Leap Technologies, Inc. Type 1 SOC 1 2019 1 Type 1-Fina… · REPORT ON MANAGEMENT’S DESCRIPTION...


REPORT ON MANAGEMENT’S DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S SYSTEM AND ON THE SUITABILITY OF THE DESIGN OF CONTROLS

Pursuant to Statement on Standards for Attestation Engagements No. 18

(SSAE 18) Type 1

September 30, 2019


Proprietary and Confidential

Table of Contents

SECTION 1 ASSERTION OF LEAP TECHNOLOGIES, INC. MANAGEMENT ... 1

SECTION 2 INDEPENDENT SERVICE AUDITOR’S REPORT ... 4

SECTION 3 DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S FINANCE AUTOMATION SERVICES SYSTEM ... 7

OVERVIEW OF OPERATIONS ... 8
  Company Background ... 8
  Description of Services Provided ... 8
  Boundaries of the System ... 9
  Subservice Organizations ... 9

CONTROL ENVIRONMENT ... 11
  Integrity and Ethical Values ... 11
  Commitment to Competence ... 11
  Management’s Philosophy and Operating Style ... 11
  Organizational Structure and Assignment of Authority and Responsibility ... 12
  Human Resources Policies and Practices ... 12

RISK ASSESSMENT ... 12

CONTROL OBJECTIVE AND RELATED CONTROL ACTIVITIES ... 13
  Integration with Risk Assessment ... 13
  Data Input ... 13
  Data Transmission ... 13
  Data Processing ... 14
  Data Output/Aggregated Financials ... 14

MONITORING ... 14
  On-Going Monitoring ... 14
  Reporting Deficiencies ... 15

INFORMATION AND COMMUNICATION SYSTEMS ... 15
  Information Systems ... 15
  Communication Systems ... 16

COMPLEMENTARY USER ENTITY CONTROLS ... 16

SECTION 4 INFORMATION PROVIDED BY THE SERVICE AUDITOR ... 18

GUIDANCE REGARDING INFORMATION PROVIDED BY THE SERVICE AUDITOR ... 19


SECTION 1

ASSERTION OF LEAP TECHNOLOGIES, INC. MANAGEMENT


Assertion of Leap Technologies, Inc. Management

October 5, 2019

We have prepared the description of Leap Technologies, Inc.’s (‘Leapfin’ or ‘the Company’) Finance Automation Services system for processing user entities’ transactions entitled “Description of Leap Technologies, Inc.’s Finance Automation Services System” as of September 30, 2019, (description) for user entities of the system as of September 30, 2019, and their user auditors who audit and report on such user entities’ financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities’ financial statements.

Leapfin uses Amazon Web Services (‘AWS’ or ‘subservice organization’) for cloud hosting services. The description includes only the control objectives and related controls of Leapfin and excludes the control objectives and related controls of the subservice organizations. The description also indicates that certain control objectives specified by Leapfin in the description can be achieved only if complementary subservice organization controls assumed in the design of Leapfin’s controls are suitably designed and operating effectively, along with the related controls at Leapfin. The description does not extend to controls of the subservice organizations.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls assumed in the design of Leapfin’s controls are suitably designed and operating effectively, along with related controls at the service organization. The description does not extend to controls of the user entities.

We confirm, to the best of our knowledge and belief, that:

a. The description fairly presents the Finance Automation Services system made available to user entities of the system as of September 30, 2019, for processing their transactions as it relates to controls that are likely to be relevant to user entities’ internal control over financial reporting. The criteria we used in making this assertion were that the description:

i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including:

(1) the types of services provided including, as appropriate, the classes of transactions processed.

(2) the procedures, within both automated and manual systems, by which services are provided, including, as appropriate, procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to reports and other information prepared for user entities.

(3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities.

(4) how the system captures significant events and conditions, other than transactions.

(5) the process used to prepare reports and other information for user entities.

(6) services performed by a subservice organization, if any, including whether the inclusive method or the carve-out method has been used in relation to them.


