  • COB 14.5 Technology audit reports

    • COB 14.5.1

      (1) This Rule applies to an Authorised Firm that:
      (a) is Operating a Facility for Investment Tokens;
      (b) holds or controls Client Investments that include Investment Tokens;
      (c) relies on DLT or similar technology to carry on one or more of the Financial Services specified in COB Rule 14.4.1 relating to Investment Tokens; or
      (d) is Managing a Collective Investment Fund where:
      (i) Units of the Fund are Security Tokens; or
      (ii) 10% or more of the gross asset value of the Fund Property of the Fund consists of Investment Tokens.
      (2) The Authorised Firm must:
      (a) appoint a suitably qualified independent third party professional to:
      (i) carry out an annual audit of the Authorised Firm’s compliance with the technology resources and governance requirements that apply to it, including those specified in this chapter; and
      (ii) produce a written report which sets out the methodology and results of that annual audit, confirms whether the requirements referred to in (i) have been met and lists any recommendations or areas of concern;
      (b) submit to the DFSA a copy of the report referred to in (a)(ii) within 4 months of the Authorised Firm’s financial year end; and
      (c) be able to satisfy the DFSA that the independent third party professional appointed to carry out the annual audit has the relevant expertise to do so, and that the Authorised Firm has done proper due diligence to satisfy itself of that fact.


      Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]

      • COB 14.5.1 Guidance

        1. An Authorised Firm may appoint an Auditor to carry out the functions specified in COB Rule 14.5.1(2)(a), provided it is satisfied that the Auditor has the relevant expertise.
        2. Credentials that may indicate an independent third party professional is suitably qualified under COB Rule 14.5.1(2)(a):
        a. designation as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA);
        b. designation as a Certified Information Systems Security Professional (CISSP) by the International Information System Security Certification Consortium ((ISC)²); or
        c. accreditation by a recognised and reputable body to certify compliance with relevant ISO/IEC 27000 series standards.


        Derived from DFSA RMI311/2021 (Made 30th June 2021). [VER39/10-21]