This is part 2 of the NetSuite SSAE 16 review and mapping of controls series. As a reminder, in part 1, we discussed how to review the report and see whether the report is a Type I or Type II report that you can rely on. We also discussed what an unqualified opinion is and how to read it.
In this practical training session, we walk you through the steps and answer the following questions:
- How long is the SSAE 16 report good for?
- What is a bridge letter?
- What are user control considerations?
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Once we know that we can rely on SSAE 16 report, the next question is how long the report will be good for? Below is a sample report and it covers the period April 1, 2014 to March 30, 2015.
If your company has a calendar year-end December 31, 2015 and the report date covers part of the year, what do you do? From April 1st to December 31, we don’t know if NetSuite’s controls continued working.
The PCAOB has not established clear and explicit instructions to help us decide if we can rely on a report if it covers less than 6 months of a fiscal year. But the PCAOB maintains that additional procedures are needed if more than 6 months have passed between the fiscal year end and the date of the SSAE 16 report.
So let’s say our year-end is December 31, 2015. Notice the report or opinion date is NOT March 31st. The report date is actually May 28, 2015. Why the difference? Because the auditors test controls up to March 31, and in order to do that, they have to wait for March 31 to pass. They spent April and May doing the testing and quality review. From June 1st to December 31st, 6 months have passed, so can we still rely on this report?
The bottom line is that we are looking at this report to see how much of the year it covers. In the example above, the report covers 3 months. This means that you are now exposed for the period from April 1, 2015 to December 31, 2015. In this case, you’re going to have to do additional procedures to continue to rely on this report.
So what do you do as an alternative procedure? Remember that alternative procedures are done to ensure that the environment has not changed, so that the report can still be relied on. What you have to get in this case is called a “bridge letter”. Below is an example of a bridge letter from NetSuite.
This is dated August 28, 2015 and actually tells you that it is a SOC 1 Type II report. The letter tells us that a person fairly high up in the organization, to the best of his knowledge, guarantees that there have been no significant changes in the internal controls described in the SOC 1 report. The bottom line is that NetSuite is giving you some comfort that it hasn’t changed anything significantly and that you should be able to use the report.
Another thing that should be taken into account when looking at an SSAE16 report is user control considerations. Below is the table of contents of a sample report and in this report we are going to look at the section COMPLEMENTARY USER ENTITY CONTROLS. In some reports, it can be labelled as “end-user considerations”.
In this example, NetSuite is saying that it has controls in place, but we can rely on NetSuite’s controls only if we also have the controls they have listed. Below is an example of what this section contains.
In the image above, NetSuite talks about system development and change management. Basically, NetSuite has controls in place to provide reasonable assurance that changes to production application systems are properly authorized, tested, approved, implemented and documented.
On the other hand, they are saying that you as users are also responsible for promptly communicating any bugs to them so that they know about your problems. You also have to do your own user acceptance testing and validation of those activities, because their environment is global while yours might have been customized to fit your environment.
You are also responsible for validating the changes in the internal system that interacts with NetSuite. This applies if you are using another system that connects with NetSuite. It is up to you to make sure that this integration is validated as it could impact how the NetSuite environment works. Any customization should also be validated for accuracy and appropriateness.
In terms of security, NetSuite will ensure that logical access to important information is only given to properly authorized individuals. They list several things that you are responsible for when it comes to security. First is setting security policies for access to the NetSuite system. Aside from setting the policy, it is also the duty of the client to communicate these policies to employees and contractors.
Another security-related responsibility of the client is to establish password configuration settings as well as authentication requirements. These settings and requirements should meet the strict requirements set by the company, industry, or a regulatory board.
Now that you know where to find these user control considerations, the next thing to do is to map them out like in the image below.
In this case, simply take the data from the User Control Considerations section as shown above and add them to the proper column in a spreadsheet. In this example, the “type” column entry, System Development and Change Management, has been copied from NetSuite. After that, it is only a matter of copying the different user control considerations.
After that, add the appropriate control number or reference. In cases where no control exists, include a procedure that you. By mapping these, you ensure that you have the user control considerations asked for by NetSuite in this example.
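The two procedures in this segment, checking how much of the fiscal year the report period covers (and therefore whether a bridge letter is needed) and mapping the complementary user entity controls to your own control references, can be done in a few lines of code. The script below is an added example and is not code from NetSuite or from this series. It takes the dates from the text (period April 1, 2014 to March 31, 2015, opinion date May 28, 2015, year-end December 31, 2015) and the 6-month threshold the page attributes to the PCAOB; the calendar-month counting convention, the paraphrased CUEC wording and the internal control references (CTRL-xxx) are assumptions for illustration.

```python
"""Assess SOC 1 / SSAE 16 report coverage of a fiscal year and map the report's
complementary user entity controls (CUECs) to internal control references.
Added example; control IDs and CUEC wording are constructed for illustration."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Threshold the page attributes to PCAOB guidance: a gap of more than 6 months
# calls for additional procedures such as obtaining a bridge letter.
MAX_GAP_MONTHS = 6


def whole_months(start: date, end_inclusive: date) -> int:
    """Whole calendar months in the inclusive span start..end_inclusive.
    Assumed convention: Jan 1..Mar 31 counts as 3 months."""
    end = end_inclusive + timedelta(days=1)
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return max(months, 0)


@dataclass
class ReportCoverage:
    covered_months: int        # months of the fiscal year inside the report period
    uncovered_months: int      # months of the fiscal year after the period ends
    bridge_letter_required: bool


def assess_coverage(period_start: date, period_end: date,
                    fy_start: date, fy_end: date) -> ReportCoverage:
    """Overlap the report period with the fiscal year and flag an exposure gap."""
    overlap_start, overlap_end = max(period_start, fy_start), min(period_end, fy_end)
    covered = whole_months(overlap_start, overlap_end) if overlap_start <= overlap_end else 0
    uncovered = whole_months(period_end + timedelta(days=1), fy_end) if period_end < fy_end else 0
    return ReportCoverage(covered, uncovered, uncovered > MAX_GAP_MONTHS)


def assess_coverage_iso(period_start: str, period_end: str,
                        fy_start: str, fy_end: str) -> ReportCoverage:
    """Convenience wrapper taking ISO-8601 date strings."""
    return assess_coverage(*(date.fromisoformat(s) for s in
                             (period_start, period_end, fy_start, fy_end)))


# CUECs paraphrased from the page, keyed by the "type" column used in the spreadsheet.
CUECS = [
    ("System Development and Change Management", "Promptly communicate bugs and issues to NetSuite"),
    ("System Development and Change Management", "Perform user acceptance testing of NetSuite changes"),
    ("System Development and Change Management", "Validate changes to internal systems integrated with NetSuite"),
    ("System Development and Change Management", "Validate customizations for accuracy and appropriateness"),
    ("Security", "Set security policies for NetSuite access and communicate them to employees and contractors"),
    ("Security", "Establish password configuration settings and authentication requirements"),
]

# Hypothetical internal control references; a CUEC absent here has no control yet.
INTERNAL_CONTROLS = {
    "Promptly communicate bugs and issues to NetSuite": "CTRL-CM-04",
    "Perform user acceptance testing of NetSuite changes": "CTRL-CM-07",
    "Set security policies for NetSuite access and communicate them to employees and contractors": "CTRL-SEC-01",
    "Establish password configuration settings and authentication requirements": "CTRL-SEC-03",
}


def map_cuecs(cuecs, internal_controls) -> list:
    """Build the mapping rows; unmapped CUECs get an action item for a new procedure."""
    rows = []
    for area, description in cuecs:
        ref = internal_controls.get(description, "")
        rows.append({"type": area, "user_control_consideration": description,
                     "control_reference": ref,
                     "action": "" if ref else "Define a procedure or control to close this gap"})
    return rows


def unmapped(rows) -> list:
    return [r["user_control_consideration"] for r in rows if not r["control_reference"]]


def rows_to_csv(rows) -> str:
    """Render the mapping as CSV text, ready to paste into the spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "user_control_consideration",
                                             "control_reference", "action"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    cov = assess_coverage_iso("2014-04-01", "2015-03-31", "2015-01-01", "2015-12-31")
    print(cov)  # 3 months covered, 9 uncovered, bridge letter required
    print(rows_to_csv(map_cuecs(CUECS, INTERNAL_CONTROLS)))
```

Running it reproduces the page's conclusion (3 of 12 months covered, a 9-month exposure that exceeds the threshold) and produces the spreadsheet rows, with the two integration and customization CUECs flagged as gaps that need a documented procedure.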
That’s it for this segment.