Organizations face ongoing challenges to comply with ever-mounting rules and regulations. At the same time, organizations focus on new and persistent risks that come with providing services from the cloud. IT failures can lead to customer loss, reputational damage and high-profile legal exposure. In this environment, risk management should be a strategic asset, resulting in more confidence from customers and consequently higher financial yields. Our approach supports this process.
We have set up our audit process efficiently by using industry best-practice methods.
We perform effective certification audits by always assigning the best audit team to the assignment.
Choosing Risklane
The core attributes of our approach are efficiency and minimizing the disruption of operational processes during the implementation and audit. This requires effective planning and open communication with our customers during the planning phase, throughout the entire engagement and particularly during the reporting and audit phase. Our approach is focused on delivering quality throughout the entire process and is subject to the Risklane quality standards. The implementation and audit of ISAE 3402 or ISAE 3000 consists of five phases. These phases are outlined below:
In Phase 1, the scope of the control report (SOC 1/SOC 2) is determined by the management of the organization, reviewed, and adjusted if necessary. The scope of the ISAE 3402/SOC 1 or ISAE 3000/SOC 2 report will be either all financial controls (SOC 1) or all General IT Controls (SOC 2).
Planning & preparation
Based on the quality of existing process descriptions and internal manuals, a detailed plan is prepared in Phase 2, in which the various milestones are identified and arrangements with management are made.
In Phase 3, the descriptions of your organization's controls are analysed based on interviews with your staff. Furthermore, the control framework is reviewed and enhanced based on the COSO 2013/COSO 2017 (ERM) framework, and the ISAE 3000/ISAE 3402 report is drafted. The deliverable of this phase is an organization-specific ControlReport, consisting of control matrices in which the controls and their related control objectives are described.
After drafting the ISAE 3402 report in Phase 3, a pre-audit or "walkthrough" is performed by Risklane in Phase 4. During the pre-audit, all controls are tested and problem areas are identified ahead of the final ISAE 3000 or ISAE 3402 audit. The pre-audit includes a walkthrough of operational procedures, scripting for application controls, monitoring and incident-handling procedures, physical security measures and GITC procedures.
During Phase 5, improvements in the organization are discussed and solutions for the identified problem areas are implemented in consultation with your employees.