The Brokerage IT Auditor's SOX, Reg SCI and SEC 17a-4 Workpaper Playbook

$199.00

A focused course, tailored for you

Workpapers, evidence templates and walkthrough scripts a brokerage IT auditor can put in front of the external auditor next week without rework.

The external auditor sent back the first walkthrough draft asking for clearer privileged-access evidence and a tighter link between the Reg SCI critical-system inventory and the SOX ITGC scope. You own the rewrite. The course gives you the workpaper templates, the evidence lists, and the cross-reference matrix that turn the rewrite into a one-pass job.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Senior IT auditors at US broker-dealers sit at the junction of three regulators with different vocabularies. SOX cares about ICFR and the ITGC layer underneath. Reg SCI cares about resilience, capacity, security, and BCP testing for SCI systems and SCI security systems. SEC 17a-4 cares about WORM retention of order, trade, and customer records. FINRA 4370 cares about BCP. The externals want a workpaper set that speaks all four. The internal audit standard templates, written for a generic ICFR audit, do not. Each cycle the senior rewrites the IT walkthroughs to add the regulatory citation, the IPE provenance, the privileged-access review evidence, the change-management ticket linkage, and the disaster-recovery test trace, then defends that rewrite to the externals while also feeding the same evidence into the RCSA and the SOC 1 / SOC 2 service-provider review. The work is not hard. The translation is. This course gives the senior the prebuilt workpaper set so the translation happens once.

What you walk away with

  • Walkthrough scripts and workpaper templates that satisfy SOX, Reg SCI, and SEC 17a-4 in one pass.
  • An IPE evidence checklist that survives the external auditor's first-pass review.
  • A cross-reference matrix linking each ITGC to the SOX assertion, the Reg SCI system class, and the 17a-4 record class.
  • Privileged-access review evidence templates that close the recurring finding category.
  • A BCP-DR test review workpaper that ties FINRA 4370, Reg SCI BCP, and the firm's RCSA together.
  • A service-provider review file (SOC 1 / SOC 2 plus complementary user entity controls) ready for the externals.

The 12 modules

Module 1. The brokerage IT audit universe and the SCI / SOX cross-reference
Build the master scoping sheet that lists every application, infrastructure component, and service provider, then tags each row with SOX in-scope status, Reg SCI critical-system status, SEC 17a-4 record class, and FINRA 4370 BCP relevance. The sheet is the spine the rest of the workpapers hang off and the document the external auditor asks for first. Includes the templates, the scoping memo, and the inheritance logic for cloud control-plane components.
Module 2. Walkthrough scripts for the trading and order-management platforms
Scripted walkthroughs for the order-management, smart-order-router, and execution venue connectivity layers. Each script names the control owner, the interview prompts, the screen captures the senior should request, the IPE the auditor needs alongside, and the SOX assertion plus Reg SCI control objective the walkthrough addresses. Includes a handoff template for the manager review and the external-auditor walkthrough deck.
Module 3. Logical access reviews under SOX and Reg SCI
The privileged-access review workpaper set. Joiner-mover-leaver evidence, segregation-of-duties matrices for trade authorisation and customer-account maintenance, privileged-account inventory, periodic recertification evidence, and the linkage from each user-access exception back to the SOX deficiency-evaluation worksheet and the Reg SCI access-control objective. Includes the SQL the senior runs against the IAM data lake to extract the population and the sampling memo template.
Module 4. Change management for trading-system code and configuration
The change-management workpaper for code releases, schema changes, parameter updates, and emergency changes on the trading path. Includes the population query, the sampling memo, the evidence checklist (ticket, approvals, test results, deployment record, rollback plan), the SOX-deficiency mapping, the Reg SCI capacity-and-resilience linkage when the change affects an SCI system, and the change-advisory-board minutes evidence template.
Module 5. Operations, batch, and incident management for clearance and settlement
Batch monitoring evidence, incident-management workpapers for trading-day disruptions, and the linkage to Reg SCI's SCI event notification regime. Includes the evidence templates for each of the SCI event categories, the timing-of-notification matrix, the post-mortem workpaper format the externals will accept, and the cross-reference to the firm's customer-disclosure obligations under SEC and FINRA rules.
Module 6. SEC 17a-4 WORM retention and the order audit trail
The 17a-4 evidence set: designated third-party access letter, audit-system trail of the WORM storage, retention-period evidence for each record class (order, trade, customer onboarding, electronic communications), the new electronic recordkeeping rule's audit trail option, and the workpaper that ties the retention configuration of the underlying storage layer back to the regulatory requirement. Includes the senior's interview script with the records officer and the IT storage owner.
Module 7. BCP, DR, and Reg SCI BCP testing review
The BCP and DR workpaper set. Reg SCI BCP testing evidence (annual industry test plus the firm's own test plan), FINRA 4370 written BCP review, recovery-time-objective and recovery-point-objective evidence per critical system, third-party BCP review for the major service providers, and the linkage to the firm's RCSA risk ratings. Includes the after-action workpaper template and the residual-risk memo format the audit committee expects.
Module 8. Cloud-control-plane audit for the brokerage workload
Audit of the cloud control plane that hosts trading-adjacent workloads. IAM in the cloud console, network segmentation around the order-routing VPC, key-management for the customer-data stores, logging and monitoring evidence, and the linkage from each cloud control to the SOX ITGC layer and to the Reg SCI security objective. Includes the workpaper for shared-responsibility-model evidence and the cloud-provider SOC 2 review checklist.
Module 9. Service-provider review and complementary user-entity controls
The third-party review file. SOC 1 and SOC 2 reports for the major brokerage service providers (clearing, market data, customer record-keeping platforms, identity, cloud), the complementary user-entity control (CUEC) tracker that ties each provider's CUEC back to an internal control the firm operates, the bridge-letter evidence, and the workpaper format the externals expect for service-provider IT controls.
Module 10. Market-data, surveillance, and the audit of supervisory technology
Audit workpapers for the market-data feeds, the trade-surveillance application, and the supervisory-technology stack. Covers the data-integrity controls on the feed handlers, the surveillance-alert tuning and disposition evidence, the supervisory-record retention under SEC and FINRA rules, and the linkage to the firm's broader market-conduct risk assessment. Includes interview scripts with the surveillance owner and the data-feed engineering lead.
Module 11. IPE, sampling, and the deficiency evaluation worksheet
The mechanics most IT auditors lose time on. How to evidence the completeness and accuracy of every system-generated report used as audit evidence, the sampling memo that the externals will accept, the deficiency-evaluation worksheet that turns a control failure into a SOX-significance call, and the management-letter-comment template. Includes the formulas the senior uses to size samples and the IPE evidence checklist that closes the recurring finding category.
Module 12. Reporting, audit-committee deck, and continuous-monitoring handoff
The end-of-cycle workpapers. The audit-committee deck for the IT audit results, the residual-risk heatmap, the management-action-plan tracker, and the handoff to the continuous-monitoring function so the next cycle starts ahead. Includes the briefing memo the senior writes for the CAE and the cross-reference to the next cycle's risk assessment that keeps the IT audit universe living rather than refreshed once a year.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1 to 3 close the scoping-and-access finding category that consumes most of the rewrite cycle.
Modules 4 to 6 build the change, operations, and records workpapers the externals ask for first.
Modules 7 to 8 close the BCP, DR, and cloud-control-plane gaps that the Reg SCI program office tracks.
Modules 9 to 12 cover service providers, surveillance technology, IPE, and the audit-committee reporting that closes the cycle.

