
General Information on NSD’s Activities

Information Disclosure

NSD’s Information Disclosure Rules approved by the Bank of Russia set out the procedure for information disclosure, i.e., provision of the following information to an indefinite or unlimited number of concerned parties:

  • information to be disclosed by NSD in accordance with the Russian statutory requirements; and
  • information disclosed by NSD on its own accord or upon request by a party concerned.

In particular, the Rules require that NSD act in accordance with the principle of transparency towards its shareholders, clients, business partners, counterparties, governmental authorities, employees, and other stakeholders. In accordance with the principle of transparency, the proper level of information disclosure is ensured by compliance with the following rules:

  • Information disclosure practices must be consistent with NSD’s and Moscow Exchange Group’s development strategy (goals and objectives);
  • Information disclosed must be accurate and accessible;
  • Information must be disclosed in a timely fashion, regularly, and on a non-discriminatory basis;
  • A reasonable balance must be struck between NSD’s transparency and NSD’s and Moscow Exchange Group’s commercial interests;
  • The requirements of the Russian laws and other regulations concerning trade secrets, bank secrecy, or insider information, as well as the requirements of NSD’s internal regulations applicable to dealing with confidential information must be complied with;
  • Standards of professional ethics must be complied with; and
  • Information distribution channels must ensure free, easy, and inexpensive access by interested parties to any information disclosed.

To ensure compliance with the Rules, the Chairman of the Executive Board approved:

    • the Procedure for Preparation, Verification and Approval of Information to Be Disclosed by NSD as the Central Securities Depository;
    • the Procedure for Preparation, Verification and Approval of Information to Be Disclosed by NSD as a Clearing Organization.

The Procedures set out a list of information (data, facts, documents, and other informational materials) to be disclosed by NSD and designate employees responsible for the preparation, verification, and approval of the information to be disclosed.

In addition to conventional communication channels, NSD discloses information and communicates with counterparties via Facebook social media.

Audit

Internal Audit Commission

The Internal Audit Commission is the controlling body responsible for internal control over NSD’s financial and business activities. Members of the Internal Audit Commission are elected at annual General Meetings of Shareholders.

The members of the Internal Audit Commission elected by the annual General Meeting of Shareholders on 2 June 2020 are:

1. Olga Melentyeva;

2. Maxim Nikonov;

3. Vladimir Sukhachev.

The proceedings of NSD’s Internal Audit Commission are governed by the Regulations on the Internal Audit Commission approved by the General Meeting.

Material Aspects of Interaction with External Auditors

On 2 June 2020, NSD’s annual General Meeting of Shareholders resolved to approve the appointment of Deloitte & Touche CIS as NSD’s auditor to conduct audits under the Russian Accounting Standards (RAS) and the International Financial Reporting Standards (IFRS) for the period until NSD’s annual General Meeting of Shareholders to take place in 2021.

Deloitte & Touche CIS is authorized under Russian laws to conduct independent audits of NSD’s accounting system, financial statements (accounts), tax reports, financial results, and NSD’s internal control system, as well as to prepare and present an auditor’s report on NSD’s financial statements prepared under the RAS and IFRS, and, if any material shortcomings in the accounting or internal control system are identified, issue an information letter, describing the shortcomings, to NSD’s executives.

Full name: Joint-Stock company «Deloitte & Touche CIS»
Short name: Deloitte & Touche CIS
Registered Office: 5 Lesnaya Street, 125047 Moscow
Telephone and fax numbers: Tel.: +7 (495) 787-06-00. Fax: +7 (495) 787-06-01
E-mail: moscow@deloitte.ru
Full name and address of the self-regulatory organization of auditors in which the auditor has (had) membership: Self-regulatory organization of auditors «Auditor Association Sodruzhestvo» (SRO AAS), 21, bldg. 4, Michurinsky Prospect, Moscow 119192, Russia
Financial year for which the auditor conducted an independent audit of the statutory accounting books and financial statements under Russian laws and the IFRS: 2017, 2018, 2019, 2020

Deloitte & Touche CIS does not have any significant common interests with NSD or the Moscow Exchange Group.

Interaction with the external auditor is maintained under the Audit and Review Services Agreement. An audit is only intended to express an opinion on the validity of NSD’s financial statements and on whether the accounting records are maintained by NSD in compliance with applicable Russian law. Validity means the degree of accuracy of the data contained in the financial statements and whether it enables a user of such financial statements to draw conclusions, on the basis of such data, regarding NSD’s performance results, financial position, and assets, and to make informed decisions. During the audit period, the auditors also examine the tax accounting books and tax reports filed by NSD in the forms required (i.e., tax returns, tax calculations, etc.) and determine whether all tax reliefs were obtained lawfully. The purpose of a review is to express a conclusion whether, on the basis of the review, anything has come to the auditor’s attention that causes the auditor to believe that NSD’s interim financial statements for the first six months of the year are not prepared, in all material respects, in accordance with IAS 34 «Interim Financial Reporting».

