IS Audit of Stock Brokers
CA Kinjal Shah
M.Com, F.C.A, D.I.S.A (ICAI)
Tel: 9892100844
E: kinjal@scononline.com

Acronyms
IML: Intermediate Message Layer
CTCL: Computer to Computer Link
ITORS: Internet Trading Order Routing System
IBT: Internet Based Trading
Algo: Algorithmic Trading
DMA: Direct Market Access
STWT: Securities Trading through Wireless Technology
SOR: Smart Order Routing

CA. Kinjal Shah - IS Audit of Stock Broker, WIRC of ICAI

Auditor Requirements
• The System Audit should be carried out by a CISA / ISA / CISSP Certified Systems Auditor, and their Name, Registration Number, along with the Stamp, Seal, place and date should be mentioned at the end of the report. Every page of the report should be initialed by the System Auditor.
• The System Auditor should be independent of the Empanelled vendors of the Exchange and/or partners/Directors of the Trading members.
• One consolidated report should be submitted for all the branches and for both the segments (CM, F&O and Currency Derivatives Segment).

Trading Network Architecture

CTCL / IML Audit Areas
Features and system parameters implemented in the system
1. The installed system parameters are as per Exchange norms:
   1. CTCL Version
   2. Order Gateway Version
   3. Risk Administration / Manager Version
   4. Front End / Order Placement Version
2. The system has a feature for receipt of price broadcast data.
3. If the system is enabled for internet trading, the system has an internal unique order numbering system.
4. The system does not have any order matching function and all orders are passed on to the exchange trading system for matching.

Adequacy of input, processing and output controls
The system has a feature for:
1. Allowing only orders matching the system parameters to be placed.
2. Modification of orders placed.
3. Cancellation of orders placed.
4. Checking the outstanding orders, i.e. the orders that have not yet traded or partially traded.
5. Reporting of client wise / user wise margin requirements as well as payment and delivery obligations.

Online Risk Management relating to orders is observed and adequate
The system has a feature for:
1. Placing of trades only for authorized clients.
2. Assessing the risk of the client as soon as the order comes in and informing the client of acceptance/rejection of the order within a reasonable period.
3. System based control facility on the trading limits of the clients and exposures taken by the clients, including setting pre-defined limits on the exposure and turnover of each client.
4. Reconfirmation of orders which are larger than that specified by the member's risk management system.

Application security & Database security
The system has a feature for:
1. Providing a system based access control over the CTCL server as well as the risk management and front end dealing applications.
2. Allowing access to only authorized users, i.e. a password mechanism which restricts access to authenticated users.
3. Sufficient controls over the access to and integrity of the database.
4. Extra Authentication Security measures like:
   1. Smart cards, biometric authentication or tokens etc.
   2. Second level of password control for critical features.

Adequacy of measures to protect the confidentiality of sessions
1. The system uses SSL or similar session confidentiality protection mechanisms.
2. The system uses a secure storage mechanism for storing of usernames and passwords.
3. The system adequately protects the confidentiality of the users' trade data.
4. The installed system provides for session security for all sessions established with the application server by the front end application.
5. The system uses session identification and authentication measures to restrict sessions to authorized users only.

Event logging and system monitoring activities
1. The system provides a system based event logging and system monitoring facility which monitors and logs all activities / events arising from actions taken on the gateway / database server, authorized user terminal and transactions processed for clients, and the same is not susceptible to manipulation.
2. The following reports / logs should be generated:
   • Number of Users Logged In / hooked on to the network incl. privileges of each
   • Number of Authorized Users
   • Activity logs
   • Systems logs
   • Number of active clients

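An added example, not from the original presentation: one way to make an event log "not susceptible to manipulation" is to hash-chain its entries so that any altered or removed entry breaks verification, and the "users logged in incl. privileges" and "number of active clients" reports of item 2 can then be derived from the verified chain. The event format and the sample events are constructed for this example.

```python
import hashlib
import json

# Constructed sample gateway / terminal events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2010-03-01T09:00:01", "user": "ADM01", "priv": "admin", "event": "login"},
    {"ts": "2010-03-01T09:00:05", "user": "DLR01", "priv": "trading", "event": "login"},
    {"ts": "2010-03-01T09:05:10", "user": "DLR01", "event": "order", "client": "C1001"},
    {"ts": "2010-03-01T09:06:00", "user": "DLR02", "priv": "view", "event": "login"},
    {"ts": "2010-03-01T09:07:30", "user": "DLR01", "event": "order", "client": "C1002"},
    {"ts": "2010-03-01T09:20:00", "user": "ADM01", "event": "logout"},
]

def append_event(chain, event):
    """Append an entry whose hash covers the previous entry's hash (tamper evidence)."""
    prev = chain[-1]["hash"] if chain else "0" * 64   # all-zero hash seeds the chain
    body = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append({"prev": prev, "body": body, "hash": digest})
    return chain

def verify_chain(chain):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1

def session_report(chain):
    """Users still logged in (with privilege) and number of active clients."""
    logged_in, clients = {}, set()
    for entry in chain:
        ev = json.loads(entry["body"])
        if ev["event"] == "login":
            logged_in[ev["user"]] = ev["priv"]
        elif ev["event"] == "logout":
            logged_in.pop(ev["user"], None)
        elif ev["event"] == "order":
            clients.add(ev["client"])
    return {"users_logged_in": logged_in, "active_clients": len(clients)}

def build_sample_chain():
    """Build the chain from the constructed sample events."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain
```

In practice the hashes would be anchored outside the server (for example, periodically written to write-once media) so that an administrator with database access cannot rebuild the whole chain; the snippet shows only the verification logic.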
User management norms defined and observed
1. The system has a User Management procedure as per the requirements of the exchange.
2. Only users approved by the exchanges are allowed to access the system and documentation regarding the same is maintained in the form of User Approval Application & Copy of User Qualifications.
3. New User IDs are created as per the exchange guidelines.
4. All users are uniquely identified through issue of unique CTCL / IML ids.
5. Users not compliant with the Exchange Requirements are disabled and event logs maintained.
6. Users whose accounts are locked are unlocked only after documented unlocking requests are made.

Password policy / standards defined and observed
1. The installed CTCL system uses passwords for authentication.
2. The password policy / standard is documented.
3. The system requests for identification and new password before login into the system.

Password Features
1. The Password is masked at the time of entry.
2. System mandated changing of password when the user logs in for the first time.
3. Automatic disablement of the user on entering erroneous password on three consecutive occasions.
4. Automatic expiry of password on expiry of 14 days.
5. System controls to ensure that the password is alphanumeric.
6. System controls to ensure that the changed password cannot be the same as the last password.
7. System controls to ensure that the Login id of the user and password should not be the same.
8. System controls to ensure that the Password should be of minimum six characters and not more than twelve characters.

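As an added illustration (not part of the original slides), the following Python sketch turns features 2 through 8 of this checklist into enforceable rules that an auditor could test against; the account class, the plain-text password comparison and the reading of "alphanumeric" as "contains both letters and digits" are assumptions made for the example.

```python
from datetime import date, timedelta

MIN_LEN, MAX_LEN = 6, 12   # item 8: six to twelve characters
MAX_FAILURES = 3           # item 3: disable after three consecutive bad attempts
EXPIRY_DAYS = 14           # item 4: password expires after 14 days


def password_violations(login_id, candidate, last_password):
    """Return the checklist items (5-8) that the candidate password breaks."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("8: length must be 6-12 characters")
    # 'alphanumeric' is read here as 'contains both letters and digits' (assumption)
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("5: must contain letters and digits")
    if candidate == last_password:
        problems.append("6: must differ from the last password")
    if candidate.lower() == login_id.lower():
        problems.append("7: must not equal the login id")
    return problems


class UserAccount:
    """Minimal account state for the lockout, first-login and expiry rules."""
    def __init__(self, login_id, password, set_on):
        self.login_id, self.password, self.set_on = login_id, password, set_on
        self.first_login, self.failures, self.disabled = True, 0, False

    def login(self, attempt, today):
        """Return 'disabled', 'rejected', 'change_required' or 'ok'."""
        if self.disabled:
            return "disabled"
        if attempt != self.password:          # plain-text compare only for illustration
            self.failures += 1
            if self.failures >= MAX_FAILURES:  # item 3: third consecutive failure disables
                self.disabled = True
                return "disabled"
            return "rejected"
        self.failures = 0                      # a good login resets the counter
        if self.first_login or today - self.set_on >= timedelta(days=EXPIRY_DAYS):
            return "change_required"           # items 2 and 4
        return "ok"

    def change_password(self, new_password, today):
        """Apply items 5-8; on success store the password and clear first-login."""
        problems = password_violations(self.login_id, new_password, self.password)
        if not problems:
            self.password, self.set_on, self.first_login = new_password, today, False
        return problems
```

A real system would store a salted hash rather than the password itself and keep the disable / unlock events in the audit trail that item 6 of the user management slide calls for.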
Working processes to be in adherence with the policies and procedures
The organization's documented policy and procedures should include the following policies, which should be in line with the exchange requirements:
1. Information Security Policy
2. Password Policy
3. User Management and Access Control Policy
4. Network Security Policy
5. Application Software Policy
6. Change Management Policy
7. Backup Policy
8. BCP and Response Management Policy
9. Audit Trail Policy

Change management and version controls documented and practiced
To ensure system integrity and stability, all changes to the system are planned, evaluated for risk, tested, approved and documented.
1. Whether changes are made in a planned manner
2. Whether made by duly authorized personnel
3. Is the risk involved in the implementation of the changes duly factored in
4. Is the implemented change duly approved and process documented
5. Is the change request process documented
6. Is the change implementation process supervised to ensure system integrity and continuity
7. Is user acceptance of the change documented

Procedure for Backup documented and practiced
Backups of the following system generated files should be maintained:
At the server / gateway level
• Database
• Audit Trails
• Reports
At the user level
• Market Watch
• Logs
• History
• Reports
• Audit Trails

Procedure for Backup documented and practiced
Verification of Backup procedures includes:
Are backup procedures documented?
1. Are backup logs maintained?
2. Have the backups been verified and tested?
3. Are the backup media stored safely in line with the risk involved?
4. Are there any recovery procedures and have the same been tested?

Business continuity and disaster recovery planning
The Organization should have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organization size and risk profile.
Verification of BCP / DRP includes:
1. Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?
2. Does a BCP / DRP plan exist?
3. If a BCP/DRP plan exists, has it been tested?
4. Are there any documented incident response procedures?
5. Are there any documented risk assessments?
6. Does the installation have a Call List for emergencies maintained?

Business continuity and disaster recovery planning
Verification of BCP / DRP includes:
7. How will the organization assure customers prompt access to their funds and securities in the event of disaster?
8. Are there suitable backups for failure of any of the critical system components like:
   1. Gateway / Database Application Server
   2. Router, Network Switch
   3. Electricity, Air Conditioning
9. Have any provisions for alternate physical location of employees been made?
10. Are there suitable provisions for Books and records backup and recovery (hard copy and electronic)?

Additional Security Features
• Adequate provisions for physical security of the hardware / systems at the hosting location and controls on admission of personnel into the location
• Implementation of Firewall
• Is a malicious code protection system (Anti Virus) implemented and the definition files up-to-date
• Last date of virus check of entire system
• The insurance policy of the Member covers the additional risk of usage of CTCL / IML and or Internet Trading

Backup link for Network / Communication failure
1. Is the backup network link adequate in case of failure of the primary link to the Exchanges
2. Is the backup network link adequate in case of failure of the primary link connecting the IML / CTCL users
3. Is the backup network link adequate in case of failure of the primary internet connectivity
4. Is there an alternate communications path between
   1. customers and the firm.
   2. firm and its employees.
   3. critical business constituents, banks and regulators

CTCL ID Details
1. Whether the required details of all the CTCL ids created in the CTCL server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc) and any changes therein, have been uploaded as per the requirement of the Exchange
2. Whether all the CTCL / IML user ids created in the server of the trading member have been mapped to 12 digit codes / 16 digit codes for NSE and BSE respectively on a one-to-one basis and a record of the same is maintained

Auditors Declaration
1. All the branches where CTCL / IML facility is provided have been audited and ONE consolidated report has been submitted.
2. All the audit recommendations given in relation to the system audit certificate for the previous year have been duly implemented. If not, the same have been reported hereunder.
3. There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit.

Documentation Requirements
1. Members who have been rated overall as "Medium" by the Exchange empanelled System Auditor prior to granting approval for IBT/STWT/DMA/Algo/SOR are required to submit an "Action taken Report", duly certified by their System auditors, detailing the actions taken by the member on various individual "Medium / Weak" areas along with the System audit report.
2. Only the Trading Members who are providing Internet trading facility are requested to submit the SSL certificate. The certificate must have details like name of website, validity period etc.

No IML Audit for BSE if
A Trading Member is not required to submit the System Audit Report & SSL certificate provided the Trading Member has taken the IML facility but it is used only for viewing purpose, or no trading has been done using the IML facility during the year ended March 31, 2010.

Thank you
CA. Kinjal Shah
Tel: 9892100844
E: kinjal@scononline.com