IT General Control
More organizations are outsourcing IT or other processes. This outsourcing brings efficiency but also risks. Is information security well managed? How is privacy handled? ISAE 3402 is the standard for reliable outsourcing and provides answers. It ensures that aspects such as risk management, information security, privacy, anti-fraud measures, and continuity are controlled. An ISAE 3402 | SOC 1 report describes how risks are managed. A service auditor then verifies whether this is indeed happening. What steps do you need to take to obtain such a report?
First, you need to describe the organization’s risk management and internal control measures in a report. These internal control measures are also called controls. The report is called a Service Organization Control (SOC) report, a term from the United States. If the SOC report concerns the outsourcing of (financial) processes, it is called an SOC 1 or ISAE 3402 report. If the report concerns processes that do not affect the financial statements (and is based on, for example, the Trust Service Principles), it is called an SOC 2 or ISAE 3000 report. This may seem complicated, but you could say that as soon as your organization provides services that ‘touch’ your customer’s financial statements, an SOC 1 applies, and if there are no implications for the financial statements, an SOC 2 applies.
IT general control
No financial information is processed by the service organization. However, if the network fails, this could affect the financial statements because the ERP system runs on the network. Therefore, IT General Controls (ITGCs) are important: they are the control measures that an organization has implemented to ensure that its IT systems are reliable and maintain their integrity. These IT General Controls are described in the SOC 1 (ISAE 3402) report of the managed server provider. In addition, a description of the organization and a description of risk management are included so that the customer can view these controls from the right perspective.