Interaction with the auditor includes several phases:

  • Phase 1: analysis of NSD’s information systems;
  • Phase 2: review of the company’s IFRS interim financial statements for the first six months of the year;
  • Phase 3: intermediate procedures: audit of the state of accounting and controls, account balances, and tax filings for the nine months of the financial year;
  • Phase 4: final procedures: audit of the state of accounting and controls, account balances, RAS and IFRS financial statements and tax filings for 12 months of the financial year.

For the purposes of conducting an audit, NSD designates an employee to be in charge of liaising with NSD’s business units and ensuring that the information needed for the audit is delivered in a timely fashion.

Under the Audit and Review Services Agreement, the auditor undertakes to strictly comply with the laws of the Russian Federation and other regulations, including Federal Law No. 307-FZ dated 30 December 2008 «On Audit Activities», and international standards on auditing adopted in the Russian Federation. Furthermore, the auditor is required to:

  • ensure that any documents received by the auditor in the course of an audit are kept safe and returned in due course, and that their contents or any other information are not disclosed without NSD’s consent, except as provided by Russian law;
  • if so requested by NSD, supply NSD with the necessary information on the requirements of the Russian laws with respect to the conduct of audits (including tax audits), and references to the regulations on which the auditor’s comments and conclusions are based; and
  • inspect the documents related to NSD’s financial and business activities and the availability of any assets recorded in those documents.

Where the auditor discovers any breach of the tax laws or any material misstatements in NSD’s financial statements or tax reports, the auditor will notify NSD’s executives that they may be held liable for such breaches and that it is necessary to make amendments to the financial statements or make adjustments to the tax returns and calculations.

The auditor determines, at its own discretion, the forms and methods of the audit based on the requirements imposed by the applicable Russian laws and regulations, subject to the specific terms and conditions of the Audit and Review Services Agreement.

In the course of an audit, NSD undertakes to make the relevant arrangements and provide assistance to the auditor to ensure that the financial and tax audits are completed in a timely fashion and in full. NSD provides the auditor with all the information and documents requested and needed for the audit, provides full clarifications and confirmations as may be requested by the auditor, and requests any information necessary for the audit from third parties.

Internal Control

In compliance with the requirements set forth by Russian laws and Bank of Russia’s regulations, NSD implements internal controls that are appropriate to the nature and scope of NSD’s business (as the central securities depository and as a non-banking credit institution, professional securities market participant, clearing house, and trade repository), and to NSD’s risk profile.

Internal controls are implemented to ensure that NSD pursues the following objectives:

  • ensure that NSD’s financial and commercial performance in the course of banking and any other operations and transactions is efficient and effective, and ensure the efficient management of assets and liabilities (including protection of assets) as well as efficient risk management;
  • ensure that NSD’s financial statements, accounting, statistical, and other reports (both internal and external) are accurate, complete and objective and are prepared and submitted in a timely fashion, and maintain information security (safeguard the company’s interests and objectives in the information field defined as a totality of information, information infrastructure, parties involved in information collection, generation, distribution, and use, and the framework of regulation of resulting relations);
  • ensure compliance with the applicable Russian laws, Bank of Russia’s regulations, self-regulatory organizations' standards, and NSD’s constitutional documents and internal regulations; and
  • prevent NSD’s or its employees' involvement in illegal activities (including money laundering and terrorist financing), and ensure that relevant information is reported to competent authorities and the Bank of Russia in a timely fashion in accordance with the Russian laws.

NSD’s Supervisory Board, Executive Board, and Executive Board Chairman are actively involved in managing the internal control system. NSD has the Audit Committee, a standing advisory body of the Supervisory Board established to ensure the effectiveness of internal controls and internal audits, to assess the effectiveness of the risk management system, and to make recommendations to NSD’s Supervisory Board and executive bodies to enable them to take decisions on those matters in accordance with their authority.

NSD’s internal control system is based on the principle of three lines of defence, as required by the global best practices. The maturity level of the internal control system is confirmed by an independent auditor.

At NSD, there are two departments responsible for internal control on a continuous basis: the Internal Audit Department and the Internal Control Department.

The Internal Audit Department is responsible for assessing the reliability and effectiveness of internal controls, risk management, corporate governance, and business processes at NSD, provides NSD’s management bodies with information upon completion of internal audits, and gives advice on matters relating to internal controls.

The Internal Control Department is responsible for ongoing control over NSD’s operations, including NSD’s operations as CSD, clearing house, and trade repository, as well as over the work of the AML/CFT/WMD Officer in order to counter the misuse of insider information and market manipulation.

In 2020, in the field of AML/CFT/WMD, the main focus was on automation of processes amid changing requirements of Russian laws, and on preventing questionable transactions attempted to be made using new instruments or services.

