Menu Close

#8 | Part 1 of SSAE16 – How to Review and Map Controls for Equity Edge

Welcome to SSAE16 How to review and Map Controls for Equity Edge – Part 1. Many of our clients who are required to be SOX compliant used Equity Edge for their stock based compensation calculations and as a result after reviewing the SSAE16, otherwise known as the SOC 1 Report. We get so many questions like:

  • How to review the report?
  • How to document it, so that it’s effective and have just even read it.

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

We’ve put together this practical training video, so that you can do it, follow step by step, and understand why some of these things are documented and how to read them.

Here’s how we’ve broken out the content. Because there’s so much content in this, we’re going to cover it in 3 parts.

In Part 2 and 3, you can see the user considerations, the controls that you are relying on, and the things to do after reviewing the SSAE 6 report. Again, this is meant to be very practical and hands on because so many of our clients are dying for this type of information to get through their work on a daily basis.

The image shows how this content is divided into 3 parts.

SSAE 16 table of Contents
Table of contents

Is this SSAE 16 a Type 1 or Type 2 Report?

Type 1 Report

This is an ETrade Report, which actually owns the Equity Edge.

ETrade Report front page
ETrade Report

One of the first things I’ll do is look at the date of the report to make sure that it covers the period I’m interested in. I’m going to assume that you have calendar year-end 12/31 year-end company. So, the latest report from Equity Edge actually goes from October 1, 2014 to March 2015. At least, it covers 3 months of the year we are interested in. That’s good. Even before we figure out if this report is effective or not, I just asses if I should be reviewing this report.

The next part I do is, go to the Auditors Report: Section 1. That’s typically the case on page 1.

Section 1: Auditors Report
ETrade Auditor’s Report

Here is where you will see that it will say that this is the general auditor’s opinion. You’ll see that it says that we examined ETrade Equity Edge Product. It’s the period you’re interested in. Not only that, but it says that suitability design, that’s the design effectiveness, and it talks about operating effectiveness of the controls. That’s what we are looking for. We are looking to ensure that we have both design and operating effectiveness. So, we have a Type 2 report, which is very important.

What is an “unqualified opinion?”

Now that we know that we have a Type 2 report, we need to make sure that it’s an unqualified opinion. An unqualified opinion means that the opinions from the auditors are clean. There are no qualifications about whether you can rely on it or not. So, I’ll take you to the report and show you where we can see the opinion.

To find out if you have a clean opinion or not, we’re going to look at the auditor’s report.
The first paragraph is the Introduction that we already covered.

First paragraph is the introduction of auditor’s report
First paragraph of the auditor’s report

But the second part that we are looking for is the Opinion

Point A usually says that the description of the information technology general description of the system is accurate.

opinion
Point A – Description of the Information Technology

The one that you’re really interested in is Point B and C. Point B talks about whether the control objectives were suitably designed. Words that: controls designed well to do what they’re supposed to do. In this case, they’re saying this was designed well
Point C is even more important because it says that the controls tested together with the user entity controls that they referenced were operating effectively. Ow, you have a clean opinion, and you can actually rely on this report.

opinion – Auditors report
Point B and C – Opinion

How long is this report good for?

Now that you know that you can rely on this report because it covers up to March 31st, how long is this report good for. Because if your calendar year end, you have 12 months of operations that you need to ensure all the controls were working.

In this report, it actually only covers up to March 31st. The typical guideline is that there is no bright line in the SEC Guidance or the PCAOB guidance, but, usually, if your report is within the 90 days of your year-end, September 30th is the last day that you should be getting it if you’re a calendar year end.

In this case, it’s March, so you have 9 months that you don’t know if the controls were working well. What that means is that you’re going to do alternative procedures or additional procedures. That’s where you would get what’s called a Bridge Letter.

What is a Bridge Letter?

A Bridge Letter – It takes the period from the latest report date that they’ve given us to whatever period that they’re willing to say our environment and controls have not change.

This is a separate letter that you have to get from ETrade (Company) whoever your Stock Administrator is. This is dated August 31st and it references and says:

Etrade Bridge Letter
Example Bridge Letter

They are going to say that in the outsourced operations of so and so, it was completed. The report was done according to the AICPA Standards. The SSAE 16 report emphasizes the accuracy of the procedures and controls that were built around it. It confirmed the operating effectiveness. It confirms the designs of the control. The report covered the period from October 1st to March 31st. Then this person just says that they are attesting in that the examination conducted, there were no material changes up to August 1st, which is basically the date of this report.

SO, the alternative procedure that you’re saying is I then reached out to the company up to August 31st. This person is confirming that the report that we are relying on March 31st, everything was still operating up that point.

Typically, many of these companies will do 2 SOC reports. They will do one as of March 31st and do another one as of September 30. So, if you’re a December 31st year-end,  you can wait until around November or December and ask them for a follow up, but, sometimes, the reports don’t get issued until January when it is not as helpful to you. But, in this case, you at least know that for the period of 2015 up to August 31st, the controls were working and were in place.

To recap, we discussed the first part of how to review and map controls for equity edge. These are the following:

Catch us on our Part 2 of SSAE16 – How to Review and Map Controls for Equity Edge.

Leave a Reply

Your email address will not be published.

Share This

Copy Link to Clipboard

Copy