Welcome to Part 3 of SSAE16: How to Review and Map Controls for Equity Edge

In Part 1, we talked about

  • What to review to ensure you can rely on the report
  • What an unqualified opinion is
  • How long the report is good for
  • What a “bridge letter” is

In Part 2, it’s all about

  • What are “user control considerations?”

 

In this final part, we will focus on

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

 

What controls am I relying on?

After addressing the user control considerations, the next question is: which controls am I relying on from Equity Edge?

This is the report you are going to review.

Look at Section 4 of the Equity Edge SOC 1 report.

 
Basically, these are all the test results.

Test of Operating Effectiveness and Results of Tests

In this report we will discuss the controls of ETrade and how they relate to the information technology general control system for the StockPlans, Equity Edge Online hosting services performed at the Alpharetta, Georgia, facility. BrightLine CPAs and Associates, Inc. (BrightLine) conducted the examination testing over the period October 1, 2014, through March 31, 2015.

Test of Operating Effectiveness

The following are some of the types of procedures we do:

  • Inquire
  • Observe
  • Inspect

[Screenshot: test of operating effectiveness in Excel]

Sampling

[Image: sampling methods]

Test Results

[Image: test results on report]

Security Awareness

This image shows the report's columns: Control Activity, Auditor's Test and Test Results. These columns appear on every page of the report.

First Objective

Note: We need to focus on Test Results and identify items that indicate exceptions.

“No exceptions noted” – means it’s a clean report

More exceptions – means more work to verify

Physical Security

This page shows no exceptions noted.

Environmental Security

This page shows no exceptions noted.

Computer Operations

This page shows no exceptions noted.

Change Control

This page shows no exceptions noted.

Information Security

This page shows no exceptions noted.

In conclusion, this report is clean.

 

What do I do after I review the SSAE 16 report?

This is usually the finishing touch after reviewing the entire report, and it covers the following topics:

  • Conclusions
  • Management Review for Major Findings
  • Roll Forward Procedures

We go back to our working paper, which says:

Conclusions – Based on the results below, review of SSAE16 was effective and ETrade controls over equity and stock administration can be relied upon. The Bridge letter covers period between 4/1/15 – 8/31/15, which is within 3 months from 10/31/15.

Management Review for Major Findings – Done
Roll Forward Procedures – Obtained Bridge Letter covering 4/1/15 – 8/31/15

Anyone who wishes to go back to your report will always look for the conclusion.

As a recap, we discussed the following:

 
