SIMPLE FUND 360: AN AUDITOR'S GUIDE
Australia's leading cloud SMSF admin solution


Prepared by BGL Corporate Solutions Pty Ltd March 2018

CONTENTS

1.0 Overview of BGL's Web Applications
2.0 Data Sources and Services
  2.1 Bank Data
  2.2 Dividends / Distributions Received
  2.3 Contract Notes (for security purchases and sales)
  2.4 Wraps and Platforms
  2.5 Registry Data
3.0 Audit Features in Simple Fund 360
  3.1 Gaining Access to Simple Fund 360
  3.2 Audit Reports
  3.3 Other Functions and Reports
  3.4 Audit and the Documents Screen
  3.5 Using Document Tags to Help the Auditor
  3.6 Integration with Third-Party Audit Software
4.0 Overview of BGL Web Application Infrastructure and Controls
  4.1 Policies
  4.2 Physical Data Hosting and Security
  4.3 Data Backup Controls
  4.4 AWS Access Control
  4.5 Change Control Process
  4.6 Infrastructure Monitoring
  4.7 Transport of Data
  4.8 Internal Security Assessments
  4.9 External Vulnerability Assessments
  4.10 Sensitive Database Fields
5.0 User Security
  5.1 User Access
  5.2 Logging of User Activity
6.0 Privacy of Data

INTRODUCTION

The purpose of this guide is to assist auditors in gaining a better understanding of BGL's web applications and how auditing in the Cloud can streamline the audit process. This guide is divided into six sections:

Section 1 provides an overview of BGL's web applications.
Section 2 contains an overview of BGL's data sources and how the data is used in each BGL application.
Section 3 contains an overview of the Simple Fund 360 audit functionality.
Section 4 contains an overview of BGL Web Application Infrastructure and Controls.
Section 5 contains an overview of User Security.
Section 6 contains details of BGL's Privacy Policy.

1.0 Overview of BGL's Web Applications

BGL Corporate Solutions Pty Ltd (BGL) is a privately owned Australian company and Australia's leading developer of self-managed super fund (SMSF) administration and corporate compliance software solutions. BGL's cloud solutions include Simple Fund 360, Australia's leading cloud SMSF administration software solution, and CAS 360, the next generation cloud corporate compliance software solution. BGL software solutions are used to administer over 70 percent of SMSFs and over 45 percent of Australian companies.

Simple Fund 360 has revolutionised the SMSF administration space, with intelligent algorithms that significantly reduce the amount of time required to process an SMSF. Simple Fund 360 is the complete SMSF compliance solution that automatically matches bank, broker, corporate action and dividend data overnight using BGL's SmartPost technology, while Australian Securities Exchange (ASX), managed fund and international share prices provide daily portfolio valuations.

BGL has been providing software solutions to accountants, SMSF administrators, lawyers, financial planners and professional firms for over 25 years. The economies of scale that BGL's services offer, together with our cloud hosting provider Amazon Web Services (AWS), make it possible for BGL to provide higher levels of physical and digital security than many of our clients have on their own systems.

2.0 Data Sources and Services

2.1 Bank Data

All BGL bank data is received directly from the banks. Eighteen financial institutions are currently supported, with more added on a regular basis. Simple Fund 360 ensures that the bank balance in the bank data file received from the bank reconciles with the balance in the software each day. Balances are displayed on the Fund Dashboard screen, with any differences highlighted.

2.2 Dividends / Distributions Received

Dividends / distributions received in cash are matched with the ASX dividend / distribution data. Simple Fund 360 ensures that the dividend / distribution amount per share, multiplied by the units on hand, agrees with the dividend / distribution amount received. If not, the cash dividend / distribution transaction is flagged for user review. If Simple Fund 360 does not receive a cash dividend / distribution, a corporate action for a potential dividend reinvestment plan (DRP) is automatically created.

2.3 Contract Notes (for security purchases and sales)

BGL's Contract Note Service extracts the buy / sell data from the PDF formatted contract notes received from brokers. Over 110 brokers are supported. The data is matched against buy and sell cash transactions. The contract note PDF is then attached to the Simple Fund 360 transaction and can be viewed on the Transaction List and in Document Management. Simple Fund 360 will automatically match unlimited, multiple buy and sell transactions against a single cash amount on a single day.

2.4 Wraps and Platforms

All wrap and platform data is received directly from the wrap or platform. Simple Fund 360 ensures that the wrap / platform balance in the file received from the wrap / platform provider reconciles with the balance in the Simple Fund 360 software each day.

2.5 Registry Data

Simple Fund 360 provides a direct link for holding balances to the Computershare and Link registry data. On the Simple Fund 360 Investments Balance Review screen, holding balance data received from the registries is compared with holding balances in Simple Fund 360, with differences highlighted. This data is obtained from input of the fund's HIN(s). The registry data cannot be accessed by Simple Fund 360 clients. The registry is the Source of Truth for all listed holding balances. These connections ensure that holding balances in Simple Fund 360 are independently verified.

3.0 Audit Features in Simple Fund 360

3.1 Gaining Access to Simple Fund 360

Auditor access to Simple Fund 360 can be provided by the software administrator. The simplest way to invite an auditor is to go to Fund > Fund Dashboard and select Share With Auditor. Complete the auditor's name and e-mail details and click Invite. This will provide the auditor with audit access to Simple Fund 360 based on the auditor's user role. The auditor will receive an e-mail invitation to log in and create a password. The auditor will then be able to access: some dashboards; Reports; Live Reports; Documents. The software administrator can provide the auditor with access to additional functions.

3.2 Audit Reports

Simple Fund 360 provides users with a full set of audit documentation and reports, provided by TAG Financial Services Pty Ltd. These are available from Reports > Audit Reports. The following reports are available: Audit Planning Memorandum; Audit Working Papers; Compendium Index; Engagement Letter; File Index; Management Letter; Trustee Representation Letter. The following checklists are available: Compliance Checklist; Fraud Checklist.

3.3 Other Functions and Reports

In addition to audit reports, the following reports can assist the auditor:
- Fund Dashboard > Bank Statement Report: provides a verified bank balance taken from the data file provided by the relevant financial institution.
- Fund Dashboard > Bank Balance.

There are a number of reports to assist auditors in the Reports > Work Paper Reports and Reports > Investment Reports areas of Simple Fund 360. These provide the General Ledger Audit View and many other reconciliation and comparison reports covering most Operating Statement items. The Reports > Documents screen provides access to all source documents and reports created and uploaded for the fund. Tags can be created to classify documents by audit year.

Simple Fund 360 also provides a transaction drill-down tool for all ledger accounts. This is accessed through Reports > Live Reports. This tool is available for the Accounting Performance, General Ledger and Trial Balance Reports.

3.4 Audit and the Documents Screen

The Reports > Documents screen allows the trustee, administrator and auditor to store and share the fund's documents. Trustees can upload permanent documents, such as trust deeds, or annual documents, including dividend, distribution and tax statements. The accountant can add working papers and other documents to support fund transactions. The auditor can then log in, view and / or download documents.

3.5 Using Document Tags to Help the Auditor

BGL recommends that the accountant create document tags to group documents. Tags are similar to folders on a desktop computer, except that multiple tags can be applied to multiple documents, whereas a document can only be placed in a single folder. To add a new tag, select Add Custom Tag on the left of the software screen.

The New Tag screen will appear. Input the tag name and click Submit. To apply the tag to the document(s), select the checkbox to the left of the document(s) and select Tag As at the top of the screen. Select the appropriate tag(s) and then select Apply Tags. BGL recommends creating a Permanent tag and an Audit (Year) tag for each financial year. Audit Reports, including Engagement, Representation and Management letters, can all be stored in Simple Fund 360.

3.6 Integration with Third-Party Audit Software

Simple Fund 360 also provides integration with Caseware, Cloudoffis, Evolv White and MyWorkpapers Audit. Audit integration with Simple Fund 360 is implemented through the BGL Application Programming Interface (API). While the process is different in each package, the data extracted through the API consists of:

1. Import of the Simple Fund 360 fund list: fund, member and trustee data is loaded.
2. Import of the Trial Balance: the audit application dynamically creates and populates folders, lead schedules and lead schedule summaries.
3. Report data and report PDFs.

For more information on the data extracted by each supplier and how to integrate, refer to the website of each software supplier.

4.0 Overview of BGL Web Application Infrastructure and Controls

4.1 Policies

BGL has documented policies and procedures for risk assessment, data security, release management, security operations, incident management, privacy, visitor policy, confidential trash, new employment, employee conduct and termination of employment. Background screening, professional credential checks and police checks are conducted on team members. Policies are reviewed as required. BGL has employment contracts with all team members that comply with the Fair Work Act.

4.2 Physical Data Hosting and Security

All BGL client web data is hosted in Australia by Amazon Web Services (AWS). Data is stored across multiple zoned replicas. AWS services are isolated from BGL's own internal office networks. No BGL staff can physically access any of the servers. BGL employs team members who maintain the data and servers housed at AWS. These team members are appropriately authorised to remotely access the servers. BGL regularly reviews these access controls.

AWS's data centres are state of the art, utilising innovative architectural and engineering designs. AWS has many years of experience in designing, constructing and operating large-scale data centres throughout the world. This experience has been applied to the BGL Hosting Platform and Infrastructure. The Australian data centres are housed in nondescript facilities. Physical access is strictly controlled, both at the perimeter and at building ingress points, by security staff utilising video surveillance, intrusion detection systems and other electronic means. Authorised staff must pass two-factor authentication at least twice to gain access to the data centre. All visitors and contractors are required to present identification, are signed in and are then escorted by authorised staff. When an employee no longer has a need for access, it is immediately revoked, even if the individual continues to be employed by AWS. All access to the data centres is logged and routinely audited.

When a storage device reaches the end of its useful life, a decommissioning process ensures data is not exposed to unauthorised individuals. AWS uses techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry standards.

AWS is built in an environment with extensive and validated security and controls, including:
- Service Organization Controls 1 (SOC 1) Type 2 report (formerly SAS 70 Type II report), with periodic independent audits to confirm security features and controls to safeguard customer data.
- ISO 27001 certification, an internationally recognised information security management standard that specifies leading practices and comprehensive security controls that follow ISO 27002 best practice guidelines.
- PCI DSS Level 1 compliance, an independent validation of the platform for the secure processing, transmission and storage of credit card data.
- Relevant government agency and public sector compliance qualifications, such as an ITAR-compliant environment.

More information on AWS security can be found at: https://d0.awsstatic.com/whitepapers/security/aws_security_whitepaper.pdf

No BGL client web data is hosted at BGL's offices. BGL's offices are protected by card-controlled entrances and monitored alarms, with all actions logged.

BGL clients can share data with BGL support consultants. This can be authorised when a user logs a support call with BGL and selects the appropriate option in the software. This option provides the BGL support consultant with access to fund data for five days. After five days, access is automatically revoked. The client can revoke access at any time.

4.3 Data Backup Controls

BGL web applications use mission-critical databases. Databases are replicated across multiple servers and multiple AWS availability zones. Data backups occur every two hours during the day. Full data backups are also taken each night. BGL has a documented disaster recovery plan.

4.4 AWS Access Control

Access to the AWS production environment is available to authorised BGL team members via a virtual private network (VPN). A least privilege model determines who has access. BGL follows AWS security best practices and rotates access keys. All activity is logged and accounts are reviewed on a regular basis.

4.5 Change Control Process

BGL uses mixed Agile methodologies to release updates every three weeks. The release cycle for application changes is described below.

BGL has three environments: User Acceptance Testing (UAT), Staging, and Production. A Configuration Management Tool confirms that patches and updates have been successfully applied to the servers. BGL's continuous integration deployment will not commit unconfirmed changes to production servers until integration tests are passed. BGL has a separate policy for updating Amazon Relational Database Service (RDS) instances. All minor upgrades to RDS are done in test environments before being placed into production. All major updates reside in the UAT environment for at least two sprints.

4.6 Infrastructure Monitoring

AWS tools are utilised to monitor server and database health, in addition to third-party software utilised for additional monitoring of application servers. These services send e-mails and SMS messages to notify team members of any critical alerts. All access and changes to the database are tracked and logged.

4.7 Transport of Data

BGL's web applications are signed by a secure sockets layer (SSL) certificate, meaning all data transferred between AWS and the Internet browser is done with strong encryption and authentication, the same certification as Internet banking. The SSL connections utilise the latest Perfect Forward Secrecy. This security feature uses a derived session key to provide additional safeguards against the eavesdropping of encrypted data, and prevents the decoding of captured data even if the secret long-term key is compromised. The load balancer utilises the latest industry standard cipher suites. Most major browsers now support these newer and more secure cipher suites. BGL encourages clients to use the latest browser versions that include these stronger cipher suites for communication.

4.8 Internal Security Assessments

Regular security training is conducted for the relevant BGL team members. Open Web Application Security Project (OWASP) methods for security testing are conducted by BGL testers and developers. The application code is regularly scanned for vulnerabilities.

4.9 External Vulnerability Assessments

BGL's infrastructure and online software security are regularly reviewed by external security experts. These highly trained specialists run penetration testing to identify and exploit any security flaws in BGL's web applications. The testing conforms with the OWASP Application Security Verification Standard (ASVS) 3.0.

4.10 Sensitive Database Fields

All sensitive database fields, such as tax numbers and bank account details, are encrypted using the latest cryptographic algorithm method.
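An auditor reading section 4.7 will usually want to verify two claims: that every cipher suite the load balancer offers uses an ephemeral key exchange (which is what gives Perfect Forward Secrecy), and that no weak suites remain. The following is an added example, not BGL's code or BGL's load balancer configuration: it classifies cipher suite names in the OpenSSL / IANA naming conventions, so it can be run over the output of `openssl ciphers -v` or a load balancer's policy listing. The two sample policies are constructed for illustration.

```python
"""Classify TLS cipher suites by forward secrecy and known weaknesses.

Added example (not BGL's code or configuration). The cipher suite names and
the two sample load-balancer policies below are constructed for illustration;
the names follow OpenSSL / IANA conventions.
"""
from __future__ import annotations

# TLS 1.3 suites (IANA names) always use ephemeral (EC)DH key agreement,
# so they provide forward secrecy by construction.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Substrings that mark a suite as weak or broken, whatever its key exchange:
# null/export ciphers, RC4, (3)DES, MD5 and anonymous (unauthenticated) DH.
WEAK_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")


def has_forward_secrecy(suite: str) -> bool:
    """True when the key exchange is ephemeral: the session key is derived per
    connection and cannot be recovered from the server's long-term key."""
    if suite in TLS13_SUITES:
        return True
    return suite.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def is_weak(suite: str) -> bool:
    """True when the suite uses a broken cipher or hash, export strength,
    or an anonymous key exchange."""
    upper = suite.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def audit_policy(suites: list[str]) -> dict:
    """Return the findings an auditor wants: weak suites to remove, suites
    without forward secrecy, and whether the policy passes overall."""
    weak = [s for s in suites if is_weak(s)]
    no_pfs = [s for s in suites if not is_weak(s) and not has_forward_secrecy(s)]
    return {
        "weak": weak,
        "no_forward_secrecy": no_pfs,
        "passes": not weak and not no_pfs,
    }


# Constructed sample policies: a permissive legacy list and a hardened list
# of the kind section 4.7 describes (ephemeral key exchange, AEAD ciphers only).
LEGACY_POLICY = [
    "AES128-SHA",                   # RSA key exchange: no forward secrecy
    "DES-CBC3-SHA",                 # 3DES: weak
    "RC4-MD5",                      # broken cipher and hash
    "ECDHE-RSA-AES128-GCM-SHA256",  # the only acceptable entry
]

HARDENED_POLICY = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy))
```

The classifier is deliberately conservative: a suite is only credited with forward secrecy when its name shows an ECDHE or DHE exchange (or it is a TLS 1.3 suite), and any suite that matches a weak marker is reported regardless of its key exchange, since a forward-secret handshake over RC4 or 3DES still leaves the session data exposed.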

5.0 User Security

5.1 User Access

A user role and identity system prevents users from accessing data that is not their own. Users can access the system by invite only, with access to information determined by user roles. Access is username and password protected. Access to BGL web applications is role-based, meaning the BGL client administrator has complete control over who can access data. Users are required to change their password at the first log-in, with the new password sent to the user's e-mail address. BGL enforces complex passwords. Users are automatically logged out due to inactivity after a set period of time.

5.2 Logging of User Activity

All user access is logged, including IP address, log-ins, failed log-ins and activity in the application.

6.0 Privacy of Data

BGL treats all data with the utmost privacy. BGL's privacy policy can be found at: http://www.bglcorp.com/about-bgl/privacy-policy.

www.bglcorp.com
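Section 5.2 lists what is logged (IP address, successful and failed log-ins, application activity) but not how an auditor or administrator would read that log. The following is an added example, not BGL's code and not Simple Fund 360's actual log format: the line layout and the sample records are constructed, carrying only the fields the guide says are recorded. It shows the three reviews a practitioner usually runs first over an access log: bursts of failed log-ins from one source, a success that follows a run of failures, and accounts that logged in from more than one address.

```python
"""Review an application access log of the kind section 5.2 describes.

Added example (not BGL's code or log format). The line format and the
sample records are constructed; each record carries the fields the guide
says are logged: timestamp, user, client IP address and event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2018-03-05T09:00:01Z user=alice ip=203.0.113.7 event=login_ok
2018-03-05T09:01:10Z user=bob ip=198.51.100.9 event=login_failed
2018-03-05T09:01:14Z user=bob ip=198.51.100.9 event=login_failed
2018-03-05T09:01:19Z user=bob ip=198.51.100.9 event=login_failed
2018-03-05T09:01:25Z user=bob ip=198.51.100.9 event=login_failed
2018-03-05T09:01:31Z user=bob ip=198.51.100.9 event=login_failed
2018-03-05T09:01:40Z user=bob ip=198.51.100.9 event=login_ok
2018-03-05T09:05:00Z user=alice ip=203.0.113.7 event=report_download
2018-03-05T09:07:00Z user=carol ip=192.0.2.44 event=login_failed
2018-03-05T10:30:00Z user=alice ip=198.51.100.77 event=login_ok
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": fields["user"], "ip": fields["ip"], "event": fields["event"]}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed log-ins inside a sliding window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["event"] == "login_failed":
            by_ip[r["ip"]].append(r["ts"])
    findings = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(ip)
                break
    return findings


def find_success_after_failures(records, min_failures=3, window=timedelta(minutes=10)):
    """(user, ip) pairs where a successful log-in follows a run of recent
    failures from the same address: the case worth a second look after a burst."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["user"], r["ip"])
        if r["event"] == "login_failed":
            failures[key].append(r["ts"])
        elif r["event"] == "login_ok":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if len(recent) >= min_failures:
                findings.append(key)
            failures[key] = []
    return findings


def find_multi_ip_users(records):
    """Users whose successful log-ins came from more than one IP address."""
    ips = defaultdict(set)
    for r in records:
        if r["event"] == "login_ok":
            ips[r["user"]].add(r["ip"])
    return sorted(user for user, addrs in ips.items() if len(addrs) > 1)


def review(text):
    """Run all three reviews over a log in the constructed format."""
    records = parse_log(text)
    return {
        "failed_login_bursts": find_failed_login_bursts(records),
        "success_after_failures": find_success_after_failures(records),
        "multi_ip_users": find_multi_ip_users(records),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(name, finding)
```

On the sample above the burst review reports 198.51.100.9, the second review reports the bob / 198.51.100.9 pair because the successful log-in came straight after five failures, and the third reports alice, who logged in from two different addresses. None of these is proof of misuse on its own; they are the records an auditor would ask the administrator to explain, which is the point of keeping the log the guide describes.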