#10 | Part 3 SSAE – 16 How to Review and Map Controls for Equity Edge
Welcome to Part 3 of SSAE 16: How to Review and Map Controls for Equity Edge.
In Part 1, we talked about:
- What to review to ensure you can rely on the report
- What an unqualified opinion is
- How long the report is good for
- What a “bridge letter” is
Part 2 was all about:
- What are “user control considerations?”
In this final part, we will focus on:
- What controls am I relying on?
- What do I do after I review the SSAE 16 report as evidence of my review and documentation?
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
What controls am I relying on?
After addressing the user control considerations, the next question is: what controls am I relying on from Equity Edge?
This is the report you are going to review.
Look at the Equity Edge SOC 1 Report, Section 4.
Basically, these are all the test results.
Test of Operating Effectiveness and Results of Tests
In this report we will discuss the controls of ETrade and how they relate to the information technology general control system for the StockPlans, Equity Edge Online hosting services performed at the Alpharetta, Georgia, facility. Brightline CPAs and Associates, Inc. (BrightLine) conducted the examination testing over the period October 1, 2014, through March 31, 2015.
Test of Operating Effectiveness
The following are some of the types of procedures we do:
- Inquire
- Observe
- Inspect
Sampling
Test Results
Security Awareness
This image shows the different columns: Control Activity, Auditor's Test and Test Results. These columns appear on every page of the report.
First Objective
Note: We need to focus on Test Results and identify items that indicate exceptions.
“No exceptions noted” – means it’s a clean report
More exceptions – means more work to verify
Physical Security
This page shows no exceptions noted.
Environmental Security
This page shows no exceptions noted.
Computer Operations
This page shows no exceptions noted.
Change Control
This page shows no exceptions noted.
Information Security
This page shows no exceptions noted.
As a conclusion, this report is clean.
What do I do after I review the SSAE 16 report?
This is usually the finishing touch after reviewing the entire report, and it covers the following topics:
- Conclusions
- Management Review for Major Findings
- Roll Forward Procedures
We will go back to our working paper and it says:
Conclusions – Based on the results below, review of SSAE16 was effective and ETrade controls over equity and stock administration can be relied upon. The Bridge letter covers period between 4/1/15 – 8/31/15, which is within 3 months from 10/31/15.
Management Review for Major Findings – Done
Roll Forward Procedures – Obtained Bridge Letter covering 4/1/15 – 8/31/15
Anyone who wishes to go back to your report will always look for the conclusion.
As a recap, we discussed the following:
- What controls am I relying on?
- What do I do after I review the SSAE 16 report as evidence of my review and documentation?