Category: Cyber Security

IT General Control


More organizations are outsourcing IT or other processes. This outsourcing brings efficiency but also risks. Is information security well managed? How is privacy handled? The ISAE 3402 standard is the standard for reliable outsourcing and provides answers to these questions. It ensures that aspects such as risk management, information security, privacy, anti-fraud measures, and continuity are controlled. An ISAE 3402 | SOC 1 report describes how risks are managed, and a service auditor then verifies whether this is indeed happening. What steps do you need to take to obtain such a report?

Firstly, you need to describe the organization’s risk management and internal control measures in a report. These internal control measures are also called controls. The report is called a Service Organization Control Report (SOC), a term from the United States. If the SOC report concerns outsourcing of (financial) processes, it is called an SOC 1 or ISAE 3402 report. If the report concerns processes that do not affect the financial statements (and is based on, for example, the Trust Service Principles), it is called an SOC 2 or ISAE 3000 report. This may seem complicated, but the rule of thumb is: as soon as your organization provides services that ‘touch’ your customer’s financial statements, an SOC 1 applies; if there are no implications for the financial statements, an SOC 2 applies.

IT general control

Consider a managed server provider: no financial information is processed by the service organization itself. However, if the network fails, this could still affect the customer’s financial statements, because the ERP system runs on that network. This is why IT General Controls (ITGCs) are important: they are the control measures an organization has implemented to ensure that its IT systems are reliable and that the integrity of the data they process is maintained. These IT General Controls are described in the SOC 1 (ISAE 3402) report of the managed server provider. In addition, a description of the organization and a description of its risk management are included, so that the customer can view these controls from the right perspective.

ISO 9001 and ISO 27001


As organizations strive to continuously meet customer demands and comply with legal requirements, there is an increasing need for them to obtain and maintain multiple ISO certifications. A common combination gaining popularity is ISO 9001 and ISO 27001.

The ISO 9001 standard specifies the requirements an organization must meet to demonstrate that it has an effective quality management system and consistently delivers quality-driven products and services that meet customer requirements and regulations. Achieving ISO 9001 certification signifies that the organization has demonstrated a robust quality process, covering the business process environment of its products and services, quality-focused customer orientation, infrastructure, design and development of products and services, design inputs and outputs, and how externally provided processes and services are managed. ISO 27001, in turn, is the internationally recognized standard that guides an organization in implementing and maintaining an effective information security management system (ISMS). By obtaining ISO 27001 certification, an organization demonstrates its ability to manage information security risks effectively through the implementation of an ISMS.

The International Organization for Standardization (ISO) defines a management system as “a system in which an organization manages the interrelated parts of its business to achieve its objectives.”

The Differences:

ISO 9001

  • Objective: Maintaining expected quality standards within the organization
  • Does not require a Statement of Applicability

ISO 27001

  • Objective: Setting requirements for establishing, implementing, maintaining, and continually improving ISMS
  • Utilizes controls from ISO 27002 to support its ISMS

It’s evident that there are more similarities between the two management systems than differences, and the differences that do exist can also benefit and complement the other management system. Therefore, achieving dual certification in ISO 9001 and ISO 27001 can be incredibly beneficial: it enables an organization to demonstrate its capability and commitment to information security risk management while at the same time validating its commitment to the optimal delivery of quality products and services.

TeslinCS (TCS Fund Services) completes ISAE 3402 implementation


As of February 1st, TCS Fund Services B.V. (part of Teslin CS) has completed the implementation of ISAE 3402. This demonstrates the organization’s control over internal processes.

This organization serves as the hub for alternative investment funds to outsource mid- and back-office services, allowing managers to focus on fund investments and investors. Services provided by TCS Fund Services include complete fund and financial administration, preparation of financial statements, quarterly reports, and reporting to regulators.

Given that managers of alternative investment funds delegate some of their tasks to TCS Fund Services, the organization highly values their ability to rely on the existence and operation of robust procedures and systems.

Birgitte van de Broek, managing director of TeslinCS, emphasizes the importance of the ISAE 3402 implementation: ‘Given that TeslinCS is highly automated, sensitive information is often shared online via our platform. It’s crucial that this platform meets all security requirements. The implementation of ISAE 3402 was a logical step for us. We’re satisfied with our collaboration with Securance on this. They are experienced in procedure documentation and have provided us with valuable guidance.’

Koen van der Aa, supervisor at Securance, adds: ‘Throughout the ISAE 3402 implementation, TeslinCS has demonstrated itself as an organization that recognizes the importance of internal control. This has enabled TeslinCS to effectively establish and continuously optimize processes and procedures. In addition to implementing control measures in the ISAE 3402 report, TeslinCS has standardized the entire internal manual of processes and procedures.’

On behalf of Securance, congratulations on completing the implementation!

Student Experience receives ISAE 3402 reporting


As of January 2017, Student Experience Beheer B.V. holds an ISAE 3402 Type II report. This demonstrates that Student Experience meets high-quality standards and that its processes are in order according to international norms.

Johan Verweij, CEO of Student Experience: “We are very proud of achieving this certification. By obtaining this, the opportunities to collaborate with financial institutions and institutional investors supervised by the DNB or AFM are expanded. It enables us to continue the growth of Student Experience.”

Koen van der Aa, senior consultant at SECURANCE, the consultancy firm that conducted the audit: “Student Experience is a professional organisation that thinks in terms of possibilities and creates solutions for complex issues, leading them to innovative practices. Student Experience has standardised its internal procedures and implemented a solid risk management framework in a short period.”

By obtaining the ISAE 3402 report, Student Experience gives its clients insight into how its processes and risks are managed. This ISAE 3402 Type II report covers the management and maintenance activities that Student Experience performs for its clients, and concerns the processes that impact the financial statements of the user organisations. It describes how risks are identified and whether the measures to manage those risks are effectively designed.