SEBI auditors do not evaluate intent; they evaluate evidence. A cybersecurity policy approved last year, an asset inventory last updated six months ago and an access review described but never logged are all findings waiting to be written.
SEBI CSCRF audit readiness is the discipline of closing that gap before the auditor arrives. This blog identifies the five failure patterns that generate the most frequent non-compliance observations, explains what auditors verify in each area and tells you how to address it. For a full breakdown of audit scope, frequency, auditor selection requirements and reporting timelines, see our cyber audit under SEBI CSCRF guide.
What CSCRF audit readiness means
Under CSCRF, mandatory controls that are absent or lack evidence generate direct non-compliance observations. Recommended controls that are absent require documented risk justification or a compensating control. A recommended control with neither is also a finding.
Auditors are, in fact, looking for evidence that your controls are operational, current and producing measurable outputs. Gaps in documentation are treated the same as gaps in controls because from an auditor’s position, they are indistinguishable.
Finding 1: Category misidentification
What auditors check
Auditors verify whether the RE has correctly categorised itself under CSCRF before reviewing a single technical control. The April 2025 and August 2025 SEBI clarification circulars revised thresholds across entity types for brokers (dual-parameter rule), portfolio managers (collapsed to single AUM threshold) and AIFs (manager-level corpus aggregation). Your categorisation must be reviewed and approved by your Board of Directors, Designated Director, Proprietor or Partner at the start of each financial year. If the category on file does not match the current threshold table, that is an audit observation, and every downstream obligation mapped to the wrong category compounds it.
How to address it
Reverify your category against the April 2025 and August 2025 circulars before your audit window opens. Document the determination, record the data points used (client count, AUM, trading volume as applicable) and obtain the relevant authority’s approval. Keep this as a dated, version-controlled record; auditors will ask to see it.
Finding 2: Incomplete or outdated asset inventory
What auditors check
CSCRF requires a comprehensive inventory of critical systems, applications and data assets. Auditors review this inventory for completeness and currency and must include an assessment of asset classification – critical versus non-critical – in their report. The most frequently flagged gaps are cloud assets provisioned without formal onboarding, third-party integrations connected but never added to the inventory and legacy systems classified as non-critical without documented rationale. The list of critical systems must be approved by the Board, Partners or Proprietor.
How to address it
Run a full asset discovery exercise ahead of the audit. Include on-premise systems, cloud environments, SaaS applications and third-party integrations. Classify each asset as critical or non-critical with documented rationale. Ensure the inventory is dated and reflects the current state. Smaller REs with minimal IT infrastructure may maintain the inventory manually, but it must be kept current and meet CSCRF asset management requirements.
Finding 3: Stale access rights
What auditors check
Access control is one of the highest-scrutiny domains in a CSCRF audit. Auditors look specifically for access rights that were not updated when employees changed roles or left the organisation. They verify whether guidelines have been implemented as stated in CSCRF and must document relevant evidence for each standard reviewed. Accounts retaining elevated privileges beyond a role change or an exit are a finding. The absence of a periodic access review log compounds it because the auditor cannot distinguish between a review that happened informally and one that never happened.
How to address it
Conduct a full access rights review before your audit. Compare system access lists against current roles. Revoke or modify access where role or employment status has changed. Log the review formally – date, reviewer name, systems covered and actions taken. If periodic access reviews are not already calendared, schedule them and document each cycle going forward.
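The reconciliation described above, as an added example and not code from this post: it joins a per-system access export against the current HR roster and a role-to-entitlement map, flags leavers who still hold accounts and users whose privileges no longer match their role, and produces the review log fields the step asks for (date, reviewer, systems covered, actions taken). The roster, entitlement policy, access exports and field names are all constructed assumptions for illustration.

```python
"""Pre-audit access-rights reconciliation (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date

# Constructed HR roster: employee id -> (current role, employment status)
HR_ROSTER = {
    "E001": ("dba", "active"),
    "E002": ("trader", "active"),
    "E003": ("sysadmin", "left"),    # exit processed; accounts should be gone
    "E004": ("helpdesk", "active"),  # moved from sysadmin to helpdesk
}

# Assumed entitlement policy: role -> system -> privileges that role may hold
ROLE_ENTITLEMENTS = {
    "dba": {"oms-db": {"admin"}, "vpn": {"user"}},
    "trader": {"oms": {"user"}, "vpn": {"user"}},
    "sysadmin": {"oms": {"admin"}, "oms-db": {"admin"}, "vpn": {"admin"}},
    "helpdesk": {"oms": {"user"}, "vpn": {"user"}},
}

# Constructed access exports: system -> list of (employee id, privilege held)
ACCESS_EXPORT = {
    "oms": [("E002", "user"), ("E003", "admin"), ("E004", "admin")],
    "oms-db": [("E001", "admin"), ("E003", "admin")],
    "vpn": [("E001", "user"), ("E002", "user"), ("E003", "admin"), ("E004", "user")],
}


@dataclass
class ReviewLog:
    """The formal record an auditor expects: who reviewed what, when, and what was done."""
    review_date: str
    reviewer: str
    systems_covered: list = field(default_factory=list)
    # Each action is (system, employee, privilege, action, reason)
    actions: list = field(default_factory=list)


def reconcile(roster, entitlements, export, reviewer, review_date=None):
    """Compare every access entry against the roster and entitlement policy."""
    log = ReviewLog(review_date=review_date or date.today().isoformat(), reviewer=reviewer)
    for system, entries in sorted(export.items()):
        log.systems_covered.append(system)
        for emp, priv in entries:
            if emp not in roster:
                # Account with no HR record at all: orphaned, revoke
                log.actions.append((system, emp, priv, "revoke", "no HR record"))
                continue
            role, status = roster[emp]
            if status != "active":
                # Leaver still holding an account
                log.actions.append((system, emp, priv, "revoke", "leaver"))
            elif priv not in entitlements.get(role, {}).get(system, set()):
                # Privilege not matching the current role (e.g. stale after a role change)
                log.actions.append((system, emp, priv, "modify", f"not entitled as {role}"))
            else:
                log.actions.append((system, emp, priv, "retain", "matches role"))
    return log


def findings(log):
    """Only the entries that require a change; these are what an auditor would flag."""
    return [a for a in log.actions if a[3] != "retain"]


if __name__ == "__main__":
    review = reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, ACCESS_EXPORT, reviewer="ciso")
    print(f"Review {review.review_date} by {review.reviewer}, systems: {review.systems_covered}")
    for action in findings(review):
        print(action)
```

Run it against real exports by replacing the three constructed dictionaries with data pulled from your systems and HR source of truth; the returned `ReviewLog` is the artefact to file, and `findings()` is the list of actions to execute before the audit.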
Finding 4: Remediation lag
What auditors check
CSCRF mandates that vulnerabilities identified during VAPT are closed within three months of report submission. An Action Taken Report confirming finding closure must be submitted to the relevant reporting authority within three months of the preliminary audit report submission. Auditors in the subsequent cycle verify the closure status of prior observations and flag any that remain open as repeat observations. Repeat observations are explicitly noted as such in the audit report and carry greater weight in the regulatory record.
How to address it
Map every open finding from your previous audit and VAPT cycle. Assign ownership, document closure evidence and verify that re-validation – the re-scan or third-party confirmation of fix – has been completed within the compliance window. Do not enter an audit cycle with unresolved prior-period observations. Where high-severity patch-related vulnerabilities are identified, the closure timeline is one week, not three months.
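A tracker for the timelines in this section, added here as an example and not code from this post: it applies the closure windows stated above (three months from report submission; one week for high-severity patch-related vulnerabilities) to a constructed findings register, treats a finding as closed only when re-validation is recorded, and marks what would carry forward into the next cycle. The register contents are constructed, and counting "three months" as a calendar-month offset is an assumption about how the window is measured.

```python
"""Remediation-lag tracker for prior-cycle findings (added example, constructed data)."""
import calendar
from datetime import date, timedelta

# Constructed findings register; dates are illustrative
FINDINGS = [
    {"id": "V-1", "severity": "high", "patch_related": True,
     "reported": date(2025, 1, 10), "closed_on": date(2025, 1, 14), "revalidated_on": date(2025, 1, 16)},
    {"id": "V-2", "severity": "medium", "patch_related": False,
     "reported": date(2025, 1, 10), "closed_on": date(2025, 2, 1)},           # no re-validation recorded
    {"id": "V-3", "severity": "high", "patch_related": False,
     "reported": date(2025, 1, 31)},                                          # still open
    {"id": "V-4", "severity": "low", "patch_related": False,
     "reported": date(2025, 4, 1)},                                           # open, within window
    {"id": "V-5", "severity": "high", "patch_related": True,
     "reported": date(2025, 1, 10), "closed_on": date(2025, 1, 20), "revalidated_on": date(2025, 1, 25)},
]
AS_OF = date(2025, 5, 15)  # the date the assessment is run


def add_months(d, months):
    """Calendar-month offset, clamped to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def closure_deadline(finding):
    """One week for high-severity patch-related items, otherwise three months."""
    if finding["severity"] == "high" and finding.get("patch_related", False):
        return finding["reported"] + timedelta(days=7)
    return add_months(finding["reported"], 3)


def assess(findings, as_of):
    """Classify each finding; anything not 'closed' is a candidate repeat observation."""
    report = []
    for f in findings:
        deadline = closure_deadline(f)
        closed = f.get("closed_on")
        revalidated = f.get("revalidated_on")
        if closed and revalidated:
            status = "closed" if revalidated <= deadline else "closed-late"
        elif closed:
            status = "closed-unverified"   # fix claimed but not re-validated: no closure evidence
        elif as_of > deadline:
            status = "overdue"
        else:
            status = "open"
        report.append({
            "id": f["id"],
            "deadline": deadline,
            "status": status,
            "carries_forward": status in ("overdue", "closed-unverified"),
        })
    return report


if __name__ == "__main__":
    for row in assess(FINDINGS, AS_OF):
        print(f"{row['id']}: due {row['deadline']}, {row['status']}, carries forward={row['carries_forward']}")
```

The `carries_forward` flag is the working list for the step above: each such item needs an owner, closure evidence and a re-validation record before the next audit cycle opens.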
Finding 5: Undocumented periodic reviews
What auditors check
CSCRF requires annual reviews of the cybersecurity policy, the risk management policy and various operational controls. It requires periodic IT Committee meetings with formal minutes. It requires evidence of cybersecurity awareness training, VAPT revalidation and vendor risk assessments at defined cadences. Auditors must provide an appropriate description of evidence verified for each standard and guideline. A review that happened but left no record is, from the auditor’s position, a review that did not happen.
How to address it
Before your audit, compile the full evidence set for every periodic activity required in your RE category. Policy reviews must show the previous version, the review date and the approving authority. IT Committee meetings must have dated minutes with attendees and agenda items listed. Awareness training must have an attendance log. Version-control your policies and store review evidence alongside the document.
A pre-audit readiness check
Before your empanelled auditor begins, run through these five checks:
- Category: Is your CSCRF category approved by the relevant authority for the current financial year and mapped to the correct threshold table?
- Asset inventory: Is your critical system and asset inventory current, complete, classified and dated?
- Access rights: Have you reviewed and reconciled access rights against current roles and confirmed leavers are offboarded?
- Prior findings: Are all findings from your last audit and VAPT cycle closed, evidenced and re-validated within the prescribed timelines?
- Review evidence: Do you have dated, version-controlled records for every periodic review activity your RE category requires?
For a structured approach to mapping your controls against CSCRF requirements before audit, see our SEBI CSCRF gap assessment checklist.
Conclusion
Most CSCRF audit findings are not caused by missing controls. They are caused by controls that exist but cannot be evidenced, categorisations that were not reverified after the 2025 amendments, inventories that drifted since the last review and prior-cycle findings that carried forward unclosed.
SEBI CSCRF audit readiness means building the evidence layer continuously – not assembling it when the auditor schedules a visit.
At CyberNX, we work with regulated entities across India to build and maintain audit-ready compliance programmes aligned to CSCRF. Our team is CERT-In empanelled and has direct experience across the audit cycle – from gap assessment to follow-on verification. Connect with our SEBI CSCRF consulting team to get started.
SEBI CSCRF audit readiness FAQs
What is the difference between SEBI CSCRF compliance and audit readiness?
Compliance is the state of having implemented the required controls. Audit readiness is the state of being able to demonstrate that those controls are operating – through evidence, documentation and closed findings. An entity can be technically compliant and still generate audit observations if the evidence layer is incomplete.
How long before the audit should readiness preparation begin?
Ninety days is a practical minimum. That gives time for asset discovery, access rights review, prior-finding closure and evidence compilation. Entities with open findings from the previous cycle need to begin earlier since the three-month remediation window may already be running.
What happens if mandatory controls are absent or lack evidence?
Absent mandatory controls, or mandatory controls without supporting evidence, generate direct non-compliance observations. These are submitted to the relevant reporting authority – stock exchange, depository or SEBI depending on your category – and must be addressed within the prescribed timelines.