The Canadian Depository for Securities Limited Audit Procedures on Trust Services - PowerPoint PPT Presentation

1
The Canadian Depository for Securities Limited
Audit Procedures on Trust Services
  • Hannah Huang
  • Gloria Lee
  • Fei Qi

2
Canadian Depository for Securities Limited (CDS)
  • National securities depository, clearing and
    settlement hub
  • Supports Canada's equity, fixed income and money
    markets, holding over 2.7 trillion on deposit
    and handling over 77 million securities trades
    annually
  • Incorporated federally on June 9, 1970 under
    Canada Corporation Act
  • Has over 400 employees and offices in Toronto,
    Montreal, Vancouver, Calgary and Halifax
  • A private corporation owned by major
    Canadian chartered banks, IDA and the TSX Inc.
  • Regulated by the Ontario and Quebec securities
    commissions and the Bank of Canada

3
What does CDS do?
  • Trade clearing and settlement services
  • Cross-border services
  • Depository/Custodial/Entitlement Services
  • Information and Supporting Services
  • Other services including consulting, delivery
    services and onsite contingency backup

4
CDS's Internal Control
  • Three major committees including Audit Committee
  • Other internal and external committees including
    Operations Committee, Risk Committee, and
    Strategic Review Committee
  • Security controls
  • Business continuity controls
  • Data processing controls

5
Trust Services Principles
  • A set of guidance and common framework for
    professional assurance and advisory services
  • Principles are used to address the risks and
    opportunities of information technology
  • Developed by CICA/AICPA
  • Trust Services includes WebTrust and SysTrust

6
SysTrust
  • SysTrust is professional accounting's answers to
    concerns relating to system reliability, which
    constitute professional guidance as well as
    serving as best practices for system
    reliability.
    - Information Technology Center, AICPA

7
Trust Services Principles
  • 1. Security: System is protected against
    unauthorized access
  • 2. Availability: System is available for
    operation and use as committed
  • 3. Processing Integrity: System processing
    complies with CAAT
  • 4. Online Privacy: Personal information is
    collected, used, retained as committed
    and agreed upon
  • 5. Confidentiality: Confidential information is
    protected

11
Security
  • The Security Principle refers to the protection
    of system components from unauthorized access,
    both logical and physical

12
Security Audit Objective
  • Audit Objective: To determine key elements for
    protection which includes permitting authorized
    access and preventing unauthorized access to the
    system

13
Security - Audit Procedures
  • 1. Security policies
  • 2. Communication to users
  • 3. Procedures on _____ access
  • 4. Procedures on logical access
  • 5. Monitoring

14
Security - Audit Procedures
  • 1. Security policies
  • To verify that the entity's security policies are
    established and periodically reviewed and
    approved by designated individuals or groups
  • CDS Management Control: Policies and procedures
    on security are reviewed regularly

15
Security - Audit Procedures
  • 2. Communication to users
  • To determine the security obligations of users
    and whether the entity's security commitments
    to users are communicated to authorized users
  • CDS Management Control: Uses Intranet to
    communicate to internal users

16
Security - Audit Procedures
  • 3. Procedures on _____ access
  • To verify that the entity uses procedures to
    restrict ______ access to the defined system
    including, but not limited to facilities, backup
    media, and other system components such as
    firewalls, routers, and servers
  • CDS Management Control: Premise Security (modern
    system of physical security)

17
Security - Audit Procedures
  • 4. Procedures on logical access
  • To verify that procedures exist to protect
    against unauthorized logical access to the
    defined system
  • CDS Management Control: Information Security
    (security system software and related procedures)

18
Security - Audit Procedures
  • 5. Monitoring
  • The entity's system is periodically reviewed and
    compared with the defined system security
    policies
  • CDS Management Control: Whistleblower Program
  • unlawful actions
  • incorrect financial reporting
  • failure to comply with corporate policies

19
Availability
  • The Availability Principle refers to the
    system, products or services being available
    for operations and use as advertised or committed
    by contract or other agreements

20
Availability Audit Objective
  • Audit Objective: To verify that CDS has
    physical and internal control provisions in
    place to provide at least the minimum
    acceptable level of uninterrupted services and
    products as agreed with other parties

21
Availability Audit Procedures
  • 1. Access Control
  • 2. Physical Construction
  • 3. Fault Tolerance Controls
  • 4. Disaster Recovery Plan
  • 5. Performance measurement and
    maintenance

22
Availability Audit Procedures
  • 1. Access Control
  • Observe how access privileges are granted and
    determine whether access is given only to
    authorized employees
  • Verify that the ability to create and modify
    user access privileges is limited to a
    ______ ___________ team
  • Determine the existence of physical access
    controls (i.e. ______ ) and other information
    security controls (i.e. _________)

