System Audit Report - Format
(TO BE ON THE LETTERHEAD OF THE SYSTEM AUDITOR)

DATE:
NAME OF TRADING MEMBER:

SYSTEM AUDIT REPORT FOR THE PERIOD FROM JULY 01, 2009 TO JUNE 30, 2010

Part A

Each control in Part A is laid out in four columns: Controls / Processes; Test Case; Results, Observations & Control Risk; Auditor's Risk Opinions. The Results and Auditor's Risk Opinions columns are left blank for the auditor to complete and are not repeated below.

Controls / Processes: The installed CTCL system features are as prescribed by the NSE.
Test Case:
• Risk Management Tools: should allow for risk management of the orders placed and online risk monitoring of the orders being placed.
• CTCL Version: Order Gateway Version; Risk Administration / Manager Version; Front End / Order Placement Version.

Controls / Processes: The installed CTCL system parameters are as per NSE norms.
Test Case: Gateway Parameters (Trader ID and the market-segment identifiers, listed at the end of Part A).

Controls / Processes: Location Confirmation for DMA.
Test Case: Whether the order routing server for DMA is located in India. Provide the address of the DMA server location.

Controls / Processes: The installed DMA system features are as prescribed by the NSE.
Test Case:
• Risk Management Tools: should allow for risk management of the orders placed and online risk monitoring of the orders being placed.

Trading Process
Controls / Processes: The installed CTCL system allows for placing of trades only for authorized clients.
Test Case:
• Client ID Verification: only duly authorized clients' orders are allowed to be placed.
• Proprietary order entry mechanism: order entry for Pro types of orders is executed through specific user ids.

Risk Management
Controls / Processes: The installed CTCL system is capable of assessing the risk of the client as soon as the order comes in and informs the client of acceptance / rejection of the order within a reasonable period.
Test Case:
• Order Parameters: there is online risk assessment of all orders placed through the CTCL system.
• Order Reconfirmation Facility: the installed CTCL system provides for reconfirmation of orders which are larger than the size specified by the member's risk management system.

Execution of Orders / Order Logic
Controls / Processes: The installed CTCL / DMA system provides a system based control facility over the order input process.
Test Case:
• Only orders that are within the parameters specified by the risk management systems are allowed to be placed.
• The system has a manual override facility for allowing orders that do not fit the system based risk control parameters.
• Order Numbering Methodology: if the system is enabled for internet trading, the system has an internal unique order numbering system.
• Order Matching: the system does not have any order matching function and all orders are passed on to the exchange trading system for matching.
• Whether the Broker is using similar logic / priorities as used by the Exchange to treat DMA client orders.

Order / Trade Limit Controls
Controls / Processes: The installed CTCL system provides a system based control facility on the trading limits of the clients and the exposures taken by the clients, including set pre-defined limits on the exposure and turnover of each client.
Test Case:
• Whether DMA orders carry a unique flag / tag as specified by the Exchange.
• The DMA system has appropriate authority levels to ensure that the limits can be set up only by persons authorized by the risk / compliance manager.

Application Access Control
Controls / Processes: The installed CTCL / DMA system provides a system based access control over the CTCL / DMA server as well as the risk management and front end dealing applications while providing for security.
Test Case:
• The system allows access to only authorized users.
• The system has a password mechanism which restricts access to authenticated users.

Session Security
Controls / Processes: The installed CTCL system provides for session security for all sessions established with the CTCL server by the front end application.
Test Case:
• The system uses session identification and authentication measures to restrict sessions to authorized users only.
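The order-input and limit controls above (authorized clients only, orders only within risk parameters, reconfirmation of large orders, manual override restricted to authorized persons, unique internal order numbering) can be checked against a concrete implementation. The following is an added worked example written for this page; it is not code from the NSE format or from any member's CTCL / DMA product. The client codes, limit values, user ids and the `RiskGateway`, `ClientLimits` and `Order` names are all constructed for illustration, and order value is taken as quantity times price with no margin or netting logic.

```python
"""Pre-trade risk gateway: every order is validated before release to the
exchange. Added illustration; not code from the NSE format or any CTCL."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientLimits:
    """Per-client risk parameters (all values here are constructed examples)."""
    client_code: str
    authorized: bool
    exposure_limit: float    # maximum open exposure on an order-value basis
    turnover_limit: float    # maximum gross turnover for the day
    reconfirm_above: float   # order value above which dealer reconfirmation is required
    exposure_used: float = 0.0
    turnover_used: float = 0.0


@dataclass
class Order:
    client_code: str
    symbol: str
    qty: int
    price: float
    reconfirmed: bool = False           # dealer has reconfirmed a large order
    override_by: Optional[str] = None   # user id approving a manual limit override

    @property
    def value(self) -> float:
        return self.qty * self.price


class RiskGateway:
    """Returns (decision, order_number, reason) for each order.

    An order number is assigned only to accepted orders, from a single
    monotonic counter, so every order that leaves the gateway carries a
    unique internal number. Every decision is appended to an audit log.
    """

    def __init__(self, limits: List[ClientLimits], override_approvers: List[str]):
        self.limits: Dict[str, ClientLimits] = {l.client_code: l for l in limits}
        self.approvers = set(override_approvers)   # risk / compliance manager ids
        self._seq = count(1)
        self.log: List[Tuple[str, str, Optional[int], str]] = []

    def _record(self, order: Order, decision: str, order_no: Optional[int], reason: str):
        self.log.append((order.client_code, decision, order_no, reason))
        return decision, order_no, reason

    def validate(self, order: Order) -> Tuple[str, Optional[int], str]:
        lim = self.limits.get(order.client_code)
        if lim is None or not lim.authorized:
            return self._record(order, "REJECT", None, "client not authorized")
        if order.qty <= 0 or order.price <= 0:
            return self._record(order, "REJECT", None, "invalid order parameters")
        if order.value > lim.reconfirm_above and not order.reconfirmed:
            return self._record(order, "RECONFIRM", None, "order value above reconfirmation threshold")

        breaches = []
        if lim.exposure_used + order.value > lim.exposure_limit:
            breaches.append("exposure")
        if lim.turnover_used + order.value > lim.turnover_limit:
            breaches.append("turnover")

        if breaches:
            # Manual override is honoured only from an approver id (None is never an approver).
            if order.override_by not in self.approvers:
                return self._record(order, "REJECT", None, "limit breach: " + ", ".join(breaches))
            reason = "limit breach overridden by " + order.override_by
        else:
            reason = "within limits"

        lim.exposure_used += order.value
        lim.turnover_used += order.value
        return self._record(order, "ACCEPT", next(self._seq), reason)


def demo() -> List[Tuple[str, Optional[int], str]]:
    """Runs constructed sample orders through the gateway in sequence."""
    gw = RiskGateway(
        limits=[
            ClientLimits("C001", True, exposure_limit=100_000, turnover_limit=500_000, reconfirm_above=50_000),
            ClientLimits("C002", False, exposure_limit=0, turnover_limit=0, reconfirm_above=0),
        ],
        override_approvers=["RISKMGR1"],
    )
    return [
        gw.validate(Order("C001", "RELIANCE", 10, 1000.0)),                         # 10,000: accept, order no 1
        gw.validate(Order("C002", "RELIANCE", 1, 1000.0)),                          # unauthorized client
        gw.validate(Order("C001", "INFY", 100, 600.0)),                             # 60,000: needs reconfirmation
        gw.validate(Order("C001", "INFY", 100, 600.0, reconfirmed=True)),           # accept, order no 2
        gw.validate(Order("C001", "TCS", 50, 1000.0)),                              # exposure would reach 120,000
        gw.validate(Order("C001", "TCS", 50, 1000.0, override_by="DEALER9")),       # dealer is not an approver
        gw.validate(Order("C001", "TCS", 50, 1000.0, override_by="RISKMGR1")),      # accept, order no 3
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The design point worth noting for an auditor is that the override path does not bypass the check; it is a separate branch that still records who approved it, and the order number counter only advances on acceptance, so the audit log and the numbering agree.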

• The system uses session security measures like encryption to ensure confidentiality of the sessions initiated.

Encryption
Controls / Processes: The installed CTCL system uses confidentiality protection measures to ensure session confidentiality.
Test Case:
• Session Encryption: the system uses SSL or similar session confidentiality protection mechanisms.
• The system adequately protects the confidentiality of the users' trade data.

Database Security
Controls / Processes: The installed CTCL system has sufficient controls over the access to and integrity of the database.
Test Case:
• Access to the CTCL database is allowed only to authorized users / applications.
• The CTCL database is hosted on a secure platform.
• The CTCL database stores user names / passwords securely, using a secure storage mechanism.

Event Logging and System Monitoring
Controls / Processes: The installed CTCL system provides a system based event logging and system monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server, on authorized user terminals and on transactions processed for clients or otherwise, and the same is not susceptible to manipulation.
Test Case:
• On-line surveillance and risk management: the installed CTCL system has a provision for on-line surveillance and risk management as per the requirements of NSE, including the number of users logged in / hooked on to the network (with the privileges of each) and the number of active clients.
• Off-line monitoring and risk management: the installed CTCL system has a provision for off-line monitoring and risk management as per the requirements of NSE, including reports / logs on the number of authorized users, activity logs and system logs.

User Management
Controls / Processes: The installed CTCL system has a User Management system as per the requirements of the NSE.
Test Case:
• Approved Users: only users approved by the NSE are allowed to access the CTCL system, and documentation regarding the same is maintained in the form of the User Approval Application and a copy of the User Qualifications.
• User Creation: new CTCL User IDs are created as per the CTCL guidelines.
• User Disablement: users not compliant with the Exchange requirements are disabled and event logs are maintained.
• User Deletion: users are deleted as per the NSE guidelines.
• Reissue of User Ids: user ids are reissued as per the NSE guidelines.
• Locked User Accounts: users whose accounts are locked are unlocked only after documented unlocking requests are made.

Authentication
Controls / Processes: The installed CTCL system's authentication mechanism is as per the guidelines of the NSE.
Test Case:
• The installed CTCL system uses passwords for authentication.
• All users are uniquely identified through the issue of unique CTCL ids.
• The system requests identification and password before login into the system.
• The password policy / standard is documented.

Password Features
The installed CTCL system's password features include:
• The password is masked at the time of entry.
• System mandated changing of the password when the user logs in for the first time.
• System controls to ensure that the password is of minimum six characters and not more than twelve characters.
• System controls to ensure that the password is alphanumeric (preferably with one special character) instead of just alphabets or just numerals.
• System controls to ensure that the login id of the user and the password are not the same.
• System controls to ensure that the changed password cannot be the same as the last password.
• Automatic disablement of the user on entering an erroneous password on three consecutive occasions.
• Automatic expiry of the password on expiry of 14 calendar days.
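The password features listed above, together with the locked-account and secure-storage requirements earlier in Part A, map onto a small amount of enforcement logic. The following is an added worked example written for this page, not code from the NSE format or from any CTCL product. The `CtclUserStore`, `UserRecord` and `password_rule_violations` names, the sample user id, the request reference and the dates are all constructed; two points are interpretations of the checklist and are marked as such in comments: "alphanumeric" is read as at least one letter and one digit, and the 14-day expiry is applied once 14 calendar days have elapsed since the last change.

```python
"""Password policy, lockout and hashed storage for CTCL user ids.
Added illustration; not code from the NSE format or any CTCL product."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

MIN_LEN, MAX_LEN = 6, 12          # minimum six, not more than twelve characters
MAX_FAILED_ATTEMPTS = 3           # automatic disablement on third consecutive error
EXPIRY_DAYS = 14                  # automatic expiry after 14 calendar days


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: only the hash is stored, so member staff cannot read passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class UserRecord:
    user_id: str
    salt: bytes
    pw_hash: bytes
    changed_on: date
    must_change: bool = True      # first login forces a password change
    failed: int = 0               # consecutive failed attempts
    locked: bool = False


def password_rule_violations(user_id: str, new_pw: str, current: UserRecord = None) -> List[str]:
    """Returns the policy rules the candidate password breaks (empty list = acceptable)."""
    errs = []
    if not MIN_LEN <= len(new_pw) <= MAX_LEN:
        errs.append("length must be 6-12 characters")
    # Interpretation of "alphanumeric": at least one letter and one digit.
    if not (re.search(r"[A-Za-z]", new_pw) and re.search(r"[0-9]", new_pw)):
        errs.append("must contain both letters and digits")
    if new_pw.lower() == user_id.lower():   # assumption: compared case-insensitively
        errs.append("must not equal the login id")
    if current is not None and hmac.compare_digest(_hash(new_pw, current.salt), current.pw_hash):
        errs.append("must differ from the last password")
    return errs


class CtclUserStore:
    def __init__(self, today: date):
        self.today = today                    # injected clock so expiry can be exercised
        self.users: Dict[str, UserRecord] = {}
        self.unlock_log: List[tuple] = []     # record of documented unlock requests

    def create_user(self, user_id: str, initial_pw: str) -> None:
        errs = password_rule_violations(user_id, initial_pw)
        if errs:
            raise ValueError("; ".join(errs))
        salt = os.urandom(16)
        self.users[user_id] = UserRecord(user_id, salt, _hash(initial_pw, salt), self.today)

    def login(self, user_id: str, password: str) -> str:
        rec = self.users.get(user_id)
        if rec is None:
            return "REJECT: unknown user"
        if rec.locked:
            return "REJECT: account locked"
        if not hmac.compare_digest(_hash(password, rec.salt), rec.pw_hash):
            rec.failed += 1
            if rec.failed >= MAX_FAILED_ATTEMPTS:
                rec.locked = True
                return "REJECT: account locked"
            return "REJECT: bad password"
        rec.failed = 0
        if rec.must_change:
            return "CHANGE_REQUIRED: first login"
        # Interpretation: expired once 14 calendar days have elapsed since the last change.
        if (self.today - rec.changed_on).days >= EXPIRY_DAYS:
            return "CHANGE_REQUIRED: password expired"
        return "OK"

    def change_password(self, user_id: str, old_pw: str, new_pw: str) -> List[str]:
        rec = self.users[user_id]
        if not hmac.compare_digest(_hash(old_pw, rec.salt), rec.pw_hash):
            return ["current password incorrect"]
        errs = password_rule_violations(user_id, new_pw, rec)
        if errs:
            return errs
        rec.pw_hash = _hash(new_pw, rec.salt)
        rec.changed_on = self.today
        rec.must_change = False
        return []

    def unlock(self, user_id: str, request_ref: str) -> None:
        """Unlocks only against a documented unlock request reference."""
        if not request_ref:
            raise ValueError("documented unlock request reference required")
        rec = self.users[user_id]
        rec.locked = False
        rec.failed = 0
        self.unlock_log.append((user_id, request_ref, self.today))
```

An auditor testing the three-strike rule should confirm that the counter resets on a successful login and that a correct password is refused once the account is locked; both behaviours are in `login` above and are the usual places where a vendor implementation is found to be weaker than the policy document.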

Password Features (continued)
• System controls to ensure that the password is encrypted at the member's end so that employees of the member cannot view the same at any point of time.

Vendor Certified Network Diagram
Test Case:
• Date of submission of the network diagram to NSE (only in case of a change in the network setup; the member needs to submit a revised scanned copy of the network diagram along with this report).
• Verify the number of nodes in the diagram against the actual.
• Verify the location(s) of the nodes in the network.

Physical Security
Test Case: Are adequate provisions made in respect of the physical security of the hardware / systems at the hosting location, and controls on admission of personnel into the location (audit trail of all entries / exits at the location etc.)?

Backup
Controls / Processes: The installed CTCL system's backup capability is adequate as per the requirements of the NSE for overcoming loss of product integrity.
Test Case:
• Are backups of the following system generated files maintained as per the NSE guidelines?
  At the CTCL server / gateway level: Database; Audit Trails; Reports.
  At the CTCL user level: Market Watch; Logs; History; Reports; Audit Trails.
• Are backup procedures documented?
• Are backup logs maintained?
• Have the backups been verified and tested?
• Are the backup media stored safely in line with the risk involved?

• Are there any recovery procedures, and have the same been tested?

Gateway Parameters (test case for "The installed CTCL system parameters are as per NSE norms")
• Trader ID
• Market Segment – CM: CTCL ID; IP Address (NSE Network); VSAT ID; Leased Line ID
• Market Segment – F&O: CTCL ID; IP Address (NSE Network); VSAT ID; Leased Line ID
• Market Segment – CDS: CTCL ID; IP Address (NSE Network); VSAT ID; Leased Line ID

Part B

Columns as in Part A: Controls / Processes; Test Case; Results, Observations & Control Risk; Auditor's Opinion.

Main Features
Controls / Processes: The installed CTCL system features are as prescribed by the NSE.
Test Case:
• Price Broadcast: the system has a feature for receipt of price broadcast data.
• Order Processing: the system has a feature which allows order entry and confirmation of orders, and which allows for modification or cancellation of orders placed.
• Trade Confirmation: the system has a feature which enables confirmation of trades.

Order Entry / Execution of Orders / Order Logic
Controls / Processes: The installed CTCL system provides a system based control facility over the order input process.
Test Case:
• The system has order placement controls that allow only orders matching the system parameters to be placed.
• Order Modification: the system allows for modification of orders placed.
• Order Cancellation: the system allows for cancellation of orders placed.
• Order Outstanding Check: the system has a feature for checking the outstanding orders, i.e. the orders that have not yet traded or have partially traded.

Trades Information
Controls / Processes: The installed CTCL system provides a system based control facility over the trade confirmation process.
Test Case:
• Trade Confirmation and Reporting Feature: should allow confirmation and reporting of the orders that have resulted in a trade.

Settlement of Trades
Controls / Processes: The installed CTCL system provides system based reports on contracts, margin requirements, payment and delivery obligations.
Test Case:
• Margin Reports feature: should allow for the reporting of client wise / user wise margin requirements as well as payment and delivery obligations.

Additional Access Control Security
Controls / Processes: The installed CTCL system provides a dual factor authentication system for access to the various CTCL components.
Test Case:
• Extra Authentication Security: the system uses additional authentication measures like smart cards, biometric authentication or tokens etc.
• The system has a second level of password control for critical features.

Policies and Procedures
Controls / Processes: To ensure information security for the Organisation in general and the installed CTCL system in particular, policy and procedures as per the NSE requirements must be established, implemented and maintained.
Test Case: Does the organization's documented policy and procedures include the following policies and, if so, are they in line with the NSE requirements?
• Information Security Policy
• Password Policy
• User Management and Access Control Policy

• Network Security Policy
• Application Software Policy
• Change Management Policy
• Backup Policy
• BCP and Response Management Policy
• Audit Trail Policy
• Does the organisation follow any other policy or procedures or documented practices that are relevant, if any?

NSE Circular Compliance
Controls / Processes: The CTCL system has been installed after complying with the various NSE circulars.
Test Case:
• Copy of the Undertaking provided regarding the CTCL system as per the relevant circulars.
• Copy of the application for approval for Internet Trading.

Insurance
Controls / Processes: The insurance policy of the Member covers the additional risk of usage of CTCL and/or Internet Trading.

Change Management
Controls / Processes: To ensure system integrity and stability, all changes to the installed CTCL system are planned, evaluated for risk, tested, approved and documented.
Test Case:
• Planned Changes: are changes to the installed CTCL system made in a planned manner? Are they made by duly authorized personnel?
• Risk Evaluation Process: is the risk involved in the implementation of the changes duly factored in?
• Change Approval: is the implemented change duly approved and the process documented?
• Pre-implementation process: is the change request process documented?
• Change implementation process: is the change implementation process supervised to ensure system integrity and continuity?
• Post implementation process: is user acceptance of the change documented?
• Unplanned Changes: in case of unplanned changes, are the same duly authorized and the manner of change documented later?
• In case of a member's self-developed CTCL system: SDLC documentation and procedures, if the installed CTCL system is developed in-house.

Business Continuity / Disaster Recovery / Incident Response
Controls / Processes: Does the Organisation have a suitable documented Business Continuity or Disaster Recovery or Incident Response process, commensurate with the organisation's size and risk profile, to ensure a high degree of availability of the installed CTCL system?
Test Case:
• Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?
• Does a BCP / DRP plan exist? If a BCP / DRP plan exists, has it been tested?
• Are there any documented incident response procedures?
• Are there any documented risk assessments?
• Does the installation have a Call List for emergencies maintained?
• How will the organization assure customers prompt access to their funds and securities in the event the organization determines it is unable to continue its business in the primary location?
• Network / Communication Link Backup: Is the backup network link adequate in case of failure of the primary link to the NSE? Is the backup network link adequate in case of failure of the primary link connecting the CTCL users? Is there an alternate communications path between customers and the firm? Is there an alternate communications path between the firm and its employees? Is there an alternate communications path with critical business constituents, banks and regulators?
• System Failure Backup: are there suitable backups for failure of any of the critical system components like the Gateway / Database Server, CTCL router and Network Switch?
• Infrastructure breakdown backup: are there suitable arrangements made for the breakdown of any infrastructure components like Electricity, Water and Air Conditioning?
• Primary Site Unavailability: has any provision for an alternate physical location of employees been made in case of non-availability of the primary site?
• Disaster Recovery: are there suitable provisions for books and records backup and recovery (hard copy and electronic)? Have all mission-critical systems been identified and provision for backup of such systems been made?

System Processes
Test Case:
• Are documented practices available for the various system processes: Day Begin, Day End and other system processes (Audit Trails, Access Logs, Transaction Logs, Backup Logs, Alert Logs, Activity Logs, Retention Period, Misc.)?
• Is a log of success / failure of the process maintained for Day Begin, Day End and other system processes?
• In case of failure, is there an escalation procedure implemented? Give details of the various response procedures, including for Access Control failure, Day Begin failure, Day End failure and other system process failures.

Access Control: as given in Area (e).

Firewall: Is a firewall implemented?

Anti virus: Is a malicious code protection system implemented? If yes, then:
• Are the definition files up-to-date?
• Any instances of infection?
• Last date of virus check of the entire system.

Part C

Sr. No. | Area of Audit | Compliance (YES / NO) | Remarks (if "No")

1. Whether the required details of all the CTCL ids created in the CTCL server of the trading member, for any purpose (viz. trading, view only, risk management, surveillance, administration, branch administration, mini-administration, testing, etc.) and any changes therein, have been uploaded as per the requirement of the Exchange? If no, please give details. YES / NO

2. Whether all the CTCL user ids created in the CTCL server of the trading member have been mapped to 12 digit codes on a one-to-one basis and a record of the same is maintained? If no, please give details. YES / NO

3. All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2009 have been duly implemented. If not, please give details. YES / NO

4. All DMA orders are routed through electronic / automated risk management systems of the broker to carry out appropriate validations of all risk parameters before the orders are released to the Exchange. YES / NO / NA

DECLARATION:

I) All the branches where the CTCL facility is provided have been audited and ONE consolidated report has been submitted for all segments.

II) All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2009 have been duly implemented. IF NOT, the same have been reported hereunder.
1)
2)

III) There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit.

_______________________________
Signature
(Name of the Auditor & Auditing firm)
CISA/CISSP/ISA Reg. No.:
Date:
Place:
Stamp/Seal:

SUMMARY SHEET

NAME OF THE AUDIT FIRM: ____________________________________________________

Sr. No. | Area of Audit | Compliance Part A (S/M/W) | Compliance Part B (S/M/W) | Report Reference

1. Are the existing features and system parameters implemented in the CTCL system in place at the member's premises?
2. Are input, processing and output controls in respect of CTCL operations adequate?
3. Is the application security commensurate to the size and nature of the application?
4. Is event logging and system monitoring observed?
5. Are user management norms defined and observed?
6. Are password policy / standards defined and observed?
7. Are working processes in adherence with the policies and procedures defined?
8. Is the network managed adequately in relation to the size and nature of operations, and are the necessary controls present?
9. Are change management and version controls documented and practiced?
10. Are backup systems present and of adequate size, and are procedures for backup prescribed?
11. Is there a business continuity and disaster recovery plan in place and made known to all employees?
12. Is documentation for system processes maintained?
13. Are security features such as access control, network, firewalls and virus protection present and updated regularly?
14. Is there any other area / aspect which in the auditor's opinion is not complied with and which is significant and material in relation to the size and the nature of the operations?

(In the original form the Part B compliance column is pre-printed "NA" for the rows to which Part B does not apply.)

Note: Process Area Controls Evaluation Criteria

Strong: The controls are defined as Strong if the following criteria are met: implemented controls fully comply with the stated objectives and no material weaknesses are found.

Medium: The controls are defined as Medium if the following criteria are met: implemented controls substantially comply with the stated objectives and no material weakness results in substantial risk exposure due to the non-compliance with the criteria; compensatory controls exist which reduce the risk exposure so as to make it immaterial vis-à-vis the non-compliance with the criteria.

Weak: The controls are defined as Weak if the following criteria are met: implemented controls materially fail to comply with the stated control objectives; compensating controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria.

(To be on the letterhead of the AUDITOR)

Date:

To,
CTCL Department
National Stock Exchange of India Limited
Exchange Plaza, Bandra-Kurla Complex, Bandra (E), Mumbai – 400 051

This is to certify that the following is the list of applications for which the system audit has been conducted by me / us for the trading member <TM code> <TM Name> for the year ended June 30, 2010.

S.No | Name of the application | Version | Type of the product (CTCL/IBT/DMA/Algo) | Developed by | Vendor Name
1
2
3
4

Signature
(Name of the Auditor & Auditing firm)
CISA/CISSP/ISA Reg. No.:
Date:
Place:
Stamp/Seal:

(To be on the letterhead of the MEMBER)

Date:

To,
CTCL Department
National Stock Exchange of India Limited
Exchange Plaza, Bandra-Kurla Complex, Bandra (E), Mumbai – 400 051

Following is the list of applications which have been approved by the Exchange as on June 30, 2010.

S.No | Name of the application | Version | Type of the product (CTCL/IBT/DMA/Algo) | Developed by | Vendor Name
1
2
3
4

Yours faithfully,

Signature
Name
Designation
