Organizations face ongoing challenges in complying with ever-mounting rules and regulations. At the same time, they must address new and persistent risks that arise from providing services from the cloud. IT failures can lead to customer loss, reputational damage and high-profile legal exposure. In this environment, risk management should be a strategic asset that results in more confidence from customers and, consequently, higher revenue. Our approach supports this process.
We have set up our audit process efficiently, using industry best-practice methods.
We perform effective certification audits by always assigning the best-suited audit team to each assignment.
Choosing Risklane
The core attributes of our approach are efficiency and minimal disruption of operational processes during the implementation and the audit. This requires effective planning and open communication with our customers during the planning phase, throughout the entire engagement and particularly during the reporting and audit phase. Our approach is focused on delivering quality throughout the entire process and is subject to the Risklane quality standards. The implementation and audit of ISAE 3402 or ISAE 3000 consists of seven phases, which are outlined below:
Overall support for the certification procedures of an ISO management system, including support with integrated project planning and overall management of the engagement.
Performing a walkthrough (pre-audit) focused on identifying issues that may arise during the audit. This pre-audit forms part of the quality assessment of your organization.
Providing support in documenting the identified controls and, where necessary, assisting in improving existing processes and process descriptions within your organization.
ISAE / SOC Implementation
Impact analysis & Planning
In Phase 1, the impact of the implementation on your company is determined by means of a gap analysis. Based on this impact and the defined scope of the implementation, a detailed plan is prepared in which the various milestones are identified and arrangements with management are made.
Processes & Controls
In Phase 2, interviews are held with your employees to identify risks, determine their impact, record the existing way of working, and take stock of the information already available within your company. Based on the information obtained from the interviews, your company's control measures are then drawn up according to the ISAE / SOC requirements and recorded in a control matrix: a matrix containing the control objectives and the corresponding control measures.
In Phase 3, Risklane describes the control framework based on the most recent COSO framework (COSO 2013) and prepares the general section of the report. The general section contains a description of the processes, the organization, and the General IT Controls.
In Phase 4, the ISAE / SOC report is further prepared on the basis of the general description, the control matrix, the management statement and the confidentiality statement. During this phase, your company implements any controls that are still absent within the organization. The processing time of the first four phases is between six and eight weeks, depending on the commitment and availability of your employees; their deployment is expected to be one day per week during that period. Risklane also offers the option of completing Phases 1 to 4 in our cloud reporting tool, Controlreports. Risklane employees then perform a gap analysis based on the prepared report to verify which of the Security and Availability Trust Services Criteria must be included in the current report. Based on this gap analysis, interviews are held with your employees to discuss the existing way of working. Phase 4 results in a draft of the ISAE / SOC report.
Once the description is complete, Risklane consultants perform a pre-audit, or "readiness assessment", in Phase 5. The controls and the entire framework are assessed and tested during the pre-audit, and potential problem areas are identified before the audit procedures are performed. During this phase, your company provides the documentation and evidence required for the pre-audit.
In Phase 6, following the pre-audit, improvements to the control measures and the management system are implemented and solutions are realized for the identified problem areas. We propose the solutions; your company implements them within the organization and reflects them in the report. Phase 6 results in the final ISAE / SOC report.
In Phase 7, our group company Certicus carries out the audit procedures. Certicus structures and manages the process according to its proven approach, in order to disrupt your business processes as little as possible and to ensure that the procedures are performed as efficiently as possible.