SEBI Responsible AI / ML Framework: What Statutory Auditors of SEBI-Regulated Entities Need to Know
In June 2025, SEBI released a consultation paper on a Responsible AI / ML Framework for SEBI-regulated entities: mutual funds, NBFCs (registered with RBI but using AI for SEBI activities), stock brokers, depositories, AIFs (Alternative Investment Funds), portfolio managers, RTAs and investment advisers. The framework introduces:
- AI model registration with SEBI
- Periodic AI reporting to SEBI
- 5-year retention of AI model parameters / weights
- Governance + risk management around AI use
- Transparency + explainability requirements
For statutory auditors of these regulated entities, this adds a new layer of audit work. This post covers what's in the framework, the audit implications, and practical procedures for the FY 2026-27 audit season.
What the SEBI Responsible AI Framework covers
Based on the June 2025 consultation paper and subsequent SEBI signaling:
Scope of "AI / ML systems"
- Trading systems using ML / algorithmic decisions
- Investment recommendation engines (robo-advisors)
- Risk management AI (credit risk, market risk, ECL models)
- Compliance / surveillance AI (AML, market manipulation detection)
- Customer service AI (chatbots, etc.)
- Operational AI (KYC processing, document verification)
For most large SEBI-regulated entities, multiple AI systems are in scope.
Key obligations on regulated entities
- Model registration with SEBI — entities must register significant AI / ML systems with SEBI before deployment
- Periodic reporting — quarterly / annual reporting on AI system performance, incidents, model changes
- 5-year retention — model parameters / weights / training data retained for 5 years post-deployment
- Governance framework — board-approved AI governance policy, named AI officer / committee
- Risk management — defined risk thresholds, monitoring, escalation
- Transparency — model decisions explainable; consumer-facing AI clearly disclosed
- Audit trail — every significant AI decision logged with timestamp + version
- Independent testing — periodic third-party validation of AI systems
Penalties
SEBI can impose monetary penalties under the SEBI Act 1992 + suspend AI deployments + issue directions to discontinue specific AI use. Severity scales with the size of the regulated entity and the risk impact.
What this means for statutory auditors
For a CA firm auditing a SEBI-regulated entity (FY 2026-27 onwards), the Responsible AI Framework requires additional procedures:
1. AI System Inventory Review
Step 1: Confirm the entity has inventoried its AI / ML systems. The inventory should include:
- System name + purpose
- Department + owner
- Date of deployment
- Risk classification
- Regulatory categorisation under SEBI framework
If the entity hasn't done this — that's a regulatory concern (Section 11 SEBI Act + Responsible AI Framework requirements). The auditor reports this in the management letter and considers KAM / EOM treatment depending on materiality.
2. Model Registration Verification
For each significant AI system, verify:
- Has it been registered with SEBI as required?
- Is the registration current (model changes re-registered)?
- Has the entity's compliance with SEBI's periodic reporting been verified?
Documentation: SEBI portal evidence of registration + reporting submissions.
3. Governance + Documentation Review
The board-approved AI governance policy should:
- Define roles + responsibilities (AI officer, AI committee)
- Establish risk thresholds + escalation
- Define model change management procedures
- Set monitoring + KPI frameworks
The auditor reviews the policy, confirms board approval, and verifies its application in practice.
4. Model Retention Verification
The 5-year retention requirement is a record-keeping obligation. The auditor verifies:
- Model parameters / weights / training data retention systems in place
- Retention periods aligned with framework
- Backup + recovery procedures
- Access controls
This is similar to SA 230 audit working paper retention, applied to AI artifacts.
5. Independent Validation Testing
The framework requires periodic third-party validation of AI systems. The auditor verifies:
- Validation has been performed
- Reports reviewed by the AI committee
- Findings addressed / remediated
- Documentation maintained
The auditor doesn't typically perform the AI validation itself (that's a specialist task for an SA 620 expert), but verifies that the entity has done it appropriately.
6. Disclosures in Financial Statements
For SEBI-regulated entities, AI / ML system use may need disclosure in:
- Director's Report (governance + control framework discussion)
- Notes to financial statements (operational risk + AI dependency)
- KAM in audit report (where AI is material to FS preparation)
For example: an NBFC using ML-based ECL models under Ind AS 109 — the model is material to the ECL provision; KAM disclosure likely required.
7. Specific Audit Areas
For specific AI-using regulated entities, the audit work expands:
NBFC with ML-based credit risk model — auditor must test the ECL model (Ind AS 109) including the AI components. SA 540 (Auditing Estimates) procedures apply with depth on ML model assumptions.
Mutual Fund with AI-driven portfolio construction — auditor reviews investment management framework + AI decisions vs investor disclosure.