(7) the specified control objectives and controls designed to achieve those objectives, including as applicable, complementary user entity controls contemplated in the design of the service organization’s controls.

(8) other aspects of our control environment, risk assessment process, information and communication systems (including related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.

ii. includes relevant details of changes to the service organization’s system during the period covered by the description.

iii. does not omit or distort information relevant to the scope of the Finance Automation Services system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the Finance Automation Services system that each individual user entity of the system and its auditor may consider important in its own particular environment.

b. the controls related to the control objectives stated in the description were suitably designed as of September 30, 2019, to achieve those control objectives if user entities applied the complementary controls assumed in the design of Leapfin’s controls as of September 30, 2019. The criteria we used in making this assertion were that:

i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization; and

ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.

Raymond Lau
Chief Executive Officer
Leap Technologies, Inc.


SECTION 2

INDEPENDENT SERVICE AUDITOR’S REPORT


INDEPENDENT SERVICE AUDITOR’S REPORT

To Leap Technologies, Inc.:

Scope

We have examined Leapfin’s description of its Finance Automation Services system for processing user entities’ transactions entitled, “Description of Leap Technologies, Inc.’s Finance Automation Services System” as of September 30, 2019, (description) and the suitability of the design of the controls included in the description to achieve the related control objectives stated in the description, based on the criteria identified in “Leap Technologies, Inc.’s Assertion” (assertion).

Leapfin uses AWS for cloud hosting services. The description includes only the control objectives and related controls of Leapfin and excludes the control objectives and related controls of the subservice organizations. The description also indicates that certain control objectives specified by Leapfin can be achieved only if complementary subservice organization controls assumed in the design of Leapfin are suitably designed and operating effectively, along with the related controls at Leapfin. Our examination did not extend to controls of the subservice organizations, and we have not evaluated the suitability of the design or operating effectiveness of such complementary subservice organization controls.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of Leapfin’s controls are suitably designed and operating effectively, along with related controls at the service organization. Our examination did not extend to such complementary user entity controls, and we have not evaluated the suitability of the design and operating effectiveness of such complementary user entity controls.

Service Organization’s Responsibilities

In Section 1 of this report, Leapfin has provided its assertion about the fairness of the presentation of the description and suitability of the design of the controls to achieve the related control objectives stated in the description. Leapfin is responsible for preparing the description and the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Service Auditor’s Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is fairly presented and the controls were suitably designed to achieve the related control objectives stated in the description as of September 30, 2019. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

An examination of a description of a service organization’s system and the suitability of the design of controls involves:

• Performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design of those controls to achieve the related control objectives stated in the description, based on the criteria in management’s assertion


• Assessing the risks that the description is not fairly presented and that the controls were not suitably designed to achieve the related control objectives stated in the description

• Evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization in its assertion

Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit and report on user entities’ financial statements, and may not, therefore, include every aspect of the system that each individual user entity may consider important in its own particular environment. Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Other Matter

We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Opinion

In our opinion, in all material respects, based on the criteria described in Leapfin’s assertion,

a. the description fairly presents the Finance Automation Services system that was designed and implemented as of September 30, 2019.

b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively as of September 30, 2019 and user entities applied the complementary user entity controls contemplated in the design of Leapfin’s controls as of September 30, 2019.

Restricted Use

This report is intended solely for the information and use of Leapfin, user entities of Leapfin’s Finance Automation Services system as of September 30, 2019, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

October 5, 2019
Tampa, Florida


SECTION 3

DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S FINANCE AUTOMATION SERVICES SYSTEM


OVERVIEW OF OPERATIONS

Company Background

Leapfin was founded in March 2015 with the objective of providing a completely automated financial management solution for high-growth companies. Leapfin’s mission is to provide financial leaders with real-time access to accurate financial data and insights. Leapfin’s platform reduces reliance on error-prone manual processes and greatly increases productivity. The organization is based in San Francisco, California. Industries served by Leapfin include Internet, Software-as-a-Service, Technology, Logistics, eCommerce, Education, and Media & Entertainment.

Description of Services Provided

Leapfin automates complex financial processes for high-growth organizations, including revenue recognition, order-to-cash reconciliation, revenue allocation, and financial reporting. Leapfin’s core platform leverages Robotic Process Automation (RPA) to automate and streamline complex and manual processes, which includes:

• Unifying transactional data from fragmented data silos

• Standardizing, cleansing, and normalizing financial data

• Ensuring data immutability and data integrity

• Automating revenue recognition related activities

• Automating reconciliation from sales orders to cash settlements

• Automating allocation of revenues

• Providing financial reports and journal entries required for month-end close activities

Data imports and process automations are completed on demand or on a scheduled cadence, and users have access to the latest financial reports and data from Leapfin’s UI.

Transactions Processing & Reporting

Leapfin uses enterprise-level systems to provide customized levels of service to clients. Clients are able to access information and reporting via a secure client portal. Leapfin imports source data from a variety of systems in order to perform its services. Source data may include the following:

• Transactional data from payment processors

• Billing data from billing systems

• Customer data from Customer Relationship Management systems

• Product usage data

• Shipping data

Source data could be imported from a third-party service provider such as Stripe, Adyen, Braintree, PayPal, or Salesforce. The source data could also be imported from internal data warehouses if the customer elects to maintain such data in house. Once all relevant source data is imported into Leapfin, it is processed, cleansed, and standardized. Leapfin’s Rules Engine applies the appropriate business logic based on the customer’s business requirements to process the data to accommodate the customer’s reporting needs.


The necessary financial reports and journal entries are available for the customer from Leapfin’s UI or csv exports.

Significant Events

Leapfin has implemented automated and manual procedures to capture and address significant events and conditions. The following are examples of the procedures Leapfin has placed into operation:

• Automated alert notifications are utilized to notify operations personnel of data transmission errors

• Data validation checks and monitoring are configured to proactively prevent processing errors

• An Intrusion Detection System (IDS) is employed to monitor the network for unauthorized access attempts

• Enterprise monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity. This software sends a message to the operations personnel when specific predefined thresholds are met

In addition, detailed monitoring and risk assessment procedures are in place to provide management with detailed information that impacts Leapfin’s platform. Please see the monitoring and risk assessment procedures described in the relevant sections of this report for further details.

Functional Areas of Operation

The Leapfin staff provides support for the above services in each of the following functional areas:

• Executive management - provides general oversight and strategic planning of operations

• Product and engineering - responsible for developing and maintaining the Leapfin platform and software, which includes:

o Integrations with other service providers (e.g. Stripe, Adyen, Braintree, Salesforce, NetSuite)

o ETL pipeline which ingests data from the above-mentioned data providers and other data sources

o Data cleansing, standardization, and normalization processes

o Transformation of data which applies business logic to the standardized data based on customer requirements

o Production of financial reports and journal entries based on customers’ requirements

o Verifying that the system complies with the functional specification through functional testing procedures

o Effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software relevant to the system

• Customer Success - serves customers by providing product and service information that includes resolving product and service issues

• Audit and Compliance - performs regularly scheduled audits relative to defined standards, provides continuous improvement feedback, and assesses legal and regulatory requirements

Boundaries of the System

The scope of this report includes the Finance Automation Services System performed in the San Francisco, California facilities. This report does not include the cloud hosting services provided by AWS.

Subservice Organizations

This report also includes the data center hosting services provided by AWS at the San Francisco, California facilities.


Subservice Description of Services

AWS offers cloud web hosting solutions that provide organizations with low-cost ways to deliver their websites and web applications.

Complementary Subservice Organization Controls

Leapfin’s services are designed with the assumption that certain controls will be implemented by subservice organizations. Such controls are called complementary subservice organization controls. It is not feasible for all of the control objectives related to Leapfin’s services to be solely achieved by Leapfin control procedures. Accordingly, subservice organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of Leapfin. The following subservice organization controls have been implemented by AWS and included in this report to provide additional assurance that the control objectives are met.

Subservice Organization - AWS

Control Objective: Physical Security

Controls:

• Customer master keys used for cryptographic operations in KMS are physically and logically secured so that no single AWS employee can gain access to the key material.

• Physical access to data centers is approved by an authorized individual.

• Physical access is revoked within 24 hours of the employee or vendor record being deactivated.

• Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.

• Physical access points to server locations are recorded by closed circuit television camera (CCTV). Images are retained for 90 days, unless limited by legal or contractual obligations.

• Physical access points to server locations are managed by electronic access control devices.

• Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents.

Leapfin management, along with the subservice organization, define the scope and responsibility of the controls necessary to meet all the relevant control objectives through written contracts, such as service level agreements. In addition, Leapfin performs monitoring of the subservice organization controls, including the following procedures:

• Reviewing and reconciling output reports

• Holding periodic discussions with vendors and subservice organization(s)

• Making regular site visits to vendor and subservice organization(s’) facilities

• Testing controls performed by vendors and subservice organization(s)

• Reviewing attestation reports over services provided by vendors and subservice organization(s)

• Monitoring external communications, such as customer complaints relevant to the services by the subservice organization


CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Leapfin’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Leapfin’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example. Specific control activities that the service organization has implemented in this area are described below:

• Formally documented organizational policy statements and codes of conduct communicate entity values and behavioral standards to personnel

• Policies and procedures require employees to sign an acknowledgment form indicating they have been given access to the employee manual and understand their responsibility for adhering to the policies and procedures contained within the manual

• A confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties is a component of the employee handbook

• Background checks are performed for employees as a component of the hiring process

Commitment to Competence

Leapfin’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. Management’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge. Specific control activities that the service organization has implemented in this area are described below:

• Management has considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements

• Thorough evaluation of the employee’s skill sets during the hiring process

• Training is provided to maintain the skill level of personnel in certain positions

Management’s Philosophy and Operating Style Leapfin’s management philosophy and operating style are encompassed by Leapfin’s six core values:

1) Obsess with every customer’s success - vigorously work to earn their customer’s trust. Pay attention to the competitors but obsess over Leapfin customers.

2) Ownership mindset - think long term and don’t sacrifice long term value for short term results. Act on behalf of the entire company.

3) Succeed together - Understand how actions impact the rest of the team. Leapfin teams will not always necessarily agree but will always respect other points of view.

4) Refuse to be complacent - Leapfin team members are never done learning and always seeking to improve and innovate. Leapfin employees are curious and actively learning to improve.

5) Insist on the highest standards - Continuously challenge themselves and hold themselves to the highest standards. Deliver the quality products and services with the resources they have.

6) Bias for action - speed matters. Decisions to act are better than indecision. Don’t wait around, and value calculated risk taking. Sometimes mistakes are made, but they learn from them and never make the same mistakes twice.


Specific control activities that the service organization has implemented in this area are described below:

• Management is periodically briefed on regulatory and industry changes affecting the services provided

• Executive management meetings are held to discuss major initiatives and issues that affect the business as a whole

Organizational Structure and Assignment of Authority and Responsibility

Leapfin’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Management believes establishing a relevant organizational structure includes considering key areas of authority and responsibility. An organizational structure has been developed to suit its needs. This organizational structure is based, in part, on its size and the nature of its activities. Specific control activities that the service organization has implemented in this area are described below:

• Organizational charts are in place to communicate key areas of authority and responsibility

• Organizational charts are communicated to employees and updated as needed

• Objectives and Key Results (OKRs) are set and reviewed annually and quarterly

Human Resources Policies and Practices

Leapfin’s success is founded on sound business ethics, reinforced with a high level of efficiency, integrity, and ethical standards. The result of this success is evidenced by its proven track record for hiring and retaining top-quality personnel who ensure the service organization is operating at maximum efficiency. Leapfin’s human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Specific control activities that the service organization has implemented in this area are described below:

• New employees are required to sign acknowledgement forms for the employee handbook and a confidentiality agreement following new hire orientation on their first day of employment

• Evaluations for each employee are performed on a quarterly basis

• Employee termination procedures are in place to guide the termination process and are documented in a termination checklist

