SSAE 16 / ISAE 3402
REPORT ON CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS
SVB ASSET MANAGEMENT
FOR THE PERIOD OCTOBER 1, 2013 THROUGH SEPTEMBER 30, 2014

TABLE OF CONTENTS

SECTION I INDEPENDENT SERVICE AUDITORS’ REPORT PROVIDED BY KPMG LLP
SECTION II MANAGEMENT ASSERTION
SECTION III DESCRIPTION OF CONTROLS PROVIDED BY SVB ASSET MANAGEMENT
CONTROL OBJECTIVES AND RELATED CONTROLS
COMPLEMENTARY USER ENTITY CONTROLS
SECTION IV CONTROL OBJECTIVES, RELATED CONTROLS AND TESTS OF OPERATING EFFECTIVENESS
SVB ASSET MANAGEMENT (SAM) OPERATIONAL CONTROLS BACKGROUND
GENERAL COMPUTER CONTROLS

SECTION I
INDEPENDENT SERVICE AUDITORS’ REPORT PROVIDED BY KPMG LLP

KPMG LLP
Suite 1400
55 Second Street
San Francisco, CA 94105

Independent Service Auditors’ Report

The Board of Directors
SVB Asset Management

Scope

We have examined SVB Asset Management (SAM)’s description of its system for asset management services and related IT general controls throughout the period October 1, 2013 to September 30, 2014 and the suitability of the design and the operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of SAM's controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

SAM uses the following subservice organizations: U.S. Bank for investment custodial services; Clearwater Analytics for client communication and reporting services; and Bloomberg for trading activities and accounting reconciliations.
The description in Section III includes only the controls and related control objectives of SAM and excludes the control objectives and related controls of the above sub-service organizations. Our examination did not extend to controls of U.S. Bank, Clearwater Analytics, or Bloomberg.

Service Organization’s Responsibilities

In Section II of the description, SAM has provided an assertion about the fairness of the presentation of the description, the suitability of the design and the operating effectiveness of the controls to achieve the related control objectives stated in the description. SAM is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting and using suitable criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Service Auditors’ Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description, the suitability of the design and the operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants and International Standard on Assurance Engagements 3402, “Assurance Reports on Controls at a Service Organization,” issued by the International Auditing and Assurance Standards Board. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented, the controls were suitably designed and the controls were operating effectively to achieve the related control objectives stated in the description throughout the period October 1, 2013 to September 30, 2014.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and the operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in management’s assertion. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions.
Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in SAM’s assertion in Section II,

a. The description fairly presents the aforementioned SAM controls that were designed and implemented throughout the period October 1, 2013 to September 30, 2014,
b. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period October 1, 2013 to September 30, 2014, and user entities applied the complementary user entity controls contemplated in the design of SAM’s controls throughout the period October 1, 2013 to September 30, 2014, and;
c. The controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description in Section IV were achieved, operated effectively throughout the period October 1, 2013 to September 30, 2014.

Description of Tests of Controls

The specific controls and the nature, timing, extent, and results of the tests are listed in Section IV.
Restricted Use

This report, including the description of tests of controls and results thereof in Section IV, is intended solely for the information and use of SAM, user entities of SAM’s system of asset management services during some or all of the period October 1, 2013 to September 30, 2014, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

November 14, 2014
San Francisco, California

SECTION II
MANAGEMENT ASSERTION

SECTION III
DESCRIPTION OF CONTROLS PROVIDED BY SVB ASSET MANAGEMENT

SCOPE OF REPORT

This report describes certain controls of SVB Asset Management (SAM) related to its management of and financial reporting for client assets as a Registered Investment Advisor (RIA). It is designed to provide information for use by SAM’s corporate clients and their independent accountants who audit the financial statements of an entity that uses SAM as a service organization for third-party management of corporate assets.

OVERVIEW OF SVB ASSET MANAGEMENT

SVB Asset Management (SAM) is a Securities and Exchange Commission (SEC) registered investment advisor that manages fixed income portfolios primarily for public and private corporations. As of August 31, 2014, SAM had 461 corporate clients with over $17.0 billion of assets under management. Approximately 70% of its assets are from public firms. All of SAM’s clients require specific, regular and detailed disclosure around the status of their portfolios, including regular examination of the controls in place around its asset management service.
SAM provides timely and comprehensive asset accounting reporting to its clients as well as regular performance, risk and compliance verification reporting. Additionally, the firm claims compliance with the Global Investment Performance Standards (GIPS®), which serve as best practice standards for the calculation and presentation of client and overall portfolio performance.

SAM’s headquarters are at 555 Mission Street, Suite 900, San Francisco, CA 94105, and it has sales and service offices in Boston, New York, Palo Alto, Phoenix, Portland, Santa Clara, and Seattle.

DESCRIPTION OF SERVICES PROVIDED BY SUBSERVICE ORGANIZATIONS

SAM utilizes a number of third-party service providers in its normal course of business to provide a variety of value added services. Significant third parties include custodial services (U.S. Bank), client communication and reporting (Clearwater), and trading and reconciliation (Bloomberg). Control activities provided by these third-party providers are not included in this report. The key third-party providers and the services they perform for SAM are described below.

Custodial Services

SAM has a relationship with U.S. Bank through its Institutional Trust & Custody (IT&C) division, which focuses on custody, retirement, and investment services for institutional clients, and is a division of U.S. Bancorp’s Private Client, Trust and Asset Management practice. The custody service covers the following:

• Independent third party custody and safekeeping of all securities through the Depository Trust Company (DTC), the Federal Reserve book-entry system, and other depositories and custodians,
• Collection of interest and dividends for all securities SAM holds. Most income, with the exception of securities with a late or nonpayment history, is posted on the payable date and is available for investment the same day,
• Notification and processing of voluntary actions (e.g., tenders, puts, rights), mandatory actions (e.g., calls, exchanges), and other corporate actions (e.g., tender offers, class actions),
• Settlement of trades directly with brokers or through the DTC and the Federal Reserve book-entry systems. Trades are settled on a delivery versus payment method. Settlement policies are designed to maximize predictability of funds and investment returns. Purchases and sales are posted on actual settlement date in immediately available funds,
• Collection of principal and interest on called bonds, redemptions, and maturities, with proceeds credited to the account, and;
• Cash Sweep. All available cash in accounts is automatically invested on a daily basis, except permissible amounts held un-invested, typically for operational reasons.
• Monthly reporting on statements. Monthly statements list all transactions and assets on a settlement date or trade date / full accrual basis. Summary reports contain management information that can serve to independently verify balances and transactions with SAM’s reporting.

SAM reviews the SSAE 16 reports on controls (SOC1 reports) for Clearwater and U.S. Bank on a regular and ongoing basis.

Clearwater Analytics, LLC

SAM uses Clearwater Analytics (Clearwater) as a third-party reporting and reconciliation service for its clients. Clearwater also provides tools for verification of compliance, risk and performance measurement. In order to do this, SAM relies on the pricing provided by Clearwater.

Bloomberg

Bloomberg AIM is the trading system used to manage client orders and executions. Trades are transmitted electronically via SWIFT messaging to U.S. Bank. In addition, Bloomberg Gateway is used to receive daily cash and position files from U.S.
Bank for reconciliation against the Bloomberg AIM system. Bloomberg is also responsible for setting up new securities in the Bloomberg AIM trading system. New securities and maintenance of the security data are managed by the Bloomberg back-office team.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT, AND MONITORING

The most widely used framework for internal controls in US organizations was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). To help ensure that operations and entity level controls are effective, the Company has processes in place for each of the key elements of the 1992 version of the COSO model: Control Environment, Risk Assessment, Monitoring, Information and Communications, and Control Activities.

CONTROL ENVIRONMENT

Ethics and Compliance Administration

SAM, in conjunction with its parent, SVB Financial Group, maintains clear processes and practices around its hiring practices, compliance policies and procedures, and its Code of Ethics to ensure the appropriate qualifications, training, and control environment exist for all employees of SAM. Applicants must meet educational and experience requirements deemed relevant to the execution of their duties, and background checks are conducted prior to employment. Once hired, employees must sign an acknowledgement agreeing to abide by the policies and procedures of the firm, the SAM Code of Ethics, and the SVB Code of Conduct. Finally, all new employees are provided with detailed internal training that emphasizes critical components of SAM’s compliance programs.

In order to document the compliance programs, SAM has detailed policies and procedures designed to facilitate compliance with regulatory rules and regulations. These include SAM’s Compliance Policies and Procedures Manual and SAM’s Code of Ethics Manual, which are provided to all employees.
SAM’s Compliance Policies and Procedures Manual details all supervisory methods employed to properly supervise its business and comply with SEC Rule 206(4)-7. SAM’s Code of Ethics (Code) is designed to detail the high conduct standards to which SAM employees are held and to comply with Advisors Act Rule 204A-1. This Code is provided to all employees by the Compliance Department staff upon employment and annually thereafter. Every employee must acknowledge receipt and review, and pledge adherence to the Code in writing. This Code includes:

• Rules governing conflicts of interest (non-compliance with the conflict of interest policies may result in internally imposed fines or dismissal from SAM),
• Prohibitions from engaging in initial public offerings (IPOs), private placements or limited offerings without pre-approval. Employees’ security transactions in their personal accounts are reviewed quarterly for potential conflicts of interest. In addition, an annual securities account listing is required to be submitted by each employee.
• Insider trading prohibition and policy,
• Rules of conduct, including limitations on receiving gifts and involvement in certain activities apart from SAM,
• Policy on protecting the confidentiality of client information, and;
• A statement that SAM maintains a separate written detailed Compliance Policies and Procedures Manual.