23
Availability Audit Procedures
  • 2. Physical Construction
  • Determine and observe whether the computer
    facility is built with solid material and located
    in a remote area
  • Determine if the entity has an air filtration
    system and temperature control

24
Availability Audit Procedures
  • 3. Fault Tolerance Controls
  • Test whether the system can continue operations
    even when system failure occurs due to hardware
    failure and application errors
  • Verify whether backup power supplies are
    available in case of a power outage
  • Determine whether multiple processing or RAID
    (redundant array of inexpensive disks) is utilized

25
Availability Audit Procedures
  • 4. Disaster Recovery Plan
  • The auditor should determine whether disaster
    recovery and contingency plans have proper
    documentation
  • Backup sites and verify the backup supplies
  • Review the ______ ________ list
  • Verify that critical data files have backups
  • Verify that the disaster recovery plans are tested
    annually and management approves changes to the
    plans

26
Availability Audit Procedures
  • 5. Performance Measurement and Maintenance
  • Verify that the system availability and
    performance are measured and evaluated against
    the predetermined performance goals periodically
  • Establish that preventive maintenance is
    performed regularly
  • Determine whether customer complaints about
    system availability are monitored
  • IT department maintains a list of all software
    and their versions

27
Processing Integrity
  • The Processing Integrity Principle refers to the
    completeness, accuracy, authorization, and
    timeliness of system processing (CAAT)
  • Processing integrity exists if a system performs
    its intended function in an unimpaired manner and
    free from manipulation

28
  • Completeness ensures that all transactions and
    services are processed and that transactions are
    not processed more than once
  • Accuracy includes assurances that all relevant
    information related to the transaction remains
    updated and accurate

29
  • Authorization includes assurances that processing
    is performed in accordance with the required
    approvals and privileges defined
  • Timeliness of goods and services makes certain
    that the delivery of those goods and services is
    in the context of the commitments made

30
Processing Integrity Audit Objective
  • Audit Objective: To ensure that all system
    components including processing integrity
    controls exist and are operational within the
    system

31
Processing Integrity - Audit Procedures
  • 1. Policy documentations
  • 2. Communication to authorized users
  • 3. Control and processing activities
  • 4. Monitoring and maintaining compliance
  • 5. Backup and testing

32
Processing Integrity Audit Procedures
  • 1. Policy Documentations
  • Ensure that identification and documentation of
    the system policies are adequate and complete
  • CDS's provisions are consistent with laws and
    regulations
  • System prevents unauthorized access and modifies
    access levels of existing users
  • Policies are established and reviewed regularly

33
Processing Integrity - Audit Procedures
  • 2. Communication to authorized users
  • CDS's policies and revisions are reviewed with
    internal users, while key elements and their impact
    are discussed
  • New and existing employees sign a statement
    agreement to verify their understanding of the
    policies each year
  • Standard service agreement including commitments
    and obligations to CDS's external users is
    posted on the company's website
  • IT security policies are published for review

34
Processing Integrity - Audit Procedures
  • 3. Control and processing activities
  • Order processing and credit and cash receipts
    should be segregated
  • Control clerks reconcile control totals of
    transactions; any errors are logged,
    investigated, and resolved
  • CDS's information system controls should contain
    edit and validation system functions to check for
    incomplete or inaccurate data; errors can be
    corrected on a timely basis
  • Operations manager performs regular review of
    customer complaints, and other transaction
    evaluations

35
Processing Integrity - Audit Procedures
  • 4. Monitoring and maintaining compliance
  • System and security performance is periodically
    reviewed, i.e. using processing logs
  • Evaluate customer service, i.e. with customer
    complaints, prepare monthly reports, and provide
    recommendations for improvement
  • Monitor information security, assess potential
    risks, and make proposals for implementation
  • Hold monthly IT staff meetings to address system
    processing capacity, and security concerns and
    trends

36
Processing Integrity - Audit Procedures
  • 5. Backup and testing
  • Automated backup processes for testing the
    integrity of backup data
  • Offsite storage for backup data
  • Backup systems and data are tested as part of the
    disaster recovery test
  • Usability of CDS's backups should be verified at
    least annually, while the storage site is
    reviewed biannually for physical access security

37
Conclusion
  • CDS
  • Internal controls by Audit Committee, Operations
    Committee, Risk Committee, and Strategic Review
    Committee
  • Security controls, business continuity controls,
    and data processing controls
  • Trust Services Principles
  • Security and protection against access
  • System availability
  • Processing integrity using CAAT