Basically here the global schema for an exchange :

1- Daemons: Each coin traded must be backed by a fully synced daemon as he manages all the coins operations.
2- User interface : A use can ask for an address, this address is provided by the daemon, in an internal request.
3- Trade room: Usually, exchanges use an internal escrow for transactions as an amount of coins is held in exchange of annother coin, so they are escrowed internally, and when the price meets the users demande, funds are released to both parties.
4- Balances: They are managed by the server, there is a synchronisation between the database of the exchange, and the different daemons "accounts" RPC methods.
5- Withdrawals: they are operated at the request of the user, from his own account in the database, and in the daemon. If there are no funds in the daemon, the transaction won't be processed.

This is how an exchange works globally, now you can have several diffrences from an exchange to annother. The main difference is in the security level, Poloniex is known to be not so secure, if you have a look at your console when opening pages in poloniex, you will notice that every information sent or requested by the server, are using the 'GET' method, and this is prohibited especially when handling passwords and forms. They had been advised to revise these mechanisms, and to use 'POST' instead, but i don't think they did it.
The bitfinex hacking had something to do with this, they forgot to add a simple option to input text fields, coinables knows more about this then i, as he made a video explaining how the hacker managed to take the bitcoins.