A prerequisite to providing quality service for SAM’s clients is employees that are adequately trained in their respective job duties. In this regard, each department provides supervised, functional on-the-job training to all new employees and recurring training for all employees.

Organization and Personnel

SAM is a wholly-owned subsidiary of SVB Financial Group (SVBFG), a California State chartered bank and member of the Federal Reserve System. SVBFG provides a variety of essential services to SAM including information technology, human resources, and administrative support.
SVB Asset Management (SAM) is an affiliate of:

• SVB Securities, a licensed Broker Dealer and member of Financial Industry Regulatory Authority (FINRA) and Securities Investor Protection Corporation (SIPC). Some employees of SAM are dual employees of SAM and SVB Securities,
• SVB Financial Group UK Limited, a licensed entity with the Financial Services Authority in London, England,
• SVB Analytics, a wholly-owned subsidiary of SVB Financial Group, which provides valuation opinions to support client management pricing decisions for newly issued employee stock options, and;
• SVB Wealth Advisory Inc., a wholly-owned subsidiary of SVBFG, which offers comprehensive wealth advisory services to private clients, leveraging a deep understanding of private investments, cash flow issues and the investing lifecycle.

The following diagram depicts the relationship between SAM and its parent company, SVB Financial Group, and its other wholly-owned investment subsidiaries, as of September 30, 2014, except as indicated.

SVB Financial Group
Ticker: SIVB
Market Cap: $5.812 B
Assets: $33.309 B
1,786 employees, 28 U.S. offices and 4 international subsidiaries in India, China, Israel, and England
*as of 6/30/14

Silicon Valley Bank
A state member bank regulated by the Federal Reserve Board and CA Department of Business Oversight

SVB Asset Management
Registered Investment Advisor with SEC
• $17.41 B in client assets
• 471 clients
Fiduciary oversight of client cash management per our clients’ investment policies.

SVB Securities
Registered Broker Dealer with FINRA
• $3.34 B in client assets
• 716 clients
Self-directed platform allows firms to choose from a variety of money market mutual fund solutions.

All clients utilize 3rd party custody and independent reporting benefits.
Description of Organization, Services, and Processing by Department

SAM’s organizational structure is established along the functional lines of Portfolio Management and Trading, Marketing/Sales Services, Operations, Portfolio Advisory, Credit Research and Compliance. Inherent to this structure is the principle of segregation of duties, in which no one person has the responsibility of making investment decisions, processing transactions, or approving transactions.

The following is a brief description of functional responsibilities and procedures for key areas as of September 30, 2014:

Portfolio Management & Trading

Investment decisions and dealer trades are performed by designated Portfolio Managers (PMs) and Fixed Income Trader. The PMs and Fixed Income Trader report to the Head of Portfolio Management & Investment Strategy (HoIS), who is the chair of the Investment Committee and reports to the President of SVB Asset Management; HoIS only deals with authorized brokers approved by the SAM Investment Committee. The list of authorized brokers is maintained by the compliance group.

SAM utilizes the Bloomberg AIM trading system to provide pre-trade compliance and help ensure that securities conform with client investment policy (IP) parameters before being applied to client portfolios. Parameters include credit rating, average and maximum maturity, liquidity requirements, concentration limits, and prohibited securities. SAM does not trade on margin on behalf of any of its clients.

In March 2013, SAM initiated a project to perform a detailed review of all Bloomberg rules and investment policy configuration setups and update their programming logic where appropriate. During 2013, interim processes were developed to manually monitor trade compliance in conjunction with existing automated checks being performed through the trading system and reporting system compliance modules.
SAM tests Bloomberg compliance rules against test accounts and client accounts based on their stated IP and client-directed guidance.

The portfolio manager (PM) and the portfolio advisor (PA) cross verify the client investment policy and any subsequent investing preferences to the trading system configuration report and cross verify the client investment policy to the reporting system configuration report within 10 business days after trading has commenced (new accounts),

October 1, 2013 to December 31, 2013

A manual trade review process is followed including pre and post trade checks for clients not yet configured for automated compliance monitoring (auto trade) as part of the trading system rule coding project. Trades in accounts on manual trading are compared to the client investment policy and preferences and are reviewed by two members of PM before the trade is executed. After execution, the trade is reviewed by two members of the management team. Accounts that are on an auto trade status follow the PM and PA cross verification process after all their investment policy rules have completed testing.

To execute trades, trade tickets are prepared via Bloomberg AIM by an authorized trader and transmitted to the appropriate custodian for trade settlement. The authorized trader verifies transaction details to custodian confirmations for all transactions. Transactions are executed by SAM as an agent for its customers.

Securities transferred into SAM client accounts are reviewed and approved for suitability and credit risk prior to receipt by the PM and Credit Research.

Portfolio Managers conduct a quarterly review with clients to discuss current holdings and portfolio performance and to discuss investment strategy.

The HoIS or his Designee reviews trade overrides and provides a monthly trade exception report to the Head of Investment Operations (HoIO) or Designee. PMs, traders, and the HoIS are required to place trading notes for each trade override.
The HoIS and the Sr. Manager of Operations review and sign off on the monthly report. Post-trade compliance is monitored using Clearwater. Beginning in June, SAM also started using Bloomberg to monitor for post-trade compliance. Authorized traders are responsible for reviewing trade errors and for ensuring that trade errors are corrected per SAM’s trade error policy.

Marketing/Sales Services

The Sales Services group is responsible for the origination of new business and continued communications between SAM and its clients. The Marketing department is responsible for the generation of published literature that is presented to existing and potential clients.

Operations - Portfolio & Corporate Accounting

The SAM Operations group (Operations) is responsible for performing reconciliations of client portfolios to client designated prime brokers and/or custodian banks. It also performs position reconciliation between its custodians and Bloomberg AIM. Operations investigates and resolves differences on a daily basis. Configuration of position reconciliation reports is housed in Bloomberg Gateway, which serves as the central data hub for Bloomberg AIM (trade system) and external custodial position data. SAM business restricts access to the Gateway and reviews access lists monthly.

Positions originate in Bloomberg AIM and are delivered to Bloomberg Gateway via a secure file transfer protocol (FTP) transmission. Custodial position data is also delivered to Bloomberg Gateway via a secure FTP transmission and reconciliation reports are automatically generated. Failures due to corrupted data are captured in the Gateway event log and prevent the reconciliation reports from generating. In the event that reconciliation reports fail to generate, the Operations team will submit a request to support to open Bloomberg Gateway and re-run the reconciliation reports. Tickets are tracked through SVB’s Help Desk ticketing system.
Bloomberg application support will also investigate what specific data corruptions occurred and either reach out to Bloomberg or the custodians for resolution. Discrepancies in positions between Bloomberg AIM and the custodian are flagged as exceptions on the daily reconciliation report.

With the exception of commercial paper, Bloomberg is responsible for setting up new securities in the Bloomberg AIM trading system. New securities and maintenance of the security data are managed by the Bloomberg back-office team located in Princeton, NJ. SAM periodically performs a due diligence review of the processes and procedures Bloomberg uses to ensure accuracy and timeliness of data.

SAM utilizes SWIFT messaging via the Bloomberg network to communicate trades to brokers and the custodian. In the event Bloomberg errors are identified, the broker would alert SAM and the tickets would be re-issued. SAM has never experienced trade failures or errors that result from inconsistencies with Bloomberg data because all partners utilize the same data provider. Bloomberg engages with debt issuers and receives direct feeds into their back-office that are used to create and update security data.

Clearwater is a third-party vendor that provides client asset reporting functionality to SAM. One of the services provided by Clearwater is calculation of the monthly rates of return for client portfolios. The SAM GIPS Committee is responsible for maintaining SAM’s client portfolios in compliance with the Certified Financial Analyst (CFA) Institute’s GIPS®. Individual portfolio performance is calculated by Clearwater. Clearwater also provides ongoing reporting of individual client asset activity and investment policies.

The Operations team is also responsible for basic support processes related to the opening of new accounts. The client account opening documents include SAM Discretionary Account Agreement, U.S.
Bank Custody Agreement, W-9, and Articles of Incorporation (or similar identifying documentation). The Operations team reviews these documents for completeness and performs a Customer Identification Program (CIP) and Office of Foreign Assets Control (OFAC) review. Documents are approved by an authorized signer and submitted to U.S. Bank to open the account. Upon modification or termination of an account, Operations is responsible for coordinating the change or closing the account. Key documents pertaining to client accounts and terminated accounts are scanned and maintained with other active account documentation in cabinets in a secured location on site in the San Francisco office.

The Operations team is responsible for approving and processing wired funds (incoming and outgoing). Outgoing wire instructions are either transmitted by the client via SVB eConnect or emailed/faxed manually to the Operations area. Available funds are verified as well as client authorization. Approval is required by SAM personnel and documented on the wire paperwork. SAM authorized client wires are sent to U.S. Bank, who then transmits the funds per client instructions. The authorized signer’s list delineates SAM approval requirements for same name and third party wires. All third party beneficiary wires (for incoming wires) and third party remitters (for incoming wires) are reviewed against the OFAC list. Incoming wire notices are sent to SAM via email by U.S. Bank. All wires are entered in Bloomberg for processing daily. Daily wire packets are created with all wire documentation and are reviewed by a preparer and reviewer. At a minimum, the HoIO or Designee performs a daily review of all third party wires and a weekly review of a full daily wire packet to ensure that appropriate approval was obtained and evidenced.
Additionally, all third party wires are reviewed on a quarterly basis by the Compliance Department to ensure that appropriate approval was obtained and evidenced.

Monthly management fees are calculated using reconciled, month-end Clearwater position data that is received from Clearwater via secure FTP. Positions are loaded into the billing system and fee calculations are performed based on the fee schedule described in SAM’s Discretionary Account Agreement. The agreement is signed by both parties prior to opening the account. Fee data is extracted from RevPort, a fee-calculation system, and reviewed and approved prior to manual transmission of the fee transaction data to the asset custodian. The custodian then charges the fees to the respective client portfolios. The transaction is reflected on the monthly client statement.

Operations staff reports to the Head of Investment Operations. The Head of Investment Operations reports to the President of SVB Asset Management.

Portfolio Advisory

Portfolio advisors (PAs) support the accounting, audit, and relationship requirements of SAM’s corporate clients by advising the client on a variety of portfolio management topics such as liquidity, portfolio reviews, audit support, investment horizons, and funds transfer. The PA group, in conjunction with the PMs, manages the client’s Board approved Investment policies in Clearwater, SAM’s third party reporting software. Access to Clearwater is controlled by the Operations group who monitors new, terminated and transferred employees on a weekly and monthly basis to ensure that access to the system is appropriate.

Daily Compliance: The Portfolio Advisory team receives a compliance report from Clearwater via email on a daily basis. The assigned PA will review the email by the end of each day and save a soft copy to the daily compliance folder.
If there is a new violation on the daily compliance e-mail, on that day, the PA responsible for that account must provide details and any supporting documentation showing resolution or reason for violation. The Portfolio Advisory team will ensure the violations that appear on the logs match the violations that appear on the Clearwater daily compliance report emails. On a bi-weekly basis the Head of Portfolio Advisory (HoPA) will review the log and sign off validating that the logs and emails were completed and saved.

Investment Policy creation: At account inception and when a new investment policy has been provided, the PA for the client enters the investment policy parameters into Clearwater to create a Portfolio Compliance Policy report. This report is reviewed and signed by the respective PM and PA for the account. It is then saved in the client’s investment policy (IP) folder. Clients that fund before IP guidelines are provided are invested in money market funds. Transition calls are performed for all clients who are set up to trade, to confirm IPs are accurate.

PAs also assist in reviewing the account agreements, restrictions, and guidelines as they relate to money market fund sweep options or fees, and facilitating the establishment of each account in the various systems utilized by SAM. They verify available cash and securities upon inception of the account. PAs also work alongside the PMs to handle critical customer calls and email requests.

Monthly reports are available to clients via Clearwater within one business day of the close of their reporting period (either month-end or client-specific close dates) and include schedules such as: summary reconciliation, compliance verification, amortization & accretion, general ledger entries, purchases and sales, realized gains & losses, transaction history, holdings by type and by maturity, yield to maturity, and accrued interest.
These and other accounting, risk and compliance schedules are also available on-demand intra-month. Performance reports, available to clients in Clearwater, are updated daily and include: Compliance Verification, Performance vs. Appropriate Benchmarks, Yield to Maturity Analysis, Concentration and Maturity Analysis, and Time Weighted Return Analysis. SAM also provides a monthly newsletter including commentary, overview of the money market environment, economic release calendar, and news from the technology and life science sectors.

PAs report to the HoPA who reports to the President of SVB Asset Management.

Credit Research

The Credit Research group is responsible for recommending, approving, monitoring and reviewing all issuers authorized for investment for SAM clients. SAM implements a rigorous credit review process to assess issuers and asset classes before recommending them for inclusion as possible options for a client’s investment portfolios from a credit viewpoint. The team’s credit research generally includes, among other things, conducting extensive analysis of the issuers and the applicable industry or sector as well as reviewing financial publications, corporate rating agency reports, selected issuer filings with the SEC or press releases, independent third party research and other material items that might be relevant. Additionally, investments are subject to on-going credit surveillance.

In addition to conducting its own fundamental financial analysis, the Credit Research group thoroughly reviews research from third parties including Moody’s, Standard & Poor’s (S&P), and Fitch. The Credit Research group monitors approved issuers for information that may have material negative impact to the credit risk of an issuer or its related industry. The Credit Research group maintains a list of credit related rules within the Bloomberg AIM trading and compliance system to ensure that the portfolios follow the credit approvals and limits that are implemented.
The Credit Research group also reviews all incoming securities transfers, which are then approved by the HoIS, HoCR (or Designee) and HoIO. Credit Research reports to the Head of Credit Research (HoCR). The Head of Credit Research reports to the President of SVB Asset Management.

Compliance

The compliance function is managed by members of the SVB Financial Group Corporate Compliance (Compliance) department. Among other tasks, the Compliance department conducts an annual policy and procedures review. The Compliance department manages the annual certification by employees to the SAM Code of Ethics, and provides annual compliance training. The Compliance department also completes annual testing of policies and procedures for SAM.

Regulatory Environment

SAM is registered with the SEC under the Investment Advisers Act of 1940 (Advisers Act) and, as such, is subject to the regulations of the Advisers Act. SAM files an updated registration no less than annually and is subject to periodic examinations by the SEC.

Risk Assessment

SAM prepares an analysis of its inherent risk level based on its business and the regulatory environment. This risk level is then assessed against mitigating controls in place to determine a residual risk rating on each area. SAM has a risk assessment program made up of the following components:

- SAM management documents its processes and key financial controls within a Sarbanes-Oxley narrative document. This narrative is updated quarterly by management, and the Internal Audit (IA) department evaluates the design and operational effectiveness of these controls annually. In addition, IA may perform periodic internal audits of SAM. These audits are risk-based and may include testing of financial and operational controls and compliance with applicable laws and regulations;
- On an annual basis, the Compliance department of SAM reviews the prepared assessment of the risks associated with SAM primarily from the compliance and regulatory perspective. The risks are documented in the SVB Asset Management Compliance Risk Assessment and are revised annually and tested as part of the annual review process; and
- On an annual basis, SAM management works with the Enterprise Risk Management (ERM) group to review risks to the business in areas such as legal, human resource, compliance, and financial reporting. These risks and corresponding controls are documented and reviewed by SAM management and the ERM review committee annually.

MONITORING

SAM and IT managers in their supervisory roles are responsible for reviewing internal controls, conducting periodic meetings, and reviewing the status of key projects. The senior managers and, when appropriate, the entire team under the Portfolio Management, Portfolio Advisory, and Operations teams participate in those meetings. Efforts are made to ensure practices and procedures are in accordance with the SEC registration requirements of SAM and that the outcome of these efforts results in timely and accurate compliance. The Chief Compliance Officer periodically holds training sessions and conducts meetings to facilitate the exchange of information and changes to regulatory guidelines, while raising and resolving questions to ensure the requirements are met and the decisions made are documented.

SAM has in place tools and procedures to monitor client assets, potential risks to client principal, and the safety and security of client information and client data. This is achieved through a daily reconciliation process that integrates custodian-provided data and data from the portfolio compliance and trading systems.
SAM additionally places reliance on the reconciliation that the client data reporting partner, Clearwater, performs with the asset custodian. These complementary systems are central to procedures that are conducted and run on a daily basis.

