
The Canadian Depository for Securities Limited Audit Procedures on Trust Services


Presentation Transcript


  1. The Canadian Depository for Securities Limited Audit Procedures on Trust Services Hannah Huang Gloria Lee Fei Qi

  2. Canadian Depository for Securities Limited (CDS) • “National securities depository, clearing and settlement hub” • “Supports Canada's equity, fixed income and money markets, holding over $2.7 trillion on deposit and handling over 77 million securities trades annually” • Incorporated federally on June 9, 1970 under the Canada Corporation Act • Over 400 employees, with offices in Toronto, Montreal, Vancouver, Calgary and Halifax • A private corporation owned by major Canadian chartered banks, the IDA and TSX Inc. • Regulated by the Ontario and Quebec securities commissions and the Bank of Canada

  3. What does CDS do? • Trade clearing and settlement services • Cross-border services • Depository/Custodial/Entitlement Services • Information and Supporting Services • Other services including consulting, delivery services and onsite contingency backup

  4. CDS’s Internal Control • Three major committees including Audit Committee • Other internal and external committees including Operations Committee, Risk Committee, and Strategic Review Committee • Security controls • Business continuity controls • Data processing controls

  5. Trust Services Principles • A set of guidance and common framework for professional assurance and advisory services • Principles are used to address the risks and opportunities of information technology • Developed by CICA/AICPA • Trust Services includes WebTrust & SysTrust

  6. SysTrust • “SysTrust is professional accounting’s answers to concerns relating to system reliability, which constitute professional guidance as well as serving as best practices for system reliability.” - Information Technology Center, AICPA

  7. Trust Services Principles 1. Security – System is protected against unauthorized access 2. Availability – System is available for operation and use as committed 3. Processing Integrity – System processing complies with CAAT 4. Online Privacy – Personal information is collected, used, retained as committed and agreed upon 5. Confidentiality – Confidential information is protected


  11. Security • The Security Principle refers to the protection of system components from unauthorized access, both logical and physical

  12. Security – Audit Objective • Audit Objective: To determine key elements for protection which includes permitting authorized access and preventing unauthorized access to the system

  13. Security - Audit Procedures 1. Security policies 2. Communication to users 3. Procedures on _____ access 4. Procedures on logical access 5. Monitoring

  14. Security - Audit Procedures 1. Security policies • To verify that the entity's security policies are established and periodically reviewed and approved by designated individuals or groups • CDS Management Control: Policies and procedures on security are reviewed regularly

  15. Security - Audit Procedures 2. Communication to users • To determine the security obligations of users and whether the entity's security commitments to users are communicated to authorized users • CDS Management Control: Uses the Intranet to communicate with internal users

  16. Security - Audit Procedures 3. Procedures on _____ access • To verify that the entity uses procedures to restrict ______ access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers • CDS Management Control: Premise Security: Modern system of physical security

  17. Security - Audit Procedures 4. Procedures on logical access • To verify that procedures exist to protect against unauthorized logical access to the defined system • CDS Management Control: Information Security: Security system software and related procedures

  18. Security - Audit Procedures 5. Monitoring • The entity's system is periodically reviewed and compared with the defined system security policies • CDS Management Control: Whistleblower Program, covering: • unlawful actions • incorrect financial reporting • failure to comply with corporate policies

  19. Availability • The Availability Principle refers to the system, products or services being available for operation and use as advertised or as committed by contract or other agreement

  20. Availability – Audit Objective • Audit Objective: To verify that CDS has physical and internal control provisions in place to provide at least the minimum acceptable level of uninterrupted services and products as agreed with other parties

  21. Availability – Audit Procedures 1. Access Control 2. Physical Construction 3. Fault Tolerance Controls 4. Disaster Recovery Plan 5. Performance measurement and maintenance

  22. Availability – Audit Procedures 1. Access Control • Observe how access privileges are granted and determine whether access is given only to authorized employees • Verify that the ability to create and modify user access privileges is limited to a ______ ___________ team • Determine the existence of physical access controls (i.e. ______ ) and other information security controls (i.e. _________)

  23. Availability – Audit Procedures 2. Physical Construction • Determine and observe whether the computer facility is built with solid material and located in a remote area • Determine if the entity has an air filtration system and temperature control

  24. Availability – Audit Procedures 3. Fault Tolerance Controls • Test whether the system can continue operations even when a system failure occurs due to hardware failure or application errors • Verify whether backup power supplies are available in case of a power outage • Determine whether multiple processing or RAID (redundant array of inexpensive disks) is utilized

  25. Availability – Audit Procedures 4. Disaster Recovery Plan • The auditor should determine whether disaster recovery and contingency plans have proper documentation • Inspect backup sites and verify the backup supplies • Review the ______ ________ list • Verify that critical data files are backed up • Verify that the disaster recovery plans are tested annually and that management approves changes to the plans

  26. Availability – Audit Procedures 5. Performance Measurement and Maintenance • Verify that system availability and performance are measured and evaluated periodically against the predetermined performance goals • Establish that preventive maintenance is performed regularly • Determine whether customer complaints about system availability are monitored • The IT department maintains a list of all software and their versions

  27. Processing Integrity • The Processing Integrity Principle refers to the completeness, accuracy, authorization, and timeliness of system processing (CAAT) • Processing integrity exists if a system performs its intended function in an unimpaired manner and free from manipulation

  28. Completeness ensures that all transactions and services are processed and that transactions are not processed more than once • Accuracy includes assurances that all relevant information related to the transaction remains updated and accurate

  29. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined • Timeliness of goods and services make certain that the delivery of those goods and services are in the context of the commitments made

  30. Processing Integrity – Audit Objective • Audit Objective: To ensure that all system components including processing integrity controls exist and are operational within the system

  31. Processing Integrity - Audit Procedures 1. Policy documentations 2. Communication to authorized users 3. Control and processing activities 4. Monitoring and maintaining compliance 5. Backup and testing

  32. Processing Integrity – Audit Procedures 1. Policy Documentations • Ensure that identification and documentation of the system policies are adequate and complete • CDS’s provisions are consistent with laws and regulations • System prevents unauthorized access and modifies access levels of existing users • Policies are established and reviewed regularly

  33. Processing Integrity - Audit Procedures 2. Communication to authorized users • CDS's policies and revisions are reviewed with internal users, and key elements and their impact are discussed • New and existing employees sign a statement of agreement each year to verify their understanding of the policies • The standard service agreement, including commitments and obligations to CDS's external users, is posted on the company's website • IT security policies are published for review

  34. Processing Integrity - Audit Procedures 3. Control and processing activities • Order processing, credit, and cash receipts should be segregated • Control clerks reconcile control totals of transactions; any errors are logged, investigated, and resolved • CDS's information system controls should contain edit and validation functions to check for incomplete or inaccurate data so that errors can be corrected on a timely basis • The operations manager performs regular reviews of customer complaints and other transaction evaluations

  35. Processing Integrity - Audit Procedures 4. Monitoring and maintaining compliance • System and security performance is periodically reviewed, e.g. using processing logs • Evaluate customer service, e.g. from customer complaints; prepare monthly reports and provide recommendations for improvement • Monitor information security, assess potential risks, and make proposals for implementation • Hold monthly IT staff meetings to address system processing capacity, security concerns and trends
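The CAAT breakdown on slides 27-29 (completeness, accuracy, authorization, timeliness) and the control activities on slide 34 (duplicate-free processing, control-total reconciliation, edit and validation checks) can be expressed as an automated auditor's test over a batch of transactions. The script below is an added example, not CDS code: the record layout, the authorized roles, the one-hour settlement commitment and the batch data are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample batch of settlement instructions (not real CDS data). It holds
# one duplicate (T2), one invalid field (T3), one unauthorized role (T4), one late settlement (T5).
BATCH = [
    {"id": "T1", "qty": 100, "price": 10.0, "role": "trader", "submitted": "2024-01-02T09:00:00", "settled": "2024-01-02T09:05:00"},
    {"id": "T2", "qty": 250, "price": 20.5, "role": "ops",    "submitted": "2024-01-02T09:10:00", "settled": "2024-01-02T09:20:00"},
    {"id": "T2", "qty": 250, "price": 20.5, "role": "ops",    "submitted": "2024-01-02T09:10:00", "settled": "2024-01-02T09:20:00"},
    {"id": "T3", "qty": 0,   "price": 5.0,  "role": "trader", "submitted": "2024-01-02T09:15:00", "settled": "2024-01-02T09:16:00"},
    {"id": "T4", "qty": 40,  "price": 12.0, "role": "intern", "submitted": "2024-01-02T09:20:00", "settled": "2024-01-02T09:25:00"},
    {"id": "T5", "qty": 75,  "price": 8.0,  "role": "trader", "submitted": "2024-01-02T09:30:00", "settled": "2024-01-02T11:00:00"},
]
# Control totals the submitting clerk reported (constructed): six instructions, 525 units.
# One 60-unit instruction never reached the batch, so the totals must fail to reconcile.
CONTROL_TOTAL = {"count": 6, "qty": 525}
AUTHORIZED_ROLES = {"trader", "ops"}   # assumed roles permitted to submit instructions
SETTLEMENT_SLA = timedelta(hours=1)    # assumed timeliness commitment


def check_batch(batch, control_total, authorized_roles, sla):
    """Run the four CAAT checks; return (exceptions per category, accepted ids)."""
    ex = {"completeness": [], "accuracy": [], "authorization": [], "timeliness": []}
    seen, accepted = set(), []
    for rec in batch:
        # Completeness: every instruction is processed exactly once.
        if rec["id"] in seen:
            ex["completeness"].append((rec["id"], "processed more than once"))
            continue
        seen.add(rec["id"])
        # Accuracy: edit/validation of fields before the record is accepted.
        if rec["qty"] <= 0 or rec["price"] <= 0:
            ex["accuracy"].append((rec["id"], "incomplete or invalid field"))
            continue
        # Authorization: only approved roles may submit.
        if rec["role"] not in authorized_roles:
            ex["authorization"].append((rec["id"], "role %s not authorized" % rec["role"]))
            continue
        # Timeliness: settlement completed within the committed window.
        lag = datetime.fromisoformat(rec["settled"]) - datetime.fromisoformat(rec["submitted"])
        if lag > sla:
            ex["timeliness"].append((rec["id"], "settled %s after submission" % lag))
            continue
        accepted.append(rec["id"])
    # Completeness: reconcile the clerk's control totals against the de-duplicated batch.
    unique = {r["id"]: r for r in batch}
    if len(unique) != control_total["count"] or sum(r["qty"] for r in unique.values()) != control_total["qty"]:
        ex["completeness"].append(("batch", "control totals do not reconcile"))
    return ex, accepted
```

Each exception tuple is the kind of entry a control clerk would log, investigate and resolve; the control-total check catches the instruction that is missing from the batch, which the per-record checks alone cannot see.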

  36. Processing Integrity - Audit Procedures 5. Backup and testing • Automated backup processes for testing the integrity of backup data • Offsite storage for backup data • Backup systems and data are tested as part of the disaster recovery test • CDS’s usability of backups should be verified at least annually, while the storage site is reviewed biannually for physical access security

  37. Conclusion CDS : • Internal controls by Audit Committee, Operations Committee, Risk Committee, and Strategic Review Committee • Security controls, business continuity controls, and data processing controls Trust Services Principles: • Security and protection against access • System availability • Processing integrity using CAAT