Stock broker with algorithmic trading — auditor reviews trade execution + market manipulation surveillance.
RTA with AI document processing — auditor reviews KYC accuracy + customer data handling under DPDPA.
Practical audit procedures for FY 2026-27
For a CA firm taking on a SEBI-regulated entity audit:
Planning phase (SA 315)
- Add AI / ML systems to the entity-level risk assessment
- Document which AI systems are in scope of the audit
- Identify which financial statement assertions are affected
- Plan the auditor's expert (SA 620) engagement if AI specialist expertise is needed
Substantive testing
- Confirm SEBI registration evidence
- Review periodic SEBI reporting submissions
- Test model retention systems
- Review independent validation reports
- Test governance framework application
- For AI-affected estimates (ECL, valuation) — apply SA 540 procedures with depth
Reporting
- KAM consideration for material AI use
- Modified opinion if regulatory non-compliance is material + pervasive
- Management letter for non-material findings
Documentation
- SA 230 working papers covering AI procedures
- Cross-reference with Form 3CD-specific working papers (clause 18 - depreciation; clause 23 - RPT; clause 31 - cash; clause 41 - notes)
Indirect implications for the audit firm itself
For audit firms using AI tools (Claude, ChatGPT, CORAA), the SEBI framework's principles influence what's becoming the wider regulatory expectation:
- Model registration / inventory
- Governance + risk management
- Retention + audit trail
- Transparency + explainability
- Independent validation
The audit firm's own AI adoption should align with these principles even though the SEBI framework doesn't directly apply to CA firms. Forward-thinking firms voluntarily adopt these governance frameworks because:
- ICAI's emerging Information Systems Audit Standards (ISAS — being released through 2026-27) reference similar principles
- AQMM v2.0 (Audit Quality Maturity Model) Level 4 expects formal AI governance
- Peer Review Phase IV expects documentation of AI use in engagement files
- Client expectations (especially for SEBI-regulated audits) are rising
See AI Audit Tool Evaluation Checklist for the criteria — many align with SEBI Responsible AI Framework expectations applied to vendor selection.
Where mid-tier firms get caught
Three common gaps for mid-tier firms auditing SEBI-regulated entities:
Gap 1: Treating AI use as "IT general control" rather than substantive
If the AI affects financial reporting (ECL, valuation, revenue recognition for derivatives), it's substantive, not just an ITGC. SA 540 (Estimates) procedures apply.
Gap 2: Accepting management's AI explanations without independent verification
For a complex ML model, the auditor needs an expert (SA 620). Don't rely solely on management's assertion about model accuracy.
Gap 3: Inadequate documentation of AI-specific procedures
The audit working paper should explicitly show what AI-related procedures were performed. "AI controls tested" is insufficient. "Tested model retention via... reviewed SEBI registration via... verified governance policy via..." is the documentation expected.
The competitive angle
Auditing SEBI-regulated entities is a substantial market segment. Mutual funds, NBFCs, stock brokers, AIFs together represent thousands of audited entities annually with significant fees.
The Responsible AI Framework raises the audit complexity. Firms that build the capability to handle this — through AI specialist staff, partnerships with IT audit specialists, or technology adoption — gain competitive advantage in this segment.
The Big-4 are positioning for this aggressively (see Mid-tier vs Big-4 race post). Mid-tier firms can compete by:
- Specialising in specific SEBI-regulated entity types (e.g., focus on NBFC audits)
- Building documented methodology
- Partnering with information systems audit specialists
- Adopting audit-tech (CORAA, others) that timestamps and documents AI use
Bottom line
SEBI's Responsible AI / ML Framework (from June 2025 consultation paper through to substantive implementation in 2026-27) creates new audit obligations for statutory auditors of SEBI-regulated entities. The framework requires:
- AI system inventory + registration
- Periodic reporting + 5-year retention
- Governance + transparency + audit trail
- Independent validation
For audit work:
- Add AI procedures to engagement planning
- Verify SEBI registration + reporting
- Test model retention systems
- Review governance framework + validation reports
- Consider KAM / disclosure implications
- Document explicitly in SA 230 working papers
For CA firms:
- Build capability in audit of AI-using entities
- Engage SA 620 expert where needed
- Specialise in SEBI-regulated entity segments where appropriate
- Align own AI adoption with SEBI Framework principles
For practitioner resources:
- AI Audit Tool Evaluation Checklist — aligns with SEBI Framework principles
- SA 240 JE Risk Scorer — for SEBI-regulated entity transaction screening
- Going Concern Indicator Scorer — SA 570 for SEBI-regulated entities with material AI dependency
- NFRA Enforcement Tracker — see how AI / model failures translate to enforcement
The SEBI Framework will be substantive law from FY 2026-27 (or as SEBI notifies). Auditors should be ready before then.