registered broker often has a shorter operating history to test but tends to surface more foundational process gaps, simply because compliance processes, reconciliation discipline, and documentation habits are still being established. We treat the first cycle as an opportunity to help the compliance officer and operations team build the right habits from the outset, rather than only flagging what went wrong.
How is brokerage and statutory levy computation tested?
We sample-test contract notes and the underlying trade data to verify that brokerage was computed per the agreed client rate, and that statutory levies — Securities Transaction Tax (STT), stamp duty, exchange transaction charges, SEBI turnover fees, and GST on brokerage — were correctly computed, collected, and remitted. Errors here typically surface either as under-collection (a revenue leakage and potential compliance issue for the broker) or over-collection (a client-facing compliance and reputational issue).
Do you also help with the annual statutory audit and tax audit for brokers, or only the SEBI internal audit?
PNPC supports brokers across the full audit and compliance calendar — the SEBI-mandated half-yearly internal audit, the annual statutory financial audit under the Companies Act, the applicable tax audit where the broker's turnover crosses the prescribed threshold (under the tax-audit provisions of the Income Tax Act, 2025, successor to the erstwhile Section 44AB), and, where the broker needs it, coordination with a specialised Cyber Security/System auditor. Running these under one coordinated engagement calendar, with one firm holding institutional knowledge of your operations across all of them, reduces duplicated document requests and keeps your compliance calendar coherent.
What does the PNPC broker internal audit package include?
A typical engagement includes: registration and scope mapping against your exact SEBI/exchange registrations; review of prior audit history and open findings; client fund and securities segregation testing; running account settlement verification; margin collection and reporting reconciliation; UCC mapping and client registration review; RMS controls testing; contract note, brokerage, and statutory levy verification; depository participant operations testing where applicable; SCORES and grievance redressal review; a risk-rated findings report mapped to the specific SEBI regulation or circular; management review and sign-off support; and submission support within the prescribed deadline. Exact scope and fee are agreed in writing before the engagement begins, based on your registration category, segments, and client base size.
How much does a SEBI broker internal audit engagement with PNPC cost?
Fees depend on your registration category (trading member, clearing member, DP, or a combination), the number of exchanges and segments you operate in, your client base size and transaction volume, and whether the engagement is a fresh first-cycle audit or a continuing engagement with an established control baseline. We provide a written scope and fee proposal, structured as a per-half-yearly-cycle or annual retainer fee, before any engagement begins.
Why should we engage PNPC rather than a lower-cost generic auditor for this engagement?
A genuinely useful broker internal audit requires an auditor with real working familiarity with SEBI and exchange circulars specific to broking operations — not a general-purpose internal auditor applying a generic checklist to a specialised, fast-moving regulatory framework. PNPC has been a practising CA firm since 1986, with teams across Chennai, Bangalore, Hyderabad, and Dubai, and we approach every broker internal audit with substantive segregation and margin testing, clear findings mapped to the specific regulation breached, and follow-up re-testing every cycle — the depth exchange reviewers actually expect to see.
Can PNPC support brokers with operations or group entities in the UAE as well as India?
Yes. PNPC operates from Chennai, Bangalore, and Hyderabad in India, and from Dubai in the UAE. For broking groups with an Indian SEBI-registered entity and a related UAE entity — for example, a UAE-based advisory or introducing arrangement feeding into the Indian broking business — we coordinate the India-side SEBI internal audit with the appropriate India-UAE cross-border and group-level compliance review, rather than treating the two as disconnected engagements handled by separate, uncoordinated firms.
What happens if we simply skip or delay the half-yearly internal audit?
Non-submission or late submission of the mandated half-yearly internal audit report is treated as a compliance lapse by the exchange/depository and can attract monetary penalties, formal deficiency communication, and, in the case of repeated or serious non-compliance, more significant regulatory consequences up to restrictions on the broker's trading facility. Beyond the direct penalty, skipping the audit also means genuine control gaps — segregation issues, margin shortfalls, UCC errors — go undetected internally until an external party, such as the exchange itself, finds them first.
Does the audit look at algorithmic trading or colocation arrangements if we offer them to clients?
Where a broker offers algorithmic trading facilities or has colocation arrangements with an exchange, these carry additional SEBI requirements around algo approval, risk controls specific to algorithmic order flow, and system audit obligations that go beyond the standard half-yearly internal audit scope. We scope this explicitly as part of the engagement for brokers offering these facilities, and coordinate with a specialised systems auditor where the technical depth required exceeds a standard operational internal audit.
How does PNPC handle confidentiality of client and trading data during the audit?
