Title: The Canadian Depository for Securities Limited Audit Procedures on Trust Services
The Canadian Depository for Securities Limited
Audit Procedures on Trust Services
- Hannah Huang
- Gloria Lee
- Fei Qi
Canadian Depository for Securities Limited (CDS)
- National securities depository, clearing and settlement hub
- Supports Canada's equity, fixed income and money markets, holding over 2.7 trillion on deposit and handling over 77 million securities trades annually
- Incorporated federally on June 9, 1970 under the Canada Corporation Act
- Over 400 employees, with offices in Toronto, Montreal, Vancouver, Calgary and Halifax
- A private corporation owned by the major Canadian chartered banks, the IDA and TSX Inc.
- Regulated by the Ontario and Quebec securities commissions and the Bank of Canada
What does CDS do?
- Trade clearing and settlement services
- Cross-border services
- Depository/Custodial/Entitlement Services
- Information and Supporting Services
- Other services including consulting, delivery services and onsite contingency backup
CDS's Internal Control
- Three major committees, including the Audit Committee
- Other internal and external committees, including the Operations Committee, Risk Committee, and Strategic Review Committee
- Security controls
- Business continuity controls
- Data processing controls
Trust Services Principles
- A set of guidance and a common framework for professional assurance and advisory services
- The principles are used to address the risks and opportunities of information technology
- Developed by CICA/AICPA
- Trust Services includes WebTrust and SysTrust
SysTrust
- "SysTrust is professional accounting's answer to concerns relating to system reliability, which constitutes professional guidance as well as serving as best practices for system reliability." - Information Technology Center, AICPA
Trust Services Principles
- 1. Security: the system is protected against unauthorized access
- 2. Availability: the system is available for operation and use as committed
- 3. Processing Integrity: system processing complies with CAAT
- 4. Online Privacy: personal information is collected, used, and retained as committed and agreed upon
- 5. Confidentiality: confidential information is protected
Security
- The Security Principle refers to the protection of system components from unauthorized access, both logical and physical
Security Audit Objective
- Audit Objective: To determine the key elements of protection, which include permitting authorized access and preventing unauthorized access to the system
Security - Audit Procedures
- 1. Security policies
- 2. Communication to users
- 3. Procedures on _____ access
- 4. Procedures on logical access
- 5. Monitoring
Security - Audit Procedures
- 1. Security policies
- To verify that the entity's security policies are established and periodically reviewed and approved by designated individuals or groups
- CDS Management Control: policies and procedures on security are reviewed regularly
Security - Audit Procedures
- 2. Communication to users
- To determine the security obligations of users and whether the entity's security commitments to users are communicated to authorized users
- CDS Management Control: the Intranet is used to communicate with internal users
Security - Audit Procedures
- 3. Procedures on _____ access
- To verify that the entity uses procedures to restrict ______ access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers
- CDS Management Control: Premises Security, a modern system of physical security
Security - Audit Procedures
- 4. Procedures on logical access
- To verify that procedures exist to protect against unauthorized logical access to the defined system
- CDS Management Control: Information Security, consisting of security system software and related procedures
Security - Audit Procedures
- 5. Monitoring
- The entity's system is periodically reviewed and compared with the defined system security policies
- CDS Management Control: a Whistleblower Program covering unlawful actions, incorrect financial reporting, and failure to comply with corporate policies
Availability
- The Availability Principle refers to whether the system, products or services are available for operation and use as advertised or as committed by contract or other agreements
Availability Audit Objective
- Audit Objective: To verify that CDS has physical and internal control provisions in place to provide at least the minimum acceptable level of uninterrupted services and products as agreed with other parties
Availability Audit Procedures
- 1. Access Control
- 2. Physical Construction
- 3. Fault Tolerance Controls
- 4. Disaster Recovery Plan
- 5. Performance Measurement and Maintenance
Availability Audit Procedures
- 1. Access Control
- Observe how access privileges are granted and determine whether access is given only to authorized employees
- Verify that the ability to create and modify user access privileges is limited to a ______ ___________ team
- Determine the existence of physical access controls (i.e. ______) and other information security controls (i.e. _________)
Availability Audit Procedures
- 2. Physical Construction
- Determine and observe whether the computer facility is built with solid material and located in a remote area
- Determine if the entity has an air filtration system and temperature control
Availability Audit Procedures
- 3. Fault Tolerance Controls
- Test whether the system can continue operations even when system failure occurs due to hardware failure or application errors
- Verify whether backup power supplies are available in case of a power outage
- Determine whether multiprocessing or RAID (Redundant Array of Inexpensive Disks) is utilized
Availability Audit Procedures
- 4. Disaster Recovery Plan
- The auditor should determine whether disaster recovery and contingency plans have proper documentation
- Review backup sites and verify the backup supplies
- Review the ______ ________ list
- Verify that critical data files have backups
- Verify that the disaster recovery plans are tested annually and that management approves changes to the plans
Availability Audit Procedures
- 5. Performance Measurement and Maintenance
- Verify that system availability and performance are measured periodically and evaluated against predetermined performance goals
- Establish that preventive maintenance is performed regularly
- Determine whether customer complaints about system availability are monitored
- Verify that the IT department maintains a list of all software and their versions
Processing Integrity
- The Processing Integrity Principle refers to the completeness, accuracy, authorization, and timeliness of system processing (CAAT)
- Processing integrity exists if a system performs its intended function in an unimpaired manner and free from manipulation
- Completeness ensures that all transactions and services are processed and that transactions are not processed more than once
- Accuracy includes assurances that all relevant information related to the transaction remains updated and accurate
- Authorization includes assurances that processing is performed in accordance with the required approvals and the privileges defined
- Timeliness of goods and services makes certain that the delivery of those goods and services is within the context of the commitments made
Processing Integrity Audit Objective
- Audit Objective: To ensure that all system components, including processing integrity controls, exist and are operational within the system
Processing Integrity - Audit Procedures
- 1. Policy documentation
- 2. Communication to authorized users
- 3. Control and processing activities
- 4. Monitoring and maintaining compliance
- 5. Backup and testing
Processing Integrity - Audit Procedures
- 1. Policy Documentation
- Ensure that the identification and documentation of the system policies are adequate and complete
- CDS's provisions are consistent with laws and regulations
- The system prevents unauthorized access and modifies the access levels of existing users
- Policies are established and reviewed regularly
Processing Integrity - Audit Procedures
- 2. Communication to authorized users
- CDS's policies and revisions are reviewed with internal users, and the key elements and their impact are discussed
- New and existing employees sign a statement of agreement each year to verify their understanding of the policies
- A standard service agreement, including commitments and obligations to CDS's external users, is posted on the company's website
- IT security policies are published for review
Processing Integrity - Audit Procedures
- 3. Control and processing activities
- Order processing and credit and cash receipts should be segregated
- Control clerks reconcile control totals of transactions; any errors are logged, investigated, and resolved
- CDS's information system controls should contain edit and validation functions to check for incomplete or inaccurate data, so that errors can be corrected on a timely basis
- The operations manager performs regular reviews of customer complaints and other transaction evaluations
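The control-total reconciliation and edit/validation checks described above, worked through as an added example. This is not CDS's own code or audit software: the record layout, the control sheet values, the approver list, the account-id format and the settlement window are all constructed assumptions, chosen so that each of the four CAAT elements (completeness, accuracy, authorization, timeliness) has one exception to catch.

```python
"""Added example, not CDS's own code: batch-level processing integrity checks
that mirror the CAAT elements (completeness, accuracy, authorization,
timeliness).  Every record, control total, approver list and field name
below is constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount_cents: int
    approver: str
    submitted: datetime
    settled: datetime


# Constructed control sheet, as a control clerk would receive it with the batch.
CONTROL_COUNT = 5                                # records the sender says it posted
CONTROL_TOTAL = 52_500                           # sum of amounts (cents) the sender says it posted
AUTHORIZED_APPROVERS = {"supervisor.1", "supervisor.2"}
MAX_SETTLEMENT_DELAY = timedelta(days=2)         # assumed commitment to clients
ACCOUNT_FORMAT = re.compile(r"^[A-Z]{2}\d{6}$")  # assumed account-id format

T0 = datetime(2024, 1, 8, 9, 0)
# Constructed batch: one duplicate id, one unapproved approver, one late
# settlement and one negative amount, so every CAAT element has something to catch.
SAMPLE_BATCH = [
    Transaction("T001", "AC100001", 10_000, "supervisor.1", T0, T0 + timedelta(days=1)),
    Transaction("T002", "AC100002", 25_000, "supervisor.2", T0, T0 + timedelta(days=1)),
    Transaction("T002", "AC100002", 25_000, "supervisor.2", T0, T0 + timedelta(days=1)),
    Transaction("T003", "AC100003", 5_000, "intern.x", T0, T0 + timedelta(days=1)),
    Transaction("T004", "AC100004", 12_000, "supervisor.1", T0, T0 + timedelta(days=3)),
    Transaction("T005", "AC100005", -500, "supervisor.2", T0, T0 + timedelta(days=1)),
]


def validate_batch(txns, control_count, control_total, approvers, max_delay):
    """Return a list of (txn_id, caat_element, message) exceptions.
    An empty list means the batch reconciles and every record passed its edits."""
    errors = []
    seen = set()
    for t in txns:
        # Completeness: no transaction processed more than once
        if t.txn_id in seen:
            errors.append((t.txn_id, "completeness", "duplicate transaction id"))
        seen.add(t.txn_id)
        # Accuracy: edit and validation checks on the record's own fields
        if t.amount_cents <= 0:
            errors.append((t.txn_id, "accuracy", f"non-positive amount {t.amount_cents}"))
        if not ACCOUNT_FORMAT.match(t.account):
            errors.append((t.txn_id, "accuracy", f"malformed account id {t.account!r}"))
        # Authorization: processing only under the required approvals
        if t.approver not in approvers:
            errors.append((t.txn_id, "authorization", f"approver {t.approver!r} not authorized"))
        # Timeliness: settled within the committed window
        if t.settled - t.submitted > max_delay:
            errors.append((t.txn_id, "timeliness", f"settled {t.settled - t.submitted} after submission"))
    # Control totals, reconciled for the batch as a whole
    if len(txns) != control_count:
        errors.append(("BATCH", "completeness",
                       f"record count {len(txns)} != control count {control_count}"))
    actual_total = sum(t.amount_cents for t in txns)
    if actual_total != control_total:
        errors.append(("BATCH", "accuracy",
                       f"amount total {actual_total} != control total {control_total}"))
    return errors


def summarize_errors(errors):
    """Count exceptions per CAAT element, the figures an exception report would carry."""
    return dict(Counter(element for _, element, _ in errors))


def run_sample():
    return validate_batch(SAMPLE_BATCH, CONTROL_COUNT, CONTROL_TOTAL,
                          AUTHORIZED_APPROVERS, MAX_SETTLEMENT_DELAY)


if __name__ == "__main__":
    # Each exception would be logged, investigated and resolved before posting.
    for txn_id, element, message in run_sample():
        print(f"{txn_id:6} {element:14} {message}")
```

Running the sample produces six exceptions: the duplicate T002 and the record-count mismatch (completeness), the negative amount on T005 and the amount-total mismatch (accuracy), the unlisted approver on T003 (authorization) and the three-day settlement of T004 (timeliness). The batch-level totals are checked even when every individual record passes, which is what makes the control-total reconciliation independent of the per-record edits.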
Processing Integrity - Audit Procedures
- 4. Monitoring and maintaining compliance
- System and security performance is periodically reviewed, e.g. using processing logs
- Evaluate customer service, e.g. through customer complaints; prepare monthly reports and provide recommendations for improvement
- Monitor information security, assess potential risks, and propose measures for implementation
- Hold monthly IT staff meetings to address system processing capacity, security concerns and trends
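A periodic review of processing logs against a defined security policy, as the monitoring procedure above describes, worked through as an added example. This is not CDS's own code or log format: the line layout, the user and action names, the business-hours window and the failed-login threshold are constructed assumptions, and the policy values stand in for whatever the entity's approved policies actually state.

```python
"""Added example, not CDS's own code: a periodic review of processing-log
lines against the entity's defined security policy.  The log format, the user
and action names, and every policy threshold are constructed assumptions."""
import re
from collections import Counter
from datetime import datetime

# Assumed log format: "<ISO timestamp> user=<id> action=<name> result=ok|fail"
LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) result=(ok|fail)$")

# Defined policy (constructed).  In a real review these values come from the
# approved security policies, so the comparison is policy versus observed behaviour.
POLICY = {
    "authorized_users": {"clerk.a", "clerk.b", "secadmin.1"},
    "admins": {"secadmin.1"},               # the only users allowed privileged actions
    "privileged_actions": {"modify_access"},
    "business_hours": (7, 19),              # successful activity expected 07:00-18:59
    "failed_login_threshold": 3,
}

# Constructed sample log: one after-hours login, a burst of failed logins from an
# unknown account, a privileged action by a clerk, and activity by an unlisted user.
SAMPLE_LOG = """
2024-01-08T09:12:03 user=clerk.a action=login result=ok
2024-01-08T09:15:40 user=clerk.a action=post_batch result=ok
2024-01-08T22:41:10 user=clerk.b action=login result=ok
2024-01-08T10:01:01 user=unknown9 action=login result=fail
2024-01-08T10:01:09 user=unknown9 action=login result=fail
2024-01-08T10:01:15 user=unknown9 action=login result=fail
2024-01-08T11:30:00 user=clerk.a action=modify_access result=ok
2024-01-08T11:35:00 user=secadmin.1 action=modify_access result=ok
2024-01-08T12:00:00 user=contractor.z action=post_batch result=ok
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, action, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "result": result}


def review_logs(lines, policy):
    """Compare observed activity with the defined policy; return a list of findings."""
    findings = []
    failed_logins = Counter()
    start_hour, end_hour = policy["business_hours"]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A line the reviewer cannot read is itself a finding: the review
            # must not silently skip evidence.
            findings.append({"kind": "unparseable", "line": line})
            continue
        if rec["action"] == "login" and rec["result"] == "fail":
            failed_logins[rec["user"]] += 1
            continue
        if rec["result"] != "ok":
            continue
        if rec["user"] not in policy["authorized_users"]:
            findings.append({"kind": "unauthorized_user", "user": rec["user"], "line": line})
        if not start_hour <= rec["ts"].hour < end_hour:
            findings.append({"kind": "outside_hours", "user": rec["user"], "line": line})
        if (rec["action"] in policy["privileged_actions"]
                and rec["user"] not in policy["admins"]):
            findings.append({"kind": "privileged_by_non_admin", "user": rec["user"], "line": line})
    for user, n in failed_logins.items():
        if n >= policy["failed_login_threshold"]:
            findings.append({"kind": "failed_login_burst", "user": user, "count": n})
    return findings


def summarize_findings(findings):
    """Counts per finding kind, the figures a monthly compliance report would carry."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOG, POLICY):
        print(finding)
```

On the sample log the review yields four findings, one of each kind: the 22:41 login by clerk.b (outside hours), the three failed logins by unknown9 (failed-login burst), clerk.a performing modify_access (privileged action by a non-admin) and contractor.z posting a batch (user not on the authorized list). Each finding keeps the offending line so that the follow-up investigation starts from the evidence rather than from the summary count.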
Processing Integrity - Audit Procedures
- 5. Backup and testing
- Automated backup processes for testing the integrity of backup data
- Offsite storage for backup data
- Backup systems and data are tested as part of the disaster recovery test
- The usability of CDS's backups should be verified at least annually, while the storage site is reviewed biannually for physical access security
Conclusion
- CDS
- Internal controls by the Audit Committee, Operations Committee, Risk Committee, and Strategic Review Committee
- Security controls, business continuity controls, and data processing controls
- Trust Services Principles
- Security and protection against unauthorized access
- System availability
- Processing integrity using CAAT