RISK ASSESSMENT

Leapfin’s risk assessment process identifies and manages risks that could potentially affect Leapfin’s ability to provide reliable services to user organizations. This ongoing process requires that management identify significant risks inherent in products or services as they oversee their areas of responsibility. Leapfin identifies the underlying sources of risk, measures the impact to the organization, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor and manage the risks. This process has identified risks resulting from the nature of the services provided by Leapfin, and management has implemented various measures designed to manage these risks. Risks identified in this process include the following:

• Operational risk - changes in the environment, staff, or management personnel

• Strategic risk - new technologies, changing business models, and shifts within the industry

• Compliance - legal and regulatory changes

Leapfin will identify risks to the entity and monitor the operation of the firm’s internal controls. The approach is intended to align the entity’s strategy more closely with its key stakeholders, assist the organizational units with managing uncertainty more effectively, minimize threats to the business, and maximize its opportunities in the rapidly changing market environment. Leapfin attempts to actively identify and mitigate significant risks through the implementation of various initiatives and continuous communication with other leadership committees and senior management.


CONTROL OBJECTIVE AND RELATED CONTROL ACTIVITIES

Integration with Risk Assessment

Leapfin’s systems, as well as the nature of the components of the system, result in risks that the criteria will not be met. Leapfin addresses these risks through the implementation of suitably designed controls to provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, Leapfin identifies the specific risks that the criteria will not be met and the controls necessary to address those risks.

Selection and Development of Control Activities Specified by the Service Organization

DATA INPUT

Control Objective 1: Control activities provide reasonable assurance that the input of data for associated transactions is entered correctly and reviewed for accuracy.

Control Activities Specified by the Service Organization:

1.1 Documented policies and procedures are in place regarding data input, processing, output, classification, and security.

1.2 Data coming into the environment is secured and monitored through the use of firewalls and an Intrusion Detection System (IDS).

1.3 The entity only inputs authorized customer data that is supported by an approved vendor.

1.4 Data entering the entity’s environment is subject to validation against defined schema and logical checks enforced by the application.

1.5 The entity monitors customer integrations to ensure the complete and accurate input of data.

1.6 The entity has an established incident management process to ensure the timely remediation of data input errors.

1.7 The entity updates its API integrations on an as-needed basis to ensure that they are able to process customer data inputs completely and accurately.

1.8 The entity reviews the available API updates on an annual basis to ensure they remain up to date with the necessary features required to process customer data inputs completely and accurately.

DATA TRANSMISSION

Control Objective 2: Control activities provide reasonable assurance that data transmissions between the client and the Company are complete.

Control Activities Specified by the Service Organization:

2.1 Documented policies and procedures are in place regarding data input, processing, output, classification, and security.

2.2 Data coming in and out of the environment is secured and monitored through the use of firewalls and an Intrusion Detection System (IDS).

2.3 Access to sensitive resources is restricted to authorized personnel.

2.4 Data within the entity’s environment is protected from unauthorized access and manipulation through the use of encryption methods.

2.5 The entity receives appropriate authorization from the customer prior to initiating the ingestion into their environment.

2.6 Data entering the entity’s environment is subject to validation against defined schema and logical checks enforced by the application.

2.7 Data transmissions between the entity and its customers are monitored for completeness.


DATA PROCESSING

Control Objective 3: Control activities provide reasonable assurance that client data is accepted from the client and prepared for printing completely and timely.

Control Activities Specified by the Service Organization:

3.1 Edit checks are in place to prevent incomplete or incorrect data from being entered into the system.

3.2 Validation checks are in place to prevent incomplete or incorrect data from being processed by the system.

3.3 Data flow diagrams, process flowcharts, narratives, and procedures manuals are documented and maintained by management to identify the relevant internal and external information sources of the system.

3.4 Application processing is monitored for incomplete or inaccurate data.

3.5 Integrations feeding source data to Leap Technologies are configured based on customer specifications.

3.6 Monitoring software is used to identify and evaluate ongoing system performance, capacity, security threats, changing resource utilization needs and unusual system activity.

