
SSAE 16 EXAMINATION SCOPING QUESTIONNAIRE

SECTION 1: BACKGROUND INFORMATION

# Question Response

1. Provide the legal name of your organization.

2. What is the ownership type of your organization? (e.g., privately held, publicly traded, subsidiary of a publicly traded company, etc.)

3. For the purposes of drafting an arrangement letter, please provide the name and contact information for the person that will have signatory responsibilities for the document. At a minimum, name, title and mailing address should be provided.

4. What is the timeframe for selecting an accounting firm?

5. What are the names and titles of the key personnel that will be involved in the selection process?

6. Approximately how many employees does your organization employ? Please narrow the answer to the relevant divisions, if applicable.

7. What are the primary reasons for performing an SSAE 16 examination? (e.g., contractual obligation, Sarbanes-Oxley related, etc.)

8. If a third party is requiring the examination, has the third party provided any guidance regarding the desired scope of the examination? If yes, please describe.

9. Does your organization undergo an annual financial statement audit? If yes, please identify the accounting firm.

10. BrightLine is obligated by professional standards to inquire, before agreeing to provide attestation services to an organization, whether any members of senior management have ever been convicted of crimes involving theft, fraud or deception. Please identify any such instances.

1 of 9
SECTION 2: NATURE OF SERVICES

# Question Response

1. Describe the services, systems and/or processes that your organization plans to include in the scope of the SSAE 16 examination. For discussion purposes, please also provide the term used internally by your personnel to refer to those services, systems and/or processes.

2. Where are the services, systems and/or processes described above physically located?

3. What is the profile of the typical client of the services, systems and/or processes described above?

4. Does your organization have any international clients? If yes, is your organization required to report in accordance with ISAE 3402?

5. Does your organization provide services to governmental agencies? If so, please describe.
   If yes, do you anticipate that this report will be reviewed by a governmental body, commission or other regulatory agency?

6. Does your organization provide information technology general controls (ITGCs) for customers whose systems are likely to be relevant to their own financial reporting?
(Note: This includes, but is not limited to, colocation and managed services whereby the service organization has responsibility for general computing controls and the customers have responsibility for application-specific controls.)

7. Does your organization provide services that impact classes of transactions that affect significant accounts or groups of accounts at your clients? If so, please describe.
(Note: Major classes of transactions are considered those classes of transactions that are significant to your clients' financial statements.)

8. Does your organization initiate, record, process, and/or report transactions for clients? If so, please describe.

9. Does your organization maintain records, whether electronic or manual, related to the services provided that are used by clients for financial reporting purposes? If so, please describe.


10. Does your organization provide services that generate and/or capture information regarding non-transaction-processing events or conditions that impact the financial reporting of your organization's clients? If so, please describe.

11. Does your organization provide services that affect the financial reporting process used to prepare clients' financial statements, including significant accounting estimates and/or disclosures? If so, please describe.

12. Does your organization maintain a system of record for its clients?
(Note: A system of record is an information storage system which is considered to be the data source for a given data element or piece of information. The distinction may be made based on whether your clients obtain detail information from their own systems or from your organization's systems, regardless of where the information was originally generated.)

SECTION 3: PRIOR EXAMINATION INFORMATION

# Question Response

1. Has a SAS 70, SSAE 16, or any other type of SOC review ever been performed for the services, systems and/or processes in question?

2. If yes, what type(s) of audits were previously performed?

3. If yes, when were the previous audits performed?

4. If yes, was an unqualified opinion issued by the service auditor?

5. If yes, does the organization intend to use the previous audit report as the basis for future reports?

6. If yes, who performed the previous audits?

7. If yes, will BrightLine be provided with a copy of the prior report(s)?
(Note: Providing a copy of prior reports is the best way to assist BrightLine in scoping your project.)

8. Has your organization undergone an information security review within the last two years? If so, please describe the nature and extent of the review.

SECTION 4: SCOPING INFORMATION

# Question Response

1. Does your organization intend to engage the selected CPA firm for a single-year or a multi-year engagement? If multi-year (or multi-project), how many years should BrightLine contemplate in its draft arrangement letter?
(Note: Approximately 80% of BrightLine's clients enter into three to five year arrangements. Clients tend to prefer the multi-year arrangement because it locks in the fixed fees over an extended period of time and contracts do not have to be renegotiated each year. Additionally, contracts can be cancelled without penalty, further reducing the risk to the client.)

2. What type of SSAE 16 examination(s) will be performed? Please select Type 1 or Type 2. If multiple examinations are being requested, please describe the type and approximate timing of each examination. Please also complete the control objectives in Appendix 1.

3. Is a readiness assessment required in preparation for the initial examination?

4. Are there any intended users of this report besides existing clients of the services and their financial statement auditors?

5. For a Type 1 examination, does your organization have a preference as to the review date (the "as of" date) of the report?

6. For a Type 2 examination, does your organization have a preference as to the length of the review period?

7. For a Type 2 examination, does your organization have a preference as to the timing of the review period?
(Note: Review periods are generally six to 12 months in length, and may begin and end at any point in a calendar year. Additionally, review periods may begin and end in different calendar years.)

8. To what geographic locations will the engagement fieldwork be limited?

SECTION 5: INFORMATION TECHNOLOGY

# Question Response

1. Where is the data center located?

2. Is the data center in a co-sourced or outsourced facility? If so, who is the hosting company and what are their responsibilities for the information technology infrastructure? (e.g., simple hosting with no physical access to equipment, managed infrastructure, etc.)

3. Has the data center recently completed an SSAE 16 examination? If so, has a copy of the report been obtained?

4. Will services provided by the data center be included in the scope of your organization's SSAE 16 examination? (e.g., physical security, environmental security, etc.)
(Note: All third parties are excluded from the scope of the examination unless specifically noted in the arrangement letter. Additionally, the decision whether to include a significant subservice organization in the scope of the examination will determine whether the inclusive or carve-out reporting method is applied by the service auditor. Both methods result in a modification to the standard opinion letter wording.)

5. Are there any other major outsourcing or co-sourcing relationships between your organization and third parties ("subservice organizations") that impact the description of controls? If so, please describe.

6. Please describe the applications (or systems) that will be included in the scope of the examination. Please include the application name, description, supporting database, operating system and network infrastructure.

APPENDIX 1: GENERAL INFORMATION TECHNOLOGY CONTROL OBJECTIVES
The following table outlines the typical general information technology control objectives used by the vast majority of BrightLine's clients for SSAE 16 examinations. Please review this list of control objectives and identify any that you would like to use for the purposes of the requested examination. Space is also provided to add any additional control objectives that might be necessary. Please note that there is no requirement that any of the control objectives listed below be used for the purposes of your organization's examination.

Control Area / Control Objective Specified by the Service Organization / Include in Scope?

Control Area: Physical Security
Control Objective: Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.
Include in Scope? Yes/No

Control Area: Environmental Security
Control Objective: Control activities provide reasonable assurance that critical information technology infrastructure is protected from certain environmental threats.
Include in Scope? Yes/No

Control Area: Information Security
Control Objective: Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized or unintentional use, modification, addition or deletion.
Include in Scope? Yes/No

Control Area: Computer Operations
Control Objective: Control activities provide reasonable assurance of timely system backups of critical files, off-site backup storage, and regular off-site rotation of backup files.
Include in Scope? Yes/No

Control Area: Computer Operations
Control Objective: Control activities provide reasonable assurance that systems are maintained in a manner that helps ensure system availability.
Include in Scope? Yes/No

Control Area: Application Change Control
Control Objective: Control activities provide reasonable assurance that unauthorized changes are not made to production application systems.
Include in Scope? Yes/No

Control Area: Data Communications
Control Objective: Control activities provide reasonable assurance that data maintains its integrity and security as it is transmitted between third parties and the service organization.
Include in Scope? Yes/No

Insert Control Area Insert any additional general IT control objectives that are required.

Insert Control Area Insert any additional general IT control objectives that are required.

Application controls are controls related to the service provided by your organization. Such controls are typically organization-specific. Application control objectives should be inserted below if it was determined in Section 2 of this document that your organization plays a role in the financial reporting controls of your clients. Sample application control objectives published by the AICPA are included below for example purposes.

We recommend that the respondent formulate the application control objectives following an inspection of
standard contracts and service level agreements. Application control objectives are often built around
these requirements because clients have a reasonable expectation that such services are being provided.

Defining application control objectives is necessary for developing a draft arrangement letter since they
have a significant impact on the scope of the examination. The control activities that are in place to meet
the defined objective will be identified and tested at a later point in the examination process.

Control Area / Control Objective Specified by the Service Organization

Insert Control Area: Example: ACME Co. has a major contractual obligation to process insurance claims within 30 days. It might develop a "Claims Processing" control objective that states: "Control activities provide reasonable assurance that claims are processed within 30 days of receipt."

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

Insert Control Area Insert control objective.

The attached file, "Sample Application Control Objectives", includes sample application control objectives provided in the AICPA SOC 1 Guide. The document includes examples from multiple industries and is provided for informational purposes. These sample control objectives are for example purposes only and may not be relevant to the respondent's organization.

APPENDIX 2: DESCRIPTION OF IN-SCOPE IT INFRASTRUCTURE
Please provide a high-level description of the significant application(s) and system(s) that are considered
to be within the scope of the SSAE 16 examination.
In-Scope Application #1

Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
In-Scope Application #2

Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
In-Scope Application #3

Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
In-Scope Application #4

Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