What you get with this course

  • All twelve modules in the Art of Service learning environment.
  • Downloadable workpaper templates and walkthrough scripts for every module.
  • The IT-audit universe scoping sheet with SOX, Reg SCI, 17a-4, and FINRA 4370 columns pre-populated.
  • The CUEC tracker template for brokerage service providers.
  • The deficiency-evaluation worksheet and the IPE evidence checklist.
  • The hand-built implementation playbook tailored to the buyer's audit universe and reporting cadence.
  • 30-day no-questions refund.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Week 1: scoping sheet and walkthrough scripts adapted to the buyer's IT audit universe.

Week 2 to 4: workpaper templates worked into the current SOX / Reg SCI cycle.

End of cycle: audit-committee deck and continuous-monitoring handoff.

Before and after

Before

Each cycle the senior rewrites the IT walkthroughs from the generic IIA template, adds the regulatory citations by hand, defends the IPE choices to the external auditor, and explains why a privileged-access exception is or is not a SOX deficiency. The translation work eats two of every four review weeks.

After

Walkthroughs are written once against the SOX / Reg SCI / 17a-4 cross-reference, IPE is evidenced with the prebuilt checklist, privileged-access reviews land with the recertification workpaper attached, and the external auditor's first-pass review comes back with clarification questions rather than rewrite requests.

What happens if you do not address this

If the rewrite cycle stays manual, the same finding categories repeat (IPE provenance, privileged-access evidence, SCI / SOX scope linkage), the externals keep asking for rework, and the audit-committee deck reads as a list of repeat findings rather than a closed cycle. The senior's reputation inside the IT audit function tracks how clean the externals' first-pass review comes back. The course is what makes that first-pass review come back clean.

Who it is for

A senior IT auditor inside a US broker-dealer or wealth-management firm. Sits in the internal audit function but spends most of the cycle interfacing with the external auditor, the SOX PMO, the Reg SCI program office, and the technology owners of the trading and clearance platforms. Owns or co-owns IT walkthroughs, ITGC testing, privileged-access reviews, change-management sampling, BCP-DR test review, and the SCI / SOX cross-reference. Has a CISA or is working toward one. Reports to a director of IT audit who reports to the CAE.

Who this is NOT for. Not for first-line technology operators, not for compliance officers in the broker-dealer compliance function, not for external auditors. Not for IT auditors at firms outside the US broker-dealer, wealth, or asset-management space — the regulatory crosswalk is specific to SOX, Reg SCI, SEC 17a-4, FINRA 4370, and SOC 1 / SOC 2.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Forty to fifty hours across a normal SOX cycle. Modules are sized so a senior can work one module against one walkthrough in a single review week.

Why $199 is the right number

ISACA and IIA reference material is excellent on principles but does not produce a ready-to-file workpaper. Big Four advisory engagements price the same outcome at six figures, and a quarter of the work product is recycled. This course is one senior IT auditor's prebuilt workpaper set for the exact regulatory stack a US broker-dealer audits against, at 199 USD.

FAQ

Is this aligned to the new SEC electronic recordkeeping rule, not just classic 17a-4?
Yes. Module 6 covers both the classic WORM regime and the audit-trail alternative under the amended rule, with the evidence templates for each.
Do the workpapers map to the IIA standards as well as the regulatory citations?
Each workpaper carries the IIA standard reference in the header so the QAR review and the regulatory review both land cleanly.
How tailored is the implementation playbook?
It is hand-built against the buyer's audit universe, regulatory exam history, external auditor, and reporting cadence. The questionnaire arrives with the course access email.
Can the templates be used inside a firm's existing GRC platform?
Yes. Templates are delivered in editable formats that import into the major IT-audit and GRC tools used in brokerage internal audit functions.
What if the firm is dual-registered as a broker-dealer and an investment adviser?
The cross-reference sheet has an investment-adviser column that adds the SEC Marketing Rule and books-and-records overlay so the same workpaper set serves both registrations.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.