3.7 Access to application outputs is restricted to authorized personnel.

DATA OUTPUT / AGGREGATED FINANCIALS

Control Objective 4: Control activities provide reasonable assurance that the output of data for statements and reports is produced completely, accurately, and in accordance with customer specifications.

Control Activities Specified by the Service Organization:

4.1 The entity performs testing to ensure completeness of output data during customer implementation.

4.2 The entity generates accurate aggregate financials based on customer specifications.

4.3 Application outputs are delivered timely based on the entity’s policy and customer specifications.

4.4 Application outputs are monitored for incomplete or inaccurate data.

4.5 Access to application outputs is restricted to authorized personnel.

MONITORING

Management monitors controls to ensure that they are operating as intended and that controls are modified as conditions change. Leapfin’s management performs monitoring activities to continuously assess the quality of internal control over time. Necessary corrective actions are taken as required to correct deviations from company policies and procedures. Employee activity and adherence to company policies and procedures are also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

On-Going Monitoring

Leapfin’s management conducts quality assurance monitoring on a regular basis, and additional training is provided based upon the results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, internal conference calls, and informal notifications. Management’s close involvement in Leapfin’s operations helps to identify significant variances from expectations regarding internal controls. Upper management evaluates the facts and circumstances related to any suspected control breakdown. A decision for addressing any control weakness is made based on whether the incident was isolated or requires a change in the company’s procedures or personnel. The goal of this process is to ensure legal compliance and to maximize the performance of Leapfin’s personnel.


Vendor Management

Leapfin has defined the following activities to oversee controls performed by vendors that could impact the finance automation services system:

• Reviewing and reconciling output reports

• Holding periodic discussions with vendors and subservice organization(s)

• Testing controls performed by vendors and subservice organization(s)

• Reviewing attestation reports over services provided by vendors and subservice organization(s)

• Monitoring external communications, such as customer complaints relevant to the services by the subservice organization

Reporting Deficiencies

An internal tracking tool is utilized to document and track the results of on-going monitoring procedures. Escalation procedures are maintained for responding to, and notifying management of, any identified risks. Risks receiving a high rating are responded to immediately. Corrective actions, if necessary, are documented and tracked within the internal tracking tool. Annual meetings are held for management to review reported deficiencies and corrective actions.

INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

Leapfin has implemented mechanisms to track and record operational data to make strategic decisions and ensure objectives are consistently achieved. Information gathered from systems enables Leapfin to understand business trends in order to maximize efforts and provide optimal services.

Infrastructure

Primary infrastructure used to provide Leapfin’s Finance Automation Services System includes the following:

Primary Infrastructure

Hardware - Type - Purpose

Network Infrastructure - AWS VPC - Connect, segment, and protect internal services from the broader Internet.

App Servers - AWS EC2 - Host and serve web traffic; perform offline and batch computation.

Database Servers - AWS RDS - Store, serve, and back up data required for application function.

Event Triggers - AWS Lambda - Trigger various parts of the system based on notifications or other events.

Cache Server - AWS ElastiCache - Store ephemeral data during system operations.

Storage Server - AWS S3 - Longer-term storage for infrequently accessed data.

Analytics Database Server - AWS Redshift - Data lake for ad hoc analytics functionality.

Secrets Server - AWS SSM/KMS - Encrypt, store, and audit usage of secrets.


SFTP Server - AWS Transfer for SFTP - Securely share customer-requested exports.

Software

Primary software used to provide Leapfin’s Finance Automation Services System includes the following:

Primary Software

Software - Operating System - Purpose

Leapfin - Linux - Custom software supporting the Leapfin service.

Prometheus - Linux - Collect metrics on system performance and functionality.

