Benefits of ISO 9001

ISO 9001 is the international standard for quality management systems (QMS). The standard focuses on two key aspects: meeting customer requirements and enhancing customer satisfaction. To achieve this, it sets out a number of specific requirements. Implementing the standard brings many benefits.

  1. Increased revenue: by leveraging the reputation of ISO 9001, you can secure more tenders and contracts, while improving efficiency benefits customer satisfaction and retention.
  2. Enhancement of credibility: when organizations seek new suppliers, having a QMS based on ISO 9001 is often a requirement, especially for those in the public sector.
  3. Improved customer satisfaction: by understanding your customers’ needs and reducing errors, you increase customer confidence in your ability to deliver products and services.
  4. Higher business efficiency: by following industry best practices and focusing on quality, you can reduce costs.
  5. Improved decision-making: you can detect and flag issues promptly, enabling you to take quick steps to prevent the same mistakes in the future.
  6. Increased employee engagement: by improving internal communication, you ensure everyone works with one agenda. Involving employees in designing process improvements makes them happier and more productive.
  7. Better process integration: by examining process interactions, you can more easily find efficiency improvements, reducing errors and benefiting from cost savings.
  8. A culture of continuous improvement: this is the third principle of ISO 9001. It means embedding a systematic approach to identifying and exploiting improvement opportunities.
  9. Improved supplier relationships: using best-practice processes contributes to more efficient supply chains, and certification will signal these to your suppliers.

Dealing with Suppliers (Sub-Service Organizations) in 4 Steps.

This article provides 4 steps to better oversee the audit process and work more efficiently.

Step 1. Is there a subservice organization?

The so-called subservice organizations represent a special class of suppliers. These are defined as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.”

Subservice organizations may appear in an SOC 1 or SOC 2 report, and this may determine whether it is a Type 1 or a Type 2 report. The following providers are typical examples of a subservice organization:

  • Data centers
  • IT service providers
  • Software-as-a-service or platform-as-a-service providers

Step 2. Carve-out or inclusive reporting?

Once the organization has been able to identify whether there is a subservice organization, that is actually just the tip of the iceberg. For the report, it still needs to be decided whether to use the carve-out method or the inclusive method.

Carve-out method

This is the method in which CSOCs (complementary subservice organization controls) come into play. The controls performed by the subservice organization are not included in the report. The report only describes what the subservice organization does for the service organization, how its services interact with the service organization’s system, and which controls the service organization expects the subservice organization to have in place so that the control objectives or trust services criteria can be achieved.

Inclusive method

With this method, the relevant aspects of the subservice organization’s operations and the related internal control measures at the subservice organization are fully included in the report. The inclusive method can also be seen as a merger of separate SOC reports from two entities. What is important is that the same level of work that is performed for the service organization must also be performed for the subservice organization. This can be discouraging, and therefore the inclusive method is rarely seen in practice. Entities of the brother/sister type, such as an operational unit supported by a separate IT department, both belonging to the same parent company, are an example of where the inclusive method could be used. Another example would be a subservice organization that carries out almost all of its activities for a single, unrelated service organization.

Step 3. Demonstrate how your organization manages the carved-out subservice organizations

Now you need to ensure that, if there is a carved-out subservice organization, the organization documents well how it is managed. With subservice organizations, a typical supplier management program in which you evaluate the supplier’s services, quality, policies and procedures (e.g., IT security) and insurance coverage is not sufficient. As a service organization, you need to take steps to determine whether the types of CSOCs you expect the subservice organization to have are actually present. One of the easiest ways to do this is to obtain the subservice organization’s SOC report, assuming they have one.

If no SOC report is available, the organization should gather information from the management of the subservice organization, read other internal reports that the subservice organization may produce, and/or conduct on-site visits to assess the CSOCs you require.

Step 4. Understand and comply with complementary user entity controls

We now arrive at the final step. Most service organizations have expectations of their user entities, which auditors refer to as CUECs. CUEC stands for “Complementary User Entity Controls.” The subservice organization likewise expects your organization, as a user entity, to operate certain internal control measures. The final step is therefore to understand these expectations and determine how the organization complies with them.

