SSAE 16 Examination Scoping Questionnaire
SECTION 1: BACKGROUND INFORMATION
# Question Response
SECTION 2: NATURE OF SERVICES
# Question Response
SECTION 3: PRIOR EXAMINATION INFORMATION
# Question Response
SECTION 4: SCOPING INFORMATION
# Question Response
SECTION 5: INFORMATION TECHNOLOGY
# Question Response
APPENDIX 1: GENERAL INFORMATION TECHNOLOGY CONTROL OBJECTIVES
The following table outlines the typical general information technology control objectives utilized by the
vast majority of BrightLine’s clients for SSAE 16 Examinations. Please review this list of control objectives
and identify any that you would like to use for the purposes of the requested examination. Space is also
provided to add any additional control objectives that might be necessary. Please note that there is no
requirement that any of the control objectives listed below be used for the purposes of your organization’s
examination.
Control Area | Control Objective Specified by the Service Organization | Include in Scope?
Insert Control Area | Insert any additional general IT control objectives that are required. |
Insert Control Area | Insert any additional general IT control objectives that are required. |
Application controls are controls related to the service provided by your organization. Such controls are
typically organization specific. Application control objectives should be inserted below if it was
determined in Section 2 of this document that your organization plays a role in the financial reporting
controls of your clients. Sample application controls provided by the AICPA are included below for
example purposes.
We recommend that the respondent formulate the application control objectives following an inspection of
standard contracts and service level agreements. Application control objectives are often built around
these requirements because clients have a reasonable expectation that such services are being provided.
Defining application control objectives is necessary for developing a draft arrangement letter since they
have a significant impact on the scope of the examination. The control activities that are in place to meet
the defined objective will be identified and tested at a later point in the examination process.
Control Area | Control Objective Specified by the Service Organization
Attachment: Sample Application Control Objectives
The attached file includes sample application control objectives provided in the AICPA
SOC 1 Guide. The document includes examples from multiple industries and is
provided for informational purposes. These sample control objectives are for example
purposes and may not be relevant to the respondent’s organization.
APPENDIX 2: DESCRIPTION OF IN-SCOPE IT INFRASTRUCTURE
Please provide a high-level description of the significant application(s) and system(s) that are considered
to be within the scope of the SSAE 16 examination.
In-Scope Application #1
Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
In-Scope Application #2
Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
In-Scope Application #3
Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location:
In-Scope Application #4
Application Name:
Application Description:
Database:
Operating System:
Hardware:
Physical Location: