Skip to main content
Governance, risk and security advisory

Structured process

Organizations face ongoing challenges to comply with ever-mounting rules and regulations. Simultaneously organizations focus on new and persistent risks as a consequence of providing services from the cloud. IT failures can lead to customer loss, reputational damage and high-profile legal exposure. In the environment, risk management should be a strategic assets resulting in more confidence from customers and consequently more financial yields. Our approach supports this process. 





We have efficiently set up our audit process by using industry best practice methods.



Performing effective audits by always assigning the best audit team to the assignment.

Quality guaranteerd

choosing for risklane

The core attributes of our approach are efficiency and minimizing the disruption of operational processes during the implementation and audit. This requires effective planning and open communication with our customers during the planning phase, throughout the entire engagement and particularly during the reporting and audit phase. Our approach is focused on delivering quality throughout the entire process and is subject to the Risklane quality standards. The process of the implementation and audit of ISAE 3402 or ISAE 3000, consists out of five phases. These phases are outlined below: 


Project management

Overall support for the cimplementation procedures, including support on integrated project planning and total management of the engagement.


Readiness assessment

Performing a walkthrough (pre-audit) focused on identifying possible issues that may arise during the audit. This pre-audit will be part of the quality assessment of your organization.



Providing support in the documentation

of the identified controls and assist in

improving existing processes and

process descriptions within your

organization if necessary.

ISAE / SOC Implementation

Project approach

Phase 01.


In Phase 1, the impact (GAP analysis) of the implementation for your company is determined. Based on the impact and the defined scope of the implementation, a detailed plan is prepared in which the various milestones are identified and arrangements with management are made.

Phase 02.


In Phase 2, interviews are held with your employees to identify risks, determine the impact, the existing working method, and take note of the information present within your company. Afterwards, your company control measures are prepared according to the ISAE / SOC requirements, based on the information obtained from the interviews. These are recorded in a control matrix; a matrix containing the control objectives and control measures.

Phase 03.


In Phase 3, Risklane will describe the control framework based on the most recent COSO framework (COSO 2013) and will prepare the general part of the reporting. In the general part a description of the processes in scope, the organization, services, IT structure, and the General IT Controls is included. 

Phase 04.


In Phase 4, the ISAE / SOC report is further prepared based on the general discription, Control Matrix, management statement and confidentiality statement. During this phase, your company will implement any absent controls within the organization if necessary. The processing time of the first four phases will be between six to eight weeks, depending on the commitment and availabilitay of your employees The deployment of your employees is expected to be one day per week during that period. Risklane also provides the opportunity to process phase 1 to 4 using our cloud reporting tool: Controlreports. Phase 4 results in a draft of the ISAE / SOC report.

Phase 05.


After the description, Risklane consultants will perform a pre-audit or "readiness assessment" in Phase 5. The controls and the entire framework will be assessed and tested during the pre-audit, and potential problem areas will be identified prior to performing the audit procedures. During this phase your company will provide the documentation and evidence required for the pre-audit.

Phase 06.


During Phase 6, as a result of the pre-audit, improvements in control measures and the management system are implemented, and solutions are realized for the identified problem areas. We propose solutions to be implemented by your company within the organization and the report. Phase 6 will result in the final ISAE / SOC report.

Phase 07.


During Phase 7, our group organization Certicus will carry out the audit procedures. Certicus will structure and manage the process according to its proven approach in order to disrupt your business processes as little as possible. and to ensure that the procedures are performed as efficient as possible.