...


Report on controls over the NZClear system
For the year ended 30 June 2014
Reserve Bank of New Zealand

System Operator: Reserve Bank of New Zealand
Custodian Trustee: New Zealand Central Securities Depository Limited (NZCSD)
Table of contents
Section I – Purpose, scope and use of this report (page 3)
Section II – Report by management (page 4)
Section III – Description of the Reserve Bank’s NZClear system (page 7)
Section IV – NZClear control objectives (page 13)
Section V – Independent assurance report (page 15)
Section VI – Definition of testing terms (page 17)
Section VII – Auditor’s tests of operating effectiveness of key controls (page 18)
Section I
Purpose, scope and use of this report
This report is designed to provide information to be used for financial reporting purposes by members of
NZClear (“the System”) and their independent auditors in respect of the year ended 30 June 2014.
This report is prepared pursuant to Rule 19.2.1 of the NZClear Rules which requires that an audit report for the System be prepared and published each year.[1] The report has been prepared in compliance with the requirements of the International Standard on Assurance Engagements (New Zealand) 3402 “Assurance Reports on Controls at a Service Organisation” issued by the External Reporting Board.
This report comprises:
• a report by management which describes the services provided by the Reserve Bank of New Zealand (the “Reserve Bank”) as operator of the System including information on key internal controls for NZClear;
• an assurance report by Chris Barber with the assistance of PricewaterhouseCoopers (“PwC”) – on behalf of the Auditor-General (“the Auditor”); and
• details of the controls supporting each control objective, as well as the related tests performed by the Auditor and the results of that testing.
The scope of this report is limited to the controls which apply to the operation of the System by the Reserve Bank and its use by members pursuant to the NZClear Rules.
This report is strictly confidential. It is intended for use by the Reserve Bank, members of the NZClear system and their independent auditors. Unauthorised use of this report in whole or part is strictly prohibited.
[1] The NZClear Rules require that the Auditor issue a report on NZClear controls annually in respect of the period ended 30 June. In addition, the NZClear Rules require that for each three months ended 31 March, 30 September and 31 December the auditor will test the reconciliation of securities recorded in the NZClear system and those recorded in the respective registry records and issue a report on its findings.
Section III
Description of the Reserve Bank’s NZClear system
Background on NZClear
NZClear is New Zealand’s principal high-value securities depository. The System is charged with providing
an efficient and safe process for the electronic transfer and safekeeping of securities.
NZClear, known formerly as the Austraclear New Zealand System, has been operating in New Zealand since 1990 and is used principally for transferring fixed interest securities and equity securities on a delivery versus payment basis. The System is also used to make transfers of cash between participants.
For a transaction to be settled both parties must enter the relevant details of the transaction and those transaction details must be “matched” by the System. Once a transaction is matched, to be further processed a payor of funds must have sufficient funds or credit facilities with its clearing bank (known in the Rules as the Participating ESAS Account Holder) and the seller of securities must have sufficient securities in its security account to complete the transaction. Settlement is effected by a process called Delivery versus Payment (“DvP”) (Bank for International Settlements Model 1) whereby settlement of securities and associated cash payments occurs on an irrevocable and simultaneous basis. Cash payments involving more than one Participating ESAS Account Holder are made across the Reserve Bank’s Exchange Settlement Account System, while title to securities is transferred in the NZClear system. Once a transaction is settled it cannot be revoked.
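The matching and DvP settlement flow described above, written out as an added Python example. This is illustrative code prepared for this page, not code from the original report or from the NZClear system or its operator. The `Instruction` and `Depository` structures, the field names, the member names and the amounts are constructed assumptions. The example shows the two properties the text relies on: no balance moves until both the securities check and the funds check have passed, and a settled transaction has no reversal path.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed model of NZClear-style matching and DvP (BIS Model 1) settlement.
# Not the operator's software; names and structures are assumptions for illustration.


@dataclass(frozen=True)
class Instruction:
    """One side of a trade, entered separately by each member."""
    member: str            # member that entered the instruction
    counterparty: str      # member on the other side of the trade
    side: str              # "DELIVER" (seller of securities) or "RECEIVE" (buyer, i.e. payor)
    isin: str
    quantity: int
    cash: Decimal          # settlement amount paid by the receiver
    value_date: str


# Economic terms that must be identical on both sides before the System treats them as matched.
MATCH_FIELDS = ("isin", "quantity", "cash", "value_date")


def match(a: Instruction, b: Instruction) -> Optional[Tuple[Instruction, Instruction]]:
    """Return (deliverer, receiver) if the two instructions match, otherwise None."""
    if {a.side, b.side} != {"DELIVER", "RECEIVE"}:
        return None
    if a.member != b.counterparty or b.member != a.counterparty:
        return None
    if any(getattr(a, f) != getattr(b, f) for f in MATCH_FIELDS):
        return None
    return (a, b) if a.side == "DELIVER" else (b, a)


@dataclass
class Depository:
    """Securities accounts, cash accounts at the clearing bank, and the log of settled trades."""
    securities: Dict[Tuple[str, str], int]                    # (member, isin) -> units held
    cash: Dict[str, Decimal]                                  # member -> cash balance
    credit: Dict[str, Decimal] = field(default_factory=dict)  # member -> credit facility
    settled: List[Tuple[Instruction, Instruction]] = field(default_factory=list)

    def funds_available(self, member: str) -> Decimal:
        return self.cash.get(member, Decimal("0")) + self.credit.get(member, Decimal("0"))

    def settle(self, deliverer: Instruction, receiver: Instruction) -> str:
        """DvP Model 1: both preconditions are checked before either leg moves."""
        sec_key = (deliverer.member, deliverer.isin)
        if self.securities.get(sec_key, 0) < deliverer.quantity:
            return "PENDING_SECURITIES"          # seller short of securities; nothing moves
        if self.funds_available(receiver.member) < receiver.cash:
            return "PENDING_FUNDS"               # payor short of funds/credit; nothing moves
        # Securities leg: title moves within the depository.
        self.securities[sec_key] -= deliverer.quantity
        recv_key = (receiver.member, receiver.isin)
        self.securities[recv_key] = self.securities.get(recv_key, 0) + receiver.quantity
        # Cash leg: a negative balance represents a draw on the credit facility.
        self.cash[receiver.member] = self.cash.get(receiver.member, Decimal("0")) - receiver.cash
        self.cash[deliverer.member] = self.cash.get(deliverer.member, Decimal("0")) + deliverer.cash
        self.settled.append((deliverer, receiver))
        return "SETTLED"

    def revoke(self, index: int) -> None:
        """Settlement is final: there is deliberately no path that reverses a settled trade."""
        raise PermissionError("settled transactions are irrevocable")


def run_example() -> dict:
    """Constructed scenario: ACME sells 1,000 units of a bond to BANKB for 1,012,500.00."""
    dep = Depository(
        securities={("ACME", "NZGOVT-2020"): 1_500},
        cash={"ACME": Decimal("0"), "BANKB": Decimal("900000.00")},
    )
    sell = Instruction("ACME", "BANKB", "DELIVER", "NZGOVT-2020", 1_000, Decimal("1012500.00"), "2014-06-30")
    buy_wrong = Instruction("BANKB", "ACME", "RECEIVE", "NZGOVT-2020", 1_000, Decimal("1012000.00"), "2014-06-30")
    buy = Instruction("BANKB", "ACME", "RECEIVE", "NZGOVT-2020", 1_000, Decimal("1012500.00"), "2014-06-30")
    out = {}
    out["mismatch"] = match(sell, buy_wrong)           # cash differs, so no match and no processing
    pair = match(sell, buy)
    out["matched"] = pair is not None
    out["first_attempt"] = dep.settle(*pair)           # BANKB holds only 900,000: PENDING_FUNDS
    out["after_failure"] = (dep.securities[("ACME", "NZGOVT-2020")], str(dep.cash["BANKB"]))
    dep.credit["BANKB"] = Decimal("200000.00")         # clearing bank extends a credit facility
    out["second_attempt"] = dep.settle(*pair)          # both checks pass: SETTLED
    out["final"] = (
        dep.securities[("ACME", "NZGOVT-2020")], dep.securities[("BANKB", "NZGOVT-2020")],
        str(dep.cash["ACME"]), str(dep.cash["BANKB"]),
    )
    try:
        dep.revoke(0)
        out["revoked"] = True
    except PermissionError:
        out["revoked"] = False
    return out


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

The first settlement attempt fails on the funds check and leaves every balance exactly as it was; only after the credit facility is recorded do both legs move, in a single step, and the result is logged with no reversing operation available.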
NZClear is a designated settlement system under part 5C of the Reserve Bank Act 1989. NZClear is jointly regulated by the Financial Markets Authority and the Prudential Supervision Department of the Reserve Bank of New Zealand. Designation provides statutory backing to the rules of the settlement system and provides additional legal certainty to settlements effected through those systems.[2]
The NZClear system is operated by the Reserve Bank. The Reserve Bank’s Financial Services Group
(“FSG”) is responsible for the administration of the operational aspects of the System. FSG is headed by
Mike Wolyncewicz, the Reserve Bank’s Chief Financial Officer, and day-to-day operational support is
provided by the Payment and Settlement Services Team within FSG that is managed by the Payments and
Settlement Services Manager, Nathan Lewer.
FSG reports on the operation of NZClear to Mr Geoff Bascand, Deputy Governor and Head of Operations.
The Reserve Bank’s Knowledge Services Group (“KSG”) supports the telecommunications network and related security features utilised by the System. Software support, software development and operational support services are provided by Datacom Systems (Wellington) Limited (“Datacom”). The Reserve Bank manages Datacom’s provision of services through a services contract and related service level agreement. The management process includes assessment of performance at monthly review meetings, monthly performance reports, review of problem management reports, a relationship governance committee and relevant project steering committees.
[2] Reserve Bank of New Zealand (Designated settlement system – NZClear) Order 2012.
All securities beneficially owned by members and lodged into the System are registered in the name of New
Zealand Central Securities Depository Limited (“NZCSD”), which is a wholly-owned subsidiary of the
Reserve Bank. NZCSD operates as a bare trustee and is the custodian for securities beneficially owned by
members of NZClear.
NZClear service
The Reserve Bank is the operator of the NZClear system. The Reserve Bank provides services to members of NZClear in accordance with the NZClear Rules (“the Rules”) dated 1 March 2012. The NZClear system allows members of that System to:
1. Hold their debt and equity securities in their securities accounts within the System, with the securities held for members at the relevant securities registries in the name of NZCSD, which has been appointed custodian trustee.
2. Record cash transactions in cash accounts which are provided to members by their relevant clearing bank.
3. Record in members’ securities accounts and cash accounts, the settlement of sales and purchases
of securities transactions and cash transfers in accordance with members’ instructions. The Rules
provide that once a transaction is settled, the settlement is irrevocable.
4. Give instructions to the Reserve Bank to deal with securities. This includes lodging securities into the
System, uplifting securities from the System and issuing instructions to effect corporate actions
relevant to the securities. Corporate actions include receiving interest and dividend revenue from
securities and the processing of a range of other entitlements associated with ownership of
securities, such as rights issues, bonus issues, takeover offers, dividend reinvestment plans, stock
conversions and other like events.
5. Use a function known as “FINEWISS” to create and issue fixed interest securities. Members who use
this service enter into a “FINEWISS Registry Agreement” with the Reserve Bank. Under that
arrangement, the Reserve Bank is the registrar for the relevant securities and uses the NZClear
system for that purpose, with NZCSD being the sole registered holder of those securities.
Members submit instructions to the System via electronic means, primarily through one or more of the dedicated telecommunications networks (the internet or the SWIFT system). In all cases the System has security features in place designed to ensure that access is authorised and instructions received are authenticated. In the case of corporate actions, processing involves giving instructions either through the NZClear system, or in the case of more complex events, through manual communications. SWIFT is a secure system through which authorised NZClear members communicate in real time and transmit messages including settlement instructions. The operation of NZClear includes elements of the administration of the SWIFT system which are the responsibility of the Reserve Bank. This includes servers on which the Reserve Bank’s interface to SWIFT resides, SWIFT system administration and security including allocation of user privileges to Reserve Bank staff, change control of elements of SWIFT software, administration of the SWIFT system so that authenticated SWIFT messages from authorised members are accepted for processing by NZClear, backing up data, business continuity readiness and problem management. In most other respects, reliance is placed on the SWIFT organisation itself for operation of that System.
The contractual relationships between all members, and between the Reserve Bank and all members, are
governed by the Rules.
The NZClear system produces a range of reports which are generated either on request or automatically. The main reports include those which list:
• securities held in the System (and registered in NZCSD’s name) for a member together with details of securities transactions posted to members’ securities account(s);
• details of cash transactions that have been posted to a member’s cash account with their clearing bank (the Participating ESAS Account Holder) which are recorded in the NZClear system;
• details of cash transactions for each clearing bank (the Participating ESAS Account Holder) which are recorded in the NZClear system in respect of each member; and
• the status of transactions during the transaction lifecycle.
During the year ended 30 June 2014 there have been no major upgrades to the functionality provided by the
NZClear system.
The Reserve Bank interacts with members in several ways. A regular newsletter is emailed to every
member, an annual report on the NZClear system is published, a User Advisory Committee is elected and
meets with Reserve Bank management four times each year, a user meeting is held every six months, a
customer survey is conducted every year and the results are reported back to the User Advisory Committee
and members, and Reserve Bank management will meet with individual members (and with clients of
members) from time to time.
Risk management
The internal controls of NZClear are audited each year by Chris Barber with the assistance of
PricewaterhouseCoopers (“PwC”), as required by the NZClear Rules, who act on behalf of the Reserve
Bank’s external auditor, the Auditor-General (“the Auditor”). The scope of this audit includes the controls
performed by the Reserve Bank’s third party independent service provider, Datacom. In addition, the
NZClear Rules require that the auditor will undertake a quarterly limited procedures review of key securities
reconciliations and report on their findings.
The annual report on NZClear controls and the limited procedures reviews of key reconciliations are
reviewed by the Reserve Bank’s Audit Committee, with external auditors, Reserve Bank governors and
management in attendance. NZClear is also subject to internal audit by the Reserve Bank’s Audit Services
division.
The main elements of risk management for NZClear entail:
• reconciliations are performed and reviewed daily;
• procedures and controls are adhered to;
• measures to manage operational risk, as described below; and
• business continuity plans are in place and tested regularly.
Managing operational risk in the Reserve Bank is seen as an integral part of day-to-day operations.
Operational risk management includes Bank-wide corporate policies that describe the standard of conduct
required of staff, a number of mandated requirements (e.g. a project management template), and specific
internal control systems designed around the particular characteristics of various Reserve Bank activities.
Operational risk management is supported by:
• an induction programme for new employees that makes them aware of the requirements;
• monthly reporting to joint regulators including attestations by Reserve Bank management that the conditions of designation for NZClear have been complied with;
• a quarterly management affirmation by the Chief Financial Officer that corporate policies and departmental internal control systems have been complied with;
• a proactive problem management process whereby problems and incidents are reported internally and also to the joint regulators and analysed for potential risk management improvements;
• periodic review of risks and internal controls; and
• an active internal audit function.
In addition to administering system controls the Reserve Bank commissions a third party to undertake
reviews of system security with a view to improving system security.
Information Technology activities outsourced to a service organisation
Within the Information Technology (“IT”) processes described above, specific responsibilities supporting
NZClear have been outsourced to a third-party IT service organisation, Datacom Systems (Wellington)
Limited (“Datacom”). The significant activities and controls undertaken by Datacom include:
Security:
• User administration of the operating system and database is performed by Datacom on approval by the client account manager of the Reserve Bank.
• Datacom manage a data centre in Auckland that houses the computer equipment on which the system operates. Environmental and physical security controls over this equipment are operated by Datacom. The Reserve Bank also houses computers in Wellington on which the system operates. Datacom are also responsible for ensuring they have appropriate technical personnel available to restore and move production between the Wellington and Auckland sites.
Change control:
• Development of software changes is performed by Datacom staff on the approval of a change elaboration document approved by the Reserve Bank.
• Initial testing of software changes is performed by Datacom before the Reserve Bank’s user testing and subsequent implementation.
• Implementation of software changes to the production system is performed by authorised Datacom staff when authorised by the Reserve Bank.
• A backup of the System and a back-out plan is prepared by Datacom before any implementation of program changes.
Operations:
• The Reserve Bank uses an online monitoring web-portal (Nagios) to ensure that the System is operating adequately and automated processes and controls have been completed successfully. For example, the portal monitors data backups, system usage and performance processing statistics.
• On a monthly basis, the controls and services performed by Datacom are required to be assessed and reported to the Reserve Bank. For example, Datacom reports that administrator accounts on the System have been accessed appropriately and relate to authorised work. A monthly meeting is also held between Datacom and the Reserve Bank to discuss management and operation of the System.
Members’ controls
The controls described in Section IV cover only a portion of the overall internal controls for each member. Achievement of each of the control objectives will also be dependent on members maintaining an effective control environment through implementing controls such as:
• Documented policies and procedures (including transaction processing procedures, risk management policies such as conditions and restrictions for System use, good password practices, software copyright restrictions and virus protection);
• Restricted access to operating systems, applications, databases and underlying records (including role-based security mechanisms);
• User administration management;
• Transaction processing, authorisation, monitoring and reporting mechanisms;
• Segregation of duties in transaction processing;
• Reconciliation of transactions and holdings;
• Physical security of system infrastructure;
• Provisions of data backup and restoration and other computer operations; and
• Business continuity planning.
This report expressly excludes consideration by the Reserve Bank, and the Auditor of the effectiveness of members’ own internal controls as distinct from internal control objectives and key controls of the NZClear system, which are the responsibility of the Reserve Bank.
Section IV
NZClear control objectives
A summary of the control objectives relevant to the NZClear System are listed below. Following these are
the specific key controls that are designed and implemented to achieve these stated control objectives.
Section 1 – Security
1. NZClear security management procedures and application controls are adequate.
2. The Bank’s internal and external network is adequately secured.
3. Access to system privileges within the underlying operating system is adequately secured.
4. NZClear functionality is only available to appropriate users at appropriate levels.
5. Access to the underlying database is adequately secured.
6. Adequate environmental and physical security controls are in place over computing equipment.
Section 2 – Member Detail Administration
1. Authorisation is obtained for all additions, changes and deletions to member details.
2. Additions, changes and deletions to member details are correctly input into the System.
Section 3 – Application Controls
1. All lodgements and uplifts from the various registries are processed completely, accurately and in a
timely manner.
2. Errors in performing lodgements and uplifts are identified and corrected in a timely manner.
3. NZClear holdings are complete and accurate.
4. Corporate actions are completely and accurately processed.
Section 4 – Change Control
1. Changes migrated into production are tested and approved.
2. Emergency changes migrated into production are appropriate and authorised.
Section 5 – Problem Management
1. Problems are identified and resolved in a timely manner.
Section 6 – Backup and Recovery
1. Adequate processes are in place for data recovery.
2. Timely recovery of business operations is possible.
3. System issues over NZClear system are identified and resolved in a timely manner.
Section 7 – SLA Monitoring
1. Third party service levels are monitored to ensure compliance with agreed contractual requirements.
Section 8 – Period End Processing
1. End of day processing is complete, accurate and timely.
Section V
Independent assurance report on the description of controls, their design and operating effectiveness
To the Governor, Reserve Bank of New Zealand
Scope
In accordance with the terms of our engagement letter dated 6 November 2013, we were engaged to
0
June 2014, and on the design and operation of controls related to the control objectives stated at
controls performed by an independent service provider, Datacom Systems (Wellington) Limited
specified in the description can be achieved only if complementary member controls contemplated in
related controls at the Reserve Bank. We have not evaluated the suitability of the design or operating
effectiveness of such member controls.
The Reserve Bank and Datacom are responsible for: preparing the description at Section III and
accompanying assertion at Section II, including the completeness, accuracy and method of
presentation of the description and assertion; providing the services covered by the description;
stating the control objectives in Section IV; and designing, implementing and effectively operating
controls to achieve the stated control objectives.
operation of controls related to the control objectives stated in that description, based on our
procedures. We conducted our engagement in accordance with International Standard on Assurance
by the External Reporting Board. That standard requires that we comply with relevant ethical
requirements and plan and perform our procedures to obtain reasonable assurance about whether, in
all material respects, the description is fairly presented and the controls are suitably designed and
operating effectively.
An assurance engagement to report on the description, design and operating effectiveness of controls
at a service organisation involves performing procedures to obtain evidence about the disclosures in
f its System, and the design and operating effectiveness of
controls. The procedures selected depend on our judgement, including the assessment of the risks that
the description is not fairly presented, and that controls are not suitably designed or operating
effectively. Our procedures included testing the operating effectiveness of those controls that we
consider necessary to provide reasonable assurance that the control objectives stated in the description
were achieved. An assurance engagement of this type also includes evaluating the overall presentation
of the description, the suitability of the objectives stated therein, and the suitability of the criteria
specified by the service organisation and described in Section II. Also, we did not evaluate the security
and controls over the electronic publication of this report.
PricewaterhouseCoopers, 113-119 The Terrace, PO Box 243, Wellington 6140, New Zealand
T: +64 4 462 7000, F: +64 4 462 7001, pwc.co.nz
We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our
opinion.
Limitations of controls at a service organisation
and their auditors and may not, therefore, include every aspect of the System that each individual
member may consider important in its own particular environment. In addition to this, because of
their nature, controls at a service organisation may not prevent or detect all errors or omissions in
processing or reporting transactions. Section III also indicates that certain control objectives specified
in the description can be achieved only if complementary member controls contemplated in the design
controls at the Reserve Bank. Further, the projection of any evaluation of effectiveness to future
periods is subject to the risk that controls at a service organisation may become inadequate or fail.
Opinion
Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in
assertion at Section II. In our opinion,
formi
together with the complementary member controls referred to in the scope paragraph of this report, in
all material respects:
(a) The description fairly presents the System as designed and implemented throughout the year
ended 30 June 2014.
(b) The controls related to the control objectives stated in the description were suitably designed
throughout the year ended 30 June 2014.
(c) The controls tested, which were those necessary to provide reasonable assurance that the control
objectives stated in the description were achieved, operated effectively throughout the year ended
30 June 2014.
Description of tests of controls
The specific controls tested and the nature, timing and results of those tests are listed in Section VII.
Intended users and purpose of the report
This report and the description of tests of controls in Sections IV and VII are intended only for
members who have used the NZClear system during the year ended 30 June 2014, and their auditors,
who have a sufficient understanding to consider it, along with other information including information
about controls operated by members themselves, when assessing the risks of material misstatements
rts/statements.
Our audit was completed on 28 July 2014. This is the date at which our opinion is expressed.
Chris Barber
On behalf of the Auditor-General
Wellington, New Zealand
PricewaterhouseCoopers
Section VI
Definition of testing terms
The following are definitions of the terms used in the testing of key controls.
1. Enquiry:
• Enquired of appropriate personnel.
• Conducted enquiries seeking relevant information or representations from personnel, performed to obtain, among other things:
  - Knowledge, additional information and affirmation regarding the control of procedures.
  - Corroborating evidence of the controls.
2. Inspection:
• Inspected documents and records indicating performance of the controls. This may include, among other things:
  - Inspection of reconciliations and management reports that age and/or quantify reconciling items to assess whether balances and reconciling items appear to be properly monitored, controlled and resolved on a timely basis, as required by the related control.
  - Examination of source documentation and authorisations related to selected transactions processed.
  - Examination of documents or records for evidence of performance, such as the existence of initials or signatures.
  - Inspection of the Reserve Bank’s systems documentation, such as operations manuals, flow charts and job descriptions.
3. Observation:
• Observed the application or existence of specific controls as represented.
4. Re-performance:
• Re-performed the control or processing application of the controls to check the accuracy of their operation. This may include, among other things:
  - Obtaining evidence of the arithmetical accuracy and correct processing of transactions by performing independent calculations.
  - Re-performing the matching of various system records by independently matching the same records and comparing reconciling items to reconciliations prepared by the Reserve Bank.
Section VII
Auditor’s tests of operating effectiveness of key controls
Section 1 – Security

Control Objective 1: NZClear security management procedures and application controls are adequate.

a) Key control: Procedures are in place for the creation and deletion of user accounts.
   PwC testing (Enquiry and Inspection): Confirmed with management that a user administration policy exists for the creation and addition of users. Inspected user listings to confirm new and terminated users processed during the period 1 July 2013 – 30 June 2014 were appropriately approved.
   Results: No exceptions noted.

b) Key control: Password parameters and login settings in the application are appropriate and comply with good practice.
   PwC testing (Inspection): Inspected password parameters on the NZClear application and noted that passwords complied with good practice.
   Results: No exceptions noted.

c) Key control: Administrator access in the application is appropriately restricted to users in line with business requirements.
   PwC testing (Inspection): Inspected a user access listing and confirmed administrator access was restricted to appropriate users based on their role and responsibilities.
   Results: No exceptions noted.

d) Key control: System education and training programs have been established and undertaken.
   PwC testing (Enquiry and Inspection): Confirmed with management that all new employees are involved in an induction process prior to using the System. Inspected the Reserve Bank’s security policies. Inspected security declaration signoffs for a sample of employees. Inspected a sample of quarterly management affirmations to confirm employees were aware and have complied with security policies.
   Results: No exceptions noted.
No exceptions noted.
Control Objective 2: The Reserve Bank’s internal and external network is adequately secured.

a) Key control: Members must agree and sign the NZClear rules to abide by the Reserve Bank’s network and access rules.
   PwC testing (Inspection): Inspected a sample of new members added during the period ensuring a copy of the Reserve Bank’s network and access rules had been signed.
   Results: No exceptions noted.

b) Key control: The Reserve Bank network topology is documented to ensure appropriate security mechanisms are in place.
   PwC testing (Inspection): Inspected the Reserve Bank network diagram to ensure appropriate security mechanisms are in place such as firewalls.
   Results: No exceptions noted.

c) Key control: Only Reserve Bank staff can configure the routers supplied to members.
   PwC testing (Observation and Inspection): Observed that access was restricted to authorised users through two factor authentication. Inspected the list of users who are able to configure the routers and assessed the appropriateness of access. Inspected router settings that limit configuration access to the Reserve Bank operations team.
   Results: No exceptions noted.

d) Key control: Annually, the Reserve Bank performs a network security review. Vulnerabilities are identified and reviewed by senior management.
   PwC testing (Enquiry and Inspection): Enquired with management that an independent third party was engaged to perform a network security review on behalf of the Reserve Bank. Inspected evidence of the review and reporting of key findings. Confirmed through inspection that identified vulnerabilities were reviewed by management.
   Results: No exceptions noted.

e) Key control: Network security is regularly reviewed.
   PwC testing (Inspection): For a sample of weeks, inspected evidence of weekly network security reviews identifying potential network vulnerabilities.
   Results: Exception noted. Evidence of scans was not accessible for periods prior to September 2013.
   Reserve Bank response: With a move to a new solution for scanning network security, this matter has now been resolved.
Control Objective 3: Access to system privileges within the underlying operating system is adequately secured.

a) Key control: Access to system privileges at the operating system level requires manager approval.
   PwC testing (Enquiry and Inspection): Confirmed with Datacom that all new users must be approved by a manager at Datacom or the Reserve Bank. Inspected a sample of approvals of new users added during the period.
   Results: No exceptions noted.

b) Key control: Password parameters and login settings at the operating system level are appropriate and comply with good practice.
   PwC testing (Inspection): Obtained and inspected the operating system password settings and noted that passwords complied with good practice.
   Results: No exceptions noted.

c) Key control: Administrative access to the operating system is appropriately restricted.
   PwC testing (Inspection): Inspected a listing of all administrator users and confirmed with management that their access was appropriate.
   Results: No exceptions noted.

d) Key control: Privileged access to the operating system is logged and reviewed.
   PwC testing (Inspection): Inspected a sample of monthly SLA reports that confirmed direct access to the operating system is logged and reviewed.
   Results: No exceptions noted.
Control Objective 4: NZClear functionality is only available to appropriate users at appropriate levels.

a) Key control: Administrator access in the application is appropriately restricted to users in line with business requirements.
   PwC testing (Inspection): Inspected a user access listing and confirmed administrator access was restricted to appropriate users based on their role and responsibilities.
   Results: No exceptions noted.

b) Key control: User accounts and access rights are reviewed regularly to ensure that these are appropriate.
   PwC testing (Inspection): Inspected a sample of the monthly user account reviews conducted over the user accounts and rights allocated.
   Results: No exceptions noted.
Control Objective 5: Access to the underlying database is adequately secured.

a) Key control: Access to system privileges at the database level requires manager approval.
   PwC testing (Enquiry and Inspection): Confirmed with Datacom that all new users must be approved by a manager at Datacom or the Reserve Bank. Inspected a sample of approvals of new users added during the period.
   Results: No exceptions noted.

b) Key control: Privileged user accounts at the database level are regularly reviewed for appropriateness.
   PwC testing (Inspection): Obtained and inspected a sample of user account reviews at the database level.
   Results: No exceptions noted.

c) Key control: Password parameters and login settings at the database level are appropriate.
   PwC testing (Inspection): Obtained and inspected the database password settings and noted that passwords complied with good practice.
   Results: No exceptions noted.

d) Key control: Privileged access to the database is logged and reviewed.
   PwC testing (Inspection): Inspected a sample of monthly SLA reports in which the third party vendor reports access over the database.
   Results: No exceptions noted.
Control Objective 6
Adequate environmental and physical security controls are in place over computing equipment.

a) Environmental and physical security controls are in place over computing equipment.
PwC Testing (Observation): Observed during a walkthrough of the Wellington and Auckland sites that:
 - Access to the premises and computing equipment is physically locked and not publicly accessible;
 - Electronic swipe cards are required to access the premises and computing equipment;
 - Environmental controls are in place in the server rooms, including:
   o air conditioning units;
   o raised floor;
   o dry pipe sprinkler system;
   o fire extinguisher;
   o fire alarms;
   o racks for all equipment;
   o UPS systems; and
   o backup generators.
Results: No exceptions noted.
Section 2 – Member Detail Administration

Control Objective 1
Authorisation is obtained for all additions, changes and deletions to member details.

a) New members are assessed for eligibility prior to being accepted as an NZClear member.
PwC Testing (Inspection): Inspected the new member addition procedures document. For a sample of new members added during the period, inspected evidence of assessment for eligibility prior to the member being accepted.
Results: No exceptions noted.

b) Approval for new members is required from the Manager of NZClear and Chief Financial Officer (CFO).
PwC Testing (Inspection): For a sample of new members added during the period, inspected evidence of sign-off by the Manager of NZClear and CFO.
Results: No exceptions noted.

c) If a change is to a member's clearing bank or account number, NZClear personnel will only act if the new clearing bank confirms it is acting for the member and, in the case of a new account number, a deposit slip is provided.
PwC Testing (Enquiry and Inspection): Inspected the amending current member procedures document. Confirmed with management that a change in the bank account must be confirmed with the new clearing bank and, in the case of a new account number, confirmed to a deposit slip. For a sample of bank account changes, inspected that the confirmation letter was received from the clearing bank.
Results: No exceptions noted.

d) A request for deletion must be authorised by the member.
PwC Testing (Inspection): Inspected the deleting existing member procedures document. For a sample of deletions during the period, inspected evidence of authorisation by the member before deletion.
Results: No exceptions noted.

e) All changes to member details are subject to a peer review process.
PwC Testing (Enquiry and Inspection): Inspected the amending current member procedures document. Confirmed with management that all changes to member details must be peer reviewed. For a sample of changes to member details, inspected the documentation to ensure they had been peer reviewed.
Results: No exceptions noted.
Control Objective 2
Additions, changes and deletions to member details are correctly input into the System.

a) A documentation checklist is completed to confirm that all of the required forms have been received for new members.
PwC Testing (Inspection): For a sample of new members added during the period, inspected the documentation checklists to ensure that all required forms had been received and peer reviewed.
Results: No exceptions noted.

b) All changes to member details are subject to a peer review process.
PwC Testing (Enquiry and Inspection): Inspected the amending current member procedures document. Confirmed with management that all changes to member details must be peer reviewed. For a sample of changes to member details, inspected the documentation to ensure they had been peer reviewed.
Results: No exceptions noted.

c) If a change is to a member's clearing bank or account number, NZClear personnel will only act if the new clearing bank confirms it is acting for the member and, in the case of a new account number, a deposit slip is provided.
PwC Testing (Enquiry and Inspection): Inspected the amending current member procedures document. Confirmed with management that a change in the bank account must be confirmed with the new clearing bank and, in the case of a new account number, confirmed to a deposit slip. For a sample of bank account changes, inspected that the confirmation letter was received from the clearing bank.
Results: No exceptions noted.
Section 3 – Application controls

Control Objective 1
All lodgements and uplifts from the various registries are processed completely, accurately and in a timely manner.

a) Processes and procedures are documented and current.
PwC Testing (Inspection): Inspected the lodges and uplifts procedure documentation for both manual and automated processes. Noted that each procedure covered the relevant steps to complete a lodge or uplift.
Results: No exceptions noted.

b) Lodges and uplifts completed manually are independently reviewed.
PwC Testing (Inspection): For a sample of lodges and uplifts completed manually, inspected evidence of independent review and sign-off.
Results: No exceptions noted.

c) Where the lodge or uplift is performed automatically, the System accurately and completely settles the lodge or uplift at the registry.
PwC Testing (Observation): For a sample of lodges and uplifts processed automatically, traced the completion of each lodge and uplift to the registry to ensure that it had settled correctly.
Results: No exceptions noted.

d) Rejections of lodges and uplifts via the Registry Interface and NZX Interface are reported to the NZClear operator.
PwC Testing (Observation): Observed onscreen the tracking of lodges and uplifts and noted that any lodges and uplifts that had failed were highlighted to the NZClear operator.
Results: No exceptions noted.
Control Objective 2
Errors in performing lodgements and uplifts are identified and corrected in a timely manner.

a) Lodges and uplifts completed manually are independently reviewed.
PwC Testing (Inspection): For a sample of lodges and uplifts completed manually, inspected evidence of independent review and sign-off.
Results: No exceptions noted.

b) Regular reconciliations are prepared reconciling the number of securities in the NZClear system and those held in various registries under the name of NZCSD. These are peer reviewed with discrepancies followed up immediately.
PwC Testing (Inspection): For a sample of reconciliations, inspected evidence that registry holdings were reconciled to NZClear. Inspected evidence of peer review and discrepancy resolution.
Results: Exception noted. For one sampled reconciliation, evidence of independent peer review was not available. This reconciliation was reviewed as a part of the weekly reconciliation reports.
Reserve Bank Response: All staff have been reminded of the second level check requirement and further emphasis placed on weekly assessment to identify any failings in the daily reconciliations process.

c) Reports on reconciliations are reviewed by senior management on a weekly basis to review completion and nature of any occurring problems.
PwC Testing (Inspection): For a sample of weeks, inspected evidence of sign-off by management to confirm that they had reviewed and confirmed that the reports on reconciliations had been prepared and problems followed up.
Results: No exceptions noted.
Control Objective 3
NZClear holdings are complete and accurate.

a) Regular reconciliations are prepared reconciling the number of securities in the NZClear system and those held in various registries under the name of NZCSD. These are peer reviewed with discrepancies followed up immediately.
PwC Testing (Inspection): For a sample of reconciliations, inspected evidence that registry holdings were reconciled to NZClear. Inspected evidence of peer review and discrepancy resolution.
Results: Exception noted. For one sampled reconciliation, evidence of independent peer review was not available. This reconciliation was reviewed as a part of the weekly reconciliation reports.
Reserve Bank Response: All staff have been reminded of the second level check requirement and further emphasis placed on weekly assessment to identify any failings in the daily reconciliations process.

b) Reports on reconciliations are reviewed by senior management on a weekly basis to review completion and nature of any occurring problems.
PwC Testing (Inspection): For a sample of weeks, inspected evidence of sign-off by management to confirm that they had reviewed and confirmed that the reports on reconciliations had been prepared and issues resolved.
Results: No exceptions noted.
Control Objective 4
Corporate actions are completely and accurately processed.

a) Processes and procedures are documented and current.
PwC Testing (Inspection): Inspected the corporate actions procedure documentation. Noted that each procedure covered the relevant steps to complete each type of corporate action event.
Results: No exceptions noted.

b) A check-sheet is completed for every corporate action and peer reviewed independently.
PwC Testing (Inspection): For a sample of corporate actions, inspected evidence that a check-sheet was completed and an independent peer review performed.
Results: No exceptions noted.

c) A second person is responsible for checking the diary of actions.
PwC Testing (Enquiry and Inspection): Confirmed with management that at least two people are responsible for updating the corporate action diary in the corporate actions checklist. For a sample of weeks, inspected evidence of sign-off by management to confirm that they had reviewed and confirmed that the diary of actions had been reviewed by two people.
Results: No exceptions noted.
Section 4 – Change Control

Control Objective 1
Changes migrated into production are tested and approved.

a) Documented change control procedures are in place that require authorisation by multiple persons for all changes.
PwC Testing (Inspection): Inspected the documented change control procedures and workflows. Confirmed with management that these are current.
Results: No exceptions noted.

b) A central database is in place to record all change requests.
PwC Testing (Enquiry and Observation): Enquired of management to confirm that all changes are logged within a central application. Observed the central application and noted the change details were logged in the application.
Results: No exceptions noted.

c) Separate development, test and production environments are used.
PwC Testing (Inspection): Inspected evidence to confirm that separate development, test and production environments exist.
Results: No exceptions noted.

d) Appropriate segregation of duties exists throughout the change management process.
PwC Testing (Inspection): For a sample of changes released, inspected evidence that there were multiple staff members involved in each stage of the process, including development, testing and authorisations. For a sample of months, inspected evidence confirming that deployments to the production environment were monitored.
Results: No exceptions noted.

e) Changes are authorised prior to development.
PwC Testing (Inspection): For a sample of changes released during the period, obtained evidence of authorisation prior to the change being developed.
Results: No exceptions noted.

f) Changes cannot be released into production unless they are tested.
PwC Testing (Inspection): For a sample of changes released during the period, obtained evidence of testing prior to the change being implemented.
Results: No exceptions noted.

g) Changes cannot be released into production unless they have been authorised by the required personnel.
PwC Testing (Inspection): For a sample of changes released during the period, obtained evidence of authorisation prior to the change being implemented.
Results: No exceptions noted.

h) Third party vendors are monitored to ensure they have appropriate controls in place, and that the procedures are followed to develop, test, review and implement changes.
PwC Testing (Inspection): Inspected the Service Level Agreement and noted that service offerings by Datacom are adequately addressed. Confirmed that Change Management is supported by Datacom. For a sample of months, inspected the monthly reports provided by Datacom to the Reserve Bank, which report on KPIs and Datacom's obligations, including Change Management procedures. For a sample of months, inspected the minutes from meetings held between the Reserve Bank and Datacom.
Results: No exceptions noted.

i) Back-out plans are prepared for all changes prior to migration where appropriate.
PwC Testing (Inspection): For a sample of changes released during the period, inspected evidence that back-out plans had been prepared.
Results: No exceptions noted.
Control Objective 2
Emergency changes migrated into production are appropriate and authorised.

a) Emergency changes are authorised before implementation.
PwC Testing (Inspection): For a sample of emergency changes released during the period, obtained evidence of approval by senior NZClear team members prior to implementation.
Results: No exceptions noted.

b) First Aid (a defined user account for the migration of emergency changes) log is authorised and documented for all emergency changes.
PwC Testing (Inspection): For a sample of emergency changes released during the period, reviewed the authorisation and documentation for the use of the First Aid account and the emergency change. Inspected the Change log to confirm that all emergency changes were promoted as a First Aid change.
Results: No exceptions noted.

c) Third party vendors are monitored to ensure they have appropriate controls in place, and that the procedures are followed to develop, test, review and implement changes.
PwC Testing (Inspection): Inspected the Service Level Agreement and noted that service offerings by Datacom are adequately addressed. Confirmed that Change Management is supported by Datacom. For a sample of months, inspected the monthly reports provided by Datacom to the Reserve Bank, which report on KPIs and Datacom's obligations, including Change Management procedures. For a sample of months, inspected the minutes from meetings held between the Reserve Bank and Datacom.
Results: No exceptions noted.
Section 5 – Problem Management

Control Objective 1
Problems are identified and resolved in a timely manner.

a) Proactive Problem Management (PPM) processes and procedures are documented.
PwC Testing (Inspection): Inspected the PPM policy document and noted that it covered the process for logging and resolving a PPM.
Results: No exceptions noted.

b) A PPM form is completed for each problem encountered, outlining a description of the problem, consequences of the problem, cause of the problem and the actions taken to remedy the problem.
PwC Testing (Inspection): Inspected a sample of PPMs raised in the period related to NZClear and verified that each was completed in detail, including a description, consequences, cause and actions taken to remedy the problem. Reviewed the PPM register and the NZClear operational issues log to confirm that problems and issues logged from 1 July 2013 to 30 June 2014 had not impacted the control objectives under review.
Results: No exceptions noted.

c) All PPMs are subject to review by the Chief Financial Officer.
PwC Testing (Inspection): Inspected a sample of PPMs raised in the period, obtained the PPM form and confirmed that all sampled PPMs were signed off by the CFO and forwarded to a Governor when relevant.
Results: No exceptions noted.
Section 6 – Backup & Recovery

Control Objective 1
Adequate processes are in place for data recovery.

a) Data backup and restore procedures are in place.
PwC Testing (Enquiry and Inspection): Confirmed with management that system backup and operator restore procedures are in place. Inspected the backup and restore procedures, confirming they are current.
Results: No exceptions noted.

b) Daily backups are scheduled to occur automatically.
PwC Testing (Inspection): Inspected the web portal used for the monitoring of backups to confirm that the portal is configured for backups to occur multiple times per week. Confirmed that an automatic alert is raised when a backup related incident occurs. Inspected a sample of backup related incidents that have been reported to the service desk to confirm that they had been investigated and resolved.
Results: No exceptions noted.

c) Regular tests of data restoration are undertaken.
PwC Testing (Inspection): For a sample of months, inspected evidence to confirm that data restorations had been completed.
Results: No exceptions noted.
Control Objective 2
Timely recovery of business operations is possible.

a) An up-to-date business continuity plan is in place.
PwC Testing (Inspection): Inspected the Business Continuity plan, last updated in May 2014, confirming that it was relevant and current.
Results: No exceptions noted.

b) Technically trained persons are available for restoration of Systems.
PwC Testing (Enquiry and Inspection): Confirmed with management and Datacom that operational staff at the Reserve Bank and at Datacom have sufficient training to conduct System restores. Inspected evidence to confirm that a switchover process had occurred during the period, which alternates processing between the Auckland and Wellington sites.
Results: No exceptions noted.

c) Redundant equipment (including a fully operational alternative site) is available for restoration purposes.
PwC Testing (Enquiry and Inspection): Confirmed with management that there are two identical sites, in Auckland and Wellington, to support NZClear operations. Inspected evidence to confirm that a switchover process had occurred during the period, which alternates processing between the Auckland and Wellington sites.
Results: No exceptions noted.

d) UPS for all critical systems are maintained and tested on a regular basis.
PwC Testing (Observation and Inspection): During a walkthrough of the Auckland and Wellington server rooms, observed that UPS facilities are available. Obtained and inspected a sample of UPS test reports performed during the period.
Results: No exceptions noted.

e) Backup power generators are available and tested on a regular basis.
PwC Testing (Inspection): Obtained and inspected a sample of evidence of the backup power generators being tested during the period.
Results: No exceptions noted.
Control Objective 3
System issues over the NZClear system are identified and resolved in a timely manner.

a) A data centre monitoring system, via a web portal, is used to monitor automated processes and generates alerts on a priority basis for issues relating to filesystem usage, disk space, backups, batch processes and other key metrics. Failures are identified and managed to resolution.
PwC Testing (Observation and Inspection): Inspected the web portal used for monitoring key metrics to confirm that an automatic alert is raised when an incident occurs. Inspected a sample of identified failures to ensure that they had been investigated and resolved. Inspected a sample of months for evidence confirming the Reserve Bank had received all system related failures that had occurred as part of the monthly Services Agreement reporting process.
Results: No exceptions noted.

b) Automatic alerts are paged to support personnel when the System self-diagnoses unexpected conditions.
PwC Testing (Enquiry and Observation): Confirmed with management that alerts are generated for unexpected conditions. Observed an example of an alert sent to the Operations team email account. Inspected the alert settings on the system showing the conditions being monitored and alerts being sent.
Results: No exceptions noted.
Section 7 – SLA Monitoring

Control Objective 1
Third party service levels are monitored to ensure compliance with agreed contractual requirements.

a) A service agreement is in place between third parties and the Reserve Bank for the management of the NZClear environment.
PwC Testing (Enquiry and Inspection): Confirmed with management that a service agreement is in place with Datacom. Obtained and inspected the agreement and noted that service offerings by Datacom are adequately addressed.
Results: No exceptions noted.

b) A monthly meeting is held between the Reserve Bank and third parties to discuss any issues with the environment and ensure compliance with contractual requirements.
PwC Testing (Inspection): For a sample of months, inspected the minutes from meetings held between the Reserve Bank and Datacom.
Results: No exceptions noted.

c) Third party reports are prepared detailing any issues during the month and reporting against KPIs as detailed in the service agreement.
PwC Testing (Inspection): For a sample of months, inspected the monthly reports provided by Datacom to the Reserve Bank, which report on KPIs and Datacom's obligations, and inspected for reporting on the obligations per the service agreement.
Results: No exceptions noted.
Section 8 – Period End Processing

Control Objective 1
End of day processing is complete, accurate and timely.

a) The nightly close reports list the automated processes that have run and whether each process has completed successfully. Failures are identified and managed to resolution.
PwC Testing (Inspection): For the period 1 July 2013 to 28 March 2014, inspected the nightly close reports and confirmed that the automated processes are identified in the report. For the period 1 July 2013 to 28 March 2014, inspected for a sample of days the Operations Checklist that checks the nightly close reports to confirm the automated processes have been completed successfully. Where a failure was identified, confirmed that appropriate resolution/escalation procedures were followed through follow-up narrations on the nightly close reports. Confirmed that subsequent to 28 March 2014, a new system for system monitoring was implemented, as validated within control procedure (c).
Results: No exceptions noted.

b) Operations Checklists are used to monitor processing.
PwC Testing (Inspection): For the period 1 July 2013 to 28 March 2014, for a sample of days inspected the Operations Checklist to ensure that all operational activities were performed. Confirmed that the Checklist was reviewed for any failures and that resolution actions taken were appropriate. Confirmed that subsequent to 28 March 2014, a new system for system monitoring was implemented, as validated within control procedure (c).
Results: No exceptions noted.

c) A data centre monitoring system, via a web portal, is used to monitor automated processes and generates alerts on a priority basis for issues relating to filesystem usage, disk space, backups, batch processes and other key metrics. Failures are identified and managed to resolution.
PwC Testing (Observation and Inspection): Inspected the web portal used for monitoring key metrics to confirm that an automatic alert is raised when an incident occurs. Inspected a sample of identified failures to ensure that they had been investigated and resolved. Inspected a sample of months for evidence confirming the Reserve Bank had received all system related failures that had occurred as part of the monthly Services Agreement reporting process.
Results: No exceptions noted.