SEBI IAAP Accessibility Audit: What It Is, Who Must Comply, and How to Pass

If you searched for "SEBI accessibility audit" and landed here, you are likely looking for SEBI's IAAP — the Information Assurance Audit Programme. This is SEBI's annual IS audit requirement for market intermediaries, and it is separate from CSCRF. This guide explains exactly what it covers, who needs it, and how to prepare.

Infosek Team

20 May, 2025

What Is SEBI IAAP?

IAAP stands for Information Assurance Audit Programme. This is SEBI's framework for annual information security audits of market intermediaries. A quick note on terminology: when market participants search for "SEBI accessibility audit," they are typically referring to IAAP — which is about information systems assurance and accessibility, not web accessibility for persons with disabilities. The two are completely different.

IAAP was established to ensure that market intermediaries maintain adequate information security controls and that those controls are independently verified on a regular basis. The audit is conducted by CERT-In empanelled information security auditing organisations.

Important: IAAP is a separate requirement from SEBI CSCRF. CSCRF is the broader cybersecurity framework (governance, controls, policies, VAPT). IAAP is the annual IS audit programme that verifies whether those controls are in place. You need to comply with both.

Who Must Get the IAAP Audit?

SEBI has mandated IAAP audits for a range of market intermediaries, including:

  • Stock brokers (all categories)
  • Depository Participants (DPs)
  • Investment Advisers (IAs)
  • Research Analysts
  • Portfolio Managers
  • Mutual Fund distributors (where applicable)
  • KYC Registration Agencies (KRAs)

The requirement applies regardless of size, though smaller intermediaries may have a lighter scope. If you are registered with SEBI as any of the above, you must check your applicable circular to confirm audit frequency requirements.

What Does the IAAP Audit Cover?

IAAP auditors examine whether your information security controls are actually in place and functioning, not just documented. Key areas of review include:

  • Information Security Controls: Are access controls, patch management, and change management policies implemented and evidenced?
  • System Access and Authentication: Are user accounts reviewed regularly? Are privileged accounts managed? Is MFA in place?
  • Data Integrity and Protection: Is sensitive client data protected at rest and in transit? Are there controls against unauthorised modification?
  • Network Security: Are firewalls configured correctly? Are network segments separated? Are intrusion detection systems in place?
  • Business Continuity: Is the BCP/DR plan documented and tested? Are backup and recovery procedures verified?
  • Vendor and Third-Party Controls: Are third-party vendors assessed for security? Are contracts reviewed for security obligations?
  • Incident Response: Is there a documented IRP? Has it been tested?

How to Choose a CERT-In Empanelled Auditor

SEBI requires that the IAAP audit be conducted by an organisation empanelled with CERT-In (the Indian Computer Emergency Response Team) as an Information Security Auditing Organisation (ISAO). You can verify empanelment status on the CERT-In website.

Key factors to evaluate when selecting an auditor:

  • Current CERT-In empanelment status (check the official CERT-In ISAO list)
  • Prior experience auditing SEBI-regulated entities specifically
  • Understanding of SEBI circulars and CSCRF requirements
  • Qualified audit team (CISA, CISSP, or equivalent certified professionals)
  • Turnaround time for the audit report (most firms need the report within SEBI's submission deadline)

For a broader comparison of auditor vs. compliance partner models, read our guide on CERT-In Empanelled Auditor vs. Full-Service Compliance Partner.

Timeline and Frequency

IAAP audits must be conducted annually. The audit report must be submitted to SEBI (typically through the exchange or directly, depending on your intermediary type) within the specified deadline. Most firms schedule their audit in Q3 or Q4 of the financial year to allow time for gap remediation before the submission deadline.

Common Preparation Mistakes

  • Confusing IAAP with CSCRF: Treating the annual IS audit as if it covers everything CSCRF requires. They have overlapping scope but different objectives.
  • Starting too late: Engaging an auditor 2–3 weeks before the deadline and expecting a clean report. Auditors need access to your systems, documentation, and staff — this takes time.
  • No pre-audit internal review: Not checking your own controls before the formal audit. A simple internal walkthrough against the audit scope often uncovers fixable issues before the auditor arrives.
  • Missing evidence files: Having the right policies but being unable to produce evidence of implementation (user access review records, patch logs, BCP test reports).

The IAAP audit is not an assessment of your intentions — it is an evidence-based review. Auditors will ask to see records, logs, and approvals. If those do not exist, no amount of explaining will substitute for them.

Need help preparing for your IAAP audit?

Infosek handles both the preparation and the audit. We assess your current controls, help you close gaps, and co-ordinate the CERT-In empanelled audit — so you go in with confidence.
