Category: Assurance

Expansion obtains ISAE 3402 Type II statement


Utrecht, April 25, 2019 – DMS provider Expansion obtained the ISAE 3402 Type II statement in January 2019. With Securance’s assistance, Expansion can now give its clients objective confirmation of the reliability of its service processes. Conclude Accountants conducted the audit.

Digital archiving and document management

Expansion is a leading provider of digital archiving and document management solutions. It increasingly offers its solutions from the Cloud. Expansion enables organizations to fully outsource the management of their critical business information. To assure clients and their accountants of meeting the highest standards of information security, Expansion decided to obtain an ISAE 3402 Type II statement.

Implementation & audit

Securance and Conclude Accountants supported Expansion in the second half of 2018 with the implementation of the ISAE 3402 report, and the audit examined several aspects: Is the service organization’s description accurate? Are the defined control measures adequately designed? Do the control measures effectively achieve Expansion’s goals? Conclude Accountants obtained confirmation on each of these aspects during the audit, enabling the issuance of the ISAE 3402 Type II statement.

Comprehensive selection

Expansion chose Securance and Conclude Accountants to guide the process, primarily for their extensive experience in this field.

Continuous process

Expansion found the collaboration highly constructive, contributing to elevating its services to even higher and more consistent levels. Obtaining the ISAE 3402 Type II statement isn’t the end for Expansion but a part of an ongoing improvement process, where Securance will continue to contribute. Initial arrangements for the upcoming audit have already been made.

About Expansion

With the standard DMS Xtendis, Expansion is one of the market leaders in the Netherlands in digital archiving and document management. Xtendis is increasingly taken as a Cloud service. Xtendis is used in the Netherlands by more than 650 organizations for various applications, including digital personnel files, order files, invoice processing, customer files, and mail processing. Xtendis unlocks a total of over 2.6 billion documents for more than 4 million users.

ISAE 3402 | SOC 1 Type I vs. Type II

Type I versus Type II


To clarify which SOC Types your organization needs, here’s the essential information.

There are two types of ISAE 3402 reports: a Type I report and a Type II report. Both reports are the same in content. The difference lies in the audit performed. In a Type I audit, the accountant determines whether the risk management framework and control measures are suitably designed (design) and exist at a specific moment. To determine this, the accountant “walks through” the processes; these tests are called walkthroughs. In a Type II audit, the accountant determines over a period of at least six months whether the control measures have actually operated effectively. A Type I report therefore relates to a single measurement point, and a Type II report to a period of at least six months.

With a Type II report, a user organization has more certainty that the service is controlled as agreed. The period in which the ISAE Type II audit takes place is a minimum of six months unless there is a special situation, such as the purchase of a new organizational unit or the introduction of a new IT system.

The first audit always requires some extra work from the organization and the auditor to build mutual understanding. Moving from a Type I to a Type II spreads that business impact, because a Type I requires fewer audit tests: for a Type I, auditors test a sample of each control to confirm its design, whereas for a Type II they select and test multiple samples from each control’s population. A Type I report thus paves the way for a Type II without having to address everything at once.

One advantage of Type I reports is the flexibility during the audit: “issues” can be identified and resolved before the report is released. Because the report is a snapshot at the time of recording, such issues are not included in it as findings.

ISAE 3402 advice?

ISAE 3402 reports are read not only by your customers but also by their accountants. A report that does not meet best practice or one that is less professionally described is likely to be recognized by your customer or your customer’s accountant as less professional. With Securance’s experience with ISAE 3402 since 2004, we are well-positioned to prepare a professional report. We can also provide you with appropriate advice on how to improve measures so that you have better control over the risks.

Learn more about Securance and ISAE 3402.

COSO Enterprise Risk Management


When an organization aims to achieve its objectives, it must address risks that threaten these objectives and manage them. COSO has defined various elements of an internal control system for this purpose. The COSO model depicts the direct relationship between:

  1. Organizational objectives;
  2. Control components;
  3. The activities/units requiring internal control.

COSO identifies the relationships between enterprise risks and the internal control system. COSO operates under the notion that internal control is a process aimed at ensuring the achievement of objectives in the following categories:

  1. Achieving strategic objectives (Strategic);
  2. Effectiveness and efficiency of business processes (Operations);
  3. Reliability of financial reporting (Reporting);
  4. Compliance with relevant laws and regulations (Compliance).

Furthermore, organizations must demonstrate to investors and other stakeholders that they handle uncertainties correctly (Code Tabaksblat and the Sarbanes-Oxley Act). In the Risklane approach to Enterprise Risk Management (ERM), risks are identified, and their consequences are detailed. Risklane utilizes the latest standards, methods, and techniques in risk management for this purpose.

Steps to Successful Risk Management


Risk management is a tool to systematically and explicitly identify, evaluate, and better manage risks by addressing them proactively. Risk management is based on conducting risk analyses.

In risk management, each identified risk is controlled by deciding how to manage either the likelihood of the risk occurring or its consequences.

The company identifies risks, understands as much as possible the financial implications of the risks, and implements measures accordingly. By considering the possible risks of certain policies at an early stage, these can be prevented or any serious consequences can be mitigated.

A one-time risk analysis is not sufficient. Only when the risk analysis is regularly repeated and updated, and the resulting measures…

STEP 1: IDENTIFYING RISKS

Risk identification encompasses all strategic, operational, financial, and traditional (damage) risks. The connection with the goals of the organization and business units is essential.

STEP 2: ANALYZING AND ASSESSING RISKS

Mapping out the risks allows for their analysis. A financial manager cannot stop at merely identifying risks. It is important to determine which risks are the greatest. Not all risks deserve the same attention; start with the most important ones.

STEP 3: ANALYSIS OF CURRENT CONTROL MEASURES

Companies can distinguish themselves from their competition by managing their risks more efficiently. In this phase, it must be determined whether any risks are over-controlled and whether there are blind spots.

STEP 4: DESIGNING AND IMPLEMENTING ACTION PLANS

After the control measures have been mapped out, the financial manager must make a choice. What happens to the remaining risks? For each risk, they must choose from the following four options:

  • Avoid
  • Reduce
  • Transfer
  • Accept

STEP 5: MEASURING, MONITORING, AND REPORTING

Risk management is a continuous process. It is important to measure whether the action plans are affecting the risk profile. Risk information can also be used for planning audits.

STEP 6: INTEGRATING RESULTS INTO DECISION-MAKING PROCESSES

The risk information can be used for the analysis of future decisions (through risk analyses from the past). For each new investment proposal or major project, the organization must consciously take the risks into account.