
ISAE 3000


Internal Control over Non-Financial Reporting

ISAE 3000

Processes or data are increasingly outsourced to service providers. When the outsourced processes are not related to financial processes, ISAE 3000 reporting is relevant. An ISAE 3000 report is an internal control report that focuses on controls at a service provider relevant to Security, Availability, Processing Integrity, and Privacy. An ISAE 3000 report ensures that a service organization keeps data private and secure while processing and that data is accessible at any time.



Key benefits for your organization

Why ISAE 3000?

A third-party assurance on security, availability, confidentiality, processing integrity and privacy of data is required when outsourcing the processing or hosting of data. ISAE 3000 audits are external confirmations that these criteria are met. 

Public companies in the US or financial institutions in Europe are required to outsource to providers with a valid ISAE 3000, ISAE 3402 or SOC 1 report in place, to provide investors assurance over the controls that are performed by the outsourcing provider.

Our approach for implementing procedures is based on industry best practices for security, risk management, and internal control. This, combined with our in-depth knowledge of different industries, helps improve your internal control and procedures to the best in your industry.

Audits performed by our group company Certicus will help you to continuously improve procedures and reduce the interruption of business operations by multiple user organization audits.


Cloud Services

Speed and cost control create an important competitive advantage. Cloud hosting providers offer services at a fraction of the cost of self-installation on local servers. Flexible payment plans avoid large investments and provide new opportunities for new and existing business lines. Flexibility and cost control also bring risks: are security, privacy and availability established as solidly as you would expect, or as your supervisors and customers require? An ISAE 3000 report provides the answers to these questions and risks.

Trust Services Criteria


ISAE 3000 reports are based on the Trust Services Criteria, in which principles and criteria specific to Security, Availability, Processing Integrity, and Privacy are defined. ISAE 3000 reports are modular, meaning that a report can cover one or more of the principles, depending on the needs and requirements of a service organization. The only mandatory criteria for ISAE 3000 are the Security criteria, which are also referred to as the Common Criteria (CC1 – CC9). In addition to security requirements, the Common Criteria also contain requirements for an internal control framework, including risk management (COSO).

The Trust Services Criteria explained

Common Criteria


ISAE 3000 focuses on a business’s non-financial reporting controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. These principles are outlined in the Trust Services Criteria (TSC). Each of the criteria has defined requirements (Points of Focus) that must be met and implemented within the organization to demonstrate adherence to the criteria.

The Security criteria are the only mandatory criteria for ISAE 3000 and are also referred to as the Common Criteria. In addition to security requirements (Logical and Physical Access Controls, System Operations, and Change Management), the Common Criteria also contain requirements for an internal control framework, including risk management (COSO). Control Environment, Communication and Information, Risk Assessment and Risk Mitigation, Monitoring Activities, and Control Activities are the key elements of the COSO framework.

The scope of an ISAE 3000 report can include additional criteria. More often, the applicability of the Availability, Confidentiality, Processing Integrity, and Privacy criteria is considered based on the services provided and in conjunction with key clients and ISAE 3000 experts. When an organization chooses to include criteria, all associated requirements and points of focus must be considered and implemented when applicable.


Reporting types explained

ISAE 3000 reports

Selecting a service provider that is properly certified is the key to successful outsourcing. An ISAE 3000 certification provides assurance on the Security, Availability, Processing Integrity, and Privacy of information. These elements are key success factors if you are dealing with sensitive customer data. The ISAE 3000 report contains a described risk control framework, including the related controls and the procedures for monitoring that framework. The report is prepared in accordance with the Trust Services Criteria, which provide a set of criteria for Security, Availability, Processing Integrity, and Privacy to keep pace with the rapid growth of cloud computing and the business outsourcing challenges posed by the global economy.


Type I report

An ISAE 3000 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.


Type II report

In an ISAE 3000 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls over a predefined period of at least six months. This means that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.

Start preparing yourself for the challenges your organization is facing.

Why wait with obtaining ISAE 3000 for your organization?

Meet some of our satisfied clients

Case Studies

Get to know our clients by reading our case studies. Together with our clients, we overcome challenges to achieve organizational goals by creating internal security and compliance frameworks.
