The document is a system audit report for the period from April 1, 2012 to March 31, 2013. It contains an annexure with several sections assessing organization policies and procedures, perimeter and environmental security, access control, systems and system security, network and network security, and database and database security. Each section lists key control areas and whether they were found to comply with auditing standards. The report findings provide observations to support compliance or non-compliance.
Author: Devendra Kulkarni
Format of System Audit Report
(To be on the letter head of the System Auditor)

System Audit Report for the period from April 1, 2012 to March 31, 2013
Date:

Annexure A
Columns: Areas of Audit; Auditor's Remarks (Supporting Observations, Findings, References & Substantiation)

1 Organization Policies & Procedures
Description (Yes / No)
Are policies related to Information Technology & Information Security available, approved by management and complied with?
Is the organization structure, with roles and responsibilities, defined for IT?
Are assets (such as applications, databases, servers, networks etc.) identified, and is ownership assigned by management for the complete lifecycle of these assets?
Are operators certified for operating the trading systems?
Do incident response procedures exist?
Are incidents reported, resolved / closed and analyzed for root cause?
Is escalation of incidents done to management and to government organizations as applicable, based on the criticality, impact and type of incident?
Do plans related to business continuity and disaster recovery exist?
Are plans related to business continuity and disaster recovery tested, and are records of the tests available?
2 Perimeter & Environmental Security
Description (Yes / No)
Member Name: BSE Clearing Number: Auditor Name: CISA Registration No: (form header, repeated on every page of the report)
Are equipment and resources (people, systems, databases, networks and applications) sited in a manner that protects against environmental threats & hazards and prevents opportunities for unauthorized access?
Is physical access to the area controlled by reliable controls, so that only authorized users have access to these areas and misuse of the facility by unauthorized persons is prevented?
Are logs of access to these areas maintained and reviewed?
Is storage of backups secured commensurate with the risks involved, and are backups stored at a location geographically separate from the primary site?
Does a contact list for emergency / crisis exist, and is it kept updated?
3 Access Control
Representation used in this section:
AC-Pro: Access Control Procedure / Process
AC-Auth: Access Control Authentication
AC-Pwd: Access Control Password
Each of the above has specific attributes, numbered as below.
Description (Yes / No)
AC-Pro1 Is approval and authorization a required process for creating a user and providing access (physical, system, database, application)?
AC-Pro2 Are users created by authorized personnel?
AC-Pro3 Is there a track of user ids created, disabled, enabled, deleted and unlocked, with a log of all such events maintained?
AC-Pro4 Are passwords (of systems / databases / applications) changed when an employee or vendor staff member leaves the company or is transferred?
AC-Pro5 In case of a new user or a password reset, is the password communicated to the user securely?
AC-Pro6 Does a process exist to block / suspend a user (id) on request from the user (in case of loss of device / malicious activity)?
AC-Auth1 Does the system (Application / System / Database) challenge (prompt) all users for authentication?
AC-Auth2 Is the mechanism for authentication strong enough to control the threats that may be applicable?
AC-Auth3 Are users uniquely identifiable with a unique user id?
AC-Auth4 Do generic ids exist for access?
AC-Auth5 Is two factor authentication for the login session implemented for all orders emanating over internet protocol?
AC-Auth6 Is a Public Key Infrastructure (PKI) based implementation using digital signatures deployed for authentication, supported by one of the agencies certified by the Government of India?
AC-Auth7 Are the two factors in the two factor authentication framework different from each other?
AC-Pwd1 Does the system require a change of password when the user logs in for the first time?
AC-Pwd2 Are users automatically disabled (locked) on entering an erroneous password on three consecutive occasions?
AC-Pwd3 Does the system disable (block / lock) the user automatically on expiry of the password?
AC-Pwd4 Are controls implemented to ensure that the password is alphanumeric (preferably with one special character), instead of just alphabets or just numerals?
AC-Pwd5 Are controls in place to ensure that the changed password cannot be the same as the last password?
AC-Pwd6 Are controls in place to ensure that the login id of the user and the password are not the same?
AC-Pwd7 Are controls in place to ensure that the password is a minimum of six characters and not more than twelve characters?
AC-Pwd8 Are controls in place to ensure that all passwords are secured by an encryption mechanism, and that the mechanism is adequate to provide safety from the applicable risks?
AC-Pwd9 Does the system ensure that the password is masked at the time of entry?
AC-SS Does the system allow only authorized administrative users to terminate a user's session?
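The AC-Pwd and AC-Pro controls above are stated as audit questions; the following is an added example (not part of this audit format, and not code from BSE or the auditor) showing how an application would enforce them so that an auditor can test them rather than take them on trust. Everything named here is an assumption for illustration: the Account class, the 30-day password age (AC-Pwd3 fixes none), the PBKDF2 work factor, and the rule that AC-Pwd8's "encryption" is met by a salted one-way hash, which is what a practitioner deploys for credentials that only ever need to be verified.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED_ATTEMPTS = 3                 # AC-Pwd2: lock after three consecutive failures
MIN_LEN, MAX_LEN = 6, 12                # AC-Pwd7: six to twelve characters
PASSWORD_MAX_AGE = 30 * 24 * 3600       # AC-Pwd3: assumed age in seconds; the format sets none
PBKDF2_ITERATIONS = 200_000             # AC-Pwd8: assumed work factor


def hash_password(password, salt=None):
    """AC-Pwd8: keep a salted one-way hash, never the clear text."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def policy_violations(login_id, candidate, old_salt=None, old_digest=None):
    """Return the AC-Pwd rules a proposed password breaks (empty list = accepted)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("AC-Pwd7")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("AC-Pwd4")          # letters only or digits only is rejected
    if candidate.lower() == login_id.lower():
        problems.append("AC-Pwd6")
    if old_digest is not None and verify_password(candidate, old_salt, old_digest):
        problems.append("AC-Pwd5")
    return problems


class Account:
    """One user id with the lockout, expiry and first-login rules of section 3."""

    def __init__(self, login_id, initial_password, now):
        self.login_id = login_id
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = True                 # AC-Pwd1: forced change on first login
        self.failed = 0
        self.locked = False
        self.password_set_at = now
        self.events = [("created", now)]        # AC-Pro3: track of create/lock/unlock events

    def login(self, password, now):
        """Return 'locked', 'expired', 'bad-password', 'change-required' or 'ok'."""
        if self.locked:
            return "locked"
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            self._lock("expired", now)          # AC-Pwd3: lock on password expiry
            return "expired"
        if not verify_password(password, self.salt, self.digest):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self._lock("too-many-failures", now)
                return "locked"
            return "bad-password"
        self.failed = 0
        return "change-required" if self.must_change else "ok"

    def change_password(self, new_password, now):
        problems = policy_violations(self.login_id, new_password, self.salt, self.digest)
        if problems:
            return problems
        self.salt, self.digest = hash_password(new_password)
        self.must_change = False
        self.password_set_at = now
        self.events.append(("password-changed", now))
        return []

    def admin_unlock(self, admin_id, now):
        """AC-Pro3 / AC-Pro6: unlocking is an administrative, logged action."""
        self.locked = False
        self.failed = 0
        self.events.append((f"unlocked-by:{admin_id}", now))

    def _lock(self, reason, now):
        self.locked = True
        self.events.append((f"locked:{reason}", now))
```

One caveat an auditor should note when testing AC-Pwd7: the twelve-character ceiling in the checklist is the weakest of these rules, since a salted hash imposes no practical upper bound, and an application that enforces the ceiling is meeting the format rather than improving security.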
4 IT Systems and System Security
Description (Yes / No)
Are systems adequately managed, controlled and secured?
Do systems provide security to applications, databases and stored data (data at rest) adequately, using mechanisms such as encryption?
File system: All volumes of the server hosting the database and / or application use a file system that offers enhanced security (for example EFS / NTFS for Windows, VxFS for Unix, ext3 for Linux etc.).
Directory / File Sharing: Default file & directory shares and simple file sharing, if offered by the operating system, are disabled. Sharing, if any, is authorized.
Are guest accounts disabled / hashed out / deleted?
Patches, hot fixes and service packs are applied after appropriate testing.
Auditing is enabled for events such as account logon events, account management, object access, policy change, privilege use and system events.
Do all users adhere to the Access Controls described in Section 3 of Annexure A? Tick each control:
AC-Pro: Access Control Procedure / Process: 1 AC-Pro1, 2 AC-Pro2, 3 AC-Pro3, 4 AC-Pro4, 5 AC-Pro5, 6 AC-Pro6
AC-Auth: Access Control Authentication: 1 AC-Auth1, 2 AC-Auth2, 3 AC-Auth3
AC-Pwd: Access Control Password: 1 AC-Pwd1, 2 AC-Pwd2, 3 AC-Pwd3, 4 AC-Pwd4, 5 AC-Pwd5, 6 AC-Pwd6, 7 AC-Pwd7, 8 AC-Pwd8, 9 AC-SS
Are system clocks synchronized to an atomic clock to ensure synchronization?
Are critical systems located behind a firewall with default rules that deny all traffic, with only identified, specific application, database and system protocols allowed?
The system is adequately protected from malware (such as viruses, spyware etc.) with controls such as an antimalware / antivirus system, and the rules / definitions are kept updated. The entire system is scanned periodically to ensure protection.
5 Network and Network Security
Description (Yes / No)
Are networks adequately managed, controlled and monitored?
Does the network provide security to the data, systems and applications in the network?
The network security protocols and interface standards deployed are as per prevalent industry standards.
Do all users adhere to the Access Controls described in Section 3 of Annexure A?
Is information travelling over the network (wired and / or wireless) adequately protected with mechanisms such as VPN, TLS / SSL or WPA2?
Is a backup network link available in case of failure of the primary link to the BSE?
Is a backup network link available in case of failure of the primary link connecting the customers?
Does an alternate communications path between employees and the firm exist?
Does an alternate communications path with critical business constituents, banks and regulators exist?
• Verify location(s) of nodes in the network
• Verify the number of nodes in the diagram against the actual count
• Date of submission to BSE
Are parameters identified and logged to enable traceability and non-repudiation of orders / actions performed, with relevant details such as IP address, MAC address, time and other data?
Are network device clocks synchronized to an atomic clock?
Are network segments used to segregate critical, non-critical and user systems?
Are network devices appropriately patched / upgraded with the latest firmware?
Log events are identified, monitored, reviewed and escalated.

6 Database and Database Security
Description (Yes / No)
Do all users adhere to the Access Controls described in Section 3 of Annexure A? Tick each control:
AC-Pro: Access Control Procedure / Process: 1 AC-Pro1, 2 AC-Pro2, 3 AC-Pro3, 4 AC-Pro4, 5 AC-Pro5, 6 AC-Pro6
AC-Auth: Access Control Authentication: 1 AC-Auth1, 2 AC-Auth2, 3 AC-Auth3
AC-Pwd: Access Control Password: 1 AC-Pwd1, 2 AC-Pwd2, 3 AC-Pwd3, 4 AC-Pwd4, 5 AC-Pwd5, 6 AC-Pwd6, 7 AC-Pwd7, 8 AC-Pwd8, 9 AC-SS
Database – Firewall
DB-FW1 - Is the database server located behind a firewall with default rules that deny all traffic?
DB-FW2 - Is the database server firewall opened only to specific application or web servers, with firewall rules that do not allow direct client access?
DB-FW3 - Firewall rule change control procedures are in place, and notification of rule changes is distributed to System Administrators (SAs) and Database Administrators (DBAs).
DB-FW4 - Are firewall rules for database servers maintained and reviewed on a regular basis by SAs and DBAs?
Secured Environment
DB-SE1 - Is the database software installed by an exclusive user? Is this user a super user / Administrator?
DB-SE2 - Is the database software owner account granted the minimum set of operating system rights necessary for database operation?
DB-SE3 - Is the database software version currently supported by the vendor or open source project?
DB-SE4 - Are all unused or unnecessary services or functions of the database removed or turned off?
DB-SE5 - Are unneeded default accounts removed, or else their passwords changed from the defaults?
DB-SE6 - Are null passwords in use, and have the temporary files from the install process that may contain passwords been removed?
DB-SE7 - Database software is patched to include all current security patches. Provisions are made to maintain security patch levels in a timely fashion.
DB-SE8 - Are all old setup files / test databases / sample databases deleted / secured / access removed?
DB-SE9 - Log events are identified, audit trails enabled, reviewed and monitored.
DB-SE10 - The clock of the system hosting the database is synchronized with an atomic clock.
Database – IML
DB-IML1 - Do all users of the system adhere to the Access Controls described in Section 4 of Annexure A?
DB-IML2 - The IML database is hosted on a secure platform and adheres to the controls mentioned in Section 4 of Annexure A.
DB-IML3 - The information in the database used to store / retrieve transaction information is secured with controls.
Are the system clocks of the system hosting the database synchronized to an atomic clock?
7 Encryption
Description (Yes / No)
Is all data transmission between the client & broker / member secured through end to end encryption using a secure, standardized protocol?
Does the key size used for encryption adhere to the policies & / or guidelines mandated by the relevant authorities?
Key management procedures for decryption are documented, available to more than one (authorized) person, approved by the data proprietor, and procedures for secure key management are followed.
Are the encryption keys stored in a secure location, with access procedures documented?
SSL / TLS used by web based applications:
Are certificates issued to the member / broker organization?
Are the certificates used on the server facilitating confidential information, such as trade data?
Are the login page and all subsequent authenticated pages accessed exclusively over TLS / SSL?
Provide the following details:
Certificate Issuer: (Name)
Validity Not Before: (Date)
Validity Not After: (Date)
In case of a Client Server application model (Thick Client):
Does the application architecture adequately ensure the security of information sent over internal / external networks?
Is the information transmitted in encrypted form? Please provide a supporting letter from the vendor on the vendor's letterhead.
Do the encryption deployed and the procedures related to it align with the policies and regulations of the DoT (Department of Telecom) and / or the Information Technology Act 2000?
8 Audit Log & Monitoring
Description (Yes / No)
ALM1 - Are audit logs for systems, databases, networks and applications appropriately identified and enabled for recording relevant actions and events?
ALM2 - All session initiation and termination events are logged and audited.
ALM3 - Are logs reviewed, and exceptions / findings, if any, escalated?
ALM4 - Are systems adequately capable of recording all transactions conducted, with sound audit trails available for all transactions?
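ALM2 and ALM3 ask whether session events are logged and whether exceptions are escalated, and Section 5 asks whether orders are logged with user, IP address and time so that they can be traced and not repudiated. The following is an added example (not part of this audit format, and not code from any exchange or vendor) of the review pass an auditor or operations team could run over such a log: it pairs every order with an open session, checks that the order's user and IP match that session, flags sessions never terminated, and flags records whose timestamps run backwards, which is the symptom of the clock-synchronization gap Sections 4 and 5 ask about. The log layout, the event names, and the sample lines are all constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample log for this example; the field layout is an assumption.
SAMPLE_LOG = """\
2013-01-08T09:15:02 LOGIN user=trader01 ip=10.1.2.3 session=S1
2013-01-08T09:16:10 ORDER user=trader01 ip=10.1.2.3 session=S1 order=O1001
2013-01-08T09:17:45 ORDER user=trader02 ip=10.1.2.9 session=S9 order=O1002
2013-01-08T09:20:00 LOGIN user=trader02 ip=10.1.2.9 session=S2
2013-01-08T09:21:30 ORDER user=trader02 ip=10.1.5.5 session=S2 order=O1003
2013-01-08T09:10:00 LOGIN user=trader03 ip=10.1.2.7 session=S3
2013-01-08T15:30:01 LOGOUT user=trader01 session=S1
2013-01-08T15:31:00 ADMIN_TERMINATE user=trader03 session=S3 by=admin7
"""

ORDER_OUTSIDE_SESSION = "order placed outside an authenticated session"
ORDER_SESSION_MISMATCH = "order user/ip does not match the session that placed it"
TERMINATE_WITHOUT_SESSION = "termination without an open session"
SESSION_NEVER_TERMINATED = "session initiated but never terminated"
CLOCK_OUT_OF_ORDER = "timestamp earlier than previous record (check clock synchronization)"

Event = namedtuple("Event", "ts kind fields")
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<kind>[A-Z_]+)(?P<rest>( \w+=\S+)*)$")


def parse(log_text):
    """Turn one record per line into Event tuples; an unparseable line is itself a finding."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit record: {line!r}")
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append(Event(m["ts"], m["kind"], fields))
    return events


def review(events):
    """Walk the records once; return (timestamp, finding, reference) tuples to escalate."""
    sessions = {}          # session id -> {"user", "ip", "open"}
    findings = []
    last_ts = None
    for ev in events:
        f = ev.fields
        # ISO-8601 timestamps compare correctly as strings
        if last_ts is not None and ev.ts < last_ts:
            findings.append((ev.ts, CLOCK_OUT_OF_ORDER, f.get("session") or f.get("order", "")))
        last_ts = ev.ts if last_ts is None else max(last_ts, ev.ts)
        if ev.kind == "LOGIN":
            sessions[f["session"]] = {"user": f["user"], "ip": f["ip"], "open": True}
        elif ev.kind in ("LOGOUT", "ADMIN_TERMINATE"):
            s = sessions.get(f["session"])
            if s is None or not s["open"]:
                findings.append((ev.ts, TERMINATE_WITHOUT_SESSION, f["session"]))
            else:
                s["open"] = False
        elif ev.kind == "ORDER":
            s = sessions.get(f["session"])
            if s is None or not s["open"]:
                findings.append((ev.ts, ORDER_OUTSIDE_SESSION, f["order"]))
            elif s["user"] != f["user"] or s["ip"] != f["ip"]:
                findings.append((ev.ts, ORDER_SESSION_MISMATCH, f["order"]))
    for sid, s in sessions.items():
        if s["open"]:
            findings.append(("", SESSION_NEVER_TERMINATED, sid))
    return findings


if __name__ == "__main__":
    for ts, finding, ref in review(parse(SAMPLE_LOG)):
        print(ts or "(end of log)", finding, ref)
```

Run over the sample, the review produces four findings: order O1002 placed against a session that was never initiated, order O1003 arriving from an IP other than the one that opened session S2, the S3 login stamped earlier than the record before it, and session S2 left open at end of day. Each maps back to the checklist item it fails, which is what the "exceptions / findings escalated" column in ALM3 needs.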
9 Capacity Management
Description (Yes / No)
CM1 - Are resources monitored and tuned, and are calculations made for future capacity requirements to ensure the required performance?
CM2 - Are data storage, backup systems and system capacities adequately available for handling data transfer, and are alternative means of communication arranged in case of Internet link failure?
CM3 - Do systems have built-in high availability to address any single point of failure?
CM4 - Are backup resources available to ensure that all essential information and software can be backed up and tested for restoration?

10 Pre-Trade Risk Control: Value Limit per Order etc.
Are the following SEBI and BSE Limited circulars complied with?
1 - SEBI circular CIR/MRD/DP/34/2012 dated December 13, 2012
2 - BSE Limited circular no. 20121214-14 dated December 14, 2012
3 - BSE Limited circular no. 20130108-20 dated 08 Jan 2013

11 Online Risk Management Tools & Order Entry
Description (Yes / No)
Has Exchange circular 20121101-16 dated November 1, 2012 been complied with?
The Risk Management Tool has provisions for setting parameters such as: Trading Limits, Exposure Limits, Order Quantity Limits, Order Value Limits, Price range checks, Net Position Limits.
The risk management tool ensures the following for all orders before they are placed:
• Online risk assessment of the orders to be placed
• Online risk monitoring of the orders being placed
• Online risk management of the orders being placed
Does the system allow only an authorized administrative user to alter the risk parameters of users?
Does the system allow manual placement (through an approved mechanism) of orders that do not fit the system-based risk control parameters?
Are orders (successful / unsuccessful, valid / invalid) logged, reviewed and audited by the risk management system?
Appropriate validation of all risk parameters is done before placing the order.
Order Entry
Description (Yes / No)
Only duly authorized clients' orders are allowed to be placed.
Order entry for Pro types of orders is executed through specific user ids.
The system does not have an order matching system; all orders are passed on to the exchange trading system for matching, on the basis of priority of receipt of the orders from the clients.
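Section 11 names the six parameter types the risk management tool must hold and requires that every order is validated against them before it leaves the member's system, with both accepted and rejected orders logged. The following is an added example (not part of this audit format, and not the code of any exchange, member or vendor) of that pre-trade gate written so that each parameter is a separate, named check and every decision lands in an audit list. The limit values, the client state model, the meaning given to "trading limit" (gross value of orders accepted today) versus "exposure limit" (value of accepted orders not yet executed), and the symmetric price band are all assumptions for illustration; a real deployment takes these definitions from the exchange circulars the section cites.

```python
from dataclasses import dataclass, field


@dataclass
class RiskLimits:
    """The parameter types the checklist names; the values are assumptions."""
    max_order_qty: int
    max_order_value: float
    price_band_pct: float       # allowed deviation from the reference price, in percent
    trading_limit: float        # gross value of orders accepted for the day
    exposure_limit: float       # value of accepted orders not yet executed
    net_position_limit: int     # |bought - sold| quantity allowed per scrip


@dataclass
class ClientState:
    traded_value: float = 0.0
    open_exposure: float = 0.0
    net_position: dict = field(default_factory=dict)   # scrip -> signed quantity


@dataclass(frozen=True)
class Order:
    order_id: str
    client: str
    scrip: str
    side: str        # "BUY" or "SELL"
    qty: int
    price: float


def pre_trade_check(order, limits, state, reference_price):
    """Return the names of the checks the order fails; an empty list means it may go out."""
    failures = []
    value = order.qty * order.price
    if order.qty <= 0 or order.qty > limits.max_order_qty:
        failures.append("order-quantity-limit")
    if value > limits.max_order_value:
        failures.append("order-value-limit")
    band = reference_price * limits.price_band_pct / 100.0
    if abs(order.price - reference_price) > band:
        failures.append("price-range")
    if state.traded_value + value > limits.trading_limit:
        failures.append("trading-limit")
    if state.open_exposure + value > limits.exposure_limit:
        failures.append("exposure-limit")
    signed_qty = order.qty if order.side == "BUY" else -order.qty
    if abs(state.net_position.get(order.scrip, 0) + signed_qty) > limits.net_position_limit:
        failures.append("net-position-limit")
    return failures


def place_order(order, limits, state, reference_price, audit):
    """Validate, then either reserve the order against the limits or reject it.

    Every decision is appended to `audit` so that accepted and rejected orders
    can both be reviewed later, as the section requires.
    """
    failures = pre_trade_check(order, limits, state, reference_price)
    if failures:
        audit.append((order.order_id, "REJECTED", tuple(failures)))
        return False
    value = order.qty * order.price
    state.traded_value += value
    state.open_exposure += value
    signed_qty = order.qty if order.side == "BUY" else -order.qty
    state.net_position[order.scrip] = state.net_position.get(order.scrip, 0) + signed_qty
    audit.append((order.order_id, "ACCEPTED", ()))
    return True


def on_fill(state, filled_value):
    """An exchange confirmation releases exposure; the day's traded value still counts it."""
    state.open_exposure -= filled_value
```

The check runs on every order, including those an administrator places manually, so the "approved mechanism" the section mentions for out-of-limit orders should be a distinct, logged override rather than a path that skips this function.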
12 Features of System
Scope: Application
Description (Yes / No)
Are all servers used for routing orders to the BSE Ltd trading system hosted (geographically located) in India?
Does the system allow only authorized and validated users to establish a session with the system?
Does the system allow only authorized administrative users to terminate a user's session?
The system deployed routes the orders in a neutral manner.
Features of the system have been submitted to BSE Ltd.
Does the system have a unique identification numbering scheme for all orders, so that trades are identified uniquely, and are all orders, with time stamps, available with reference to the unique identification number?
In case of no activity by the client, does the system provide automatic trading session logout?
In case of failure of a service / system / facility (for example network, application), alternative modes of communication for placing orders are available.
Price Broadcast
Does the system allow order entry, and is confirmation of the order provided to the user on submission of the order?
Does the system provide order modification / cancellation facilities?
Does the system have the capability to provide trade confirmation to the user, along with the history of trades for the day?
Allows for checking the pending orders, i.e. the orders that have not yet traded or have partially traded.
Provides the feature of reporting the trades that have happened.
Allows for the reporting of client-wise / user-wise margin requirements as well as payment and delivery obligations.
Whether the system uses authentication measures like smart cards, biometric authentication etc.
Whether the system has a second level of password control for critical features.
Is periodic verification of UCC & location details of data done?
Wherever applicable, session login credential details are not stored on the devices used for trading.
Are features available in the system to identify IML-IBT / STWT (Mobile) / SOR / DMA orders, trades and related data?
Reporting
R1: Are there features / facilities available to generate MIS reports for reporting to the exchange, SEBI or other relevant regulators?
R2: Are procedures / processes set for reporting, and are lists / checklists used for such purposes?

13 IML IBT (Internet Based Trading) (Order Routing System)
Scope: Application, Database, System & Network as applicable
Description (Yes / No)
Organizational policies & procedures exist and are followed for IML / IBT (Ref Section 1 of Annexure A)
Perimeter & Environmental Security controls exist and are followed (Ref Section 2 of Annexure A)
Controls related to access exist (Ref Section 3 of Annexure A)
IT Systems and System Security controls exist and are adhered to (Ref Section 4 of Annexure A)
Network and Network Security controls exist and are adhered to (Ref Section 5 of Annexure A)
The database deployed adheres to database and database security controls (Ref Section 6 of Annexure A)
Encryption controls are deployed and applicable procedures are adhered to (Ref Section 7 of Annexure A)
Audit logs for activities are recorded and monitoring controls exist (Ref Section 8 of Annexure A)
Capacity related procedures, processes and controls are deployed and monitored (Ref Section 9 of Annexure A)
Online Risk Management Tools and Order Entry controls, as applicable, are followed for all orders placed (Ref Section 11 of Annexure A)
Are features of the system adequately available and controlled as applicable (Ref Section 12 of Annexure A)?
Provide Installation Details (IML):
• Total number of IML IDs
• IML version (IML Trading Software Version; Risk Administration / Manager Version; Front End / Order Placement Version)
• Number of users logged in / hooked on to the network, including the privileges of each
• Number of authorized users on the system
• Number of active clients
• Activity & System Logs
Are processes & procedures implemented to ensure that the norms mentioned in the SEBI Circulars / Directives regarding Internet Based Trading are adhered to (refer 1 - SMDRP/POLICY/CIR-06/2000 dated January 31, 2000; 2 - CIR/MRD/DP/8/2011 dated June 30, 2011)? Are they complied with?
With reference to BSE Limited notice no. 20130128-2[?] dated 28 Jan 2013: with the implementation of two-factor authentication, has the automatic expiry of the password been revised?

14 Securities Trading Using Wireless Technology (Mobile Trading)
Scope: Application, Database, System & Network as applicable
Description (Yes / No)
Are all relevant requirements applicable to internet based trading being adhered to for securities trading using wireless technology?
Is STWT order routing available to all clients, and are they informed of all features, possible risks, rights, responsibilities and liabilities associated with the STWT facility?
Does a client desirous of availing the STWT facility have to do so by entering into a broker-client agreement, as applicable? For existing clients, is the same implemented through an addendum to the existing broker-client agreement, as applicable?
In case of issues due to form factor, has it been ensured that the minimum information has been given, with the address of the internet web site (web page) where detailed information is available?
The application used for mobile trading is: 1 - a third-party solution from a vendor empanelled with BSE; 2 - an in-house developed mobile trading solution approved by BSE. Please provide references for the applicable case.
Is mobile trading an extension of internet based trading (Thin Client)?
In case it is a thick client, provide the details of the architecture.
Order status information is adequately communicated to the user through an appropriate mechanism.
Appropriate validation of all risk parameters is done prior to placing the order in Mobile Trading.
Organizational policies & procedures exist and are followed for STWT (Ref Section 1 of Annexure A)
Perimeter & Environmental Security controls exist and are followed (Ref Section 2 of Annexure A)
Controls related to access exist (Ref Section 3 of Annexure A)
IT Systems and System Security controls exist and are adhered to (Ref Section 4 of Annexure A)
Network and Network Security controls exist and are adhered to (Ref Section 5 of Annexure A)
The database deployed adheres to database and database security controls (Ref Section 6 of Annexure A)
Encryption controls are deployed and applicable procedures are adhered to (Ref Section 7 of Annexure A)
Audit logs for activities are recorded and monitoring controls exist (Ref Section 8 of Annexure A)
Capacity related procedures, processes and controls are deployed and monitored (Ref Section 9 of Annexure A)
Online Risk Management Tools and Order Entry controls, as applicable, are followed (Ref Section 11 of Annexure A)
Are features of the system adequately available and controlled as applicable (Ref Section 12 of Annexure A)?
Are processes & procedures implemented to ensure that the norms mentioned in the SEBI Circulars / Directives regarding STWT are adhered to (refer 1 - CIR/MRD/DP/25/2010 dated August 27, 2010; 2 - CIR/MRD/DP/8/2011 dated June 30, 2011)? Are they complied with?
With reference to BSE Limited notice no. 20130128-2[?] dated 28 Jan 2013: with the implementation of two-factor authentication, has the automatic expiry of the password been revised?

15 Smart Order Routing (SOR)
Scope: Application, Database, System
Description (Details)
Is smart order routing available to all clients, and are they informed of all features, possible risks, rights, responsibilities and liabilities associated with the smart order routing facility?
Does a client desirous of availing the SOR facility have to do so by entering into a broker-client agreement, as applicable? For existing clients, is the same implemented through an addendum to the existing broker-client agreement, as applicable?
Are all types of trades / orders executable as chosen by the user, and are user requests for specific orders not to be routed under the SOR facility recorded and documented?
Is SOR permitted for all orders without restricting any specific type of order, with the choice of orders left to the client?
Organizational policies & procedures exist and are followed for SOR (Ref Section 1 of Annexure A)
Perimeter & Environmental Security controls exist and are followed (Ref Section 2 of Annexure A)
Controls related to access exist (Ref Section 3 of Annexure A)
IT Systems and System Security controls exist and are adhered to (Ref Section 4 of Annexure A)
Network and Network Security controls exist and are adhered to (Ref Section 5 of Annexure A)
The database deployed adheres to database and database security controls (Ref Section 6 of Annexure A)
Encryption controls are deployed and applicable procedures are adhered to (Ref Section 7 of Annexure A)
Audit logs for activities are recorded and monitoring controls exist (Ref Section 8 of Annexure A)
Capacity related procedures, processes and controls are deployed and monitored (Ref Section 9 of Annexure A)
Online Risk Management Tools and Order Entry controls, as applicable, are followed for all orders placed (Ref Section 11 of Annexure A)
Are features of the system adequately available and controlled as applicable (Ref Section 12 of Annexure A)?
Order Decision
OD1: Are all activities related to orders and trades logged to facilitate an audit trail, and are records maintained along with details such as orders, trades and the data points forming the basis of the decision?
OD2: Is there a facility for logging data related to orders / trades (on a random sampling / continuous basis) used to support the decision of the trade / order? Is it being used, reviewed and audited?
Does the application monitor best bids and offers and update instantly as the market moves?
Does the application provide transparency in terms of time delays?
Are controls available and implemented to ensure that orders through SOR are placed at recognized stock exchanges only?
Does functionality exist for clients to specify individual orders which they do not want routed using SOR?
Are well documented records available to support not using SOR for a particular order by a client who has availed the SOR facility?
Are processes & procedures implemented to ensure that the norms mentioned in the SEBI Circulars / Directives regarding SOR are adhered to (for example 1 - CIR/MRD/DP/26/2010 dated August 27, 2010; 2 - CIR/MRD/DP/36/2010 dated December 09, 2010)? Are they complied with?
16 Direct Market Access
Scope: Application, Database, System
Description (Yes / No)
Clients having access to DMA have been provided access after execution of an agreement with conditions as prescribed in the "Model Agreement" by BSE, and such agreement is currently valid.
Organizational policies & procedures exist and are followed for DMA (Ref Section 1 of Annexure A)
Perimeter & Environmental Security controls exist and are followed (Ref Section 2 of Annexure A)
Controls related to access exist (Ref Section 3 of Annexure A)
IT Systems and System Security controls exist and are adhered to (Ref Section 4 of Annexure A)
Network and Network Security controls exist and are adhered to (Ref Section 5 of Annexure A)
The database deployed adheres to database and database security controls (Ref Section 6 of Annexure A)
Encryption controls are deployed and applicable procedures are adhered to (Ref Section 7 of Annexure A)
Audit logs for activities are recorded and monitoring controls exist (Ref Section 8 of Annexure A)
Capacity related procedures, processes and controls are deployed and monitored (Ref Section 9 of Annexure A)
Online Risk Management Tools and Order Entry controls, as applicable, are followed for all orders placed (Ref Section 11 of Annexure A)
Are features of the system adequately available and controlled as applicable (Ref Section 12 of Annexure A)?
Are unique identification numbers given, as in the case of internet based trading, to identify trades and orders done using DMA; is a log of events with timestamps available with reference to the unique identification number; and are such records retained for a minimum of 5 years?
Are controls available and implemented in the system for DMA order masking to prevent front running of the orders?
Appropriate validation of all risk parameters is done to ensure that trading limits / exposure limits / position limits are set for all DMA clients.
Details of the -M6 -DCs used 2y the tradin" mem2ers: Member Name: BSE Clearing Number Page 2* of 2 Auditor Name C!SA "egi#tration No: Author: Devendra Kulkarni +learin" (o: 33333333333333333 -M6 -D Soft0are Details=-nhouse' 9endor (ame> $urpose of procurement -M6 6ocation =Address> Date of acti*ation: /% ;hether the re)uired details of all the !ds created in the !C* server of the trading member, for any purpose (vi"% administration, branch administration, surveillance, ris# management, trading, testing, etc) and any changes therein, have been uploaded to the .'changeI !f no, please give details K.S(>O 0% ;hether all the !C* user ids created in the !C* server of the trading member has been mapped to /6 digits *O+AT!O> !& on one@to@one basis and a record of the same is maintainedI K.S(>O Member Name: BSE Clearing Number Page 21 of 2 Auditor Name C!SA "egi#tration No: Author: Devendra Kulkarni Annexure < =!ptional> Areas of Audit Auditors Remars (Supporting Observations, Findings, References & Substantiation) 14 $olicies, $rocedures and Documents A*aila2ility Description &es ' (o !nformation Security olicy ass$ord olicy Bser Canagement and Access +ontrol olicy >et$or# Security olicy Application Soft$are olicy Dac#up olicy +hange Canagement olicy D+ and Response Canagement olicy Audit Trail olicy Other policies follo$ed if any and its reference 15 Appro*als, undertain", a"reements, policies: Description &es ' (o / @ !nternet Trading 0 @ SOR 1 @ ;ireless (Cobile Trading) 3 @ &CA For the above segments are the follo$ing documents available +opy of application to e'change Approval ( +opy of approval from e'change Bnderta#ing(s) provided as per relevant circulars as re)uired by e'change ( S.D! 
- Undertaking provided regarding the IML system as per relevant circulars
- Whether the Insurance policy of the Member covers the additional risk of usage of IML and/or Internet Trading

19 Change Management
Description | Yes / No
- Changes to the system supporting trading are made in a planned manner
- Changes are made by duly authorized personnel
- Risk involved in the implementation of the changes is duly factored in
- The implemented change is duly approved and the process documented
- The change request process is documented
- Change implementation process is supervised to ensure system integrity and continuity
- User acceptance of the change is documented
- Unplanned changes are duly authorized and the manner of change documented later
- SDLC documentation and procedures, if the installed IML system is developed in-house
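The two IML ID questions earlier in this annexure (whether every id created on the IML server, for any purpose, has been uploaded to the Exchange, and whether each id is mapped one-to-one to a 16 digit LOCATION ID with a record maintained) are easiest to substantiate by reconciling three records. The following is an added example of that reconciliation, not the form's or the exchange's own tooling; the input formats (one id per line for the server and upload lists, a `user_id,location_id` CSV for the mapping register), the purely numeric reading of "16 digit", and all ids shown are constructed assumptions.

```python
"""Audit check for IML user ids: exchange-upload completeness and one-to-one
mapping to 16-digit LOCATION IDs.

Added example, not part of the audit form. The three inputs (ids present on the
IML server, ids uploaded to the Exchange, and the member's id-to-LOCATION-ID
register as 'user_id,location_id' CSV) are assumed formats, and the data below is
constructed sample data. The rule that a LOCATION ID is exactly 16 digits comes
from the checklist item; treating it as purely numeric is an assumption.
"""
import re
from collections import Counter
from typing import Dict, Set

LOCATION_ID_RE = re.compile(r"^[0-9]{16}$")

# Constructed sample data: ids created on the IML server for any purpose
# (administration, branch, risk management, trading, testing ...)
SERVER_IDS_TXT = """ADMIN01
BR01TRD01
BR01TRD02
RISK01
TEST01
"""
# Constructed sample data: ids the member reports as uploaded to the Exchange
EXCHANGE_UPLOAD_TXT = """ADMIN01
BR01TRD01
RISK01
OLDUSER9
"""
# Constructed sample data: the member's id-to-LOCATION-ID register
MAPPING_CSV = """user_id,location_id
ADMIN01,1234567890123456
BR01TRD01,1234567890123457
BR01TRD02,1234567890123457
RISK01,12345678
"""


def parse_ids(text: str) -> Set[str]:
    """One id per line; blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_mapping(csv_text: str) -> Dict[str, str]:
    """Header line then 'user_id,location_id' rows; a later row overrides an earlier one."""
    mapping = {}
    for line in csv_text.splitlines()[1:]:
        if not line.strip():
            continue
        user, loc = (part.strip() for part in line.split(",", 1))
        mapping[user] = loc
    return mapping


def audit_ids(server_ids: Set[str], uploaded_ids: Set[str], mapping: Dict[str, str]) -> dict:
    """Return a dict of findings; 'compliant' is True only when every finding list is empty."""
    findings = {
        # Q1: ids on the server that the Exchange was never told about
        "not_uploaded": sorted(server_ids - uploaded_ids),
        # ids reported to the Exchange that no longer exist on the server (stale upload)
        "uploaded_but_absent": sorted(uploaded_ids - server_ids),
        # Q2: ids with no LOCATION ID in the register
        "unmapped": sorted(server_ids - set(mapping)),
        # Q2: LOCATION IDs that are not exactly 16 digits
        "bad_location_id": sorted(u for u, loc in mapping.items()
                                  if not LOCATION_ID_RE.match(loc)),
    }
    # Q2: one-to-one means no LOCATION ID may be shared by two user ids
    usage = Counter(mapping.values())
    findings["shared_location_id"] = sorted(u for u, loc in mapping.items() if usage[loc] > 1)
    findings["compliant"] = not any(findings.values())
    return findings


def run_sample() -> dict:
    """Reconcile the constructed sample records."""
    return audit_ids(parse_ids(SERVER_IDS_TXT),
                     parse_ids(EXCHANGE_UPLOAD_TXT),
                     parse_mapping(MAPPING_CSV))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Each non-empty list is a separate observation for the "If no, please give details" column: ids created for testing or administration but never uploaded, a stale id still reported to the Exchange, an id without a LOCATION ID, a malformed LOCATION ID, and two ids sharing one LOCATION ID (the one-to-one requirement is the one most often missed when branches are consolidated).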
20 User Management
Description | Yes / No
- No. of user Ids created
- All users are uniquely identified through issue of unique IML ids.
- No. of Users deleted, and logs are maintained
- No. of Users disabled, and logs are maintained
- No. of users reissued, and logs are maintained
- No. of users whose accounts are locked, with logs
- The users in the system are created by authorized personnel at server level

21 Redundancy & Backup in case of System Failure
Description | Yes / No
- Backups for the critical system components:
  - Gateway / Database Server
  - Audit Trails
  - IML router
  - Network Switch
  - Communication lines
- Infrastructure breakdown backup:
  - Electricity
  - Water
  - Air Conditioning
- Alternate physical location of employees has been arranged in case of non-availability of the primary site
- Provisions for Books and records backup and recovery (hard copy and electronic).
- Mission-critical systems have been identified and provision for backup of such systems has been made
- Are backup and recovery procedures defined, approved and documented
- Are backup and restoration records and logs maintained.
- Are backup media stored safely in line with risks

22 Daily Operational Activities
Description | Yes / No
- Provision for Begin of day activity
- Audit Trails
- Access Logs
- Transaction Logs
- Backup Logs
- Alert Logs
- Activity Logs
- Misc (Please specify):
- Provision for End of day activity
- System for log monitoring, escalation & corrective measures taken, if any.
- The IML solution should not in any manner suggest to the user by default the name of Exchange, scrip and segment etc. It is the user who should have the option to select the same.

23 Response Procedures
Description
- Access Control failure
- Beginning of Day failure
- End of Day failure
- Other system Processes failure

24 Other information
Description
Gateway Parameters:
- Trader ID
Cash Segment:
- IML ID
- IP Address (BSE Network)
- VSAT ID
- Leased Line ID
F&O Segment:
- DIML ID
- IP Address (BSE Network)
- VSAT ID
- Leased Line ID

25 Auditor comments towards data and information related to trade and orders
Confidentiality:
Integrity:
Availability:
Non-Repudiation:

Annexure C (Mandatory)

INFORMATION SYSTEM AUDIT OF ______________________________

Sr No | Area of Audit | Classification of Controls in Annexure A (S / A / I) | Classification of Controls in Annexure B (S / A / I)
1 | Organization structure exists and supports governance through policies, procedures, processes and guidelines. | | NA
2 | Systems & processes related to perimeter and environmental security controls exist | | NA
3 | Access, Authentication and Authorization to systems (systems, database, OS, networks etc.) is commensurate with the importance of the systems | | NA
4 | Systems follow policies & procedures to protect from threats that might exploit the system. | | NA
5 | Network & Network Security follow policies & procedures to protect from threats that might exploit the system. | | NA
6 | Database systems follow policies & procedures to protect from threats that might exploit the system. | | NA
7 | Processes and procedures for encryption deployed for protection of data are established | | NA
8 | Audit logging and monitoring are established to identify and determine accountability of actions performed. | | NA
9 | Processes and procedures followed for capacity management are established. | | NA
10 | Pre-Trade risk control: Value limit per order etc. are implemented and adhere to all applicable circulars from SEBI & BSE Limited | | NA
11 | Online risk management tool and order entry are supported. | | NA
12 | Features of system are established and implemented | | NA
13 | IML / IBT systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
14 | Securities Trading using Wireless Technology (Mobile Trading) systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
15 | Smart Order Routing systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
16 | Direct Market Access systems are controlled and adhere to all applicable circulars from SEBI & BSE Limited | | NA
17 | Are policies available, implemented and reviewed for implementation. | NA |
18 | Are communication documents viz. application, approval & undertaking available, valid and secured. | NA |
19 | Is change management an established process and are procedures for change implemented in a controlled manner. | NA |
20 | Is user management done according to the policy defined, do procedures adhere to the policy, and are records for implementation and adherence available. | NA |
21 | Is redundancy and backup available and tested in case of system failure. | NA |
22 | Are daily operational activities controlled and logged to demonstrate control | NA |
23 | Are response procedures available and do records of use indicate an established procedure. | NA |
24 | Is information related to parameters available and updated periodically | NA |
25 | Any other comment by auditor towards data and information related to trade and orders | NA |

Declaration: Member Summary

Sr No | Trading Facilities | Trading Facility Offered? (Yes / No) | Trading Facility Audited? (Yes / No)
1 | IML / IBT Trading (Internet Based Trading) | |
2 | STWT (Securities Trading Using Wireless Technology) | |
3 | SOR (Smart Order Routing) | |
4 | DMA (Direct Market Access) | |

All the branches where IML-IBT / STWT / DMA facility is provided have been audited and a consolidated report has been submitted. I, the undersigned, assure that circulars issued by SEBI and BSE Limited have been referenced for checking the compliances and that the contents of the report are as per the audit performed by me, and declare that there is no conflict of interest with respect to the member being audited. Audit recommendations (if any) in relation to the System Audit report for the year ended March 31, 2012 that have been duly implemented / not implemented are mentioned separately as an annexure (as a part of the System Audit report). In case you have been rated as "Medium/Weak" in any areas by the System auditor between April 1, 2012 to March 31, 2013 (prior to granting approval for Internet based Trading / Direct Market Access / SOR / Wireless securities trading, except for Algorithmic Trading), please submit an "Action Taken Report" duly certified by your system auditor detailing the actions taken by you on the various individual "Medium / Weak" areas.

____________
Signature (Full Name of the Auditor & Auditing firm)
CISA Registration Number:
Date:
Place:

Note: Criteria for evaluation of controls are indicated below; based on these, the "Areas of Audit" mentioned in Annexure A & B are to be rated:

Evaluation of Controls | Description
Strong | Controls are said to be Strong if objectives are fully complied with and no material weaknesses are found.
Adequate | Controls are said to be Adequate if objectives are substantially complied with and no material weakness results in substantial risk exposure due to non-compliance. Compensatory controls exist which reduce the risk exposure to make it immaterial vis-a-vis the non-compliance with the criteria.
Inadequate | Controls are said to be Inadequate if objectives are not complied with. Compensatory controls fail to reduce the risk so as to make it immaterial vis-a-vis the non-compliance with the compliance criteria.