
CERTENT, INC. PLEASANTON, CALIFORNIA INFORMATION TECHNOLOGY GENERAL CONTROL SYSTEM FOR THE CERTENT EQUITY MANAGEMENT PLATFORM SYSTEM AND ORGANIZATION CONTROL (SOC) 1 TYPE 2 REPORT REPORT ON CERTENT, INC.’S DESCRIPTION OF ITS SYSTEM AND ON THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF ITS CONTROLS FOR THE PERIOD

SEPTEMBER 1, 2016 THROUGH AUGUST 31, 2017

This report was issued by BDO USA, LLP, a Delaware limited liability partnership, and the U.S. member of BDO International Limited, a UK company limited by guarantee.

STRICTLY PRIVATE AND CONFIDENTIAL


Table of Contents

1. INDEPENDENT SERVICE AUDITOR’S REPORT ..... 4

2. MANAGEMENT OF CERTENT’S ASSERTION ..... 9

3. DESCRIPTION OF CERTENT’S INFORMATION TECHNOLOGY GENERAL CONTROL SYSTEM FOR THE CERTENT EQUITY MANAGEMENT PLATFORM ..... 12

   OVERVIEW OF CERTENT ..... 12
   SCOPE OF THE DESCRIPTION ..... 12
   INTERNAL CONTROL FRAMEWORK ..... 13
   CONTROL ENVIRONMENT ..... 13
   PERSONNEL POLICIES AND PROCEDURES ..... 13
   SECURITY PROGRAM POLICIES ..... 14
   APPLICATION SECURITY ..... 14
   POLICY FOR TRAINING ..... 14
   ORGANIZATIONAL STRUCTURE ..... 14
   RISK ASSESSMENT PROCESS ..... 15
   MONITORING ACTIVITIES ..... 15
   MONITORING OF THE SUBSERVICE ORGANIZATION ..... 15
   INFORMATION AND COMMUNICATIONS ..... 15
   INFORMATION SYSTEMS OVERVIEW ..... 16
   DESCRIPTION OF THE CERTENT EM PLATFORM ..... 16
   DESCRIPTION OF CERTENT’S ENVIRONMENTS AND NETWORK ..... 16
   CONTROL ACTIVITIES ..... 16
   COMPLEMENTARY SUBSERVICE ORGANIZATIONS CONTROLS ..... 16
   COMPLEMENTARY USER ENTITY CONTROLS ..... 17

4. DESCRIPTION OF CERTENT’S CONTROL OBJECTIVES, RELATED CONTROLS, AND INDEPENDENT SERVICE AUDITOR’S TESTS OF CONTROLS AND RESULTS OF TESTS ..... 19

   INFORMATION PROVIDED BY THE INDEPENDENT SERVICE AUDITOR ..... 19
   INTRODUCTION ..... 19
   INTERNAL CONTROL FRAMEWORK ..... 19
   TESTS OF CONTROLS ..... 19
   CONTROL OBJECTIVE 1 – CERTENT EQUITY MANAGEMENT PLATFORM SOFTWARE DEVELOPMENT ..... 21
   CONTROL OBJECTIVE 2 – LOGICAL SECURITY ..... 26
   CONTROL OBJECTIVE 3 – NETWORK SECURITY ..... 36
   CONTROL OBJECTIVE 4 – INTERNET APPLICATION SECURITY ..... 39
   CONTROL OBJECTIVE 5 – PHYSICAL SECURITY ..... 41
   CONTROL OBJECTIVE 6 – DATA BACKUP ..... 44

5. OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION ..... 46

   DATACENTER PHYSICAL SECURITY ..... 46
   SYSTEM PROTECTION ..... 47
   AVAILABILITY AND CONTINUITY ..... 47


1. Independent Service Auditor’s Report

Tel: 415-397-7900 Fax: 415-397-2161 www.bdo.com
One Bush Street Suite 1800 San Francisco, CA 94104

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

1. INDEPENDENT SERVICE AUDITOR’S REPORT

To Management of Certent, Inc.:

Scope

We have examined Certent, Inc.’s (“Certent,” or the “service organization”) description of its information technology general control system for the Certent Equity Management Platform entitled “Description of Certent’s Information Technology General Control System for the Certent Equity Management Platform” for processing user entities’ transactions throughout the period September 1, 2016 to August 31, 2017 (description), and the suitability of the design and operating effectiveness of controls included in the description to achieve the related control objectives stated in the description based on the criteria identified in “Management of Certent’s Assertion” (assertion). The controls and control objectives included in the description are those that management of Certent believes are likely to be relevant to user entities’ internal control over financial reporting, and the description does not include those aspects of the information technology general control system for the Certent Equity Management Platform that are not likely to be relevant to user entities’ internal control over financial reporting.

The information in Section 5, "Other Information Provided by the Service Organization," is presented by management of Certent to provide additional information and is not a part of Certent’s description of its information technology general control system for the Certent Equity Management Platform made available to user entities during the period September 1, 2016 to August 31, 2017. Information about Certent’s datacenter physical security, system protection, and availability and continuity has not been subjected to the procedures applied in the examination of the description of the information technology general control system for the Certent Equity Management Platform and of the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description of the information technology general control system for the Certent Equity Management Platform and, accordingly, we express no opinion on it.

Certent used CyberTrails, LLC (CyberTrails) through June 18, 2017, and uses Sungard Availability Services (Sungard AS) beginning June 18, 2017, both subservice organizations, to provide datacenter services to house the production, development, test and corporate systems. The description includes only the control objectives and related controls of Certent and excludes the control objectives and related controls of the subservice organizations. The description also indicates that certain control objectives specified by Certent can be achieved only if complementary subservice organization controls assumed in the design of Certent’s controls are suitably designed and operating effectively, along with the related controls at the service organization. Our examination did not extend to controls of the subservice organizations and we have not evaluated the suitability of the design or operating effectiveness of such complementary subservice organization controls.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls assumed in the design of Certent’s controls are suitably designed and operating effectively, along with related controls at the service organization. Our examination did not extend to such complementary user entity controls and we have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.


Service Organization’s Responsibilities

In Section 2, Certent has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. Certent is responsible for preparing the description and its assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in the assertion, and designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the related control objectives stated in the description.

Service Auditor’s Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period September 1, 2016 to August 31, 2017. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of controls involves:

Performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description, based on the criteria in management’s assertion.

Assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description.

Testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.

Evaluating the overall presentation of the description, suitability of the control objectives stated therein, and suitability of the criteria specified by the service organization and described in its assertion.


Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit and report on user entities’ financial statements and may not, therefore, include every aspect of the system that each individual user entity may consider important in its own particular environment. Because of their nature, controls at a service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions in its information technology general control system. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become ineffective.

Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are listed in Section 4.

Opinion

In our opinion, in all material respects, based on the criteria described in Certent’s assertion:

a. The description fairly presents the information technology general control system for the Certent Equity Management Platform that was designed and implemented throughout the period September 1, 2016 to August 31, 2017.

b. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period September 1, 2016 to August 31, 2017, and the subservice organizations and user entities applied the complementary controls assumed in the design of the service organization’s controls throughout the period September 1, 2016 to August 31, 2017.

c. The controls operated effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period September 1, 2016 to August 31, 2017, if complementary subservice organization and user entity controls assumed in the design of the service organization’s controls operated effectively throughout the period September 1, 2016 to August 31, 2017.


Restricted Use

This report, including the description of tests of controls and results thereof in Section 4, is intended solely for the information and use of Certent, user entities of Certent’s information technology general control system for the Certent Equity Management Platform during some or all of the period September 1, 2016 to August 31, 2017, and their auditors who audit and report on such user entities’ financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

October 30, 2017


2. Management of Certent’s Assertion


2. MANAGEMENT OF CERTENT’S ASSERTION

We have prepared the description of Certent, Inc.’s (“Certent,” or the “service organization”) information technology general control system for the Certent Equity Management Platform entitled “Description of Certent’s Information Technology General Control System for the Certent Equity Management Platform” for processing user entities’ transactions throughout the period September 1, 2016 to August 31, 2017, (description) for user entities of the system during some or all of the period September 1, 2016 to August 31, 2017, and their auditors who audit and report on such user entities’ financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by the subservice organizations and user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements.

Certent used CyberTrails, LLC (CyberTrails) through June 18, 2017, and uses Sungard Availability Services (Sungard AS) beginning June 18, 2017, both subservice organizations, to provide datacenter services to house the production, development, test and corporate systems. The description includes only the control objectives and related controls of Certent and excludes the control objectives and related controls of the subservice organizations. The description also indicates that certain control objectives specified by Certent can be achieved only if complementary subservice organization controls assumed in the design of Certent’s controls are suitably designed and operating effectively, along with the related controls at the service organizations. The description does not extend to controls of the subservice organizations.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls assumed in the design of Certent’s controls are suitably designed and operating effectively, along with related controls at the service organization. The description does not extend to controls of the user entities.

We confirm, to the best of our knowledge and belief, that:

a. the description fairly presents Certent’s information technology general control system for the Certent Equity Management Platform made available to user entities of the system during some or all of the period September 1, 2016 to August 31, 2017 for processing their transactions as it relates to controls that are likely to be relevant to user entities’ internal control over financial reporting. The criteria we used in making this assertion were that the description:

1. presents how the system made available to user entities of the system was designed and implemented to process relevant user entity transactions, including:

the types of services provided including, as appropriate, the classes of transactions processed.

the procedures, within both automated and manual systems, by which those services are provided, including, as appropriate, procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to reports and other information prepared for user entities of the system.


the information used in the performance of the procedures, including, if applicable, related accounting records, whether electronic or manual, and supporting information involved in initiating, authorizing, recording, processing, and reporting transactions; this includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities.

how the system captures and addresses significant events and conditions, other than transactions.

the process used to prepare reports and other information for user entities.

services performed by subservice organizations, if any, including whether the inclusive method or the carve-out method has been used in relation to them.

the specified control objectives and controls designed to achieve those objectives, including, as applicable, complementary user entity and subservice organization controls assumed in the design of the service organization’s controls.

other aspects of our control environment, risk assessment process, information and communications (including related business processes), control activities, and monitoring activities that are relevant to the services provided.

2. includes relevant details of changes to the service organization’s system during the period covered by the description.

3. does not omit or distort information relevant to the service organization’s system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and their user auditors, and may not, therefore, include every aspect of the information technology general control system for the Certent Equity Management Platform that each individual user entity of the system and its auditor may consider important in its own particular environment.

b. The controls related to the control objectives stated in the description were suitably designed and operating effectively throughout the period September 1, 2016 to August 31, 2017, to achieve those control objectives if subservice organizations and user entities applied the complementary controls assumed in the design of Certent’s controls throughout the period September 1, 2016 to August 31, 2017. The criteria we used in making this assertion were that:

1. The risks that threaten the achievement of the control objectives stated in the description have been identified by management of the service organization.

2. The controls identified in the description would, if operating effectively, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.

3. The controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.


3. Description of Certent’s Information Technology General Control System for the Certent Equity Management Platform


3. DESCRIPTION OF CERTENT’S INFORMATION TECHNOLOGY GENERAL CONTROL SYSTEM FOR THE CERTENT EQUITY MANAGEMENT PLATFORM

Overview of Certent

Certent is a software development company with headquarters in Pleasanton, California. Certent offers a Software as a Service (SaaS) web-based stock plan administration software platform that combines financial reporting with recordkeeping, which is referred to as the Certent Equity Management Platform (the Certent EM Platform) in this report. Certent delivers a self-service software solution that requires a web browser for enterprise wide access. Features include:

Fully automated regression testing for over 200 reports,

Full date sensitivity allowing restatement of prior periods,

Real time, historical reporting,

Support for Options, Restricted Stock Units (RSUs), Restricted Stock Awards (RSAs), Stock Appreciation Rights (SARs), and Performance Awards,

User and date stamping of transactions, allowing audit of post-dated entry,

Self Service “Roles” that allow preferred broker & transfer agent access,

Integrated Employee Stock Purchase Plan (ESPP) with online employee enrollment, contribution changes and roll forward features,

Global mobility tracking,

Unlimited user definable tax jurisdictions, and

Hosted (web-based).

Scope of the Description

This description addresses only Certent’s information technology (IT) general control system for the Certent EM Platform provided to its user entities and excludes other services provided by Certent. The description is intended to provide user entities and their independent auditors who audit and report on such user entities’ financial statements or internal control over financial reporting, with information about the information technology general control system for the Certent EM Platform and the controls over that system that are likely to be relevant to user entities’ internal control over financial reporting. The description of the system includes the IT general controls that support the delivery of the Certent EM Platform. The description does not encompass all aspects of the services provided or controls performed by Certent. The description is prepared to meet the common needs of a broad range of user entities of the system and their user auditors, and may not, therefore, include every aspect of the information technology general control system for the Certent EM Platform that each individual user entity of the system and its auditor may consider important in its own particular environment. Unique processes or control situations not described herein are outside the scope of this description.


Certent used CyberTrails through June 18, 2017, and uses Sungard AS, beginning June 18, 2017, both subservice organizations, to provide datacenter services to house the production, development, test and corporate systems. The description includes only the control objectives and related controls of Certent and excludes the control objectives and related controls of the subservice organizations.

Internal Control Framework

This section provides information about the five interrelated components of internal controls at Certent, including:

Control Environment,

Risk Assessment Process,

Monitoring Activities,

Information and Communications, and

Control Activities.

Control Environment

Personnel Policies and Procedures

Background checks are performed on all employees upon hire. Due to Certent’s international growth, background checks vary based upon local applicable laws and employee work location.

For United States Employees: Checks performed include Social Security Number Trace, Multi-State Instant Criminal Check, Criminal County Search, Federal Criminal Search, Nationwide Sex Offender Check, Global Blacklist, Education Verification and Employment Verification. Office of Foreign Assets Control (OFAC) checks are performed for employees who touch client data (accounting, services), all management, and HR. Professional References are checked prior to hire. An Employee Handbook is provided to all employees via our HR self-service portals. The Employee Handbook includes policies on job performance evaluations, anti-harassment, guidelines for appropriate conduct, employee safety and health, employment of relatives, complaint resolution procedure, company property, at-will employment, equal employment opportunity, acceptable use (e.g., use of systems, internet code of conduct, social network and online message boards, company property, wireless communications device guidelines), state specific policies and an Employee Handbook acknowledgement. In addition, employees are required to sign the “Confidential Information, Invention Assignment, and Arbitration Agreement” upon hire, which addresses confidential information and conflict of interest, amongst other topics.

For Canadian and other International Employees: Checks performed include International Criminal Search, Employment Verification, and Education Verification. Professional References are checked prior to hire. Office of Foreign Assets Control (OFAC) checks are performed for employees who touch client data (accounting, services), all management, and HR. In addition, Employment Contracts for non-U.S. employees contain language based upon our U.S. “Confidential Information, Invention Assignment, and Arbitration Agreement” to address confidential information and conflict of interest, amongst other topics.

Performance evaluations are conducted on an ongoing basis by the employee's manager using a web-based performance evaluation tool which includes a review of various areas, such as individual objectives, job knowledge, service above self, and leadership. Individual objectives address the following categories: employee engagement, scale business, and customer success. The Performance Review is digitally acknowledged by the employee and the manager to document that the review was completed.

Security Program Policies

Certent maintains an Information Security Program document which addresses the following areas: risk assessment, information security, asset management, physical and environmental security, access control, information security incident management, business continuity management, compliance and security awareness training.

Application Security

Certent performs vulnerability scans of the production infrastructure on a regular basis (minimally once per year) using the Qualys Vulnerability Management application. Certent performs web application scans on a regular basis (minimally once per year) using the Qualys Web Application Scanning application. Additionally, Certent engages an independent third-party to perform an annual penetration test of the EM platform.

Policy for Training

Certent’s employees receive annual security awareness training. Job specific training consists principally of on-the-job training, supplemented by in-house training classes and external seminars. Employees are encouraged to obtain professional certifications and designations within their field of expertise (e.g., Certified Equity Professional).

Organizational Structure

Certent is organized into the following groups in support of the information technology general control system for the Certent EM Platform provided as a software-as-a-service system:

Engineering - responsible for programming changes to the Certent EM Platform.

Finance and Human Resources - responsible for financial and employee services.

Marketing - responsible for marketing, events, and communications.

Product Management - responsible for creating Backlog Items that provide guidance for the Engineering Group in the development of the Certent EM Platform.

Quality Assurance - responsible for the testing of changes to the Certent EM Platform.

Sales and Partnerships - responsible for identifying potential user entities, communicating the product’s features to potential user entities, initiating contracts with new user entities, and negotiating agreements for custom enhancement projects.

Services and Support - responsible for assisting in the setup of new user entities on the Certent EM Platform and providing professional services (consulting and training).

TechOps - responsible for the maintenance of the Certent EM Platform production, development, test and corporate hardware and software infrastructure, and to provide help desk services to employees.

Certent in the past utilized Lawrence & Schiller TeleServices to augment its staffing needs; however, this relationship did not exist during the examination period.

Risk Assessment Process

Certent’s risk assessment process involves weekly management meetings to identify and monitor risks related to the Certent EM Platform provided as a software-as-a-service system. For any significant risks identified, management implements the appropriate measures to monitor and manage the risks. In addition, recurring risk management meetings are held involving all functional teams within Certent. Strategic issues affecting the overall business are presented and reviewed by the functional managers. The status of outstanding risks is reviewed, and new risks are assigned an owner, prioritized, and the management of the risks is discussed and agreed to.

Monitoring Activities

Certent management and supervisory personnel monitor the quality of internal control performance via frequent observance, interaction, and performance of their assigned duties. To assist them in monitoring, Certent uses a Customer Relationship Management (CRM) system to log and track cases submitted by user entities. Dashboards also assist managers in evaluating case management metrics. The TechOps Group receives weekly metric reports detailing the Certent EM Platform system availability.

Monitoring of the Subservice Organization

Certent receives the system and organization controls (SOC) 2 Type 2 reports of CyberTrails and Sungard AS on an annual basis. In addition, through its daily operational activities, management of Certent monitors the services performed by CyberTrails and Sungard AS to ensure that operations and controls expected to be implemented at the subservice organizations are functioning effectively. Management also holds periodic calls with the subservice organizations to relay any issues or concerns.

Information and Communications

Certent uses various methods of communication to help ensure that employees understand their individual roles and responsibilities as they relate to the information technology general control system for the Certent EM Platform provided as a software-as-a-service and to help ensure that information is communicated on a timely basis. These methods include job descriptions, training, and management and group meetings. Certent has implemented various methods of communication with its user entities to help ensure they understand their individual roles and responsibilities as they relate to the information technology general control system for the Certent EM Platform. These methods include user entity training, release notes issued to the user entity, and a service agreement that is required to be signed by Certent and the user entity.


Information Systems Overview

Description of the Certent EM Platform

The Certent EM Platform is a web-based application which is developed and supported by Certent. The Certent EM Platform, with an Oracle database in the background, is designed to offer user entities the ability to track and account for equity awards. The Certent EM Platform is accessed by Certent personnel and user entities via the Internet through application processing servers. Certent is responsible for the Certent EM Platform hardware and software support, including technical assistance and system monitoring.

Description of Certent’s Environments and Network

The Certent production, development, test and corporate systems have been located at the Sungard AS datacenter facility in Scottsdale, Arizona since June 18, 2017. Prior to June 18, 2017, the Certent production, development, test and corporate systems were located at the CyberTrails datacenter facility in Phoenix, Arizona. Certent has a Local Area Network (LAN) installed at its corporate offices which is used by employees for Internet access, email and printing. The network rooms house the necessary routers, switches, and an authentication server for connecting the corporate office to the Internet.

Control Activities

Certent has specified the control objectives and identified the controls that are designed to achieve the related control objectives. The specified control objectives, related controls, and complementary user entity controls are presented in Section 4, “Description of Certent’s Control Objectives, Related Controls, and Independent Service Auditor’s Test of Controls and Results of Tests” and are an integral component of Certent’s description of its information technology general control system for the Certent EM Platform.

Complementary Subservice Organization Controls

Certent’s controls related to the information technology general control system for the Certent EM Platform cover only a portion of overall internal control for each user entity of Certent. It is not feasible for the control objectives related to the information technology general control system for the Certent EM Platform to be achieved solely by Certent. Therefore, each user entity’s internal control over financial reporting must be evaluated in conjunction with Certent’s controls and related tests and results described in Section 4, taking into account the related complementary subservice organization controls expected to be implemented at the subservice organizations as described below.

Complementary Subservice Organization Control - Related Control Objective

1. Logical, physical and environmental safeguards are in place at Sungard AS and CyberTrails. - CO 2, 3, 4 & 5


Complementary User Entity Controls

The Certent controls cover only a portion of the overall internal control structure of each user entity. Each user entity’s internal control structure must be evaluated in conjunction with Certent’s controls and related testing detailed in Section 4 and take into account the related complementary user entity controls identified under each control objective. In order for user entities to rely on the controls reported on herein, each user entity must evaluate its own internal control structure to determine if the identified complementary user entity controls are in place and operating effectively. BDO USA, LLP, the service auditor, has determined the nature, timing, and extent of testing to be performed. Details of the tests of controls and the results of those tests performed are included in Section 4 and are the responsibility of BDO USA, LLP.


4. DESCRIPTION OF CERTENT’S CONTROL OBJECTIVES, RELATED CONTROLS, AND INDEPENDENT SERVICE AUDITOR’S TESTS OF CONTROLS AND RESULTS OF TESTS

Information Provided by the Independent Service Auditor

Introduction

This report, when combined with an understanding of the controls at the user entity, is intended to assist user auditors in planning the audit of the user entities’ financial statements or user entities’ internal control over financial reporting, and in assessing control risk for assertions in user entities’ financial statements that may be affected by controls at Certent. This report is also intended to provide information about the controls that were tested. Our examination was limited to the control objectives and related controls specified by Certent in Section 4, and did not extend to controls at the subservice organizations or user entities. It is each user entity’s and its independent auditors’ responsibility to evaluate this information in conjunction with the evaluation of internal control over financial reporting at the user entity in order to assess the total internal control. If internal control is not effective at the user entities, Certent’s controls may not compensate for such weaknesses.

The scope of the examination included tests of the operating effectiveness of information technology general controls over the Certent Equity Management Platform including controls related to changes to the Certent Equity Management Platform.

Internal Control Framework

The Certent internal control environment represents the collective effect of various factors on establishing or enhancing the effectiveness of controls specified by the service organization and mitigating the risks the business may encounter. In addition to tests of specific controls described in this section of the report, our procedures included a review of relevant elements of Certent’s control environment, risk assessment process, monitoring activities, and information and communications. Our review of the internal control framework included the following procedures to the extent we considered necessary: (a) a review of Certent’s organizational structure, including the segregation of responsibilities and personnel policies; (b) discussions with management, operations, administrative, and other personnel who are responsible for developing, ensuring adherence to, and applying control procedures during performance of their assigned duties; (c) observations of personnel in the performance of their assigned duties; and (d) examination of selected Certent documentation. The control environment, risk assessment process, monitoring activities, and information and communications were considered in determining the nature, timing, and extent of our testing of controls relevant to achievement of the control objectives specified by the service organization.

Tests of Controls

Our examination of the description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description involved performing procedures to obtain evidence about the fairness of the presentation of the description of the system and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved throughout the period September 1, 2016 to August 31, 2017. Our examination also included evaluating the overall presentation of the description, the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in Certent’s assertion in Section 2. Our tests of controls were designed to cover a representative number of activities throughout the period from September 1, 2016 to August 31, 2017, for each of the controls listed in this section of the report, which are designed to achieve the specified control objectives. In performing particular tests of controls, we considered: (a) the types and competence of available evidential matter; (b) the control objectives to be achieved; (c) the assessed level of control risk; and (d) the expected efficiency and effectiveness of the test. The following table summarizes the terms used in this section to describe the nature of the tests performed:

Test - Description

Inquiry - Made inquiries of appropriate personnel and corroborated responses with management.

Observation - Observed the application, performance, or existence of the control.

Inspection - Inspected documents and reports indicating performance of the control.

Reperformance - Reperformed application of the control.

BDO USA, LLP’s tests of controls of Certent were restricted to the controls specified by Certent in this section of the report, and were not extended to controls in effect at user entities or other controls which were not documented as tested under each control objective listed in this section of the type 2 report. The description of BDO USA, LLP’s tests of controls and results of those tests are presented in this section of the report and are the responsibility of BDO USA, LLP, the service auditor. The description of control objectives, the related controls, and the complementary user entity controls to achieve the objectives have been specified by and are the responsibility of Certent.


CONTROL OBJECTIVE 1 – Certent Equity Management Platform Software Development

Controls provide reasonable assurance that the Certent Equity Management Platform software and related database changes are authorized, tested, approved, properly implemented and documented to result in the complete, accurate, and timely processing and reporting of transactions and balances relevant to user entities’ internal control over financial reporting.

The Certent EM Platform software is developed using the Agile Framework and Scrum methodologies. Certent’s Software Development Life Cycle (SDLC) comprises four phases: Define, Design and Develop, Test, and Deploy. As Certent utilizes the Agile Framework, each of the first three phases may take place simultaneously. Each phase is addressed independently below. Certent deploys its Certent EM Platform software releases in sprints. Each sprint may have more than one work item, depending on the nature of the change. The final QA testing and approval for deployment in the Release Candidate (RC) phase of testing occurs at the sprint level prior to production implementation. Certent has implemented separate production, development, and test environments.

Define

Product Owners manage the Product Backlog, which consists of User Stories (enhancements) and Bugs. Both are also referred to as a “Backlog Item” by Certent. User Stories and Bugs are both tracked in Team Foundation Server (TFS) and follow the same development process.

Design and Develop

In addition to tracking Backlog Items, Certent uses TFS to maintain version control over the Certent EM Platform source code. TFS serves as a master library for all source code. The source code is checked out of TFS into the developer’s development environment to ensure the correct version of the software is modified and to alert other developers that changes are in progress. The developer makes the required changes and performs unit testing in the development environment. The source code is then checked into TFS. Write access to TFS is restricted to authorized personnel.

Test

Once a Backlog Item is checked in, Quality Assurance (QA) testing can be performed. Certent EM Platform software changes are tested by QA, Support Services personnel or by partners/customers depending on the changes being tested. The objective of the testing is to confirm that the changes meet the requirements specified in the Backlog Item. The individual performing the test provides their electronic approval in TFS or via email to evidence that the testing is complete.

Accounting Report Testing

Within each sprint, QA performs automated regression testing on over 200 reports during the testing phase to ensure that related calculations are performing according to specifications.

Additionally, as of June 5, 2017, Certent has identified the 19 key reports listed in Table 1 below. These reports undergo additional testing in the RC phase of testing. QA testing verifies calculation results before and after code changes are made for all reports. Unexpected differences are tracked and corrected. QA notes the completion of the additional testing for the 19 reports with a note that differences have been reviewed and verified. Upon completion of testing, QA documents the test result status as "Closed" in the TFS User Story. Once testing is complete for all items in a sprint, the sprint moves into the deployment phase.

Table 1

1. All Awards - Expense Accrual - by Subsidiary
2. APIC FAS 123 Pool
3. Common Equivalents - Dilution Summary
4. Common Equivalents Detail - All Others
5. Common Equivalents Detail – Rest. Stock
6. Deferred Tax - DTA Tracking – Options
7. Deferred Tax - DTA Tracking – RS
8. Deferred Tax - Option Awards - ISO DDs
9. Deferred Tax Reconciliation Report
10. Disclosure - Option Detail
11. Disclosure Report - Option Summary
12. Disclosure Report - RS Award Summary
13. Disclosure - RS Awards Detail
14. Option & SAR Exercises Report
15. Option Forfeitures
16. Options Granted
17. Restricted Stock Future Vesting Report
18. Restricted Stock Cancellation Report
19. Terminated Employee List

Deploy

The Release Manager coordinates with the Product Owners, Team Leads, database administrator (DBA), and network administrator to deploy the changes into the production environment. Before the sprint is deployed to production, a lockdown meeting is held with the above listed personnel to ensure all Backlog Items are either approved or removed from the release prior to lockdown. Once the code is locked down, it is deployed to the RC server and a final check is performed by QA. Noted issues are resolved as needed. Upon successful RC testing, QA documents the results in the TFS work item description. The QA Manager then sends an email to the Release Team providing approval for the sprint to be deployed to the production environment.

Access to implement changes into the Certent EM Platform and database production environments is restricted to authorized personnel. Changes are generally deployed to the production environment during off-peak hours and/or periods of low activity. Hot fixes, i.e., emergency changes, may be deployed as needed. Hot fixes follow the same development process as sprints except that RC testing is not performed on hot fixes. The Release Team is able to restore the production environment to the prior version if a problem occurs with the release.

Database Changes

Developers write code to effect specific changes to the databases. All changes are handled as described in the narrative above for the Certent EM Platform software changes. The Accounting Report Testing details are applicable to specific reports and hence not applicable to database changes.

Controls Specified by Certent and Tests of Controls Performed by BDO USA, LLP

1.1 Certent has implemented separate production, development and test environments.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the production, development and test environments and determined they were separate from each other.

1.2 Certent uses TFS to maintain version control over the Certent EM Platform source code.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected TFS and determined that it was used to maintain version control over the Certent EM Platform source code.

1.3 Write access to TFS is restricted to authorized personnel.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the TFS source code user list and the organization chart; reviewed the list with Certent personnel; and determined that write access to TFS is restricted to authorized personnel.


1.4 The Certent EM Platform software and database changes are tested by the QA, Support Services personnel or by partners/customers depending on the changes being tested. The individual performing the test provides their electronic approval in TFS or via email to evidence the testing is complete.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of Certent EM Platform software and database changes, inspected the TFS work item and determined that the individual performing the test provided their electronic approval in TFS providing evidence of the control procedure described.

1.5 Within each sprint, QA performs automated regression testing within the RC server to ensure that related calculations are performing according to specifications. As of June 5, 2017, Certent has identified 19 reports for which additional testing is performed in the RC phase of testing wherein unexpected differences are tracked and corrected. The QA notes the completion of the additional testing with a note that differences have been reviewed and verified. Upon completion of testing, QA documents the test result status as “Closed” in the TFS User Story. The QA Manager then sends an email to the Release Team providing approval for the sprint to be deployed to the production environment.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of sprints, including the sprints released after June 5, 2017, inspected the TFS work item and determined that QA documented the test result status as “Closed” in the TFS User Story providing evidence of the control procedure described.

For a selection of sprints after June 5, 2017 which included the 19 reports identified by Certent for additional testing during the RC phase of testing, inspected the TFS work item and determined that QA documented the additional testing with a note that differences have been reviewed and verified in the TFS User Story providing evidence of the control procedure described.

For a selection of sprints, including the sprints released after June 5, 2017, inspected the email and determined that the QA Manager approved the sprint to be deployed into the production environment.


1.6 Access to implement changes into the Certent EM Platform and database production environments is restricted to authorized personnel.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the production server and database user lists and the organization chart; reviewed the lists with Certent personnel; and determined that access to implement changes into the Certent EM Platform and database production environments is restricted to authorized personnel.

Results of Tests Performed

No exceptions noted.

Complementary User Entity Controls

1. User entities are responsible for notifying Certent of issues or requesting enhancements requiring software development and testing and approving the software changes requested.

2. User entities are responsible for validating the completeness and accuracy of their data as presented / reported by Certent.


CONTROL OBJECTIVE 2 – Logical Security

Controls provide reasonable assurance that logical access to the: (1) network, Certent Equity Management Platform and related databases relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate Certent personnel and such personnel are restricted to performing authorized and appropriate actions and (2) Certent Equity Management Platform relevant to user entities’ internal control over financial reporting is restricted to users authorized by the user entity.

The TechOps Group is responsible for assigning and maintaining access rights to the network and the Certent EM Platform database. TechOps leadership shares responsibility with Services and Support leadership for authorizing Certent EM Platform administrator access.

Certent Personnel Access Authorization

Network and Certent EM Platform Database Administrator Access: Network administrator access is restricted to authorized IT personnel. Certent EM Platform database administrator access is restricted to authorized database administrators. To authorize administrator access for the network and the Certent EM Platform database, an Access Authorization Form is completed for the employee and signed by the Vice President of TechOps or the SVP of Product Development. Corporate (non-production) local and remote network access is authorized for all employees. Non-employee consultant and contractor network and remote access requires a request from the manager level or higher. Upon request, an Access Authorization Form is completed and signed by a Network Administrator or the Vice President of TechOps. Access to administer the operating system for the database is restricted to database administrators by means of the superuser do (sudo) command. The root password is known to database administrators only.

Certent EM Platform Administrator Access: Administrator access to the Certent EM Platform is restricted to employees in the Services and Support and QA groups and employees in production support roles. To authorize administrator access for the Certent EM Platform, an Access Authorization Form is completed for the employee and signed by one of the following: the Vice President of TechOps, a VP, or executive staff. Access modifications also follow the access authorization process described above.

Certent Personnel Access Disablement/Deletion

When employees terminate, Human Resources (HR) notifies the TechOps Group to disable/delete the terminated employee’s network, Certent EM Platform administrator, and Certent EM Platform database access, as applicable. The TechOps Group disables/deletes the terminated employee’s network and Certent EM Platform database access, as applicable, and coordinates with Services and Support to remove the Certent EM Platform administrator access. The TechOps Group creates or updates a ticket in the ticketing system to evidence that the terminated employee’s access was disabled/deleted. When network access is disabled, remote access is also disabled.

User List Review

The Vice President of TechOps reviews the network, remote, Certent EM Platform administrator, network administrator, and Certent EM Platform database administrator user lists annually to verify that access is restricted to authorized personnel. The Vice President of TechOps creates a ticket in the ticketing system, attaches the version of the log reviewed to evidence the review performed, and closes the ticket.

Production and Corporate Network, Remote, Network Administrator, Certent EM Platform Database, and Certent EM Platform System Administrator Access

Network and remote access is restricted to authorized personnel. Access to the production and corporate networks requires a user to enter a user ID and password for each network. Password security parameters for the production and corporate networks include the following requirements:

Minimum password length

Password expiration

Password history

Password complexity is enabled

Account lockout after a set number of unsuccessful logon attempts with an automatic reset after a set time

Remote network access is available through Virtual Private Network (VPN) client software configured for two factor authentication. Remote access requires the user to enter their network user ID and password for initial authentication. Once the VPN software authenticates the validity of the user ID and password, a one-time unique password is sent to the user’s email. The second factor password must be entered in the VPN software before a connection is made.

Certent EM Platform Database Access

Access to the Certent EM Platform database requires a user to enter a user ID and password.


Certent EM Platform System Administrator Access

The Certent EM Platform access is restricted to authorized Certent personnel and users authorized by the user entity. Access to the Certent EM Platform requires a user to enter a user ID and password. Password security parameters for the Certent EM Platform include the following requirements:

Minimum password length

Password expiration

Password history

Idle session time out

Password complexity is enabled

Account lockout after a set number of unsuccessful logon attempts with an administrator reset required
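The two parameter lists (production and corporate networks above, Certent EM Platform here) differ in one point: after the lockout threshold is hit, a network account resets automatically after a set time, while a platform account stays locked until an administrator resets it. The following added example, which is not code from the Certent platform, models both variants together with the length, complexity and history checks; the threshold, timer, length and history values are assumptions, since the report names the parameter kinds but not their settings.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed values: the report lists the parameter kinds, not the numbers.
NETWORK_POLICY = dict(min_length=12, history=5, max_attempts=5, auto_reset_seconds=900)
EM_PLATFORM_POLICY = dict(min_length=12, history=5, max_attempts=5, auto_reset_seconds=None)


def _digest(password):
    # Unsalted SHA-256 keeps the example short; a real store uses a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def complexity_ok(password):
    """Three of four character classes, a common reading of 'complexity is enabled'."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3


@dataclass
class Account:
    password_hash: str
    older_hashes: list = field(default_factory=list)  # oldest first
    failures: int = 0
    locked_at: Optional[float] = None                 # seconds; None = not locked


class Authenticator:
    def __init__(self, min_length, history, max_attempts, auto_reset_seconds):
        self.min_length = min_length
        self.history = history                        # passwords remembered, current included
        self.max_attempts = max_attempts
        self.auto_reset_seconds = auto_reset_seconds  # None = administrator reset required

    def set_password(self, acct, new_password):
        """Enforce minimum length, complexity and history; return (ok, reason)."""
        if len(new_password) < self.min_length:
            return False, "too short"
        if not complexity_ok(new_password):
            return False, "complexity"
        remembered = ([acct.password_hash] + acct.older_hashes[::-1])[:self.history]
        digest = _digest(new_password)
        if digest in remembered:
            return False, "reused"
        acct.older_hashes.append(acct.password_hash)
        acct.password_hash = digest
        return True, "ok"

    def is_locked(self, acct, now):
        if acct.locked_at is None:
            return False
        if self.auto_reset_seconds is None:
            return True                               # only admin_unlock() clears it
        if now - acct.locked_at >= self.auto_reset_seconds:
            acct.locked_at, acct.failures = None, 0   # automatic reset after the set time
            return False
        return True

    def login(self, acct, password, now):
        """Return 'ok', 'denied' or 'locked'."""
        if self.is_locked(acct, now):
            return "locked"
        if _digest(password) == acct.password_hash:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_attempts:
            acct.locked_at = now
            return "locked"
        return "denied"

    def admin_unlock(self, acct):
        acct.locked_at, acct.failures = None, 0


def demo():
    """Walk both policies through a lockout and return the observed outcomes."""
    net, em = Authenticator(**NETWORK_POLICY), Authenticator(**EM_PLATFORM_POLICY)
    net_acct, em_acct = Account(_digest("Correct-Horse-9")), Account(_digest("Correct-Horse-9"))
    out = {}
    for _ in range(NETWORK_POLICY["max_attempts"]):     # wrong guesses at t=0 until lockout
        out["net_lock"] = net.login(net_acct, "wrong", now=0)
        out["em_lock"] = em.login(em_acct, "wrong", now=0)
    out["net_after_wait"] = net.login(net_acct, "Correct-Horse-9", now=900)  # timer expired
    out["em_after_wait"] = em.login(em_acct, "Correct-Horse-9", now=900)     # still locked
    em.admin_unlock(em_acct)
    out["em_after_admin"] = em.login(em_acct, "Correct-Horse-9", now=901)
    out["reuse"] = net.set_password(net_acct, "Correct-Horse-9")
    out["short"] = net.set_password(net_acct, "Ab1!")
    out["change"] = net.set_password(net_acct, "Another-Pass-42")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The administrator-reset variant is the stricter one: a locked platform account cannot be brute-forced again after a cooling-off period, but every lockout becomes a support event, which is why the platform also gives user-entity security administrators the unlock and password-reset rights listed below.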

Upon successful logon, users are provided access to a drop-down list of companies for which the user has access. The user can only access company data to which they have been provided access.

User Entity Certent EM Platform Access Authorization

The Certent EM Platform Stock Option Administrator (SOA), Security Administrator, or Group Administrator access to user entity accounts is restricted to the Certent Services and Support and Quality Assurance Groups. Each user entity assumes responsibility for setting up and maintaining access within its own organization. The Services and Support Group sets up security or group administrator access for each user entity. The user entity personnel with security or group administrator access are then responsible for the creation of additional security or group administrator roles, as well as SOA and lower roles for the given user entity. User administration activities performed by the user entity personnel are outside the scope of this SOC report. The security and group administrator level access provides the user the ability to:

1. Add new users
2. Update user information
3. Grant additional user roles
4. Delete users
5. Unlock user access
6. Reset user passwords


To authorize a new user entity security or group administrator access, the authorized user entity representative emails the Services and Support Group. A Services and Support Group member with the Certent EM Platform system administrator access sets up the user entity’s security or group administrator access. Certent will communicate the user ID for the newly created user account. Passwords are not provided. The new user must perform a self-service password reset on the Certent EM Platform login page to set up their password.

User Entity Certent EM Platform Access Disablement/Deletion

It is the responsibility of the user entity to manage their user access, including any access disablement and deletion. Thus, user entity controls for user access disablement or deletion are outside the scope of this report. The information provided here is only for clarity of the responsibility boundaries. When a security or group administrator terminates with a client entity, the user entity creates a support ticket to identify the administrator leaving and designate a new user as a replacement. The Certent EM Platform access authorization for the designated replacement follows the same access approval and setup as mentioned above. The newly designated security or group administrator is then responsible for managing the terminated administrator account.

Controls Specified by Certent | Tests of Controls Performed by BDO USA, LLP

Certent Personnel Access Authorization

2.1 To authorize administrator access for the network and the Certent EM Platform database, an Access Authorization Form is completed for the employee and signed by the Vice President of TechOps or SVP Product Development. To authorize administrator access for the Certent EM Platform, an Access Authorization Form is completed for the employee and signed by one of the following: Vice President of TechOps, a VP, or executive staff.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of users requiring administrator access to the network, inspected the Access Authorization Form and determined that the form was completed and signed by the Vice President of TechOps or SVP Product Development.

For the only user requiring administrator access to the Certent EM Platform database, inspected the Access Authorization Form and determined that the form was completed and signed by the Vice President of TechOps or SVP Product Development.


For a selection of new users requiring administrator access to the Certent EM Platform, inspected the Access Authorization Form and determined that the form was signed by either the Vice President of TechOps, a VP, or executive staff.

2.2 Access to administer the operating system for the database is restricted to database administrators by means of the sudo command.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the database operating system administrator user and the organization chart; reviewed the list with Certent personnel, and determined that access was restricted to database administrators by means of the sudo command.

2.3 Network administrator access is restricted to authorized IT personnel.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the network administrator user list and the organization chart; reviewed the list with Certent personnel, and determined that access was restricted to authorized IT personnel.

2.4 The Certent EM Platform database administrator access is restricted to authorized database administrators.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the Certent EM Platform database administrator user list and the organization chart; reviewed the list with Certent personnel, and determined that access was restricted to authorized database administrators.


2.5 Non-employee consultant and contractor network and remote access requires a request from the manager level or higher. Upon request, an Access Authorization Form is completed and signed by a Network Administrator or Vice President of TechOps.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of non-employee consultants and contractors requiring network and remote access, inspected the Access Authorization Form and determined that the form was completed and signed by a Network Administrator or Vice President of TechOps.

Certent Personnel Access Disablement/Deletion

2.6 To delete the access of a terminated employee, HR notifies the TechOps Group to disable/delete the terminated employee’s network, the Certent EM Platform administrator, and the Certent EM Platform database access, as applicable. The TechOps Group disables/deletes the terminated employee’s network and Certent EM Platform database access, as applicable, and coordinates with Services and Support to remove the Certent EM Platform administrator access. The TechOps Group creates or updates a ticket in the ticketing system to evidence that the terminated employee’s access was disabled/deleted.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of terminated employees, inspected the ticket and determined that network access was disabled/deleted providing evidence of the control procedure performed.

For the only two employees with administrator access to the Certent EM Platform, inspected the ticket and determined that the Certent EM Platform access was disabled providing evidence of the control procedure performed.

The operating effectiveness of this control as it relates to Certent EM Platform database access removal could not be tested other than by inquiry as there were no terminated employees requiring such access removed during the examination period.

For a selection of terminated employees, inspected the network, the Certent EM Platform administrator, and the Certent EM Platform database user lists and determined that the terminated employees were not listed.


User List Review

2.7 The Vice President of TechOps reviews the network, remote, the Certent EM Platform administrator, network administrator, and the Certent EM Platform database administrator user lists annually to verify that the access is restricted to authorized personnel. The Vice President of TechOps creates a ticket in the ticketing system, attaches the version of the log reviewed to evidence the review performed, and closes the ticket.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the Access Authorization Log and ticket and determined that the Vice President of TechOps closed the ticket providing evidence that the network, remote, the Certent EM Platform administrator, network administrator, and the Certent EM Platform database administrator user lists were reviewed.

Network Access

2.8 Password security parameters for the production and corporate networks include the following requirements:

Minimum password length

Password expiration

Password history

Password complexity is enabled

Account lockout after a set number of unsuccessful logon attempts with an automatic reset after a set time

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the network password configurations for the production and corporate networks and determined that the stated parameters were applied.

Network Access

2.9 Access to the production and corporate networks requires a user to enter a user ID and password.

Inquired of Certent personnel and corroborated the control procedure described.

Observed the production and corporate network logon prompts and determined that a user ID and password were required for access.


Remote Access

2.10 Remote access requires the user to enter their network user ID and password for initial authentication. Once the VPN software authenticates the validity of the user ID and password, a one-time unique password is sent to the user’s email. The second factor password must be entered in the VPN software before a connection is made.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the VPN logon prompt and determined that a valid user ID and password are required for initial authentication. Once initial authentication was validated, a one-time unique password is required for remote access.

Certent EM Platform Database Access

2.11 Access to the Certent EM Platform database requires a user to enter a user ID and password.

Inquired of Certent personnel and corroborated the control procedure described.

Observed the Certent EM Platform database logon prompt and determined that a user ID and password were required for access.

Certent EM Platform Access

2.12 Access to the Certent EM Platform requires a user to enter a user ID and password.

Inquired of Certent personnel and corroborated the control procedure described.

Observed the Certent EM Platform logon prompt and determined that a user ID and password were required for access.

2.13 Password security parameters for the Certent EM Platform include the following requirements:

Minimum password length

Password expiration

Password history

Idle session time out

Password complexity is enabled

Account lockout after a set number of unsuccessful logon attempts with an administrator reset required

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the Certent EM Platform password configuration and determined that the stated parameters were applied.


2.14 Upon successful logon, users are provided access to a screen with a drop-down list of companies for which the user has access. The user can only access company data to which they have been provided access.

Inquired of Certent personnel and corroborated the control procedure described.

Observed logon to the Certent EM Platform and determined that the user was only able to view the company for which the user was provided access.

User Entity Certent EM Platform Access Authorization

2.15 To authorize a new user entity security or group administrator access, the authorized user entity representative emails the Services and Support Group. A Services and Support Group member with the Certent EM Platform system administrator access sets up the user entity’s security or group administrator access.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of user entity Certent EM Platform security or group administrator access required, inspected the email and SOA user list and determined that the email was received from an authorized user entity representative or SOA providing evidence of the control procedure performed.

2.16 The Certent EM Platform SOA or security/group administrator access to user entity accounts is restricted to the Certent Services and Support and Quality Assurance Groups.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the Certent EM Platform administrator user list and the organization chart; reviewed the list with Certent personnel; and determined that the Certent EM Platform SOA and security/group administrator access to user entity accounts is restricted to Certent Services and Support Group and Quality Assurance Groups.

Results of Tests Performed

No exceptions noted.


Complementary User Entity Controls

1. User entities should provide authorization to Certent to add or modify the Certent EM Platform security administrator or group administrator access.

2. User entities should delete or provide notification to Certent to delete the Certent EM Platform security administrator or group administrator access on a timely basis.

3. User entities should administer user system access to ensure that set up and removal of access to SOA and lower roles is performed as appropriate on a timely basis.

4. User entities should perform periodic reviews of the Certent EM Platform SOA and user access to verify that access is restricted to authorized personnel and should delete user accounts assigned to terminated employees on a timely basis.


CONTROL OBJECTIVE 3 – Network Security

Controls provide reasonable assurance that connections to the Internet or other networks are configured to protect data relevant to user entities’ internal control over financial reporting from unauthorized access.

Network based security measures, including industry standard firewalls and diagnostic logs, are used to protect the production and corporate networks. The firewalls reside on the production and corporate networks and analyze the data and packets routed through the production and corporate networks. The firewall rules are configured by the Network Administrator based on the concept of least privilege, meaning unless specifically granted access is denied. The Network Administrator reviews the Diagnostic Log maintained by the firewall on a weekly basis and closes a ticket in the ticketing system to evidence the review of the log. Administrator access to the firewall is restricted to the TechOps Group. Access to the firewalls requires a user to enter a user ID and password. Password security parameters for the firewall include the following requirements:

Minimum password length

Password expiration

Password history

Idle session time out

Password complexity is enabled

Account lockout after a set number of unsuccessful logon attempts.
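The firewall rule description above (rules built on least privilege, with access denied unless specifically granted) is a first-match ruleset with an implicit default deny. The following is an added example, not Certent's firewall configuration: it evaluates packets against such a ruleset and includes the lint a reviewer would run over the rules to catch an allow rule broad enough to defeat the default deny. The subnets, hosts and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR, or "any" for 0.0.0.0/0
    dst: str      # CIDR, or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # "443", "1024-65535" or "any"

    @staticmethod
    def _net(cidr):
        return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

    def _port_ok(self, port):
        if self.dport == "any":
            return True
        lo, _, hi = self.dport.partition("-")
        return int(lo) <= port <= int(hi or lo)

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in self._net(self.src)
                and ipaddress.ip_address(dst) in self._net(self.dst)
                and self.proto in ("any", proto)
                and self._port_ok(dport))


# Constructed ruleset: the Internet may reach the web tier (10.0.1.0/24) on 443 and
# the corporate subnet (10.0.2.0/24) may reach the database host (10.0.1.10) on 22.
# Nothing else is granted, so everything else falls through to the default deny.
RULES = [
    Rule("allow", "any", "10.0.1.0/24", "tcp", "443"),
    Rule("allow", "10.0.2.0/24", "10.0.1.10/32", "tcp", "22"),
]


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


def broad_allows(rules):
    """Lint: allow rules that accept any source on any port, which undo least privilege."""
    return [r for r in rules if r.action == "allow" and r.src == "any" and r.dport == "any"]


if __name__ == "__main__":
    # Constructed traffic samples; 203.0.113.0/24 is a documentation prefix.
    for pkt in [("203.0.113.7", "10.0.1.5", "tcp", 443),
                ("203.0.113.7", "10.0.1.5", "tcp", 22),
                ("10.0.2.15", "10.0.1.10", "tcp", 22),
                ("10.0.2.15", "10.0.1.10", "tcp", 3389)]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("broad allow rules:", broad_allows(RULES))
```

Rule order matters in a first-match policy: a broad allow placed above a narrow deny silently wins, which is why the lint looks at each allow rule on its own rather than only at the final decision for a handful of test packets.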

Antivirus software is used to protect the Windows servers and workstations from malicious code or viruses. Virus signature definition files are updated continuously on servers and workstations. Virus scans are also scheduled daily. The Network Administrator reviews the antivirus software weekly to verify that the daily updates and daily virus scans completed successfully and closes a ticket in the ticketing system to evidence the review of the log.

Controls Specified by Certent | Tests of Controls Performed by BDO USA, LLP

3.1 Firewalls reside on the production and corporate networks.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the network diagram and firewalls configurations and determined that firewalls were installed on the production and corporate networks.


3.2 The Network Administrator reviews the Diagnostic Log maintained by the firewall on a weekly basis and closes a ticket in the ticketing system to evidence the review of the log.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of weeks, inspected the ticket and determined that the Network Administrator closed the ticket providing evidence of the control procedure performed.

3.3 Administrator access to the firewall is restricted to the TechOps Group.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the firewall user list and organization chart; reviewed the list with Certent personnel; and determined that access is restricted to the TechOps Group.

3.4 Access to the firewalls requires a user to enter a user ID and password.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the logon prompts for the firewalls and determined that a user ID and password were required for access.

3.5 Password security parameters for the firewall are configured to include the following requirements:

Minimum password length

Password expiration

Password history

Idle session time out

Password complexity is enabled

Account lockout after a set number of unsuccessful logon attempts.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the firewall password configurations and determined that the stated parameters were applied.

3.6 Antivirus software is used to protect the Windows servers and workstations from malicious code or viruses.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the antivirus software on the list of servers and workstations and determined that the antivirus software is installed.


3.7 Virus signature definition files are automatically updated continuously on servers and workstations.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the virus signature definition files and determined that the files are configured to automatically update continuously on servers and workstations.

3.8 Virus scans are also scheduled daily.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the scan settings and determined that virus scans are scheduled daily.

3.9 The Network Administrator reviews the antivirus software weekly to verify that the daily updates and daily virus scans are completed successfully and closes a ticket in the ticketing system to evidence the review of the log.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of weeks, inspected the ticket and determined that the Network Administrator closed the ticket providing evidence of the control procedure performed.

Results of Tests Performed

No exceptions noted.


CONTROL OBJECTIVE 4 – Internet Application Security

Controls provide reasonable assurance that connections to the https://app.easiadmin.com and https://em.certent.com websites are configured to protect data relevant to user entities’ internal control over financial reporting from unauthorized access and that data relevant to user entities’ internal control over financial reporting is transferred securely.

The websites hosted by Certent are located at:

https://app.easiadmin.com/

https://em.certent.com/

To protect against disclosure to third parties, the above websites transmit data utilizing Hypertext Transfer Protocol Secure (HTTPS) using Secure Socket Layer (SSL) encryption which enables 256-bit encryption when communicating with Internet browsers. In addition, from September 1, 2016 to February 1, 2017, Certent used Network Solutions Certificate Authority as the trusted certificate authority to inform user entities that the websites https://app.easiadmin.com and https://em.certent.com/ were authentic. Beginning on February 2, 2017, Certent uses Comodo RSA Certificate Authority as the trusted certificate authority to inform user entities that the websites https://app.easiadmin.com and https://em.certent.com/ are authentic. Users are authenticated against the Certent EM Platform server upon login. Users are required to enter a user ID and password to access the Certent EM Platform.

Controls Specified by Certent | Tests of Controls Performed by BDO USA, LLP

4.1 The websites transmit data utilizing HTTPS using SSL encryption which enables 256-bit encryption when communicating with Internet browsers.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the https://app.easiadmin.com and https://em.certent.com/ websites and determined that 256-bit SSL encryption was used.

4.2 From September 1, 2016 to February 1, 2017, Certent used Network Solutions Certificate Authority as the trusted certificate authority to inform user entities that the website https://app.easiadmin.com and https://em.certent.com/ were authentic. Beginning on February 2, 2017, Certent uses Comodo RSA Certificate Authority as the trusted certificate authority to inform user entities that the website https://app.easiadmin.com and https://em.certent.com/ are authentic.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the https://app.easiadmin.com and https://em.certent.com/ websites and determined that from September 1, 2016 to February 1, 2017, a valid certificate was issued to Certent by Network Solutions Certificate Authority and beginning on February 2, 2017, a valid certificate has been issued to Certent by Comodo RSA Certificate Authority.


4.3 Users are required to enter a user ID and password to access the Certent EM Platform.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the Certent EM Platform logon prompt and determined that a user ID and password were required for access.

Results of Tests Performed

No exceptions noted.


CONTROL OBJECTIVE 5 – Physical Security

Controls provide reasonable assurance that physical access to the Certent Pleasanton and Roseville, California offices and network rooms relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate personnel.

The Certent corporate offices are located in Pleasanton and Roseville, California. Access to the offices is restricted via electronic access card reader at all times. The main entrance of each office is monitored by an Office Administrator during business hours, Monday to Friday from 8:00 AM to 5:00 PM. Visitors are required to sign the electronic visitor’s log upon arrival and are escorted into the office. Employees are authorized to access each office as needed. For new or additional office access requests, the TechOps Group completes and signs the Access Authorization Form authorizing office access. An additional electronic access card reader restricts access to the corporate network room within the Pleasanton and Roseville offices. Access to the corporate network rooms is restricted to authorized TechOps personnel. Access to the corporate network rooms is granted to TechOps personnel by default. For new or additional datacenter access requests, the Vice President of TechOps or SVP Product Development completes and signs the Access Authorization Form authorizing datacenter access. For terminated employees and other access removals, the TechOps Group creates or updates a help desk ticket to document that the terminated employee’s office access was disabled or deleted.

The Access Authorization Log is reviewed annually to verify that access to the corporate offices, network rooms, and datacenter is restricted to authorized personnel. The Vice President of TechOps documents the review in a help desk ticket.

Controls Specified by Certent / Tests of Controls Performed by BDO USA, LLP

5.1 Access to the Pleasanton and Roseville, California offices is restricted via electronic access card reader at all times. The main entrance of each office is monitored by an Office Administrator during business hours, Monday to Friday from 8:00 AM to 5:00 PM.

Inquired of Certent personnel and corroborated the control procedure described.

Observed that access to the Pleasanton and Roseville, California offices is restricted via electronic access card reader.

Observed that the main entrances to the Pleasanton and Roseville, California offices were monitored by an Office Administrator during business hours.

5.2 Visitors are required to sign the electronic visitor’s log upon arrival and are escorted into the office.

Inquired of Certent personnel and corroborated the control procedure described.

Observed that visitors were required to sign the electronic visitor's log upon arrival and were escorted into the offices.


CONTROL OBJECTIVE 5 – Physical Security (Cont’d)

Controls provide reasonable assurance that physical access to the Certent Pleasanton and Roseville, California offices and network rooms relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate personnel.

Controls Specified by Certent / Tests of Controls Performed by BDO USA, LLP

5.3 For new or additional office access requests, the TechOps Group completes and signs the Access Authorization Form authorizing office access. Access to corporate network rooms is granted to TechOps personnel by default. For new or additional datacenter access requests, the Vice President of TechOps or SVP Product Development completes and signs the Access Authorization Form authorizing datacenter access.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of office access requests, inspected the Access Authorization Form and determined that the TechOps Group completed and signed the form providing evidence of the control procedure performed.

For a selection of corporate network room access requests, inspected the Access Authorization Form and determined that the TechOps Group completed and signed the form providing evidence of the control procedure performed.

For the only two datacenter access requests, inspected the Access Authorization Form and determined that either the Vice President of TechOps or SVP Product Development completed and signed the form providing evidence of the control procedure performed.

5.4 An additional electronic access card reader restricts access to the corporate network room within Pleasanton and Roseville offices. Access to the corporate network rooms is restricted to authorized TechOps personnel.

Inquired of Certent personnel and corroborated the control procedure described.

Observed that access to the corporate network room within Pleasanton and Roseville offices is restricted via an additional electronic access card reader.

Inspected the corporate network room user lists and the organization chart; reviewed the lists with Certent personnel; and determined that access to the corporate network rooms is restricted to authorized TechOps personnel.


CONTROL OBJECTIVE 5 – Physical Security (Cont’d)

Controls provide reasonable assurance that physical access to the Certent Pleasanton and Roseville, California offices and network rooms relevant to user entities’ internal control over financial reporting is restricted to authorized and appropriate personnel.

Controls Specified by Certent / Tests of Controls Performed by BDO USA, LLP

5.5 For terminated employees and other access removals, the TechOps Group creates or updates a help desk ticket to document that the terminated employee's office access was disabled or deleted.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of office access removals, inspected the help desk ticket and determined that the TechOps Group completed the ticket providing evidence of the control procedure performed.

For a selection of office access removals, inspected the office access user list and determined that the employee was not listed.

For the only network room access removal, inspected the help desk ticket and determined that the TechOps Group completed the ticket providing evidence of the control procedure performed.

The operating effectiveness of this control as it relates to datacenter access removal could not be tested other than by inquiry as there were no employees who had datacenter access removed during the examination period.

5.6 The Access Authorization Log is reviewed annually to verify that access to the corporate offices, network rooms, and datacenter is restricted to authorized personnel. The Vice President of TechOps documents the review in a help desk ticket.

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the help desk ticket and determined that the Access Authorization Log was reviewed to verify that all access was appropriate and authorized and the Vice President of TechOps documented the review in a ticket providing evidence of the control procedure performed.

Results of Tests Performed

No exceptions noted.


CONTROL OBJECTIVE 6 – Data Backup

Controls provide reasonable assurance that data relevant to user entities’ internal control over financial reporting is backed up at appropriate intervals and is independently stored.

The Certent EM Platform production databases, housed at the CyberTrails datacenter prior to June 18, 2017, and at the Sungard AS datacenter beginning June 18, 2017, are scheduled for backup to a disk on a file server at a disaster recovery datacenter in California on a daily basis (Monday through Sunday). Failed backup jobs are investigated and resolved by the DBA. The DBA documents the results of the review in the IT Operational Log.

Controls Specified by Certent / Tests of Controls Performed by BDO USA, LLP

6.1 The Certent EM Platform production databases housed at the Sungard AS datacenter in Arizona are scheduled for backup to a disk on a file server at a disaster recovery datacenter in California on a daily basis (Monday through Sunday).

Inquired of Certent personnel and corroborated the control procedure described.

Inspected the backup schedule configurations and determined that the schedules were established as described.

6.2 Failed backup jobs are investigated and resolved by the DBA. The DBA documents the results of the review in the IT Operational Log.

Inquired of Certent personnel and corroborated the control procedure described.

For a selection of failed backup jobs, inspected the IT Operational Log and determined that the DBA documented the results of the review.

Results of Tests Performed

No exceptions noted.


5. Other Information Provided By the Service Organization


5. OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION

Certent respects the privacy and security of customer data. Certent has implemented a number of processes and controls to provide security and protection of customer data. The Certent Information Security Program (ISP) document provides additional information regarding physical security, system protection, and availability and continuity as summarized below.

Datacenter Physical Security

Certent utilizes a number of techniques to ensure its facilities, computers, network and data are secure and access is restricted to authorized personnel. In addition, a variety of environmental devices are maintained to protect the facilities and equipment. An overview of the facilities’ security and environmental protection employed by Certent is described below.

Datacenter Locations

Production System Location from September 1, 2016 through June 18, 2017: Phoenix, Arizona (PHX) Datacenter: CyberTrails, 1919 West Lone Cactus Drive, Phoenix, AZ 85027, Phone: 888.462.9237

Production System Location beginning June 18, 2017: Scottsdale, Arizona (will still be called PHX): Sungard AS, 7499 E Paradise Ln Suite 108, Scottsdale, AZ 85260, Phone: 408.245.5924

Disaster Recovery System Location: Sacramento, California (SAC) Datacenter: Sungard AS, 11085 Sun Center Dr., Rancho Cordova, CA 95670, Phone: 916.877.4005

PHX Datacenter Service Description

Certent utilizes Sungard AS to host production equipment and supporting IT infrastructure as well as the corporate, development and test IT infrastructure. The equipment in the PHX Datacenter is installed in a dedicated, locked cage and the system software (i.e., operating system and all applications) is managed by Certent. Sungard AS’ service includes 24 x 7 x 365 monitoring of environmental controls, and on-site technical support is available as a separate service (Remote Hands). Certent maintains all of its own equipment, backups, etc. Sungard AS is responsible for maintaining the environmental security and controls of the datacenter and undergoes an annual SOC 2 Type 2 audit.

SAC Datacenter Service Description

Certent utilizes Sungard AS to host the disaster recovery IT infrastructure. The equipment in the SAC Datacenter is installed in a dedicated, locked cage and Certent manages the system software (i.e., operating system and all applications). Sungard AS’ service includes 24 x 7 x 365 monitoring of environmental controls, and on-site technical support is available as a separate service (Remote Hands). Certent maintains all of its own equipment, backups, etc. Sungard AS is responsible for maintaining the environmental security and controls of the datacenter and undergoes an annual SOC 2 Type 2 audit.


System Protection

The infrastructure utilized by Certent is configured and maintained with up-to-date versions of software to maximize protection. The Certent EM Platform is protected using a variety of techniques as listed below:

Separate environments

Data destruction

System hardening

Cryptography

Patch management

Availability and Continuity

Certent places a high priority on keeping its equipment and facilities well maintained and operational. Certent employs redundant hardware and websites, world-class datacenters with 24 hour monitoring, a stand-by website for failover, backup generators, system monitoring software with real-time alerts, and support contracts with Dell and Oracle. Certent has considered a number of areas in making the application and services continuously available and managing risk as listed below:

Scheduled releases

Redundancy and failover

System monitoring

System activity auditing

Audit logs

Data backup

Website monitoring

Disaster recovery

Business continuity

Environmental controls and backup power

Incident response

Cloud based CRM, Email and phone systems

Business Continuity service contracts for Certent offices

Disaster Recovery and Business Continuity Testing

Certent performs testing of its disaster recovery of the Certent production system once per year. The test involves a complete shutdown of the primary production system, startup of the disaster recovery system and verification that the website and all external system integrations are operational. The aforementioned items are described in detail in the Certent ISP document. The Certent ISP document can be obtained from Certent Customer Support upon request.