Skip to main content
Image coming soon

The Index and ESG Provider Internal Audit Workpaper

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Index and ESG Provider Internal Audit Workpaper

How to scope, sample, and conclude on index calculation, ESG rating, and client SOC report controls when the auditee is a regulated data and analytics provider.

Your auditee is not a bank, not a typical SaaS, and not what the Big4 manual covers. It calculates indices that move asset allocations, publishes ESG ratings that change capital flows, and signs SOC 1 carve-outs that asset managers rely on for their own SOX evidence. The workpaper templates that worked in external assurance do not map cleanly to that auditee.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

An internal audit senior who moved from a mid-tier UK external audit firm to an index, ESG ratings, and analytics provider walks into a control environment that has no off-the-shelf workpaper set. The flagship equity index has a methodology committee whose minutes are themselves a control artefact. The ESG ratings function has an override log where an analyst can deviate from the algorithmic score with documented rationale, and that log is what an asset manager auditor will ask to see. The climate risk analytics product ingests third-party emissions data, and the provenance chain is the control. Client asset managers cite SOC 1 Type 2 carve-outs in their service agreements and expect the report by a fixed window after period close. Sales escalates client questions to internal audit when contractual clauses are invoked. The role demands a workpaper set that fits these specific auditees, sampling logic that holds up to AICPA SOC 1 SSAE 18 standards, and a CSA grid that lets the external auditor walkthrough run on schedule rather than as a fire drill.

What you walk away with

  • Walk into a methodology committee meeting able to extract the three control points an external SOC 1 auditor will sample against.
  • Write a sampling rationale memo for ESG rating overrides that holds up to AICPA SSAE 18 scrutiny and survives client asset manager review.
  • Map the provenance chain for a third-party climate data feed end to end, and document the user entity control assumptions that have to be disclosed in the SOC 1 report.
  • Respond to a sales-escalated client question about the SOC 1 carve-out clause with a written reply that reduces the friction on renewal.
  • Hand the external auditor a CSA grid against the AICPA SOC 1 trust services criteria that lets the walkthrough run on schedule.
  • Stand up an annual IA testing plan that covers index calculation, ESG ratings, and analytics ingestion without depending on the external firm to define scope.

The 12 modules

Module 1. The auditee is an index and analytics provider, not a bank or SaaS
Why the standard external audit workpaper set does not transfer cleanly when the auditee calculates indices, publishes ratings, and licenses analytics. Maps the actual revenue model (licensing, subscription, contractual SLAs to asset managers) to the control environment the IA function has to assure. Names the four entity-level controls that anchor everything else and the artefacts that already exist inside methodology committees and ratings governance that you can repurpose as workpapers.
Module 2. Reading the AICPA SOC 1 SSAE 18 standard as the auditee, not the auditor
The SSAE 18 standard reads differently when the report is about your own organisation. Walks through the control objectives and the carve-out versus inclusive method, then shows which sections an internal audit senior owns versus which sit with the SOC report coordinator. Includes the exact paragraph references that asset manager clients quote back at you when they invoke their service agreement clauses, and how to translate that into IA scope.
Module 3. Walkthrough templates for index methodology governance
A methodology committee approving a constituent change to a flagship equity index is not the same shape as an ITGC change advisory board. Provides the walkthrough template that captures committee composition, quorum, voting rationale, dissent recording, and announcement timing. Shows the three control points an external SOC 1 auditor will sample and how to evidence them from minutes, mailing lists, and the announcement system without ten meetings of follow-up.
Module 4. The ESG ratings override log as a control artefact
Analyst overrides on an ESG rating are the single most scrutinised control in the entire ratings function. Provides the testing program: population definition, sampling strata by rating magnitude and sector sensitivity, sampling rationale that survives SSAE 18 review, and the workpaper structure for documenting override justification. Includes the question template you walk the ratings governance lead through, plus the exception treatment when the override rationale is thin.
Module 5. Third-party data provenance for climate risk analytics
Climate risk analytics ingests emissions data from multiple third-party sources, sometimes through licensed feeds, sometimes through scraping, sometimes through partner contracts. Provides the provenance chain mapping template and the user entity control language that has to appear in the SOC 1 report description so that the asset manager auditor cannot push assurance gaps back into your scope. Names the contractual right-to-audit clauses the IA function should be reading in the third-party agreements.
Module 6. Sampling rationale memos that hold up under SSAE 18
External auditors push back hardest on the sampling rationale, not the sample size. Provides three reusable memos: one for population-defined sampling (rating actions in a period), one for risk-stratified sampling (index reconstitution events), and one for judgmental sampling (carve-out user entity controls). Each memo shows the standard reference, the population definition, the strata logic, the sample selection method, and the conclusion language that an external auditor reads as defensible without further conversation.
Module 7. The CSA grid against AICPA SOC 1 trust services criteria
A pre-mapped Control Self Assessment grid that runs against the AICPA SOC 1 trust services criteria, organised by control objective, with the index, ratings, and analytics product lines as rows. Lets you walk the external auditor through coverage in one meeting rather than three. Includes the colour-coded coverage map showing which objectives are fully covered by existing controls, which need supplementary testing, and which need a carve-out disclosure.
Module 8. Responding to client asset manager SOC questions sales escalates to you
When sales escalates a contractual SOC clause invocation, the reply that goes out shapes the client renewal. Provides the response template for the three most common asks: requesting the SOC 1 Type 2 report before the deadline, requesting clarification on a carve-out, requesting a bridge letter for a period the SOC report did not cover. Names the language that protects the IA function from being treated as a client-facing assurance team while keeping sales credible with the client.
Module 9. Coordinating with the SOC report coordinator and the methodology committee secretariat
The IA senior who works alone produces workpapers that the SOC coordinator rejects on intake. Maps the joint calendar that has to run between IA testing, SOC report drafting, methodology committee meetings, and ratings governance reviews. Shows which evidence packets feed which downstream artefact, and the handoff template that prevents the same data being recollected three times.
Module 10. The annual IA testing plan for the data and analytics provider
Most IA functions inherit a testing plan that was written for a different auditee. Provides the annual plan structure that covers methodology committee governance, ratings override testing, third-party data provenance, calculation engine controls, analytics product release governance, and client SLA monitoring. Includes the risk assessment matrix that justifies the depth allocated to each area to the Audit Committee.
Module 11. Audit Committee reporting that names what the asset manager clients see
Audit Committee papers that read as generic SOX reporting do not land when the business is an index and ratings provider. Provides the reporting template that names the client-facing assurance artefacts (the SOC 1 report, the methodology fact sheet, the ratings transparency document), the IA conclusion on each, and the open items the Committee has to take a view on. Includes the executive summary structure that the CAE can use unchanged.
Module 12. Building the workpaper library that survives staff turnover
The IA senior who builds workpapers that only they can read leaves a function that has to rebuild from scratch every two years. Provides the workpaper library structure: file naming, evidence indexing, conclusion templates, cross-references between testing of related controls, and the review notes structure that lets a successor pick up testing without recollecting context. Includes the quarterly self-review checklist that catches drift before the external auditor finds it.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

A client asset manager invokes the SOC 1 clause in the service agreement and sales escalates the request to you (modules 2, 8).
The methodology committee approves a constituent change to a flagship equity index and you need to evidence the control points (modules 3, 7).
The ratings governance lead presents the override log at the quarterly review and you need to test a defensible sample (modules 4, 6).
The external SOC 1 auditor schedules the walkthrough and you have one meeting to demonstrate coverage (modules 7, 9, 10).

What you get with this course

  • Twelve text-based modules in the Art of Service learning environment, sized for two to three hours of work each.
  • Downloadable walkthrough templates, sampling rationale memos, and CSA grid mapped to AICPA SOC 1 SSAE 18 trust services criteria.
  • Hand-built implementation playbook for an internal audit function inside an index, ESG ratings, and analytics provider, written for your specific scope after purchase.
  • Response templates for client-escalated SOC questions and Audit Committee reporting templates.
  • 30-day money-back commitment.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Workpapers carried over from external audit experience that do not map to an index and ratings auditee. Sampling rationales that the external SOC 1 auditor pushes back on. Client SOC questions that arrive through sales and consume two days each. Methodology committee minutes that have to be re-extracted as control evidence after the fact.

After

A workpaper library purpose-built for an index, ESG ratings, and analytics auditee. Sampling rationales that survive AICPA SSAE 18 scrutiny without rework. A CSA grid the external auditor walks through in one meeting. Sales-escalated client SOC questions answered with a templated reply in under an hour. Methodology committee artefacts harvested as control evidence in real time.

What happens if you do not address this

The next external SOC 1 walkthrough runs over schedule because the sampling rationale needs rework. The next client carve-out clause invocation lands on sales without a templated reply and the renewal conversation gets harder. The next methodology committee change has to be re-evidenced after the fact because the walkthrough template was not in place. Each of these is recoverable individually. Together they erode the credibility of the IA function with both the external auditor and the client-facing teams.

Who it is for

An internal audit senior (or senior associate moving toward manager) inside an index, ESG ratings, or financial analytics provider. Background is typically two to five years of external audit at a mid-tier or Big4 firm, recently in-house. Reports into a Head of Internal Audit or a Chief Audit Executive. Sits adjacent to the SOC report coordinator, the methodology committee secretariat, and the ESG ratings governance lead. Accountable for the IA workpapers that feed the annual SOC 1 Type 2 external audit and for responding to client asset manager questions when contractual SOC clauses are invoked.

Who this is NOT for. Not for external auditors at firms still serving asset manager clients (the perspective is the auditee's). Not for fund accountants, portfolio analysts, or middle office staff (this is a controls and assurance role). Not for IA functions inside pure SaaS or banks where the AICPA SOC 1 trust services criteria already map cleanly to the existing workpaper set.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Twelve modules at two to three hours each. Most internal audit seniors complete the course over four to six weeks of evening and weekend work alongside their day job, applying templates to live audits as they go.

Why $199 is the right number

The AICPA SSAE 18 standard reads as written for external auditors, not for the auditee internal audit function. Free vendor whitepapers on SOC 1 readiness assume a SaaS or banking auditee. Big4 training catalogues cover external audit method, not in-house IA for an index and ratings provider. This course covers the specific gap between external assurance technique and the controls actually present inside an index, ESG ratings, and analytics provider.

FAQ

Will this transfer if I move from an index provider to a credit ratings agency or a benchmark administrator?
Yes. The workpaper structure, sampling rationale memos, and CSA grid all apply to any organisation that publishes regulated reference data or ratings under an SSAE 18 SOC report. The implementation playbook delivered with your course is built for your current employer's product mix.
Does the course cover SOC 2 as well as SOC 1?
The course focuses on SOC 1 because the asset manager client contracts cite SOC 1 for financial reporting reliance. SOC 2 trust services criteria are mentioned where they overlap, particularly for the analytics product line. A separate course on SOC 2 for data providers is on the roadmap.
I am still in the Menzies workflow mentally. Is this too senior?
No. The course assumes recent external audit experience and translates the workpaper instincts you already have into the specific shape an index, ESG ratings, and analytics auditee needs. The implementation playbook is hand-built to where you actually are, not where you were.
How is the implementation playbook tailored?
After purchase, the implementation playbook is written for the actual product lines, methodology committees, and client contract structure of your employer. Scope is confirmed with you before delivery so the playbook lands on a real audit plan, not a template.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!