1.   A CSD's operational risk-management framework and systems shall be subject to audits. The frequency of those audits shall be based on a documented risk assessment and shall be conducted at least once every two years.

2.   The audits referred to in the previous paragraph shall include both the activities of the internal business units of the CSD and those of the operational risk-management function.

3.   A CSD shall regularly evaluate and, where necessary, adjust the system for the management of operational risk.

4.   A CSD shall periodically test and review the operational arrangements, policies and procedures with users. The testing and review shall also be performed where substantive changes occur to the securities settlement system operated by the CSD or after operational incidents that affect the smooth provision of services by the CSD.

5.   A CSD shall ensure that data flows and processes associated with the operational risk-management system are accessible to the auditors without delay.