INFORMATION AND COMMUNICATION

COMMUNICATION

SAM’s management has established several key committees to ensure effective oversight of SAM’s business and fiduciary activities. The following is a description of the functions and responsibilities of the key committees and team meetings that are generally considered to be part of the control environment.

| Committee/Meeting | Role/Participants | Meeting Frequency |
|---|---|---|
| Investment Committee | Responsible for reviewing changes in approved issuers, brokers, investment strategy, market analysis, strategic initiatives, compliance environment (Attendees: President of SVB Asset Management, Investment Committee members, Head of Investment Strategy & Portfolio Management, Chief Credit Officer, and Credit Research team). | Monthly |
| Investment Strategy Meeting | Responsible for reviewing procedures for investments, portfolio strategy, and segregation of duties (Attendees: Portfolio Management team, Portfolio Advisory team, and Credit Research team). | 6 Week Intervals |
| SAM Team Meeting | Monthly meeting to review business activity, client issues, business process, and bank wide perspective (Attendees: President of SVB Asset Management, Operations team, Portfolio Management team, Portfolio Advisory team, Credit Research team, Compliance group, and Marketing group). | Monthly |
| PA/Ops Meeting | Responsible for reviewing incoming/outgoing wires, outstanding client facing issues, and other responsibilities shared by the Operations and Portfolio Advisory team (Attendees: Portfolio Advisory team and Operations team). | Monthly |

INFORMATION SYSTEMS

Overview

SAM makes use of various information systems to foster communication and provide financial reporting internally and externally.
The following describes the Information Technology (IT) organization utilized by SAM and key aspects of the IT general control environment. SVBFG’s IT Group provides SAM with centralized IT services and is responsible for data security, user support, day-to-day technical support for bank-wide applications and systems software, development support for in-house developed applications, hardware and network facilities, as well as the backup and recovery services for all of SAM’s computerized data and information.

Description of Information Technology Organization

The Information Technology department is comprised of the following core functional teams: IT Business Management, Technology Office, Quality Assurance & Release Management, IT Client Services, IT Operations, Technology Project Management Office, Architectural Review Board and System Change Management. These teams collectively provide SVB and its subsidiaries with technical business and industry application expertise to deliver and support technology which enables the overall bank strategy and core business focus.

The IT Business Management team supports SVB’s businesses by providing quality controls, risk assessments, management, regulatory & compliance frameworks, systems quality assurance, and support programs. As an integral part of IT, IT Business Management works to improve SVB’s relationship with its internal and external clients by providing the tools, information and best practices that are necessary to support and grow the company through stronger communication and knowledge.

The Technology Office is primarily focused on forward looking activities such as delivery and Research & Development. The Technology Office provides technology leadership, standards and procedures, and implementation skill sets for the IT department.

The Quality Assurance & Release Management team ensures quality solutions, methods, tools & resources, as well as well planned and coordinated software releases.
The IT Client Services team covers the management of systems’ health within various business units, the development process through business analysis, and Tier 3 & 4 support for core technologies within the support structure. This functional area also provides direction and technical leadership, and facilitates actionable solutions providing value to their business partners. They also focus on the organization's ability to process data and share information in an efficient and cost-effective manner by delivering a framework of strategy, architecture, governance, and standards.

The IT Operations team is responsible for the server, storage, network, and data center infrastructures, and for ensuring systems are available in support of SVB business units.

The Technology Project Management Office is responsible for improved project methods and tools, reporting and discipline, and partnering with the Enterprise Project Management Office.

The Architecture Review team covers the IT domains of architecture, design and implementation (i.e. business, security, networking, infrastructure, operational, application, information and support) on each initiative.

The System Change Management team defines standard methods and procedures for the efficient and prompt handling of changes to the SVBFG production environment. The goal is to safeguard the integrity, reliability and security of the production environment, including business applications and services.

Processing Environment

The processing environment for SAM comprises vendor-packaged applications that support SAM’s business processes. These systems are utilized for maintaining portfolio models, portfolio construction and securities transaction processing, and client reporting. There are separate quality assurance (QA), user acceptance testing (UAT), and production servers for vendor applications. SAM operating environments adhere to strict operating standards that are unique for each environment.
Production applications are housed on separate servers with unique databases to ensure separation of system information and to control the active directory group membership. SAM specific information is kept on a unique network with access limited to SAM business and support personnel. SAM data interfaces with SVB’s data warehouse, where adjunct reports can be run by various personnel in finance, accounting, and client service teams. User authentication is mainly based on corporate Active Directory. Production access is granted upon user access approval by the manager and application owner. There are monthly operating system and database maintenance activities, but application maintenance such as version upgrades or required patches is performed on an as-needed basis, managed through SVB project controls and executed by SVB IT channels.

Applications that support portfolio management and trade processing at SAM include, but are not limited to, the following:

- Clearwater – This vendor-managed portfolio reporting system is used to generate SAM’s client reports. Clearwater receives client data from the asset custodian on a nightly basis, and provides reporting of investment activity and performance;
- RevPort – This vendor-packaged system is used to calculate fees based on data feeds from Clearwater describing client assets under management (AUM) and their pricing, and agreed upon fee arrangements; and
- Bloomberg – Bloomberg AIM is the trading system used to manage client orders and executions. Trades are transmitted electronically via SWIFT messaging to U.S. Bank. In addition, Bloomberg Gateway is used to receive daily cash and position files from U.S. Bank for reconciliation against the Bloomberg AIM system. Additionally, Bloomberg is responsible for setting up new securities in the Bloomberg AIM trading system. New securities and maintenance of the security data are managed by the Bloomberg back-office team.
Information Technology General Controls (ITGC)

Identified below are the ITGC processes and control activities that support SAM’s processing environment.

Computer Operations

The IT Operations group is responsible for oversight of computer operations controls that provide reasonable assurance that computer operations are properly controlled and monitored and operational failures are identified and resolved. Production-related systems are situated in a restricted, environmentally controlled data center protected against fire, water, and power outages. Systems are monitored continuously for availability, and monitoring is enhanced by automated reporting capabilities in the event of a network issue. Trend analysis is periodically performed to identify critical problems that require further attention.

Incident management is handled by the End User Services (EUS) group, which documents incidents in tickets and routes the tickets to the appropriate IT support group. IT managers and the application support personnel review a weekly report on aged tickets to monitor for appropriate disposition.

The IT Operations group is responsible for data backup and recovery. SAM applications and data are protected with systems that are configured with redundant disk arrays, and applications and data are backed up on a nightly basis. The IT Operations group monitors backups on a daily basis for failures and communicates to IT Management for rerun when necessary. All backup tapes are stored offsite.

Program Development

SVB Financial Group’s project management process follows the SVB project development methodology known as the “Control Framework”. This System Development Life Cycle (SDLC) methodology is modeled on common industry best practices and is aligned with the Project Management Institute (PMI) methodology standards.
The methodology utilizes controls designed to provide reasonable assurance that new systems, applications and operating system installations, and development are prioritized, authorized, tested, properly implemented, and documented.

Three committees (Product Development (PDC), Banking Operations (BOC), and Enterprise Infrastructure (EIC)) review and prioritize projects in an annual review; each committee chairperson provides final approval based on these recommendations. Approved projects are documented in the Project Approval Report published by the Enterprise Project Management Office. Approved projects are assigned a project manager from the Technology Project Management Office who organizes the team and the work and is responsible for developing the project charter. Working in conjunction with the Project Management Center of Excellence, the project manager documents the minimum deliverables from the IT Control Framework that must be met by the project.

The project delivery methodology follows formal stages governing planning, requirements, design, development, testing, and implementation. Functional testing is performed by either the Quality Assurance (QA) group or by testers assigned to the project team. The business owner is responsible for assigning resources to perform user acceptance testing (UAT).

Separate environments exist for development, testing (QA and UAT), and production. On a quarterly basis, developer access to the separate environments is reviewed by the IT Operations Manager to ensure appropriate segregation of duties for systems developed by the IT Development team. Production environment access is limited to the IT Operations team. Developers are restricted from having access to the QA and UAT environments, as well as to the production environment.

Production-ready projects are documented using the Production Change Control (PCC) process.
The PCC form must be approved by IT Operations management before the changes are moved to production. Implementation occurs after approval by IT management and agreement by the business owner that the solution is appropriate. Relevant documentation is completed and an implementation strategy with corresponding procedures, including back out procedures and an escalation call list, is documented for each project prior to the actual production implementation.

Program Change

Change requests are submitted in the form of a business case to the Enterprise Project Management Office (EPMO). The EPMO reviews the changes and submits the request for approval by one of three sub-committees depending on the nature of the change (infrastructure, operations, or products). Approved change requests are prioritized by the EPMO office. Change requests also adhere to the Control Framework. Where applicable, development testing is performed, after which a final version is presented to the business for UAT and sign off. Upon completion of UAT, the business will make a determination that the system is fit for use (“Go Live” approval) and IT senior management will review that the developed solution has met IT standards for deployment (Implementation Readiness), review documentation for completeness, and finally approve the code and system infrastructure changes to be released into production environments. Once these approvals have been received, the solution is ready for implementation into production.

At critical milestones of the SDLC (i.e., project charter, requirements definition, design documentation, QA/UAT testing, go live, production readiness), authorization is obtained from the stakeholders of the project.

Emergency Changes

Occasionally system problems are identified that require an expedited emergency change to be initiated.
In such cases, an e-mail or verbal request is made to the IT Operations Director or the IT Head of IT Client Service for authorization to make the emergency change. It is then followed up retroactively with a PCC form, which has a section that marks the change as already completed. All emergency changes still require the creation of an application support ticket, per the normal IT change process, to track all requests submitted by business users for any type of maintenance. The ticket will be classified as an incident so that it is expedited and tracked accordingly.

Logical Security

SAM utilizes SVBFG’s Information Security program as approved by the Board of Directors. The Information Security program has been published and communicated to all employees. All SVBFG employees are required to attend information security training annually. New employee orientation training includes information security topics.

User administration is performed by SVBFG’s End User Services (EUS) group, which forwards access requests approved by the respective business owner to the appropriate provisioning authority. Network account requests are created automatically via a feed from the HR system when an employee is hired or a contingent worker is brought on board; database user account access requests are provisioned by the database support team; and the application support team provisions application access requests.

The business unit monitors monthly reports to ascertain appropriateness of user access to applications, file folder access, and Active Directory group memberships for their respective business unit applications. Inappropriate access is disabled if identified. Through weekly notification from Human Resources, EUS disables and deletes application and database accounts. Network accounts are automatically disabled upon termination.
Privileged access is audited by Information Security on a quarterly basis to help ensure privileges remain commensurate with job responsibilities. Information Security performs daily monitoring of SAM database administrator (DBA) IDs. Additionally, the user privilege logs are reviewed by SAM business owners to ensure proper application membership is enforced as duties and responsibilities shift. In the event changes are necessary, an application support ticket is submitted to begin work on application membership. Once the work is complete, the ticket is closed by application support and the completion of work is confirmed back to the business owner. Application membership logs are reviewed and signed off monthly by the business. SAM-specific applications require user identification and authentication for access, and the use of passwords.

Physical Security

Physical access to IT facilities is controlled through use of a proximity badge and administered by Facility Security as approved by the IT Operations Director. On a semiannual basis, the IT Operations manager reviews the list of personnel with access to the data center both in SVB’s headquarters in Santa Clara, California and SVB’s redundancy center in Salt Lake City, Utah for appropriateness. Only approved personnel have access to physical servers in both locations, and access is restricted to IT and facilities personnel only.

Upon notification from Human Resources, SVBFG’s Facility Security group disables the access cards on the last day worked for terminated employees. Individuals who have lost or damaged their access badge are required to notify SVB Security in order for the badge to be disabled and to have a new badge issued. The access badge is returned to the Facility Security group during the terminated employee’s exit interview.
CONTROL OBJECTIVES AND RELATED CONTROLS

SAM’s control objectives and related controls are included in Section IV, Control Objectives, Related Controls, and Tests of Operating Effectiveness, of this report to eliminate the redundancy that would result from listing them in Section III and repeating them again in Section IV. Although the control objectives and related controls are included in Section IV, they are nevertheless an integral part of SAM’s description of controls.

COMPLEMENTARY USER ENTITY CONTROLS

SVB Asset Management’s controls were designed with the assumption that certain controls would be implemented by user organizations. In certain situations, the application of specific controls at user organizations is necessary to achieve certain control objectives included in this report. In such instances, the required user-organization controls are identified under the related control objective in Section IV of this report.

This section describes additional controls that should be in operation at user organizations to complement the controls at SVB Asset Management. The list of complementary user entity controls presented below does not represent a comprehensive set of all the controls that should be employed by user organizations. Other controls may be required at user organizations. User auditors should consider whether the following controls have been placed in operation at user organizations:

Complementary User Entity Control(s) Related Objective(s)

Users should maintain sufficient controls to ensure that instructions and information communicated to SAM are in accordance with the provisions provided in the Discretionary Account Agreement (DAA) or any other applicable governing instrument between SAM and the user.

Users should maintain sufficient controls to ensure that investment guidelines or restrictions are properly communicated to SAM, as appropriate.
Approved changes to investment guidelines or restrictions should be communicated promptly and in writing to SAM.

Users should maintain sufficient controls to ensure that the reports from the custodial service providers and reporting service providers are periodically reviewed.

CO-01 Client Agreement

Users should assess the appropriateness of the source of pricing data utilized by the reporting service provider.

Users should periodically review the accuracy of investment policy configuration maintained within the reporting service provider system.

Users should maintain sufficient controls to ensure that the names of individuals authorized to direct activities related to client user accounts, and changes therein, are communicated promptly and in writing to SAM.

CO-01 Client Agreement CO-02 Portfolio Management CO-04 Record-keeping (Corporation Actions Investment Income) CO-04 Record-keeping (Corporation Actions Investment Income) CO-02 Portfolio Management CO-04 Record-keeping (Corporation Actions Investment Income) CO-01 Client Agreement CO-02 Portfolio Management

Users should maintain sufficient controls to ensure user account statements received from Clearwater and Investment Policies established in Clearwater are reviewed promptly and carefully; discrepancies should be reported to SAM in a timely manner.

Users should be familiar with SAM’s Disclosure Statement included as part of each user account statement package and should understand the scope of reports available based on the type of account they hold.

Users should work with their independent auditors in assessing the impact of the accounting policies as presented in this Disclosure Statement if user account statements are used for external financial statement and reporting purposes.
CO-01 Client Agreement CO-01 Client Agreement CO-01 Client Agreement CO-02 Portfolio Management

SECTION IV

CONTROL OBJECTIVES, RELATED CONTROLS AND TESTS OF OPERATING EFFECTIVENESS

SVB ASSET MANAGEMENT (SAM) OPERATIONAL CONTROLS

BACKGROUND

This section includes KPMG LLP’s (KPMG) tests of operating effectiveness. The control objectives and related control techniques placed in operation have been provided by SVB Asset Management (SAM) and form an integral part of their testing description of controls.

Client Agreement

Control Objective # 1: Controls provide reasonable assurance that accounts are established in SAM’s systems after proper approvals are received.

1.1
SAM’s Description of Controls: New account opening documents are reviewed and approved by SAM clients, SAM management and by the asset custodian.
KPMG’s Tests of Operating Effectiveness: Inspected the account opening documents for a selection of new accounts to determine whether the documents had been appropriately approved.
Results of Testing: No exceptions noted.

1.2
SAM’s Description of Controls: SAM personnel (PM/PA) conduct a transition call with the client to verify the Investment Policy (IP) guidelines, investment objectives, and any additional instructions.
KPMG’s Tests of Operating Effectiveness: Inspected the “Transition Call” notes for a selection of new accounts to determine whether the a) IP guidelines, b) investment objectives, and c) any additional instructions provided by the client during the transition call were appropriately incorporated into the account configuration.
Results of Testing: No exceptions noted.

Portfolio Management

Control Objective # 2: Controls provide reasonable assurance that client investment guidelines/restrictions are properly maintained and adhered to.

2.1
SAM’s Description of Controls: System access to add, change or delete client investment guidelines/restrictions in the trading system and in the reporting system is restricted to authorized individuals.
KPMG’s Tests of Operating Effectiveness:
- Inspected the user access setup of the reporting system to determine whether the user access to add, change or delete client investment guidelines/restrictions is restricted to the Investment Services Advisory group.
- Inspected the user access setup of the trading system to determine whether user access to add, change or delete client investment guidelines in the trading system is restricted to the Operations group.
Results of Testing: No exceptions noted.

2.2
SAM’s Description of Controls: The portfolio manager (PM) and the portfolio advisor (PA) cross verify the client investment policy and any subsequent investing preferences to the Bloomberg CMGR report within 10 business days after trading has commenced (new accounts).
October 1, 2013 to December 31, 2013: A manual trade review process is followed in addition to pre-trade compliance checks in Bloomberg for clients not yet approved for auto trading as part of the trading system rule coding project. Trades in accounts on manual trading are compared to the client investment policy and preferences and are reviewed by two members of PM before the trade is executed. After execution, the trade is then reviewed by two members of the management team.
KPMG’s Tests of Operating Effectiveness:
- Inspected documentation for a selection of new customers to determine whether the IP guidelines entered into the trading system were cross verified by the PM and PA timely within 10 business days.
- Re-performed the cross verifications for a selection of new and existing clients to determine whether investment configurations were consistent with the client investment policy/
- October 1, 2013 to December 31, 2013: Inspected a selection of trades to determine whether trades executed on accounts in a manual trading status are reviewed by two members of PM and two members of the management group.
- Inspected a selection of customers set to auto trade status to determine whether the IP guidelines entered into the trading system were cross verified by the PM and PA.
Results of Testing: No exceptions noted.

2.3
SAM’s Description of Controls: The trading system automatically screens trades for compliance with account guidelines. Prior to rule activation, rule setup is tested and approved by an individual different than the individual who configured the rule to ensure setup is consistent with the description of the rule.
KPMG’s Tests of Operating Effectiveness:
- Inspected a selection of rules to determine whether rule coding was consistent with rule description, and whether the rule created the alerts as anticipated.
- Inspected a selection of rules created / modified during the period to determine whether the rule was appropriately reviewed by an individual different than the coder.
Results of Testing: Noted that for 3 out of 40 IP rules selected for testing from Bloomberg, appropriate approval documentation was not maintained for the changes.

Management Response:

Rule ID *$10M1-2: Change made on 4/25/14. This rule is unique to one account and was changed from final to effective maturity methodology to coincide with our interpretative definition document as the maturity and WAM rules for the account are based on effective maturity.

