Risk and security advisory

The process

Organizations face ongoing challenges to comply with ever-mounting rules and regulations. At the same time, organizations must focus on new and persistent risks that arise from providing services from the cloud. IT failures can lead to customer loss, reputational damage and high-profile legal exposure. In this environment, risk management should be a strategic asset, resulting in more confidence from customers and consequently higher financial returns. Our approach supports this process.





We have set up our audit process efficiently by using industry best-practice methods.



We perform effective certification audits by always assigning the best audit team to the assignment.

Quality guaranteed

Choosing Risklane

The core attributes of our approach are efficiency and minimizing the disruption of operational processes during the implementation and audit. This requires effective planning and open communication with our customers during the planning phase, throughout the entire engagement and particularly during the reporting and audit phase. Our approach is focused on delivering quality throughout the entire process and is subject to the Risklane quality standards. The process of the implementation and audit of ISAE 3402 or ISAE 3000 consists of five phases. These phases are outlined below:


Project management

Overall support for the certification procedures of an ISO management system, including support on integrated project planning and total management of the engagement.


Readiness assessment

Performing a walkthrough (pre-audit) focused on identifying possible issues that may arise during the audit. This pre-audit forms part of the quality assessment of your organization.



Providing support in the documentation of the identified controls and assisting in improving existing processes and process descriptions within your organization where necessary.

Our work flow

Phase 01.

Scoping & pre-audit

In Phase 1, the scope of the control report (SOC1/SOC2) is determined by the management of the organization, reviewed, and adjusted if necessary. The scope of the ISAE 3402/SOC1 or ISAE 3000/SOC2 report will be either all financial controls (SOC1) or all General IT Controls (SOC2).

Phase 02.

Planning & preparation

Based on the quality of existing process descriptions and internal manuals, a detailed plan is prepared in Phase 2, in which the various milestones are identified and arrangements with management are made.

Phase 03.

Testing activities

In Phase 3, the descriptions of your organization's controls are analysed based on interviews with your staff. Furthermore, the control framework is reviewed and enhanced based on the COSO 2013/COSO 2017 (ERM) framework, and the ISAE 3000/ISAE 3402 report is drafted. The deliverable of this phase is an organization-specific ControlReport, consisting of control matrices in which the controls and their related control objectives are described.

Phase 04.


After the ISAE 3402 report has been drafted in Phase 3, a pre-audit or "walkthrough" is performed by Risklane in Phase 4. During the pre-audit, all controls are tested and problem areas are identified ahead of the final ISAE 3000 or ISAE 3402 audit. The pre-audit includes a walkthrough of operational procedures, scripting for application controls, monitoring and incident handling procedures, physical security measures and GITC procedures.

Phase 05.


During Phase 5, improvements in the organization are discussed and solutions for the identified problem areas are implemented in consultation with your employees.