Client trading data, personal KYC information, and financial records reviewed during the engagement are handled under the same professional confidentiality obligations that apply to all our audit and assurance work, governed by our engagement letter and applicable professional standards. Access to underlying systems and data is scoped to what is necessary for the specific testing being performed, and working papers are retained and secured per our firm's data-retention and confidentiality policy.
What is a margin pledge and re-pledge system, and how does the audit test it?
The margin pledge and re-pledge mechanism allows clients to pledge their securities held in their own demat account as collateral for margin, with the broker re-pledging that collateral (where structured to do so) to the clearing corporation, rather than the older system of securities being transferred into a broker-controlled account. The audit verifies that pledge creation, invocation (in case of a margin call default), and release are correctly processed and documented, and that the broker is not holding client securities as collateral outside this prescribed pledge mechanism.
Can the internal audit identify issues before they become client complaints or exchange findings?
That is the core value of a genuinely substantive internal audit — testing segregation, margin, and UCC controls proactively, on a representative sample, is designed to surface a control gap before it manifests as a client complaint, a margin default, or an exchange-detected anomaly. A checklist-only audit that merely confirms policy documents exist, without substantively testing whether those policies were followed in practice, will miss exactly the kind of operational gap that later surfaces as a real problem.
How does PNPC stay current with frequently changing SEBI circulars relevant to broker audits?
SEBI and the exchanges issue circulars on margin methodology, segregation reporting formats, running account rules, and related operational matters on an ongoing basis, and the applicable framework for a given half-yearly cycle should always be confirmed against circulars in force at that time rather than assumed to be static. PNPC's audit teams track circular updates relevant to the broking sector as part of maintaining our audit methodology, and we confirm the current applicable framework for each client's specific cycle before finalising scope.
| Feature | Low-Cost / Generic Auditor | In-House Compliance Team Only | PNPC Global |
|---|---|---|---|
| Broking-sector familiarity | Generic internal audit checklist applied to a specialised business | Deep on own operations, but lacks independent cross-broker benchmarking | Practising CA teams with specific working familiarity with SEBI/exchange broker circulars |
| Segregation & margin testing depth | Aggregate-level reconciliation only, token sampling | Depends entirely on internal team's independence and bandwidth | Client-level segregation and margin reconciliation, not just portfolio aggregates |
| Findings mapped to specific regulation | Generic 'strengthen controls' language | Varies by team maturity | Every finding mapped to the specific SEBI regulation or circular breached |
| Follow-up & re-testing | Rarely re-tested — accepted as 'closed' on management's word | Depends on team discipline | Every open finding re-tested in the next half-yearly cycle before closure |
| Coordination with statutory & tax audit | Not offered — separate, uncoordinated engagements | Internal team manages coordination manually | Coordinated compliance calendar across internal, statutory, and tax audit engagements |
| India-UAE coordination | Not offered | Not applicable unless the group has its own multi-jurisdiction team | Unified support for India-UAE broking/advisory group structures from Chennai/Bangalore/Hyderabad and Dubai offices |
| Exchange inspection support | Engagement ends at report submission | Internal team handles response alone | Direct support preparing responses to deficiency memos and inspection queries |
| Relationship model | Transactional, priced to minimise scope | Employment relationship, subject to internal pressures | Independent, practising-CA relationship with engagement continuity across cycles |
What the PNPC package includes
- 01
Registration and scope mapping against your exact SEBI trading member, clearing member, and/or DP registrations
- 02
Client fund and securities segregation testing at the individual client level, not just portfolio aggregates
- 03
Running account settlement verification against the periodicity each client opted for
- 04
Margin collection and shortfall reporting reconciliation against exchange-reported obligations
- 05
Unique Client Code (UCC) mapping and KYC/KRA validation sample testing
- 06
Risk Management System (RMS) configuration and operating-effectiveness testing, including manual override review
- 07
Contract note, brokerage, and statutory levy (STT, stamp duty, exchange charges, GST) verification
- 08
Depository Participant operations testing for brokers also registered as a DP
- 09
SCORES and exchange grievance redressal timeline and root-cause review
- 10
Risk-rated findings report mapped to the specific SEBI regulation or circular for each finding
- 11
Management review, sign-off support, and submission support within the prescribed deadline
- 12
Every open finding carried forward and re-tested in the next half-yearly cycle
- 13
Coordinated calendar with your statutory audit, tax audit, and Cyber Security/System audit where needed
- 14
Direct contact with your engagement CA — by phone and WhatsApp — not a support queue
Speak directly with a PNPC Chartered Accountant about your broker internal audit obligations and compliance calendar. Not a generic checklist bolted onto a broking business — a practising CA firm that has worked with regulated financial intermediaries since 1986, and that tests client fund segregation and margin discipline with the rigour your exchange expects.