SEBI CSCRF Annual Audit Cycle 2026: Timelines, Scope, and What to Prepare

The SEBI CSCRF audit cycle for FY 2025-26 is live, and SEBI's supervisory teams are reviewing submissions. This is now an execution challenge: what your entity submits, and when, determines your compliance standing for the year ahead. In this blog, we map the SEBI CSCRF annual audit cycle 2026, verified against NSE circular NSE/INSP/73849 (April 22, 2026) and SEBI circular SEBI/HO/ITD 1/ITD_CSC_EXT/P/CIR/2024/113 (August 20, 2024), so your team knows what to do and by when.

Annual vs half-yearly: which cycle applies to your entity

Not all Regulated Entities (REs) follow the same audit frequency. Your tier determines your cadence.

Qualified REs and the half-yearly cycle

Qualified REs, and Mid-size or Small-size REs that provide internet-based trading (IBT) or algorithmic trading facilities, follow a half-yearly cycle. For the audit period covering October 2025 to March 2026, the preliminary audit report is due by June 30, 2026.

Annual cycle for all other REs

All other REs, excluding Self-certified REs, follow an annual cycle. For the period covering April 2025 to March 2026, the preliminary audit report is also due by June 30, 2026.

If your entity changed its RE category at the start of the financial year, the unaudited period must be folded into the current cycle. Per Clause 4.4.1 of the SEBI CSCRF circular, no audit period can be left unaudited.

The two deadlines every regulated entity must meet

The NSE submission portal for audit-related submissions opened on April 27, 2026. Two deadlines now govern this cycle.

June 30, 2026

Preliminary audit report submission deadline for both half-yearly and annual cycle entities. The report is considered complete only after management comments are attached. A submission without management comments does not fulfil the requirement.

September 30, 2026

Corrective Action Taken Report (ATR) submission deadline, applicable where findings require remediation. NSE circular NSE/INSP/73849 references a separate annexure that details financial disincentives and disciplinary actions for non-compliant trading members. Missing either deadline is a compliance failure, not a procedural one.

What the audit must cover

Clause 4.4 of the SEBI CSCRF circular (August 20, 2024) defines the scope formula. Your audit must cover 100% of your critical systems. For non-critical systems, 25% must be sampled and the sampling rationale and chosen sample size must be explicitly stated in the audit report.

Your RE category, whether Qualified, Mid-size, Small or Self-certification, must be reviewed and approved by your Board of Directors, Designated Director or the relevant authority for each financial year. Per NSE/INSP/73849, auditors are required to verify and validate that your categorisation aligns with the SEBI CSCRF framework during the audit itself.

This is not a self-declaration exercise. The board approval record must exist before your auditor begins.

Five things to have ready before the auditor arrives

The audit evaluates whether controls exist and whether evidence of those controls is documented, structured and accessible. These five areas determine audit outcomes.

Board-approved RE categorisation on record

The category determination for FY 2025-26 must be formally approved and documented. A categorisation that exists only in internal emails will not satisfy the requirement.

Asset inventory with critical vs non-critical classification

Your asset inventory must clearly distinguish critical systems from non-critical ones. The audit covers 100% of the former and a documented 25% sample of the latter. An undifferentiated list is not audit-ready.

VAPT evidence for the audit period

Vulnerability Assessment and Penetration Testing outputs from FY 2025-26 must be documented — what was tested, what was found, what was remediated and what remains open. Auditors reconcile VAPT findings against your risk register.

Previous cycle finding closure documentation

Auditors are required to verify the closure status of all prior audit observations and reflect this in the current report. Any finding raised again must be explicitly flagged as a repeat observation. Have your closure evidence organised before engagement begins.

Management comment drafts for each TOR item

Per NSE/INSP/73849, the audit report is complete only when management comments are attached. For each Terms of Reference (TOR) item, whether marked compliant, non-compliant or not applicable, your team should prepare management responses in advance. Where a TOR item is marked not applicable, justification is mandatory.

Managing carry-forward findings from the previous cycle

Entities entering their second audit cycle face a layer of scrutiny that first-cycle entities do not. Auditors must verify the closure of all previous observations and note their status in the current report. If an observation from FY 2024-25 remains open, it must be flagged as a repeat observation.

This is not a minor notation. Repeat observations carry higher risk ratings and draw direct regulatory attention. Mapping every prior finding to a documented closure, or an active remediation plan, before your auditor begins is the most effective preparation step available to a returning entity.

For entities yet to appoint a CERT-In empanelled auditor, our cyber audit under SEBI CSCRF guide covers auditor selection norms, conflict-of-interest requirements and the three-year rotation rule in full.

Conclusion

The SEBI CSCRF annual audit cycle 2026 is operational and submissions are on record. Board-approved categorisation, classified asset inventories, VAPT reconciliation, prior finding closures and management comment drafts are not audit-day tasks. Instead, they are the infrastructure your compliance programme should be running continuously.

CyberNX supports regulated entities across the full CSCRF audit lifecycle – from readiness assessment and evidence structuring to submission preparation. If your team is working toward the June 30, 2026 deadline, connect with our SEBI CSCRF consulting team today.

FAQs on SEBI CSCRF Annual Audit Cycle 2026

What is the maximum number of consecutive years the same auditor can conduct the CSCRF audit?

Per NSE/INSP/73849 (April 22, 2026), a CERT-In empanelled auditing organisation can conduct a maximum of three consecutive years of audits for the same RE. A two-year cooling-off period then applies before reappointment. Entities completing their third consecutive cycle with the same firm must plan for an auditor change before FY 2026-27.

What makes a CSCRF audit report submission complete?

Submission is considered complete only after the trading member attaches management comments to the audit report and submits it to the exchange. A report submitted without management comments does not fulfil the requirement, regardless of the findings it contains.

Author: Gopakumar Panicker

An accomplished security professional with extensive experience in Digital Security, Cloud Security, Cloud Architecture, Security Operations, and BFSI Compliance, Gopa has contributed to designing and strengthening enterprise-grade security environments, ensuring alignment with both technical and regulatory requirements. His work focuses on building resilient, scalable architectures and guiding organisations in elevating their operational maturity while meeting the stringent expectations of modern BFSI and cloud-driven ecosystems.