Rule ID *IS2%A1: Change made on 6/9/14. The rule’s custom logic expression was slightly modified to be more conservative and account for the very rare circumstance that a corporate security has a parent issuer of “United States.” The rule modification did not affect securities in the one account impacted by the update.

Rule ID *IS3%AA: Change made on 6/9/14. The rule’s custom logic expression was slightly modified to be more conservative and account for the very rare circumstance that a corporate security has a parent issuer of “United States.” The rule modification did not affect securities in the one account impacted by the update.

SAM is working with Bloomberg and our IT group to develop customized audit reports to track rule change configurations so that they can be reviewed and signed off by management. In the interim and to further tighten controls, we have implemented a process that requires all rule changes to be revalidated and retested by an SVB tester. The reason for the rule change must be documented as well. Additionally, all rule changes must result in an updated CMGR Rule Report to be signed-off by the PM and PA.

2.4
SAM’s Description of Controls: The Head of Portfolio Management & Investment Strategy (HoIS) or Designee reviews a listing of overrides to the trading system compliance checks. On a monthly basis, a cumulative report of compliance overrides is reviewed by the HoIS and the Sr. Manager of Operations or Designee to ensure that all overrides have been reviewed.
KPMG’s Tests of Operating Effectiveness:
- Inspected a selection of trade overrides to determine whether there was evidence of the HoIS and MDO’s review and any follow up was performed if necessary.
- Inspected a selection of monthly trade override reports to determine whether there was evidence of appropriate review.
Results of Testing: No exceptions noted.

2.5
SAM’s Description of Controls: The HoIS or Designee reviews the daily trade blotter and follows up with the authorized traders with compliance-related questions.
KPMG’s Tests of Operating Effectiveness:
- Inspected a selection of daily transaction reviews to determine whether there was evidence of review by the HoIS or MDO and whether follow up was performed if applicable.
- Re-performed a selection of daily transaction reviews to determine whether the trade brokers were on the listing of brokers approved by the investment committee.
- Re-performed a selection of daily transaction reviews to determine whether the traders were on the listing of traders approved by the head of portfolio management.
Results of Testing: Noted that for one of 15 daily transaction reviews selected for testing, the daily trade packet was not provided. Selected an additional 10 days and noted no exception.

Management Response: SAM believes this is an isolated documentation exception and has implemented a month-end check to ensure that all packets are accounted for, properly signed and digitally scanned each month.

2.6
SAM’s Description of Controls: The Portfolio Advisor (PA) reviews IP compliance report from Clearwater daily for any exceptions. Exceptions are researched and resolved by the PA.
KPMG’s Tests of Operating Effectiveness: Inspected documentation for a selection of daily compliance exception notifications from Clearwater to determine whether exceptions are reviewed and tracked to resolution by the PA.
Results of Testing: No exceptions noted.

2.7
SAM’s Description of Controls: Portfolio Managers and Portfolio Advisors conduct a quarterly review with clients to discuss current holdings and portfolio performance and to discuss investment strategy.
KPMG’s Tests of Operating Effectiveness: Inspected a selection of customers to determine whether a quarterly review was offered or performed.
Results of Testing: No exceptions noted.

2.8
SAM’s Description of Controls: On an annual basis, the Corporate Compliance Monitoring team conducts a review of SAM under Investment Advisers Act. As part of this review, they inspect a selection of customers and compare their portfolio balances to their investment policy.
KPMG’s Tests of Operating Effectiveness: Inspected a selection of reviews performed by the Corporate Compliance team to determine whether the review is performed.
Results of Testing: No exceptions noted.

Trade Order, Execution, Confirmation & Settlement

Control Objective # 3: Controls provide reasonable assurance that investment transactions are properly authorized, executed, and settled on a timely basis.

3.1
SAM’s Description of Controls: The master list of authorized brokers and dealers is approved by the Investment Committee. Traders and Portfolio Managers do not have the ability to set up brokers.
KPMG’s Tests of Operating Effectiveness: Inspected documented minutes of Investment Committee meetings in the audit period to determine whether the new brokers / dealers added during the testing period were approved by the Investment Committee. Inspected the listing of active brokers in the trading system to determine whether the brokers were on the listing approved by the Investment Committee. Inspected the listing of users with access to set up brokers to determine whether traders and portfolio managers are restricted from setting up brokers.
Results of Testing: No exceptions noted.

3.2
SAM’s Description of Controls: The PM or Trader verifies the net amount of the security trade from the trading system against the trade confirmations.
KPMG’s Tests of Operating Effectiveness: Inspected trade tickets from a selection of trading system reports / blotters to determine whether there was evidence of review and that the net amount of the security trade matched the trade confirmation.
Results of Testing: No exceptions noted.

3.3
SAM’s Description of Controls: On a quarterly basis, the Compliance Officer reviews a selection of trades to determine whether the trades agreed to the third party confirmations, and trades were executed at the best price available, based on broker offers for trades in competition.
KPMG’s Tests of Operating Effectiveness: Inspected documentation for a selection of quarterly reviews to determine whether the compliance officer reviews trades performed to determine whether they were executed at the best available price.
Results of Testing: No exceptions noted.

3.4
SAM’s Description of Controls: Notifications of failed trades from the custodian are researched and resolved in a timely manner.
KPMG’s Tests of Operating Effectiveness: Inspected documentation for a selection of the failed trades to determine whether there was evidence of timely research and resolution of the failure.
Results of Testing: No exceptions noted.

3.5
SAM’s Description of Controls: Trade errors are corrected and documented in the trade error file and are reviewed by the HoIS and HoIO.
KPMG’s Tests of Operating Effectiveness: Inspected trade file memorandum and supporting documentation for a selection of trade errors to determine whether there is evidence that the errors were corrected and reviewed by the HoIS and HoIO in a timely manner.
Results of Testing: No exceptions noted.

Record-keeping (Corporation Actions & Investment Income)

Control Objective # 4: Controls provide reasonable assurance that corporate actions and investment income are recorded completely, accurately, and in a timely manner and that securities are valued accurately using information obtained from the asset custodian or the asset reporting service provider.

4.1
SAM’s Description of Controls: The receipt of voluntary corporate actions and resolutions is documented and maintained on file.
KPMG’s Tests of Operating Effectiveness: Inspected documentation of the resolution of a selection of voluntary corporate actions to determine whether the receipt of voluntary corporate actions and resolutions were documented and maintained on file.
Results of Testing: No exceptions noted.

4.2
SAM’s Description of Controls: The Operations Analyst performs a daily reconciliation of customer positions, including a review of independent security prices from client custodians, wire activity, cash inflows and outflows and trade exceptions.
KPMG’s Tests of Operating Effectiveness: Inspected the daily reconciliation checklist and supporting documentation for cash, fixed income and pricing exception reviews for a selection of days to determine whether variances were identified and any action taken was noted by an operations specialist.
Results of Testing: No exceptions noted.

4.3
SAM’s Description of Controls: The Sr. Ops Mgr. or the HoIO performs a weekly check of the daily reconciliation review process.
KPMG’s Tests of Operating Effectiveness: Inspected the daily reconciliation packets for a selection of weeks to determine whether the Operations manager reviewed and signed off.
Results of Testing: Noted that for 2 out of 25 dates selected for testing, the weekly review of one full cash reconciliation packet was not completed timely by Operations Management.
Management Response: The process for the management review of reconciliation has been enhanced so that the reviews can be accomplished digitally, making it more efficient and easier to monitor. Additionally, Operations has implemented a month-end check to ensure that all packets are accounted for, properly signed and digitally scanned each month.

4.4
SAM’s Description of Controls: On a daily basis, Bloomberg AIM (trading system) delivers via secure FTP a prior day position file. In addition, the custody bank also delivers via secure FTP a prior day position file. Both files are received and uploaded into the Bloomberg reconciliation tool. Operations reviews data import error notifications on a daily basis to ensure that data is imported in a complete, accurate, and timely manner. Access to update account mappings for the error reporting is restricted to members of the Operations team, and the application support team.
KPMG’s Tests of Operating Effectiveness: Inspected the simulation of a system error that would result in the creation of an error on the interface posting error report and on the reconciliation report to determine whether the errors are accurately reflected on the report. Inspected the interface posting error report and reconciliation report for a selection of days to determine whether they are monitored by the Operations reconciliation team. Inspected a selection of users with access to update account mappings for error reporting, and noted that access is restricted to members of Operations and the Application support team.
Results of Testing: No exceptions noted.

4.5
SAM’s Description of Controls: On an annual basis, SAM conducts a review of the service auditor reports (SSAE16 reports) as they are received, from the asset custodian and the reporting service provider to assess the impact of any exceptions noted in the reports on SAM Operations.
KPMG’s Tests of Operating Effectiveness: Inspected the evidence of SAM review of the SSAE16 report for the asset custodian and the reporting service providers to determine whether the SAM Operations management conducted an impact assessment if any observations were noted in the respective reports.
Results of Testing: No exceptions noted.

