Welcome to Part 2 of SSAE16 – How to Review and Map Controls for Equity Edge. Many of our public clients use Equity Edge, and as part of SOX compliance they have to review the SOC 1 report to decide whether they can rely on the service organization's controls and what else they need to do on their own side to document that reliance.
So, we put together this information to be very practical and hands-on.
In part 1 of the series, we’ve already addressed the following:
- Whether the report is a type 1 or type 2
- What an unqualified opinion is
- How long the report is good for
- What a “Bridge Letter” is
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
This section concentrates on the user entity control considerations in the report and on how we map and document our own controls against them.
In part 3, we'll talk about the controls we are relying on and what to do after reviewing the SSAE16 report.
As you remember, the opinion refers to user entity controls, or user entity control considerations. What that means is that Equity Edge's own processes may be working as described, but you, as the user entity, also need to have controls in your own processes before you can rely on theirs.
I'll show you the part of the report where you find these considerations, so you can make sure you've mapped your controls to each one.
We will go back to the Equity Edge report and scroll to page 26.
Equity Edge Report: Page 26
Complementary Controls at User Entities
Basically, it says that Equity Edge's controls achieve their objectives only if you, the user entity, also have the complementary controls in place.
This is to ensure that both sides of the process work well together.
Here you will see that ETrade divides the user control considerations into two parts:
- Information Security
- Change Control
This is great because they list only six (6) controls. In the past they used to list many more.
Next I'll show you, in Excel, how we mapped out and documented our review.
This serves as a template for mapping out and documenting the review in SSAE16 – Excel format:
- Objective – the objective of the review
- Control Reference – the control reference number, if applicable
- Sample – the frequency of the review (once a year)
- Source – which report was reviewed and the name of the attached report
- Procedures – the steps we take as our work program
- Conclusions – our judgment on the report
List of user control considerations
- Equity and Stock Administration – the process we are reviewing
- Report Auditor – the audit firm (Brightline) that issued the opinion
- Report Period – the period the report covers (Oct. 1 – Mar. 31, 2015)
- Opinion on Design Effectiveness – Unqualified, with the page number (see page 5)
- Opinion on Operating Effectiveness – Unqualified, with the page number (see page 5)
- Notes – where the result was taken from (company name and page number)
Note: The reference numbers matter because someone re-performing this review should be able to follow them and arrive at the same conclusion.
This is how we list out the user entity controls.
- Number – the item number of the consideration in the report
- Type – the type of control (Information Security or Change Control)
- (Company Name) Identified User Control Consideration – for example, Information Security (list all the ETrade considerations exactly as stated in the report)
- Company Control Number – the number of your own control, which points to its description
- Company Control Description – whatever your own control is, reference it here
- Company Response to User Control Consideration – the reference to the control(s) that address the consideration
- Conclusion: Effective or Deficiency – sometimes we don't have an effective control for an item
- Comments – where we record the mitigating controls; these need to be mapped as well
Notice that there are six items in the report, and we listed all six here.
Often we have multiple controls that address one of their considerations.
Multiple controls are an advantage: when one of your controls fails, you still have mitigating controls. For this particular issue, the three other controls that would have caught it are recorded in the comments column of the worksheet.
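To make the mapping mechanical, here is an added Python example (not code from the original post, and not anything published by ETrade, Brightline or the company whose worksheet is described) that models the worksheet above: each user control consideration is mapped to one or more of the user entity's own controls, a consideration is concluded Effective when at least one mapped control passed testing, any further passing controls are recorded as mitigating controls, and a failed control covered by others, or a reference that does not exist in the inventory, is flagged in the comments. All consideration wording, control numbers and test results in the block are constructed placeholders.

```python
"""Map SOC 1 user control considerations (UCCs) to a user entity's own controls.

Added example: every consideration text, control number and test result below
is constructed for illustration, not taken from the ETrade/Brightline report.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CompanyControl:
    number: str        # Company Control Number
    description: str   # Company Control Description
    effective: bool    # outcome of our own testing of this control


@dataclass
class UserControlConsideration:
    number: int           # item number in the report's UCC list
    control_type: str     # "Information Security" or "Change Control"
    text: str             # consideration as worded by the service organization
    responses: List[str]  # Company Control Numbers we map to it


@dataclass
class MappingRow:
    number: int
    control_type: str
    consideration: str
    response: str          # Company Response to User Control Consideration
    conclusion: str        # "Effective" or "Deficiency"
    mitigating: List[str]  # additional passing controls covering the same item
    comments: str


def evaluate(ucc: UserControlConsideration, controls: Dict[str, CompanyControl]) -> MappingRow:
    """Conclude on one UCC: Effective if at least one mapped control passed testing."""
    unknown = [n for n in ucc.responses if n not in controls]
    mapped = [controls[n] for n in ucc.responses if n in controls]
    working = [c.number for c in mapped if c.effective]
    failed = [c.number for c in mapped if not c.effective]
    notes = []
    if unknown:  # a reference that is not in our control inventory cannot be re-performed
        notes.append("unresolved reference(s): " + ", ".join(unknown))
    if not mapped:
        conclusion = "Deficiency"
        notes.append("no company control addresses this consideration")
    elif not working:
        conclusion = "Deficiency"
        notes.append("all mapped controls failed testing: " + ", ".join(failed))
    else:
        conclusion = "Effective"
        if failed:  # the other controls would have caught what the failed one missed
            notes.append("failure of %s mitigated by %s" % (", ".join(failed), ", ".join(working)))
    return MappingRow(ucc.number, ucc.control_type, ucc.text,
                      ", ".join(ucc.responses) if ucc.responses else "NONE",
                      conclusion, working[1:], "; ".join(notes))


def review(uccs: List[UserControlConsideration], controls: Dict[str, CompanyControl]) -> List[MappingRow]:
    return [evaluate(u, controls) for u in uccs]


def summary(rows: List[MappingRow]) -> Dict[str, int]:
    counts = {"Effective": 0, "Deficiency": 0}
    for r in rows:
        counts[r.conclusion] += 1
    return counts


def to_csv(rows: List[MappingRow]) -> str:
    """Render the worksheet with the same column headings as the template."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Number", "Type", "Identified User Control Consideration",
                "Company Response", "Conclusion", "Mitigating Controls", "Comments"])
    for r in rows:
        w.writerow([r.number, r.control_type, r.consideration, r.response,
                    r.conclusion, ", ".join(r.mitigating), r.comments])
    return buf.getvalue()


# Constructed sample inventory (hypothetical control numbers and results).
CONTROLS = {c.number: c for c in [
    CompanyControl("ITGC-01", "Quarterly review of Equity Edge user access by Stock Admin manager", True),
    CompanyControl("ITGC-02", "Terminated users removed from Equity Edge within 2 business days", False),
    CompanyControl("ITGC-03", "Equity Edge access requires SSO with MFA", True),
    CompanyControl("ITGC-04", "Monthly reconciliation of Equity Edge to the general ledger", True),
    CompanyControl("CHG-01", "Vendor releases tested in a sandbox before production upgrade", True),
]}

# Constructed sample UCC list (placeholder wording, six items as in the post).
UCCS = [
    UserControlConsideration(1, "Information Security", "Restrict access to authorized personnel", ["ITGC-01", "ITGC-02", "ITGC-03"]),
    UserControlConsideration(2, "Information Security", "Remove access promptly on termination", ["ITGC-02", "ITGC-01"]),
    UserControlConsideration(3, "Information Security", "Maintain authentication controls", ["ITGC-03"]),
    UserControlConsideration(4, "Change Control", "Test vendor releases before deployment", ["CHG-01", "CHG-99"]),
    UserControlConsideration(5, "Change Control", "Verify data after upgrades", ["ITGC-04", "CHG-01"]),
    UserControlConsideration(6, "Change Control", "Approve configuration changes", []),
]

if __name__ == "__main__":
    result = review(UCCS, CONTROLS)
    print(to_csv(result))
    print(summary(result))
```

In the sample data, item 1 stays Effective even though ITGC-02 failed testing, because ITGC-01 and ITGC-03 also cover it, and the comments column records that mitigation; item 6 has no mapped control and is concluded a Deficiency, which is the row that would drive follow-up work in part 3.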
To recap: this is how we review the user control considerations and map our own controls against them.