Compliance efforts were focused on ensuring compliance with the licensing regulatory requirements applicable to NSD’s operations, and on developing control measures to manage regulatory risks and mitigate geopolitical risks.

The Internal Control Department improves its control and monitoring tools on a continuous basis, including:

  • access to insider information;
  • quality of handling client enquiries that could be classified as complaints; and
  • compliance with the AML/CFT/WMD requirements of the laws and Bank of Russia’s regulations.

The multi-level internal control system enables NSD to effectively identify, assess and manage risks in all areas of its business.

Information Security

To deliver on its strategic objectives, it is crucial for NSD to implement information management and protection practices, as information protection is the overarching factor of effective and sustainable performance.

NSD has the status of central securities depository, and its Payment System is recognized as nationally and systemically important. NSD also provides banking, trade repository, clearing, and other services to financial market participants. All these factors make information and cybersecurity one of NSD’s priorities.

The work to ensure information security (IS) at NSD is organized in accordance with the Russian laws, Bank of Russia’s requirements and recommendations, the package of standardization documents issued by the Bank of Russia (entitled «Ensuring Information Security at Organizations of the Banking Industry of the Russian Federation») (the «BR ISBS Package»), NSD’s Information Security Policy, and the best practices and international standards.

The focus of IS activities is to ensure the security of clients' assets, as well as the security of the company’s banking, depository, settlement, and information systems, to ensure NSD’s sustainable and effective performance, and to safeguard interests of NSD and its shareholders, investors, and clients against information security threats. The Information Security Division (ISD) is responsible for putting in place an effective system to manage IS risks and conducting works designed to identify and counter any possible threats.

In accordance with the requirements of the Russian laws and the requirements set out in the BR ISBS Package, the ISD plays an active role in analyzing business processes, drafting terms of reference, rolling out hardware and software, and performing an expert review of contracts and agreements. In addition, the ISD regulates processes designed to separate users' access, sets up and maintains information protection tools, allocates access rights, and holds keying information.

Thanks to regular IS audits, NSD can objectively assess the current level of information security. On a quarterly basis, the ISD issues a cybersecurity report describing the current security status of IT systems; reports are provided to the Executive Board, Executive Board Chairperson, Risk Management Department, and the Audit Committee of NSD’s Supervisory Board.

In 2020, NSD’s information security system was independently assessed for conformity to Bank of Russia’s Regulations No. 683-P and 684-P, as well as to the Government Standard GOST R 57580.1−2017 «Security of Financial (Banking) Operations. Information Protection at Financial Institutions. Basic Organizational and Technical Measures.» A plan of actions was prepared and is being implemented to ensure the achievement of the target level of conformity.

To maintain and raise its IS level, NSD took steps to improve its information protection tools and IS-related internal regulations and to enhance security of source codes of business IT systems under development.

In 2020, the ISD took steps to:

  • ensure security of the company’s internal systems, focusing on those accessible online, by addressing vulnerabilities identified by penetration and other tests;
  • update IS-related internal regulations;
  • identify and promptly address vulnerabilities in NSD’s information infrastructure;
  • automate IS processes and procedures;
  • support the transition to remote work and put in place mechanisms designed to ensure secure use of NSD’s IT systems by employees;
  • optimize information security processes in the context of remote work; and
  • provide cybersecurity training for employees.

NSD took steps to improve the process of vulnerability management, which allowed the company to identify and address vulnerabilities in NSD’s information infrastructure before intruders could exploit them and cause negative effects.

In 2020, the following measures were implemented:

  • The list of IT systems covered by static code analysis to identify potential vulnerabilities was expanded, and tools designed for security screening of third-party libraries and IT systems being tested were implemented. These steps helped improve effectiveness and further decrease the number of vulnerabilities identified by subsequent penetration tests, as compared to previous periods.
  • NSD introduced the practice of security screening of external systems and components before they are integrated into NSD’s IT systems and processes. Due to their low security level, some components were discarded or replaced with more secure ones.
  • To ensure full compliance with the requirements of Federal Law No. 152-FZ «On Personal Data», a deep analysis of personal data available in NSD’s IT systems was launched in order to determine how and when that personal data is to be destroyed upon completion of its processing.
  • Tools designed to protect the integrity of key executable files in IT systems throughout their lifecycle were tested and deployed.
  • Thanks to the implementation of additional information protection tools, improvements were made to the access management and user account management processes.
  • The account lifecycle management process was automated.
  • The Kaspersky ASAP platform-based program for raising information security awareness for NSD’s employees was adapted and expanded.
  • Special attention was paid to measures to prevent potential frauds in NSD’s payment processes.

NSD’s Interests in Other Entities

Entity’s Full and Short Name: S.W.I.F.T. SC (Society for Worldwide Interbank Financial Telecommunication)
Registered Office: Avenue Adèle 1, 1310 La Hulpe, Belgium
Interest in the Share Capital, %: 0,0145