ISAE 3402 | SOC 1 adapted to an organisation?

Systems and Controls – SOC reporting revolves around controls. An ISAE 3402 | SOC 1 report focuses on financial outsourcing, including asset management, SaaS providers (financial software) and data centers (storage of financial data). The SOC 2 report has a broader scope for user organizations, with additional requirements on security, availability, processing integrity, confidentiality, and privacy. Our consultants guide many organizations towards the ultimate goal: a professional SOC report and an approving statement. What are the necessary steps to achieve this?

The Method

The initial steps involve understanding the criteria, selecting the right audit scope, and following a structured approach for implementation. In this article, we outline how this process unfolds. Obtaining an approved assurance statement relies on various factors and requires significant discipline from your employees in adhering to procedures and performing controls, but effective structuring and planning can greatly assist!

Criteria

The criteria for an ISAE 3402 | SOC 1 report mainly depend on the reporting procedures of the user organization, the SLA, and other requirements of the user organization. The criteria for an ISAE 3000 | SOC 2 report are developed by the American Institute of Certified Public Accountants (AICPA). The AICPA’s Trust Services Criteria are more descriptive and cover the control environment, risk management, communication, detailed controls, and detailed technical criteria.

In other words, the Trust Service Criteria broadly outline what needs to be done, but it is up to organizations to develop controls. Auditors verifying the organization’s controls through SOC audits observe and rephrase controls to determine if they are well-established, exist, and function effectively to achieve the desired outcome. The first step in the SOC implementation process is defining the audit scope.

Scope of Control

Gaining an overview of the environment and systems is crucial for defining the scope. Therefore, Risklane SOC implementation projects commence with a thorough analysis of the organization, infrastructure, services provided, and processes. Without this analysis, the quality of the SOC report may not be optimal, ultimately leading to a qualified opinion or, at the very least, an ineffective ISAE 3402 or ISAE 3000 audit. For an ISAE 3000 | SOC 2 report, the next step is understanding the Trust Service Criteria.

Understanding Trust Service Criteria

The first step to understanding the criteria is acquiring them from the AICPA website and studying them in relation to the defined scope. The Trust Service Criteria are contained in an extensive document, and the specific language may sometimes be challenging to comprehend, but investing time in studying them will pay off in later stages of the audit. The Trust Service Criteria include, for each criterion, examples of the risks and of the controls that typically mitigate these risks. After understanding the criteria, controls need to be mapped to risks and vice versa.

Mapping Risks and Controls

The most common errors we identify in existing frameworks are unmatched and redundant controls. Unmatched internal control measures are those that do not effectively cover a defined risk; the mirror image is a defined risk for which internal control measures are lacking. Redundant internal control measures are those already covered by other internal control measures, or that do not cover any risk at all. These redundant controls essentially exist without a real purpose. After this analysis and matching, the next step is creating a control matrix.

Creating a Control Matrix

Documenting control objectives and related controls in a structured control matrix is beneficial for more than one reason: it becomes the source for how risk controls are structured and implemented, and it will be a significant reference document for your SOC auditors.

Thus, each Trust Service Criterion related to monitoring controls is linked to a list of affirmative controls, demonstrating how these controls mitigate the relevant risk, are well designed, and operate effectively. In our experience, these should be as detailed as possible: who performs the control? What information is used? What is the outcome? How is this documented? Answering these questions will be very helpful for your auditor in validating that the listed internal control measures are present, designed to achieve the control objectives, and effective. In future articles, we will delve deeper into how to structure your control framework. Following this phase, the readiness assessment (pre-audit) takes place, after which the reporting is tailored and the final audit can be prepared.

Audit Preparation

The process described above may seem a bit daunting, but do not panic. We can support you in this regard. We can help you understand the Trust Service Criteria and advise you on how to effectively align controls with risks and remove redundant controls. Of course, you can also obtain a ControlReports license for ISAE 3402 | SOC 1 implementation or ISAE 3000 | SOC 2 implementation, which provides a well-defined approach and effective workflow for examining, understanding, and defining the different elements. Both ultimately result in SOC reporting in accordance with our industry best practices, based on years of experience. Contact Securance (+31) 30 2800888. 