Communication Systems

Communication is an integral component of Leapfin’s internal control system. It is the process of identifying, capturing, and exchanging information in the form and time frame necessary to conduct, manage, and control the entity’s operations. This process encompasses the primary classes of transactions of the organization, including the dependence on, and complexity of, information technology. At Leapfin, information is identified, captured, processed, and reported by various information systems, as well as through conversations with clients, vendors, regulators, and employees. Various weekly calls are held to discuss operational efficiencies within the applicable functional areas and to disseminate new policies, procedures, controls, and other strategic initiatives within the organization. Additionally, all-hands meetings are held bi-weekly to provide staff with updates on the firm and key issues affecting the organization and its employees. Senior executives lead the all-hands meetings with information gathered from formal automated information systems and informal databases, as well as conversations with various internal and external colleagues. General updates to entity-wide security policies and procedures are usually communicated to the appropriate Leapfin personnel via e-mail messages.

COMPLEMENTARY USER ENTITY CONTROLS

Leapfin’s services are designed with the assumption that certain controls will be implemented by user entities. Such controls are called complementary user entity controls. It is not feasible for all of the control objectives related to Leapfin’s services to be achieved solely by Leapfin control procedures. Accordingly, user entities, in conjunction with the services, should establish their own internal controls or procedures to complement those of Leapfin. The following complementary user entity controls should be implemented by user entities to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user entities’ locations, user entities’ auditors should exercise judgment in selecting and reviewing these complementary user entity controls.

Control Objective 1 - Data Input

1. User entities are responsible for authorizing the integrations used to ingest customer data to the entity’s environment.

2. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.


3. User entities are responsible for ensuring the accuracy and completeness of the data entered into the source systems that integrate with Leapfin.

4. User entities are responsible for ensuring the confidentiality of their data prior to ingestion to the entity’s environment.

Control Objective 2 - Data Transmission

5. User entities are responsible for authorizing the integrations used to ingest customer data to the entity’s environment.

6. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

7. User entities are responsible for ensuring the accuracy and completeness of the data entered into the source systems that integrate with Leapfin.

8. User entities are responsible for ensuring the confidentiality of their data prior to ingestion into the entity’s environment.

9. User entities are responsible for ensuring the appropriateness of users with access to Leapfin data outputs.

10. User entities are responsible for ensuring the confidentiality, completeness, and accuracy of the data in the data output and aggregated financials.

Control Objective 3 - Data Processing

11. User entities are responsible for authorizing the integrations used to accept customer data.

12. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin data outputs.

13. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

14. User entities are responsible for ensuring the accuracy and completeness of the data in the data output and aggregated financials.

15. User entities are responsible for ensuring the accuracy and completeness of the data entered into the source systems that integrate with Leapfin.

Control Objective 4 - Data Output

16. User entities are responsible for ensuring the confidentiality of data residing on their workstation and network.

17. User entities are responsible for ensuring the appropriateness of users with access to Leapfin data outputs.

18. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

19. User entities are responsible for ensuring the accuracy and completeness of the data in the data output and aggregated financials.


SECTION 4

INFORMATION PROVIDED BY THE SERVICE AUDITOR


GUIDANCE REGARDING INFORMATION PROVIDED BY THE SERVICE AUDITOR

A-LIGN ASSURANCE’s examination of the controls of Leapfin was limited to the control objectives and related control activities specified by the management of Leapfin and did not encompass all aspects of Leapfin’s operations or operations at user organizations. Our examination was performed in accordance with American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 18 (SSAE 18). Our examination of the control activities was performed using the following testing methods:

Test - Description

Inquiry - The service auditor made inquiries of service organization personnel. Inquiries were made to obtain information and representations from the client, to determine the client’s knowledge of the control, and to corroborate policy or procedure information.

Observation - The service auditor observed the application of the control activities by client personnel.

Inspection - The service auditor inspected, among other items, source documents, reports, and system configurations to determine the performance of the specified control activity and, in some instances, the timeliness of the performance of control activities.

Re-performance - The service auditor independently executed procedures or controls that were originally performed by the service organization as part of the entity’s internal control.

In determining whether an SSAE 18 report meets the user auditor’s objectives, the user auditor should perform the following procedures:

• Understand the aspects of the service organization’s controls that may affect the processing of the user organization’s transactions;

• Understand the flow of significant transactions through the service organization;

• Determine whether the control objectives are relevant to the user organization’s financial statement assertions;

• Determine whether the service organization’s controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user organization’s financial statements and determine whether they have been implemented.