
#10 | Part 3 SSAE – 16 How to Review and Map Controls for Equity Edge

Welcome to Part 3 of SSAE 16: How to Review and Map Controls for Equity Edge.

In part 1, we talked about

  • What to review to ensure you can rely on the report
  • What an unqualified opinion is
  • How long the report is good for
  • What a “bridge letter” is

Part 2 was all about

  • What are “user control considerations?”

In this final part, we will focus on

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

What controls am I relying on?

After addressing user control considerations, the next question to ask is: what controls am I relying on from Equity Edge?

This is the report you are going to review.

Look at Section 4 of the Equity Edge SOC 1 report.

Basically, these are all the test results.

Test of Operating Effectiveness and Results of Tests

In this report, we will discuss ETrade's controls and how they relate to the information technology general control system for the StockPlans, Equity Edge Online hosting services performed at the Alpharetta, Georgia, facility. BrightLine CPAs and Associates, Inc. (BrightLine) conducted the examination testing over the period October 1, 2014, through March 31, 2015.

Test of Operating Effectiveness

The following are some of the types of procedures we do:

  • Inquire
  • Observe
  • Inspect

[Screenshot: test of operating effectiveness in Excel]

Sampling

[Screenshot: sampling methods]

Test Results

[Screenshot: test results on the report]

Security Awareness

This image shows the report's columns: Control Activity, Auditor's Test and Test Results. These columns appear on every page of the report.

[Screenshot: Security Awareness, showing the Control Activity, Auditor's Test and Test Results columns]

First Objective

Note: We need to focus on the Test Results column and identify items that indicate exceptions.

“No exceptions noted” – means it’s a clean report

More exceptions – means more work to verify

Physical Security

This page shows no exceptions noted.

[Screenshot: Physical Security test results with no exceptions]

Environmental Security

This page shows no exceptions noted.

[Screenshot: Environmental Security test results with no exceptions]

Computer Operations

This page shows no exceptions noted.

[Screenshot: Computer Operations test results with no exceptions]

Change Control

This page shows no exceptions noted.

[Screenshot: Change Control test results with no exceptions]

Information Security

This page shows no exceptions noted.

[Screenshot: Information Security test results with no exceptions]

In conclusion, this report is clean.

What do I do after I review the SSAE 16 report?

This is usually the finishing touch after reviewing the entire report, and it covers the following topics:

  • Conclusions
  • Management Review for Major Findings
  • Roll Forward Procedures

We will go back to our working paper, which says:

Conclusions – Based on the results below, the review of the SSAE16 was effective and ETrade controls over equity and stock administration can be relied upon. The bridge letter covers the period 4/1/15 – 8/31/15, which is within 3 months of 10/31/15.

[Screenshot: conclusion on the working paper]

Management Review for Major Findings – Done

Roll Forward Procedures – Obtained bridge letter covering 4/1/15 – 8/31/15

[Screenshot: Management Review and Roll Forward Procedures]

Anyone who goes back to your report will always look for the conclusion.

As a recap, we discussed the following:
