SEBI Annual Compliance Audit for Research Analysts: Regulation 25(3) Guide (2026)
Once a year, every SEBI-registered Research Analyst has to be audited for compliance by an external professional and report the result to RAASB. Miss the 31 October deadline, or hand the auditor a shoebox of WhatsApp screenshots, and a routine audit turns into a problem. Here is who can audit you, the deadlines that matter, what the auditor checks, and how to prepare so the report comes back clean.
Note: General information for Research Analysts, not legal or audit advice. SEBI rules and deadlines change. Confirm the current requirements with your auditor and the SEBI circulars before relying on them.
What the audit is
Regulation 25(3) of the SEBI (Research Analysts) Regulations, 2014 requires every RA to conduct an annual audit of compliance with the regulations. It is an independent check, by an outside professional, that you are doing what the rules require: keeping records, making disclosures, charging fees within the cap, and handling clients and complaints correctly. It is not the same as your annual return, which is a separate filing.
Who can audit you
The audit must be done by a member of one of these professional bodies:
- The Institute of Chartered Accountants of India (ICAI), a practising CA.
- The Institute of Company Secretaries of India (ICSI), a practising CS.
- The Institute of Cost Accountants of India (ICMAI), added by a SEBI circular dated 25 March 2026.
The auditor should be independent of you. Many solo RAs use the same professional who handles their company filings, which is fine as long as that person is genuinely independent of the research function being audited.
The deadlines that matter
- Within 6 months of financial year-end: complete the audit. For a year ending 31 March, that means by 30 September.
- Within 1 month of the audit report: submit the report to RAASB, and in any case not later than 31 October for the preceding financial year.
- After the report: publish the audit status on your website and disclose any adverse findings with the corrective action taken, and share the report with your clients.
The 31 October date is the one to anchor your calendar to. Working backwards, brief your auditor by August so there is time to fix anything before the report is finalised.
What the auditor checks
Registration and certification
Your SEBI RA registration, the deposit requirement, and a valid NISM Series XV (or applicable) certification for you and any persons associated with research.
Client KYC and agreements
KYC records, the signed RA-client agreement, the Most Important Terms and Conditions (MITC), and risk profiling where applicable.
Regulation 25 records
Research reports signed and dated, recommendation rationale, public-appearance records, and proof they are retained for 5 years in a tamper-evident form.
Disclosures and conflicts
Mandatory research-report disclosures, financial-interest and 1%-ownership disclosures, and the AI-use disclosure where you use AI tools.
Fees
Fees charged within the SEBI cap and only through permitted modes, with receipts and records.
Complaints
The complaint register, SCORES and ODR handling, and the periodic complaints disclosure on your website.
Advertising
Advertisement-code compliance across your website and social media, including the registered-name and registration-number display.
How to prepare a clean report
The audit is only painful when the records are scattered. The analysts who breeze through it have one thing in common: a single, tamper-evident trail of what they sent each client and when. If your research notes live in WhatsApp chats and a folder of PDFs with editable timestamps, the auditor cannot easily verify when a recommendation was first made, which is exactly the point of Regulation 25.
Aktai keeps that trail automatically: every note you mark as sent is SHA-256 hashed and stored for five years, with date, recipient and content, and you can export the full log as a CSV to hand straight to the auditor. The complaint register, KYC records and disclosures still need to be in order, but the heaviest piece, the research-report record, is already audit-ready.
FAQ
Who can conduct a SEBI Research Analyst compliance audit?
A member of the Institute of Chartered Accountants of India (ICAI) or the Institute of Company Secretaries of India (ICSI). By a SEBI circular dated 25 March 2026, members of the Institute of Cost Accountants of India (ICMAI) are also eligible. The auditor should be independent of the RA being audited.
What is the deadline for the RA annual compliance audit?
The audit must be completed within six months of the end of the financial year, and the audit report submitted to RAASB within one month of the audit report date, but in any case not later than 31 October for the preceding financial year.
Do I have to publish the audit result?
Yes. You must publish the status of the compliance audit on your website, disclose any adverse findings together with the corrective action you took, and share the report with your clients. The point is transparency, not just filing.
What do auditors actually check?
Your registration and NISM certification status, the client KYC and agreement records, the Regulation 25 record-keeping (signed and dated research reports, recommendation rationale, retention for 5 years), conflict-of-interest and disclosure compliance, fee compliance against the cap, the complaint register, and your advertisement and social-media compliance. Clean, tamper-evident records make the audit short.
Is the annual compliance audit the same as the annual return?
No. They are two separate obligations. The compliance audit under Regulation 25(3) is conducted by an external CA, CS or Cost Accountant and reported to RAASB. The annual return is a separate filing. You have to do both.