4.6
SAM’s Description of Controls: The Operations Analyst performs a daily reconciliation of customer cash and positions between the asset custodian and the reporting service provider. On a weekly basis, the Senior Operations Manager or Designee reviews to ensure that reconciliations are being prepared.
KPMG’s Tests of Operating Effectiveness: Inspected the daily Clearwater to U.S. Bank reconciliation and supporting documentation for a selection of days to determine whether variances were identified and actions taken were noted by an operations specialist. For a selection of weeks, inspected evidence to demonstrate that the Senior Operations Manager is performing a review of the recon report in a timely manner.
Results of Testing: No exceptions noted.

Record-keeping (Contributions from and Distributions to)

Control Objective # 5: Controls provide reasonable assurance that cash and security contributions to and distributions from clients are recorded completely, accurately, and in a timely manner.

5.1
SAM’s Description of Controls: Wire and security withdrawals are verified by Operations before posting to client accounts on a daily basis.
KPMG’s Tests of Operating Effectiveness: Inspected wire disbursements for a selection of days to determine whether the terms of the disbursements were reviewed by Operations prior to posting.
Results of Testing: No exceptions noted.

5.2
SAM’s Description of Controls: A member of the Operations team reconciles the custodian’s detail of cash contributions and distributions to the accounting / trading system, and prepares a wire packet to ensure that wires have adequate support and approvals. Third Party wire packets are reviewed in detail daily, and one full daily cash recon packet is reviewed by the HoIO or a Designee each week.
KPMG’s Tests of Operating Effectiveness: Inspected the cash reconciliation packets for a selection of days to determine whether they were prepared by Operations, whether reconciling items were identified and resolved, and whether the packets were reviewed by the MD of Inv Ops or a Designee in a timely manner. Inspected the wire reconciliation packets for a selection of days to determine whether they were prepared by Operations, the packets included adequate support and approvals, and were reviewed by the MD of Inv Ops or a Designee in a timely manner.
Results of Testing: No exceptions noted.

5.3
SAM’s Description of Controls: SAM account closures require a letter of authorization from the account holder, which is approved by a SAM authorized signer.
KPMG’s Tests of Operating Effectiveness: Inspected documentation for a selection of SAM account closures to determine whether the letters of authorization were signed by the client and approved by an authorized signer.
Results of Testing: No exceptions noted.

5.4
SAM’s Description of Controls: Cash distributions to be transferred directly to a bank external to SVB and its affiliates require designated manager approval. On a quarterly basis, the Compliance Officer monitors third party wire activity to determine whether it was appropriately approved by a designated manager.
KPMG’s Tests of Operating Effectiveness: Inspected evidence to demonstrate that the compliance analyst monitors third party wire activity on a monthly basis. Inspected a selection of distributions to determine whether the terms of the disbursement were approved by a designated senior bank officer as delineated in the authorized signers list.
Results of Testing: No exceptions noted.

Record-keeping (Fee Calculation)

Control Objective # 6: Controls provide reasonable assurance that investment management fees are calculated and recorded completely, accurately, and in a timely manner.

6.1
SAM’s Description of Controls: Estimated fees receivable and actual fees are systemically calculated by RevPort based on the client’s fee structure.
KPMG’s Tests of Operating Effectiveness: Inspected the RevPort fee configuration settings for a selection of fee calculations to determine whether fees are accurately calculated based on the client’s fee structure.
Results of Testing: No exceptions noted.

6.2
SAM’s Description of Controls: The fee structure for a SAM client is agreed to in SAM’s signed Discretionary Account Agreement (DAA) by both parties prior to opening the account.
KPMG’s Tests of Operating Effectiveness: Inspected account files for a selection of new clients to determine whether there was evidence that the DAA outlines the fee policy and whether there was evidence that the DAAs are signed by the client and SAM.
Results of Testing: No exceptions noted.

6.3
SAM’s Description of Controls: The President of SVB Asset Management or Designee’s approval is required for amendments to the fee schedule.
KPMG’s Tests of Operating Effectiveness: Inspected documentation for a selection of fee schedule amendments to determine whether the changes were approved by the President of SVB Asset Management or their delegate.
Results of Testing: No exceptions noted.

6.4
SAM’s Description of Controls: Variations to the standard fee schedule are input into RevPort accurately and completely.
KPMG’s Tests of Operating Effectiveness: Inspected a selection of fee adjustments to determine whether the fee variations approved by the President of SVB Asset Management or their delegate were appropriately configured in RevPort.
Results of Testing: No exceptions noted.

6.5
SAM’s Description of Controls: Manual transmission of fee transaction data to the asset custodian is approved by HoIO or Designee.
KPMG’s Tests of Operating Effectiveness: Inspected fee transactions submitted to the asset custodian for a selection of months to determine whether it was appropriately approved by an authorized member of SAM.
Results of Testing: No exceptions noted.

GENERAL COMPUTER CONTROLS

Computer Operations

Control Objective # 7: Controls provide reasonable assurance that computer operations are monitored, and that operational problems or deviations are identified and resolved in a timely manner.

7.1
SAM’s Description of Controls: Issues are tracked through the helpdesk system where users prioritize issues into urgent, high, medium and low.
KPMG’s Tests of Operating Effectiveness: Inspected tickets for a selection of incidents from the incident log to determine whether they were tracked and prioritized.
Results of Testing: No exceptions noted.

7.2
SAM’s Description of Controls: The processing check off sheet serves as a task check off log to ensure completeness and continuity over operator shift changes.
KPMG’s Tests of Operating Effectiveness: Inspected daily shift operations turnover log for a selection of days to determine whether they were prepared in a timely manner.
Results of Testing: No exceptions noted.

SAM’s Description of Controls: The Operations specialist manually triggers a job to process the incoming files from Clearwater and the asset custodian.
KPMG’s Tests of Operating Effectiveness: Inspected the RevPort job monitoring history for a selection of months to determine whether data had been completely received from the custodian prior to the monthly assessment of management fees.

7.3
SAM’s Description of Controls: Alerts are sent to the appropriate support personnel in the event of an operating system issue or an application issue for research and resolution.
KPMG’s Tests of Operating Effectiveness: Observed the monitoring system configuration to determine whether it was configured to alert support personnel in the event of an operating systems or an application status. Inspected documentation for a selection of alerts to determine whether support personnel took corrective action to resolve the issues.
Results of Testing: No exceptions noted.

Data Backup and Recovery

Control Objective # 8: Controls provide reasonable assurance that systems and application data is backed up and archive data is available for restoration in the event of processing errors and/or unexpected interruptions.

8.1
SAM’s Description of Controls: Incremental backups of systems are performed daily. Full backups are performed weekly.
KPMG’s Tests of Operating Effectiveness: Inspected a selection of daily and weekly backup logs to determine whether backups were conducted according to the schedule.
Results of Testing: No exceptions noted.

8.2
SAM’s Description of Controls: Backup failures are logged and communicated to IT Management for re-run or are held until the next scheduled backup.
KPMG’s Tests of Operating Effectiveness: Inspected a selection of tickets generated for backup failures to determine whether the reason for the failure was identified and resolved.
Results of Testing: No exceptions noted.

8.3
SAM’s Description of Controls: Backup media is moved offsite for storage on a daily basis.
KPMG’s Tests of Operating Effectiveness: Inspected shipment receipts for a selection of days to determine whether tapes were sent off-site for storage.
Results of Testing: No exceptions noted.

8.4
SAM’s Description of Controls: SVB assesses the usability of backup tape as part of an annual recovery exercise. Included in the recovery exercise is an assessment of the usability of backup data.
KPMG’s Tests of Operating Effectiveness: Inspected evidence to demonstrate that the usability of backup data was assessed on an annual basis as part of business continuity exercises.
Results of Testing: No exceptions noted.

Program Development and Implementation

Control Objective # 9: Controls provide reasonable assurance that new system installations and application developments are prioritized, authorized, tested, properly implemented, and documented.

9.1
SAM’s Description of Controls: The IT Delivery group uses System Development Life Cycle (SDLC) methodology for project management process, including development, acquisitions, and maintenance of information systems.
KPMG’s Tests of Operating Effectiveness: Inspected project collateral for a selection of projects and Change Requests (CR) to determine whether Projects and CRs have appropriate materials based on project phase identified on the “Project, CR, and Release Master.”
Results of Testing: No exceptions noted.

9.2
SAM’s Description of Controls: The SVB Financial Group Steering Committee approves and prioritizes IT projects on an annual basis.
KPMG’s Tests of Operating Effectiveness: Inspected the project documentation for a selection of projects and change requests to determine whether they were prioritized and approved.
Results of Testing: No exceptions noted.

9.3
SAM’s Description of Controls: The IT Development Team and Business Owner reviews and validates the business and technical requirements prior to development to ensure that all business and IT Architecture requirements have been included and that changes to data structures are assessed for the impact of changes.
KPMG’s Tests of Operating Effectiveness: Inspected the business and technical requirements documentation for a selection of projects / CRs to determine whether the IT Development team and business owner reviewed and validated.
Results of Testing: No exceptions noted.

