Report on controls over the Exchange Settlement Account System
For year ended 30 June 2013
Reserve Bank of New Zealand
Table of Contents

Section I – Purpose, scope and use of this report
Section II – Report by management
Section III – Description of the Exchange Settlement Account System
Section IV – Exchange Settlement Account System control objectives
Section V – Independent assurance report
Section VI – Definition of testing terms
Section VII – Auditor’s tests of operating effectiveness of key controls
Section I
Purpose, scope and use of this report

This report is designed to provide information to be used for financial reporting purposes by Exchange Settlement Account System (“ESAS”) accountholders and their independent auditors in respect of the year ended 30 June 2013.

This report is prepared pursuant to clause 14.2 (d) of the ESAS Terms and Conditions which requires that an external audit of ESAS (also referred to as the “System”) be undertaken annually. Schedule D of the ESAS Terms and Conditions requires that the Audit Report shall describe:
(a) system risks identified in discussion with the Reserve Bank of New Zealand (the “Reserve Bank”);
(b) control objectives established by the Reserve Bank to mitigate the System risks; and
(c) policies and procedures developed to achieve the determined control objectives.

The report has been prepared in compliance with the requirements of the International Standard on Assurance Engagements (New Zealand) 3402 “Assurance Reports on Controls at a Service Organisation” issued by the External Reporting Board. This report comprises:
- a report by management which describes the services provided by the Reserve Bank, operator of ESAS, including information on key internal controls for that System;
- an assurance report by PricewaterhouseCoopers (“PwC”), on behalf of the Auditor-General (the “Auditor”); and
- details of the controls supporting each control objective, as well as the related tests performed by the Auditor and the results of that testing.

The scope of this report is limited to controls which apply to the operation of ESAS by the Reserve Bank for the use of ESAS by accountholders pursuant to the ESAS Terms and Conditions. This report is strictly confidential. It is intended for use by the Reserve Bank, ESAS accountholders and their independent auditors. Unauthorised use of this report in whole or part is strictly prohibited.
Section II
Report by management

We are responsible for describing the ESAS system and ensuring that the description fairly presents the System as designed and implemented. We are also responsible for ensuring that the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period.

The accompanying description of the Reserve Bank of New Zealand’s (the “Reserve Bank”) ESAS system has been prepared for user entities of the ESAS system and their auditors. Users of this report are expected to have a sufficient understanding to consider the description, along with other information, including information about controls operated by the user entities of the System, in order to assess the risks of material misstatements in financial statements prepared by the user entities. We confirm, to the best of our knowledge and belief, that:

a. the accompanying description fairly presents the Reserve Bank’s ESAS system for processing user accountholders’ transactions throughout the year ended 30 June 2013. The criteria used in making this assertion were that the accompanying description:
   i. presents how the System was designed and implemented, including:
      (1) the types of services provided including, as appropriate, classes of transactions processed;
      (2) the procedures, within both information technology and manual systems, by which those transactions were initiated, recorded, processed, corrected as necessary, and transferred to the reports prepared for user entities of the System;
      (3) the related accounting records, supporting information, and specific accounts that were used to initiate, record, process, and report transactions; this includes the correction of incorrect information and how information was transferred to the reports prepared for user entities of the System;
      (4) how the System dealt with significant events and conditions, other than transactions;
      (5) the process used to prepare reports to user entities of the System;
      (6) relevant control objectives and controls designed to achieve those objectives;
      (7) controls that we assumed, in the design of the System, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by the Reserve Bank alone; and
      (8) other aspects of the Reserve Bank’s control environment, risk assessment process, information system (including the related business processes) and communication, control activities, and monitoring controls that were relevant to processing and reporting transactions of user entities of the System.
   ii. the description includes relevant details of changes to the Reserve Bank’s ESAS system during the year ended 30 June 2013.
   iii. the description does not omit or distort information relevant to the scope of the System being described, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the System and their auditors, and may not, therefore, include every aspect of the System that each individual user entity of the System and its auditor may consider important in its own particular environment.

b. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the year ended 30 June 2013. The criteria used in making this assertion were that:
   i. the risks that threatened the achievement of the control objectives stated in the description were identified;
   ii. the controls identified in the description would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved; and
   iii. the controls were consistently applied as designed, including that manual controls were applied by individuals who have the appropriate competence and authority, throughout the year ended 30 June 2013.

Mike Wolyncewicz, Chief Financial Officer
Nathan Lewer, Manager, Payments and Settlement Services
31 July 2013
Section III
Description of the Reserve Bank’s ESAS System

Background on ESAS

ESAS is New Zealand’s principal high-value payments system which is used to settle payment instructions between accountholders. Accountholders largely comprise financial institutions, and each accountholder has an exchange settlement account with the Reserve Bank. The Reserve Bank is also an accountholder. The System is charged with providing an efficient and safe process for the real time electronic settlement of payments between accountholders.

The Reserve Bank has provided ESAS as a real-time gross settlement system since 1998. Accountholders electronically submit instructions to debit an account and credit another account using an authorised electronic submitting mechanism. Authorised submitting mechanisms include closed user groups which utilise the SWIFT electronic messaging system, the NZClear system and direct entry of transaction details to ESAS. The System is available for use by accountholders for 23.5 hours each business day. Each business day commences at 9.00am on a working day and ends at 8.30am the following working day.

A payment will be settled (i.e. funds are transferred from one ESAS accountholder’s exchange settlement account to another ESAS accountholder’s exchange settlement account) once a transaction instruction is authenticated, the payment instruction is authorised by the payor and the payor has sufficient funds in their exchange settlement account to effect the transaction. Once a transaction is settled it cannot be revoked. Generally, each transaction is settled individually rather than in batches. The ESAS system allows for two or more payment instructions to be settled simultaneously, and where that occurs the ESAS Terms and Conditions stipulate that each such payment instruction is settled gross and there is no netting of payment instructions. The Reserve Bank has issued a notice to accountholders pursuant to the ESAS Terms and Conditions which stipulates the order and method by which payment instructions are to be tested to determine whether the relevant accountholder(s) have sufficient funds available to settle one or more payment instructions. The Reserve Bank determines the minimum balance that each accountholder must maintain in their exchange settlement account and the interest rate(s), if any, paid on end of day balances.
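The settlement rules in the paragraph above (authentication, payor authorisation, a sufficient-funds test against the account minimum, gross settlement of simultaneous instructions with no netting, and irrevocability once settled) can be made concrete in a small model. The following is an added example and not the Reserve Bank’s or Datacom’s ESAS code; the account names, balances, the HMAC-based authentication scheme and the instruction format are assumptions made for illustration.

```python
"""
Toy real-time gross settlement engine.  Constructed example, not ESAS code:
account names, balances, keys and the instruction format are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    ref: str               # constructed reference, e.g. "T1"
    payor: str             # account to debit
    payee: str             # account to credit
    amount: int            # whole currency units (constructed sample values)
    payor_authorised: bool # has the payor authorised this instruction?
    mac: str               # hex HMAC-SHA256 over the fields (assumed scheme)


def sign(key: bytes, ref: str, payor: str, payee: str, amount: int) -> str:
    """Assumed authentication scheme: HMAC-SHA256 keyed with the payor's secret."""
    msg = f"{ref}|{payor}|{payee}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IrrevocableError(Exception):
    """Raised on any attempt to revoke a settled instruction."""


class RTGS:
    def __init__(self, balances, minimum_balances, payor_keys):
        self.balances = dict(balances)
        self.minimum = dict(minimum_balances)   # operator-set minimum per account
        self.keys = dict(payor_keys)
        self.ledger = []                         # append-only record of settled legs

    def authenticate(self, ins: Instruction) -> bool:
        if ins.payor not in self.keys:
            return False
        expected = sign(self.keys[ins.payor], ins.ref, ins.payor, ins.payee, ins.amount)
        return hmac.compare_digest(expected, ins.mac)

    def settle(self, *group: Instruction):
        """Settle one instruction, or a group presented for simultaneous settlement.

        Returns ("settled", [refs]) or ("rejected", ref_or_account, reason).
        The group is atomic: either every instruction settles or none does, and
        no balance changes on rejection.
        """
        # 1. Authentication and payor authorisation, checked per instruction.
        for ins in group:
            if not self.authenticate(ins):
                return ("rejected", ins.ref, "authentication failed")
            if not ins.payor_authorised:
                return ("rejected", ins.ref, "not authorised by payor")
            if ins.amount <= 0 or ins.payee not in self.balances:
                return ("rejected", ins.ref, "invalid instruction")
        # 2. Sufficient-funds test, gross: every debit counts in full and credits
        #    arriving from the same group are NOT offset against it (no netting).
        debits = {}
        for ins in group:
            debits[ins.payor] = debits.get(ins.payor, 0) + ins.amount
        for payor, total in debits.items():
            if self.balances[payor] - total < self.minimum.get(payor, 0):
                return ("rejected", payor, "insufficient funds")
        # 3. All tests passed: post every leg.  From here on nothing is undone.
        for ins in group:
            self.balances[ins.payor] -= ins.amount
            self.balances[ins.payee] += ins.amount
            self.ledger.append(ins)
        return ("settled", [ins.ref for ins in group])

    def revoke(self, ref: str):
        raise IrrevocableError(f"{ref}: settled instructions cannot be revoked")


def demo():
    """Constructed walk-through: a good instruction, a tampered one, and a
    simultaneous pair that netting would allow but gross settlement rejects."""
    keys = {"ALPHA": b"alpha-secret", "BETA": b"beta-secret"}        # constructed
    eng = RTGS({"ALPHA": 1000, "BETA": 50}, {"ALPHA": 0, "BETA": 0}, keys)
    t1 = Instruction("T1", "ALPHA", "BETA", 100, True,
                     sign(keys["ALPHA"], "T1", "ALPHA", "BETA", 100))
    r1 = eng.settle(t1)                      # settled: ALPHA 900, BETA 150
    tampered = Instruction("T2", "ALPHA", "BETA", 900, True,
                           sign(keys["ALPHA"], "T2", "ALPHA", "BETA", 9))
    r2 = eng.settle(tampered)                # rejected: MAC covers amount 9, not 900
    t3 = Instruction("T3", "ALPHA", "BETA", 100, True,
                     sign(keys["ALPHA"], "T3", "ALPHA", "BETA", 100))
    t4 = Instruction("T4", "BETA", "ALPHA", 200, True,
                     sign(keys["BETA"], "T4", "BETA", "ALPHA", 200))
    r3 = eng.settle(t3, t4)                  # rejected: BETA holds 150, owes 200 gross
    try:
        eng.revoke("T1")
        revoked = True
    except IrrevocableError:
        revoked = False
    return r1, r2, r3, dict(eng.balances), revoked


if __name__ == "__main__":
    print(demo())
```

The point of the simultaneous pair is the "no netting" rule: under netting BETA would owe ALPHA only 100 and the pair would settle, but under gross settlement each instruction is tested on its own, so BETA's 150 balance cannot cover a 200 debit and neither leg is posted.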
The ESAS system is operated by the Reserve Bank. The Reserve Bank’s Financial Services Group (“FSG”) is responsible for the administration of the operational aspects of the System. FSG is headed by Mike Wolyncewicz, the Reserve Bank’s Chief Financial Officer, and day-to-day business support is provided by the Payment and Settlement Services Team within FSG that is managed by the Manager of Payments and Settlement Services, Nathan Lewer. FSG reports on the operation of ESAS to Mr. Geoff Bascand¹, Deputy Governor and Head of Operations. The Reserve Bank’s Knowledge Services Group (“KSG”) supports the telecommunications network and related security features utilised by the System. Software support, software development and operational support services are provided by Datacom Systems (Wellington) Limited (“Datacom”).

ESAS is a designated settlement system under Part 5C of the Reserve Bank Act 1989. The regulator is the Prudential Supervision Department of the Reserve Bank.
Exchange Settlement Account Operations

The Reserve Bank is the operator of the ESAS system. The Reserve Bank provides services to ESAS Accountholders in accordance with the ESAS Terms and Conditions. The ESAS system allows:
1. Accountholders to give instructions for amounts to be transferred between exchange settlement accounts. The Rules provide that once a transaction is settled, the settlement is irrevocable.
2. Accountholders with requisite repurchase facilities with the Reserve Bank, to raise funds which are credited to their account using the Reserve Bank’s Overnight Reverse Repurchase Facility (“ORRF”). This facility allows certain accountholders to sell eligible securities to the Reserve Bank under a repurchase agreement on specified terms. The required transfers of securities are effected in the NZClear system and payment for the securities is effected in ESAS.
3. Accountholders to earn interest on end of day balances, in accordance with terms specified by the Reserve Bank.
4. Accountholders to interrogate the ESAS system in order to report exchange settlement account balances and the status of transactions.
5. Accountholders to allocate systems access rights to their own staff in respect of the accountholder’s own exchange settlement account.

ESAS accountholders submit instructions to the System via electronic means, primarily via one or more of the dedicated telecommunications networks, via the internet or via the SWIFT system. In all cases the System has security features in place designed to ensure that access is authorised and instructions received are authenticated.

There are three primary interfaces or “Accountholder Submitting Systems” which are used by ESAS Accountholders to submit payment instructions to ESAS:
- directly from the NZClear system;
- via the SWIFT system where members of the Assured Value Payment (“AVP”) closed user group use ESAS to pay other members of that closed user group. The Reserve Bank is the administrator of the AVP closed user group;
- via the SWIFT system where members of the Settlement Before Interchange (“SBI”) closed user group use ESAS to pay other members of that closed user group. Payments NZ Limited is the administrator of the SBI closed user group. Once an SBI settlement has been effected in ESAS, a confirmation is sent to SWIFT which then allows an associated interchange file containing underlying payment details to be released to the destination bank.

¹ Mr. Bascand was appointed to the role of Deputy Governor and Head of Operations with effect from 27 May 2013.

SWIFT is a secure system through which members of that System communicate in real time and transmit messages including payment instructions. The operation of ESAS includes elements of the administration of the SWIFT system which are the responsibility of the Reserve Bank. This includes servers on which the Reserve Bank’s interface to SWIFT resides, administration and security including allocation of user privileges to Reserve Bank staff, change control of elements of SWIFT software, administration of the SWIFT AVP closed user group including administration of accountholders’ access to the closed user group, backing up data, business continuity and problem management. In most other respects, reliance is placed on the SWIFT organisation itself for operation of SWIFT. As noted earlier, software support, software development and operational support services for ESAS are provided to the Reserve Bank by Datacom. The Reserve Bank manages Datacom’s provision of services through a services contract and related service level agreement. The management process includes assessment of performance at monthly review meetings, monthly performance reports, review of problem management reports and relevant project steering committees.

The ESAS system resides on the same computer equipment as the NZClear system, and NZClear and ESAS share common computer code and are accessed via the same network, internet and SWIFT channels. As a result, the internal controls for NZClear are substantially the same as those for ESAS.

The contractual relationships between the Reserve Bank and all accountholders are governed by the ESAS Terms and Conditions.

The ESAS system produces a range of reports which are generated either on request or automatically. The main reports include:
- Statements showing account balances and details of settled transactions.
- On-line reports showing the status of transactions during the transaction lifecycle and the balance of the accountholder’s exchange settlement account.
During the year ended 30 June 2013 there have been no major functional changes to the ESAS system. On 23 July 2012, the Reserve Bank implemented a major hardware upgrade replacing the computers used by the ESAS and NZClear systems and adding additional computers to the environment. There are two computers in each of Wellington and Auckland on which the ESAS and NZClear applications operate.

Risk management

The internal controls of the ESAS system are audited each year by PricewaterhouseCoopers (“PwC”), as required by the ESAS Terms and Conditions. PwC act on behalf of the Reserve Bank’s external auditor, the Auditor-General. The scope of this audit includes the controls performed by the Reserve Bank’s third party independent service provider, Datacom. The Auditor’s annual assurance report is addressed to the Governor of the Reserve Bank and is reviewed by the Reserve Bank’s Audit Committee, with external auditors, Reserve Bank governors and management in attendance. A copy of the assurance report is sent to accountholders.

The main elements of risk management for the System entail:
- ensuring that procedures and controls are adhered to;
- measures to manage operational risk, as described below;
- business continuity plans that are in place and tested regularly; and
- information on transactions and balances being provided to accountholders without human intervention.

Managing operational risk in the Reserve Bank is seen as an integral part of day-to-day operations. Operational risk management includes Bank-wide corporate policies that describe the standard of conduct required of staff, a number of mandated requirements (e.g. a project management template), and specific internal control systems designed around the particular characteristics of various Reserve Bank activities. Operational risk management is supported by:
- an induction programme for new employees that makes them aware of the requirements;
- a quarterly management affirmation by the Chief Financial Officer that corporate policies and departmental internal control systems have been complied with;
- a proactive problem management process whereby problems and incidents are reported and analysed for potential risk management improvements;
- periodic review of risks and internal controls; and
- an active internal audit function.

In addition to administering system controls, the Reserve Bank commissions a third party to undertake reviews of system security with a view to improving system security.
Information Technology activities outsourced to a service organisation

Within the Information Technology (“IT”) processes described above, specific responsibilities supporting ESAS have been outsourced to a third-party IT service organisation, Datacom Systems (Wellington) Limited (“Datacom”). The significant activities and controls undertaken by Datacom include:

Security:
- User administration of the operating system and database is performed by Datacom on approval by the client account manager of the Bank.
- Datacom manage a data centre in Auckland that houses the computer equipment on which the system operates. Environmental and physical security controls over this equipment are operated by Datacom. The Reserve Bank also houses computers in Wellington on which the system operates. Datacom are also responsible for ensuring they have appropriate technical personnel available to restore and move production between the Wellington and Auckland sites.

Change control:
- Development of software changes is performed by Datacom staff on the approval of a change elaboration document approved by the Reserve Bank.
- Initial testing of software changes is performed by Datacom before the Reserve Bank’s user testing and subsequent implementation.
- Implementation of software changes to the production system is performed by authorised Datacom staff when authorised by the Reserve Bank.
- A backup of the System and a back-out plan is prepared by Datacom before any implementation of program changes.

Operations:
- On a daily basis, Datacom is responsible for monitoring the system and completing daily checklists. This will ensure that the System is operating adequately and automated processes and controls have been completed successfully. For example, Datacom will monitor data backups, system usage and performance processing statistics.
- On a monthly basis, the controls and services performed by Datacom are required to be assessed and reported to the Reserve Bank. For example, Datacom reports that administrator accounts on the System have been accessed appropriately and relate to authorised work. A monthly meeting is also held between Datacom and the Reserve Bank to discuss management and operation of the System.
Accountholders’ Controls

The controls described in Section IV cover only a portion of the overall internal controls for each accountholder. Achievement of each of the control objectives will also be dependent on accountholders maintaining an effective control environment implementing controls such as:
- Documented policies and procedures (including transaction processing procedures, risk management policies such as conditions and restrictions for system use, good password practices, software copyright restrictions and virus protection);
- Restricted access to operating systems, applications, databases and underlying records (including role based security mechanisms);
- User administration management;
- Transaction processing, authorisation, monitoring and reporting mechanisms;
- Segregation of duties in transaction processing;
- Reconciliation of transactions and balances;
- Physical security of system infrastructure;
- Provisions of data backup and restoration and other computer operations; and
- Business continuity planning.

This report expressly excludes consideration by the Reserve Bank and PwC of the effectiveness of accountholders’ own internal controls as distinct from internal control objectives and key controls of the ESAS system, which are the responsibility of the Reserve Bank.
Section IV
Exchange Settlement Account System control objectives

A summary of the control objectives relevant to the ESAS System is listed below. Following these are the specific key controls that are designed and implemented to achieve these stated control objectives.

Section 1 – Security
1. ESAS security management procedures and application controls are adequate.
2. The Reserve Bank’s internal and external network is adequately secured.
3. Access to system privileges within the underlying operating system is adequately secured.
4. ESAS functionality is only available to appropriate users at appropriate levels.
5. Access to the underlying database is adequately secured.
6. Adequate environmental and physical security controls are in place over computing equipment.

Section 2 – Accountholder Detail Administration
1. Authorisation is obtained for all additions, changes and deletions to accountholder details.
2. Additions, changes and deletions to accountholder details are correctly input into the System.

Section 3 – Change Control
1. Changes migrated into production are tested and approved.
2. Emergency changes migrated into production are appropriate and authorised.

Section 4 – Problem Management
1. Problems are identified and resolved in a timely manner.

Section 5 – Backup and Recovery
1. Adequate processes are in place for data recovery.
2. Timely recovery of business operations is possible.
3. System issues over the ESAS system are identified and resolved in a timely manner.

Section 6 – SLA Monitoring
1. Third party service level agreements are monitored to ensure compliance with agreed contractual requirements.

Section 7 – Period End Processing
1. End of day processing is complete, accurate and timely.

Section 8 – Transaction Fees, Auto Repo and Interest
1. Transaction fees are calculated in accordance with ESAS terms and conditions.
2. Auto repo limits are not exceeded.
3. Changes in interest rates and interest tiers are accurately recorded.
Section V
Independent assurance report on the description of controls, their design and operating effectiveness

To the Governor, Reserve Bank of New Zealand

PricewaterhouseCoopers, 113-119 The Terrace, PO Box 243, Wellington 6140. T: +(64) 4 462 7000, F: +(64) 4 462 7001, www.pwc.com/nz

Scope

In accordance with the terms of our engagement letter dated 2 November 2012, we were engaged to report on the Reserve Bank of New Zealand’s (the “Reserve Bank”) description at Section III of its Exchange Settlement Account System (the “System”) for processing accountholder transactions throughout the year ended 30 June 2013, and on the design and operation of controls related to the control objectives stated at Sections IV and VII. The Reserve Bank’s description of the System includes control objectives and controls performed by an independent service provider, Datacom Systems (Wellington) Limited (“Datacom”). Our audit procedures were extended to include controls performed by Datacom in relation to the Reserve Bank’s System. The description indicates that certain control objectives specified in the description can be achieved only if complementary accountholder controls contemplated in the design of the Reserve Bank’s controls are suitably designed and operating effectively, along with related controls at the Reserve Bank. We have not evaluated the suitability of the design or operating effectiveness of such accountholder controls.

The Reserve Bank of New Zealand’s responsibilities

The Reserve Bank is responsible for: preparing the description and accompanying assertion at Section II, including the completeness, accuracy and method of presentation of the description and assertion; providing the services covered by the description; stating the control objectives in Section IV; and designing, implementing and effectively operating controls to achieve the stated control objectives.

Auditor’s responsibilities

Our responsibility is to express an opinion on the Reserve Bank’s description and on the design and operation of controls related to the control objectives stated in that description, based on our procedures. We conducted our engagement in accordance with International Standard on Assurance Engagements (New Zealand) 3402, “Assurance Reports on Controls at a Service Organisation,” issued by the External Reporting Board. That standard requires that we comply with relevant ethical requirements and plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.
An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation’s description of its System, and the design and operating effectiveness of controls. The procedures selected depend on our judgement, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein, and the suitability of the criteria specified by the service organisation and described in Section II.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Limitations of controls at a service organisation

The Reserve Bank’s description is prepared to meet the common needs of a broad range of accountholders and their auditors and may not, therefore, include every aspect of the System that each individual accountholder may consider important in its own particular environment. In addition to this, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Section III also indicates that certain control objectives specified in the description can be achieved only if complementary accountholder controls contemplated in the design of the Reserve Bank’s controls are suitably designed and operating effectively, along with related controls at the Reserve Bank. Further, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.

Opinion

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described in management’s report at Section II. In our opinion, together with the complementary accountholder controls referred to in the scope paragraph of this report, in all material respects:
(a) The description fairly presents the System as designed and implemented throughout the year ended 30 June 2013.
(b) The controls related to the control objectives stated in the description were suitably designed throughout the year ended 30 June 2013.
(c) The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the year ended 30 June 2013.

Description of tests of controls

The specific controls tested and the nature, timing and results of those tests are listed in Section VII.

Intended users and purpose of the report

This report and the description of tests of controls in Sections IV and VII are intended only for accountholders who have used the System during the year ended 30 June 2013, and their auditors, who have a sufficient understanding to consider it, along with other information including information about controls operated by accountholders themselves, when assessing the risks of material misstatements of accountholders’ financial reports/statements.

Our audit was completed on 31 July 2013. This is the date at which our opinion is expressed.

Chris Barber
PricewaterhouseCoopers
On behalf of the Auditor-General
Wellington, New Zealand
Section VI
Definition of testing terms

The following are definitions of the terms used in the testing of key controls.

1. Enquiry:
   - Enquired of appropriate personnel.
   - Conducted enquiries seeking relevant information or representations from personnel, performed to obtain, among other things:
     - Knowledge, additional information and affirmation regarding the control of procedures.
     - Corroborating evidence of the controls.

2. Inspection:
   - Inspected documents and records indicating performance of the controls. This may include, among other things:
     - Inspection of reconciliations and management reports that age and/or quantify reconciling items to assess whether balances and reconciling items appear to be properly monitored, controlled and resolved on a timely basis, as required by the related control.
     - Examination of source documentation and authorisations related to selected transactions processed.
     - Examination of documents or records for evidence of performance, such as the existence of initials or signatures.
     - Inspection of the Reserve Bank’s systems documentation, such as operations manuals, flow charts and job descriptions.

3. Observation:
   - Observed the application or existence of specific controls as represented.

4. Re-performance:
   - Re-performed the control or processing application of the controls to check the accuracy of their operation. This may include, among other things:
     - Obtaining evidence of the arithmetical accuracy and correct processing of transactions by performing independent calculations.
     - Re-performing the matching of various system records by independently matching the same records and comparing reconciling items to reconciliations prepared by the Reserve Bank.
Section VII
Auditor’s tests of operating effectiveness of key controls
Section 1 – Security
Control Objective 1
ESAS security management procedures and application controls are adequate.

a) Key Control: Procedures are in place for the creation and deletion of user accounts.
   PwC Testing (Enquiry and Inspection): Confirmed with management that a user administration policy exists for the creation and addition of users. Inspected user listings to confirm new and terminated users processed during the period 1 July 2012 – 30 June 2013 were appropriately approved.
   Results: No exceptions noted.

b) Key Control: Password parameters and login settings in the application are appropriate and comply with good practice.
   PwC Testing (Inspection): Obtained and inspected password parameters on the ESAS application and noted that passwords complied with good practice.
   Results: No exceptions noted.

c) Key Control: Administrator access in the application is appropriately restricted to users in line with business requirements.
   PwC Testing (Inspection): Inspected a user access listing and confirmed administrator access was restricted to appropriate users based on their role and responsibilities. Inspected a sample of the monthly user account reviews conducted over user access rights.
   Results: No exceptions noted.

d) Key Control: System education and training programs have been established and undertaken.
   PwC Testing (Enquiry and Inspection): Confirmed and corroborated with management that all new employees are involved in an induction process prior to using the System. Inspected the Reserve Bank’s security policies. Inspected security declaration sign-offs for a sample of employees.
   Results: No exceptions noted.
Control Objective 2
The Reserve Bank’s internal and external network is adequately secured.

a) Key Control: Accountholders must agree and sign the ESAS rules to abide by the Reserve Bank’s network and access rules.
   PwC Testing (Inspection): Inspected the firewall configuration, confirming no new accountholders were granted access to the Reserve Bank network.
   Results: No exceptions noted.

b) Key Control: The Reserve Bank network topology is documented to ensure appropriate security mechanisms are in place.
   PwC Testing (Inspection): Inspected the Reserve Bank network diagram to ensure appropriate security mechanisms are in place, such as firewalls.
   Results: No exceptions noted.

c) Key Control: Only Reserve Bank staff can configure the routers supplied to members.
   PwC Testing (Observation and Inspection): Observed that access was restricted to authorised users through two factor authentication. Inspected the list of users who are able to configure the routers and assessed the appropriateness of access. Inspected router settings that limit configuration access to the Reserve Bank operations team.
   Results: No exceptions noted.

d) Key Control: Annually, the Reserve Bank performs a network security review. Vulnerabilities are identified and reviewed by senior management.
   PwC Testing (Enquiry and Inspection): Enquired with management that an independent third party was engaged to perform a network security review on behalf of the Reserve Bank. Inspected evidence of the review and reporting of key findings. Confirmed through inspection that identified vulnerabilities were reviewed by management.
   Results: No exceptions noted.

e) Key Control: Network security is regularly reviewed.
   PwC Testing (Inspection): For a sample of weeks, inspected evidence of weekly network security reviews identifying potential network vulnerabilities.
   Results: Exceptions noted. Evidence of scans was not available for a number of sampled weeks. There is no formal process to track the resolution of identified vulnerabilities.
   Reserve Bank Response: By 31 August 2013 the Reserve Bank will document and comply with a process for formally responding to alerts which are generated in the monitoring of systems including formal escalation and sign off procedures and documentation thereof.
Control Objective 3
Access to system privileges within the underlying operating system is adequately secured.

a) Key Control: Access to system privileges at the operating system level requires manager approval.
   PwC Testing (Enquiry and Inspection): Confirmed with Datacom that all new users must be approved by a manager at Datacom or the Reserve Bank. Inspected a sample of approvals of new users added during the period.
   Results: No exceptions noted.

b) Key Control: Administrative access to the operating system is appropriately restricted.
   PwC Testing (Inspection): Inspected a listing of all administrator users and confirmed with management that their access was appropriate.
   Results: No exceptions noted.

c) Key Control: Password parameters and login settings at the operating system level are appropriate and comply with good practice.
   PwC Testing (Inspection): Obtained and inspected the operating system password settings and noted that passwords complied with good practice.
   Results: No exceptions noted.

d) Key Control: Access to the operating system is logged and reviewed.
   PwC Testing (Inspection): Inspected a sample of monthly SLA reports that confirmed direct access to the operating system is logged and reviewed.
   Results: No exceptions noted.
Control Objective 4
ESAS functionality is only available to appropriate users at appropriate levels.

a) Key Control: Administrator access in the application is appropriately restricted to users in line with business requirements.
   PwC Testing (Inspection): Inspected a user access listing and confirmed administrator access was restricted to appropriate users based on their role and responsibilities. Inspected a sample of the monthly user account reviews conducted over user access rights.
   Results: No exceptions noted.

b) Key Control: User accounts and access rights are reviewed regularly to ensure that these are appropriate.
   PwC Testing (Inspection): Inspected a sample of the monthly user account reviews conducted over the user accounts and rights allocated.
   Results: No exceptions noted.
Control Objective 5
Access to the underlying database is adequately secured.

a) Key Control: Access to system privileges at the database level requires manager approval.
   PwC Testing (Enquiry and Inspection): Confirmed with Datacom that all new users must be approved by a manager at Datacom or the Reserve Bank. Inspected a sample of approvals of new users added during the period.
   Results: No exceptions noted.

b) Key Control: User accounts at the database level are regularly reviewed for appropriateness.
   PwC Testing (Inspection): Obtained and inspected a sample of user account reviews at the database level.
   Results: No exceptions noted.

c) Key Control: Password parameters and login settings at the database level are appropriate.
   PwC Testing (Inspection): Obtained and inspected the database password settings and noted that passwords complied with good practice.
   Results: No exceptions noted.

d) Key Control: Privileged access to the database is logged and reviewed.
   PwC Testing (Inspection): Inspected a sample of monthly SLA reports in which the third party vendor reports access over the database.
   Results: No exceptions noted.
Control Objective 6
Adequate environmental and physical security controls are in place over computing equipment.

a) Key Control: Environmental and physical security controls are in place over computing equipment.
   PwC Testing (Observation): Observed during a walkthrough of the Wellington and Auckland sites that:
   - Access to the premises and computing equipment is physically locked and not publicly accessible;
   - Electronic swipe cards are required to access the premises and computing equipment;
   - Environmental controls are in place in the server rooms, including: air conditioning units; raised floor; dry pipe sprinkler system; fire extinguisher; fire alarms; racks for all equipment; UPS systems; and backup generators.
   Results: No exceptions noted.
Section 2 – Accountholder Detail Administration
Control Objective 1
Authorisation is obtained for all additions, changes and deletions to accountholder details.

a) Key Control: New accountholders are assessed for eligibility prior to being accepted as an ESAS accountholder.
   PwC Testing (Inspection): Inspected the new accountholder, amending accountholder and deleting accountholder procedures document. This requires that all accountholders are assessed for eligibility. For a sample of new accountholders, inspected evidence of eligibility assessment prior to being accepted as an ESAS accountholder.
   Results: No exceptions noted.

b) Key Control: Approval for new accountholders is required from the Manager of the Payments and Settlements Services and Chief Financial Officer.
   PwC Testing (Inspection): Inspected the new accountholder, amending accountholder and deleting accountholder procedures document. This requires that all accountholders are assessed for eligibility. For a sample of new accountholders, inspected evidence of approval from the Manager of the Payments and Settlements Services and CFO.
   Results: No exceptions noted.

c) Key Control: A request for deletion must be authorised by the accountholder.
   PwC Testing (Enquiry and Inspection): Inspected the procedures document for deleting accountholders. Confirmed and corroborated with management that there has not been any deletion of accountholders in the current audit period.
   Results: No exceptions noted.

d) Key Control: All changes to accountholder details are subject to a peer review process.
   PwC Testing (Enquiry and Inspection): Inspected the amending accountholder procedures document. Confirmed and corroborated with management that there have been no changes to accountholder details in the current audit period.
   Results: No exceptions noted.
Control Objective 2
Additions, changes and deletions to accountholder details are correctly input into the System.

a) Key Control: A documentation checklist is completed to confirm that all of the required forms have been received for new accountholders.
   PwC Testing (Inspection): Inspected a register for accountholder administration activities in the period. For a sample of new accountholders, inspected evidence to ensure that documentation checklists confirming that all forms had been received were completed.
   Results: No exceptions noted.

b) Key Control: All changes to accountholder details are subject to a peer review process.
   PwC Testing (Enquiry and Inspection): Inspected the amending accountholder procedures document. Confirmed and corroborated with management that there have been no changes to accountholder details in the current audit period.
   Results: No exceptions noted.
Section 3 – Change Control
Control Objective 1
Changes migrated into production are tested and approved.

a) Key Control: Documented change control procedures are in place that require authorisation by multiple persons for all changes.
   PwC Testing (Inspection): Inspected the documented change control procedures and workflows. Confirmed with management that these are current.
   Results: No exceptions noted.

b) Key Control: A central database is in place to record all change requests.
   PwC Testing (Enquiry and Observation): Enquired of management to confirm that all changes are logged within a central application. Observed the central application and noted the change details were logged in the application.
   Results: No exceptions noted.

c) Key Control: Separate development, test and production environments are used.
   PwC Testing (Inspection): Inspected evidence to confirm that separate development, test and production environments exist. For a sample of months, inspected evidence confirming that deployments to the production environment were monitored.
   Results: No exceptions noted.

d) Key Control: Appropriate segregation of duties exists throughout the change management process.
   PwC Testing (Inspection): For a sample of changes released, inspected evidence that there were multiple staff members involved in each stage of the process, including development, testing and authorisations.
   Results: No exceptions noted.

e) Key Control: Changes are authorised prior to development.
   PwC Testing (Inspection): For a sample of changes released during the period, obtained evidence of authorisation prior to the change being developed.
   Results: No exceptions noted.

f) Key Control: Changes cannot be released into production unless they are tested.
   PwC Testing (Inspection): For a sample of changes released during the period, obtained evidence of testing prior to the change being implemented.
   Results: No exceptions noted.

g) Key Control: Changes cannot be released into production unless they have been authorised by the required personnel.
   PwC Testing (Inspection): For a sample of changes released during the period, obtained evidence of authorisation prior to the change being implemented.
   Results: No exceptions noted.

h) Key Control: Third party vendors are monitored to ensure they have appropriate controls in place, and that the procedures are followed to develop, test, review and implement changes.
   PwC Testing (Inspection): Inspected the Service Level Agreement and noted that service offerings by Datacom are adequately addressed. Confirmed that Change Management is supported by Datacom. For a sample of months, inspected the monthly reports provided by Datacom to the Reserve Bank, which report on KPIs and Datacom’s obligations, including Change Management procedures. For a sample of months, inspected the minutes from meetings held between the Reserve Bank and Datacom.
   Results: No exceptions noted.

i) Key Control: Back-out plans are prepared for all changes prior to migration where appropriate.
   PwC Testing (Inspection): For a sample of changes released during the period, inspected evidence that back-out plans had been prepared.
   Results: No exceptions noted.
Control Objective 2
Emergency changes migrated into production are appropriate and authorised.

a) Key Control: Emergency changes are authorised before implementation.
   PwC Testing (Inspection): For a sample of emergency changes released during the period, obtained evidence of approval by senior ESAS team members prior to implementation.
   Results: No exceptions noted.

b) Key Control: The First Aid log (First Aid is a defined user account for the migration of emergency changes) is authorised and documented for all emergency changes.
   PwC Testing (Inspection): For a sample of emergency changes released during the period, reviewed the authorisation and documentation for the use of the First Aid account and the emergency change. Inspected the Change log to confirm that all emergency changes were promoted as a First Aid change.
   Results: No exceptions noted.

c) Key Control: Third party vendors are monitored to ensure they have appropriate controls in place, and that the procedures are followed to develop, test, review and implement changes.
   PwC Testing (Inspection): Inspected the Service Level Agreement and noted that service offerings by Datacom are adequately addressed. Confirmed that Change Management is supported by Datacom. For a sample of months, inspected the monthly reports provided by Datacom to the Reserve Bank, which report on KPIs and Datacom’s obligations, including Change Management procedures. For a sample of months, inspected the minutes from meetings held between the Reserve Bank and Datacom.
   Results: No exceptions noted.
Section 4 – Problem Management
Control Objective 1
Problems are identified and resolved in a timely manner.

a) Key Control: Proactive Problem Management (PPM) processes and procedures are documented.
   PwC Testing (Inspection): Inspected the PPM policy document and noted that it covered the process for logging and resolving a PPM.
   Results: No exceptions noted.

b) Key Control: A PPM form is completed for each problem encountered, outlining a description of the problem, consequences of the problem, cause of the problem and the actions taken to remedy the problem.
   PwC Testing (Inspection): Inspected a sample of PPMs raised in the period related to ESAS and verified that each was completed in detail, including a description, consequences, cause and actions taken to remedy the problem.
   Results: No exceptions noted.

c) Key Control: All PPMs are subject to review by the Chief Financial Officer.
   PwC Testing (Inspection): Inspected a sample of PPMs raised in the period, obtained the PPM form and confirmed that all sampled PPMs were signed off by the CFO and forwarded to a Governor when relevant.
   Results: No exceptions noted.
Section 5 – Backup & Recovery
Control Objective 1
Adequate processes are in place for data recovery.

a) Key Control: Data backup and restore procedures are in place.
   PwC Testing (Enquiry and Inspection): Confirmed with management that system backup and operator restore procedures are in place. Inspected the backup and restore procedures, confirming they are current.
   Results: No exceptions noted.

b) Key Control: Daily backups are performed.
   PwC Testing (Inspection): For a sample of days, inspected evidence that daily backups were performed automatically and monitored.
   Results: No exceptions noted.

c) Key Control: Regular tests of data restoration are undertaken.
   PwC Testing (Inspection): For a sample of weeks, inspected evidence that test file restores were conducted.
   Results: No exceptions noted.
Control Objective 2
Timely recovery of business operations is possible.

a) Key Control: An up-to-date business continuity plan is in place.
   PwC Testing (Inspection): Inspected the Business Continuity plan, last updated in June 2013, confirming that it was relevant and current.
   Results: No exceptions noted.

b) Key Control: Technically trained persons are available for restoration of Systems.
   PwC Testing (Enquiry and Inspection): Confirmed with management and Datacom that operational staff at the Reserve Bank and at Datacom have sufficient training to conduct System restores. Inspected evidence to confirm that a switchover process had occurred during the period, which alternates processing between the Auckland and Wellington sites.
   Results: No exceptions noted.

c) Key Control: Redundant equipment (including a fully operational alternative site) is available for restoration purposes.
   PwC Testing (Enquiry and Inspection): Confirmed with management that there are two identical sites, in Auckland and Wellington, to support ESAS operations. Inspected evidence to confirm that a switchover process had occurred during the period, which alternates processing between the Auckland and Wellington sites.
   Results: No exceptions noted.

d) Key Control: UPS for all critical systems are maintained and tested on a regular basis.
   PwC Testing (Observation and Inspection): During a walkthrough of the Auckland and Wellington server rooms, observed that UPS facilities are available. Obtained and inspected a sample of UPS test reports performed during the period.
   Results: No exceptions noted.

e) Key Control: Backup power generators are available and tested on a regular basis.
   PwC Testing (Inspection): Obtained and inspected a sample of evidence of the backup power generators being tested during the period.
   Results: No exceptions noted.
Control Objective 3
System issues over ESAS are identified and resolved in a timely manner.

a) Key Control: A data centre monitoring system through a web portal is used which generates alerts on a priority basis for issues relating to file-system usage, disk space and other key metrics.
   PwC Testing (Observation and Inspection): Observed the Web Portal with management to confirm that it is used as a data centre monitoring system which generates alerts to the operator on a priority basis for issues relating to capacity and when the system is down. Inspected a sample of months for evidence confirming the Reserve Bank had received system health reporting as part of the monthly SLA reporting process.
   Results: No exceptions noted.

b) Key Control: Automatic alerts are paged to support personnel when the System self-diagnoses unexpected conditions.
   PwC Testing (Enquiry and Observation): Confirmed with management that alerts are generated for unexpected conditions. Observed an example of an alert sent to the Operations team email account. Inspected the alert settings on the system showing the conditions being monitored and alerts being sent.
   Results: No exceptions noted.
Section 6 – SLA Monitoring
Control Objective 1
Third party service level agreements are monitored to ensure compliance with agreed contractual requirements.

a) Key Control: An SLA is in place between third parties and the Reserve Bank for the management of the ESAS environment.
   PwC Testing (Enquiry and Inspection): Confirmed with management that an SLA is in place with Datacom. Obtained and inspected the agreement and noted that service offerings by Datacom are adequately addressed.
   Results: No exceptions noted.

b) Key Control: A monthly meeting is held between the Reserve Bank and third parties to discuss any issues with the environment and ensure compliance with contractual requirements.
   PwC Testing (Inspection): For a sample of months, inspected the minutes from meetings held between the Reserve Bank and Datacom.
   Results: No exceptions noted.

c) Key Control: Third party reports are performed detailing any issues during the month and reporting against KPIs as detailed in the SLA.
   PwC Testing (Inspection): For a sample of months, inspected the monthly reports provided by Datacom to the Reserve Bank, which report on KPIs and Datacom’s obligations, and inspected for reporting on the obligations per the SLA.
   Results: No exceptions noted.
Section 7 – Period End Processing
Control Objective 1
End of day processing is complete, accurate and timely.

a) Key Control: The nightly close reports list the automated processes that have run and whether each process has completed successfully. Failures are identified and managed to resolution.
   PwC Testing (Inspection): Inspected the nightly close reports and confirmed that the automated processes are identified in the report. For a sample of days, inspected the Operations Checklist that checks the nightly close reports to ensure the automated processes have been completed successfully. Where a failure was identified, confirmed that appropriate resolution/escalation procedures were followed through follow-up narrations on the nightly close reports.
   Results: No exceptions noted.

b) Key Control: ESAS Operations Checklists are used to monitor processing.
   PwC Testing (Inspection): For a sample of days, inspected the Operations Checklist to ensure that all operational activities were performed. Confirmed that the Checklist was reviewed for any failures and resolution actions taken were appropriate.
   Results: No exceptions noted.
Section 8 – Transaction Fees, Auto Repo and Interest
Control Objective 1
Transaction fees are calculated in accordance with the ESAS terms and conditions.

a) Key Control: Processes and procedures are documented and current.
   PwC Testing (Inspection): Inspected the ESAS transaction fee procedure calculation manual. Confirmed with management that these are current.
   Results: No exceptions noted.

b) Key Control: ESAS transaction fees are reviewed on a regular basis.
   PwC Testing (Inspection): Inspected evidence that the ESAS transaction fee was reviewed within the last six months.
   Results: No exceptions noted.

c) Key Control: A segregation of duties exists between the calculation, checking and approval functions.
   PwC Testing (Inspection): Obtained and inspected evidence that showed multiple staff members were involved in the completion of the transaction fee calculation, checking and approval.
   Results: No exceptions noted.

d) Key Control: The monthly fee calculations and invoices are independently reviewed before distribution to accountholders.
   PwC Testing (Inspection): Obtained and inspected evidence that showed ESAS fee calculations and invoices were independently reviewed before distribution to accountholders.
   Results: No exceptions noted.
Control Objective 2
Auto repo limits are not exceeded.

a) Key Control: Auto repo processes and procedures are documented.
   PwC Testing (Inspection): Obtained and inspected the automated repo procedure document. Confirmed with management that these are current.
   Results: No exceptions noted.

b) Key Control: The System does not allow accountholders to borrow more than their pre-authorised limits.
   PwC Testing (Enquiry and Observation): Confirmed and corroborated with management that the System enforces rules to ensure that accountholders cannot borrow more than what they have been authorised. Confirmed through observation that the System will not allow accountholders to borrow more than their pre-defined limits.
   Results: No exceptions noted.
Control Objective 3
Changes in interest rates and interest tiers are accurately recorded.

a) Key Control: All changes to interest rates and tiers are independently reviewed.
   PwC Testing (Inspection): For a sample of changes to interest rates and tiers, inspected evidence that they were independently reviewed.
   Results: No exceptions noted.