Leap Technologies, Inc. Type 2 SOC 1 2020


REPORT ON MANAGEMENT’S DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S SYSTEM AND ON THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF CONTROLS

Pursuant to Statement on Standards for Attestation Engagements No. 18 (SSAE 18) Type 2

November 15, 2019 to May 15, 2020


Proprietary and Confidential

Table of Contents

SECTION 1 ASSERTION OF LEAP TECHNOLOGIES, INC.’S MANAGEMENT

SECTION 2 INDEPENDENT SERVICE AUDITOR’S REPORT

SECTION 3 DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S FINANCE AUTOMATION SERVICES SYSTEM
  OVERVIEW OF OPERATIONS
    Company Background
    Description of Services Provided
    Boundaries of the System
    Subservice Organizations
    Significant Changes Since the Last Review
  CONTROL ENVIRONMENT
    Integrity and Ethical Values
    Commitment to Competence
    Management’s Philosophy and Operating Style
    Organizational Structure and Assignment of Authority and Responsibility
    Human Resources Policies and Practices
  RISK ASSESSMENT
  CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES
    Integration with Risk Assessment
    Selection and Development of Control Activities Specified by the Service Organization
  MONITORING
    On-Going Monitoring
    Reporting Deficiencies
  INFORMATION AND COMMUNICATION SYSTEMS
    Information Systems
    Communication Systems
  COMPLEMENTARY USER ENTITY CONTROLS

SECTION 4 DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S CONTROL OBJECTIVES AND RELATED CONTROLS, AND INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
  GUIDANCE REGARDING DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S CONTROL OBJECTIVES AND RELATED CONTROLS, AND INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
  DATA INPUT
  DATA TRANSMISSION
  DATA PROCESSING
  DATA OUTPUT/AGGREGATED FINANCIALS


SECTION 1

ASSERTION OF LEAP TECHNOLOGIES, INC.’S MANAGEMENT


Assertion of Leap Technologies, Inc.’s Management

May 22, 2020

We have prepared the description of Leap Technologies, Inc.’s (‘Leapfin’ or ‘the Company’) Finance Automation Services System for processing user entities’ transactions entitled “Description of Leap Technologies, Inc.’s Finance Automation Services System” throughout the period November 15, 2019 to May 15, 2020, (description) for user entities of the system during some or all of the period November 15, 2019 to May 15, 2020, and their user auditors who audit and report on such user entities’ financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by subservice organizations and user entities of the system themselves, when assessing the risks of material misstatements of user entities’ financial statements.

Leapfin uses Amazon Web Services (‘AWS’ or ‘subservice organization’) for cloud hosting services. The description includes only the control objectives and related controls of Leapfin and excludes the control objectives and related controls of the subservice organization. The description also indicates that certain control objectives specified by Leapfin in the description can be achieved only if complementary subservice organization controls assumed in the design of Leapfin’s controls are suitably designed and operating effectively, along with the related controls at Leapfin. The description does not extend to controls of the subservice organization.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls assumed in the design of Leapfin controls are suitably designed and operating effectively, along with related controls at the service organization. The description does not extend to controls of the user entities.

We confirm, to the best of our knowledge and belief, that:

a. The description fairly presents the Finance Automation Services System made available to user entities of the system during some or all of the period November 15, 2019 to May 15, 2020, for processing their transactions as it relates to controls that are likely to be relevant to user entities’ internal control over financial reporting. The criteria we used in making this assertion were that the description:

i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including:

(1) the types of services provided including, as appropriate, the classes of transactions processed.

(2) the procedures, within both automated and manual systems, by which services are provided, including, as appropriate, procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to reports and other information prepared for user entities.

(3) the related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities.

(4) how the system captures significant events and conditions, other than transactions.

(5) the process used to prepare reports and other information for user entities.


(6) services performed by a subservice organization, if any, including whether the inclusive method or the carve-out method has been used in relation to them.

(7) the specified control objectives and controls designed to achieve those objectives, including as applicable, complementary user entity controls contemplated in the design of the service organization’s controls.

(8) other aspects of our control environment, risk assessment process, information and communication systems (including related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.

ii. includes relevant details of changes to the service organization’s system during the period covered by the description.

iii. does not omit or distort information relevant to the scope of the Finance Automation Services System, while acknowledging that the description is prepared to meet the common needs of broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the Finance Automation Services System that each individual user entity of the system and its auditor may consider important in its own particular environment.

b. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period November 15, 2019 to May 15, 2020, to achieve those control objectives if subservice organizations and user entities applied the complementary controls assumed in the design of Leapfin’s controls throughout the period November 15, 2019 to May 15, 2020. The criteria we used in making this assertion were that:

i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization;

ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and

iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

Raymond Lau
Chief Executive Officer
Leap Technologies, Inc.


SECTION 2

INDEPENDENT SERVICE AUDITOR’S REPORT


INDEPENDENT SERVICE AUDITOR’S REPORT

To: Leap Technologies, Inc.

Scope

We have examined Leap Technologies, Inc.’s (‘Leapfin’ or ‘the Company’) description of its Finance Automation Services System for processing user entities’ transactions entitled “Description of Leap Technologies, Inc.’s Finance Automation Services System” throughout the period November 15, 2019 to May 15, 2020, (description) and the suitability of the design and operating effectiveness of Leapfin's controls included in the description to achieve the related control objectives stated in the description, based on the criteria identified in “Assertion of Leap Technologies, Inc.’s Management” (assertion).

Leapfin uses Amazon Web Services (‘AWS’ or ‘subservice organization’) for cloud hosting services. The description includes only the control objectives and related controls of Leapfin and excludes the control objectives and related controls of the subservice organization. The description also indicates that certain control objectives specified by Leapfin can be achieved only if complementary subservice organization controls assumed in the design of Leapfin are suitably designed and operating effectively, along with the related controls at Leapfin. Our examination did not extend to controls of the subservice organization, and we have not evaluated the suitability of the design or operating effectiveness of such complementary subservice organization controls.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of Leapfin’s controls are suitably designed and operating effectively, along with related controls at the service organization. Our examination did not extend to such complementary user entity controls, and we have not evaluated the suitability of the design and operating effectiveness of such complementary user entity controls.

Service Organization’s Responsibilities

In Section 1 of this report, Leapfin has provided their assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. Leapfin is responsible for preparing the description and their assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Service Auditor’s Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period November 15, 2019 to May 15, 2020. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.


An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of controls involves:

• Performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description, based on the criteria in management’s assertion

• Assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description

• Testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved

• Evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization in their assertion

Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit and report on user entities’ financial statements, and may not, therefore, include every aspect of the system that each individual user entity may consider important in its own particular environment. Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Description of Tests of Controls

The specific controls tested, and the nature, timing, and results of those tests are listed in Section 4.

Opinion

In our opinion, in all material respects, based on the criteria described in Leapfin’s assertion,

a. the description fairly presents the Finance Automation Services System that was designed and implemented throughout the period November 15, 2019 to May 15, 2020.

b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period November 15, 2019 to May 15, 2020 and subservice organizations and user entities applied the complementary user entity controls contemplated in the design of Leapfin’s controls throughout the period November 15, 2019 to May 15, 2020.

c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period November 15, 2019 to May 15, 2020, if complementary subservice organization and user entity controls assumed in the design of Leapfin’s controls operated effectively throughout the period November 15, 2019 to May 15, 2020.


Restricted Use

This report, including the description of tests of controls and results thereof in Section 4, is intended solely for the information and use of Leapfin, user entities of Leapfin’s Finance Automation Services System during some or all of the period November 15, 2019 to May 15, 2020, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

Tampa, Florida
May 22, 2020


SECTION 3

DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S FINANCE AUTOMATION SERVICES SYSTEM


OVERVIEW OF OPERATIONS

Company Background

Leapfin was founded in March 2015 with the objective of providing a completely automated financial close solution for high growth companies. Leapfin’s mission is to provide financial leaders with real-time access to accurate financial data and insights. Leapfin’s platform reduces reliance on error prone manual processes and greatly increases productivity. The organization is based in San Francisco, California. Industries served by Leapfin include Internet, Software-as-a-Service, Technology, Logistics, eCommerce, Education, and Media & Entertainment.

Description of Services Provided

Leapfin automates complex financial close processes for high growth organizations, including revenue recognition, order-to-cash reconciliation, revenue allocation, COGS attribution, and financial reporting. Leapfin’s core platform leverages Robotic Process Automation (RPA) to automate and streamline complex and manual processes, which includes:

• Unifying transactional data from fragmented data silos

• Standardizing, cleansing, and normalizing financial data

• Ensuring data immutability and data integrity

• Automating revenue recognition related activities

• Automating reconciliation from sales orders to cash settlements

• Automating allocation of revenues

• Automating COGS recognition and attribution

• Providing financial reports and journal entries required for month-end close activities

Data imports and process automations are completed on demand or on a scheduled cadence, and users have access to the latest financial reports and data from Leapfin’s UI.

Transactions Processing & Reporting

Leapfin uses enterprise level systems to provide customized levels of service to its customers. Customers are able to access information and reporting via a secure portal. Leapfin imports source data from a variety of systems in order to perform its services. Source data may include the following:

• Transactional data from payment processors

• Billing data from billing systems

• Customer data from Customer Relationship Management systems

• Product usage data

• Shipping data

Source data could be imported from a third-party service provider such as Stripe, Adyen, Braintree, PayPal, or Salesforce. The source data could also be imported from internal data warehouses if the customer elects to maintain such data in house. Once all relevant source data is imported into Leapfin, it is processed, cleansed, and standardized. Leapfin’s Rules Engine applies the appropriate business logic based on the customer’s business requirements to process the data to accommodate the customer’s reporting needs.


The necessary financial reports and journal entries are available to the customer from Leapfin’s UI or CSV exports.

Significant Events

Leapfin has implemented automated and manual procedures to capture and address significant events and conditions. The following are examples of the procedures Leapfin has placed into operation:

• Automated alert notifications are utilized to notify operations personnel of data transmission errors

• Data validation checks and monitoring are configured to proactively prevent processing errors

• An Intrusion Detection System (IDS) is employed to monitor the network for unauthorized access attempts

• Enterprise monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity. This software sends a message to the operations personnel when specific predefined thresholds are met

In addition, detailed monitoring and risk assessment procedures are in place to provide management with detailed information that impacts Leapfin’s platform. Please see the monitoring and risk assessment procedures described in the relevant sections of this report for further details.

Functional Areas of Operation

The Leapfin staff provides support for the above services in each of the following functional areas:

• Executive management - provides general oversight and strategic planning of operations

• Product and engineering - responsible for developing and maintaining the Leapfin platform and software, which includes:

o Integrations with other service providers (e.g. Stripe, Adyen, Braintree, Salesforce, NetSuite)

o ETL pipeline which ingests data from the above mentioned data providers and other data sources

o Data cleansing, standardization, and normalization processes

o Transformation of data which applies business logic to the standardized data based on customer requirements

o Production of financial reports and journal entries based on customers’ requirements

o Verifying that the system complies with the functional specification through functional testing procedures

o Effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software relevant to the system

• Customer Success - serves customers by providing product and service information that includes resolving product and service issues

• Audit and Compliance - performs regularly scheduled audits relative to defined standards, provides continuous improvement feedback, and assesses legal and regulatory requirements

Boundaries of the System

The scope of this report includes the Finance Automation Services System performed in the San Francisco, California facilities. This report does not include the cloud hosting services provided by AWS (‘Amazon Web Services’) at multiple facilities.

Subservice Organizations

This report does not include the cloud hosting services provided by AWS at multiple facilities.


Subservice Description of Services

AWS provides cloud hosting services, which includes implementing physical security controls to protect the housed in-scope systems. Controls include, but are not limited to, visitor sign-ins, required use of badges for authorized personnel, and monitoring and logging of physical access to the facilities.

Complementary Subservice Organization Controls

Leapfin’s services are designed with the assumption that certain controls will be implemented by subservice organizations. Such controls are called complementary subservice organization controls. It is not feasible for all of the control objectives related to Leapfin’s services to be solely achieved by Leapfin control procedures. Accordingly, subservice organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of Leapfin. The following subservice organization controls have been implemented by AWS and included in this report to provide additional assurance that the control objectives are met:

Subservice Organization - AWS

Control Objective: Physical Security

Controls:

• Customer master keys used for cryptographic operations in KMS are physically and logically secured so that no single AWS employee can gain access to the key material.

• Physical access to data centers is approved by an authorized individual.

• Physical access is revoked within 24 hours of the employee or vendor record being deactivated.

• Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.

• Physical access points to server locations are recorded by closed circuit television camera (CCTV). Images are retained for 90 days, unless limited by legal or contractual obligations.

• Physical access points to server locations are managed by electronic access control devices.

• Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents.

Leapfin management, along with the subservice organization, define the scope and responsibility of the controls necessary to meet all the relevant control objectives through written contracts, such as service level agreements. In addition, Leapfin performs monitoring of the subservice organization controls, including the following procedures:

• Reviewing attestation reports over services provided by vendors and subservice organization

• Monitoring external communications, such as customer complaints relevant to the services by the subservice organization

Significant Changes Since the Last Review

No significant changes have occurred to the services provided to user entities since the organization’s last review.


CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Leapfin’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Leapfin’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example. Specific control activities that the service organization has implemented in this area are described below:

• Formally documented organizational policy statements and codes of conduct communicate entity values and behavioral standards to personnel

• Policies and procedures require employees sign an acknowledgment form indicating they have been given access to the employee manual and understand their responsibility for adhering to the policies and procedures contained within the manual

• A confidentiality statement agreeing not to disclose proprietary or confidential information, including customer information, to unauthorized parties is a component of the employee handbook

• Background checks are performed for employees as a component of the hiring process

Commitment to Competence

Leapfin’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. Management’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge. Specific control activities that the service organization has implemented in this area are described below:

• Management has considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements

• Thorough evaluation of the employee’s skill sets during the hiring process

• Training is provided to maintain the skill level of personnel in certain positions

Management’s Philosophy and Operating Style

Leapfin’s management philosophy and operating style are encompassed by Leapfin’s six core values:

1) Obsess with every customer’s success - vigorously work to earn their customer’s trust. Pay attention to the competitors but obsess over Leapfin customers.

2) Ownership mindset - think long term and don’t sacrifice long term value for short term results. Act on behalf of the entire company.

3) Succeed together - understand how actions impact the rest of the team. Leapfin teams will not always necessarily agree but will always respect other points of view.

4) Refuse to be complacent - Leapfin team members are never done learning and always seeking to improve and innovate. Leapfin employees are curious and actively learning to improve.


5) Insist on the highest standards - continuously challenge themselves and hold themselves to the highest standards. Deliver quality products and services with the resources they have.

6) Bias for action - speed matters. Decisions to act are better than indecision. Don’t wait around; value calculated risk-taking. Sometimes mistakes are made, but they learn from them and never make the same mistakes twice.

Specific control activities that the service organization has implemented in this area are described below:

• Management is periodically briefed on regulatory and industry changes affecting the services provided

• Executive management meetings are held to discuss major initiatives and issues that affect the business as a whole

Organizational Structure and Assignment of Authority and Responsibility

Leapfin’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Management believes establishing a relevant organizational structure includes considering key areas of authority and responsibility. An organizational structure has been developed to suit its needs. This organizational structure is based, in part, on its size and the nature of its activities. Specific control activities that the service organization has implemented in this area are described below:

• Organizational charts are in place to communicate key areas of authority and responsibility

• Organizational charts are communicated to employees and updated as needed

• Objectives and Key Results (OKRs) are set and reviewed annually and quarterly

Human Resources Policies and Practices

Leapfin’s success is founded on sound business ethics, reinforced with a high level of efficiency, integrity, and ethical standards. The result of this success is evidenced by its proven track record for hiring and retaining top quality personnel who ensure the service organization is operating at maximum efficiency. Leapfin’s human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Specific control activities that the service organization has implemented in this area are described below:

• New employees are required to sign acknowledgement forms for the employee handbook and a confidentiality agreement following new hire orientation on their first day of employment

• Evaluations for each employee are performed on a quarterly basis

• Employee termination procedures are in place to guide the termination process and are documented in a termination checklist

RISK ASSESSMENT

Leapfin’s risk assessment process identifies and manages risks that could potentially affect Leapfin’s ability to provide reliable services to user organizations. This ongoing process requires that management identify significant risks inherent in products or services as they oversee their areas of responsibility. Leapfin identifies the underlying sources of risk, measures the impact to the organization, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor and manage the risks. This process has identified risks resulting from the nature of the services provided by Leapfin, and management has implemented various measures designed to manage these risks. Risks identified in this process include the following:

• Operational risk - changes in the environment, staff, or management personnel

• Strategic risk - new technologies, changing business models, and shifts within the industry

• Compliance - legal and regulatory changes


Leapfin will identify risks to the entity and monitor the operation of the firm’s internal controls. The approach is intended to align the entity’s strategy more closely with its key stakeholders, assist the organizational units with managing uncertainty more effectively, minimize threats to the business, and maximize its opportunities in the rapidly changing market environment. Leapfin attempts to actively identify and mitigate significant risks through the implementation of various initiatives and continuous communication with other leadership committees and senior management.

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

Integration with Risk Assessment

Leapfin’s systems, as well as the nature of the components of the system, result in risks that the criteria will not be met. Leapfin addresses these risks through the implementation of suitably designed controls to provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, Leapfin identifies the specific risks that the criteria will not be met and the controls necessary to address those risks.

Selection and Development of Control Activities Specified by the Service Organization

Control activities are a part of the process by which Leapfin strives to achieve its business objectives. Leapfin has applied a risk management approach to the organization in order to select and develop control activities. After relevant risks have been identified and evaluated, controls are established, implemented, monitored, reviewed, and improved when necessary to meet the overall objectives of the organization. Leapfin’s control objectives and related control activities are included in Section 4 (the “Testing Matrices”) of this report to eliminate the redundancy that would result from listing the items in this section and repeating them in the Testing Matrices. Although the control objectives and related control activities are included in the Testing Matrices, they are, nevertheless, an integral part of Leapfin’s description of the Finance Automation Services System. The description of the service auditor’s tests of operating effectiveness and the results of those tests are also presented in the Testing Matrices, adjacent to the service organization’s description of control activities. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.

MONITORING

Leapfin and AWS management monitor controls to ensure that they are operating as intended and that controls are modified as conditions change. Leapfin’s management performs monitoring activities to continuously assess the quality of internal control over time. Necessary corrective actions are taken as required to correct deviations from company policies and procedures. Employee activity and adherence to company policies and procedures are also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

On-Going Monitoring

Leapfin’s management conducts quality assurance monitoring on a regular basis, and additional training is provided based upon the results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, internal conference calls, and informal notifications. Management’s close involvement in Leapfin’s operations helps to identify significant variances from expectations regarding internal controls. Upper management evaluates the facts and circumstances related to any suspected control breakdown. A decision for addressing any control weakness is made based on whether the incident was isolated or requires a change in the company’s procedures or personnel. The goal of this process is to ensure legal compliance and to maximize the performance of Leapfin’s personnel.


Vendor Management

Leapfin has defined the following activities to oversee controls performed by vendors that could impact the Finance Automation Services System:

• Reviewing and reconciling output reports

• Holding periodic discussions with vendors and subservice organization

• Reviewing attestation reports over services provided by vendors and subservice organization

• Monitoring external communications, such as customer complaints relevant to the services by the subservice organization

Reporting Deficiencies

An internal tracking tool is utilized to document and track the results of on-going monitoring procedures. Escalation procedures are maintained for responding to and notifying management of any identified risks. Risks receiving a high rating are responded to immediately. Corrective actions, if necessary, are documented and tracked within the internal tracking tool. Annual meetings are held for management to review reported deficiencies and corrective actions.

INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

Leapfin has implemented mechanisms to track and record operational data to make strategic decisions and ensure objectives are consistently achieved. Information gathered from systems enables Leapfin to understand business trends in order to maximize efforts and provide optimal services.

Infrastructure

Primary infrastructure used to provide Leapfin’s Finance Automation Services System includes the following:

Primary Infrastructure

Hardware                    Type                     Purpose
Network Infrastructure      AWS VPC                  Connect, segment, and protect internal services from the broader Internet.
App Servers                 AWS EC2                  Host and serve web traffic; perform offline and batch computation.
Database Servers            AWS RDS                  Store, serve, and back up data required for application function.
Event Triggers              AWS Lambda               Trigger various parts of the system based on notifications or other events.
Cache Server                AWS ElastiCache          Store ephemeral data during system operations.
Storage Server              AWS S3                   Longer-term storage for infrequently accessed data.
Analytics Database Server   AWS Redshift             Data lake for ad-hoc analytics functionality.
Secrets Server              AWS SSM/KMS              Encrypt, store, and audit usage of secrets.
SFTP Server                 AWS Transfer for SFTP    Securely share customer-requested exports.


Software

Primary software used to provide Leapfin’s Finance Automation Services System includes the following:

Primary Software

Software     Operating System   Purpose
Leapfin      Linux              Custom software supporting the Leapfin service.
Prometheus   Linux              Collect metrics on system performance and functionality.

Communication Systems

Communication is an integral component of Leapfin’s internal control system. It is the process of identifying, capturing, and exchanging information in the form and time frame necessary to conduct, manage, and control the entity’s operations. This process encompasses the primary classes of transactions of the organization, including the dependence on, and complexity of, information technology. At Leapfin, information is identified, captured, processed, and reported by various information systems, as well as through conversations with customers, vendors, regulators, and employees. Various weekly calls are held to discuss operational efficiencies within the applicable functional areas and to disseminate new policies, procedures, controls, and other strategic initiatives within the organization. Additionally, all-hands meetings are held bi-weekly to provide staff with updates on the firm and key issues affecting the organization and its employees. Senior executives lead the all-hands meetings with information gathered from formal automated information systems and informal databases, as well as conversations with various internal and external colleagues. General updates to entity-wide security policies and procedures are usually communicated to the appropriate Leapfin personnel via e-mail messages.

COMPLEMENTARY USER ENTITY CONTROLS

Leapfin’s services are designed with the assumption that certain controls will be implemented by user entities. Such controls are called complementary user entity controls. It is not feasible for all of the control objectives related to Leapfin’s services to be solely achieved by Leapfin control procedures. Accordingly, user entities, in conjunction with the services, should establish their own internal controls or procedures to complement those of Leapfin. The following complementary user entity controls should be implemented by user entities to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user entities’ locations, user entities’ auditors should exercise judgment in selecting and reviewing these complementary user entity controls.

Control Objective 1 - Data Input

1. User entities are responsible for authorizing the integrations used to ingest customer data to the entity’s environment.

2. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

3. User entities are responsible for ensuring the accuracy and completeness of the data entered into the source systems that integrate with Leapfin.

4. User entities are responsible for ensuring the confidentiality of their data prior to ingestion to the entity’s environment.


Control Objective 2 - Data Transmission

5. User entities are responsible for authorizing the integrations used to ingest customer data to the entity’s environment.

6. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

7. User entities are responsible for ensuring the accuracy and completeness of the data entered into the source systems that integrate with Leapfin.

8. User entities are responsible for ensuring the confidentiality of their data prior to ingestion into the entity’s environment.

9. User entities are responsible for ensuring the appropriateness of users with access to Leapfin data outputs.

10. User entities are responsible for ensuring the confidentiality, completeness, and accuracy of the data in the data output and aggregated financials.

Control Objective 3 - Data Processing

11. User entities are responsible for authorizing the integrations used to accept customer data.

12. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin data outputs.

13. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

14. User entities are responsible for ensuring the accuracy and completeness of the data in the data output and aggregated financials.

15. User entities are responsible for ensuring the accuracy and completeness of the data entered into the source systems that integrate with Leapfin.

Control Objective 4 - Data Output

16. User entities are responsible for ensuring the confidentiality of data residing on their workstation and network.

17. User entities are responsible for ensuring the appropriateness of users with access to Leapfin data outputs.

18. User entities are responsible for ensuring the appropriateness of users with access to the Leapfin application.

19. User entities are responsible for ensuring the accuracy and completeness of the data in the data output and aggregated financials.


SECTION 4

DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S CONTROL OBJECTIVES AND RELATED CONTROLS, AND INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS


GUIDANCE REGARDING DESCRIPTION OF LEAP TECHNOLOGIES, INC.’S CONTROL OBJECTIVES AND RELATED CONTROLS, AND INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS

A-LIGN’s examination of the controls of Leapfin was limited to the control objectives and related control activities specified by the management of Leapfin and did not encompass all aspects of Leapfin’s operations or operations at user organizations. Our examination was performed in accordance with American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 18 (SSAE 18). Our examination of the control activities was performed using the following testing methods:

TEST             DESCRIPTION
Inquiry          The service auditor made inquiries of service organization personnel. Inquiries were made to obtain information and representations from the client, to determine the client’s knowledge of the control, and to corroborate policy or procedure information.
Observation      The service auditor observed the application of the control activities by client personnel.
Inspection       The service auditor inspected, among other items, source documents, reports, and system configurations to determine performance of the specified control activity and, in some instances, the timeliness of the performance of control activities.
Re-performance   The service auditor independently executed procedures or controls that were originally performed by the service organization as part of the entity’s internal control.

In determining whether a SSAE 18 report meets the user auditor’s objectives, the user auditor should perform the following procedures:

• Understand the aspects of the service organization’s controls that may affect the processing of the user organization’s transactions;

• Understand the flow of significant transactions through the service organization;

• Determine whether the control objectives are relevant to the user organization’s financial statement assertions;

• Determine whether the service organization’s controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user organization’s financial statements and determine whether they have been implemented.


CONTROL AREA 1 DATA INPUT

Control Objective Specified by the Service Organization:

Control activities provide reasonable assurance that the input of data for associated transactions are entered correctly and reviewed for accuracy.

Control Point

Control Activity Specified by the Service Organization

Test Applied by the Service Auditor Test Results

1.1 Documented policies and procedures are in place regarding data input, processing, output, classification, and security.

Inspected the Data Input, Processing, and Output policy, the Information Security policy, and the Data Classification policy to determine that documented policies and procedures were in place regarding data input, processing, output, classification, and security.

No exceptions noted.

1.2 A network diagram is documented to ensure that appropriate end-point protection mechanisms have been considered by management.

Inspected the entity’s network diagram to determine that a network diagram was documented to ensure that appropriate end-point protection mechanisms have been considered by management.

No exceptions noted.

1.3 Data coming into the environment is secured and monitored through the use of firewalls and an Intrusion Detection System (IDS).

Inspected the IDS and firewall configuration settings to determine that data coming into the environment was secured and monitored through the use of firewalls and an IDS.

No exceptions noted.

1.4 The IDS is configured to alert management of potential security events.

Inspected the IDS configuration settings and an example alert e-mail to determine that the IDS was configured to alert management of potential security events.

No exceptions noted.

1.5 Customer data input requirements are evaluated by the entity prior to accepting data inputs into the environment.

Inspected the Data Assessment Questionnaire template to determine that customer data input requirements were evaluated by the entity prior to accepting data inputs into the environment.

No exceptions noted.

Inspected the completed Data Assessment Questionnaire for a sample of new customers to determine that customer data input requirements were evaluated by the entity prior to accepting data inputs into the environment.

No exceptions noted.

1.6 Appropriate authorizations are received prior to data ingestion.

Inspected the customer authorization setup page to determine that appropriate authorizations were received prior to data ingestion.

No exceptions noted.



1.7 Data entering the entity’s environment is subject to validation against defined schema and logical checks enforced by the application.

Inspected system data validation checks and an example alert to determine that data entering the entity’s environment was subject to validation against defined schema and logical checks enforced by the application.

No exceptions noted.

1.8 A warning message is displayed to customers when manual data inputs do not comply with the configured logical checks.

Inspected application edit checks to determine that a warning message was displayed to customers when manual data inputs do not comply with the configured logical checks.

No exceptions noted.

1.9 The entity monitors customer integrations to ensure the complete and accurate input of data.

Inspected the customer authorization setup page to determine that the entity monitored customer integrations to ensure the complete and accurate input of data.

No exceptions noted.

1.10 The entity has an established incident management process to ensure the timely remediation of data input errors.

Inspected the resolution tickets for a sample of data input errors to determine that the entity had an established incident management process to ensure the timely remediation of data input errors.

No exceptions noted.

1.11 The entity updates its API integrations on at least an annual basis to ensure that the entity is able to process customer data inputs completely and accurately.

Inspected the API update, related ticket, and announcement to determine that the entity updated its API integrations on at least an annual basis to ensure that the entity was able to process customer data inputs completely and accurately.

No exceptions noted.

1.12 The entity reviews the available API updates on at least an annual basis to ensure that the application remains up to date with the necessary features required to process customer data inputs completely and accurately.

Inspected an API review to determine that the entity reviewed the available API updates on at least an annual basis to ensure that the application remained up to date with the necessary features required to process customer data inputs completely and accurately.

No exceptions noted.


CONTROL AREA 2 DATA TRANSMISSION

Control Objective Specified by the Service Organization:

Control activities provide reasonable assurance that data transmissions between the customer and the Company are complete and secure.

Control Point

Control Activity Specified by the Service Organization

Test Applied by the Service Auditor Test Results

2.1 Documented policies and procedures are in place regarding data input, processing, output, classification, and security.

Inspected the Data Input, Processing, and Output policy, the Information Security policy, and the Data Classification policy to determine that documented policies and procedures were in place regarding data input, processing, output, classification, and security.

No exceptions noted.

2.2 A network diagram is documented to ensure that appropriate end-point protection mechanisms have been considered by management.

Inspected the entity’s network diagram to determine that a network diagram was documented to ensure that appropriate end-point protection mechanisms have been considered by management.

No exceptions noted.

2.3 Data coming in and out of the environment is secured and monitored through the use of firewalls and an Intrusion Detection System (IDS).

Inspected the IDS and firewall configuration settings to determine that data coming in and out of the environment was secured and monitored through the use of firewalls and an IDS.

No exceptions noted.

2.4 The IDS is configured to alert management of potential security events.

Inspected the IDS configuration settings and an example alert e-mail to determine that the IDS was configured to alert management of potential security events.

No exceptions noted.

2.5 Access to sensitive resources is restricted to authorized personnel.

Inquired of the President regarding access to determine that access to sensitive resources was restricted to authorized personnel.

No exceptions noted.

Inspected the user and admin access listings to determine that access to sensitive resources was restricted to authorized personnel.

No exceptions noted.

2.6 Access to the Bastion host requires multi-factor authentication.

Inspected the Bastion host authentication settings to determine that access to the Bastion host required multi-factor authentication.

No exceptions noted.



2.7 Data within the entity’s environment is protected from unauthorized access and manipulation through the use of encryption methods.

Inspected the Encryption Policy and encryption methods to determine that data within the entity’s environment was protected from unauthorized access and manipulation through the use of encryption methods.

No exceptions noted.

2.8 Server certificate-based authentication is used as part of the SSL/TLS encryption with a trusted certificate authority.

Inspected encryption configurations for data in transit and digital certificates to determine that server certificate-based authentication was used as part of the SSL/TLS encryption with a trusted certificate authority.

No exceptions noted.
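Control 2.8 attests to one client-side property: the server certificate is validated against a trusted certificate authority and bound to the host being contacted. The following is an added example, not Leapfin’s code and not part of the report, showing a hardened Python TLS client context beside the weak variant that is usually found when verification has been switched off, and an audit function that reports which of the 2.8 properties a given context fails. It uses only the Python standard library.

```python
"""Client-side TLS configuration check: certificate validated against a trusted
CA, bound to the hostname, TLS 1.2 or newer.

Added example, not Leapfin's code; standard library only.
"""
import ssl


def hardened_client_context():
    # create_default_context() loads the platform CA store, sets
    # verify_mode=CERT_REQUIRED and check_hostname=True; we also pin the floor
    # to TLS 1.2 explicitly rather than relying on interpreter defaults.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    # The "works in staging" shortcut: no chain validation, no hostname check.
    # Any party that can intercept the connection may present its own cert.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; empty means the context enforces
    CA-validated, hostname-bound TLS 1.2+ (the 2.8 property)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: server certificate chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not bound to the target host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings
```

The audit is the part worth keeping: run it against every context an application constructs, since the weak variant is a three-line change that leaves the connection encrypted but unauthenticated, which is exactly what a certificate-validation control is meant to rule out. Higher-level HTTP clients have the same switch (for example `verify=False` in `requests`); the equivalent check there is that the flag is never set.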

2.9 Critical data is stored in encrypted format using AES-256.

Inspected encryption configurations for data at rest to determine that critical data was stored in encrypted format using AES-256.

No exceptions noted.

2.10 The entity receives appropriate authorization from the customers prior to initiating the ingestion into their environment.

Inspected the customer authorization setup page to determine that the entity received appropriate authorization from the customers prior to initiating the ingestion into their environment.

No exceptions noted.

2.11 Data entering the entity’s environment is subject to validation against defined schema and logical checks enforced by the application.

Inspected system data validation checks and an example alert to determine that data entering the entity’s environment was subject to validation against defined schema and logical checks enforced by the application.

No exceptions noted.

2.12 A warning message is displayed to customers when manual data inputs do not comply with the configured logical checks.

Inspected application edit checks to determine that a warning message was displayed to customers when manual data inputs do not comply with the configured logical checks.

No exceptions noted.

2.13 Data transmissions between the entity and its customers are monitored for completeness.

Inspected the data validation checks to determine that data transmissions between the entity and its customers were monitored for completeness.

No exceptions noted.
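Control 2.13 says transmissions are monitored for completeness but not how. The following is an added example, not Leapfin’s code and not part of the report, of one common mechanism: the sender ships a manifest (record count, per-record SHA-256 digests, and a digest over those digests) and the receiver reconciles what arrived against it, distinguishing a lost record from an altered one. The manifest layout and the sample records are constructed for illustration.

```python
"""Completeness check for a batch transmission using a sender-side manifest.

Added example, not Leapfin's code. The manifest format and SENT are
constructed for illustration.
"""
import hashlib
import json
from collections import Counter


def record_digest(record):
    # Canonical JSON so key order and whitespace cannot change the digest.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def batch_digest(digests):
    # Order-independent: the sorted digests are hashed, not the records.
    return hashlib.sha256("".join(sorted(digests)).encode()).hexdigest()


def build_manifest(records):
    """Sender side: describe what was sent."""
    digests = sorted(record_digest(r) for r in records)
    return {"count": len(records), "digests": digests,
            "batch_digest": batch_digest(digests)}


def verify_transmission(received, manifest):
    """Receiver side: reconcile what arrived against the manifest.
    'complete' is True only when the count matches, the manifest is internally
    consistent, and no record is missing or unexpected."""
    expected = Counter(manifest["digests"])
    got = Counter(record_digest(r) for r in received)
    report = {
        "count_matches": len(received) == manifest["count"],
        "manifest_consistent": batch_digest(manifest["digests"]) == manifest["batch_digest"],
        "missing": sorted((expected - got).elements()),     # sent, never arrived
        "unexpected": sorted((got - expected).elements()),  # arrived, not in manifest
    }
    report["complete"] = (report["count_matches"] and report["manifest_consistent"]
                          and not report["missing"] and not report["unexpected"])
    return report


# Constructed sample transmission and three things the receiver might see.
SENT = [
    {"txn_id": "T-1001", "amount": "120.00", "currency": "USD"},
    {"txn_id": "T-1002", "amount": "35.10", "currency": "USD"},
    {"txn_id": "T-1003", "amount": "9.99", "currency": "EUR"},
    {"txn_id": "T-1004", "amount": "250.00", "currency": "GBP"},
]
MANIFEST = build_manifest(SENT)

RECEIVED_INTACT = list(reversed(SENT))                         # reordering is harmless
RECEIVED_DROPPED = SENT[:3]                                    # one record lost in transit
RECEIVED_ALTERED = SENT[:3] + [dict(SENT[3], amount="25.00")]  # same count, one record changed
```

A bare record count would pass the altered batch; the per-record digests are what turn "same number of rows" into "the same rows". The manifest itself only detects accidental loss or corruption unless it travels over an authenticated channel (the certificate-validated TLS of control 2.8) or carries a MAC or signature; a party able to rewrite records in transit could otherwise rewrite the manifest to match.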


CONTROL AREA 3 DATA PROCESSING

Control Objective Specified by the Service Organization:

Control activities provide reasonable assurance that customer data is accepted from the customer and prepared for printing completely, timely, and accurately.

Control Point

Control Activity Specified by the Service Organization

Test Applied by the Service Auditor Test Results

3.1 Edit checks are in place to prevent incomplete or incorrect data from being entered into the system.

Inspected the edit check configurations to determine that edit checks were in place to prevent incomplete or incorrect data from being entered into the system.

No exceptions noted.

3.2 Validation checks are in place to prevent incomplete or incorrect data from being processed by the system.

Inspected the data validation check configurations to determine that validation checks were in place to prevent incomplete or incorrect data from being processed by the system.

No exceptions noted.

3.3 Data flow diagrams, process flowcharts, narratives, and procedures manuals are documented and maintained by management to identify the relevant internal and external information sources of the system.

Inspected the data flow diagram and application flow chart to determine that data flow diagrams, process flowcharts, narratives, and procedures manuals were documented and maintained by management to identify the relevant internal and external information sources of the system.

No exceptions noted.

3.4 Information processed by the application is monitored for incomplete or inaccurate data.

Inspected the application data output monitoring configurations to determine that information processed by the application was monitored for incomplete or inaccurate data.

No exceptions noted.

3.5 Integrations feeding source data to the application are configured based on customer specifications.

Inspected the integrations panel within the application to determine that integrations feeding source data to the application were implemented based on customer specifications.

No exceptions noted.

3.6 Monitoring software is used to identify and evaluate ongoing system performance, capacity, security threats, changing resource utilization needs, and unusual system activity, and IT personnel are alerted when thresholds are exceeded.

Inspected the system monitoring configurations and an example alert notification to determine that monitoring software was used to identify and evaluate ongoing system performance, capacity, security threats, changing resource utilization needs, and unusual system activity, and that IT personnel were alerted when thresholds were exceeded.

No exceptions noted.


3.7 Access to application outputs is restricted to the following authorized personnel:

• President
• CEO
• Head of Engineering
• Software Engineer

Inquired of the CEO regarding the application administrative user access to determine that access to application outputs was restricted to the following authorized personnel:

• President
• CEO
• Head of Engineering
• Software Engineer

No exceptions noted.

Inspected the application administrative user listing and access rights to determine that access to application outputs was restricted to the following authorized personnel:

• President
• CEO
• Head of Engineering
• Software Engineer

No exceptions noted.


CONTROL AREA 4 DATA OUTPUT/AGGREGATED FINANCIALS

Control Objective Specified by the Service Organization:

Control activities provide reasonable assurance that the output of data for statements and reports is produced completely, accurately, and in accordance with customer specifications.

Control Point

Control Activity Specified by the Service Organization

Test Applied by the Service Auditor Test Results

4.1 The entity performs testing to ensure completeness of output data during customer implementation.

Inspected the implementation plan for a sample of new customers to determine that the entity performed testing to ensure completeness of output data during customer implementation.

No exceptions noted.

4.2 Customer approvals are obtained to ensure completeness of data output prior to closing out work on customer implementations.

Inspected the approval message for a sample of approved customers to determine that customer approvals were obtained to ensure completeness of data output prior to closing out work on customer implementations.

No exceptions noted.

4.3 The entity generates accurate aggregate financials based on customer specifications.

Inspected the application output and audit timeline to determine that the entity generated accurate financials based on customer specifications.

No exceptions noted.

4.4 The entity’s service agreement defines customer specifications for aggregated financials.

Inspected the service agreements for a sample of new customers to determine that the entity’s service agreement defined customer specifications for aggregated financials.

No exceptions noted.

4.5 The entity’s service agreement defines time requirements for the delivery of data outputs.

Inspected the service agreements for a sample of new customers to determine that the entity’s service agreement defined time requirements for the delivery of data outputs.

No exceptions noted.

4.6 The entity maintains communication with customers to ensure application outputs are configured in accordance with customer specifications.

Inspected the meeting minutes for a customer status meeting to determine that the entity maintained communication with customers to ensure application outputs were configured in accordance with customer specifications.

No exceptions noted.

4.7 Application outputs are monitored for incomplete or inaccurate data.

Inspected the application data output monitoring configurations to determine that application outputs were monitored for incomplete or inaccurate data.

No exceptions noted.


4.8 Access to application outputs is restricted to the following authorized personnel:

• President
• CEO
• Head of Engineering
• Software Engineer

Inquired of the CEO regarding application administrative user access to determine that access to application outputs was restricted to the following authorized personnel:

• President
• CEO
• Head of Engineering
• Software Engineer

No exceptions noted.

Inspected the application administrative user listing and access rights to determine that access to application outputs was restricted to the following authorized personnel:

• President
• CEO
• Head of Engineering
• Software Engineer

No exceptions noted.