9.4
SAM’s Description of Controls: Testing results are documented and reviewed by the project team and/or the business as appropriate. The business provides a user acceptance sign-off when testing has been completed.
KPMG’s Tests of Operating Effectiveness: Inspected the test results for a selection of projects / CRs to determine whether they were reviewed by appropriate personnel. Inspected the user acceptance sign offs for a selection of projects / CRs to determine whether they were approved by the business representative.
Results of Testing: No exceptions noted.

9.5
SAM’s Description of Controls: Implementation readiness is assessed and approved by the business prior to the move to Production. The “Go/No Go” decision is approved by the business owner and IT Operations.
KPMG’s Tests of Operating Effectiveness: Inspected the readiness review documentation for a selection of projects / CRs to determine whether the business approved the “Go/No Go” decision. Inspected the readiness review documentation for a selection of projects / CRs to determine whether IT operations approved the “Go/No Go” decision.
Results of Testing: No exceptions noted.

9.6
SAM’s Description of Controls: An implementation strategy is documented for each project.
KPMG’s Tests of Operating Effectiveness: Inspected the implementation strategy for a selection of projects / CRs to determine whether the project team prepared the documents.
Results of Testing: No exceptions noted.

9.7
SAM’s Description of Controls: Developers are restricted from accessing the production environment.
KPMG’s Tests of Operating Effectiveness: Inspected privileged user access lists for in-scope applications, databases, and servers to determine whether privileged access is restricted to authorized individuals and granted to individuals requiring such access to support their assigned job function. Inspected a selection of in-scope server user access lists and the list of developers to determine whether developers are restricted from accessing the production environment.
Results of Testing: Noted that two developers were granted access to the administrative Active Directory group (thus granting them access to the production environment).
Management Response: The managers of the two developers verified that this user group membership was not approved for them. The developers’ user membership to the production servers has been removed. IT has further verified that these users did not exercise their access rights to access any of SAM servers between 10/20/2013-10/20/2014, which offers reasonable comfort as the two developers were hired in June 2014. IT also plans to correct the access grant process to avoid a recurrence of similar instances.

Program Change

Control Objective # 10: Controls provide reasonable assurance that changes to existing applications and system software are authorized, tested, properly implemented, and documented.

10.1
SAM’s Description of Controls: Changes are documented and approved by the project team and the business and tested if applicable. Minor changes that do not impact application functionality are tracked in the service ticketing system, tested where applicable, and documented.
KPMG’s Tests of Operating Effectiveness: Inspected the corresponding Program Change Control (PCC) forms and/or InfraDesk tickets for a selection of changes to determine whether changes were approved and testing conducted as applicable.
Results of Testing: No exceptions noted.

10.2
SAM’s Description of Controls: Emergency changes / fixes are approved and documented in the helpdesk and they are tested if applicable.
KPMG’s Tests of Operating Effectiveness: Inspected the corresponding Program Change Control (PCC) forms for a selection of tickets to determine whether emergency change approvals were documented on a timely basis and testing was conducted as applicable. Inspected the Production Change Control (PCC) log for the examination period to determine whether emergency changes were approved and testing conducted as applicable.
Results of Testing: No exceptions noted.

10.3
SAM’s Description of Controls: Developers are restricted from accessing the production environment.
KPMG’s Tests of Operating Effectiveness: Inspected privileged user access lists for in-scope applications, databases, and servers to determine whether privileged access is restricted to authorized individuals and granted to individuals requiring such access to support their assigned job function. Inspected a selection of in-scope server user access lists and the list of developers to determine whether developers are restricted from accessing the production environment.
Results of Testing: Refer to control 9.7 for testing results.

Logical Security

Control Objective # 11: Controls provide reasonable assurance that logical access to system resources (i.e., programs, data, operating system, and parameters) is restricted to properly authorized individuals.

11.1
SAM’s Description of Controls: New user account requests are approved by the requestor’s manager and the request is completed by the appropriate IT department.
KPMG’s Tests of Operating Effectiveness: Inspected the access request form for a selection of users to determine whether managers approved access granted.
Results of Testing: Noted that approval documentation was not provided for one user out of 8 selected for testing.
Management Response: IT acknowledges that access request form was not filled out. The access granted is an appropriate level of access for the user noted and is required to perform their duties. IT will continue following the existing process where access requests must be approved by the requestor’s manager.

11.2
SAM’s Description of Controls: Employee and Contractor network accounts are automatically terminated based on a daily interface from HR. Manually provisioned accounts are reviewed against the termination and transfer reports on a weekly basis to ensure other user access is revoked as applicable.
KPMG’s Tests of Operating Effectiveness: Inspected an employee terminated in the HR system to determine whether Active Directory was accurately updated to reflect the termination status. Inspected the active user account list to determine whether active accounts belong to terminated users for in-scope applications and infrastructure. Inspected terminations / transfer reports for a selection of weeks, to determine whether the business owners reviewed them against the applications’ user lists.
Results of Testing: No exceptions noted.

11.3
SAM’s Description of Controls: Monthly, the business owner reviews users’ access levels to determine whether administrator and user function are segregated.
KPMG’s Tests of Operating Effectiveness: Inspected the reviews of administrator functions of in-scope applications, for a selection of months, to determine whether the business owners reviewed users’ access levels for segregation of duties and resolved any access issues identified.
Results of Testing: No exceptions noted.

11.4
SAM’s Description of Controls: Privileged accounts are restricted to authorized individuals and granted to individuals requiring such access to support their assigned job function. Administrative access is reviewed on a monthly basis.
KPMG’s Tests of Operating Effectiveness: Inspected a selection of monthly reviews of administrative access to determine whether a process is in place to periodically review administrative user access. Inspected privileged user access lists for in-scope applications, databases, and servers to determine whether privileged access is restricted to authorized individuals and granted to individuals requiring such access to support their assigned job function.
Results of Testing: Noted that for one Active Directory group with administrative privileges on the SVB Asset Management servers, access certification reviews were not performed throughout the period. Also, refer to control 9.7 for testing results.
Management Response: Server Level Access (SLA) groups are not attested by design, as each attested group requires a manager that can adequately certify its membership. SLA groups are numerous and often have many members. IT falls back on attesting the membership of the support team groups that reside in SLA groups. IT researched the group membership and discovered the only member of the SLA_SAL-VS-BODI01 is a group named Group Dart Support. The sub-group Group Dart Support was not certified. IT acknowledges that access certification reviews of SAL-VS-BODI01’s sub-group: Group Dart Support was not performed. In order to mitigate the lack of certification risk in the future, SVB will add this group to our automated Quest attestation system. The system sends automated reminders to certifiers, tracks status and provides certification reporting.

11.5
SAM’s Description of Controls: Access to network resources is controlled by Active Directory which enforces the Company's password policy. Network passwords expire after a maximum number of days. A user ID is locked after a preset number of invalid logon attempts. A minimum password length is required. The password must include unique characteristics.
KPMG’s Tests of Operating Effectiveness: Inspected the Active Directory password configuration to determine whether it is configured to support SAM’s password policies.
Results of Testing: No exceptions noted.

Physical Security

Control Objective # 12: Controls provide reasonable assurance that physical access to computing equipment in the SVB Asset Management data center is restricted to properly authorized personnel.

12.1
SAM’s Description of Controls: Physical access to IT facilities is requested through the access card request form, which is approved by the Chief Information Officer, the Director of IT Operations, or the data center manager.
KPMG’s Tests of Operating Effectiveness: Inspected access control request forms for a selection of badges granted data center access, to determine whether physical access to IT facilities was approved by the Chief Information Officer, the Director of IT Operations, or the data center manager and granted to appropriate personnel.
Results of Testing: No exceptions noted.

12.2
SAM’s Description of Controls: Facilities Security receives copies of the termination and transfer list and removes physical access to the data center for the terminated employees.
KPMG’s Tests of Operating Effectiveness: Inspected the active data center badge list to determine whether active badges belong to terminated individuals. Inspected the on-line badge profiles (C*Cure System) for a selection of terminated employees to determine whether Facilities Security terminated the badges in a timely manner.
Results of Testing: No exceptions noted.

12.3
SAM’s Description of Controls: Production related systems are in an environmentally controlled data center. This facility contains environmental controls that include:
- Air conditioning
- Raised flooring
- Halon fire protection
- Smoke and water detectors
- UPS and generators
KPMG’s Tests of Operating Effectiveness: Inspected a list of production systems and their physical locations to determine whether they reside in the data center. Observed the data center to determine whether the facility contains environmental controls that include:
- Air conditioning
- Raised flooring
- Halon fire protection
- Smoke and water detectors
- UPS and generators
Results of Testing: No exceptions noted.

12.4
SAM’s Description of Controls: Santa Clara and Salt Lake City data centers have physical entry controls consisting of a card reader.
KPMG’s Tests of Operating Effectiveness: Observed the Santa Clara and Salt Lake City data center doors to determine whether electronic physical entry controls, including badge authentication are in place.
Results of Testing: No exceptions noted.