Outsourcing throughout history

Economies of scale

Since the industrial revolution, organizations have considered how to leverage their competitive advantage to expand markets and increase profits. The predominant model in the 19th and 20th centuries was the large integrated organization. In the 1950s and 1960s, businesses broadened their bases to capitalize on economies of scale.

The large integrated organization diversified its product range, and each expansion required more layers of management. Technological advances such as the internet in the 1980s and 1990s forced organizations to globalize further, while bloated management structures left them hampered by inflexibility. To enhance agility, many large organizations developed a strategy focused on their core activities and core processes.

Principal-agent problem

The focus on core processes initiated discussions about which processes were essential and crucial for business continuity and which could be outsourced to external service providers. Processes or functions lacking internal resources were outsourced to specialized agencies or service providers. Consequently, the principal-agent problem evolved between user organizations and service organizations, and the principal-agent theory and related information asymmetry gained importance in line with outsourcing growth.

Information asymmetry

The most common agency relationship in the financial domain is that between investors (or shareholders) and the management of a company. The principal may not be aware of the agent’s activities, or may be prevented by the agent from obtaining information. The result is an information asymmetry between the principal and the agent. For instance, management might want to invest in emerging economies while this does not fit the principal’s risk tolerance. Such a strategy might sacrifice short-term profitability and increase the company’s risks, while potentially leading to higher returns in the future. Investors seeking high current capital income at low risk may not be aware of these management plans. If the strategy results in losses, management may be inclined not to disclose this information to shareholders. The development of the accounting profession was a significant global development in mitigating the agency problem.

Risk and resource planning

As indicated above, situations may arise where the agent intends to allocate certain resources of the investors to high-risk investments. The agent is the decision-maker and bears little to no risk as all losses are borne by the principal. This situation may occur when shareholders contribute financial support to an entity that management uses at its discretion. The agent may have a different risk tolerance than the investors due to unequal risk distribution. Alternatively, employees may decide to invest their energy in a project that has no long-term benefits for the organization. Management is responsible for the organization’s financial situation and may be unaware of employees focusing on the wrong goals.

Financial consequences

If the principal is an investor or shareholder of an organization, the principal’s interests are focused on optimizing returns on investment. Returns from investments are distributed as dividends to investors in the short or long term. Principals are focused on optimizing (long-term) dividend yields. Paying high dividends to principals restricts investment opportunities or may cause cash flow problems for the organization’s management. Principals and agents therefore have opposing financial interests in this regard.

The agency theory is also relevant in the management-employee relationship. Employees have an interest in increasing their personal salary and personal satisfaction with minimal effort. Management aims to optimize production or sales volumes at the lowest labor costs. In this context, information asymmetry also exists in the form of incomplete understanding of employees’ daily operations by management. Management is likely to implement budgeting mechanisms and controls to optimize employee activities for the organization’s purpose. The agency theory is also relevant in outsourcing situations.

Agency theory in outsourcing

In general terms, agency theory pertains to all relationships between two parties where one party is the principal and the other is the agent representing the principal in transactions with third parties. Agency relationships occur when principals hire agents to perform a service on behalf of the principals. Principals typically delegate decision-making authority to agents. Because contracts and decisions with third parties are made by the agent affecting the principal, agency problems may arise.

Where activities are outsourced by a user organization to a service organization, agency theory is relevant to all aspects described above: information asymmetry, risk tolerance, and committed resources. For example, a financial institution outsources IT services to a managed services provider. The managed service provider lacks insight into the institution’s risk tolerance and may decide that weekly backups are acceptable, or that storing data outside the EU is acceptable. The service provider may not inform the organization about downtime of certain servers if the outage is not detected by the financial institution itself. The service organization may also be inclined to minimize the resources it spends on performing the activities while attempting to increase the fees it receives. A service organization may have a different tolerance for fraud, or may engage in fraud itself; in the pension sector, asset managers can profit by front-running transactions of pension funds. This is the principal-agent problem described above.