SYSTEM AUDIT REPORT FOR THE PERIOD FROM JULY 01, 2009 TO JUNE 30, 2010
Part A
Columns: Controls / Processes | Test Case | Results, Auditor's Observations & Opinion | Control Risk

Controls / Processes: The installed CTCL system parameters are as per NSE norms.
Test Case: CTCL Version
• Order Gateway Version
• Risk Administration / Manager Version
• Front End / Order Placement Version

Controls / Processes: Location Confirmation for DMA
Test Case: Whether the order routing server for DMA is located in India. Provide the address of the DMA server location.

Controls / Processes: The installed DMA system features are as prescribed by the NSE.
Test Case: Risk Management Tools
• Should allow for risk management of the orders placed and online risk monitoring of the orders being placed.

Trading Process
Controls / Processes: The installed CTCL system allows for placing of trades only for authorized clients.
Test Case: Client ID Verification: Only duly authorized clients' orders are allowed to be placed.

Risk Management
Controls / Processes: The installed CTCL system is capable of assessing the risk of the client as soon as the order comes in and informs the client of acceptance/rejection of the order within a reasonable period.
Test Case: Order Parameters: There is online risk assessment of all orders placed through the CTCL system.

Controls / Processes: The installed CTCL system provides a system based control facility on the trading limits of the clients and exposures taken by the clients, including set pre-defined limits on the exposure and turnover of each client.
Test Case: Order / Trade Limit Controls: Only orders that are within the parameters specified by the risk management systems are allowed to be placed.

Controls / Processes: The installed CTCL system provides for reconfirmation of orders which are larger than that specified by the member's risk management system.
Test Case: Order Reconfirmation Facility: The system has a manual override facility for allowing orders that do not fit the system based risk control parameters.

Test Case: Order Matching: The system does not have any order matching function and all orders are passed on to the exchange trading system for matching.
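The Trading Process and Risk Management test cases above describe what the auditor must verify, not how a CTCL vendor enforces it. The following is an added example, not from the NSE template or from any member's CTCL product, showing one way to structure an online pre-trade gate so that client ID verification, pre-defined exposure and turnover limits, reconfirmation of large orders and a logged manual override are all applied before an order can reach the exchange. The client ids, limits, user ids and orders are constructed for illustration, and the rule that a client-authorisation failure can never be overridden is this example's own design choice.

```python
from dataclasses import dataclass

# Decisions the gate can return; each one is written to the audit trail (constructed example).
ACCEPT, REJECT, RECONFIRM = "ACCEPT", "REJECT", "RECONFIRM"

@dataclass
class ClientLimits:
    authorized: bool        # client ID verification: only authorised clients may trade
    exposure_limit: float   # pre-defined gross exposure limit (currency units)
    turnover_limit: float   # pre-defined daily turnover limit
    reconfirm_above: float  # single-order value above which reconfirmation is needed

@dataclass
class Order:
    order_id: str
    client_id: str
    symbol: str
    qty: int
    price: float

    @property
    def value(self) -> float:
        return self.qty * self.price

class RiskGate:
    """Online pre-trade check: each order is assessed as it arrives and every decision is logged."""

    def __init__(self, limits, risk_managers):
        self.limits = limits                     # client_id -> ClientLimits
        self.risk_managers = set(risk_managers)  # user ids allowed to override a limit rejection
        self.exposure, self.turnover, self.pending, self.audit_trail = {}, {}, {}, []

    def _record(self, order, decision, reason, user="system"):
        self.audit_trail.append({"order_id": order.order_id, "client_id": order.client_id,
                                 "decision": decision, "reason": reason, "user": user})
        return decision

    def _book(self, order):
        cid = order.client_id
        self.exposure[cid] = self.exposure.get(cid, 0.0) + order.value
        self.turnover[cid] = self.turnover.get(cid, 0.0) + order.value

    def _limit_breach(self, order):
        # Returns the breached limit as text, or None if the order fits the client's limits.
        lim, cid = self.limits[order.client_id], order.client_id
        if self.exposure.get(cid, 0.0) + order.value > lim.exposure_limit:
            return "exposure limit exceeded"
        if self.turnover.get(cid, 0.0) + order.value > lim.turnover_limit:
            return "turnover limit exceeded"
        return None

    def check(self, order):
        lim = self.limits.get(order.client_id)
        if lim is None or not lim.authorized:
            return self._record(order, REJECT, "client not authorized")
        if order.qty <= 0 or order.price <= 0:
            return self._record(order, REJECT, "invalid order parameters")
        breach = self._limit_breach(order)
        if breach:
            return self._record(order, REJECT, breach)
        if order.value > lim.reconfirm_above:
            self.pending[order.order_id] = order   # held until a dealer reconfirms it
            return self._record(order, RECONFIRM, "above reconfirmation threshold")
        self._book(order)
        return self._record(order, ACCEPT, "within limits")

    def reconfirm(self, order_id, dealer):
        order = self.pending.pop(order_id, None)
        if order is None:
            return None
        breach = self._limit_breach(order)   # re-checked: other orders may have been booked meanwhile
        if breach:
            return self._record(order, REJECT, breach, dealer)
        self._book(order)
        return self._record(order, ACCEPT, "reconfirmed", dealer)

    def override(self, order, approver, reason):
        """Manual override of a limit rejection: risk managers only, reason mandatory, logged under the approver."""
        lim = self.limits.get(order.client_id)
        if lim is None or not lim.authorized:   # client ID failures are deliberately not overridable
            return self._record(order, REJECT, "override refused: client not authorized", approver)
        if approver not in self.risk_managers or not reason:
            return self._record(order, REJECT, "override refused: not a risk manager or no reason", approver)
        self._book(order)
        return self._record(order, ACCEPT, "manual override: " + reason, approver)

def demo():
    # Constructed walk-through; returns the gate and the sequence of decisions.
    gate = RiskGate({"C001": ClientLimits(True, 1_000_000, 5_000_000, 400_000),
                     "C002": ClientLimits(False, 0, 0, 0)},  # C002 is not an authorised client
                    risk_managers={"RM01"})
    o3 = Order("O3", "C001", "RELIANCE", 1000, 900.0)
    o4 = Order("O4", "C002", "INFY", 1, 1500.0)
    decisions = [
        gate.check(Order("O1", "C001", "INFY", 100, 1500.0)),  # 150,000: within limits
        gate.check(Order("O2", "C001", "TCS", 500, 1000.0)),   # 500,000 > 400,000: held
        gate.check(o3),  # 150,000 booked + 900,000 > 1,000,000 exposure limit: rejected
        gate.check(o4),  # unauthorised client: rejected
        gate.reconfirm("O2", "DLR07"),  # 650,000 still within limits: booked
        gate.override(o3, "RM01", "approved against additional margin"),  # logged override
        gate.override(o4, "RM01", "any reason"),  # a client ID failure cannot be overridden
    ]
    return gate, decisions
```

Every decision, including reconfirmations and overrides, appends one entry to `audit_trail` carrying the user who made it; that is the record an auditor would sample when testing the Order Reconfirmation Facility and Audit Trail rows. Reconfirmation re-runs the limit check rather than trusting the result from when the order was held, because other orders may have been booked for the same client in between.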
Test Case: User Creation: New CTCL User IDs are created as per the CTCL guidelines.
Test Case: User ID: All users are uniquely identified through issue of unique CTCL ids.
Test Case: User Disablement: Users not compliant with the Exchange Requirements are disabled and event logs maintained.
Test Case: User Deletion: Users are deleted as per the NSE guidelines.

Controls / Processes: Vendor Certified Network diagram
Test Case: Date of submission of network diagram to NSE

Controls / Processes: The installed CTCL system's backup capability is adequate as per the requirements of the NSE for overcoming loss of product integrity.
Test Case: Are backups of the following system generated files maintained as per the NSE guidelines?
• At the CTCL server/gateway level
• Database
• Audit Trails
• Reports
Part B
Columns: Controls / Processes | Test Case | Results, Auditor's Observations & Opinion | Control Risk

Controls / Processes: Execution of Orders / Order Logic: The installed CTCL system provides a system based control facility over the order input process.
Test Case: Order Entry: The system has order placement controls that allow only orders matching the system parameters to be placed.
Order Modification: The system allows for modification of orders placed.
Order Cancellation: The system allows for cancellation of orders placed.

Controls / Processes: Additional Access Control Security: The installed CTCL system provides a dual factor authentication system for access to the various CTCL components.
Test Case: Extra Authentication Security
• The system uses additional authentication measures like smart cards, biometric authentication or tokens etc.
• The system has a second level of password control for critical features.

Controls / Processes: To ensure information security for the Organisation in general and the installed CTCL system in particular, policy and procedures as per the NSE requirements must be established, implemented and maintained.
Test Case: Does the Organisation's documented policy and procedures include the following policies and, if so, are they in line with the NSE requirements?
• Information Security Policy
• Password Policy
• User Management and Access Control Policy
• Network Security Policy
• Application Software Policy
• Change Management Policy
• Backup Policy
• BCP and Response Management Policy
• Audit Trail Policy

Controls / Processes: Does the Organisation have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organisation's size and risk profile to ensure a high degree of availability of the installed CTCL system?
Test Case: Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?
Does a BCP / DRP plan exist?
If a BCP / DRP plan exists, has it been tested?
Are there any documented incident response procedures?
Are there any documented risk assessments?

Test Case: Change Approval: Is the implemented change duly approved and the process documented?
Test Case: Pre-implementation process: Is the change request process documented?
Test Case: Unplanned Changes: In case of unplanned changes, are the same duly authorized and the manner of change documented later?
Test Case: Disaster Recovery: Are there suitable provisions for books and records backup and recovery (hard copy and electronic)?

Controls / Processes: In case of failure, is there an escalation procedure implemented?
Test Case: Details of the various response procedures, including for:
Access Control failure
Day Begin failure
Day End failure
Other system processes failure
1 Whether the required details of all the CTCL ids created in the CTCL server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc.) and any changes therein, have been uploaded as per the requirement of the Exchange? YES / NO
If no, please give details.
2 Whether all the CTCL user ids created in the CTCL server of the trading member have been mapped to 12 digit codes on a one-to-one basis and a record of the same is maintained? YES / NO
If no, please give details.
3 All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2009 have been duly implemented. YES / NO
If not, please give details.
DECLARATION:
I) All the branches where CTCL facility is provided have been audited and ONE consolidated
report has been submitted for all segments.
II) All the audit recommendations given in relation to the system audit certificate for the year ended
June 30, 2009 have been duly implemented. If not, the same have been reported hereunder.
1)
2)
III) There is no conflict of interest with respect to the member being audited. If any such instance
arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit.
_______________________________
Signature
Date:
Place:
Stamp/Seal:
SUMMARY SHEET
Strong: The controls are defined as Strong if the following criteria are met:
Implemented controls fully comply with the stated objectives and no material weaknesses are found.
Medium: The controls are defined as Medium if the following criteria are met:
Implemented controls substantially comply with the stated objectives and no material weakness results in substantial risk exposure due to the non-compliance with the criteria.
Compensatory controls exist which reduce the risk exposure to make it immaterial vis-à-vis the non-compliance with the criteria.
Weak: The controls are defined as Weak if the following criteria are met:
Implemented controls materially fail to comply with the stated control objectives.
Compensating controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the criteria.
To,
CTCL Department
This is to certify that the following is the list of applications for which the system audit has been conducted by me/us for the trading member <TM code> <TM Name> for the year ended June 30, 2010.
S.No | Name of the application | Version | Type of the product (CTCL/IBT/DMA/Algo) | Developed by | Vendor Name
Signature
Date:
Place:
Stamp/Seal:
To,
CTCL Department
Following is the list of applications which have been approved by the Exchange as on June 30, 2010.
S.No | Name of the application | Version | Type of the product (CTCL/IBT/DMA/Algo) | Developed by | Vendor Name
Yours faithfully,
Signature
Name, Designation