Test Case
Trading Process
The installed NNF systems allow for placing of trades only for authorized clients
Results, Observations & Control Risk
Auditors Risk
Results
Opinions
Order Parameters
There is online risk assessment of all orders placed through the CTCL / IBT / DMA / SOR / STWT system.
Regd. Office : Exchange Plaza, Bandra Kurla Complex, Bandra (E), Mumbai 400 051
Page 1 of 19
Controls / Processes
Exchanges
Session Security
The installed NNF system provides for session security for all sessions established with the server by the front end application.
Session Security
The system uses session identification and authentication measures to restrict sessions to authorized NNF users only
The system uses session security measures like encryption to ensure confidentiality of sessions initiated
Session login details should not be stored on the devices used for STWT
In case of no activity by the client, the system provides for automatic trading session logout for IBT / STWT systems
Database Security
The installed NNF system has sufficient controls over the access to and integrity of the database
Database Security
The access to the database is allowed only to authorized NNF users / applications
The database is hosted on a secured platform
The database stores the user names / passwords securely
Storage of passwords is encrypted with
Session Encryption
The systems use SSL or similar session confidentiality protection mechanisms
The systems use a secure storage mechanism for storing of usernames and passwords
The systems adequately protect the confidentiality of the users' trade data
The installed CTCL / IBT / DMA / SOR / STWT systems have a provision for On-line surveillance and risk management as per the requirements of NSE and includes
Number of Users Logged in / hooked on to the network incl. privileges of each
User Creation
New User IDs are created as per the guidelines.
User ID
All users are uniquely identified through issue of unique user ids.
User Disablement
Users not compliant with the Exchange requirements are disabled and event logs are maintained
User Deletion
Users are deleted as per the NSE guidelines
The installed NNF system authentication mechanism is as per the guidelines of the NSE
Does the Organization have a suitable documented Business Continuity or Disaster Recovery or Incident Response process commensurate with the organization size and risk profile to ensure a high degree of availability of the installed NNF system?
Test Case
Is there any documentation on Business Continuity / Disaster Recovery / Incident Response?
Part B
Controls / Processes
Test Case
Results, Observations & Control Risk
Auditors Opinion
Results
Opinions
Main Features
Price Broadcast
The system has a feature for receipt of price broadcast data
Order Processing: The system has a feature
which allows order entry and confirmation of orders
which allows for modification or cancellation of orders placed
Trade Confirmation
The system has a feature which enables confirmation of trades
The system has a feature which provides history of trades for the day to the user
Gateway Parameters
Trader ID
Market Segment - CM
CTCL ID
IP Address (NSE Network)
VSAT ID
Leased Line ID
Market Segment - F&O
CTCL ID
IP Address (NSE Network)
VSAT ID
Leased Line ID
Market Segment - CDS
CTCL ID
IP Address (NSE Network)
VSAT ID
Leased Line ID
Order Entry
The system has order placement controls that allow only orders matching the system parameters to be placed.
Order Modification
relevant?
Copy of Undertaking provided regarding the CTCL system as per relevant circulars.
router
Network Switch
Day Begin
Day End
Access Control
Firewall
Is a firewall implemented?
PART C
Sr. No.
Area of Audit
Compliance Part C
Remarks (if No)
1
Whether the required details of all the NNF user ids created in the server of the trading member, for any purpose (viz. administration, branch administration, mini-administration, surveillance, risk management, trading, view only, testing, etc.) and any changes therein, have been uploaded as per the requirement of the Exchange?
YES / NO
Whether all the NNF user ids created in the server of the trading member have been mapped to 12 digit codes on a one-to-one basis and a record of the same is maintained?
YES / NO
All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2012 have been duly implemented. IF NOT, please give details.
YES / NO
All orders routed through CTCL / IBT / STWT / DMA / SOR are routed through electronic / automated Risk Management System of the broker to carry out appropriate validations of all risk parameters before the orders are released to the Exchange.
YES / NO
The system and system records with respect to Risk Controls are maintained as prescribed by the Exchange which are as follows :
YES / NO
The limits are set up after assessing the risks of the corresponding user ID and branch ID
The limits are set up after taking into account the member's capital adequacy requirements
All the limits are reviewed regularly and the limits in the system are up to date
All the branches or users have got limits defined and no user or branch in the system is having unlimited limits on the above stated parameters
Daily record of these limits is preserved and shall be produced before the Exchange as and when the information is called for
Compliance officer of the member has certified the above in the quarterly compliance certificate submitted to the Exchange
Recommendations
DECLARATION:
I) All the branches where CTCL/IBT/DMA/SOR/STWT facility is provided have been audited and ONE consolidated report has been submitted for all segments.
II) All the audit recommendations given in relation to the system audit certificate for the year ended June 30, 2012 have been duly implemented. If not, the same have been reported hereunder:
1)
2)
III) There is no conflict of interest with respect to the member being audited. If any such instance arises, it shall be brought to the notice of the Exchange immediately before undertaking the audit.
_______________________________
Signature
(Name of the Auditor & Auditing firm)
CISA/CISSP/DISA/ISA Reg. No. :
Date:
Place:
Stamp/Seal:
SUMMARY SHEET
(The detailed findings are grouped under the broad categories as below and classified as Strong, Medium or Weak and overall audit rating has been given)
NAME OF THE AUDIT FIRM: ____________________________________________________
Sr. No.
Area of Audit
Compliance Part A (S/M/W)
Compliance Part B (S/M/W)
2.
NA
NA
NA
NA
10
11
Report Reference
NA
NA
NA
NA
12
13
14
NA
NA
NA
Description
Strong
The controls are defined as Strong if the following criteria are met
Implemented controls fully comply with the stated objectives and no material weaknesses are found.
Medium
The controls are defined as Medium if the following criteria are met
Implemented controls substantially comply with the stated objectives and no material weakness results in substantial risk exposure due to the non-compliance with the criteria
Compensatory controls exist which reduce the risk exposure to make it immaterial vis-à-vis the non-compliance with the criteria.
Weak
The controls are defined as Weak if the following criteria are met
Implemented controls materially fail to comply with the stated control objectives.
Compensating controls fail to reduce the risk so as to make it immaterial vis-à-vis the non-compliance with the compliance criteria.
Name of the application
Version
Segment
Developed by (Name of empanelled vendor / In-house)
1
2
3
Signature
(Name of the Auditor & Auditing firm)
CISA/CISSP/DISA/ISA Reg. No. :
Date:
Place:
Stamp/Seal:
1. We confirm and certify that the softwares have undergone tests by us and we are satisfied about the same. Further, we undertake to comply with and be bound by the Rules, Bye-laws, Regulations of the Exchange, SEBI, RBI, any other statutory and regulatory body(ies) as may be applicable from time to time.
2. We undertake that any modifications / Change to the software to be effected only on prior approval of Exchange.
3. We certify that all the statements are true and correct to the best of our knowledge. We are aware that in case any of the statements are found to be incorrect or false, we are liable for disciplinary action.
Countersigned, sealed and delivered by the Authorized representative of the MEMBER.
Date:
Place: