On December 15, 2014, the transition period for adopting the COSO 2013 framework ended. What are the opportunities and risks that arise from this transition? The COSO Internal Control Integrated Framework (ICIF) 2013 is a comprehensive update of the COSO ICIF 1992 model.
More organizations are outsourcing IT or other processes. This outsourcing brings efficiency but also risks. Is information security well managed? How is privacy handled? The ISAE 3402 standard is the standard for reliable outsourcing and provides answers. This standard ensures that aspects such as risk management, information security, privacy, anti-fraud measures, and continuity are controlled. An ISAE 3402 | SOC 1 report describes how risks are managed. A service auditor then verifies if this is indeed happening. What steps do you need to take to obtain such a report?
Firstly, you need to describe the organization’s risk management and internal control measures in a report. These internal control measures are also called controls. The report is called a Service Organization Control Report (SOC); a term from the United States. If the SOC report concerns outsourcing of (financial) processes, then this report is called an SOC 1 or ISAE 3402 report. If the report concerns processes that do not affect the financial statements (and are based on, for example, the Trust Service Principles), then the report is called an SOC 2 or an ISAE 3000 report. This may seem complicated, but you could say that as soon as your organization provides services that ‘touch’ your customer’s financial statements, then an SOC 1 applies, and if there are no implications for the financial statements, then an SOC 2 applies.
IT general control
No financial information is processed by the service organization. However, if the network fails, this could affect the financial statements because the ERP system runs on the network. Therefore, IT General Controls (ITGCs) are important; the IT General Controls (ITGC) are the control measures that an organization has implemented to ensure that the IT systems are reliable and integral. These IT General Controls are described in the SOC 1 (ISAE 3402) report of the managed server provider. In addition, a description of the organization and a description of risk management are included so that the customer can view these controls from the right perspective.
As organizations strive to continuously meet customer demands and comply with legal requirements, there is an increasing need for them to obtain and maintain multiple ISO certifications. A common combination gaining popularity is ISO 9001 and ISO 27001.
The ISO 9001 standard specifies the requirements an organization must meet to demonstrate the presence of an effective quality management system and consistently deliver quality-driven products and services that meet customer requirements and regulations. Achieving ISO 9001 certification for an organization signifies the successful demonstration of the organization’s robust quality process, considering the business process environment of products/services, quality-focused customer orientation, infrastructure, design and development of products and services, design inputs and outputs, and how externally provided processes and services are managed. Additionally, ISO 27001 is the internationally recognized standard that guides an organization in implementing and maintaining an effective information security management system. By obtaining ISO 27001 certification, an organization has demonstrated its ability to effectively manage information security risks through the implementation of an information security management system.
The International Organization for Standardization (ISO) defines a management system as “a system in which an organization manages the interrelated parts of its business to achieve its objectives.”
The Differences:
It’s evident that there are more similarities between the two management systems than differences, and the differences that do exist can also benefit and complement the other management system peripherally. Therefore, achieving this dual certification of ISO 9001 and ISO 27001 can be incredibly beneficial – enabling an organization to simultaneously demonstrate the capability and commitment to information security risk management while also validating their commitment to optimal delivery of their quality products and services.
As of February 1st, TCS Fund Services B.V. (part of Teslin CS) has completed the implementation of ISAE 3402. This demonstrates the organization’s control over internal processes.
This organization serves as the hub for alternative investment funds to outsource mid- and back-office services, allowing managers to focus on fund investments and investors. Services provided by TCS Fund Services include complete fund and financial administration, preparation of financial statements, quarterly reports, and reporting to regulators.
Given that managers of alternative investment funds delegate some of their tasks to TCS Fund Services, the organization highly values their ability to rely on the existence and operation of robust procedures and systems.
Birgitte van de Broek, managing director of TeslinCS, emphasizes the importance of ISAE 3402 implementation: ‘Given that TeslinCS is highly automated, sensitive information is often shared online via our platform. It’s crucial that this platform meets all security requirements. The implementation of ISAE 3402 was a logical step for us. We’re satisfied with our collaboration with Securance on this. They are experienced in procedure documentation and have provided us with valuable guidance.’
Koen van der Aa, supervisor at Securance, adds: ‘Throughout the ISAE 3402 implementation, TeslinCS has demonstrated itself as an organization that recognizes the importance of internal control. This has enabled TeslinCS to effectively establish and continuously optimize processes and procedures. In addition to implementing control measures in the ISAE 3402 report, TeslinCS has standardized the entire internal manual of processes and procedures.
On behalf of Securance, congratulations on completing the implementation! Click here for more information on ISAE.